Deauthentication Attacks on 802.11x: how OSS tools can create and prevent the attacks


1. Today I would like to share my current research on 802.11x deauthentication attacks.

2. OSS tools used to attack and to detect/prevent:

  • aircrack-ng suite
  • python
  • scapy
  • rfkill

3. What is the problem statement?

  • The tremendous growth of Wi-Fi networks has increased the risk of attacks. This motivates hackers and script kiddies to find new ways to exploit Wi-Fi networks.
  • 802.11 a/b/g/n lacks protection for management frames: deauthentication frames are not encrypted and are sent in clear text.
  • This is not a bug or a vulnerability; it is how 802.11x was designed.
  • 802.11w was created to protect management frames, but most WLAN devices still use legacy 802.11 a/b/g/n, either on the AP or on the client. Thus almost all WLANs are exposed to these attacks.


4. What motivates these attacks?

  • Since management frames are not encrypted and are sent in plain text, anybody can manipulate them.
  • For instance, subtype 12 of the management frame type is the Deauthentication frame. This subtype is used to deauthenticate a client from the AP.
  • Thus the client disconnects from its currently connected AP.
  • The attacker is then able to create an evil twin AP and launch a MitM attack.
  • Other attacks enabled by insecure management frames are MAC address spoofing, denial of service, Wi-Fi jamming, session hijacking, and many more.


5. How to deploy the attacks?

  • Using the OSS aircrack-ng suite with aireplay-ng:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

-0 means deauthentication

1 is the number of deauths to send; 0 sends continuously

-a MAC address of the AP

-c MAC address of the client

ath0 is the wireless interface


6. How to detect and prevent the attacks?

  • Many papers have proposed schemes to detect and protect against these attacks, but most of them are too complicated because the proposals require changing device drivers. So what about the legacy devices that are widely used?
  • My proposal is a simple solution that detects deauth attacks and maybe prevents them by calling some other tool to block the connection.
  • To make this happen we also use the aircrack-ng suite, where airmon-ng puts our wireless device into monitor mode.

airmon-ng start wlan0

wlan0 is your wireless device

  • To detect the deauth attack we use Python + Scapy. Scapy is a Python library used as a packet manipulation tool.
  • We can use Scapy classes such as Dot11 or Dot11Deauth to identify the packet.
  • Once we detect the attack, we can prevent the client from unknowingly connecting to the malicious AP with rfkill.
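A worked detector for the proposal in section 6, added here as an example; it is not code from the original talk. It decodes the 802.11 management-frame header described in section 4 directly from raw frame bytes (so it runs offline without Scapy), counts deauthentication frames (type 0, subtype 12) per BSSID/client pair in a sliding time window, and returns an alert when the count crosses a threshold; the rfkill response is wrapped in a dry-run function. The sample frames, the threshold of 5 frames in 2 seconds, and all function and class names are assumptions; the two MAC addresses are the ones from the aireplay-ng example above.

```python
"""Deauth-flood detector over raw 802.11 frames (added example, not from the talk)."""
import struct
import subprocess
from collections import defaultdict, deque

MGMT_TYPE = 0          # frame-control type 0 = management frame
DEAUTH_SUBTYPE = 12    # management subtype 12 = deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Decode the fixed 802.11 MAC header (FC, duration, addr1-3, seq ctrl).

    Returns a dict, or None if the frame is too short. For deauthentication
    frames the 2-byte little-endian reason code after the header is decoded too.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]                       # first frame-control byte
    info = {
        "type": (fc0 >> 2) & 0x3,        # bits 2-3
        "subtype": (fc0 >> 4) & 0xF,     # bits 4-7
        "addr1": fmt_mac(frame[4:10]),   # receiver (the victim for a deauth)
        "addr2": fmt_mac(frame[10:16]),  # transmitter
        "addr3": fmt_mac(frame[16:22]),  # BSSID in management frames
        "reason": None,
    }
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE:
        if len(frame) < 26:
            return None                  # truncated body, nothing to decode
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


class DeauthDetector:
    """Sliding-window counter of deauth frames per (BSSID, victim) pair."""

    def __init__(self, threshold: int = 5, window: float = 2.0):
        self.threshold = threshold       # frames within `window` seconds that trigger an alert
        self.window = window
        self.seen = defaultdict(deque)   # (bssid, victim) -> capture timestamps

    def observe(self, frame: bytes, ts: float):
        """Feed one raw frame with its capture time; return an alert dict or None."""
        info = parse_frame(frame)
        if info is None or info["type"] != MGMT_TYPE or info["subtype"] != DEAUTH_SUBTYPE:
            return None
        key = (info["addr3"], info["addr1"])
        times = self.seen[key]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()              # drop frames that fell out of the window
        if len(times) < self.threshold:
            return None
        return {
            "bssid": key[0],
            "victim": key[1],
            "count": len(times),
            "reason": info["reason"],    # 7 = "class 3 frame from nonassociated STA" in the standard
            "broadcast": key[1] == BROADCAST,
        }


def block_wifi(dry_run: bool = True):
    """Response step from the talk: soft-block the Wi-Fi radio with rfkill so the
    client cannot reassociate with whatever AP the attacker offers.
    Assumes Linux with rfkill installed; with dry_run the command is only returned."""
    cmd = ["rfkill", "block", "wifi"]
    if not dry_run:
        subprocess.run(cmd, check=False)
    return cmd


# Constructed sample capture (hex, no radiotap header): one beacon from the AP,
# then a deauth from BSSID 00:14:6c:7e:40:80 to client 00:0f:b5:34:30:30
# with reason code 7. The MACs are the ones in the aireplay-ng example.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000" "ffffffffffff" "00146c7e4080" "00146c7e4080" "1000"
    "0000000000000000" "6400" "1104")
SAMPLE_DEAUTH = bytes.fromhex(
    "c000" "3a01" "000fb5343030" "00146c7e4080" "00146c7e4080" "0000" "0700")


def run_sample():
    """Replay the sample: a beacon, then five deauths 100 ms apart."""
    detector = DeauthDetector(threshold=5, window=2.0)
    frames = [(SAMPLE_BEACON, 0.0)] + [(SAMPLE_DEAUTH, 0.1 * i) for i in range(1, 6)]
    alerts = []
    for frame, ts in frames:
        alert = detector.observe(frame, ts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("deauth flood:", alert, "->", block_wifi(dry_run=True))
```

On a live monitor-mode interface (assumed here to be the wlan0mon that airmon-ng creates) the same `observe()` call can be fed from Scapy with `sniff(iface="wlan0mon", prn=lambda p: detector.observe(bytes(p[Dot11]), p.time))`, optionally pre-filtering on `p.haslayer(Dot11Deauth)`. The threshold rather than a single frame raises the alert because a legitimate AP does send an occasional deauth (for example a broadcast one on reboot); the alert carries the reason code so an analyst can compare it with what the real AP normally emits.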


7. This is not an ultimate solution to the issue, but it might help notify us that we are under attack and maybe sitting behind an evil twin AP in a MitM position.