How To Wireless Deauthentication Attack

July 17, 2015 by Matthew Knight

Wireless deauth attack

Wireless deauth attack or a Wireless Deauthentication Attack sends Wireless Deauthentication Packet to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons: Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”.
Capturing WPA/WPA2 handshakes by forcing clients to re authenticate Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) wireless deauth attack is pretending to be the access point asking the client to re connect.

You spoof a re authorization packet to the client which makes the client try to reconnect to the access point. However, because you are constantly sending these packets the client can't connect because they continuously need to re authenticate.

This is also how people kick users to set up a man in the middle attack. When you kick the client the client will automatically find another known access point. If you provide that to then they will connect to it.

However, we are not going to get in to man in the middle attacks today. Maybe another time. ;-)
First of all you are going to need a few things to make this work.aircrack-ng ( mdk3

You should be able to find these on Kali Linux.
Your wireless card also needs to support injection and monitor mode.
Need one?
Check these out:
Compatible Wireless Cards: Alfa Networks AWUS036H - Works! Alfa Network AWUS036NH - Untested! TP-LINK TL-WN722N - Works!
Getting a low signal to the target network?
Order a WiFi signal amplifier: WiFi signal amplifier Signal gain could be increase by -20 dbi.
Its possible to do this with just aircrack-ng but I prefer mdk3 for the actual deauthing.
First thing we need to do is see if your wireless card supports injection and monitor mode.
For the sake of this tip we will call your wireless device wlan0. If you need to know what yours is type this command. ifconfig -a
Now look for the wlanx that you want to use. Most people will only have one unless your like me and use two wireless cards. First take your card down with this command ifconfig wlan0 down
For testing injection type this
aireplay-ng -9 wlan0You should get something back that says "Injection is working!"Now to test if your card support monitor mode.
We first need the physical name of the wireless card. For this run. airmon-ng
Identify your card on the list and look for the phy#Once you have it run this but replace phy0 with yours.
iw phy phy0 info |grep -A8 modes
Under supported interface modes it should have "monitor" listed.
So if everything’s cool lets move on. If not you may need newer drivers or a different wireless card. Now we are ready to have some fun with a Wireless Deauth Attack You need to get some info about your access point to proceed. So at this point disconnect from your network and lets get to it. Use this command to get info about your access point. airodump-ng wlan0 This should start packet capturing all wireless traffic. Once you see yours hit Ctrl+C to cancel the capture.Take note of your essid, mac address, and channel. once you have it lets take a closer look at whos on line with the same command but a little different. You have to make sure your wireless card is set to the same channel as your access point.

Theirs a bug in aircrack-ng that will not do it for you. At least there was for me.
For this step I will number the steps to make it easier to start over it it doesn't work. A way to avoid the channel -1 bug in aircrack. Just skip step 3 and don't use airmon-ng to put your card in monitor mode.

This will stop the mon0 interface from being created but airodump-ng will put your card in monitor mode.
1.) Bring your network card back up with this command.
ifconfig wlan0 up 2.) change your channel with iwconfig like this. My channel is 6. Make sure you use the channel you got earlier. iwconfig wlan0 channel 6 3.)Now put your card in monitor mode with this command. Don't forget to put the channel number at the end. airmon-ng start wlan0 6 4.)Bring your wireless card back down. ifconfig wlan0 down 5.) Now its time to find out who's on line. Run this command below. airodump-ng -c 6 --bssid {mac address for access point} wlan0 -c is for the channel number --bssid is for your mac address on your access point.If you want to store the captured packets just add the -w option with the location you want to store the capture files. This would look like this airodump-ng -c 6 --bssid {mac address for access point} -w {path and name of file} wlan0 Once airodump-ng starts running if you see something on the end of the top line that says something like stuck on channel -1 then you suffered from the same bug I did. To fix it hit Ctrl+C and run these two commands and then start over on step 1. airmon-ng stop mon0 airmon-ng stop wlan0 If you don't see that error then your good. Now kick back and watch the stations appear. Each system on the network will show up at the bottom as they use the wireless. You can cross reference the first three MAC segments xx:xx:xx on line to see the manufacturer until you find your pray. For me it was my dads laptop. Once you see the device you want to kick off the network write down the mac address and hit Ctrl+C to stop the packet capture. Now finally for the moment of truth. Which family member do you have in your sites. Once you pick one run this command. echo "xx:xx:xx:xx:xx:xx" > ./black.lst Replace the "xx" with the mac address of the victim. This creates a list of mac addresses you want to kick. If you want to add more then one change the > to >>.The final command. mdk3 wlan0 d -n {essid} -b ./black.lst Don't Include the { } in the essid. replace {essid} with the essid of the access point. That's it. As long as the command runs they will be kicked off line. Unless they spoof there mac address or use another access point. This also works well for neighbors that your wife gives the pass-phrase out to.

You can take this a step further and kick everyone off the access point with this command.
mdk3 wlan0 d -n {essid} Don't Include the { } in the essid. By just leaving out the black list you will kick off everyone on that access point. To stop the attack just hit Ctrl+C to kill the command and everyone will be able to connect again. Have fun and remember its cool to play with your own equipment but don't cause trouble for other people. That's not nice. ;-)

Usage Troubleshooting
Why does wireless deauth attack not work? There can be several reasons and one or more can affect you:
You are physically too far away from the client(s).

You need enough transmit power for the packets to reach and be heard by the clients. If you do a full packet capture, each packet sent to the client should result in an “ack” packet back. This means the client heard the packet. If there is no “ack” then likely it did not receive the packet. Wireless cards work in particular modes such b, g, n and so on.
If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission.

See the previous item for confirming the client received the packet. Some clients ignore broadcast wireless deauth attack.
If this is the case, you will need to send a Wireless Deauthentication Packet directed at the particular client.
Clients may reconnect too fast for you to see that they had been disconnected.
If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm wireless deauth attack worked.

Last edited by Matthew Knight on July 19, 2015 at 8:41 pm