
I am attempting to conduct a deauthentication attack on a stand-alone AP using Aircrack-ng. I'm using an ASUS 802.11ac router and using aireplay-ng to send the deauthentication packets.

But when conducting the attack whilst the router has any form of security enabled (WPA/WPA2), the deauthentication packets are sent but don't seem to be accepted by the AP, meaning the stations stay authenticated.

However, if I take the security off the AP, the attack works successfully and the station is deauthenticated from the AP and a further authentication and association request is sent.

I am fully aware of 802.11w, which protects the management frames and would prevent deauthentication attacks from occurring, but this AP does not support PMF, so I cannot find a reason why the stations are not being deauthenticated when the packets are sent to the AP.

Am I missing something obvious as to why the attack isn't being successful, or does anyone have any further knowledge about WPA/WPA2 that would prevent the attack from working?

BurgerVanDan
  • Can you paste the command you're using? Have you sniffed the packets? Which is this security option you disable? – Azteca Feb 01 '17 at 17:13

2 Answers

1

I think your issue is still Protected Management Frames which appear mandatory in 802.11ac. See 802.11w protected management frames - Wi-Fi

but this AP does not support PMF

Specifically: "The IEEE 802.11w amendment added this functionality to the 802.11 standard and since July 1st 2014, the Wi-Fi Alliance (WFA) made the support of Protected Management Frames (PMF) mandatory to pass 802.11ac or Passpoint aka HotSpot2.0 R2 interoperability certification. So we will see a much greater adoption of this feature in the near future."

Source

I am curious how you know it doesn't support it, is that due to it not referencing it in the admin interface or from the frames it's sending out? You should be able to confirm this by checking the packets coming from the AP and looking for the presence of the bit identifying PMF support.

Also, a slight technicality, but the attack used to work because the wireless clients believed they had been disassociated by the AP, not the other way around.

TL;DR: De-authentication frames are now signed using the wireless key because of something called "PMF" which is mandatory to pass 802.11ac certification. Your AP probably supports PMF without you realising.

Matthew1471
  • Yeah, I was thinking that 802.11w could be the problem, but I couldn't work out how it would be affecting it if the router didn't support it. The reason I don't believe the router supports PMF is because there is no setting for it on the router (where there has been on other routers I have used). I have also contacted ASUS to see if my specific router supported PMF and they said it did not support it. I did not realize that PMF was mandatory to pass 802.11ac since July 2014; that information is really useful, thanks. – BurgerVanDan Feb 02 '17 at 11:41
  • No problem. I think the easiest would be to check the frames yourself using a Linux LiveCD such as Kali. "The support for 802.11w is signalized within the Auth Key Management (AKM) of the 802.11i Information Element called Robust Security Network (RSN) found in Beacons or Probes", it should be enough just to capture them and check the RSN. The link above has screenshots showing both. – Matthew1471 Feb 02 '17 at 11:53
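The answer and its comments suggest confirming PMF support by reading the RSN element in the AP's own beacons or probe responses rather than trusting the admin interface. The following is an added example (not from the original post or from Aircrack-ng) that does exactly that check on the decoded element bytes: it parses an RSN information element (Element ID 48) and reports the cipher and AKM suites plus the MFPC (capable) and MFPR (required) capability bits, which is where 802.11w support is advertised. It assumes you have already extracted the raw element bytes from a capture with a sniffer of your choice; the three sample elements are constructed for illustration, not captured from any real AP.

```python
"""Parse an 802.11 RSN information element and report 802.11w (PMF) support.

Added example, not from the original post. Sample byte strings below are
constructed; the layout follows the RSN element (Element ID 48) definition:
version, group cipher, pairwise suite list, AKM suite list, RSN capabilities.
"""
import struct

OUI_IEEE = b"\x00\x0f\xac"

CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

MFPR_BIT = 1 << 6  # RSN capabilities: Management Frame Protection Required
MFPC_BIT = 1 << 7  # RSN capabilities: Management Frame Protection Capable


def _suite_name(raw, table):
    """Map a 4-byte OUI+selector suite to a readable name."""
    oui, selector = raw[:3], raw[3]
    if oui != OUI_IEEE:
        return "vendor:%s:%d" % (oui.hex(), selector)
    return table.get(selector, "unknown:%d" % selector)


def parse_rsn_ie(ie):
    """ie: full element bytes (ID, length, body). Returns a dict of fields."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 2:
        raise ValueError("RSN body too short for version field")
    (version,) = struct.unpack_from("<H", body, 0)
    pos = 2
    result = {"version": version, "group_cipher": None, "pairwise_ciphers": [],
              "akm_suites": [], "mfpc": False, "mfpr": False}
    # Every field after the version is optional: stop wherever the body ends.
    if len(body) < pos + 4:
        return result
    result["group_cipher"] = _suite_name(body[pos:pos + 4], CIPHER_SUITES)
    pos += 4
    for key, table in (("pairwise_ciphers", CIPHER_SUITES), ("akm_suites", AKM_SUITES)):
        if len(body) < pos + 2:
            return result
        (count,) = struct.unpack_from("<H", body, pos)
        pos += 2
        if len(body) < pos + 4 * count:
            raise ValueError("suite list truncated")
        result[key] = [_suite_name(body[pos + 4 * i:pos + 4 * i + 4], table)
                       for i in range(count)]
        pos += 4 * count
    if len(body) >= pos + 2:
        (caps,) = struct.unpack_from("<H", body, pos)
        result["mfpc"] = bool(caps & MFPC_BIT)
        result["mfpr"] = bool(caps & MFPR_BIT)
    return result


def pmf_status(info):
    """Summarise the two PMF bits: required, optional (capable) or unsupported."""
    if info["mfpr"]:
        return "required"
    if info["mfpc"]:
        return "optional"
    return "unsupported"


# Constructed sample elements (not captured from any real AP):
# WPA2-PSK with CCMP, RSN capabilities 0x0000: no PMF advertised.
RSN_NO_PMF = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
# Same suites, capabilities 0x0080 (MFPC set): PMF optional.
RSN_PMF_OPTIONAL = bytes.fromhex("30140100000fac040100000fac040100000fac028000")
# PSK-SHA256 AKM, capabilities 0x00C0 (MFPC and MFPR set): PMF required.
RSN_PMF_REQUIRED = bytes.fromhex("30140100000fac040100000fac040100000fac06c000")

if __name__ == "__main__":
    for label, ie in (("no PMF", RSN_NO_PMF), ("optional", RSN_PMF_OPTIONAL),
                      ("required", RSN_PMF_REQUIRED)):
        info = parse_rsn_ie(ie)
        print(label, info["akm_suites"], "->", pmf_status(info))
```

An AP that reports "unsupported" here, in its own beacon, genuinely does not advertise 802.11w, regardless of what the admin interface shows; "optional" means clients may negotiate protected management frames, and "required" means every association will use them.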
0

Nowadays most APs drop packets from unassociated clients or broadcast deauths as a really basic security measure, so try spoofing the MAC of the client to deauth by adding the -c option: -c AA:BB:CC:DD:EE:FF.

Also, please provide more information to help you further.

Azteca
  • Sorry, I've just re-read my post and realized I have not included much information as to the steps I'm taking. I am using Kali to conduct the attack against a Windows 7 station. I have attempted both a broadcast deauth and a targeted attack, but both don't seem to work. The command I am using to conduct the attack is as follows: `aireplay-ng -0 0 -a AA:BB:CC:DD:EE:FF -c AA:BB:CC:DD:EE:FF wlan0mon` – BurgerVanDan Feb 02 '17 at 11:37
  • @BurgerVanDan What about the output of the attack, is the client listening to the deauth? For every deauth there should be an ACK, so the **perfect output** should be: `Sending 64 directed DeAuth. STMAC: [AA:BB:CC:DD:EE:FF] [ 64|64 ACKs]`. Also remember that both AP and attacker should be on the same PHY configuration (channel and 802.11 mode). PS: You can edit your own question to add the extra info. – Azteca Feb 02 '17 at 17:21