
I'm currently working on a WIPS and I would like to know how to obtain the attacker's MAC address when they launch an aireplay-ng deauth attack.

On Wireshark, if the attacker broadcasts the deauth attack it appears with my router as the source address and broadcast as the destination address. If the attacker launches the attack against a specific victim it appears with my router as the source address and the victim's MAC address as the destination.

Is there any way to obtain the attacker MAC?

elena.bdc
  • You mean, even if the attacker spoofs the MAC? You want the real MAC? – schroeder Mar 20 '17 at 11:55
  • Thank you for your answer @schroeder. I think that's impossible, but I'm not sure. I mean, I'm using aireplay-ng to start a deauth attack; I'm not spoofing any MAC, I mean, I'm not using macchanger or any similar tool. I would like to obtain the MAC address used by the attacker to launch the attack. – elena.bdc Mar 20 '17 at 11:57
  • What command are you using to launch the deauth? I think you need to review how deauth works. – schroeder Mar 20 '17 at 11:58
  • I'm using aireplay-ng -0 1 -a AP-bsid monitor-mode-interface – elena.bdc Mar 20 '17 at 12:06
  • Ok, now how does your machine convince the other machines that you are the AP? You send out deauth packets, but why do the other machines listen to you? – schroeder Mar 20 '17 at 12:12
  • My machine spoofs the address, it makes sense. Thank you for your answers. – elena.bdc Mar 20 '17 at 12:14
  • I think the frame count for the attacker's MAC address rises with every deauth, so you could display it with airodump-ng in a "live" session. But this is not something you can log, as far as I know. – xyz2 Oct 28 '20 at 10:27
  • Ok, but what if the attacker falsifies the frame count? – peterh Oct 28 '20 at 11:31

1 Answer


Deauth attacks require that the attacker spoofs the MAC address. What you are asking is to somehow get the MAC address of the attacker even if it is spoofed.

This is not possible from packet captures.

There is a potential that if the attacker hangs around long enough and sends packets from the real MAC on the network, then you might be able to correlate that traffic to the deauth traffic and conclude that the MAC is the attacker's. But there are a lot of things that would have to occur for that to be possible.

schroeder
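The question and the answer both turn on the same observation: in a capture, a deauthentication frame carries the AP's own address in its source and BSSID fields, so the frames themselves never name the attacker. The example below is added here and is not code from the original post or from the aircrack-ng project. It builds a small constructed capture in memory (three beacons from a made-up AP, then a burst of deauth frames whose address fields are set to that AP, exactly as the question describes seeing in Wireshark), parses the 802.11 management header, and applies two defender-side heuristics a WIPS can use: a per-(source, destination) deauth rate threshold, and a check that the deauth's 802.11 sequence number follows the AP's own counter as seen in its non-deauth frames (an injecting card uses its own counter). The addresses, threshold values and the `detect_deauth` / `sample_capture` names are assumptions made for the example. Note what the output shows: the flood is detected, but the source field it reports is still the AP's address.

```python
"""Toy WIPS deauth-flood detector over constructed 802.11 management frames.

Added example; not code from the original post. Neither heuristic below
reveals the attacker's real MAC: the parsed source field is the spoofed AP
address, which is the point made in the answer. The sequence-number check is
a heuristic only; an attacker who tracks the AP's counter can defeat it.
"""
import struct
from collections import Counter

# Constructed addresses for the example (not from the original post).
AP_BSSID = "aa:bb:cc:dd:ee:01"
VICTIM = "11:22:33:44:55:66"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Frame Control byte 0 = subtype<<4 | type<<2 | protocol version.
FC_BEACON = 0x80   # type 0 (management), subtype 8
FC_DEAUTH = 0xC0   # type 0 (management), subtype 12
SEQ_MODULUS = 4096  # 12-bit 802.11 sequence number


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(fc0, dst, src, bssid, seq, body=b""):
    """Assemble a minimal 802.11 management frame (no FCS), in memory only."""
    header = bytes([fc0, 0x00])                           # frame control
    header += struct.pack("<H", 0)                        # duration
    header += mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    header += struct.pack("<H", (seq % SEQ_MODULUS) << 4)  # seq ctrl, frag 0
    return header + body


def parse_frame(raw):
    """Return the header fields a detector needs, or None for a truncated frame."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "da": mac_str(raw[4:10]),       # addr1: destination
        "sa": mac_str(raw[10:16]),      # addr2: source (spoofed AP in an attack)
        "bssid": mac_str(raw[16:22]),   # addr3: BSSID
        "seq": struct.unpack("<H", raw[22:24])[0] >> 4,
    }
    # A deauthentication body is a 2-byte little-endian reason code.
    if frame["type"] == 0 and frame["subtype"] == 12 and len(raw) >= 26:
        frame["reason"] = struct.unpack("<H", raw[24:26])[0]
    return frame


def detect_deauth(raw_frames, protected_bssid, rate_threshold=5, seq_tolerance=16):
    """Flag deauth frames that claim to come from protected_bssid.

    Returns the (sa, da) pairs whose deauth count reached rate_threshold and
    the deauth frames whose sequence number jumped more than seq_tolerance
    away from the AP's own counter (taken from its non-deauth frames).
    """
    counts = Counter()
    seq_anomalies = []
    last_ap_seq = None
    for raw in raw_frames:
        frame = parse_frame(raw)
        if frame is None or frame["sa"] != protected_bssid:
            continue
        is_deauth = frame["type"] == 0 and frame["subtype"] == 12
        if not is_deauth:
            last_ap_seq = frame["seq"]   # the AP's genuine counter
            continue
        counts[(frame["sa"], frame["da"])] += 1
        if last_ap_seq is not None:
            gap = (frame["seq"] - last_ap_seq) % SEQ_MODULUS
            if gap > seq_tolerance:
                seq_anomalies.append(frame)
    floods = {pair: n for pair, n in counts.items() if n >= rate_threshold}
    return {"floods": floods, "seq_anomalies": seq_anomalies}


def sample_capture():
    """Constructed capture: 3 AP beacons, then a 6-frame targeted deauth burst."""
    frames = [build_mgmt_frame(FC_BEACON, BROADCAST, AP_BSSID, AP_BSSID, seq)
              for seq in (100, 101, 102)]
    # The injecting card uses its own sequence counter, here starting at 2000.
    reason = struct.pack("<H", 7)  # reason 7: class 3 frame from nonassociated STA
    frames += [build_mgmt_frame(FC_DEAUTH, VICTIM, AP_BSSID, AP_BSSID, 2000 + i, reason)
               for i in range(6)]
    return frames


if __name__ == "__main__":
    result = detect_deauth(sample_capture(), AP_BSSID)
    for (sa, da), n in result["floods"].items():
        print(f"deauth flood: {n} frames, source field {sa} -> {da}")
    print(f"{len(result['seq_anomalies'])} deauth frames off the AP's sequence counter")
```

To run this against real traffic you would feed `detect_deauth` the raw 802.11 frames from a monitor-mode capture (stripping the radiotap header first) instead of `sample_capture()`. The sequence-number heuristic is what the last two comments are arguing about: it works against a default aireplay-ng run, but an attacker can mimic the AP's counter, so treat it as a signal for correlation, not as identification.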