Click here to view the updated version of this post: _This post will show you how to disable a devices connection to WiFi using a detauthentication attack.A deauthentication…_skerritt.blog Forcing a device to disconnect from WiFi using a deauthentication attack This post will show you how to disable a devices connection to WiFi using a detauthentication attack. A deauthentication attack is a type of attack which targets the communication between router and the device. Effectively disabling the WiFi on the device. The deauthentication attack isn’t some special exploit of a bug. It’s a created protocol and is being used in real world applications. Deauthencation attack’s use a . This frame sent from a router to a device forces the device to disconnect. In technical terms it’s called: deauthenication frame “sanctioned technique to inform a rogue station that they have been disconnected from the network” This means that a device is on the network that shouldn’t be on the network. The router sends a deauthentication frame to the device telling it that it has been disconnected. I like to imagine the interaction goes something like this: Laptop asking a router if it can go to Google.com (this is the last bad comic you’ll see here I promise) Router denying the request and forcing the laptop to disconnect from the network In 2015, a showed that some AirBNB’s have hidden cameras which spy on their occupants. report In response, a programmer created a simple shell script. This script auto-detected the cameras and kicked them from the network using the techniques you will learn: _bin/bash # # DROPKICK.SH # # Detect and Disconnect the DropCam and Withings devices some people are using to # spy on…_julianoliver.com Detect and disconnect WiFi cameras in that AirBnB you’re staying in The same author wrote a script to auto-kick off Google Glass _bin/bash # # GLASSHOLE.SH # # Find and kick Google Glass devices from your local wireless network. Requires # ‘beep’…_julianoliver.com Find a Google Glass and kick it from the network You know the drill. Don’t do this to anyone else that isn’t you unless you have their permission. I am not advocating hacking. Disclaimer: illegal How do you perform a deauthentication attack? The 2 important things we need to know are: The device we want to kick off of the network The router that the device is connected to I will go over how to get both in this tutorial. This attack is done using Kali Linux but can be done on Mac OS, Linux or . For best results, use . Bash on Windows Kali Linux Firstly we need to install the aircrack-ng suite. Open up a Linux like terminal and run: sudo apt install aircrack-ng Now run iwconfig This will show you what your wireless card is called. Image shows the command being run with 3 network cards, eth0, lo and wlan0. wlan0 is the only one with information. In this instance, my wireless card is called wlan0. iwconfig only shows you the wireless interfaces. lo and eth0 don’t come up since they are not wireless. This means we know for sure wlan0 is the wireless interface. Next run this command: airmon-ng start wlan0 where wlan0 is your network card. This will put your card into which allows the card to monitor all traffic on the network. monitor mode Now that the wireless card is in monitor mode we want to see every router around us. You will need to as this command will change your network card name. In most cases it changes it to mon0 but in mine it’s changed to wlan0mon. run iwconfig again Run this command with your new network card name: airdump-ng wlan0mon And you should see something like this: This is every single router in range. We need to know what router the device is on. You can tell how close a router is by the PWR column. PWR is the signal strength, how close it is to you. The closer it is, the larger the signal strength. In this instance our victim (my laptop) is on TP-LINK_32F604. We want to take note of 2 things here: The BSSID (mac address) of the router The Channel of the router A wireless router broadcasts the WiFi signal on channels ranging from 1 to 11. In this case, our router is on channel 1. The BSSID (also called a mac (media access control) address) is an address which specifies the router’s network card. The MAC address is made up of 2 parts, xx:xx:xx:yy:yy:yy The first part is xx:xx:xx. In this case, it’s C4:E9:84 These groupings specify the maker of the network card. The last three groupings: yy:yy:yy. In this case, it’s 3F:26:04. These groupings specify the exact network card. Not the make or model but the exact network card, much like a license plate specifies the exact car. Each manufacture has a set of MAC addresses they’re allowed to use. These are the xx:xx:xx groupings. Within these mac addresses are the exact cards. You need both parts to find out the exact network card, but you only need the first grouping to find out the manufacturer. So far we have found out what the router is. Now we want to find out what the device is. To do this, run this command: airodump-ng wlan0mon --bssid [routers BSSID here]--channel [routers channel here] Running the command with the previous output above it Now you should see something like this: We need to know what specific device we want to boot off the network. We can see the router there. Luckily on this network there is only 1 device. If you wanted to find out what that device is you can run the first 3 groupings of the MAC address (called STATION here) into Google. I got back which is the correct device. this, So now we know the MAC address of the router and the MAC address of the device. Let’s initiate our attack. Run this command: aireplay-ng --deauth 0 -c [DEVICES MAC ADDRESS] -a [ROUTERS MAC ADDRESS] wlan0mon The 0 represents an infinite amount of deauth attacks. If you wanted to only run 3 deauth attacks you’ll change this to 3. -c is the client, what you’re attacking. This is the devices MAC address. -a is the router, what is the router the victim is connected to. wlan0mon is the name of the network card still in monitor mode. The device is now disconnected from the network! On the clients end it looks like this. The ping timed out and Windows disconnected from the router. These commands are simple but yet they are the cornerstone of most cyber security toolkits. Phishing attacks A simple deauthentication attack will force a victim to reauthenticate. The attacker can than sniff the WPA 4-way handshake and perform a WPA bruteforce attack on the password. Another attack that relies heavily on this deauthentication attack is forcing the user to connect to an access point you made. You’ll clone the users router onto your device, then you’ll deauthenticate the user and make sure your router has a higher signal than the original router. The users device will automatically connect to your router since it is “closer”. Once the users device is connected to your fake AP you can easily sniff all of their outgoing and incoming connections. In the next tutorial, we’ll go over how to force a device to connect to a spoofed access point. Be sure to follow me to keep up to date with this. Did you like this article? Connect with me on or . Twitter LinkedIn
