The behaviour of legit De-Auth frame and Malicious De-Auth frame

I have done several testbed to looks details on the De-Auth frames.

This is the legit de-auth packet sent from client to AP.


Here is De-Auth packet sending by aireplay-ng with command :

aireplay-ng -0 1 -a 10:FE:ED:F6:C1:A0 -c 00:1F:3C:E4:AF:7F mon0

Where : 

-0 - Means deauthentication
1  - Number of deauth
-a 00:14:6C:7E:40:80 - MAC address of deauth packet
-c 00:0F:B5:34:30:30 - MAC address of station

mon0 - the interface name


So what we have here ?

1. The legitimate de-auth packet just send only 1 packet to de-auth

2. The legitimate de-auth packet length is 39 bit where malicious de-auth sending 44 bit length

3. De-auth attacks using aireplay-ng with 1 deauth will send 128 packet which is 64 packet to the AP and 64 to the Client as depicted above.

4. On the reason code for the legit deauth is Code 3 that is sending STA is leaving, but from the malicious deauth packet send Code 7 – Class 3 received from non associated station.

This article was written by matn0t.