Detecting WiFi deauth attacks

WiFi networks have been the norm for more than 10 years in our homes, businesses and offices. They are simple and quick to setup: no wiring, no cables running around the house, just a power plug, a few antennas and no more than 3 clicks are all you need to gain access to Internet.

As convenient as they are, wireless networks have a weakness: they broadcast your data all around you, often even outside the building they are covering, making it easy for, let’s say, someone in a car parked nearby to capture it.

The good news is your traffic is encrypted, making it cumbersome to extract anything useful from it. The bad news, however, is that you don’t need to run any decryption trick in order to cause trouble for WiFi users.

In this article, I will show you how anyone with a little bit of knowledge can get all users kicked out from almost any wireless network. You will get to see the hardware required, the software used and the entirety of the process.

Hardware & software

What is needed to carry the attack

ESP8266 WiFi Deauther Watch V2 by DSTIKE

You can get this one from Amazon or Ali Baba, it’s fairly priced and sturdy enough to be carried around…on your wrist !

MakerFocus ESP8266 WiFi Module

Or you can go for something less socially stigmatizing than the Frankenwatch above and pick that innocent-looking USB sticky thingy. It’s also way cheaper (about one third of the price).

Both the watch and the stick are running the same software: the infamous ESP8266 WiFi Deauther by SpacehuhnTech

What is needed to detect it

You need a computer (preferably running Linux), a wireless card that can go into monitor mode and Wireshark. The wireless adapter I’m using is a Alfa Network Atheros AR9271 model AWUS036NHA, a classic among wardriving enthusiasts.

Getting ready to attack


This article is for learning purposes only. In no way do I encourage anyone to do anything illegal or to misbehave using the techniques and tools presented here. Try these on your own WiFi network exclusively, do not for any reason cause trouble to neighbors, businesses or anyone else. I want to clearly state here that I 100% dissociate myself from anyone doing anything illegal during or after reading this blog post.

If you need to setup a test WiFi network, simply activate the connection sharing feature on your smartphone and connect your computer to it. Simple. Again, don’t do anything nasty to someone else.

Step one: Scan & Select

If you are using the watch, scan for locally available WiFi networks first. Then, select the network you want to target with the deauth attack.

If you’re using the stick, plug it in a USB port somewhere, wait for the LED to turn green, connect your phone to the WiFi network named « pwned » (password: deauther) and open

Getting ready to detect the attack

Get the name of your wireless adapter using iwconfig

Set your adapter to monitor mode using airmon-ng

Activate your monitoring interface using airodump-ng

Start Wireshark and get it ready to capture deauth management frames. My monitoring interface is named wlan0mon, a name automatically defined by airmon-ng when I switched wlx00c0ca98b191 (my Alfa Network adapter) to monitor mode.

Double-click on your monitoring interface to get to the capture window.

Add the following filter: wlan.fc.type_subtype==0x00c

Wireshark will now only capture deauthentication frames.

You can have a specific color setting for WiFi deauth frames:


On your phone, activate the Internet connection sharing feature

Connect your computer to the WiFi access point offered by your phone

Set the ESP8266 to attack mode

Follow the attack as it happens

If we look at the details of a deauth frame, we can see no reason is provided:

Here is what a legit WiFi deauthentication looks like:

Two differences: first, a proper reason code is provided, second, the deauth instruction is not targeted to a broadcast address (ff:ff:ff:ff:ff:ff), but to a specific host:

Protecting yourself

Switch to a 5GHz WiFi network

The ESP8266 WiFi SoC (System On A Chip) does only support 2.4GHz. This means that anyone using 5GHz WiFi can’t be affected by this specific line of tools. Most WiFi routers sold nowadays are capable of 5GHz, so I suggest you just use that feature.


The WiFi protocol has had Protected Management Frames for a while now, but vendors took quite a long time to implement it. If you want to learn more about this feature, have a look here:

One last word

I will simply quote Spacehuhn himself:

The main feature, the deauthentication attack, is used to disconnect devices from their WiFi network.

No one seems to care about this huge vulnerability in the official 802.11 WiFi standard, so I took action and enabled everyone who has less than 10 USD to spare to recreate this project.

I hope it raises more attention on the issue. In 2009 the WiFi Alliance actually fixed the problem (see 802.11w), but only a few companies implemented it into their devices and software.

To effectively prevent a deauthentication attack, both client and access point must support the 802.11w standard with protected management frames (PMF).

While most client devices seem to support it when the access point forces it, basically no WiFi access point has it enabled.