In this blog, I will explain how Wi-Fi deauth works. You may have watched lots of videos on "How to hack wifi". I have seen those videos and I have also tried them on different devices. After the research, there are several possible ways to "hack" Wi-Fi. That Wi-Fi hacking is nothing more than sending deauth requests to a particular access point (AP).
Today, I explain how it works and how a deauth flood can hit the access point so that all connected devices are disconnected from the particular Wi-Fi.
A station or AP can send a Deauthentication frame when all communications are terminated. (When disassociated, a station can still be authenticated to the cell.) The deauthentication frame format is as shown below. It is a subtype 12 (0x0c) management frame (type 0), and you can filter it using the Wireshark filter below.
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)
The frame body of a Deauth frame contains the following:
1. Reason Code (2 bytes)
2. Vendor Specific Information (one or more)
3. 802.11w (MFP) info
Here is a capture of a Deauthentication frame. In this case, the client station specifies reason code 3 – Deauthenticated because sending station is leaving BSS. Once the AP receives this, it should send an ACK to the client station.
Here is another deauthentication frame, this time with reason code 4 – Disassociated due to Inactivity.
In the case below, the client has been deauthenticated with reason code 1 – Unspecified reason.
Here is another Deauth frame captured. This is triggered when I enable client management frame protection on an SSID. This time the AP is sending a deauth to the client with reason code 6 – Class 2 frame received from the nonauthenticated station.
Once a station is associated to an AP, either side can terminate the association at any time by sending a disassociation frame. It has the same frame format as the deauthentication frame. A station can send a disassociation frame because it leaves the current cell to roam to another cell. An AP could send a disassociation frame because the station tries to use invalid parameters. (The reason codes given above apply to disassociation frames as well.) You can filter disassociation frames in Wireshark using the filter below (subtype 10 management frames):
(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0a)
A disassociation frame's destination address can be a unicast MAC address or the broadcast address. If a single station is to be disassociated, the frame can be sent to that client's unicast MAC address. If all stations need to be disassociated, the disassociation frame can be sent to the broadcast MAC address.
Here is a disassociation frame sent by a client station with reason code 8 – Disassociated because sending station is leaving.
Here is another disassociation frame sent by the AP to a client station. (This is triggered when I shut down the WLAN from the controller.) In this case the reason code is 1 – Unspecified Reason.
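To make the frame layout described above concrete, here is an added example (not code from the original post) that decodes a deauthentication or disassociation frame the same way the two Wireshark filters select it, and reports the reason code, the broadcast destination case and the Protected Frame bit. The function name and the two sample frames are constructed for illustration; the parser assumes raw 802.11 bytes with no radiotap header, no FCS and no HT Control field.

```python
import struct

# Reason codes the post walks through; other values are reported numerically.
REASONS = {
    1: "Unspecified reason",
    3: "Deauthenticated because sending station is leaving BSS",
    4: "Disassociated due to inactivity",
    6: "Class 2 frame received from nonauthenticated station",
    8: "Disassociated because sending station is leaving",
}
SUBTYPES = {0x0C: "deauthentication", 0x0A: "disassociation"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_teardown(frame):
    """Parse one raw 802.11 frame (assumed: no radiotap header, no FCS, no
    HT Control field). Returns a dict for deauth/disassoc, else None."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None
    protected = bool(frame[1] & 0x40)  # Protected Frame bit, set under 802.11w
    # With MFP the body of a unicast frame is encrypted, so bytes 24-25 are
    # not a readable reason code.
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    text = "encrypted (MFP)" if protected else REASONS.get(
        reason, "not listed in this post")
    dst = mac(frame[4:10])
    return {
        "kind": SUBTYPES[subtype],
        "dst": dst, "src": mac(frame[10:16]), "bssid": mac(frame[16:22]),
        "broadcast": dst == "ff:ff:ff:ff:ff:ff",
        "protected": protected,
        "reason": reason,
        "reason_text": text,
    }

# Constructed sample frames (locally administered MACs, not from a capture).
CLIENT_DEAUTH = bytes.fromhex("c000" "3a01" "020000000001" "020000000002"
                              "020000000001" "1000" "0300")
AP_DISASSOC_ALL = bytes.fromhex("a000" "0000" "ffffffffffff" "020000000001"
                                "020000000001" "2000" "0100")

if __name__ == "__main__":
    for f in (CLIENT_DEAUTH, AP_DISASSOC_ALL):
        print(parse_teardown(f))
```

When reviewing a capture, a run of unprotected frames with a broadcast destination or a repeating reason code from one source address is the pattern worth a closer look.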