Introduction
In this lab, you will step into the role of a network security analyst. Your task is to monitor a Wi-Fi network and detect a common type of wireless attack: a deauthentication (deauth) attack. This attack is used to disconnect clients from a Wi-Fi network, often as a preliminary step for other attacks like setting up an evil twin access point.
You will use two primary tools:
- Fluxion: A security auditing tool used here to simulate the deauthentication attack.
- Wireshark: A powerful network protocol analyzer that allows you to capture and inspect network traffic in real-time.
By the end of this lab, you will be able to start a network capture, filter for malicious traffic, and identify the key characteristics of a deauthentication attack. This is a fundamental skill for anyone interested in wireless network security.
Start a Wireshark Capture on the Correct Wi-Fi Channel
In this step, you will prepare your wireless interface for monitoring and start capturing traffic with Wireshark. A wireless network card must be put into "monitor mode" to capture all Wi-Fi traffic in the air, not just traffic addressed to your device.
First, open a terminal from the application menu. We will use the aircrack-ng suite to manage our wireless interface. Let's assume your wireless interface is wlan0. We will create a monitoring interface called wlan0mon.
Execute the following command to start monitor mode:
sudo airmon-ng start wlan0
You should see output confirming that monitor mode has been enabled on a new interface, likely named wlan0mon.
Next, launch Wireshark with sudo privileges to access the network interfaces.
sudo wireshark
When the Wireshark window opens, you will see a list of available network interfaces. Find and double-click on your monitor mode interface (wlan0mon) to start capturing packets. The main window will immediately start filling up with captured Wi-Fi traffic.
For now, just let the capture run. We will launch the attack in the next step and then come back to analyze the traffic.
Launch a Fluxion Deauth Attack Against a Target
In this step, you will use Fluxion to launch the deauthentication attack. This will generate the malicious traffic that you will detect in Wireshark.
Open a new terminal window, keeping your first terminal and Wireshark running. In the new terminal, start Fluxion with sudo privileges.
sudo fluxion
Fluxion has a menu-driven interface. Follow these instructions carefully:
- If prompted for a language, enter 1 for English and press Enter.
- Fluxion will search for wireless adapters. It should find wlan0mon. Enter the number corresponding to wlan0mon (usually 1) and press Enter.
- Next, it will ask for a channel to scan. Choose 1 for "All channels" and press Enter. A new window will pop up, scanning for nearby Wi-Fi networks.
- Wait about 15-20 seconds for the scan to find some networks, then close the scanner window (the one titled "airodump-ng").
- You will see a list of target networks in your terminal. For this lab, let's assume you are targeting a network named "TestNet". Enter the number corresponding to "TestNet" and press Enter.
- You will be presented with a list of attack options. We want to perform a deauth attack. Select the FakeAP - Hostapd option.
- For the SSL certificate, you can skip it.
- Fluxion will then ask which deauthentication attack method to use. Choose the aircrack-ng deauth option. This will start flooding the target network with deauthentication frames.
Leave Fluxion running in this state. It is now actively attacking the target network. In the next step, we will switch back to Wireshark to see the effects.
Apply the Wireshark Filter 'wlan.fc.type_subtype == 0x0c'
In this step, you will apply a display filter in Wireshark to isolate the deauthentication frames from all the other network traffic. This is the most crucial step in detecting the attack.
Go back to your running Wireshark window. You will see a lot of different 802.11 packets, which can be overwhelming. To find the specific packets we're interested in, we use a display filter.
Deauthentication frames have a specific type and subtype value in the 802.11 frame control field. Wireshark allows us to filter based on this. The filter for deauthentication frames is wlan.fc.type_subtype == 0x0c.
- Locate the display filter bar at the top of the Wireshark window. It's a long text entry field, often with a green or red background.
- Type the following filter into the bar:
wlan.fc.type_subtype == 0x0c
- Press the Enter key or click the "Apply" button (usually an arrow) to the right of the filter bar.
Once the filter is applied, the packet list will update. Instead of seeing all traffic, you should now only see packets that are identified as "Deauthentication" frames. If the list is empty, wait a few moments for new packets to be captured and filtered.
Observe the Flood of Deauthentication Frames
In this step, you will observe the results of your filter. With the attack running and the filter applied, you should see a clear pattern of malicious activity.
Look at the main packet list pane in Wireshark. You should see a continuous stream of new packets appearing, all of which match your filter. This is what a deauthentication "flood" looks like. The attacker is sending these packets repeatedly to ensure clients are persistently disconnected.
Pay attention to the following columns in the packet list:
- No.: The packet number in the capture. You'll see this number increasing rapidly.
- Time: The timestamp when the packet was captured.
- Source: The source MAC address of the sender.
- Destination: The destination MAC address. This is often the broadcast address (ff:ff:ff:ff:ff:ff) to deauthenticate all clients, or a specific client's MAC address.
- Protocol: This should show 802.11.
- Info: This provides a summary, which should clearly state "Deauthentication".
The sheer volume of these frames is the first major indicator of an attack. A network under normal operation might see a few deauthentication frames when a device legitimately disconnects, but a constant flood is a definitive sign of an attack.
Analyze the Source MAC of the Deauth Frames
In this step, you will perform the final piece of analysis to confirm the attack. You will examine the source MAC address of the deauthentication frames.
In a deauthentication attack, the attacker doesn't use their own MAC address. Instead, they "spoof" the MAC address of the legitimate Access Point (AP). They pretend to be the AP telling the clients to disconnect. This makes the attack more effective because clients trust management frames that appear to come from the AP they are connected to.
Look at the Source column in your Wireshark capture. You will see that all the deauthentication frames are coming from the same MAC address. This MAC address is the BSSID (the AP's own MAC address) of the "TestNet" AP that you targeted with Fluxion in Step 2.
By spoofing the AP's MAC address, the attacker tricks the client devices into obeying the deauthentication command. For a network analyst, observing a flood of deauthentication frames that all originate from the AP's MAC address is conclusive evidence of a deauthentication attack.
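The two indicators from the last two steps (a flood of deauthentication frames, all with the AP's BSSID as their source) can be checked programmatically as well. The following Python script is an added example and not part of the original lab or of Fluxion or Wireshark: it builds a few constructed 802.11 management frames, decodes the frame-control type/subtype exactly as Wireshark's wlan.fc.type_subtype field presents it (0x0c for deauthentication), and flags any sender that emits more than a threshold of deauth frames inside a sliding time window. All MAC addresses, timestamps and reason codes below are constructed sample values.

```python
import struct

AP_BSSID, CLIENT, BROADCAST = "02:11:22:33:44:55", "02:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"  # constructed sample addresses

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw):
    return raw.hex(":")

def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Assemble a minimal 802.11 management frame: 24-byte MAC header + body."""
    fc0 = (subtype << 4) | (0 << 2) | 0  # subtype | type 0 (management) | protocol version 0
    header = (struct.pack("<BBH", fc0, 0, 0)  # frame control (2 bytes) + duration/ID
              + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + struct.pack("<H", 0))
    return header + body

def parse_frame(raw):
    """Decode type/subtype (Wireshark's wlan.fc.type_subtype encoding) and the addresses."""
    ftype, subtype = (raw[0] >> 2) & 0x3, (raw[0] >> 4) & 0xF
    frame = {"type_subtype": (ftype << 4) | subtype, "dst": mac_str(raw[4:10]),
             "src": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22])}
    if frame["type_subtype"] == 0x0C and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]  # deauth reason code
    return frame

def detect_deauth_flood(timed_frames, window=1.0, threshold=20):
    """Return {src: info} for senders with >= threshold deauth frames in any window-second span."""
    per_src = {}
    for ts, raw in timed_frames:  # timed_frames: iterable of (timestamp, raw 802.11 frame)
        f = parse_frame(raw)
        if f["type_subtype"] == 0x0C:
            per_src.setdefault((f["src"], f["bssid"]), []).append(ts)
    alerts = {}
    for (src, bssid), stamps in per_src.items():
        stamps.sort()
        peak = lo = 0
        for hi, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:  # src == bssid is the spoofed-AP signature seen in the lab
            alerts[src] = {"peak": peak, "bssid": bssid, "spoofed_ap": src == bssid}
    return alerts

def sample_capture():
    """Constructed capture: 10 beacons, 1 legitimate client deauth (reason 3, leaving), then 40 deauths 25 ms apart with the AP's BSSID as source, sent to broadcast."""
    beacons = [(t * 0.1, build_mgmt_frame(0x8, BROADCAST, AP_BSSID, AP_BSSID)) for t in range(10)]
    leaving = [(0.5, build_mgmt_frame(0xC, AP_BSSID, CLIENT, AP_BSSID, struct.pack("<H", 3)))]
    flood = [(1.0 + i * 0.025, build_mgmt_frame(0xC, BROADCAST, AP_BSSID, AP_BSSID, struct.pack("<H", 7))) for i in range(40)]
    return beacons + leaving + flood
```

The single client deauth stays below the threshold, which is how the script separates a normal disconnect from the flood described above. On networks with Protected Management Frames (802.11w) enabled, clients reject unauthenticated deauthentication frames, so rate-based detection like this matters most where that protection is not in use.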
You can now stop the Wireshark capture (red square button) and close the Fluxion terminal to end the attack.
Summary
Congratulations on completing this lab! You have successfully simulated and detected a Wi-Fi deauthentication attack.
You learned how to:
- Put a wireless interface into monitor mode using airmon-ng.
- Launch a deauthentication attack using the Fluxion tool for educational purposes.
- Capture live wireless traffic using Wireshark.
- Apply a specific display filter (wlan.fc.type_subtype == 0x0c) to isolate deauthentication frames.
- Identify the key indicators of a deauth attack: a flood of deauthentication packets and a spoofed source MAC address that matches the legitimate Access Point.
These skills are fundamental for wireless network monitoring and defense, forming a solid foundation for more advanced cybersecurity analysis.
