Technical details[edit]

Sequence diagram for a WiFi deauthentication attack

Unlike most radio jammers, deauthentication acts in a unique way. The IEEE 802.11 (Wi-Fi)
protocol contains the provision for a deauthentication frame. Sending the frame from the
access point to a station is called a "sanctioned technique to inform a rogue station that they
have been disconnected from the network".[1]

An attacker can send a deauthentication frame at any time to a wireless access point, with
a spoofed address for the victim. The protocol does not require any encryption for this frame,
even when the session was established with Wired Equivalent
Privacy (WEP), WPA or WPA2 for data privacy, and the attacker only needs to know the
victim's MAC address, which is available in the clear through wireless network sniffing.[2][3]

Usage[edit]
Evil twin access points[edit]
One of the main purposes of deauthentication used in the hacking community is to force clients
to connect to an evil twin access point which then can be used to capture network
packets transferred between the client and the access point.

The attacker conducts a deauthentication attack to the target client, disconnecting it from its
current network, thus allowing the client to automatically connect to the evil twin access point.

Password attacks[edit]
In order to mount a brute-force or dictionary based WPA password cracking attack on a WiFi
user with WPA or WPA2 enabled, a hacker must first sniff the WPA 4-way handshake. The
user can be elicited to provide this sequence by first forcing them offline with the
deauthentication attack.[4]
In a similar phishing style attack without password cracking, Wifiphisher starts with a
deauthentication attack to disconnect the user from their legitimate base station, then mounts
a man-in-the-middle attack to collect passwords supplied by an unwitting user.