deauthentication
deauthentication [2007/01/26 19:57] – darkaudax | deauthentication [2010/11/21 13:34] (current) – typos sleek | ||
Line 1: | Line 1: | ||
====== Deauthentication ====== | ====== Deauthentication ====== | ||
- | ===== | + | ===== Description |
+ | This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. | ||
- | * Recovering a hidden | + | * Recovering a hidden ESSID. This is an ESSID which is not being broadcast. |
- | * Capturing WPA handshakes by forcing clients to reauthenticate | + | * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate |
* Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | ||
+ | Of course, this attack is totally useless if there are no associated wireless client or on fake authentications. | ||
- | Of course, this attack | + | ===== Usage ===== |
- | It is usually more effective | + | |
+ | | ||
+ | |||
+ | Where: | ||
+ | * -0 means deauthentication | ||
+ | * 1 is the number of deauths to send (you can send multiple | ||
+ | * -a 00: | ||
+ | * -c 00: | ||
+ | *ath0 is the interface name | ||
+ | |||
+ | ===== Usage Examples ===== | ||
+ | |||
+ | ==== Typical Deauthentication ==== | ||
+ | First, you determine a client which is currently connected. You need the MAC address for the following command: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | * -0 means deauthentication | ||
+ | * 1 is the number of deauths | ||
+ | * -a 00: | ||
+ | * -c 000: | ||
+ | * ath0 is the interface name | ||
+ | |||
+ | Here is typical output: | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | For directed deauthentications, | ||
+ | |||
+ | Here is what the "[ 61|63 ACKs]" means: | ||
+ | * [ ACKs received from the client | ACKs received from the AP ] | ||
+ | * You will notice that the number in the example above is lower then 64 which is the number of packets sent. It is not unusual to lose a few packets. | ||
+ | * How do you use this information? | ||
+ | |||
- | ===== WPA Handshake capture with an Atheros | + | ==== WPA/WPA2 Handshake capture with an Atheros ==== |
airmon-ng start ath0 | airmon-ng start ath0 | ||
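Review bot: the new Description line ("This attack sends disassocate packets to one or more clients...") has a typo and a terminology mismatch: "disassocate" should be "disassociate", and since the section title, the -0 option and the rest of the page all talk about deauthentication, the sentence should say "deauthentication packets" so readers do not conflate deauthentication and disassociation, which are two distinct 802.11 management frames. Smaller fixes in the same hunk: "if there are no associated wireless client or on fake authentications" should read "no associated wireless clients"; "lower then 64" should be "lower than 64"; the -c line under Typical Deauthentication reads "-c 000:" where the Usage section has "-c 00:"; and the bullet "How do you use this information?" asks a question the text never answers, so it should either be answered or removed.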
Line 21: | Line 58: | ||
aircrack-ng -w / | aircrack-ng -w / | ||
- | Here the explaination | + | Explanation |
- | airodump-ng -c 6 --bssid 00: | + | airodump-ng -c 6 --bssid 00: |
Where: | Where: | ||
*-c 6 is the channel to listen on | *-c 6 is the channel to listen on | ||
Line 30: | Line 67: | ||
*ath0 is the interface name | *ath0 is the interface name | ||
- | aireplay-ng -0 5 -a 00: | + | aireplay-ng -0 5 -a 00: |
Where: | Where: | ||
*-0 means deauthentication attack | *-0 means deauthentication attack | ||
Line 46: | Line 83: | ||
| | ||
- | + | ==== ARP request generation with a Prism2 card ==== | |
- | ===== ARP request generation with a Prism2 card ===== | + | |
airmon-ng start wlan0 | airmon-ng start wlan0 | ||
Line 58: | Line 94: | ||
If the driver is [[http:// | If the driver is [[http:// | ||
- | ===== Mass denial-of-service with a RT2500 | + | ===== Usage Tips ===== |
+ | |||
+ | It is usually more effective to target a specific station using the -c parameter. | ||
+ | |||
+ | The deauthentication packets are sent directly from your PC to the clients. | ||
+ | |||
+ | |||
+ | ===== Usage Troubleshooting ===== | ||
+ | |||
+ | ===== Why does deauthentication not work? ===== | ||
+ | |||
+ | There can be several reasons and one or more can affect you: | ||
+ | |||
+ | * You are physically too far away from the client(s). | ||
+ | * Wireless cards work in particular modes such b, g, n and so on. If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. | ||
+ | * Some clients ignore broadcast deauthentications. | ||
+ | * Clients may reconnect too fast for you to see that they had been disconnected. | ||
+ | |||
+ | |||
+ | ===== General | ||
- | airmon-ng start ra0 | + | See the general aireplay-ng troubleshooting ideas: [[aireplay-ng# |
- | | + | |
- | With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmwares ignore deauthentications sent to broadcasts, so you need to send them directly to them using the -c option as described above. |
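Review bot: in the new troubleshooting section, "===== Why does deauthentication not work? =====" uses the same heading level as "===== Usage Troubleshooting =====" directly above it, so it renders as a sibling section rather than a subsection; it should be a ==== level heading, matching the ==== subsections under Usage Examples. In the wireless-mode bullet, "such b, g, n" should be "such as b, g, n" and "a different mode then the client card" should be "than". Also, the removed "Mass denial-of-service" paragraph's explanation that up-to-date drivers and firmware ignore deauthentications sent to the broadcast address survives only as the shorter bullet "Some clients ignore broadcast deauthentications"; keeping the reason (driver/firmware behaviour) in that bullet would make the Usage Tips recommendation of the -c parameter easier to understand.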
deauthentication.1169837863.txt.gz · Last modified: 2007/01/26 19:57 (external edit)