aireplay-ng
inject packets into a wireless network to generate traffic
Synopsis
    aireplay-ng [options] <replay interface>
Examples
    # Shell helper functions contributed on this page. They expect BSSID and
    # CLIENT to be set in the environment and the monitor interface to be mon0.
    replay () {
        # ARP request replay against the AP, using the client's MAC as source
        aireplay-ng -3 -b "$BSSID" -h "$CLIENT" mon0
    }
    deauth () {
        # two rounds of 5 deauthentication frames, as in the original snippet
        aireplay-ng -0 5 -a "$BSSID" -c "$CLIENT" mon0
        aireplay-ng -0 5 -a "$BSSID" -c "$CLIENT" mon0
    }
    fakeauth () {
        aireplay-ng -1 0 -a "$BSSID" -h "$CLIENT" mon0
    }
    inject () {
        # interactive replay of the first matching data frame (frame control 0841)
        aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b "$BSSID" -h "$CLIENT" mon0
    }
    # Injection test (-9). The opening "if" line of this snippet is missing from
    # the page; the guard on WLAN2 below is an assumption: with a second
    # interface set, test card-to-card injection, otherwise test against the AP.
    if [ -n "$WLAN2" ]; then
        echo "Testing injection using wlan to wlan..."
        echo "Injecting from $WLAN..."
        aireplay-ng -9 -i "$WLAN2" "$WLAN"
        echo ""
        echo "Injecting from $WLAN2..."
        aireplay-ng -9 -i "$WLAN" "$WLAN2"
    else
        echo "Testing injection using wlan to arp..."
        aireplay-ng -9 "$WLAN"
    fi
Description
aireplay-ng is used to inject/replay frames. Its primary function is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it is possible to create arbitrary frames.

aireplay-ng supports single-NIC injection/monitor. This feature needs driver patching.
Options
-H, --help
    Shows the help screen.

Filter options:
-b <bssid>
    MAC address of access point.
-d <dmac>
    MAC address of destination.
-s <smac>
    MAC address of source.
-m <len>
    Minimum packet length.
-n <len>
    Maximum packet length.
-u <type>
    Frame control, type field.
-v <subt>
    Frame control, subtype field.
-t <tods>
    Frame control, "To" DS bit (0 or 1).
-f <fromds>
    Frame control, "From" DS bit (0 or 1).
-w <iswep>
    Frame control, WEP bit (0 or 1).

Replay options:
-x <nbpps>
    Number of packets per second.
-p <fctrl>
    Set frame control word (hex).
-a <bssid>
    Set Access Point MAC address.
-c <dmac>
    Set destination MAC address.
-h <smac>
    Set source MAC address.
-g <nb_packets>
    Change ring buffer size (default: 8 packets). The minimum is 1.
-F
    Choose first matching packet.
-e <essid>
    Fake Authentication attack: Set target SSID (see below). For an SSID containing special characters, see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names
-o <npackets>
    Fake Authentication attack: Set the number of packets for every authentication and association attempt (Default: 1). 0 means auto.
-q <seconds>
    Fake Authentication attack: Set the time between keep-alive packets in fake authentication mode.
-y <prga>
    Fake Authentication attack: Specifies the keystream file for fake shared key authentication.
-T n
    Fake Authentication attack: Exit if fake authentication fails 'n' time(s).
-j
    ARP Replay attack: inject FromDS packets (see below).
-k <IP>
    Fragmentation attack: Set destination IP in fragments.
-l <IP>
    Fragmentation attack: Set source IP in fragments.
-B
    Test option: bitrate test.

Source options:
-i <iface>
    Capture packets from this interface.
-r <file>
    Extract packets from this pcap file.

Miscellaneous options:
-R
    Disable /dev/rtc usage.
Attack modes:
-0 <count>, --deauth=<count>
    This attack sends deauthentication packets to one or more clients which are currently associated with a particular access point. Deauthenticating clients can be done for a number of reasons:
    - Recovering a hidden ESSID. This is an ESSID which is not being broadcast; another term for this is "cloaked".
    - Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate.
    - Generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected).
    Of course, this attack is totally useless if there are no associated wireless clients, or against fake authentications.
-1 <delay>, --fakeauth=<delay>
    The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Points.
-2, --interactive
    This attack allows you to choose a specific packet for replaying (injecting). The attack can obtain packets to replay from two sources: a live flow of packets from your wireless card, or a pcap file. Reading from a file is an often overlooked feature of aireplay-ng. It allows you to read packets from other capture sessions, and quite often the various attacks generate pcap files for easy reuse. A common use is reading a file containing a packet you created with packetforge-ng.
-3, --arpreplay
    The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet, then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over; however, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.
-4, --chopchop
    This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, some access points are not vulnerable to this attack. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay tries to guess the rest of the missing data, as far as the headers are predictable. If an IP packet is captured, it additionally checks whether the checksum of the header is correct after guessing the missing parts of it. This attack requires at least one WEP data packet.
-5, --fragment
    This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm output). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.
-6, --caffe-latte
    In general, for an attack to work, the attacker has to be in range of an AP and a connected client (fake or real). The Caffe Latte attack allows gathering enough packets to crack a WEP key without the need for an AP; it just needs a client to be in range.
-7, --cfrag
    This attack turns IP or ARP packets from a client into ARP requests against the client. This attack works especially well against ad-hoc networks. It can also be used against softAP clients and normal AP clients.
-9, --test
    Tests injection and quality.
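The filter options above (-u/-v/-t/-f/-w) select frames by the 802.11 frame control fields, and the -0 mode sends bursts of deauthentication frames. The following Python, added here and not part of aireplay-ng or this manual page, decodes those frame control fields from raw frames and flags a deauthentication burst per BSSID, the monitoring-side counterpart of that mode; the MAC addresses, timestamps and reason code in the sample capture are constructed.

```python
from collections import defaultdict
TYPE_MGMT, SUBTYPE_DEAUTH = 0, 0x0C   # frame control type/subtype of a deauthentication frame

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_header(raw):
    """Decode a bare 802.11 MAC header (no radiotap): type/subtype from the first frame
    control byte, the ToDS/FromDS/Protected (WEP) flags that -t/-f/-w filter on from the second."""
    if len(raw) < 24:
        raise ValueError("frame shorter than a full 24-byte MAC header")
    fc0, fc1 = raw[0], raw[1]
    return {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "to_ds": bool(fc1 & 0x01), "from_ds": bool(fc1 & 0x02), "wep": bool(fc1 & 0x40),
            "addr1": mac_str(raw[4:10]), "addr2": mac_str(raw[10:16]), "addr3": mac_str(raw[16:22])}

def build_frame(fctrl_hex, addr1, addr2, addr3, body=b""):
    """Constructed test frame; fctrl_hex is wire-order hex exactly as -p takes it ('0841')."""
    hdr = bytes.fromhex(fctrl_hex) + b"\x00\x00"    # frame control + duration
    for a in (addr1, addr2, addr3):
        hdr += bytes.fromhex(a.replace(":", ""))
    return hdr + b"\x00\x00" + body                  # sequence control + body

def deauth_bursts(frames, threshold=5, window=2.0):
    """(timestamp, raw) pairs -> {bssid: peak deauths in any `window` s} where peak >= threshold."""
    times = defaultdict(list)
    for ts, raw in frames:
        h = parse_header(raw)
        if h["type"] == TYPE_MGMT and h["subtype"] == SUBTYPE_DEAUTH:
            times[h["addr3"]].append(ts)        # addr3 is the BSSID in management frames
    alerts = {}
    for bssid, ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

# Constructed sample: a protected data frame (frame control 0841, as in the example above),
# then a deauth burst in both directions, as the -0 mode sends them.
AP, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses
REASON = b"\x07\x00"                                       # constructed reason code (little-endian 7)
SAMPLE = [(0.5, build_frame("0841", AP, CLIENT, AP))]
for i in range(5):
    SAMPLE.append((1.0 + i * 0.1, build_frame("c000", CLIENT, AP, AP, REASON)))   # AP -> client
    SAMPLE.append((1.05 + i * 0.1, build_frame("c000", AP, CLIENT, AP, REASON)))  # client -> AP
```

Feeding real captures requires stripping the radiotap header first; the detection threshold and window are tuning knobs, not fixed values.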
Fragmentation versus chopchop
Fragmentation:
Pros
- Can obtain the full 1500-byte XOR (keystream) of a packet. This means you can subsequently create pretty well any size of packet.
- May work where chopchop does not.
- Is extremely fast. It yields the XOR stream extremely quickly when successful.
Cons
- Setup for the attack depends more on the device drivers. For example, Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.
- You need to be physically closer to the access point, since if any packets are lost then the attack fails.
Chopchop:
Pros
- May work where frag does not work.
Cons
- Cannot be used against every access point.
- The maximum XOR length is limited to the length of the packet you chopchop against.
- Much slower than the fragmentation attack.
See also
airbase-ng
aircrack-ng
airdecap-ng
airdecloak-ng
airdriver-ng
airmon-ng
airodump-ng
airolib-ng
airserv-ng
airtun-ng
buddy-ng
easside-ng
ivstools
kstats
makeivs-ng
packetforge-ng
tkiptun-ng
wesside-ng
Author
This manual page was written by Adam Cecile <gandalf@le-vert.net> for the Debian system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.