deauthentication
deauthentication [2007/01/26 19:57] – darkaudax | deauthentication [2008/04/09 23:45] – added troubleshooting as to why deauth may not work. darkaudax | ||
Line 1: | Line 1: | ||
====== Deauthentication ====== | ====== Deauthentication ====== | ||
- | ===== | + | ===== Description |
+ | This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. | ||
- | * Recovering a hidden | + | * Recovering a hidden ESSID. This is an ESSID which is not being broadcast. |
- | * Capturing WPA handshakes by forcing clients to reauthenticate | + | * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate |
* Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | ||
+ | Of course, this attack is totally useless if there are no associated wireless client or on a fake authentications. | ||
- | Of course, this attack | + | ===== Usage ===== |
- | It is usually more effective | + | |
+ | | ||
+ | |||
+ | Where: | ||
+ | * -0 means deauthentication | ||
+ | * 1 is the number of deauths to send (you can send muliple | ||
+ | * -a 00: | ||
+ | * -c 00: | ||
+ | *ath0 is the interface name | ||
+ | |||
+ | ===== Usage Examples ===== | ||
+ | |||
+ | ==== Typical Deauthentication ==== | ||
+ | First, you determine a client which is currently connected. You need the MAC address for the following command: | ||
+ | |||
+ | aireplay-ng -0 1 -a 00: | ||
+ | |||
+ | Where: | ||
+ | * -0 means deauthentication | ||
+ | * 1 is the number of deauths | ||
+ | * -a 00: | ||
+ | * -c 00: | ||
+ | *ath0 is the interface name | ||
+ | Here is what the ouput looks like: | ||
+ | | ||
- | ===== WPA Handshake capture with an Atheros | + | ==== WPA/WPA2 Handshake capture with an Atheros ==== |
airmon-ng start ath0 | airmon-ng start ath0 | ||
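Review bot: the new Description line says the attack "sends disassocate packets", while the heading, the "-0 means deauthentication" bullets and the rest of the page call it deauthentication; deauthentication and disassociation are distinct 802.11 management frames, so write "deauthentication packets" (and fix the spelling) so the description matches the option being documented. Smaller points in the same hunk: "no associated wireless client or on a fake authentications" reads better as "no associated wireless clients, or only fake authentications"; "muliple" and "ouput" are misspelled; and the "Where:" list added under Usage is repeated word for word under Typical Deauthentication, so keep one copy and refer to it from the other section.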
Line 23: | Line 49: | ||
Here the explaination of the above commands: | Here the explaination of the above commands: | ||
- | airodump-ng -c 6 --bssid 00: | + | airodump-ng -c 6 --bssid 00: |
Where: | Where: | ||
*-c 6 is the channel to listen on | *-c 6 is the channel to listen on | ||
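Review bot: the context line "Here the explaination of the above commands:" is missing its verb and misspells the noun; since this section is being touched, make it "Here is the explanation of the above commands:".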
Line 30: | Line 56: | ||
*ath0 is the interface name | *ath0 is the interface name | ||
- | aireplay-ng -0 5 -a 00: | + | aireplay-ng -0 5 -a 00: |
Where: | Where: | ||
*-0 means deauthentication attack | *-0 means deauthentication attack | ||
Line 46: | Line 72: | ||
| | ||
- | + | ==== ARP request generation with a Prism2 card ==== | |
- | ===== ARP request generation with a Prism2 card ===== | + | |
airmon-ng start wlan0 | airmon-ng start wlan0 | ||
Line 56: | Line 81: | ||
After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. | After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. | ||
- | If the driver is [[http:// | + | If the driver is [[http:// |
+ | |||
+ | ===== Usage Tips ===== | ||
+ | |||
+ | It is usually more effective to target a specific station using the -c parameter. | ||
+ | |||
+ | The deauthentication packets are sent directly from your PC to the clients. | ||
+ | |||
+ | |||
+ | ===== Usage Troubleshooting ===== | ||
+ | |||
+ | ===== Why does deauthentication not work? ===== | ||
+ | |||
+ | There can be several reasons and one or more can affect you: | ||
+ | |||
+ | * You are physically too far away from the client(s). | ||
+ | * Wireless cards work in particular modes such b, g, n and so on. If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. | ||
+ | * Some clients ignore broadcast deauthentications. | ||
+ | * Clients may reconnect too fast for you to see that they had been disconnected. | ||
- | ===== Mass denial-of-service with a RT2500 card ===== | + | ===== General |
- | airmon-ng start ra0 | + | See the general aireplay-ng troubleshooting ideas: [[aireplay-ng# |
- | | + | |
- | With parameter 0, this attack will loop forever sending deauthentication packets to the broadcast address, thus preventing clients from staying connected. Sadly, the most up-to-date drivers and firmwares ignore deauthentications sent to broadcasts, so you need to send them directly to them using the -c option as described above. |
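Review bot: the new "Why does deauthentication not work?" heading sits at the same ===== level as the "Usage Troubleshooting" heading directly above it, so it reads as a sibling section rather than the question that section answers; demote it to ==== to match how Usage Examples nests its sub-headings. In the bullet list, "modes such b, g, n" needs "such as", and "a different mode then the client card" should be "than". The Usage Tips sentence "The deauthentication packets are sent directly from your PC to the clients." states a fact without its consequence, and the first troubleshooting bullet ("You are physically too far away from the client(s)") is exactly that consequence, so link the two. Likewise, the removed RT2500 section's observation that current drivers and firmware ignore broadcast deauthentications survives only as the bare bullet "Some clients ignore broadcast deauthentications."; have that bullet point back to the "-c parameter" tip so the reader is not left without the explanation the old text gave.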
deauthentication.txt · Last modified: 2010/11/21 13:34 by sleek