Operations and securityWireless attacksIntermediate26 min read

What Is Deauthentication attack? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A deauthentication attack happens when someone sends fake signals to your Wi-Fi devices, making them think the network kicked them out. This forces your phone or laptop to disconnect and usually try to reconnect. Attackers do this to secretly capture the data your device sends when it reconnects, which can be used to crack the Wi-Fi password. It is a common method used to attack wireless networks.

Commonly Confused With

Deauthentication attackvsDisassociation attack

A disassociation attack sends disassociation frames instead of deauthentication frames. While both cause a client to disconnect, deauthentication frames reset the authentication state, forcing a full handshake on reconnection. Disassociation frames only remove the association; the client can reassociate more quickly without a full handshake. Deauthentication attacks are more dangerous because they guarantee a fresh handshake is needed.

If you want to capture a handshake, use deauthentication. If you just want to annoy someone by temporarily dropping their connection without forcing a password exchange, you might use disassociation.

Deauthentication attackvsEvil Twin attack

An Evil Twin attack sets up a rogue access point with the same SSID as a legitimate network. The attacker may or may not use a deauthentication attack to force clients to connect to their rogue AP. The goal of an Evil Twin is usually to capture credentials or perform a man-in-the-middle attack. Deauthentication is just a tool that can be used to direct clients to the Evil Twin. The two are often combined, but they are not the same.

The Evil Twin is the fake coffee shop Wi-Fi setup that asks for your email to connect. The deauthentication attack is the shove that disconnects you from the real Wi-Fi so you try the fake one.

Deauthentication attackvsJamming attack

A jamming attack uses radio frequency interference to overwhelm the wireless channel with noise, making it impossible for any device to communicate. It does not use management frames. Deauthentication attacks are more targeted and use protocol-level frames, not raw RF noise. Jamming is a physical-layer attack, while deauthentication is a layer-2 attack. Jamming can affect all devices on a channel, while deauthentication can target specific clients.

Jamming is like turning on a loud vacuum cleaner in a library so nobody can hear each other. Deauthentication is like walking up to someone and telling them to leave, then whispering to them later.

Deauthentication attackvsBeacon flood attack

A beacon flood attack overwhelming the network by sending thousands of fake beacon frames, each advertising a different SSID, which can confuse clients and drain battery. Deauthentication attacks focus on sending deauth frames to force disconnections. Beacon floods are more about creating chaos and less about capturing data.

Beacon flood is like posting thousands of fake event signs all over town, making it hard to find the real party. Deauthentication is like sending a text to a friend saying 'the party moved' so they leave and go somewhere else.

Deauthentication attackvsBrute-force attack

A brute-force attack is a method of guessing a password by trying many possibilities, often offline after a handshake is captured. Deauthentication attack does not guess passwords-it captures the encrypted handshake. The brute-force attack is the follow-up step. Some learners confuse the two because they are often performed together in demonstrations.

Deauthentication is like stealing the lockbox. Brute-force is like sitting at home trying every key until one opens it.

Must Know for Exams

For CompTIA Security+, the deauthentication attack is a primary objective under Wireless Attacks (Domain 2.3). The exam expects you to know what a deauthentication attack is, how it relates to the four-way handshake, and what the purpose of the attack is. You may be asked to identify the attack from a scenario description, such as 'A user's device keeps disconnecting from the Wi-Fi, and after investigation, you find an unusual number of deauthentication frames in the packet capture.' Security+ also tests your understanding of mitigation techniques, specifically the use of Protected Management Frames (802.11w) and WPA3. Multiple-choice questions may ask which technology prevents deauthentication attacks, and the correct answer is 802.11w.

For Network+, deauthentication attacks fall under Network Security (Domain 5). The exam is more focused on how management frames work within the 802.11 standard. You may see questions about the difference between deauthentication frames and disassociation frames, or about the role of monitor mode in capturing these frames. Network+ questions sometimes present a scenario where a network engineer is troubleshooting intermittent connection issues and needs to identify that the root cause is a deauthentication attack. You should understand that these attacks are not just theoretical-they directly impact network availability and performance.

For PenTest+, the deauthentication attack is a key practical skill (Domain 3). The exam expects you to know how to perform this attack using tools like aircrack-ng suite, specifically aireplay-ng. You need to understand the command syntax, the importance of placing the wireless card in monitor mode, and how to capture the handshake with airodump-ng. PenTest+ may present command-line outputs where you have to identify which tool sent deauthentication frames or how to craft a specific deauthentication packet. The exam also covers using captured handshakes for offline password cracking with aircrack-ng or Hashcat, and understanding the limitations of brute-forcing. Performance-based questions might ask you to order the steps of a wireless attack: put card in monitor mode, scan for networks, capture traffic, send deauthentication frame, capture handshake, crack password.

Across all exams, a common theme is the distinction between WPA2 and WPA3. WPA3 introduces Simultaneous Authentication of Equals (SAE), which includes protections against offline dictionary attacks even if a handshake is captured. However, WPA3 can still be vulnerable to downgrade attacks or if Management Frame Protection is not enforced. So, an exam question may ask about the best defense against deauthentication attacks, and the best answer is 'implement WPA3 with Protected Management Frames enabled.' Also, be prepared for questions about the limitations: deauthentication attacks cannot be fully prevented on WPA2 networks, only mitigated.

exam questions often link deauthentication attacks to Evil Twin attacks. The deauthentication attack is sometimes used as a precursor to an Evil Twin attack-the attacker disconnects the client from the legitimate AP and then lures the client to connect to a rogue AP with the same SSID. Understanding this relationship is important for scenario-based questions.

Simple Meaning

Imagine you are at a coffee shop, happily browsing the internet on your laptop using the shop's free Wi-Fi. Suddenly, your laptop loses connection and shows a message that says the Wi-Fi network is no longer available. You try to reconnect, and after a few seconds, you are back online. What you might not realize is that someone sitting nearby just forced your laptop to disconnect using a deauthentication attack.

In simple terms, a deauthentication attack is like a bully in a playground who keeps cutting the jump rope, pretending the game is over, just to watch everyone try to restart. The bully isn't interested in the game itself-they want to see how the game starts, so they can learn the rules. In wireless networking, the 'jump rope' is the connection between your device and the Wi-Fi router. The attacker sends a special kind of fake signal to your device, tricking it into thinking the router wants it to disconnect. Your device then obediently drops the connection and tries to reconnect, which is normal behavior.

The real danger is that when your device reconnects, it sends a series of messages to the router to re-authenticate. These messages contain encrypted information that, with the right tools, can be captured and analyzed later. If the attacker gets enough of this data, they can try to guess the Wi-Fi password offline. This is why deauthentication attacks are a first step in many wireless network break-ins-they don't give the attacker the password directly, but they create an opportunity to steal it. The attack itself is not illegal in terms of the technology-it's just a misuse of a legitimate wireless management feature. The legitimate purpose of deauthentication frames is for a router to tell a device to disconnect when the network is shutting down or when the device has been inactive too long. Attackers simply abuse this feature by impersonating the router and sending these frames maliciously.

Full Technical Definition

A deauthentication attack exploits the management frame structure defined in the IEEE 802.11 wireless networking standard. In a Wi-Fi network, three main types of frames exist: data frames, control frames, and management frames. Management frames handle the maintenance of the wireless connection, including association, authentication, and disassociation. Deauthentication frames are a specific subtype of management frames used to terminate a wireless connection gracefully.

The attack works because 802.11 management frames are, by default, unencrypted and unauthenticated in most consumer and enterprise deployments unless Protected Management Frames (PMF) or 802.11w is implemented. An attacker only needs to know the BSSID (the MAC address of the access point) and the MAC address of the target client device to craft a deauthentication frame. This frame is sent from the attacker's wireless interface, which is placed in monitor mode, with the source MAC address spoofed to match the target access point. The frame is then transmitted on the same channel as the victim network.

Most Wi-Fi client devices and access points will honor a deauthentication frame without question because the 802.11 standard originally assumed the wireless medium was trusted. When the client receives a valid deauthentication frame, it immediately drops its current connection state and may attempt to re-associate. This re-association process involves a four-way handshake (in WPA2-Personal or WPA3-Personal) that includes the Pre-Shared Key (PSK) exchange, which can be captured. The attacker uses a packet capture tool like airodump-ng or Wireshark to capture this handshake. Once the handshake is captured, offline brute-force or dictionary attacks can be attempted against the PSK using tools like aircrack-ng or Hashcat.

In real IT implementations, deauthentication attacks are a significant concern for wireless network security. Enterprise networks often mitigate this by enabling 802.11w (Protected Management Frames), which adds cryptographic protection to management frames including deauthentication frames. However, 802.11w is not universally supported on older devices. Some access points implement rate-limiting on deauthentication frames or use client isolation techniques to reduce the attack surface. For penetration testers, a controlled deauthentication attack is a standard technique to test the resilience of a wireless network against unauthorized disconnections and to capture handshakes for password strength validation. It is also used to test whether the network's WPA3 implementation is vulnerable to downgrade attacks, as some WPA3 implementations may fall back to WPA2, exposing the handshake to legacy attacks.

Real-Life Example

Picture this: You are at a busy airport waiting for your flight. You connect your phone to the free public Wi-Fi, and everything works fine for a few minutes. Then, all of a sudden, your phone shows 'No Internet Connection' and the Wi-Fi icon disappears. A message pops up asking if you want to reconnect. You tap reconnect, and it works again. This happens three more times over the next ten minutes. You might think the airport's Wi-Fi is just flaky. But in reality, someone in the waiting area is intentionally making this happen.

They are using a small laptop with a wireless card running Kali Linux. They have a tool called mdk4 or aireplay-ng running, which is continuously sending fake deauthentication packets from a fake address that looks like the airport's router. Your phone believes these fake packets and instantly disconnects. Each time you reconnect, your phone sends a new handshake to the router. The attacker's laptop is recording all of this traffic.

This is very similar to someone standing outside a locked door, repeatedly pulling the door open just as you are about to close it, forcing you to re-lock it every time. By watching you re-lock it, they can study the exact pattern of your key turn and maybe copy your key. In the Wi-Fi world, the 'key' is your network password. The attacker doesn't need your physical key-they just need enough data from the handshake to try millions of possible passwords on their own computer later. They aren't trying to break in while you are there; they are collecting the information they need to break in later, in private, when they have all the time in the world. This is why public Wi-Fi is so risky-the attacker can easily force your device to reconnect repeatedly, each time providing a fresh opportunity to capture the handshake. The more handshakes they capture, the better their chances of cracking the password, especially if the password is weak or common.

Why This Term Matters

In practical IT contexts, deauthentication attacks matter for several critical reasons. First, they are a primary vector for gaining unauthorized access to wireless networks. For a network administrator, understanding this attack is essential for implementing proper defenses. Without mitigation, any WPA2-PSK network is effectively vulnerable to offline password cracking if an attacker can capture a single handshake. This means that a weak Wi-Fi password can be cracked in minutes using a deauthentication attack followed by a dictionary attack.

Second, deauthentication attacks are not just about breaking passwords-they can be used for denial of service (DoS). An attacker can continuously flood an entire area with deauthentication frames, effectively disabling Wi-Fi for all users within range. This can disrupt business operations, especially in environments that rely on Wi-Fi for point-of-sale systems, medical devices, or inventory management. For example, a retail store could be shut down on a busy day if attackers target its Wi-Fi network, forcing all transactions to halt.

Third, this attack highlights a fundamental design flaw in the 802.11 standard: the lack of authentication for management frames. This has led to the development of IEEE 802.11w, which is now a mandatory feature in Wi-Fi 6 (802.11ax) and strongly recommended for all modern deployments. IT professionals need to know whether their access points and clients support PMF, and how to configure them to require it. For instance, in a corporate environment, the network should be set to 'PMF Required' rather than 'PMF Capable' to ensure that legacy devices that don't support PMF cannot connect, thus eliminating the vulnerability.

Finally, deauthentication attacks are a common tool for penetration testers during wireless security assessments. They demonstrate how easy it is to disrupt a network and collect sensitive data. For IT professionals preparing for certifications, understanding this attack is crucial for both defensive (Security+, Network+) and offensive (PenTest+) roles. It illustrates core concepts of wireless security, cryptography, and the importance of protocol design. It also serves as a gateway to understanding more advanced wireless attacks like KRACK, PMKID, and Evil Twin attacks.

How It Appears in Exam Questions

In certification exams, deauthentication attack questions appear in multiple formats.

Scenario-based questions: You are given a description of a user's experience. For example: 'A user reports that their laptop keeps disconnecting from the corporate Wi-Fi network. Each time, they have to manually reconnect. A packet capture shows a large number of management frames with the source MAC matching the access point. What is most likely happening?' The correct answer is a deauthentication attack. Another scenario: 'A penetration tester is tasked with testing the strength of a company's Wi-Fi password. They capture a four-way handshake after performing a deauthentication attack. What is the next step?' Answer: Use an offline password cracking tool.

Configuration questions: These ask about what configuration change prevents such attacks. Example: 'Which of the following would most effectively prevent a deauthentication attack against a WPA2 network?' Options include disabling SSID broadcast, enabling MAC filtering, enabling 802.11w, or changing the Wi-Fi channel. The correct answer is enabling 802.11w (Protected Management Frames). Another question might ask: 'A network administrator wants to ensure that all clients connecting to the new Wi-Fi 6 network support Protected Management Frames. Which setting should they choose?' The correct answer is to set PMF to 'Required' rather than 'Capable'.

Command/tool identification: For PenTest+ and advanced Network+, you may see questions about tools. Example: 'Which tool from the aircrack-ng suite is used to send deauthentication frames?' Answer: aireplay-ng. Or, 'What mode must the wireless interface be in to capture deauthentication frames?' Answer: Monitor mode. There may also be questions about interpreting the output of airodump-ng. For instance: 'A technician runs the command airodump-ng wlan0mon and sees an unusually high number of deauth packets in the 'Data' column. What does this indicate?'

Troubleshooting questions: These present symptoms and ask you to identify the attack or the best remediation. Example: 'A help desk technician receives reports that multiple users in a conference room experience Wi-Fi drops every few minutes only when a particular vendor's laptop is present in the room. What could be the cause?' The answer might be a rogue deauthentication attack, but also could be a legitimate interference issue-troubleshooting requires distinguishing between accidental and malicious causes.

Multiple-choice with networking terms: You might see a question about the type of frame used in a deauthentication attack. Options: Data, Control, Management, Beacon. The answer is Management. Another variation: 'Which IEEE standard protocol introduces protection against deauthentication attacks?' Answer: 802.11w.

Performance-based questions: You may be asked to order a sequence of steps for conducting a wireless security test. The steps would include: Place wireless card in monitor mode, start packet capture, send deauthentication frames to force client reconnection, capture the four-way handshake, and then crack the password. Or, you may have to drag and drop the correct command for each step.

Practise Deauthentication attack Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are a security intern at a small company called SwiftBooks, a bookstore that offers free Wi-Fi to customers. The manager comes to you with a complaint: several customers have reported that their phones keep disconnecting from the Wi-Fi every few minutes. They have to keep reconnecting, and it is really annoying. The manager thinks the router is broken and wants you to troubleshoot.

You start by looking at the router's logs. You see no errors. You then run Wireshark on your laptop connected to the same Wi-Fi to capture some traffic. Within a minute, you see hundreds of packets with 'Deauthentication' in the description. The source MAC address looks exactly like the bookstore's router. But you know that the router is not sending these. Something is fishy.

You walk around the bookstore with your laptop in monitor mode using a tool called airodump-ng. You see a nearby person's laptop with a strange wireless card transmitting on the same channel. That person is sending deauth packets continuously using aireplay-ng. You politely inform the manager, who then asks the person to leave. After that, the Wi-Fi works fine.

Later, you explain to the manager what happened. 'The attacker was sending fake disconnection messages to customers' devices, making them disconnect and reconnect. Every time a customer reconnected, their device sent a handshake that the attacker captured. The attacker was trying to record enough handshakes to crack the Wi-Fi password later, so they could get free internet or maybe access our internal network.' The manager is impressed and asks how to prevent this. You recommend upgrading to a router that supports Protected Management Frames, or at least enabling the option if it already does. You also suggest setting up a Wi-Fi password policy with longer, more complex passwords. This real-world scenario shows how a simple deauthentication attack can disrupt business, frustrate customers, and pose a security risk, all while being relatively easy to perform with free tools.

Common Mistakes

Assuming deauthentication attacks can be completely prevented on WPA2 networks.

WPA2 does not natively support Protected Management Frames (802.11w). Without PMF, deauthentication frames are sent unencrypted and unauthenticated, so any device can forge them. No amount of configuration on a WPA2-only network can fully stop them; you can only mitigate by using tools like WIPS or monitoring for anomalies.

Accept that WPA2 networks are inherently vulnerable to deauthentication attacks. The only complete fix is to upgrade to WPA3 with PMF enabled, or to use enterprise authentication with 802.1X and PMF.

Thinking that deauthentication attacks directly steal the Wi-Fi password.

The attack does not steal the password. It forces a device to reconnect, allowing the attacker to capture the encrypted handshake. The handshake does not contain the plaintext password. The attacker must then use offline brute-force or dictionary attacks to crack the password, which is time-consuming and may not succeed if the password is strong.

Understand that the deauthentication attack is just the first step. The real threat is the subsequent offline cracking. The strength of the Wi-Fi password is the ultimate defense.

Confusing deauthentication attacks with Evil Twin attacks.

A deauthentication attack disconnects a client from a legitimate access point. An Evil Twin attack involves setting up a rogue access point that mimics a legitimate one to steal credentials. While they can be used together (deauth forces client to connect to Evil Twin), they are distinct concepts. An Evil Twin attack does not require deauthentication-it can work passively if the client simply auto-connects to the rogue AP.

Separate the two. Deauthentication = disconnection. Evil Twin = impersonation. An attacker might use deauthentication to make the client reconnect, but the Evil Twin is the trap, not the disconnection itself.

Believing that changing the SSID or disabling SSID broadcast prevents deauthentication attacks.

Deauthentication frames target the BSSID (MAC address) of the access point, not the SSID. The SSID can be hidden, but the BSSID is always broadcast in beacon frames and management frames. Attackers can easily discover the BSSID using airodump-ng even if the SSID is hidden. So, hiding the SSID provides no protection against deauthentication.

Do not rely on SSID hiding as a security measure. Focus on using PMF, strong passwords, and WPA3 for protection.

Thinking only the access point can send deauthentication frames.

Any device with a compatible wireless card in monitor mode can send spoofed deauthentication frames. The 802.11 standard allows any device to transmit management frames. There is no built-in validation of the source MAC address. Attackers exploit this by setting the source MAC to the legitimate access point's MAC, making it look like the AP sent the frame.

Understand that the attack is possible because management frames are not authenticated. Always assume that a device sending deauth frames might not be the real AP.

Exam Trap — Don't Get Fooled

{"trap":"In an exam scenario, a question might describe a situation where a user's device keeps disconnecting, but the packet capture shows many 'Disassociation' frames rather than 'Deauthentication' frames. A learner might assume this is a deauthentication attack because the symptoms are similar.","why_learners_choose_it":"Learners often think 'disconnection = deauthentication' because deauthentication is the more commonly discussed attack.

Disassociation frames are also used to terminate connections, but they are used for different reasons (e.g., when a client roams to another AP). The exam traps you by using the less common term to test if you know the exact frame type for forced disconnection."

,"how_to_avoid_it":"Memorize the specific frame types: Deauthentication frames are used to terminate the authentication state entirely, requiring a full re-authentication. Disassociation frames remove the association only, but the client can reassociate without full re-authentication. For an attack that forces a full reconnect and handshake capture, it must be a deauthentication frame.

If the question says 'Disassociation', it is not the same attack. Always read the frame type carefully."

Step-by-Step Breakdown

1

Place wireless card in monitor mode

The attacker switches their wireless interface from managed mode (normal client mode) to monitor mode. In monitor mode, the card can capture all wireless traffic on a given channel without being associated with a network. This is necessary to send custom frames and capture responses. Tools like airmon-ng are used for this, e.g., 'airmon-ng start wlan0'.

2

Identify target access point and client

Using a tool like airodump-ng, the attacker scans for nearby wireless networks. They note the BSSID (MAC address of the target access point) and the channel it operates on. They also identify a client currently connected to that AP by its MAC address. This information is required to craft the deauthentication frame.

3

Start packet capture

The attacker starts capturing wireless traffic on the target channel using a tool like airodump-ng. This capture will record all data frames, including the four-way handshake when the client reconnects. The capture file (e.g., .cap or .pcap) is saved for later analysis.

4

Send deauthentication frames

Using a tool like aireplay-ng, the attacker sends deauthentication frames targeting the specific client and AP. The command may look like 'aireplay-ng -0 5 -a [AP MAC] -c [client MAC] wlan0mon'. This sends 5 deauth packets to the client, impersonating the AP. The client receives these frames and immediately drops its connection.

5

Client reconnects and handshake capture

The client, now disconnected, automatically attempts to re-establish the connection. This triggers the four-way handshake between the client and the AP. The attacker, who is still capturing traffic, records this handshake in the capture file. A successful handshake capture is indicated in airodump-ng by a line showing 'WPA handshake' with the AP's BSSID.

6

Analyze captured handshake offline

The attacker now has a file containing the encrypted handshake. Using tools like aircrack-ng or Hashcat, they perform a dictionary or brute-force attack on the handshake to recover the Pre-Shared Key (Wi-Fi password). The success of this step depends on the strength of the password and the attacker's wordlist.

Practical Mini-Lesson

A deauthentication attack is not just a theoretical exam concept-it is a real, practical technique that IT professionals must understand for both defense and penetration testing. Let's dive into how it works in practice, what you need to know as a professional, and what can go wrong.

First, the hardware and software requirements. On the attacker side, you need a wireless network adapter that supports monitor mode and packet injection. Common chipsets like Atheros (AR9271) or Ralink (RT3070) are supported in Linux distributions like Kali Linux. The standard tools are part of the aircrack-ng suite: airmon-ng (to enable monitor mode), airodump-ng (to capture packets and find targets), aireplay-ng (to inject deauth frames), and aircrack-ng (to crack the handshake). For Windows, Wireshark with Npcap can capture, but packet injection is more limited. For network defenders, tools like Wireshark can detect deauthentication attacks by filtering for 'wlan.fc.type_subtype == 12' (deauth frame subtype).

In a real engagement, a penetration tester will first ensure they have a clear legal agreement (letter of authorization) before performing any attack. They will then set up their environment. A common mistake is to send too many deauth frames, which can cause a denial of service that disrupts business operations. Ethical testers send only a few frames (e.g., 3-5) to force a single reconnection, not a continuous flood. Also, they carefully target one specific client to minimize impact.

For defense, the most effective mitigation is to enable Protected Management Frames (802.11w) on the access point. This requires both the AP and all clients to support the feature. In enterprise environments, using WPA3-Enterprise with 802.1X and PMF provides robust protection. Network monitoring tools like WIPS (Wireless Intrusion Prevention Systems) can detect deauthentication floods and alert administrators. Some enterprise APs also have features like 'Deauth Attack Detection' or 'Rogue AP Detection' that automatically block offending MAC addresses.

What can go wrong? The biggest risk is misidentification. A high number of deauthentication frames in a capture might not be an attack-it could be a malfunctioning client or AP, or a legitimate network management action (e.g., an AP updating its firmware). Always correlate with other symptoms. Also, note that deauthentication attacks do not work if the client is using PMF. However, some older clients (e.g., IoT devices) may not support PMF, and disabling them may cause connectivity issues.

Another practical point: you cannot crack every password. If the Wi-Fi password is a strong, random string of 16+ characters, a dictionary attack will fail. The attack is only as effective as the weakest password. This is why password policies matter. In a corporate environment, using WPA2-Enterprise with individual user credentials (via 802.1X) makes deauthentication attacks much less useful because the attacker would need to capture a unique handshake for each user, and the password is not shared.

Finally, on the exam, you may be asked to interpret output. For example, in airodump-ng output, if you see a line like 'WPA handshake: 00:11:22:33:44:55', that indicates a captured handshake after a deauth attack. You should know that the handshake contains enough information to attempt offline cracking. But also note that WPA3 handshakes use SAE (Simultaneous Authentication of Equals), which makes offline dictionary attacks infeasible even if the handshake is captured. So the same attack on a WPA3 network would fail to reveal the password. Understanding these nuances is key for both practical work and exams.

Memory Tip

Remember: Deauth = Disconnect + Handshake capture. The 'De' in Deauth stands for 'Disconnect' and 'Expose' the handshake. If you forget the attack, think 'Deauth = D-E-A-U-T-H = Disconnect Everyone And Unlock The Handshake'.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can a deauthentication attack be used to steal Wi-Fi passwords instantly?

No. It captures the encrypted handshake, not the plaintext password. The attacker must then crack the handshake offline using brute-force or dictionary methods, which takes time and might not succeed with strong passwords.

Does changing my Wi-Fi password stop deauthentication attacks?

Not directly. A new password does not prevent the attacker from sending deauth frames. However, if you change to a very strong, long password after an attack, the captured handshake becomes useless because the old handshake is no longer valid.

Are deauthentication attacks illegal?

They can be illegal if performed without authorization. In many jurisdictions, disrupting network communications or gaining unauthorized access to a network is a crime. However, they are legal for security researchers and penetration testers with explicit permission.

Can I prevent deauthentication attacks on my home Wi-Fi?

If your router supports WPA3, enable it and make sure Protected Management Frames (802.11w) is turned on. If you are stuck with WPA2, there is no full prevention, but you can use a very strong password to mitigate the risk if the handshake is captured.

Does a VPN protect me from deauthentication attacks?

A VPN protects your data traffic after you are connected, but it does not prevent the disconnection itself. The attacker can still force you offline, but your traffic will be encrypted through the VPN once you reconnect. The VPN does not stop the handshake capture either.

What is the difference between a deauthentication attack and a disassociation attack?

Deauthentication removes the authentication state and requires a full four-way handshake to reconnect. Disassociation only removes the association, and the client can rejoin more quickly without a new handshake. Deauth is used for capturing handshakes; disassociation is more for DoS.

Can deauthentication attacks affect both 2.4 GHz and 5 GHz networks?

Yes. The attack works on any frequency band that uses 802.11 management frames. The attacker must be on the same channel and use the correct BSSID for the specific band they target.