
I am trying to pentest the security of the password of my wireless network. It is WPA2 with a pre-shared key. My current computer is connected to the wifi router, and I try to de-auth my own machine.

Steps

1) I created a monitoring interface:

sudo airmon-ng start wlan0

2) Now I use airodump-ng to find the channel and MAC of the access point:

sudo airodump-ng mon0

3) My access point is on channel 10 and has the MAC ACCESS_POINT_MAC. I can record packets now:

sudo airodump-ng -c 10 --bssid ACCESS_POINT_MAC mon0

4) Now I try to deauthenticate my computer from the network with aireplay-ng, but it does not work:

sudo aireplay-ng -0 1 -a ACCESS_POINT_MAC mon0

13:50:47  Waiting for beacon frame (BSSID: ACCESS_POINT_MAC) on channel -1
13:50:47  Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch
Please specify an ESSID (-e).

Why does the de-authentication with aireplay-ng not work?

Update after feedback from @BadSkillz

I added --ig and -e ssid_string to my command. However, it could not find the BSSID:

14:11:56 Waiting for beacon frame (BSSID: MAC_ADDRESS) on channel -1
14:12:06 No such BSSID available.

At the same time I can find the MAC_ADDRESS|BSSID with airodump-ng. Moreover, I tried to use another interface when specifying the channel:

sudo airmon-ng start wlan0 10 

resulting in mon1. Nevertheless, the aireplay-ng still does not look at a specific channel.

Jon
    You also need to provide the mac for the client you want to deauth with the -c option, as described [here](http://www.aircrack-ng.org/doku.php?id=deauthentication) – BadSkillz Nov 07 '14 at 13:37
  • I added the `-c` to the command. Still it cannot find the BSSID. – Jon Nov 07 '14 at 13:40

9 Answers


I had the same problem and after some research I found that everything worked fine when I disabled the wlan0 interface before running the attack.

To disable the wlan0 interface, I used the following command:

ifconfig wlan0 down

Then I tried the following command again:

aireplay-ng --deauth 1111 -a mac-address-of-ap -c mac-address-of-client mon0

dantosso

I had a similar problem with an RTL8812AU on Kali 2018. What fixed it for me was throwing a -D into the attack command line so it stops trying to automatically determine the channel and just does what you tell it to.

Nicodemus
  • Totally my experience with RTL8812AU on Kali 2019! `-D` did the trick; forcing it to send those packets worked like a charm, without that flag the `AP detection` fails over and over throwing the OP's mentioned error. However the deauth worked nicely as I can see my phone disconnecting, but the capturing of the handshake didn't work. I was running the proper command with the channel and BSSID, the same command that worked with other network adapters, but no luck. @Nicodemus did you manage to capture the handshake following the `deauth`? – Dan M Jan 08 '19 at 03:09
  • Answering my own question from the above comment: for the `WPA handshake` capture to work I had to kill the `wpa_supplicant` process. Also not sure it matters, but my `ifconfig wlan0 up` was run before so the card was enabled. – Dan M Jan 08 '19 at 03:33

It's looking at channel -1; try running aircrack with the following option: --ignore-negative-one or --ig, as the error you posted says:

13:50:47 Waiting for beacon frame (BSSID: ACCESS_POINT_MAC) on channel -1

13:50:47 Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch

BadSkillz
  • I added `--ig` and `-e ssid_string` to my command. However, it could not find the BSSID: `14:11:56 Waiting for beacon frame (BSSID: MAC_ADDRESS) on channel -1 14:12:06 No such BSSID available.` On the same time I can find the MAC_ADDRESS|BSSID with `airodump-ng`. – Jon Nov 07 '14 at 13:14
  • I tried to use another interface when specifying the channel: `sudo airmon-ng start wlan0 10` resulting in `mon1`. Nevertheless, the `aireplay-ng` still does not look at a specific channel. – Jon Nov 07 '14 at 13:19

In my experience the above problem occurs when you are broadcasting the deauth packets with your attacking machine's MAC and not with your router's MAC.

So to solve it you should change the attacker WiFi interface's MAC address to the same as your router's MAC. (This has to be done on wlan0 because you can't change the MAC of mon0 after it has been created.)

So do this:

  • Disable mon0.
  • Shut down the wireless interface: ifconfig wlan0 down (or whatever your interface is called).
  • Set the attacker's MAC to your router's: ifconfig wlan0 hw ether TARGET_MAC.
  • Reactivate the interface, create a new mon0 and do your deauth attack. It should work now. (Also make sure to replay the deauth packet 3-4 times, as for some reason a single deauth sometimes just won't work.)

Hope this helps.

Wolfer

This is a problem that existed on older Kali versions. To deal with it, either update to a newer Kali or use the --ignore-negative-one switch. Killing some problematic services with airmon-ng check kill has also been found helpful.

Even for newer versions you should lock your card to the desired channel. So sudo airmon-ng stop monX and then sudo airmon-ng start wlanX YY, where X is the number of your interface and YY the number of the desired channel.

dr.doom

Assuming your wireless card can do packet injection (check this with aireplay-ng -9 <interface>), make sure at least one client is connected to the AP. To avoid any problems during the pentest: airmon-ng check kill

Then issue the command airmon-ng start wlan0 <channel> (you can find the AP channel with airodump-ng wlan0). By doing this, aireplay-ng will probe only the specified channel.

Now issue the following set of commands step by step.

  1. airodump-ng -c <channel> --bssid <BSSID OF AP> -w <directory_to_store_.cap file> <interface>. Four files should now appear in your directory.

  2. Keep this terminal running and note the client's MAC.

  3. Now to deauthenticate the client:

    aireplay-ng -0 2 -a <AP MAC> -c <client's mac> <interface>

Now you should be able to deauthenticate the client and get the WPA handshake on your former terminal screen.

If this doesn't help try airmon-ng stop <interface> and then service network-manager start. Then repeat all steps again.

P.S. In my whole answer I used the word 'interface' for the interface on which the wireless card is monitoring.

daya
  • The OP lists all of these "step by step" commands in the question .... – schroeder Jan 02 '18 at 18:38
  • @schroeder OP was missing airmon-ng check kill and he was unable to find even bssid. I mean how? So I answered from very beginning to deauthentication process. – daya Jan 03 '18 at 03:42
  • The only thing you have added was the `check kill` but this was included in another answer. I'm really not sure how this answer adds anything. – schroeder Jun 01 '18 at 09:13
  • @schroeder I was trying to indent the code but I will do it later. – daya Jun 01 '18 at 09:15
  • The problem is not with the indenting but with the content - there is nothing new in your answer that isn't stated by the OP or in other answers. – schroeder Jun 01 '18 at 09:32
  • @schroeder again I am telling, I have nothing new to add to my answer. I was just indenting the code so that it looks readable. – daya Jun 01 '18 at 12:26

Turn off the first wlan0 using

ifconfig wlan0mon down

Then run

iwconfig wlan0mon channel X

where X is the channel of the AP you want to attack. Then just start the interface again with

ifconfig wlan0mon up

This worked for me.

There are many possible root causes of this problem:

  • The wireless card is set to a channel which is different from the AP. Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
  • The card is scanning channels. Solution: Start airodump-ng with the "-c" or "--channel" parameter and set it to the same channel as the AP.
  • The ESSID is wrong. Solution: Enter the correct value. If it contains spaces or special characters then enclose it in quotes. For the complete details, see this FAQ entry.
  • The BSSID is wrong. Solution: Enter the correct value.
  • You are too far away from the AP and are not receiving any beacons. Solution: You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP. If not, move closer.
  • You are not receiving beacons for the AP. Solution: Use "tcpdump -n -vvv -e -s0 -i " to confirm you are receiving beacons. Assuming you have dealt with the potential problems above, it could be the drivers, or you have not put the card into monitor mode.

https://www.aircrack-ng.org/doku.php?id=aireplay-ng#waiting_for_beacon_frame

Rob
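A pre-flight check for the two points that recur in this answer and in dr.doom's answer above (the card must be in monitor mode and locked to the AP's channel, and NetworkManager/wpa_supplicant must not be running), added here as an example that is not from the thread or from the aircrack-ng project. It assumes the output formats of `iw dev <iface> info` and `ps -eo comm=` shown in the comments; the sample states at the bottom are constructed.

```shell
#!/bin/sh
# Pre-flight check for the "channel -1" failure: confirm the monitor interface is
# really in monitor mode and locked to the AP channel, and list the processes that
# airmon-ng check kill would flag. Inputs are `iw dev <iface> info` and `ps -eo comm=`
# text (assumed formats); the samples at the bottom are constructed, not captured.

# Print the interface type ("monitor", "managed", ...) or "unknown".
iw_type() {
    printf '%s\n' "$1" | awk '$1 == "type" { print $2; f = 1 } END { if (!f) print "unknown" }'
}

# Print the channel number, or "none" when no channel line is present: the
# driver state that makes aireplay-ng report "channel -1".
iw_channel() {
    printf '%s\n' "$1" | awk '$1 == "channel" { print $2; f = 1 } END { if (!f) print "none" }'
}

# Return 0 if the interface is in monitor mode on the expected channel;
# otherwise return 1 and say what is wrong on stderr.
check_monitor_ready() {
    info="$1"; want="$2"
    mode=$(iw_type "$info"); chan=$(iw_channel "$info")
    if [ "$mode" != "monitor" ]; then
        echo "interface is in $mode mode, not monitor" >&2; return 1
    fi
    if [ "$chan" = "none" ]; then
        echo "no channel locked; lock it with: airmon-ng start wlan0 $want" >&2; return 1
    fi
    if [ "$chan" != "$want" ]; then
        echo "interface is on channel $chan but the AP is on channel $want" >&2; return 1
    fi
    return 0
}

# Print, space-separated and deduplicated, the names from `ps -eo comm=` output
# of processes that commonly retune the card or pull it out of monitor mode.
interfering_procs() {
    printf '%s\n' "$1" | awk '/^(NetworkManager|wpa_supplicant|dhclient)$/ && !seen[$0]++ { s = s (s ? " " : "") $0 } END { print s }'
}

# Constructed sample states (not real captures).
MON_LOCKED=$(printf 'Interface mon0\n\ttype monitor\n\tchannel 10 (2457 MHz), width: 20 MHz\n')
MON_NO_CHANNEL=$(printf 'Interface mon0\n\ttype monitor\n')
PS_SAMPLE=$(printf 'systemd\nNetworkManager\nwpa_supplicant\nbash\n')

check_monitor_ready "$MON_LOCKED" 10 && echo "mon0 is ready on channel 10"
check_monitor_ready "$MON_NO_CHANNEL" 10 || echo "also stop: $(interfering_procs "$PS_SAMPLE")"
```

On a real system, feed it `"$(iw dev mon0 info)"` and `"$(ps -eo comm=)"` instead of the constructed samples; a "none" channel is exactly the state the --ignore-negative-one flag papers over.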

Try to stop Networkmanager:

/etc/init.d/network-manager stop

hmh
  • If there were a program interfering with the use of `wlan0`, `airmon-ng` would have warned about it. – Mark Mar 18 '15 at 03:12