by vault, 18 July 2018
Wireless networks have become one of the most important parts of our lives, and we rely on them more every day. There is a well-known deauthentication attack on Wi-Fi which lets an attacker repeatedly kick a client off its network without ever joining that network or talking to the access point (AP) or the station (STA) in its own name. The attacker simply forges the deauthentication frames that normally pass between STA and AP, so each side believes the other asked it to disconnect.
Since this is one of the most widely used attacks in wireless cracking, it is worth knowing exactly how it works. If you already have a little background in cracking WPA/WPA2, jammers or capturing handshakes, you have probably come across aircrack-ng or mdk3. If not, both are well-written C utilities used to stress-test Wi-Fi networks; aireplay-ng, used below, is the frame-injection tool from the aircrack-ng suite.
If you are very new to this, the two paragraphs above may look intimidating at first. Keep going and it will get much easier.
You will need Kali or a similar Linux distribution, plus a wireless card and driver that support monitor mode and packet injection.
Put your wireless interface in monitor mode. Monitor mode lets us see other stations' frames as well as inject forged copies of them over the air.
$ airmon-ng start wlan1
Note that airmon-ng renames the interface to wlan1mon; use that name from here on. If airmon-ng warns about processes that could interfere (NetworkManager, wpa_supplicant), stop them first with airmon-ng check kill.
Now we need targets to work with. Run an airodump-ng scan of your area:
$ airodump-ng wlan1mon
In the screenshot above I have highlighted the line of interest. The BSSID column is the MAC address of the access point, while the STATION column lists the MAC addresses of clients, whether currently associated with that AP or not. Look closely at the PWR column: it is the received signal strength in dBm, which tells you roughly how close you are to the AP or station.
A higher (less negative) value means a stronger signal and a shorter distance to the target. The closer you are to the client, the more likely it is to hear your forged frames and drop off, so pick a pair you receive well. Copy both MAC addresses, AP and station, somewhere you can easily find them again.
Now we are going to send deauth frames with aireplay-ng. Before that, our card must be on the same channel as the access point, otherwise the frames never reach anyone. Read the channel off the CH column of the airodump-ng screenshot:
Then set the channel:
$ iwconfig wlan1mon channel 6
Fire the aireplay-ng command with the following syntax:
$ aireplay-ng -0 0 -a [BSSID OF AP] wlan1mon
Note the parameters: -0 (equivalently --deauth) selects the deauthentication attack and takes the number of rounds to send, where 0 means keep sending until you press Ctrl-C; -a is the BSSID of the access point.
Because no client was specified, the frames were sent to the broadcast address FF:FF:FF:FF:FF:FF, which means every station associated with that AP.
A few rounds of deauth frames are enough to disconnect the stations when you are running tests or capturing a WPA handshake: the clients reconnect right away, and that reconnection is where the handshake is captured. A long-running attack keeps the devices from reconnecting at all, and in the end the user may have to reconnect manually from the Wi-Fi manager.
A deauthentication frame is a subtype of management frame, the class of frames used to manage the relationship between a station and an AP. In the original 802.11 design management frames carry no authenticity check at all: nothing in the frame proves who really sent it, so a station accepts a deauth carrying the AP's MAC as source address whoever actually transmitted it. This is the gap the attacker exploits. The fix is 802.11w, Protected Management Frames (PMF), which adds integrity protection to deauthentication and disassociation frames; where both AP and client enforce it (it is mandatory in WPA3), forged deauths are simply discarded.
Now let's disconnect just the target station we chose. This takes an extra argument:
$ aireplay-ng -0 2 -a [MAC of AP] -c [MAC of Client] wlan1mon
This time we added -c, which takes the client's MAC address, as you can see in the screenshot. Instead of broadcasting, aireplay-ng now sends directed deauth frames spoofed in both directions: to the client as if from the AP, and to the AP as if from the client. The attack was also run for only 2 rounds, as given by the count after -0.
There is another well-known utility, mdk3, which is in a way deadlier than aireplay-ng: its deauthentication mode (d, "Deauthentication / Disassociation Amok Mode") has no count option at all and keeps sending frames until you stop it.
mdk3 sends its deauth/disassoc frames as it discovers clients from the data frames it captures, rather than firing at the broadcast address (FF:FF:FF:FF:FF:FF). Run without any list it will kick every client it sees in range, so scope it. We have two options: a blacklist of target MACs (only these are attacked) or a whitelist of non-target MACs (everything except these is attacked). Put your own devices in the whitelist.
Build the blacklist or whitelist like this, one MAC per line:
$ echo [TARGET MAC] >> /tmp/blacklist
Start mdk3 in deauth mode with the blacklist, or alternatively with the whitelist:
$ mdk3 wlan1mon d -b /tmp/blacklist
$ mdk3 wlan1mon d -w /tmp/whitelist
If you find yourself on the receiving end of this, maybe someone is attacking your network, you can verify it by looking for deauth frames in your area. Let's try Wireshark: start it on the monitor-mode interface and apply the following display filter:
(wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c)
This says that the frame control type field of a deauth frame is 0 (management) while the subtype is 0x0c (12). Since wlan.fc.type_subtype already combines the two, the second clause alone would do. The reason code (wlan.fixed.reason_code) is also worth a look: aireplay-ng sends code 7, "Class 3 frame received from nonassociated STA", by default.
Now, if your interface sniffs any deauthentication frames, they will show up in Wireshark. Expand the IEEE 802.11 header to see who was the sender and who was the receiver. A flood of deauths carrying your AP's MAC as transmitter, at a rate no real AP would produce, is the signature of this attack:
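To make both sides of this concrete, here is an added example (my own code, not from the original post or from the aircrack-ng or Wireshark projects) that builds a raw 802.11 deauthentication frame byte by byte, parses frames back into the fields the Wireshark filter above tests, and runs a simple flood detector over a constructed capture. It shows why the forgery described earlier is trivial (the frame is a 24-byte header plus a 2-byte reason code, with no field that proves who sent it) and what a detector should key on. All MAC addresses, timestamps and the 20-frames-in-2-seconds threshold are invented for the example; the sample "capture" is constructed in code, not recorded off the air.

```python
"""Added example: build, parse and detect 802.11 deauthentication frames.
Not from the original post. MACs and timestamps below are constructed."""
import struct
from collections import defaultdict

SUBTYPE_DEAUTH = 0x0C          # wlan.fc.type_subtype == 0x0c in the Wireshark filter
SUBTYPE_BEACON = 0x08
REASON_CLASS3_NONASSOC = 7     # "Class 3 frame received from nonassociated STA" (aireplay-ng default)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, dst, src, bssid, body=b"", seq=0):
    """Management frame: FC(2) duration(2) addr1 addr2 addr3 seqctl(2) + body.
    FC byte 0 = protocol version (2 bits) | type (2 bits) | subtype (4 bits);
    type 0 is management, so only the subtype varies here."""
    fc0 = (subtype << 4) | (0 << 2) | 0
    header = (struct.pack("<BBH", fc0, 0x00, 0)           # FC, flags, duration
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
              + struct.pack("<H", (seq & 0xFFF) << 4))    # sequence number, fragment 0
    return header + body


def build_deauth(dst, src, bssid, reason=REASON_CLASS3_NONASSOC, seq=0):
    """A deauth is just the header plus a 2-byte reason code. There is no MIC or
    signature, so anyone with a monitor-mode card can put the AP's MAC in addr2
    and the client obeys, unless 802.11w (PMF) is enforced on both sides."""
    return build_mgmt(SUBTYPE_DEAUTH, dst, src, bssid, struct.pack("<H", reason), seq)


def parse_mgmt(frame):
    """Decode the fields the Wireshark filter and a defender care about."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    info = {
        "type": ftype,
        "subtype": subtype,
        "deauth": ftype == 0 and subtype == SUBTYPE_DEAUTH,   # same test as the filter
        "addr1": mac_str(frame[4:10]),    # receiver
        "addr2": mac_str(frame[10:16]),   # transmitter (the spoofed address in an attack)
        "addr3": mac_str(frame[16:22]),   # BSSID
        "reason": None,
    }
    if info["deauth"] and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def find_deauth_floods(timed_frames, threshold=20, window=2.0):
    """timed_frames: iterable of (timestamp_seconds, raw_frame).
    Returns {transmitter_mac: peak_count} for transmitters that sent at least
    `threshold` deauths inside any `window`-second span. Threshold is invented;
    tune it to what your own APs produce (a legitimate AP sends very few)."""
    times_by_tx = defaultdict(list)
    for ts, raw in timed_frames:
        p = parse_mgmt(raw)
        if p and p["deauth"]:
            times_by_tx[p["addr2"]].append(ts)
    floods = {}
    for tx, times in times_by_tx.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[tx] = peak
    return floods


def sample_capture():
    """Constructed capture: one 64-frame broadcast deauth burst spoofed as AP_A
    (the shape of a single aireplay-ng -0 round), a beacon, and one genuine
    deauth from AP_B dropping an idle client. Addresses and times are made up."""
    ap_a, ap_b, client = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"
    frames = [(0.00, build_mgmt(SUBTYPE_BEACON, BROADCAST, ap_a, ap_a))]   # header-only beacon
    frames += [(0.10 + i * 0.01, build_deauth(BROADCAST, ap_a, ap_a, seq=i)) for i in range(64)]
    frames.append((1.50, build_deauth(client, ap_b, ap_b, reason=4)))      # reason 4: inactivity
    return frames


if __name__ == "__main__":
    for tx, n in find_deauth_floods(sample_capture()).items():
        print(f"possible deauth flood spoofing {tx}: {n} frames within 2 s")
```

Running it reports a flood spoofing 00:11:22:33:44:55 (64 frames) and stays quiet about the single inactivity deauth from the other AP, which is the distinction a defender wants: volume and rate from one transmitter address, not the mere presence of a deauth. On a live system you would feed find_deauth_floods from a pcap of the monitor interface instead of sample_capture.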
We saw what deauthentication frames are and how they can be abused to target an AP and its station regardless of whether you have any relationship with either of them. We used aireplay-ng and mdk3 to send them, and finally Wireshark to detect them when someone else is doing the sending.