Jump to content

Deauth - How To Make It Work?


hfam
 Share

Recommended Posts

I'm talking about the Deauth button on the Status page, upper right, just under the Airmon-ng options.

Has anyone got this working yet, or can explain why it's not working, and if you DID get it working, what am I doing wrong?

The dialog box asks for a BSSID. This is essentially the MAC address of an AP.

So, we're trying to send "deauth" packets to that AP, dumping their clients, and forcing them to reconnect to MY Karma-enabled MK3.

Here is the Association log as shown on my Status page:

Association Log

Enabled 
Checking SSID for start of association, pass through 001-sWLAN 
Successful association of 00:27:13:e9:4c:36 
Checking SSID for start of association, pass through GroundZero 
Successful association of c8:aa:21:41:95:5b 
Checking SSID for start of association, pass through Guest 
Successful association of 00:40:9d:41:ae:78 
Checking SSID for start of association, pass through Apple Network 0e5153 
Successful association of 00:16:a4:01:1d:b1 
Checking SSID for start of association, pass through Schneider 
Successful association of 00:16:a4:fe:08:ab 

In this example, I'm using the BSSID from the "Schneider" entry, which is: 00:16:a4:fe:08:ab

I enter it into the dialog box containing the string BSSID, I leave the packet count at "5", and I hit "Deauth"

After a few moments, the following appears on a new page:

Deauth Host: 00:C0:CA:32:8D:68 
Deauth Target: 00:16:a4:fe:08:ab 
Deauth Times: 5 

Executing: aireplay-ng -0 5 -a 00:C0:CA:32:8D:68 -c 00:16:a4:fe:08:ab --ignore-negative-one mon0

00:31:25  Waiting for beacon frame (BSSID: 00:C0:CA:32:8D:68) on channel 1
00:31:50  No such BSSID available.
Please specify an ESSID (-e).

This occurs for any BSSID I enter, I generate the same results, with the exception of the "-c" entry, which reflects the BSSID I entered to try to send deauth's to.

I'm stumped.

How is this feature supposed to work? Am I doing something wrong?

Any assistance would be greatly appreciated.

Edited by hfam
Link to comment
Share on other sites

I'm talking about the Deauth button on the Status page, upper right, just under the Airmon-ng options.

Has anyone got this working yet, or can explain why it's not working, and if you DID get it working, what am I doing wrong?

The dialog box asks for a BSSID. This is essentially the MAC address of an AP.

So, we're trying to send "deauth" packets to that AP, dumping their clients, and forcing them to reconnect to MY Karma-enabled MK3.

Here is the Association log as shown on my Status page:

Association Log

Enabled 
Checking SSID for start of association, pass through 001-sWLAN 
Successful association of 00:27:13:e9:4c:36 
Checking SSID for start of association, pass through GroundZero 
Successful association of c8:aa:21:41:95:5b 
Checking SSID for start of association, pass through Guest 
Successful association of 00:40:9d:41:ae:78 
Checking SSID for start of association, pass through Apple Network 0e5153 
Successful association of 00:16:a4:01:1d:b1 
Checking SSID for start of association, pass through Schneider 
Successful association of 00:16:a4:fe:08:ab 

In this example, I'm using the BSSID from the "Schneider" entry, which is: 00:16:a4:fe:08:ab

I enter it into the dialog box containing the string BSSID, I leave the packet count at "5", and I hit "Deauth"

After a few moments, the following appears on a new page:

Deauth Host: 00:C0:CA:32:8D:68 
Deauth Target: 00:16:a4:fe:08:ab 
Deauth Times: 5 

Executing: aireplay-ng -0 5 -a 00:C0:CA:32:8D:68 -c 00:16:a4:fe:08:ab --ignore-negative-one mon0

00:31:25  Waiting for beacon frame (BSSID: 00:C0:CA:32:8D:68) on channel 1
00:31:50  No such BSSID available.
Please specify an ESSID (-e).

This occurs for any BSSID I enter, I generate the same results, with the exception of the "-c" entry, which reflects the BSSID I entered to try to send deauth's to.

I'm stumped.

How is this feature supposed to work? Am I doing something wrong?

Any assistance would be greatly appreciated.

I think you are using the tool wrong.

Since the client already connected to you why would you deauth it you already have the victim?

Basically you need the BSSID of the AP you want to attack not a client...does that make sense?

Lets pretend we are trying to get clients from a local coffee shop:

Coffee shop AP SSID: java

Coffee shop AP BSSID: 01:02:a4:2g:21:a3

One coffee shop customer is on the wireless MAC is: aa:bb:cc:dd:ee:ff

Now you have your Pineapple setup next door and karma is up and running...but you want the coffee shop customer so lets deauth them!

In this case you would enter the Coffee shops AP BSSID (01:02:a4:2g:21:a3) into the MK3 interface and hit deauth.

This will cause the customer to be disconnected from the actual AP and hopefully connect to your pineapple.

Basically I see two issues with what your doing:

1) your trying to deauth a client that is already associated to you so no need

2) you will need to get the BSSID of the actual AP with another tool like airmon-ng on your laptop.

You will never be able to get the actual BSSID from the association log becasue it is showing you what the CLIENTS mac is and what AP it thinks its connecting to....not what the AP's BSSID is.

Does that make sense?

Link to comment
Share on other sites

thanks for the quick reply!

However, I just want to be clear, and maybe I am misunderstanding what the Association Log is showing.

I thought that the Association Log shows what APs my MK3 is mimicking, along with the MAC (BSSID) of the AP.

In other words, for the "Schnieder" example in my post, I believe that "Schnieder" is the name of the AP (that much I'm sure of), and that the BSSID it's showing is the MAC of the AP (Schnieder).

Are you indicating that the MAC that's showing associated with "Schnieder" is actually a MAC of a client connected to "Schnieder", and not of the "Schnieder" AP itself?

The DHCP log (across from the Assoc log on the Status page) shows the MACs of the clients that are connected to me.

Is what my understanding not correct? If not, I'm really lost, but I think I'm correct in my understanding of the data showing.

**UPDATE**

I think I've got it wrong, and that you're correct.

I've got the following 2 entries in my Assoc log right now:

Checking SSID for start of association, pass through do you have stairs in your house
Successful association of 00:16:a4:01:96:a2
Checking SSID for start of association, pass through do you have stairs in your house
Successful association of 00:16:a4:01:06:91

And I see the following in my DHCP log:

48573 00:16:a4:01:06:91 172.16.42.239 UA105301283 01:00:16:a4:01:06:91
48241 00:16:a4:01:96:a2 172.16.42.106 UA105328697 01:00:16:a4:01:96:a2

I see that the MAC addresses are the same, and obviously there aren't 2 AP's associated with that one SSID.

Thank you for your assistance and feedback, I can't tell you how much I appreciate the help out here, and trying to assist others when I can..that's what it's all about! :)

So, now that I have that squared away, what do you suggest is the best way to get the MAC (BSSID) of the AP using airmon-ng? Is it possible to do this using the MK3 instead, since it's already installed and running? maybe a command line run from SSH or something?

Again, I can't say thanks enough for all the help, eternally grateful to all of you!

Edited by hfam
Link to comment
Share on other sites

thanks for the quick reply!

However, I just want to be clear, and maybe I am misunderstanding what the Association Log is showing.

I thought that the Association Log shows what APs my MK3 is mimicking, along with the MAC (BSSID) of the AP.

In other words, for the "Schnieder" example in my post, I believe that "Schnieder" is the name of the AP (that much I'm sure of), and that the BSSID it's showing is the MAC of the AP (Schnieder).

Are you indicating that the MAC that's showing associated with "Schnieder" is actually a MAC of a client connected to "Schnieder", and not of the "Schnieder" AP itself?

The DHCP log (across from the Assoc log on the Status page) shows the MACs of the clients that are connected to me.

Is what my understanding not correct? If not, I'm really lost, but I think I'm correct in my understanding of the data showing.

Yes "Are you indicating that the MAC that's showing associated with "Schnieder" is actually a MAC of a client connected to "Schnieder", and not of the "Schnieder" AP itself?" is correct.

Using your log as an example its saying:

client MAC: 00:16:a4:fe:08:ab connected to your pineapple responding to the AP name of Schnieder.

Edited by itsm0ld
Link to comment
Share on other sites

Yes "Are you indicating that the MAC that's showing associated with "Schnieder" is actually a MAC of a client connected to "Schnieder", and not of the "Schnieder" AP itself?" is correct.

Using your log as an example its saying:

client MAC: 00:16:a4:fe:08:ab connected to your pineapple responding to the AP name of Schnieder.

Ah-ha! The lightbulb just went on completely! :) :) :)

It all makes perfect sense now. Even if that client connected, he doesn't necessarily pull IP via DHCP from me (although that's what we want!).

In the later example with the 2 clients, those connected to me thinking it was SSID:"do you have stairs...", and then went on to pull from my DHCP.

Now that I know what the hell I'm actually looking at, I just need to sort out how to get that AP MAC so I can do the deauths and "steal" their clients!

Could this be done through SSH on the MK3 via a command line, or for that matter, a command line entered on the Advanced page of the GUI?

Again, eternal thanks for all your help and patience!

Link to comment
Share on other sites

If you're running BT5R1 should be as easy as:

airodump-ng wlan0

or

airodump-ng mon0

Ah-ha! The lightbulb just went on completely! :) :) :)

It all makes perfect sense now. Even if that client connected, he doesn't necessarily pull IP via DHCP from me (although that's what we want!).

In the later example with the 2 clients, those connected to me thinking it was SSID:"do you have stairs...", and then went on to pull from my DHCP.

Now that I know what the hell I'm actually looking at, I just need to sort out how to get that AP MAC so I can do the deauths and "steal" their clients!

Could this be done through SSH on the MK3 via a command line, or for that matter, a command line entered on the Advanced page of the GUI?

Again, eternal thanks for all your help and patience!

Link to comment
Share on other sites

Thanks for the reply! I'm on a Windows 7 box currently. I'm definitely going to do a BT5 install, but I'm stuck with a Win7 box for the moment.

I did SSH into the MK3 and ran the command line "airodump-ng mon0", and appeared to do it's thing, but nothing much happening right now, just some probes from my own AP.

Admittedly I've got some research to do on some of these tools, but networking is what I do so this stuff isn't hard, just haven't had a requirement to use the air* tools in my industry, so I'm catching up on usage. :)

I really appreciate the assists, I promise I'm a fast learner and won't waste your time.

If anyone knows a great place to learn this stuff (the aircrack suite in particular) I'm more than happy to do my homework too.

Thanks again!

Link to comment
Share on other sites

I believe the issue with running airmon on the pineapple is that the wireless card cant be in monitor mode and have karma enabled at the same time...believe karma needs to be in master mode.

That makes perfect sense, thanks!

So, on the laptop I'm using,.its W7, the MK3 is on eth, and the Internet is being provided by internal wlan.

If I can place the wlan in.monitor mode, can I then use that interface to run the airomon against, perform deauths, etc, without.screwing up the MITM function?

Thanks guys!

Link to comment
Share on other sites

That makes perfect sense, thanks!

So, on the laptop I'm using,.its W7, the MK3 is on eth, and the Internet is being provided by internal wlan.

If I can place the wlan in.monitor mode, can I then use that interface to run the airomon against, perform deauths, etc, without.screwing up the MITM function?

Thanks guys!

It would have to be a separate wireless card from the one providing internet to the pineapple or anything really since it needs to be in monitor mode. I would recommend one of the alpha USB wifi adapters the hak shop sells, I have several with me all the time, or if you have an android phone I use a simple app called wifi analyzer I think. It doesn't do much but it does give me the BSSID of AP's close, it also looks less suspicious :rolleyes:

Link to comment
Share on other sites

It would have to be a separate wireless card from the one providing internet to the pineapple or anything really since it needs to be in monitor mode. I would recommend one of the alpha USB wifi adapters the hak shop sells, I have several with me all the time, or if you have an android phone I use a simple app called wifi analyzer I think. It doesn't do much but it does give me the BSSID of AP's close, it also looks less suspicious :rolleyes:

Thanks,.that's what I figured. Funny thing, I did a "I LOVE this show, I'll take one of everything." run on the hakshop recently (you gotta show some support for Hak5!) so I just happen to have that external alfa adapter for just that reason! ;)

So: Install the adapter, figure out how.to put it in monitor mode, and install the aircrack tools on my W7 MITM machine

Now, theoretically, when I run airodump against the new alfa adapter:

- my MITM functions all continue to work just as they do now with laptop and MK3

- the airodump results on the additional alfa interface it should show me the macs (BSSID) of the SSIDs which are showing up in the Association Log

- NOW I can use the Deauth feature in the MK3 GUI, or just command line it on the laptop because I have aircrack installed

Correct?

:)

And Ive had wifi analyzer on my droid for years, that's a BRILLIANT idea for close by targets...coffee shop, etc!!! Good call!!

As always, eternally grateful for your kind help!

Edited by hfam
Link to comment
Share on other sites

Thanks,.that's what I figured. Funny thing, I did a "I LOVE this show, I'll take one of everything." run on the hakshop recently (you gotta show some support for Hak5!) so I just happen to have that external alfa adapter for just that reason! ;)

So: Install the adapter, figure out how.to put it in monitor mode, and install the aircrack tools on my W7 MITM machine

Now, theoretically, when I run airodump against the new alfa adapter:

- my MITM functions all continue to work just as they do now with laptop and MK3

- the airodump results on the additional alfa interface it should show me the macs (BSSID) of the SSIDs which are showing up in the Association Log

- NOW I can use the Deauth feature in the MK3 GUI, or just command line it on the laptop because I have aircrack installed

Correct?

:)

And Ive had wifi analyzer on my droid for years, that's a BRILLIANT idea for close by targets...coffee shop, etc!!! Good call!!

As always, eternally grateful for your kind help!

Yep!

-Your MITM stuff should all still work like it is as long as you do the mon mode stuff on the alpha

-airodump-ng will show you only the BSSID for AP's in range so it wont help you get all the BSSID's from all the clients

-deauth away!

Link to comment
Share on other sites

hfam:

You have been chatting about using a deauth tool to target specific AP's, but I came across this segment earlier this afternoon.

http://www.youtube.com/watch?v=N_tnHHEFGKs :: check it around the 9 minute mark.

Basically there is a tool / script you can run called airdrop-ng that will deauth everyone except you if you use the correct script. Someone correct me if I'm wrong here -- Darren was using his 3g phone service for internet, so I'm not sure that if you send mass deauth's to AP's (one's your connected to for deploying Karma) if you'll lose your connection to the internet.

This seems like it would work very well and save you the time of entering and finding all the BSSID's from airodump-ng.

Yep!

-Your MITM stuff should all still work like it is as long as you do the mon mode stuff on the alpha

-airodump-ng will show you only the BSSID for AP's in range so it wont help you get all the BSSID's from all the clients

-deauth away!

Link to comment
Share on other sites

Hfam,

Thanks for posting this, I was having a hard time as well trying to get the DeAuth to work from the Pineapple.

I simply gave up and did it from the command line using BT5 and the RT8187 usb wifi adapter I purchased from the hak shop.

This thread clears things up nicely.

Thanks everyone

(oh I'm now convinced I need an Android phone ... thanks for spending more of my money lol)

Link to comment
Share on other sites

What a great bunch out here, thanks for all the help one and all!!

I'm now sorting out airdrop-ng, just need to figure out a bit more about how it's used, but I managed to get it all installed, and it appears that everything is working fine!

I intend to install BT5R1 on a separate partition, but for now, I'm running W7 and I'm using the aircrack-ng VMware image in the VMware Player. This gets me the 1.xx aircrack-ng suite on a linux platform, and still using Winbloze to connect the pineapple, as the base OS. It's all working really well so far, but I'm eager to learn BT, so I'm going to bite the bullet and learn it. :)

Thanks again to all you guys for all the help and expertise, I can't say thanks enough to you all.

Back to it, this is SO much fun!!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...