Deauthentication attack

In this part of the book, we discuss only attacks that we can launch on any network within our Wi-Fi range, even if the network uses encryption or a key. We don't have to connect to a network to launch these attacks.

Deauthentication attacks are very useful; they allow us to disconnect any device from any network that is within our Wi-Fi range. To perform the attack, we spoof our MAC address so that it matches the target's MAC address (the target being the client that we want to disconnect). Pretending to be the client, we send a deauthentication packet to the router, telling the router that we want to disconnect. At the same time, we spoof our MAC address to be the AP's MAC address, and tell the target client that it needs to re-authenticate itself. The connection is then lost.

Let's see how to do it, using a tool called aireplay-ng:

  1. First of all, we need to run airodump-ng on the target network, because we want to see which clients are connected to it. This time, we will not need the --write option, so we are just going to remove it. All we need are airodump-ng, the --channel (we put the channel of the target network), and the --bssid (the MAC address of the target network). The command will be as follows:
airodump-ng --channel 10 --bssid 00:10:18:90:2D:EE wlan0

We hit Enter, and we're sniffing on the target network, Test. This method will work on any device, whether it's a Linux, Windows, Mac, or Android device. It doesn't matter; they all use the same method of transferring packets.

Now, we're going to run aireplay-ng, to disassociate one of the devices from the network. We can run it to disassociate all devices, but I have found that when we do that, it doesn't really disassociate all of them, because there are too many targets to disassociate. So, we will choose one target, which will be the device 6C:C4:D5:6F:A6:DC.

  2. Using aireplay-ng, we will add --deauth (for a deauthentication attack), and then put the number of deauthentication packets that we're going to send; we will just put a very large number, to keep the device disconnected. Then, we will put the target AP (the MAC address of our target AP), and the source (or the client's MAC address), which is the device that we want to disconnect. We will also include wlan0, our Wi-Fi card in monitor mode. If we hit Enter, aireplay-ng will now send the deauthentication packets. The command will look as follows:
aireplay-ng --deauth 10000 -a EC:1A:59:5A:E1:46 -c 6C:C4:D5:6F:A6:DC wlan0

The output will be something like this:

Go to the target device and see if it still has an internet connection. We'll be able to see that it has lost connection, and it's trying to reconnect; it won't be able to, because we are still sending our deauthentication packets. We can launch this attack on any network that we choose; we don't need to know the password or key.
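
Seen from the defender's side, the burst of deauthentication frames produced by the steps above stands out in a monitor-mode capture. The following is an added example, not code from the book: it parses the 802.11 management header and flags any AP/client pair whose deauthentication rate exceeds a threshold. The threshold, window, function names, and sample frames are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 0xC0, 0xA0  # first frame-control byte: management subtype 12 / 10

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_mgmt(frame):
    """Return (dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26 or frame[0] not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # reason code follows 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(captures, threshold=20, window=1.0):
    """Return {(bssid, station): peak frames per window} for time-ordered (ts, frame) pairs."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in captures:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        dst, src, bssid, _ = parsed
        # Frames arrive in both directions, so key on the non-AP address.
        key = (bssid, dst if src == bssid else src)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps older than the sliding window
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts

def sample_frame(fc, dst, src, bssid, reason=7):
    """Build a constructed sample frame in memory (never transmitted)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return bytes([fc, 0, 0, 0]) + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + struct.pack("<H", reason)

AP, STA = "EC:1A:59:5A:E1:46", "6C:C4:D5:6F:A6:DC"  # addresses from the command above
OTHER = "02:00:00:00:00:01"                          # constructed address
SAMPLE = [(1.0, sample_frame(0x80, "FF:FF:FF:FF:FF:FF", AP, AP)),  # beacon, ignored
          (2.0, sample_frame(DEAUTH, AP, OTHER, AP, reason=3))]    # one isolated deauth
for i in range(64):  # constructed burst: 64 frames, 5 ms apart, alternating direction
    dst, src = (AP, STA) if i % 2 == 0 else (STA, AP)
    SAMPLE.append((10.0 + i * 0.005, sample_frame(DEAUTH, dst, src, AP)))

if __name__ == "__main__":
    for (bssid, sta), peak in detect_floods(SAMPLE).items():
        print(f"deauth flood: bssid={bssid} station={sta} peak={peak} frames/window")
```

Enabling protected management frames (IEEE 802.11w) on the AP and clients makes them discard unauthenticated deauthentication frames, so a detector like this matters most on networks where that protection is not enforced.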
