How to Disconnect Devices from Wi-Fi using Scapy in Python

Forcing devices to disconnect from a network by sending deauthentication frames continuously using Scapy library in Python, this is called deauthentication attack.
  · 5 min read · Updated aug 2020 · Ethical Hacking · Packet Manipulation Using Scapy

In this tutorial, we will see how we can kick out devices from a particular network that you actually don't belong to in Python using Scapy, this can be done by sending deauthentication frames in the air using a network device that is in monitor mode.

An attacker can send deauthentication frames at any time to a wireless access point with a spoofed MAC address of the victim, causing the access point to deauthenticate with that user. As you may guess, the protocol does not require any encryption for this frame, the attacker only needs to know the victim's MAC address, which is easy to capture using utilities like airodump-ng.

Let's import Scapy (You need to install it first, head to this tutorial or the official scapy documentation for installation):

from scapy.all import *

Luckily enough, Scapy has a packet class Dot11Deauth() that does exactly what we are looking for, it takes a 802.11 reason code as a parameter, we'll choose a value of 7 for now (which is a frame received from nonassociated station as mentioned here).

Let's craft the packet:

target_mac = "00:ae:fa:81:e2:5e"
gateway_mac = "e8:94:f6:c4:97:3f"
# 802.11 frame
# addr1: destination MAC
# addr2: source MAC
# addr3: Access Point MAC
dot11 = Dot11(addr1=target_mac, addr2=gateway_mac, addr3=gateway_mac)
# stack them up
packet = RadioTap()/dot11/Dot11Deauth(reason=7)
# send the packet
sendp(packet, inter=0.1, count=100, iface="wlan0mon", verbose=1)

This is basically the access point requesting a deauthentication from the target, that is why we set the destination MAC address to the target device's MAC address, and source MAC address to the access point's MAC address, and then we send the stacked frame 100 times each 0.1s, this will cause a deauthentication for 10 seconds.

You can also set "ff:ff:ff:ff:ff:ff" (broadcast MAC address ) as addr1 (target_mac) and this will cause a complete denial of service, as no device can connect to that access point, this is quite harmful!

Now to run this, you need a Linux machine and a network interface that is in monitor mode. To enable monitor mode in your network interface, you can use either iwconfig or airmon-ng (after installing aircrack-ng) Linux utilities:

sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor


sudo airmon-ng start wlan0

My network interface is called wlan0, but you should use your proper network interface name.

Now you're maybe wondering, how can we get the gateway and target MAC address if we're not connected to that network ? that is a good question, when you set your network card into monitor mode, you can actually sniff packets in the air using this command in linux (when you install aircrack-ng):

airodump-ng wlan0mon

Note: wlan0mon is my network interface name in monitor mode, you can check your network interface name using iwconfig Linux utility.

This command will keep sniffing 802.11 beacon frames and arrange the Wi-Fi networks to you as well as nearby connected devices to it.

Before we execute the script, my victim Android phone (which has the MAC address "00:ae:fa:81:e2:5e") is normally connected to the Wi-Fi access point (which has the MAC address "e8:94:f6:c4:97:3f"):

Connected deviceNow let's execute the script:

Executing a deauthentication attackGoing back to the victim device:

Disconnected device after deauthentication attack

As you can see, we have made a successful deauthentication attack! you can pass -c 0 (by default) to prevent him from connecting until you stop the execution!

I highly encourage you to check the completed version of the code that uses command line arguments as shown in the figures.

You may be wondering, why this is useful ? Well let's see:

  • One of the main purposes of deauthentication attack is to force clients to connect to an Evil twin access point which can be used to capture network packets transferred between the client and the Rogue Access Point.
  • It can also be useful to capture the WPA 4-way handshake, the attacker then needs to crack the WPA password.
  • You can also make jokes with your friends!

RELATED: How to Create Fake Access Points using Scapy in Python.

Finally, as always, don't use this on a network you don't have permission to, we do not take any responsibility, this tutorial is for educational purposes!

Happy Crafting ♥

View Full Code
Sharing is caring!

Read Also

Comment panel