Why the Deauthentication Attack isn't working

Plenty of you enjoy the ESP8266 Deauther project because it's easy to get started with and lets you block specific WiFi connections. But what if that core feature isn't working? There are a few things that can render a WiFi deauthentication attack ineffective. Here we will explore what they are.

Installation

If you are using the ESP8266 Deauther but starting a deauthentication attack results in a packet rate of 0 packets per second, you likely have to flash the firmware again.

If you're using Arduino to install it, make sure you install and select a board from the Deauther ESP8266 Boards section, not from the regular ESP8266 Boards. If you don't, the sketch will probably compile and run, but it won't send deauth packets; other attacks like beacon and probe will still work fine.

You can find the installation instructions here.

5 GHz Access Point

If you can send deauthentication packets, but your target isn't getting disconnected, chances are high that you are trying to attack a dual-band network, meaning it is present on both 2.4 GHz and 5 GHz. Client devices will opt for the 5 GHz connection whenever they can, since it provides higher bandwidth than a 2.4 GHz connection.

The ESP8266 is only able to work on the 2.4 GHz spectrum. And there is no way to make it work on 5 GHz, sorry. So make sure your target device is connected through 2.4 GHz. Otherwise, the attack will simply not work.

You could, however, use a 5 GHz USB WiFi adapter that can do packet injection. We made a tutorial for it: https://blog.spacehuhn.com/5ghz-deauther/.

Protected Management Frames

If you have ever asked yourself how one can be protected against WiFi denial of service by deauthentication, the answer is Protected Management Frames.

They were first introduced in 2009 with the 802.11w standard and allow management frames like the deauthentication packet to be secure against spoofing - or at least secure enough to make attacks like this impractical.

But for a long time, this feature was not implemented in consumer WiFi devices. And when it was, access points usually didn't enforce it, in order to stay backward compatible with older WiFi clients that lack the feature.

Today, WiFi-certified hardware must have this feature, and WPA3 networks have to enforce it. So deauthing a WPA3 network is unlikely to work.

If your network uses protected management frames, deauthentication attacks will not work. Often the only way to figure out if a network is secure is by testing it. We made the ESP8266 Deauther project so you can perform such pentests easily.
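One way to check whether your own network advertises or enforces 802.11w before you start testing: an access point announces this in the RSN element of its beacons and probe responses, in the MFPC (capable) and MFPR (required) bits of the RSN Capabilities field. The parser below is an added example, not code from the Deauther project; the three sample elements are constructed, not captured from any real network.

```python
import struct

# Suite selectors are OUI 00-0F-AC plus a type byte (IEEE 802.11); only common types are named.
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 6: "PSK-SHA256", 8: "SAE"}
MFPR = 1 << 6  # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7  # RSN Capabilities bit 7: Management Frame Protection Capable

def _suite(raw: bytes, table: dict) -> str:
    return table.get(raw[3], f"type-{raw[3]}") if raw[:3] == b"\x00\x0f\xac" else "vendor"

def parse_rsn_ie(body: bytes) -> dict:
    """Parse an RSN element body (ID 48, header stripped). Fields after the version are optional."""
    info = {"pairwise": [], "akm": [], "mfpc": False, "mfpr": False}
    off = 0
    def take(n):  # next n bytes, or None when the element ends first
        nonlocal off
        if off + n > len(body):
            return None
        off += n
        return body[off - n:off]
    ver = take(2)
    if ver is None or struct.unpack("<H", ver)[0] != 1:
        raise ValueError("not an RSN version 1 element")
    group = take(4)
    if group is None:
        return info
    info["group"] = _suite(group, CIPHERS)
    for key, table in (("pairwise", CIPHERS), ("akm", AKMS)):
        count = take(2)
        if count is None:
            return info
        for _ in range(struct.unpack("<H", count)[0]):
            raw = take(4)
            if raw is None:
                return info
            info[key].append(_suite(raw, table))
    caps = take(2)
    if caps is not None:  # RSN Capabilities field: this is where 802.11w support is advertised
        bits = struct.unpack("<H", caps)[0]
        info["mfpc"], info["mfpr"] = bool(bits & MFPC), bool(bits & MFPR)
    return info

def pmf_status(body: bytes) -> str:
    """'required' = 802.11w enforced; 'optional' = clients may still join without it."""
    info = parse_rsn_ie(body)
    return "required" if info["mfpr"] else ("optional" if info["mfpc"] else "disabled")

# Constructed sample elements (not captured from any real network)
WPA2_LEGACY = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")  # caps 0x0000
WPA3_SAE = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac08 c000")     # MFPC|MFPR set
```

An element with only MFPC set (caps 0x0080) reports "optional": that is the backward-compatible mode described above, where a client that doesn't speak 802.11w can still connect and remains deauthable.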

Reason codes

Every deauthentication packet contains a code to indicate why the recipient has been disconnected. This so-called reason code can be changed in the ESP8266 Deauther. By default, it's on 1 (Unspecified reason), but plenty of other reason codes are available: https://blog.spacehuhn.com/wifi-deauthentication-frame/#reason-codes.

Using a different reason code shouldn't make any difference. However, users of our tool have told us that changing it can result in a more or less effective attack.

With the ESP8266 Deauther, you can change the reason code in the settings.
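From the defender's side, the reason code is also what a wireless monitor sees when it decodes deauthentication and disassociation frames, and a burst of unprotected ones is the signature of this attack. The detector below is an added example (not part of the Deauther project) that decodes the reason code and flags senders that exceed a rate threshold; the frames and timestamps in `sample_capture()` are constructed, and the addresses are locally administered placeholders.

```python
import struct
from collections import Counter

# Reason codes from IEEE 802.11 (the Deauther's default of 1 is "Unspecified reason")
REASONS = {1: "Unspecified reason", 2: "Previous authentication no longer valid",
           3: "Deauthenticated because sending STA is leaving", 4: "Disassociated due to inactivity",
           6: "Class 2 frame from nonauthenticated STA", 7: "Class 3 frame from nonassociated STA",
           8: "Disassociated because sending STA is leaving BSS"}
SUBTYPES = {0xA: "disassoc", 0xC: "deauth"}

def parse_mgmt(frame: bytes):
    """Decode a deauth/disassoc frame (FC 2, duration 2, DA 6, SA 6, BSSID 6, seq 2, reason 2) or None."""
    if len(frame) < 26 or (frame[0] & 0x0F) != 0 or (frame[0] >> 4) not in SUBTYPES:
        return None  # not a version-0 management frame of a subtype we care about
    mac = lambda o: ":".join(f"{b:02x}" for b in frame[o:o + 6])
    protected = bool(frame[1] & 0x40)  # Protected Frame bit: 802.11w encrypted body, not spoofable
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {"subtype": SUBTYPES[frame[0] >> 4], "da": mac(4), "sa": mac(10), "bssid": mac(16),
            "protected": protected, "reason": reason, "reason_text": REASONS.get(reason, "other")}

def detect_flood(frames, window_s=1.0, threshold=10):
    """frames: iterable of (timestamp_s, raw_frame). Returns {(bssid, sa): peak_count} for senders
    whose unprotected deauth/disassoc frames inside a sliding window exceeded the threshold."""
    recent, peak = {}, Counter()
    for ts, raw in sorted(frames, key=lambda x: x[0]):
        f = parse_mgmt(raw)
        if f is None or f["protected"]:
            continue  # PMF-protected frames cannot be forged, so they are never counted
        key = (f["bssid"], f["sa"])
        q = recent.setdefault(key, [])
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.pop(0)
        peak[key] = max(peak[key], len(q))
    return {k: n for k, n in peak.items() if n > threshold}

# Constructed frames (addresses are locally administered placeholders, not real devices)
DEAUTH_BCAST = bytes.fromhex("c000 3a01 ffffffffffff 02aabbccddee 02aabbccddee 0000 0100")   # reason 1
CLIENT_LEAVING = bytes.fromhex("c000 3a01 02aabbccddee 021122334455 02aabbccddee 1000 0300") # reason 3
PROTECTED_DEAUTH = bytes.fromhex("c040 3a01 021122334455 02aabbccddee 02aabbccddee 2000") + bytes(10)
BEACON = bytes.fromhex("8000 0000 ffffffffffff 02aabbccddee 02aabbccddee 3000") + bytes(12)

def sample_capture():
    """30 broadcast deauths within 0.6 s, then one ordinary client deauth, one PMF-protected deauth, one beacon."""
    burst = [(i * 0.02, DEAUTH_BCAST) for i in range(30)]
    return burst + [(5.0, CLIENT_LEAVING), (6.0, PROTECTED_DEAUTH), (7.0, BEACON)]
```

Only the broadcast burst is reported; the single client deauth with reason 3 is ordinary traffic, and the protected frame is skipped because a forged one could not have passed the 802.11w integrity check.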

Attack a Station (not an AP)

Deauthentication attacks can target a single connection or, by broadcasting the packet, every connection to this access point.

We've observed cases where a deauthentication attack against the access point was not effective, but against a specific client, it was.

So instead of attacking an access point (AP) and every device that is connected to it, you can also scan for client devices (Stations) and target one of those specifically. Keep in mind though that to find a station, it has to be actively sending packets while you're scanning. Otherwise, you won't detect it even if it's connected and in range.

Verdict

If all this sounds like an unstable hack and you don't really know if it will work until you try, you are correct!

Deauthentication attacks are an exploit. Some devices have addressed and fixed it, and others haven't. An old access point can keep us from using the latest security features our modern clients are capable of. But enforcing new technology means trouble for backward compatibility. After all, we expect WiFi to work with all our devices flawlessly.

If you're interested in starting to learn about WiFi security, a tool like the ESP8266 Deauther can be a great start. It's affordable and relatively easy to use. With it, you will be able to test your home network(s) and devices and have a great starting point for further research.

But please don't be sad if you can't deauthenticate your home network because it's up to date with basic security measures. If anything, it's good, and you should be glad!

Hacking means being creative and just trying things out. So we hope that the tips in this post will help you on that journey.

If you need to test different access points, you can also create one easily using your phone's hotspot feature (though that access point might also be protected depending on the phone). But maybe you know someone who has an old router or phone that you can borrow to set up a WiFi access point for testing.

Good luck and happy hacking :)