deauthentication
Differences
This shows you the differences between two versions of the page.
| deauthentication [2007/01/26 19:19] – update for v0.7 and expand darkaudax | deauthentication [2010/11/21 13:34] (current) – typos sleek | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Deauthentication ====== | ====== Deauthentication ====== | ||
| - | ===== | + | ===== Description | 
| + | This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. | ||
| - | * Recovering a hidden | + | * Recovering a hidden ESSID.  This is an ESSID which is not being broadcast. | 
| - | * Capturing WPA handshakes by forcing clients to reauthenticate | + | * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate | 
| * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | ||
| + | Of course, this attack is totally useless if there are no associated wireless client or on fake authentications. | ||
| - | Of course, this attack | + | ===== Usage ===== | 
| - | It is usually more effective | + | |
| + |  | ||
| + | |||
| + | Where: | ||
| + | * -0 means deauthentication | ||
| + | * 1 is the number of deauths to send (you can send multiple | ||
| + | * -a 00: | ||
| + | * -c 00: | ||
| + | *ath0 is the interface name | ||
| + | |||
| + | ===== Usage Examples ===== | ||
| + | |||
| + | ==== Typical Deauthentication ==== | ||
| + | First, you determine a client which is currently connected. You need the MAC address for the following command: | ||
| + | |||
| + |  | ||
| + | |||
| + | Where: | ||
| + | * -0 means deauthentication | ||
| + | * 1 is the number of deauths | ||
| + | * -a 00: | ||
| + | * -c 000: | ||
| + | * ath0 is the interface name | ||
| + | |||
| + | Here is typical output: | ||
| + | |||
| + |  | ||
| + |  | ||
| + | |||
| + | For directed deauthentications, | ||
| + | |||
| + | Here is what the "[ 61|63 ACKs]" means: | ||
| + | |||
| + | * [ ACKs received from the client | ACKs received from the AP ] | ||
| + | * You will notice that the number in the example above is lower then 64 which is the number of packets sent.  It is not unusual to lose a few packets. | ||
| + | * How do you use this information? | ||
| + | |||
| - | ===== WPA Handshake capture with an Atheros | + | ==== WPA/WPA2 Handshake capture with an Atheros ==== | 
| airmon-ng start ath0 | airmon-ng start ath0 | ||
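Review bot: the added Description line spells "disassocate" and calls the frames disassociate packets, while the page heading and the Usage list ("-0 means deauthentication") call them deauthentication frames; fix the spelling and use one term consistently so readers do not take them for two different frame types. In the same hunk, "if there are no associated wireless client" needs the plural "clients", and the second "Where:" list gives "-c 000:" where the first list gives "-c 00:", which looks like a stray zero in the client MAC.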
| Line 20: | Line 58: | ||
| aircrack-ng -w / | aircrack-ng -w / | ||
| - | Here the explaination | + | Explanation | 
| - | airodump-ng -c 6 --bssid 00: | + | airodump-ng -c 6 --bssid 00: | 
| Where: | Where: | ||
| *-c 6 is the channel to listen on | *-c 6 is the channel to listen on | ||
| Line 29: | Line 67: | ||
| *ath0 is the interface name | *ath0 is the interface name | ||
| - | aireplay-ng -0 5 -a 00: | + | aireplay-ng -0 5 -a 00: | 
| Where: | Where: | ||
| *-0 means deauthentication attack | *-0 means deauthentication attack | ||
| Line 45: | Line 83: | ||
|  |  | ||
| - | + | ==== ARP request generation with a Prism2 card ==== | |
| - | ===== ARP request generation with a Prism2 card ===== | + | |
| airmon-ng start wlan0 | airmon-ng start wlan0 | ||
| - | airodump-ng | + | airodump-ng | 
| aireplay-ng -0 10 -a 00: | aireplay-ng -0 10 -a 00: | ||
| aireplay-ng -3 -b 00: | aireplay-ng -3 -b 00: | ||
| - | After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. | + | After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. | 
| If the driver is [[http:// | If the driver is [[http:// | ||
| - | ===== Mass denial-of-service with a RT2500 | + | ===== Usage Tips ===== | 
| + | |||
| + | It is usually more effective to target a specific station using the -c parameter. | ||
| + | |||
| + | The deauthentication packets are sent directly from your PC to the clients. | ||
| + | |||
| + | |||
| + | ===== Usage Troubleshooting ===== | ||
| + | |||
| + | ===== Why does deauthentication not work? ===== | ||
| + | |||
| + | There can be several reasons and one or more can affect you: | ||
| + | |||
| + | * You are physically too far away from the client(s). | ||
| + | * Wireless cards work in particular modes such b, g, n and so on.  If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. | ||
| + | * Some clients ignore broadcast deauthentications. | ||
| + | * Clients may reconnect too fast for you to see that they had been disconnected. | ||
| + | |||
| + | |||
| + | ===== General | ||
| - | airmon-ng start ra0 | + | See the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | 
| - |  | + | |
| - | With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmwares ignore deauthentications sent to broadcasts, so you need to send them directly to them using the -c option as described above. | ||
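Review bot: "===== Usage Troubleshooting =====" and "===== Why does deauthentication not work? =====" sit at the same heading level, so the question no longer nests under Troubleshooting the way "==== Typical Deauthentication ====" nests under "===== Usage Examples ====="; demote the question (and the "===== General" heading after it) to ==== to match the rest of this revision. In the reasons list, "such b, g, n" should read "such as b, g, n" and "a different mode then the client card" should read "than". The change from "five batches" to "ten batches" correctly matches the "-0 10" command shown above it, and the caveat from the removed mass denial-of-service paragraph (drivers and firmware that ignore broadcast deauthentications) survives as the "Some clients ignore broadcast deauthentications" bullet, so no information is lost by the deletion.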
deauthentication.1169835562.txt.gz · Last modified:  (external edit)