Deauthentication – N10-008 CompTIA Network+ : 4.2

Older 802.11 networks are susceptible to deauthentication attacks. In this video, you’ll learn how deauthentication attacks work and how to prevent them on your wireless network.


Here’s a scenario you might find yourself in. You’re on a wireless network, working normally, and then all of a sudden the wireless network is no longer there. So you reconnect to the wireless network again, you start doing more work, and then you find the wireless network is unavailable again. So you try connecting again, and you notice over and over again, the wireless network is suddenly disappearing. There’s really nothing you can do to keep that network from connecting, and you eventually need to find a very long patch cable and connect into the wired ethernet network.

It may be that the problem you’re having is related to wireless authentication. You might also hear this referred to as wireless disassociation. This is a denial of service attack where a third party can send specially crafted frames to disconnect your station from the wireless network.

On your wireless network there’s a lot of activity that’s happening behind the scenes. There are 802.11 management frames that are responsible for making sure that people can connect to the network, disconnect from the network, properly authenticate, and many other processes as well. It’s important that your wireless network is able to use these management frames, because without those, you wouldn’t be able to find an access point, manage quality of service, or disconnect from the access point.

Unfortunately, the original 802.11 standards didn’t include any security for these management frames, and that’s why someone is able to take advantage of this denial of service attack. If we were to capture packets on a wireless network, we would be able to see all of the management frames going back and forth, and the information inside of them. This is a management frame from one of the access points on my network. It shows supported data rates, it shows power capabilities, supported channels, I can see vendor information, and you can see there’s a lot of detail about how this particular access point is able to operate.

Let’s perform a deauthentication attack against a device on my wireless network. On the left side, I have my mobile phone. This mobile phone has a particular Wi-Fi address. You can see that it’s Wi-Fi address ends in two echo fox delta. That’s going to be an important MAC address, because we’ll specify that during the authentication process.

On the right side, I have a Linux workstation where I’ll be performing the deauthentication attack. We’ll start by using the utility airodump-ng, and I’ll specify the wireless interface on this device. And it lists out for me the wireless access point. You can see the BSSIC here. And I can see all of the other devices that are connected to this wireless network.

You can see that one of the devices that is communicating on this wireless network ends in two echo fox delta. That is the MAC address of our Wi-Fi device that we have here on the left side, and that’s the device we will focus on for this deauthentication attack. You can see, on the left side, that this phone is currently connected to a wireless network. It’s the PM network, and that’s the one we’ll want to watch when we perform the deauthentication attack.

Let’s run the aireplay-ng utility. I’ll specify a -0 so that we’ll keep sending these deauthentications. I’ll specify the BSSID of the access point, and then I’ll tell what client MAC address we want to send these deauthentication frames to. And I’ll specify also the wireless device. Once I start this deauthentication attack, notice that I lose connectivity to the Wi-Fi network immediately. And as long as I keep this deauthentication process going, this phone will never be able to reconnect to this wireless network.

As you can tell, this is a significant denial of service attack, but fortunately, this particular problem has already been addressed by a new standard the 802.11w standard, and that was created in July of 2014. This has now encrypted these management frames so that no one can modify or take advantage of those management frames on the network. So the disassociation, deauthentication, channel switch announcements, and other important management frames are now encrypted and can’t be modified by a third party.

Of course, there are certain frames that you can’t encrypt so that you can first connect to this network. So frames like beacons, probes, authentication, and association frames are still sent in the clear, but they are not susceptible to these types of denial of service attacks. If you’re running an 802.11ac network or later, you’ll find that these 802.11w standards have already been incorporated into your network, and you’re no longer susceptible to these deauthentication attacks.