Messing with WiFi protocol, Esp8266 and fake APs

I was browsing the internet on a rainy day and stumbled upon some cool stuff. The ESP8266, apart from being a super chip which can be turned into a station and an access point, can also do some weird stuff at the lowest level of the WiFi protocol. wifi_send_pkt_freedom() is a function available from the ESP8266 Arduino core which enables the chip to send out arbitrary WiFi packets.

That means a lot. Everything that is sent out over the air is sent as packets. Some of these packets are plain text, others are encrypted with a key that is shared between an access point and the connected station. As I said, everything is sent out as packets, including the address of the device that sent them and the address of their destination.

On GitHub I came across a piece of code which creates multiple fake access points that pop up and disappear almost instantly. This code produces some 100 access points per second with random SSIDs and MAC addresses. This is done simply by sending out a series of beacon packets with the SSID and MAC address fields randomly generated.

While this code should not cause harm to anyone, we cannot rule out that some older devices might not handle that many access points at once, and it might also be illegal in your country. Please use it with caution; we are not responsible for any malicious and/or illegal activity.

The original code can be found here

#include <ESP8266WiFi.h>

extern "C" {
  #include "user_interface.h"   // SDK functions: wifi_set_channel, wifi_send_pkt_freedom, ...
}

// 65 characters; indexed below with random(65), which returns 0..64
String alfa = "1234567890qwertyuiopasdfghjkklzxcvbnm QWERTYUIOPASDFGHJKLZXCVBNM_";
byte channel;

// Beacon Packet buffer (a raw 802.11 management frame of subtype beacon, 57 bytes used)
uint8_t packet[128] = { 0x80, 0x00, 0x00, 0x00,                         // frame control (beacon), duration
                /*4*/   0xff, 0xff, 0xff, 0xff, 0xff, 0xff,             // destination: broadcast
                /*10*/  0x01, 0x02, 0x03, 0x04, 0x05, 0x06,             // source MAC (randomised in loop)
                /*16*/  0x01, 0x02, 0x03, 0x04, 0x05, 0x06,             // BSSID (randomised in loop)
                /*22*/  0xc0, 0x6c,                                     // sequence control (never changed)
                /*24*/  0x83, 0x51, 0xf7, 0x8f, 0x0f, 0x00, 0x00, 0x00, // timestamp (never changed)
                /*32*/  0x64, 0x00,                                     // beacon interval: 100 TU
                /*34*/  0x01, 0x04,                                     // capability info
                /* SSID */
                /*36*/  0x00, 0x06, 0x72, 0x72, 0x72, 0x72, 0x72, 0x72, // SSID element: tag 0, length 6, "rrrrrr"
                /*44*/  0x01, 0x08, 0x82, 0x84,                         // supported rates element: tag 1, length 8
                        0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c,
                /*54*/  0x03, 0x01,                                     // DS parameter element: tag 3, length 1
                /*56*/  0x04};                                          // channel (overwritten in loop)

void setup() {
  delay(500);
  wifi_set_opmode(STATION_MODE);
  wifi_promiscuous_enable(1);
}

void loop() {
  // Randomize channel: random(min, max) excludes max, so this picks 1..11
  channel = random(1, 12);
  wifi_set_channel(channel);

  // Randomize SRC MAC and BSSID (kept identical, as they are for a real AP)
  packet[10] = packet[16] = random(256);
  packet[11] = packet[17] = random(256);
  packet[12] = packet[18] = random(256);
  packet[13] = packet[19] = random(256);
  packet[14] = packet[20] = random(256);
  packet[15] = packet[21] = random(256);

  // Randomize SSID (fixed size 6, bytes 38..43 after the 2-byte element header. Lazy right?)
  packet[38] = alfa[random(65)];
  packet[39] = alfa[random(65)];
  packet[40] = alfa[random(65)];
  packet[41] = alfa[random(65)];
  packet[42] = alfa[random(65)];
  packet[43] = alfa[random(65)];

  // Advertise the channel we are currently transmitting on in the DS parameter element
  packet[56] = channel;

  // Send the 57-byte frame three times; sys_seq = 0 keeps the sequence number that is in the buffer
  wifi_send_pkt_freedom(packet, 57, 0);
  wifi_send_pkt_freedom(packet, 57, 0);
  wifi_send_pkt_freedom(packet, 57, 0);
  delay(1);
}
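As an added example (not part of the original post or of the sketch it reproduces), here is a Python decoder for the 57-byte beacon layout used above, together with a check a defender could run over captured beacons: the sketch never touches the timestamp or sequence-control bytes, so many distinct BSSIDs sharing one exact (timestamp, sequence number) pair is a usable indicator of this kind of flood. The frame-assembly helper, the sample capture and the threshold are constructed for the example.

```python
import struct

def beacon_frame(bssid: bytes, ssid: bytes, channel: int,
                 timestamp: int = 0x0F8FF75183, seq: int = 0x6CC0) -> bytes:
    """Constructed test input: a beacon laid out exactly like the sketch's 57-byte buffer."""
    hdr = bytes([0x80, 0x00, 0x00, 0x00]) + b"\xff" * 6 + bssid + bssid  # FC, duration, DA, SA, BSSID
    hdr += struct.pack("<H", seq) + struct.pack("<QHH", timestamp, 100, 0x0401)
    ies = bytes([0x00, len(ssid)]) + ssid                                  # SSID element
    ies += bytes([0x01, 0x08, 0x82, 0x84, 0x8B, 0x96, 0x24, 0x30, 0x48, 0x6C])  # supported rates
    ies += bytes([0x03, 0x01, channel])                                    # DS parameter set
    return hdr + ies

def parse_beacon(frame: bytes) -> dict:
    """Decode the fixed header plus the SSID and DS-parameter elements of an 802.11 beacon."""
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc & 0x00FC) != 0x0080:                  # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    timestamp, interval, _cap = struct.unpack_from("<QHH", frame, 24)
    info = {"sa": frame[10:16].hex(":"), "bssid": frame[16:22].hex(":"),
            "seq": seq_ctrl >> 4, "timestamp": timestamp,
            "interval_tu": interval, "ssid": None, "channel": None}
    pos = 36
    while pos + 2 <= len(frame):                 # walk the tag / length / value list
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:                   # truncated element: stop, do not guess
            break
        if tag == 0:
            info["ssid"] = body.decode("ascii", errors="replace")
        elif tag == 3 and length == 1:
            info["channel"] = body[0]
        pos += 2 + length
    return info

def find_beacon_flood(frames, min_bssids: int = 20) -> list:
    """Group beacons by (timestamp, sequence number): a real AP's timestamp counts up and its
    sequence number increments, so many BSSIDs sharing one exact pair points to a flood."""
    groups = {}
    for f in frames:
        b = parse_beacon(f)
        groups.setdefault((b["timestamp"], b["seq"]), set()).add(b["bssid"])
    return [(key, sorted(bss)) for key, bss in groups.items() if len(bss) >= min_bssids]

# Constructed capture: 25 spoofed APs from one burst (fixed timestamp and sequence number,
# like the sketch) plus two beacons from one genuine-looking AP whose counters advance.
CAPTURE = [beacon_frame(bytes([0x02, 0, 0, 0, 0, i]), b"rrrrrr", 6) for i in range(25)]
CAPTURE += [beacon_frame(b"\xaa\xbb\xcc\x00\x00\x01", b"HomeAP", 1, timestamp=t, seq=s)
            for t, s in ((1_000_000, 0x10), (1_102_400, 0x20))]
```

Real captures need a monitor-mode interface and radiotap stripping in front of parse_beacon; the threshold is deliberately low because a single sketch burst already carries dozens of BSSIDs.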

  1. This is incredibly interesting. I didn't know that the ESP8266 could do this. Maybe I'll have to dust off the few that I have lying around and see what I can make with them. I imagine that you could use this to cause trouble with systems that automatically scan for and keep track of APs.