How to Perform a Wi-Fi Deauthentication Attack
Learn how Wi-Fi deauthentication attacks work and how targets can be forcibly disconnected from a network. This tutorial explains the concept and demonstrates the process in a controlled environment.
The information in this article is meant for educational purposes only. There should be no attempt to practice the discussed concepts in this article on unauthorized systems. Please use this knowledge responsibly and ethically.
Today I’m going to show you how to perform a deauthentication attack. You’ll be able to deauthenticate (or disconnect) any user connected to the same Wi-Fi network as you. You don’t have to be the owner of the Wi-Fi network to do so. I mean, if you were, it wouldn’t be called an attack.
Note: I am going to carry out this demonstration using Kali Linux, as it is the preferred OS in the hacking community. If you don’t know Kali or don’t have it installed, refer to this guide.
What we’ll be doing. Don’t worry if it doesn’t make sense for now.
Personally, when it comes to the issue of public Wi-Fi, I do not like to sugarcoat it. I always tell people not to use it (if you can afford not to). I tell people this because of attacks like the one I am about to show you. Imagine being in a very important (virtual) meeting and all of a sudden your connection is interrupted. Or you’re trying to make a payment or purchase within a time limit and, because your connection got interrupted, you’re unable to. This can be quite costly.
This deauthentication attack is a form of DoS (denial of service). Technically, you send the router (access point) a forged deauthentication frame that appears to come from the target, telling the router that the target wants to leave the network. That’s how the attack works. We’ll see the demo shortly.
Please note that I’m not showing you this attack so you can disrupt someone’s meeting or payments. For security practitioners and enthusiasts, this attack can also be very handy when carrying out a pentest: it can be used to determine how resistant a network is to this kind of attack. Also, say you find that malicious activities are being carried out on a network and you do not have administrative access to kick the attackers off the network; this can come in handy until you get in touch with the administrator. Like I always tell people, hacking is a double-edged sword, and how we use it determines whether we are on track or not. Gone are the days of approaching security from just a defensive perspective. Today, we need to go both defensive and offensive.
Note: To carry out this attack, you need a wireless adapter.
A wireless adapter is hardware that enables devices to connect to Wi-Fi networks. In deauthentication attacks, it’s used to send unauthorized disconnect signals. In defense, it’s used to monitor for and counter these attacks. These adapters are quite affordable. You can get one for as low as $25, and there are even cheaper ones. Just make sure you get an adapter that supports packet injection, monitor mode and AP mode, so do well to read the description before buying. You can get yours here.
To follow along, connect your wireless adapter to Kali Linux, open up your terminal in Kali, and connect to a Wi-Fi network you have permission to test. Try to connect as many devices as possible to the network for testing purposes. Also make sure you run all the following commands as the root user.
The first command you should type in your terminal:
$ ifconfig
ifconfig is a command-line utility used to display or configure network interfaces on a Unix-like operating system.
Result of running ifconfig
As you can see, there are three interfaces listed: eth0, lo and wlan0.
- eth0: Refers to the first Ethernet network interface on a system. It’s used for wired network connections.
- lo: Stands for loopback. It’s a virtual network interface that allows a computer to communicate with itself using the IP address 127.0.0.1. It’s often used for testing network services on the local machine.
- wlan0: Represents the first wireless network interface on a system. It’s used for connecting to Wi-Fi networks wirelessly. In our case it represents our wireless adapter connected to a Wi-Fi network. Yours might be wlan0mon or another name; it doesn’t matter. Just replace wlan0 with the name of your interface when running the commands.
Next up, we need to enable monitor mode on our wireless adapter. Monitor mode is a capability of a wireless network interface that allows it to capture and analyze wireless network traffic without actively participating in any specific network. In plain terms, we use it to see all networks within range.
To do that, first we run:
$ iwconfig
iwconfig is quite similar to ifconfig. The difference is that, unlike ifconfig, iwconfig only displays the wireless interfaces.
Notice it is in managed mode
Our wireless adapter is currently in managed mode. In managed mode, we cannot achieve what we want (as in listing Wi-Fi networks within range). So, we need to switch to monitor mode.
To do that, we run:
$ ifconfig wlan0 down
This command disables (turns off) the wireless network interface wlan0 (our wireless adapter). It effectively disconnects the wireless interface from any active network connections. We need it off because we are about to switch it to a different mode (monitor), and we can’t do that while it is running.
Next,
$ airmon-ng check kill
This command stops processes that might interfere with monitor mode on wireless interfaces. It helps ensure a clean environment for performing wireless network analysis.
Then the main,
$ iwconfig wlan0 mode monitor
This is quite straightforward. The command enables monitor mode on wlan0 (our wireless adapter).
Afterwards, we bring the interface back up:
$ ifconfig wlan0 up
Previously discussed commands
Moving on, the next thing to do, since we are now in monitor mode, is to list all available Wi-Fi networks around us and the devices connected to the same network as us. We do that by running:
$ airodump-ng wlan0
Airodump-ng is part of the Aircrack-ng suite, which comes pre-installed with Kali Linux. However, if for some reason you don’t have Aircrack-ng, you can simply install it by running:
$ sudo apt-get update
$ sudo apt-get install aircrack-ng
These are all the users connected to the same Wi-Fi network. Use Ctrl+C to end the process.
From the first row of data, we have:
- BSSID: Stands for Basic Service Set Identifier. It’s the MAC address of the wireless access point (AP). Basically the MAC address of the Wi-Fi network.
- PWR: Represents the signal strength of the AP as perceived by your wireless adapter. A lower value indicates a stronger signal.
- Beacons: Indicates the number of beacons sent by the AP. Beacons are management frames used by APs to announce their presence and capabilities.
- Data: Represents the number of data frames transmitted by or to the AP. This value helps estimate the amount of network activity. The accompanying /s column shows the rate of data frames per second.
- CH: Represents the channel number on which the AP (Access point) is operating. It indicates the specific radio frequency channel the AP uses for communication.
- Maximum Bitrate: shows the highest data transfer rate (in Mbps) the wireless access point supports for communication.
- Privacy: Indicates whether encryption is used for the network. WEP indicates WEP encryption, WPA indicates WPA/WPA2 encryption, and OPN indicates an open network.
- Cipher: Specifies the encryption algorithm used. Common values include CCMP for AES encryption and TKIP for Temporal Key Integrity Protocol.
- Authentication: Shows the authentication method used by the network. MGT is Management Frame Protection (WPA/WPA2), PSK is pre-shared key (WPA/WPA2), and OPN is open.
- ESSID: Stands for Extended Service Set Identifier. This is basically the name of the wireless network, often referred to as the SSID.
From the second row, we have the STATION parameter. This is the MAC address of each client device (user) connected to the wireless (Wi-Fi) network. Notice how they all have the same BSSID? It means they’re all connected to the same Wi-Fi network, in this case the same network as me. By the way, a MAC address, short for Media Access Control address, is a unique identifier assigned to network devices, like network interface cards (NICs) and wireless adapters, to identify them on a network. This parameter is important for deauthenticating the user.
Now obviously, in the output I just showed you, there was only one available Wi-Fi network. That is because this is just for demonstration purposes. In a real-life scenario, you may see more Wi-Fi networks. The procedure is exactly the same. In a scenario where you have multiple networks, to see the devices connected to a particular network, after running airodump-ng wlan0, run:
$ airodump-ng --bssid [of the target network] --channel [channel number] [interface e.g wlan0]
This would give you information specific to the selected Wi-Fi network. We didn’t need to do that because we were already able to see all devices connected to the only Wi-Fi network available.
Now we have all the info we need to deauthenticate our target. So to do that, assuming we want to deauthenticate the third station, which is an iPhone, we run:
$ aireplay-ng --deauth 3000000 -a 98:A9:42:2D:06:B1 -c B2:FA:2C:79:63:22
Don’t worry, I’ll explain the command.
Target getting Deauthenticated
Notice the top right of the screen shows the iPhone lost its connection.
Please make sure to replace these arguments with your actual targets when testing. And please, only test on devices you have authorization to test on.
Explaining the deauthentication command:
--deauth 3000000000: Sends deauthentication frames continuously (3 hundred million times in this case) to disrupt devices on the network. Feel free to experiment with other numbers of frames. While testing I noticed that extremely large numbers didn’t really get the job done; for testing, 300 million is fine. Also, remember that this parameter determines how long the user stays deauthenticated.
-a 98:A9:42:2D:06:B1: Specifies the Wi-Fi network’s BSSID (Access Point’s MAC address).
-c B2:FA:2C:79:63:22: Specifies the target’s client MAC address.
This attack disconnects the target device from the network temporarily, until the 300 million frames are exhausted. That’s quite some time, and we still have the option of running it again. Also, sometimes you might encounter errors about mismatching channels. Don’t panic; just keep running the program until the channels match. An average of 3–4 tries should do. This is quite rare, I just thought to let you know.
So, there you have it: this is how to deauthenticate any user from any Wi-Fi network. You can easily find out your target’s MAC address by using network scanning tools like netdiscover, or through social engineering.
During a pentest engagement, to test users’ resilience to social engineering, you can deauthenticate a highly privileged user, then call and tell them there’s an issue and that certain information is required from them to fix it. They’re very likely to believe you because they don’t expect you to know that their Wi-Fi just went out.
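From the defender’s side, the attack described above has a very visible signature: a burst of deauthentication (or disassociation) management frames for one BSSID/station pair, spoofed in both directions. The following detector is an added example written for this article, not part of the original tutorial or of the Aircrack-ng suite; it parses raw 802.11 management frames captured on a monitor-mode interface, counts deauth/disassoc frames per (BSSID, station) pair in a sliding window and flags a flood. The frames, timestamps, MAC addresses and the threshold are constructed for the demo.

```python
# Added example: minimal 802.11 deauthentication-flood detector.
# Works on raw 802.11 frames (no radiotap header), e.g. as written by
# airodump-ng with "--output-format pcap" and then stripped of radiotap.
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC, 0xA  # management (type 0) subtypes

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, bssid, reason) for a deauth/disassoc
    frame, or None for any other frame. Header layout: FC(2) duration(2)
    addr1(6) addr2(6) addr3(6) seq(2), then a 2-byte reason code."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, a1, a2, a3, reason

def build_frame(subtype: int, a1: str, a2: str, a3: str, reason: int = 7) -> bytes:
    """Constructed test input: a management frame of the given subtype.
    Reason 7 is 'class 3 frame received from nonassociated STA'."""
    fc = bytes([subtype << 4, 0])           # version 0, type 0 (management)
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (a1, a2, a3))
    return fc + b"\x00\x00" + macs + b"\x00\x00" + struct.pack("<H", reason)

class DeauthFloodDetector:
    """Flags a (BSSID, station) pair once `threshold` deauth/disassoc frames
    are seen within `window_s` seconds. Frames spoofed AP->client and
    client->AP both count toward the same pair."""
    def __init__(self, threshold: int = 10, window_s: float = 1.0):
        self.threshold, self.window = threshold, window_s
        self.hits = defaultdict(deque)      # (bssid, station) -> timestamps

    def feed(self, ts: float, frame: bytes):
        """Feed one frame; return the flooding (bssid, station) pair or None."""
        parsed = parse_mgmt(frame)
        if parsed is None:
            return None
        _, a1, a2, bssid, _ = parsed
        station = a2 if a1 == bssid else a1  # the non-AP side of the pair
        q = self.hits[(bssid, station)]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                      # drop hits outside the window
        return (bssid, station) if len(q) >= self.threshold else None
```

A flagged pair tells you which client is being pushed off which AP, which is also the information you need to check whether the AP and client support Protected Management Frames, the standard mitigation for this attack.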
Finally, social engineering is the art of manipulating people into disclosing confidential information, performing actions, or making decisions that compromise their own security or the security of an organization. It involves exploiting psychological traits, emotions, and social dynamics to deceive individuals into revealing sensitive data, clicking on malicious links, providing access to secure areas, or taking actions that can lead to unauthorized access or data breaches. Social engineering attacks target the human element of security rather than relying solely on technical vulnerabilities. In my opinion, this is the most difficult element to protect against in security. To learn how to protect against social engineering, check out our eBook!
Till next time!