Hacking & Solutions: 802.11 Protocol Attacks, Deauthentication

By CWNP On 02/19/2008 - 27 Comments

This article is presented as part of the hacking + solution track for Wireless Security Expo 2008.

Deauthentication is the most common form of 802.11 protocol denial-of-service (DoS) attack.  After watching the Deauthentication video, you can see that performing this type of attack takes seconds using common and user-friendly software and hardware, can wreak havoc on a network, and can be used as part of other types of wireless network attacks.  Deauthentication frames are considered notifications, not requests, which means any associated station or AP that receives a deauthentication frame must comply.

802.11 stations must authenticate themselves through "Open System Authentication" prior to requesting a connection. Following successful authentication (consisting of two acknowledged authentication frames), the client station will then request association (connectivity). The association request frame is followed by an association response frame. Each of these frames is also acknowledged.

The next steps depend on the type of security in use on the WLAN and determine just how intrusive a deauthentication attack will be. If the WLAN is using only Open System authentication, then a deauthentication attack will yield a very minor interruption for client stations. The reason for this is that the authentication and association process is extremely fast. When deauthenticated, a client station must reauthenticate and reassociate, but this entire process takes only a few milliseconds to complete. If the WLAN is using WEP with Open System authentication, the same process would apply.

If the WLAN is using WPA/WPA2-PSK, then a 4-way handshake (plus 4 ACK frames) will follow the acknowledged association response frame.  This process is fairly fast (roughly an additional 20-30 ms), but added to the Open System authentication and association, it can easily add up to 50 ms (total) when adding in contention time.  If a single AP is used, this won't be a big problem, but a deauthentication like this may also cause a client station to roam.  Roaming requires passive and active scanning, which could add 1-3 seconds to the process.  This additional time can easily disrupt many applications.

If the WLAN is using 802.1X/EAP and not using Opportunistic PMK Caching (not widely supported in client utilities), deauthentication can cause a disruption of 0.5 - 5 seconds depending on the specific EAP type in use, scanning processes, and the 4-way handshake.  802.1X/EAP authentication mechanisms are almost always deployed in enterprise WLANs.  Any application that is latency sensitive will suffer dramatic problems when the client station is deauthenticated.  File transfers, voice/video streams, thin-client sessions, and other real-time applications will often break when disrupted for more than 0.5 seconds.

The 802.11w amendment to the 802.11-2007 standard offers three new security pieces: Data Origin Authenticity, Replay Detection, and Management Frame Protection.  The data origin authenticity mechanism defines a means by which a station that receives a management frame (such as a deauthentication frame) can determine which station transmitted the data or management frame.  This feature is required to prevent an intruder from masquerading as an authorized station.  The replay detection mechanism defines a means by which a station that receives a management frame from another station can detect whether the received frame is an unauthorized retransmission.  Management frame protection is required to protect against forgery and eavesdropping on management frames such as Action, Disassociate, and Deauthenticate frames through the use of security keys.

Most of today's WLAN infrastructure systems do not support management frame protection, and until they do, deauthentication attacks will remain a significant security problem.  
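
For monitoring, the frame properties discussed above (management subtype, the Protected Frame bit that management frame protection sets on unicast frames, and the rate of deauthentication frames) can be checked on captured traffic. The following is an added example, not part of the original article: the window, threshold, MAC addresses and sample frames are constructed assumptions, and frames are assumed to be raw 802.11 headers without radiotap or FCS.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10   # 802.11 management subtypes
WINDOW_S = 1.0              # assumed sliding window, seconds
THRESHOLD = 5               # assumed: more frames than this per window is a flood

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Parse a raw 802.11 frame (no radiotap, no FCS); None unless deauth/disassoc."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason code
        return None
    fc0, fc1 = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    protected = bool(fc1 & 0x40)             # Protected Frame bit
    # With the bit set the body is encrypted, so the reason code is unreadable.
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {"subtype": subtype, "protected": protected, "reason": reason,
            "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22]), "unicast": not (frame[4] & 1)}

def detect(frames, mfp_required=False):
    """frames: time-ordered (timestamp_s, raw_bytes). Returns a list of alert tuples."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps inside the window
    flooding = set()              # keys already reported, to alert once per burst
    alerts = []
    for ts, raw in frames:
        f = parse_mgmt(raw)
        if f is None:
            continue
        key = (f["bssid"], f["dst"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW_S:
            q.popleft()
        if len(q) > THRESHOLD:
            if key not in flooding:
                flooding.add(key)
                alerts.append(("flood", ts, *key))
        else:
            flooding.discard(key)
        # Group-addressed frames are integrity-protected differently (BIP),
        # so only unicast frames are checked for the Protected bit here.
        if mfp_required and f["unicast"] and not f["protected"]:
            alerts.append(("unprotected", ts, *key))
    return alerts

def sample_frame(subtype, dst, src, bssid, reason=7, protected=False):
    """Build a frame for the demo below (constructed data, not a capture)."""
    to_b = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([subtype << 4, 0x40 if protected else 0]) + b"\x00\x00"
    return hdr + to_b(dst) + to_b(src) + to_b(bssid) + b"\x00\x00" + struct.pack("<H", reason)

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
SAMPLE = [(0.0, sample_frame(DEAUTH, STA, AP, AP, reason=3))]      # one isolated deauth
SAMPLE += [(10.0 + i * 0.01, sample_frame(DEAUTH, STA, AP, AP)) for i in range(8)]  # burst

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The threshold needs tuning per site, since a roaming or misbehaving client can also produce short runs of legitimate deauthentication frames.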

27 Responses to Hacking & Solutions: 802.11 Protocol Attacks, Deauthentication

07/12/2008 at 14:56pm
It's working. But
how can I find IP??

03/12/2008 at 09:05am
very very advance and enjoy with


03/03/2008 at 13:43pm
Another method that is pretty disruptive is to send the deauth frame to the AP (posing as the client...). Oftentimes, the client will not be aware that it has been deauth'ed and send a packet to the AP. Then, the AP will have to tell the client its association is no longer valid and the whole process is started as described above...

02/25/2008 at 16:10pm
I really enjoyed this series on wireless security !
Thanks for your effort in putting it together

02/21/2008 at 11:15am
Do not see\play the video

02/20/2008 at 06:02am
The writeup was scholarly and a person must be techno savvy to understand it. If the video had opened it would have been much better.

02/20/2008 at 00:17am
Presentation was very informative....Great job to Jeff on the presentation :)

02/19/2008 at 21:34pm

02/19/2008 at 20:43pm
Very good info so far. I can only watch after I get home in the afternoon, but because you have made this available continuously, I don't miss a thing.
OUTSTANDING IDEA! Hope to see many more in the future.

Brad Stanfield, CISSP-ISSEP

02/19/2008 at 19:53pm
I have enjoyed this broadcast! Thank you very much!!!

02/19/2008 at 18:28pm
I found the event very informative :) Great job to Jeff on the presentation :)

02/19/2008 at 14:36pm
First time listening to a LIVE broadcast with you guys. I enjoyed all of it very much.

02/19/2008 at 14:27pm
Very informative.

02/19/2008 at 14:27pm
WTF? The video cut off the speaker. I also thought this was a live webinar event..

02/19/2008 at 14:24pm
I wonder if the 802.11w will require significant HW upgrade or just some firmware upload.

02/19/2008 at 14:24pm
We have a problem with the currently-posted "Deauthentication" video. We are working on it right this minute and will have it resolved shortly. Sorry for the inconvenience.



02/19/2008 at 14:13pm
I found this to be very informative, but the video Devin put together seemed a bit short. He was still in the middle of speaking at the end when it cut off. Will the rest of the video be available soon?

02/19/2008 at 14:03pm
it is ok.

02/19/2008 at 14:01pm
Very good

02/19/2008 at 13:21pm
I think this is good and powerful. but may we see soon good solution for deauthentication attacks
