Airdrop-ng
A Rule Based Wireless Deauth Tool
Description
airdrop-ng is a program used for targeted, rule-based deauthentication of users. It can target based on MAC address or type of hardware (by using an OUI lookup, e.g. “APPLE” devices), or completely deauthenticate ALL users. lorcon and pylorcon are used to transmit the deauth packets.
Dependencies
Supports Python 2.6 and may support 2.5 and 2.4.
Dependencies:
- lorcon-old aka lorcon version 1 (already installed on BT4 final)
- pylorcon
- A lorcon supported wireless card with monitor mode and injection
Optional Dependencies:
- Psyco JIT
Installing lorcon
Currently we only support the older version of lorcon. You can download these files from the following svn link:
svn co http://802.11ninja.net/svn/lorcon/branch/lorcon-old
If pylorcon reports import errors you need to run the following command:
ln -s /usr/local/lib/liborcon-1.0.0.so /usr/lib
This creates a symlink in the directory where pylorcon looks for liborcon.
If you are on Ubuntu, you will also need to install the python-dev package, as the headers are not included by default.
Usage
airdrop-ng [options] <pcap file>
Option | Param. | Description |
---|---|---|
-i | card | Wireless card in monitor mode to inject from |
-t | csv file | Airodump txt file in CSV format NOT the pcap |
-p | psyco | Disable the use of Psyco JIT |
-r | Rule File | Rule File for matched deauths |
-u | update | Updates OUI list |
-d | Driver | Injection driver. Default is mac80211 |
-s | sleep | Time to sleep between sending each packet |
-b | debug | Turn on Rule Debugging |
-l | key | Enable logging to a file; if no file path is provided, airdrop will log to the default location |
-n | nap | Time to sleep between loops |
Usage Examples
Start airdrop-ng on mon0, reading from airodump.csv, and kick based on the rules in rulefile.txt:
airdrop-ng -i mon0 -t airodump.csv -r rulefile.txt
Rule File Configuration Examples
#[comments]
#All lines in this page are commented out
# The # symbol at the front of a line denotes a commented line
#airdrop-ng.py rule configuration file
#a is allow
#d is deny
#format is (a or d)/bssid|(any or client mac or list of client macs in format of mac1,mac2,mac3)
#it is not wise to mix rule types, for example
#d/any|00:17:AB:5C:DE:3A,00:1B:63:00:60:C4,apple
#While it may work, I have no idea what result it will have, and at this time it is not recommended
#EX d/bssid|mac1,mac2 #note this is not a valid rule, it just shows the format; the / and | placement do matter
#MORE EXAMPLE RULES
#d/00:1F:90:CA:0B:74|00:18:41:75:8E:4B #deny rule with a single client
#d/any|00:21:E9:3D:EB:45,00:17:AB:5C:DE:3A,00:1B:63:00:60:C4 #a deny rule for several clients on any AP
#d/any|any #a global deny any any rule
#A/00:17:3F:3A:F0:7E|00:21:E9:3D:EB:45,00:17:AB:5C:DE:3A,00:1B:63:00:60:C4 #an allow rule with multiple clients
#D/00-1E-58-00-FF-5E|00:19:7E:9A:66:96 #another deny rule with a different mac format
#d/12:02:DC:02:10:00|any #a bssid deny any client rule
#a/any|any #a global allow, no idea why you would wanna use this ;)
#oui examples
#d/any|Apple, Inc;APPLE COMPUTER;APPLE COMPUTER, INC.;Apple Computer Inc.;APPLE COMPUTER INC.;APPLE, INC
#d/any|apple
#d/action|broadcom #kicks only broadcom devices off actiontech routers
#d/00:1F:3C|any #kicks all clients that match that oui
#d/action|00:1F:3C #kick any clients off an actiontec router that match the oui
#d/action|00:21:E9:3D:EB:45,00:17:AB:5C:DE:3A,00:1B:63:00:60:C4 #kick the following clients off an any actiontech router
#d/00:17:3F:3A:F0:7E|apple #kick any apple device off that ap
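The rule format described in the comments above, as an added Python 3 example (not airdrop-ng's own parser): it parses the active lines of a rule file for review and flags the mixed MAC/vendor client lists the comments advise against. Treating `;` as the vendor-name separator and a trailing `#` as the start of a comment are assumptions drawn from the example rules; `classify`, `parse_rule` and `lint` are hypothetical names.

```python
import re

MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")
OUI = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){2}[0-9A-Fa-f]{2}")

def classify(token):
    """Return (kind, normalized value) for one BSSID or client token."""
    t = token.strip()
    if t.lower() == "any":
        return ("any", "any")
    if MAC.fullmatch(t):
        return ("mac", t.upper().replace("-", ":"))
    if OUI.fullmatch(t):
        return ("oui", t.upper().replace("-", ":"))
    return ("vendor", t)  # anything else is treated as an OUI vendor string

def parse_rule(line):
    """Parse one rule line; return None for blank or commented-out lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    body = line.split("#", 1)[0].strip()  # assumption: trailing '#' is a comment
    action, slash, rest = body.partition("/")
    bssid, pipe, clients = rest.partition("|")
    act = action.strip().lower()
    if act not in ("a", "d") or not (slash and pipe and bssid.strip() and clients.strip()):
        raise ValueError("expected (a or d)/bssid|clients, got %r" % line)
    # Assumption: ';' separates vendor names (they may contain commas), else ','.
    sep = ";" if ";" in clients else ","
    parsed = [classify(c) for c in clients.split(sep) if c.strip()]
    kinds = sorted({kind for kind, _ in parsed})
    warnings = ["mixed client types: " + ", ".join(kinds)] if len(kinds) > 1 else []
    return {"action": "allow" if act == "a" else "deny",
            "bssid": classify(bssid), "clients": parsed, "warnings": warnings}

# Constructed sample built from the page's example rules (first line left commented).
SAMPLE = """\
#d/any|any
D/00-1E-58-00-FF-5E|00:19:7E:9A:66:96 #another deny rule
d/any|00:17:AB:5C:DE:3A,00:1B:63:00:60:C4,apple
d/00:1F:3C|any
"""

def lint(text):
    """Return the parsed rule for every active (uncommented) line."""
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for rule in lint(SAMPLE):
        print(rule)
```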