A Wi-Fi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a Wi-Fi wireless access point.

Unlike most radio jammers, deauthentication acts in a unique way. The IEEE 802.11 (Wi-Fi) protocol contains the provision for a deauthentication frame. Sending the frame from the access point to a station is called a “sanctioned technique to inform a rogue station that they have been disconnected from the network”.

This attack sends disassocate packets (frames) to one or more clients which are currently associated with a particular access point. Disassociating clients can be done for a number of reasons:

• Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”.
• Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
• Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

An attacker can send a deauthentication frame at any time to a wireless access point, with a spoofed address for the victim. The protocol does not require any encryption for this frame, even when the session was established with Wired Equivalent Privacy (WEP) for data privacy, and the attacker only needs to know the victim's MAC address, which is available in the clear through wireless network sniffing.

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

• -0 means deauthentication
• 1 is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
• -a 00:14:6C:7E:40:80 is the MAC address of the access point
• -c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
• ath0 is the interface name

First, you determine a client which is currently connected. You need the MAC address for the following command:

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D ath0

Where:

• -0 means deauthentication
• 1 is the number of deauths to send (you can send multiple if you wish)
• -a 00:14:6C:7E:40:80 is the MAC address of the access point
• -c 000:0F:B5:AE:CE:9D is the MAC address of the client you are deauthing
• ath0 is the interface name

Here is typical output:

 12:35:25  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
 12:35:25  Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]

For directed deauthentications, aireplay-ng sends out a total of 128 packets for each deauth you specify. 64 packets are sent to the AP itself and 64 packets are sent to the client.

Here is what the “[ 61|63 ACKs]” means:

• [ ACKs received from the client | ACKs received from the AP ]
• You will notice that the number in the example above is lower then 64 which is the number of packets sent. It is not unusual to lose a few packets. Conversely, if the client was actively communicating at the time, the counts could be greater then 64.
• How do you use this information? This gives you a good indication if the client and or AP heard the packets you sent. A zero value definitely tells the client and/or AP did not hear your packets. Very low values likely indicate you are quite a distance and the signal strength is poor.

It is usually more effective to target a specific station using the -c parameter.

The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them.

There can be several reasons and one or more can affect you:

• You are physically too far away from the client(s). You need enough transmit power for the packets to reach and be heard by the clients. If you do a full packet capture, each packet sent to the client should result in an “ack” packet back. This means the client heard the packet. If there is no “ack” then likely it did not receive the packet.
• Wireless cards work in particular modes such b, g, n and so on. If your card is in a different mode then the client card there is good chance that the client will not be able to correctly receive your transmission. See the previous item for confirming the client received the packet.
• Some clients ignore broadcast deauthentications. If this is the case, you will need to send a deauthentication directed at the particular client.
• Clients may reconnect too fast for you to see that they had been disconnected. If you do a full packet capture, you will be able to look for the reassociation packets in the capture to confirm deauthentication worked.