
ESP can't detect stations properly #904

Closed
ExploiTR opened this issue Jun 26, 2018 · 30 comments
Labels
best of (Previously known as W T F), question (Further information is requested)

Comments

@ExploiTR

I have 4 devices connected to the victim AP. When I perform a scan through serial (I've tried all possible commands)

it gives:

Scanning WiFi [20%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [40%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [60%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [80%]:   0 packets/s |  0 devices |  0 deauths

I can't understand where the problem is. The AP is detected normally.

@tobozo
Collaborator

tobozo commented Jun 26, 2018

make sure victim AP uses 2.4GHz band

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

@tobozo Hmm. I've said the AP is detected normally

I'm compiling from the 2.0.5 release zip, without changing a single character of the code.

Tried reset_sketch and flashed the compiled binary and got the same result.

@tobozo
Collaborator

tobozo commented Jun 26, 2018

Please try to understand what dual band is, review the settings on your AP, then read the wiki and you'll see why the deauther can only see devices using the 2.4GHz band.

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

😭 😭 😭 😭 I do understand. @tobozo
Look, the AP is a Linksys E1200 N300 router, which only supports the 2.4 GHz band and channels 1-13.
And the stations are a desktop, one laptop and 2 phones, which only support 2.4 GHz.
It worked last night, but it is not working now 😭

@ExploiTR ExploiTR reopened this Jun 26, 2018
@ExploiTR
Author

ExploiTR commented Jun 26, 2018

The problem persists on the ESP side.

  • did a scan without touching settings: worked
  • did a scan after stopAP: 0 results (null) X
  • did a scan after startAP: 1 device detected (3 connected)

A really unusual problem: I just got all 3 of them, but not always 😭 😕

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

Scanning WiFi [15%]:   1 packets/s |  1 devices |  0 deauths
Scanning WiFi [30%]:   2 packets/s |  1 devices |  0 deauths
Scanning WiFi [45%]:   0 packets/s |  1 devices |  0 deauths
Scanning WiFi [60%]:   3 packets/s |  1 devices |  0 deauths
Scanning WiFi [75%]:   1 packets/s |  1 devices |  0 deauths
Scanning WiFi [90%]:   1 packets/s |  1 devices |  0 deauths
Scan results saved in /scan.json
Scan results saved in /scan.json
Removed all APs
Cleared station list
Scan results saved in /scan.json

Scanning WiFi [15%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [30%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [45%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [60%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [75%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [90%]:   0 packets/s |  0 devices |  0 deauths
Scan results saved in /scan.json
Scan results saved in /scan.json
Removed all APs
Cleared station list

Look, it detects one now, then none... 😭 Looks like spacehuhn will tag WTF again. :trollface:

@tobozo
Collaborator

tobozo commented Jun 26, 2018

Looks like spacehuhn will tag WTF again. :trollface:

don't worry I can do this for @spacehuhn

what kind of activity do you generate on the given devices in order to actually have packets to sniff?

@tobozo tobozo added the best of Previously known as W T F label Jun 26, 2018
@ExploiTR
Author

ExploiTR commented Jun 26, 2018

what kind of activity do you generate on the given devices in order to actually have packets to sniff?

I can't understand.

I tried scan -a -t 30000 / scan -st -t 30000 and tried connecting/disconnecting the stations while the scan is running... no result. It shows there are 0 packets.

@spacehuhn
Collaborator

spacehuhn commented Jun 26, 2018

In other words, are there any packets it could be sniffing? Because maybe there is actually 0 packets per second on the channel the ESP is sniffing on.

EDIT:
maybe also post the whole serial output, could be helpful if something is wrong there

@ExploiTR
Author

Doesn't it iterate through the channels by default? 😨 @spacehuhn

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

However, my AP is on channel 6, and the stations too...

I tried the command scan -st -c 10

But, after 30 scans, only one device is getting detected - from the first to the last.

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

@spacehuhn | I've turned off the settings echo (set serialEcho false)

Mounting SPIFFS...OK
Switched to Channel 1
Settings loaded from /settings.json
Settings saved in /settings.json
Device names loaded from /names.json
SSIDs loaded from /ssids.json
Scan results saved in /scan.json
Serial interface enabled
Started AP
[WiFi] Path: '/web', Mode: 'AP', SSID: 'pwned', password: 'deauther', channel: '1', hidden: false, captive-portal: true
STARTED! \o/
v2.0.5
Executing /autostart.txt
Done executing script
# scan -ap
Stopped scan
Scan results saved in /scan.json
Removed all APs
Cleared station list
Starting scan for access points (Wi-Fi networks)...
[===== Access Points =====]
ID SSID                             Name             Ch RSSI Enc. Mac               Vendor   Selected
=====================================================================================================
 0 TimeExecutor                                       6  -30 WPA2 ##:##:##:##:##:## BelkinIn         
=====================================================================================================
Stopped scan
Scan results saved in /scan.json
# select -ap 0
Selected access point TimeExecutor
# scan -st -c 10
Stopped scan
Scan results saved in /scan.json
Starting Scan for stations (client devices) - 15s
Stopped Access Point
Scanning WiFi [20%]:   2 packets/s |  0 devices |  0 deauths
Scanning WiFi [40%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [60%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [80%]:   0 packets/s |  0 devices |  0 deauths
[===== Stations =====]
Station list is empty :(
Started AP
Stopped scan
Scan results saved in /scan.json
restarting in 0s - type stop to disable the continuous mode
Stopped scan
Scan results saved in /scan.json
Starting Scan for stations (client devices) - 15s
Stopped Access Point
Scanning WiFi [20%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [40%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [60%]:   0 packets/s |  0 devices |  0 deauths
Scanning WiFi [80%]:   0 packets/s |  0 devices |  0 deauths
# stop scan
Started AP
Stopped scan
Scan results saved in /scan.json

@spacehuhn
Collaborator

@ExploiTR but why?! Now we can't see what command you typed, which is kinda important for debugging you know... 😉

@ExploiTR
Author

@spacehuhn , I've updated logcat

@spacehuhn
Collaborator

Thanks. Have you tried running the scanner somewhere else where there are more networks? Have you tried sniffing with other devices to make sure there are packets being sent?

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

Well, I opened virtual interfaces on my WRT. @tobozo

@spacehuhn

Command: scan -a

[===== Access Points =====]
ID SSID                             Name             Ch RSSI Enc. Mac               Vendor   Selected
=====================================================================================================
 0 dd-wrt_vap2                                        6  -35    - ##:##:##:##:##:30                  
 1 dd-wrt_vap                                         6  -35    - ##:##:##:##:##:3e                  
 2 TimeExecutor                                       6  -36 WPA2 ##:##:##:##:##:3d BelkinIn         
 3 dd-wrt_vap3                                        6  -36    - ##:##:##:##:##:31                  
=====================================================================================================
Stopped scan
Scan results saved in /scan.json
Starting Scan for stations (client devices) - 15s
Stopped Access Point
Scanning WiFi [20%]:  14 packets/s |  1 devices |  0 deauths
Scanning WiFi [40%]:  19 packets/s |  1 devices |  0 deauths
Scanning WiFi [60%]:  17 packets/s |  1 devices |  0 deauths
Scanning WiFi [80%]:  12 packets/s |  1 devices |  0 deauths
[===== Stations =====]
ID MAC               Ch Name             Vendor   Pkts     AP                               Last Seen Selected
==============================================================================================================
 0 ##:##:##:##:##:75  6                  HaoCheng        8 dd-wrt_vap3                      <1min             
 1 ##:##:##:##:##:35  6                  LiteonTe        2 dd-wrt_vap2                      <1sec             
==============================================================================================================
Started AP
Stopped scan
Scan results saved in /scan.json

And the result is quite normal for the other 2 open networks.

The 3rd device, connected to my main network which is encrypted by WPA, doesn't seem to be detected 😨
But I'm quite sure that its software isn't configured to use encrypted frames, as it worked last night 😕 🤔

@ExploiTR ExploiTR changed the title ESP can't detect stations ESP can't detect stations properly Jun 26, 2018
@spacehuhn
Collaborator

Looks like it's working

@ExploiTR
Author

ExploiTR commented Jun 26, 2018

?? How, @spacehuhn? I've been continuously trying it for hours. But it doesn't... sometimes even the other two on an open network aren't showing.

I've already ordered the NodeMCU V3 to test if the problem persists only in this V2 one. \O/

One more thing to notice: rebooting shows a perfect result (in 90% of cases).

@killergeek

@ExploiTR yeah, I see the problem. It's between the chair and the computer.
And something something RTFM.

@jLynx jLynx closed this as completed Jun 26, 2018
@jLynx
Collaborator

jLynx commented Jun 26, 2018

Closed the issue due to the issue being with the user, not the actual software. Sadly we don't provide help for this specific "clearly beta" version of user.

@ExploiTR
Author

ExploiTR commented Jun 27, 2018

@killergeek Welcome, mate. Looks like you went a long way for the first comment. And secondly, being stubborn wouldn't help one, well? And @killergeek, first write a working project instead of forking before commenting.

And, @jLynx @spacehuhn the issue is with the software. The way it detects stations isn't efficient. I know why this happened, and it's actually a bug. The devices aren't releasing any packet to save power somehow. So, as an open-source and without-warranty project, deauther wouldn't be detecting 100% of the devices using wifi tech and even not of them which don't use frame-encryption.

@jLynx
Collaborator

jLynx commented Jun 27, 2018

I don't see why you reacted to your own comment...
[image]

@jLynx
Collaborator

jLynx commented Jun 27, 2018

also @killergeek you just got TOLD, sit the f**k down kid! make a project before commenting 😂

@spacehuhn
Collaborator

This might look rude but let me document my reactions reading this word salad

And, @jLynx @spacehuhn the issue is with the software.

oookaayy....

The way it detects stations isn't efficient.

rly?!

I know why this happened, and it's actually a bug.

Well now I'm hyped, tell me what you found young padawan!

The devices aren't releasing any packet to save power somehow.

🤦‍♂️ 🤦‍♀️ how is that a bug with the software then?! We already told you that you can only detect devices that send packets while you're sniffing for those packets. It's common sense. You can't hear someone that isn't saying anything.

So, as an open-source and without-warranty project, deauther wouldn't be detecting 100% of the devices using wifi tech and even not of them which don't use frame-encryption.

Oh jeez...

  1. "open-source and without-warranty project" has nothing to do with the rest of your comment, so what's your point here?
  2. "deauther wouldn't be detecting 100% of the devices using wifi tech" yes it can only detect active devices that use Wi-Fi. (kinda self explanatory, isn't it?)
  3. "even not of them which don't use frame-encryption." Sniffing and detecting devices is absolutely unrelated to the Wi-Fi network encryption being used. There is a thing called MAC header in every 802.11 frame.

Some extra notes:

  • We talk about a $2 chip here that wasn't meant for this specific purpose, so don't expect great sniffing performance.
  • It might not get every packet because of the antenna being used
  • You lose packets due to channel hopping
  • You lose packets because the ESP is doing a lot of other stuff too, not just only sniffing
  • The SDK 2.0.0 being used might not have the best performance either
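
spacehuhn's two points above, that the addresses in the MAC header are readable whether or not the frame body is encrypted, and that the scanner only counts stations whose frames belong to an AP it has already listed, as an added Python example (this is not the deauther's own code; the frames and MAC addresses are constructed for the demo):

```python
# Minimal 802.11 data-frame inspector, written here to illustrate the point above;
# it is not the deauther's own code. Station and BSSID addresses sit in the plaintext
# MAC header, so a WPA2-protected data frame reveals them exactly like an open one does.
def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_frame(frame: bytes):
    """Return (station, bssid, protected) for a data frame, or None otherwise."""
    if len(frame) < 24:                      # shorter than a 3-address MAC header
        return None
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != 2:                 # type 2 = data; beacons, probes, ACKs are skipped
        return None
    to_ds, from_ds = flags & 0x01, (flags >> 1) & 0x01
    protected = bool(flags & 0x40)           # Protected Frame bit: only the body is encrypted
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:                # station -> AP: A1 = BSSID, A2 = station
        station, bssid = a2, a1
    elif from_ds and not to_ds:              # AP -> station: A1 = station, A2 = BSSID
        station, bssid = a1, a2
    elif not to_ds and not from_ds:          # ad-hoc / direct: A3 = BSSID
        station, bssid = a2, a3
    else:
        return None                          # 4-address WDS frames: not handled here
    return mac(station), mac(bssid), protected

def find_stations(frames, known_aps):
    """Map station -> BSSID, keeping only frames whose BSSID is in the AP scan list."""
    seen = {}
    for frame in frames:
        parsed = parse_data_frame(frame)
        if parsed and parsed[1] in known_aps:
            seen[parsed[0]] = parsed[1]
    return seen

def build_frame(to_ds, from_ds, protected, a1, a2, a3):
    """Assemble a bare data frame (no body); used only to construct sample input."""
    flags = to_ds | (from_ds << 1) | (0x40 if protected else 0)
    return bytes([0x08, flags, 0, 0]) + a1 + a2 + a3 + bytes(2) + bytes(8)

# Constructed sample traffic (not a capture): one open AP, one WPA2 AP, three stations.
AP_OPEN, AP_WPA, AP_OTHER = (bytes.fromhex(h) for h in ("02000000000a", "02000000000b", "02000000000c"))
STA1, STA2, STA3 = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
SAMPLE = [
    build_frame(1, 0, False, AP_OPEN, STA1, AP_OPEN),    # STA1 -> open AP, cleartext body
    build_frame(0, 1, True, STA2, AP_WPA, AP_WPA),       # WPA2 AP -> STA2, encrypted body
    build_frame(1, 0, False, AP_OTHER, STA3, AP_OTHER),  # STA3 -> an AP that was not scanned
    bytes([0x80, 0, 0, 0]) + bytes(20),                  # beacon (management frame): ignored
]
```

Running find_stations(SAMPLE, {mac(AP_OPEN), mac(AP_WPA)}) lists STA1 and STA2 (the WPA2 one included) and drops STA3, because its AP is not in the scan list, which is exactly the behaviour the thread describes.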

@tobozo
Collaborator

tobozo commented Jun 27, 2018

make a project before commenting

Actually this thread is the aftermath of doing exactly that

Unless stated in the Code of conduct, using emojis instead of a GPG public key to sign messages does not invalidate the opening of an issue. I'd be more blaming GitHub for that, why did they allow self-emojis in the first place?

Anyway, most symptoms described here are from a different environment from the usual standard we hear about in this issue tracker.

The build @ExploiTR is trying to achieve is a Java client running on an Android and using the serial to talk to the deauther.
As a result there are mixed problems and mixed symptoms, hence the WTF smell and the fun reactions.

@ExploiTR
Author

ExploiTR commented Jun 27, 2018

Well now I'm hyped, tell me what you found young padawan!

@spacehuhn No man, I'm not telling it in that way. I want to say that it wouldn't work when the devices are connected but not sending packets. Actually, I commented too fast, being angry with killergeek's comment. I'm sorry, it's my mistake to talk to a computer science student @spacehuhn

I just wanted to tell that @jLynx

the issue being with the user

No, it's global and wontfix. Again, sorry all for my language, pushed by killergeek

@spacehuhn
Collaborator

To sum this whole thing up:
I can't see anything wrong with the serial output you provided. You need devices that send packets and are connected to an AP that is in the list of the ESP8266. The more active the devices are, the higher the chance the ESP will find them.

If it is a software bug, tell us how to fix it.

@ExploiTR
Author

ExploiTR commented Jun 27, 2018

By saying "not efficient" I actually meant that it's not official and wouldn't always succeed in detecting all the devices.

If it is a software bug, tell us how to fix it.

I don't know C/C++, and I'm not an expert software engineer! But one thing I can suggest:
airodump-ng, I mean the whole aircrack-ng package, is written in C. And I didn't see it failing to detect any stations, active or not. Will this help you?

@spacehuhn
Collaborator

spacehuhn commented Jun 27, 2018

The Aircrack suite has the same "problems". It can only see active devices. Its only advantage is that it lists unconnected devices. But that wouldn't make sense here, since you can only attack connected devices.
Aircrack might give you more reliable results because it's running on dedicated hardware with much much more horsepower than this $2 chip and a real OS to schedule tasks and processes.

@ExploiTR
Author

Okay. Thanks

@spacehuhn spacehuhn added the question (Further information is requested) label and removed the 😂, 👎, :trollface: labels Jun 15, 2020