Stop the Signal! Choosing and Setting Up a Hardware Wi-Fi Deauther on ESP8266

A Wi-Fi jammer, or Wi-Fi deauther, is a gadget designed to disconnect wireless devices from a hotspot. Why would you need this? It could be used as a harmless prank (your neighbor will surely be thrilled when you interrupt his adult video or a soccer match at the most exciting moment), but it also has criminal applications: an attacker could disconnect surveillance cameras or other important equipment from the network. In this article, we’ll look at affordable hardware deauthers, how to use them, and how to protect yourself from such attacks.

How Does a Wi-Fi Deauther Work?

Unlike real jammers that overpower a transmitter’s signal with a stronger one, a deauther works at the software level. It performs a denial-of-service attack by sending deauthentication frames to the router on behalf of devices connected to the network. Since these frames aren’t encrypted, the deauther only needs to sniff the network traffic to learn the MAC addresses of devices.

Deauthentication is usually part of a more complex network attack. It’s used to create an “evil twin” access point or to capture a handshake, which can then be used to crack the password. However, a deauther can be useful on its own.

All advice in this article is for educational purposes only. Blocking data transmission and using these tools may be illegal. For penetration testing, you must have written permission from the client. Remember, deauthentication events are logged by the router.

Choosing the Hardware: NodeMCU and ESP8266 Boards

Recently, affordable and compact boards supporting the NodeMCU platform have become very popular. They’re based on the ESP8266 module, which supports Wi-Fi (802.11b/g/n) at 2.4 GHz. There are two main types: with the CP2102 chip from Silicon Labs (USA) or the CH340 chip (China).

NodeMCU Versions

These boards are designed for prototyping: enthusiasts use them to create automated systems controlled via Wi-Fi. While that’s interesting, we’re focusing on using NodeMCU for attacks.

Due to technical limitations, the ESP8266 isn’t suitable for full packet monitoring and injection, but it works well as a deauther, which led to the development of special firmware. The first popular firmware was released by Spacehuhn, and since then, other versions with extra features have appeared. Before discussing software, let’s choose the hardware.

We’ll use a board from the Chinese manufacturer Dstike as an example: it has an ESP8266 and supports both client (P2P) and access point (soft-AP) modes. You can control the board from a smartphone or any Wi-Fi device.

The software works regardless of the chip or board, so you can choose any option you like. Dstike alone offers several models for different situations, but they all have one thing in common: the ability to jam Wi-Fi networks.

Dstike Device Types

• Deauther Wristband — a wristband with a built-in display, battery, and switch. Convenient for quick access to the control panel.
• Deauther Power Bank — with a modified charging controller; managed via a special panel. The controller has a connector for an external antenna. Batteries are not included. This is a discreet device you can leave somewhere and use remotely.
• Deauther OLED V3.5 — includes a connector for an external antenna and a holder for a 18650 mAh battery. Controlled by buttons and a switch, with output to a screen, so you can use it without extra equipment.

The main advantage of these gadgets is the ability to target a specific network or all networks within range. Note: you do not need the Wi-Fi password to perform attacks!

Installing Deauther 2.0

Let’s start with Deauther 2.0, the firmware developed by Spacehuhn. You can choose the version for your specific board on his GitHub repository.

Files with the .bin extension are compiled sketches. You need to install them on the board using a special flasher. If you prefer, you can find the source code and libraries in the archives to install via the Arduino IDE.

Flashing the .bin File

1. Download the NodeMCU Flasher from the NodeMCU repository.
2. Install drivers for CP2102 or CH340.
3. Connect the board to your computer, open NodeMCU Flasher, and select the COM port in Device Manager under “Ports (COM & LPT)”.
4. Go to the Config tab, click the gear icon, and select the downloaded .bin file.
5. After adding the file, its path will appear on the left. Go to the Operation tab and click Flash — the firmware will be uploaded to the board.

Flashing via Arduino IDE

1. Install the drivers (CP2102 or CH340).
2. Open Arduino IDE. In the “File” menu, go to “Preferences” and add these URLs to the “Additional Boards Manager URLs” field:
   • http://arduino.esp8266.com/stable/package_esp8266com_index.json
   • http://phpsecu.re/esp8266/package_deauther_index.json
3. Save the settings.
4. Go to “Tools” > “Board” > “Boards Manager”.
5. Install arduino-esp-8266-deauther and esp8266.
6. Open the folder with the sketch and libraries, go to “Tools”, and set the settings as shown in the documentation. For “Board”, select ESP8266 Deauther Modules. Set the flash size and memory as needed.
7. Upload the firmware.

After powering on, the board will create an access point. Connect to it and go to 192.168.4.1 or deauth.me. You’ll enter the configurator and see a warning.

In the configuration section, set LANG to en for English in the web interface. Click “Save” and reboot the device for the settings to take effect. Now it’s ready to use.

Features and Settings Overview

Let’s quickly review the app and see what your board can do.

• If you connect the deauther via serial port, you can control it with commands. You can disable this feature in the settings by unchecking SERIAL.

Serial Port Commands

scan [<all/aps/stations>] [-t <time>] [-c <continue-time>] [-ch <channel>]
show [selected] [<all/aps/stations/names/ssids>]
select [<all/aps/stations/names>] [<id>]
deselect [<all/aps/stations/names>] [<id>]
add ssid <ssid> [-wpa2] [-cl <clones>]
add ssid -ap <id> [-cl <clones>] [-f]
add ssid -s [-f]
add name <name> [-ap <id>] [-s]
add name <name> [-st <id>] [-s]
add name <name> [-m <mac>] [-ch <channel>] [-b <bssid>] [-s]
set name <id> <newname>
enable random <interval>
disable random
load [<all/ssids/names/settings>] [<file>]
save [<all/ssids/names/settings>] [<file>]
remove <ap/station/name/ssid> <id>
remove <ap/station/names/ssids> [all]
attack [beacon] [deauth] [deauthall] [probe] [nooutput] [-t <timeout>]
attack status [<on/off>]
stop <all/scan/attack>
sysinfo
clear
format
print <file> [<lines>]
delete <file> [<lineFrom>] [<lineTo>]
replace <file> <line> <new-content>
copy <file> <newfile>
rename <file> <newfile>
run <file>
write <file> <commands>
get <setting>
set <setting> <value>
reset
chicken
reboot
info
// <comments>
send deauth <apMac> <stMac> <reason> <channel>
send beacon <mac> <ssid> <ch> [wpa2]
send probe <mac> <ssid> <ch>
led <r> <g> <b> [<brightness>]
led <#rrggbb> [<brightness>]
led <enable/disable>
draw
screen <on/off>
screen mode <menu/packetmonitor/buttontest/loading>

After 600 seconds, attacks will automatically stop. If you don’t want this, set ATTACKTIMEOUT to 0 in the menu, and attacks won’t stop automatically.

In the scan section, click Scan APs to find all Wi-Fi access points. Select one or more networks and go to the attack section. The Deauth mode disconnects all devices from the selected network. The Beacon mode allows you to create up to 60 fake access points at once.

In the SSIDs section, you can create access points for Beacon attacks.

The firmware supports connecting a display (for compatible devices). You can also solder a screen and buttons yourself and add a battery to make it a standalone device.

The developers also sell a device that can detect deauthers.

The firmware is regularly updated with new features, so keep an eye out for updates!

Wi-PWN: An Alternative Firmware

Let’s look at another firmware, Wi-PWN, developed by Sam Denty (samdenty99). He improved on Spacehuhn’s work by adding a deauthentication detector and an Android companion app. As a result, Wi-PWN is more convenient to use than Deauther 2.0.

After downloading and extracting the archive, flash the board and install the app on your phone. In the folder, you’ll find the ESP8266Flasher program. Run it, select the COM port, and in the Config section, select the firmware (located at *\Wi-PWN-master\arduino\Wi-PWN). Then click Flash in the Operation tab.

Connect your phone to the board via Wi-Fi. Open the app, accept the terms, and enter the network name and password. After setup, connect to the new Wi-Fi network.

The app has several tabs:

• Scan — search for and select multiple access points
• Users — scan a specific Wi-Fi network for connected devices and create your own “users”
• Attack — attacks similar to Spacehuhn’s version, but with a maximum of 48 users for network cloning (compared to 60 in early Deauther versions)
• Detector — scan channels and detect jammers
• Settings — configure the Wi-Fi server (network name and password), enable Wi-Fi client mode, and set scan and attack parameters

WARNING! For stable operation, attach a heatsink to the part of the device that gets hot. Otherwise, the jammer may overheat and shut down.

A Few Words About Protection

NodeMCU is a cheap, versatile, powerful, and compact solution for deauthentication. Anyone can replicate this project quickly and easily. Since anyone can do it, it’s important to think about protection.

Most popular routers use IEEE 802.11b/g/n standards, which are vulnerable to jamming. To avoid this, look for a router that supports 802.11w, which fully protects users from this attack.

Some routers have anti-spam protection, but it only works for devices connected to the network, while a Wi-Fi jammer doesn’t connect to the network. If your router has anti-spam protection that works with unconnected devices, be sure to enable it!