Active Attack

Using the information we gathered with Kismet during the recon step, we can target associated clients of a certain AP with forged deauthentication packets, which should cause the client to disassociate from the AP. We then listen for the reassociation and subsequent authentication. This is a little trickier and also detectable, since we're sending out packets. But it's much quicker than waiting for a genuine association (in most cases).

After identifying our target AP with associated clients, we need to set up the wireless hardware for packet injection. The aircrack suite has a little bash script to do just that.

First bring down the managed VAP (Virtual Access Point) with:

airmon-ng stop ath0

Figure 2: Bringing down the managed interface

Next, start up a VAP in "Monitor" mode:

airmon-ng start wifi0

Figure 3: Creating a monitor mode interface

Now we need to simultaneously deauthenticate a client and capture the resulting reauthentication. Open up two terminal windows. Start airodump-ng in one terminal:

General Form:

airodump-ng -w capture_file_prefix --channel channel_number interface

Example:

airodump-ng -w cap --channel 6 ath0

Figure 4: airodump-ng, up and running

Note: You can check which interface is in monitor mode by using iwconfig.

Next, run the deauthentication attack with aireplay-ng in the other terminal:

General Form:

aireplay-ng --deauth 1 -a MAC_of_AP -c MAC_of_client interface

Example:

aireplay-ng --deauth 1 -a 00:18:E7:02:4C:E6 -c 00:13:CE:21:54:14 ath0

Figure 5: A successfully sent deauthentication packet

If all goes well, the client should be deauthenticated from the AP and will usually reauthenticate. I like to keep the number of deauthentication packets sent to a minimum (one, in this case). This helps keep you under the radar, since programs like Kismet can detect deauthentication floods.

If the deauthentication was successful, airodump-ng displays a notification of the captured reauthentication event (boxed in red in Figure 6).

Figure 6: Successful WPA handshake capture
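
The text above notes that tools like Kismet can detect deauthentication floods; a single forged deauthentication is quieter, but a monitoring sensor can still spot it by correlating the deauthentication with the handshake that follows on the same link. The Python below is an added example, not part of the original article or of the aircrack suite; the function names, the 10-second window and the sample frames are constructed for illustration, and frames are assumed to be raw 802.11 with any radiotap header already stripped.

```python
# Added example: flag a deauthentication followed quickly by a new EAPOL handshake.
EAPOL_LLC = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header + EtherType 0x888E

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify(frame):
    """Return (kind, link) for a raw 802.11 frame without radiotap header, else None."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    # addr1 = receiver, addr2 = transmitter; in an infrastructure BSS one is the AP
    link = frozenset((mac(frame[4:10]), mac(frame[10:16])))
    if ftype == 0 and subtype == 12:          # management / deauthentication
        return "deauth", link
    if ftype == 2:                            # data frame
        body = 26 if subtype & 0x8 else 24    # QoS data has a 2-byte QoS field
        if frame[body:body + 8] == EAPOL_LLC:
            return "eapol", link
    return None

def forced_rehandshakes(capture, window=10.0):
    """Return [(link, t_deauth, t_eapol)] where EAPOL follows a deauth within `window` s."""
    last_deauth, alerts = {}, []
    for ts, frame in capture:
        hit = classify(frame)
        if hit is None:
            continue
        kind, link = hit
        if kind == "deauth":
            last_deauth[link] = ts
        elif link in last_deauth and ts - last_deauth[link] <= window:
            alerts.append((sorted(link), last_deauth.pop(link), ts))  # alert once per handshake
    return alerts

# Constructed sample frames (locally administered MACs, not from a real capture).
def hdr(fc0, fc1, a1, a2, a3):
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

AP, STA, STA2 = (bytes.fromhex("02000000000" + n) for n in "123")
KEY = EAPOL_LLC + b"\x02\x03\x00\x5f"         # start of an EAPOL-Key packet
CAPTURE = [
    (100.0, hdr(0xC0, 0x00, STA, AP, AP) + b"\x07\x00"),         # single deauth to STA
    (101.2, hdr(0x08, 0x02, STA, AP, AP) + KEY),                 # AP -> STA handshake msg
    (101.3, hdr(0x08, 0x01, AP, STA, AP) + KEY),                 # STA -> AP reply
    (300.0, hdr(0x88, 0x02, STA2, AP, AP) + b"\x00\x00" + KEY),  # STA2 joins, no deauth
]

if __name__ == "__main__":
    for link, t0, t1 in forced_rehandshakes(CAPTURE):
        print(f"deauth at {t0}s then EAPOL at {t1}s on {link}")
```

A genuine AP-initiated deauthentication followed by a reconnect produces the same pattern, so treat a hit as a lead to check against the AP's own logs rather than as proof of spoofing.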
