K.K Prathunan

Performing a Deauthentication (Deauth) Attack Using Flipper Zero And Analysis of the Attack in Wireshark

Introduction

In the realm of wireless network security, a deauthentication (deauth) attack is a powerful technique used to disconnect clients from their access points. This attack can be particularly useful for penetration testers to identify vulnerabilities in wireless networks. In this blog, we will explore how to perform a deauth attack using the Flipper Zero, a versatile and portable device designed for security research.


What is a Deauthentication Attack?

A deauthentication attack involves sending specially crafted packets to a wireless client, forcing it to disconnect from the access point. This is possible because of a weakness in the wireless protocol: without Management Frame Protection, 802.11 deauthentication frames are neither authenticated nor encrypted, so a client cannot tell a forged frame from a genuine one sent by its access point.


What is Flipper Zero?

Flipper Zero is an open-source hardware platform designed for security research and development. It is a versatile tool that can emulate various wireless protocols, perform packet sniffing, and execute a wide range of security-related tasks. Its compact size and robust feature set make it an excellent choice for penetration testers and security professionals.


Prerequisites

Before we dive into the attack, make sure you have the following:

  • Flipper Zero device and ESP32 

  • Jumper cables

  • A target wireless network (with permission to test)

  • Basic understanding of wireless networks and security

Figure showing Flipper zero, ESP32 microcontroller and Jumper cables

Performing the Deauth Attack Using Flipper Zero (ESP32)


1. Flashing Marauder on an ESP32

  • Install dependencies via pip3 install -r requirements.txt.

  • Press and hold the BOOT button on the module

  • While still holding BOOT, connect the devboard or ESP32 board via USB.

  • Release the BOOT button.

  • Run python3 EasyInstall.py.

Choose the appropriate option; in my case it is ‘4’.

2. Setting Up Flipper Zero

  • Install Flipper Firmware: Ensure that your Flipper Zero is running the latest firmware. You can download the firmware from the official Flipper Zero GitHub repository and flash it using the Flipper Zero app.

  • Connect Flipper Zero to Your Computer: Connect your Flipper Zero to your computer using a USB cable and install the qFlipper app.


3. Connecting ESP32 to Flipper Zero

GPIO pins in ESP32
GPIO pins in Flipper

Pins to connect from ESP32 to Flipper (note that TX and RX are crossed over):

  ESP32    Flipper Zero
  TX0      RX
  RX0      TX
  GND      GND
  3v3      3v3


All Set for the Deauth Attack

 

4. Perform Deauth Attack:

Navigate to Apps > GPIO > ESP32 Marauder

Index page in the Marauder module:

Open Marauder and scan for Wi-Fi networks.

Once the scan is done, list the networks:

Navigate to ‘Select’ and input the appropriate network ID.

Navigate to ‘Channel’ and input the channel number for your target network.

Finally, click on Attack:

After performing the deauth attack, all the devices connected to our target network get disconnected, as shown in the image below.


5. Analysing with Wireshark

What Are DEAUTH Packets?

DEAUTH packets are part of the IEEE 802.11 protocol used in Wi-Fi networks. They are management frames that signal devices to disconnect from a network. While these packets can be a legitimate part of network management, they can also indicate potential security issues, such as deauthentication attacks.

 

Analyzing the Wireshark Capture

In the Wireshark screenshot below, we observe multiple DEAUTH packets being transmitted. Use the display filter wlan.fc.type_subtype == 0x0c to isolate DEAUTH packets (management frame, subtype 12). Note that 802.11 management frames are only visible when the capture is taken on a wireless interface in monitor mode; a capture on the connected interface shows only the resulting disconnection, not the frames themselves.


Key Observations

1. Source & Destination: The Source MAC address indicates the device sending the DEAUTH packets, typically a router or access point. Keep in mind that this address is a plain header field and is trivially forged unless Management Frame Protection is in use, so a source that looks like the access point does not prove the access point sent the frame. The Destination is set to "Broadcast," meaning these packets are directed to all devices on the network.

2. Protocol: Each packet is categorized as a Deauthentication frame under the IEEE 802.11 protocol, confirming their role in managing wireless connections.

3. Packet Length: The Length of each DEAUTH packet varies slightly, which can provide insights into the specific details of the packets being sent.

4. Frequency: The frequent occurrence of these packets suggests active disconnection of clients from the network. This could be due to legitimate user actions or potentially malicious activities; a legitimate disconnect is normally a handful of frames, whereas a flood of identical frames to the broadcast address is a strong sign of an attack.

5. Flags: The flags section may contain additional information about the DEAUTH frame's status and type, which can be useful for further analysis. The reason code in the frame body is also worth checking; deauth tools commonly send reason code 7 (class 3 frame received from a non-associated station).
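To make the observations above concrete from the defender's side, here is an added example in Python (not part of the original post) that parses raw 802.11 frames, picks out deauthentication frames by type/subtype, and flags any transmitter that floods the channel with them. The MAC addresses and the sample capture are constructed for the example; frames are decoded from bytes only, nothing is captured or transmitted.

```python
import struct
from collections import defaultdict
BROADCAST = "ff:ff:ff:ff:ff:ff"
# IEEE 802.11 reason codes (subset); 7 is what most deauth floods carry
REASON = {1: "unspecified", 3: "STA is leaving", 7: "class 3 frame from non-associated STA"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(raw):
    """Fields of a raw 802.11 deauth frame (no radiotap header), or None for any other frame."""
    fc0 = raw[0]                                   # version(2) | type(2) | subtype(4), low bits first
    if ((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF) != (0, 0x0c):   # management, subtype 12 = deauth
        return None
    # header: fc(2) duration(2) addr1(6) addr2(6) addr3(6) seqctrl(2); body: reason code(2, LE)
    return {"dst": mac(raw[4:10]), "src": mac(raw[10:16]), "bssid": mac(raw[16:22]),
            "reason": struct.unpack_from("<H", raw, 24)[0]}

def detect_flood(frames, threshold=10, window=1.0):
    """frames: [(timestamp, raw_bytes)]. Alert on any transmitter address that sends
    >= threshold deauth frames inside `window` seconds; note if the target was broadcast."""
    by_src = defaultdict(list)
    for ts, raw in frames:
        d = parse_deauth(raw)
        if d:
            by_src[d["src"]].append((ts, d["dst"], d["reason"]))
    alerts = []
    for src, ev in by_src.items():
        ev.sort()
        for i in range(len(ev)):
            j = i
            while j < len(ev) and ev[j][0] - ev[i][0] <= window:   # sliding window from ev[i]
                j += 1
            if j - i >= threshold:
                alerts.append({"src": src, "count": j - i,
                               "broadcast": any(dst == BROADCAST for _, dst, _ in ev[i:j]),
                               "reasons": sorted({REASON.get(r, str(r)) for _, _, r in ev[i:j]})})
                break                                   # one alert per source is enough
    return alerts

# Constructed sample capture (hypothetical addresses; bytes only, nothing is transmitted)
AP, CLIENT, BCAST = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee"), b"\xff" * 6
def sample_deauth(dst, src, reason, seq):
    return b"\xc0\x00\x3a\x01" + dst + src + AP + struct.pack("<HH", seq << 4, reason)
SAMPLE = [(i * 0.05, sample_deauth(BCAST, AP, 7, i)) for i in range(20)]   # 20 broadcast deauths in 1 s
SAMPLE.append((3.0, sample_deauth(AP, CLIENT, 3, 1)))                       # one client leaving normally
SAMPLE.append((3.1, b"\x80\x00\x00\x00" + BCAST + AP + AP + b"\x10\x00" + b"\x00" * 12))  # a beacon, ignored

if __name__ == "__main__":
    for a in detect_flood(SAMPLE):
        print(f"deauth flood from {a['src']}: {a['count']} frames, broadcast={a['broadcast']}, reasons={a['reasons']}")
```

The same logic applies to a real monitor-mode capture once the radiotap header has been stripped; the single "STA is leaving" frame from the client is correctly left alone.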

 

MITIGATION:

Use WPA3 Security:

  • Upgrade to WPA3 (Wi-Fi Protected Access 3) if possible. WPA3 offers stronger security features and improved resistance against deauthentication attacks compared to previous protocols, because it makes Protected Management Frames (802.11w) mandatory.

Implement Management Frame Protection (MFP):

  • Enable Management Frame Protection, which helps secure management frames (including deauthentication frames) from spoofing and unauthorized access. On WPA2 networks this is optional, so check that both the access point and the clients support it; a client without MFP support remains vulnerable.

Regular Firmware Updates:

  • Keep your router and access point firmware up to date to ensure that security vulnerabilities are patched.

 

