Deauthentication Attack using Kali Linux
Surya Shankar
Posted on January 3, 2023
What is a Deauth Attack?
A deauthentication attack is a type of denial-of-service attack that targets the communication between a user (or all users) and a Wi-Fi access point.
This attack sends disassociation packets to one or more clients which are currently associated with a particular access point. Of course, this attack is useless if there are no associated wireless clients or no fake authentications.
The cool thing about this attack is that even today, when all networks are using WPA2 encryption, you can still easily deauth almost anything or anyone without even being inside the network!
Why does a deauth attack work on WPA2 despite encryption?
The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic.
Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted and as such are easily spoofed.
To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have it enabled) for it to function.
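Because the management frame header is sent in the clear, a monitoring station can read it too. The following is an added example (not part of the original post) of the defensive side of this: a minimal parser for the 24-byte 802.11 management header that flags a deauth/disassoc flood against a (BSSID, client) pair, run over a constructed in-memory capture with a made-up BSSID. It assumes raw 802.11 frames without a radiotap header.

```python
"""Detect deauth/disassoc floods in captured 802.11 management frames."""
import struct
from collections import Counter

MGMT_TYPE = 0
DEAUTH, DISASSOC = 12, 10          # management frame subtypes

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a management frame,
    or None for data/control frames. The header is never encrypted, which is
    why it can be read here and why it can be spoofed without the key."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = fc >> 4
    dst, src, bssid = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return subtype, dst, src, bssid, reason

def deauth_flood_alerts(frames, threshold=20):
    """Count deauth/disassoc frames per (bssid, dst) and flag any pair at or
    above `threshold`; a legitimate AP rarely kicks the same client repeatedly."""
    counts = Counter()
    for f in frames:
        parsed = parse_mgmt(f)
        if parsed and parsed[0] in (DEAUTH, DISASSOC):
            counts[(parsed[3], parsed[1])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample capture (not real traffic): frame control 0xC0 = deauth,
# addr1 = broadcast, addr2/addr3 = a made-up BSSID, reason code 7.
DEAUTH_FRAME = bytes.fromhex(
    "c000" "0000" "ffffffffffff" "0a1b2c3d4e5f" "0a1b2c3d4e5f" "0000" "0700")
# Frame control 0x40 = probe request from a made-up client; no reason-code body.
PROBE_REQ = bytes.fromhex(
    "4000" "0000" "ffffffffffff" "112233445566" "ffffffffffff" "0000")

SAMPLE_CAPTURE = [PROBE_REQ] + [DEAUTH_FRAME] * 64 + [PROBE_REQ]

if __name__ == "__main__":
    for (bssid, dst), n in deauth_flood_alerts(SAMPLE_CAPTURE).items():
        print(f"ALERT: {n} deauth/disassoc frames from {bssid} to {dst}")
```

With 802.11w enabled on both sides, forged frames like the constructed one above fail the MIC check and are dropped by the client; without it, this kind of per-pair rate count is the usual WIDS signal.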
A deauth attack is, most of the time, the first step of a greater attack, a gateway hack! Hackers usually need to deauth a user off a network so they can:
- Capture WPA/WPA2 4-Way Handshakes by forcing a user to reconnect to the network
- Force users to connect to their Rogue access point (search: Evil Twin Attack)
- Force users to connect to a Captive Portal for whatever reason
To perform this type of attack, you will need a Wi-Fi adapter.
The first command is iwconfig. Type it and execute it in your terminal:
iwconfig
**Note: Here you have to set your wlan0 from managed mode to monitor mode.**
Execute the command airodump-ng wlan0 in your terminal and start choosing targets.
airodump-ng wlan0
You can also run a more specific scan, like:
airodump-ng -d "target's BSSID" -c "target's channel number" "wireless adapter monitor mode name"
In our case the full command is:
airodump-ng -d <BSSID> -c 11 wlan0
The combination of BSSID and ESSID can help hackers find the physical location of a network.
The command will keep running and monitoring nearby access point behaviour, but as soon as we find our target on the list we can hit Ctrl+C to stop the monitoring process.
| Field | Meaning |
| --- | --- |
| BSSID | MAC address of the access point. |
| PWR | Signal level reported by the card. |
| Beacons | Number of announcement packets sent by the AP. |
| Data | Number of captured data packets (if WEP, unique IV count), including data broadcast packets. |
| #/s | Number of data packets per second, measured over the last 10 seconds. |
| CH | Channel number (taken from beacon packets). |
| MB | Maximum speed supported by the AP. |
| ENC | Encryption algorithm in use. |
| CIPHER | The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. |
| AUTH | The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP). |
| ESSID | Shows the wireless network name. |
I will be targeting my own Wi-Fi (Surya24)! You should understand that doing this to other APs is illegal unless you have permission.
Deauthenticating a device from the network (kicking)
The final command is:
aireplay-ng --deauth 10 -a <BSSID> -D wlan0
Now the user will get disconnected, and after the 10 deauth rounds have been sent the user's device will automatically reconnect.