deauthentication
Differences
deauthentication [2007/01/26 19:19] – update for v0.7 and expand darkaudax | deauthentication [2009/08/14 17:40] – typo mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Deauthentication ====== | ====== Deauthentication ====== | ||
- | ===== | + | ===== Description |
+ | This attack sends disassocate packets to one or more clients which are currently associated with a particular access point. | ||
- | * Recovering a hidden | + | * Recovering a hidden ESSID. This is an ESSID which is not being broadcast. |
- | * Capturing WPA handshakes by forcing clients to reauthenticate | + | * Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate |
* Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | * Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected) | ||
+ | Of course, this attack is totally useless if there are no associated wireless client or on fake authentications. | ||
- | Of course, this attack | + | ===== Usage ===== |
- | It is usually more effective | + | |
+ | | ||
+ | |||
+ | Where: | ||
+ | * -0 means deauthentication | ||
+ | * 1 is the number of deauths to send (you can send multiple | ||
+ | * -a 00: | ||
+ | * -c 00: | ||
+ | *ath0 is the interface name | ||
+ | |||
+ | ===== Usage Examples ===== | ||
+ | |||
+ | ==== Typical Deauthentication ==== | ||
+ | First, you determine a client which is currently connected. You need the MAC address for the following command: | ||
+ | |||
+ | aireplay-ng -0 1 -a 00: | ||
+ | |||
+ | Where: | ||
+ | * -0 means deauthentication | ||
+ | * 1 is the number of deauths | ||
+ | * -a 00: | ||
+ | * -c 00: | ||
+ | *ath0 is the interface name | ||
+ | |||
+ | Here is what the ouput looks like: | ||
+ | | ||
- | ===== WPA Handshake capture with an Atheros | + | ==== WPA/WPA2 Handshake capture with an Atheros ==== |
airmon-ng start ath0 | airmon-ng start ath0 | ||
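Review bot: in the new Description sentence, "disassocate packets" is misspelled and also names the wrong frame type for this page: attack -0 is described everywhere else here (heading, "-0 means deauthentication") as sending deauthentication packets, so "sends deauthentication packets to one or more clients" would be consistent. Smaller points in the same region: "wireless client" should be plural ("no associated wireless clients"), "ouput" should be "output", "*ath0" needs a space after the asterisk to match the other "* -a ..." bullets, and the "Where:" list under Usage is repeated verbatim under Typical Deauthentication; one of the two could simply refer to the other.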
Line 22: | Line 49: | ||
Here the explaination of the above commands: | Here the explaination of the above commands: | ||
- | airodump-ng -c 6 --bssid 00: | + | airodump-ng -c 6 --bssid 00: |
Where: | Where: | ||
*-c 6 is the channel to listen on | *-c 6 is the channel to listen on | ||
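Review bot: "explaination" in the unchanged lead sentence should be "explanation", and "*-c 6 is the channel to listen on" is missing the space after the asterisk that the "* -0 means deauthentication" items elsewhere on the page use; worth fixing while this block is being touched.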
Line 29: | Line 56: | ||
*ath0 is the interface name | *ath0 is the interface name | ||
- | aireplay-ng -0 5 -a 00: | + | aireplay-ng -0 5 -a 00: |
Where: | Where: | ||
*-0 means deauthentication attack | *-0 means deauthentication attack | ||
Line 45: | Line 72: | ||
| | ||
- | + | ==== ARP request generation with a Prism2 card ==== | |
- | ===== ARP request generation with a Prism2 card ===== | + | |
airmon-ng start wlan0 | airmon-ng start wlan0 | ||
- | airodump-ng | + | airodump-ng |
aireplay-ng -0 10 -a 00: | aireplay-ng -0 10 -a 00: | ||
aireplay-ng -3 -b 00: | aireplay-ng -3 -b 00: | ||
- | After sending the five batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. | + | After sending the ten batches of deauthentication packets, we start listening for ARP requests with attack 3. The -h option is mandatory and has to be the MAC address of an associated client. |
If the driver is [[http:// | If the driver is [[http:// | ||
- | ===== Mass denial-of-service with a RT2500 | + | ===== Usage Tips ===== |
+ | |||
+ | It is usually more effective to target a specific station using the -c parameter. | ||
+ | |||
+ | The deauthentication packets are sent directly from your PC to the clients. | ||
+ | |||
+ | |||
+ | ===== Usage Troubleshooting ===== | ||
+ | |||
+ | ===== Why does deauthentication not work? ===== | ||
+ | |||
+ | There can be several reasons and one or more can affect you: | ||
+ | |||
+ | * You are physically too far away from the client(s). | ||
+ | * Wireless cards work in particular modes such b, g, n and so on. If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. | ||
+ | * Some clients ignore broadcast deauthentications. | ||
+ | * Clients may reconnect too fast for you to see that they had been disconnected. | ||
+ | |||
+ | |||
+ | ===== General ===== | ||
+ | |||
+ | See the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | ||
+ | |||
+ | |||
+ | ===== Release Candidate or SVN Version Notes ===== | ||
+ | |||
+ | This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. | ||
+ | |||
+ | For directed deauthentications, | ||
+ | |||
+ | Here is a typical command: | ||
+ | |||
+ | aireplay-ng -0 1 -a 00: | ||
+ | |||
+ | Here is typical output: | ||
+ | |||
+ | | ||
+ | | ||
- | airmon-ng start ra0 | + | Here is what the "[ 61|63 ACKs]" means: |
- | aireplay-ng -0 0 -a 00:13: | + | |
- | With parameter 0, this attack | + | * [ ACKs received from the client | ACKs received from the AP ] |
+ | * You will notice that the number in the example above is lower then 64 which is the number of packets | ||
+ | * How do you use this information? | ||
+ |
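Review bot: the new "===== Why does deauthentication not work? =====" and "===== General =====" headings use the same level as their parent "===== Usage Troubleshooting =====", so they will not nest under it; "====" would match how "==== Typical Deauthentication ====" sits under "===== Usage Examples =====". Grammar in the same region: "such b, g, n" should be "such as b, g, n", "a different mode then the client card" and "lower then 64" should read "than", and "ONLY applies the latest SVN version" should be "applies to". The change from "five batches" to "ten batches" correctly matches the "aireplay-ng -0 10" command above it.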
deauthentication.txt · Last modified: 2010/11/21 13:34 by sleek