Deauthentication Attack


This Denial of Service attack is against the connected clients of a wireless network. The idea is to send deauthentication frames on behalf of the Access Point to the clients. When a connected client receives this type of wireless frame is obligated to disconnect immediately from the network.

Getting into monitor mode

Create a monitoring interface with the following command:

airmon-ng start INTERFACE

Network discovery

I’ll use Airodump-ng in order to identify the target network, but there are a number of tools out there for this job.


Filtering out APs

Usually, you are presented with a huge amount Access Points. You can simply narrow down the list to only show that specific AP.


Changing channels

It’s a good practice to put the WNIC (Wireless Network Interface Controller) to the same channel as with the target AP.

ifconfig INTERFACE down
iwconfig INTERFACE channel CHANNEL
ifconfig INTERFACE up

Wireshark filter

You can capture deauthentication frames being sent in Wireshark with this filter:

wlan.fc.type_subtype == 0x0c

Transmitting deauth frames

In this step, I launch the aireplay-ng tool to transmit deauthentication frames on behalf of the AP to all the clients.


The “-0 10” specifies that this is a deauthentication attack and 10 is the number of frames, which you can freely change. You can also disconnect a specific client with the help of the -c CLIENT_MAC_ADDRESS switch.

Final words

Wireless Denial of Service attacks are active attacks meaning that we are transmitting malicious frames that can be detected by an intrusion detection system or by sniffing traffic with Wireshark.

Before you go

If you found this article helpful, please share to help others with similar interest find it! + Feedback and donations are always welcome!