aireplay-ng(8)

NAME

   aireplay-ng  -  inject  packets  into  a  wireless  network to generate
   traffic

SYNOPSIS

   aireplay-ng [options] <replay interface>

DESCRIPTION

   aireplay-ng is used to inject/replay frames. The primary function is
   to generate traffic for later use in aircrack-ng for cracking the WEP
   and WPA-PSK keys. There are different attacks which can cause
   deauthentications for the purpose of capturing WPA handshake data, fake
   authentications, interactive packet replay, hand-crafted ARP request
   injection and ARP-request reinjection. With the packetforge-ng tool
   it's possible to create arbitrary frames.

   aireplay-ng supports single-NIC injection/monitor.
   This feature needs driver patching.

OPTIONS

   -H, --help
          Shows the help screen.

   Filter options:

   -b <bssid>
          MAC address of access point.

   -d <dmac>
          MAC address of destination.

   -s <smac>
          MAC address of source.

   -m <len>
          Minimum packet length.

   -n <len>
          Maximum packet length.

   -u <type>
          Frame control, type field.

   -v <subt>
          Frame control, subtype field.

   -t <tods>
          Frame control, "To" DS bit (0 or 1).

   -f <fromds>
          Frame control, "From" DS bit (0 or 1).

   -w <iswep>
          Frame control, WEP bit (0 or 1).

   -D     Disable AP Detection.

   Replay options:

   -x <nbpps>
          Number of packets per second.

   -p <fctrl>
          Set frame control word (hex).

   -a <bssid>
          Set Access Point MAC address.

   -c <dmac>
          Set destination MAC address.

   -h <smac>
          Set source MAC address.

   -g <nb_packets>
          Change ring buffer size (default: 8 packets). The minimum is 1.

   -F     Choose first matching packet.

   -e <essid>
          Fake Authentication attack: Set target SSID (see below). For
          SSIDs containing special characters, see
          http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

   -o <npackets>
          Fake Authentication attack: Set the number of packets for every
          authentication and association attempt (Default: 1). 0 means
          auto.

   -q <seconds>
          Fake  Authentication  attack:  Set  the  time between keep-alive
          packets in fake authentication mode.

   -Q     Fake Authentication attack: Sends reassociation requests instead
          of  performing  a  complete authentication and association after
          each delay period.

   -y <prga>
          Fake Authentication attack: Specifies  the  keystream  file  for
          fake shared key authentication.

   -T n   Fake  Authentication  attack:  Exit if fake authentication fails
          'n' time(s).

   -j     ARP Replay attack: inject FromDS packets (see below).

   -k <IP>
          Fragmentation attack: Set destination IP in fragments.

   -l <IP>
          Fragmentation attack: Set source IP in fragments.

   -B     Test option: bitrate test.

   Source options:

   -i <iface>
          Capture packets from this interface.

   -r <file>
          Extract packets from this pcap file.

   Miscellaneous options:

   -R     disable /dev/rtc usage.

   --ignore-negative-one
          If the interface's channel can't be determined, ignore the
          mismatch. Needed for unpatched cfg80211.

   Attack modes:

   -0 <count>, --deauth=<count>
          This attack sends deauthentication packets to one or more
          clients which are currently associated with a particular access
          point. Deauthenticating clients can be done for a number of
          reasons: recovering a hidden ESSID (an ESSID which is not being
          broadcast; another term for this is "cloaked"), capturing
          WPA/WPA2 handshakes by forcing clients to reauthenticate, or
          generating ARP requests (Windows clients sometimes flush their
          ARP cache when disconnected). Of course, this attack is totally
          useless if there are no associated wireless clients or on fake
          authentications.

   -1 <delay>, --fakeauth=<delay>
          The fake authentication attack allows you  to  perform  the  two
          types  of  WEP  authentication (Open System and Shared Key) plus
          associate with the access point (AP). This is only  useful  when
          you  need  an  associated  MAC  address  in  various aireplay-ng
          attacks and there is currently no associated client.  It  should
          be  noted  that the fake authentication attack does NOT generate
          any  ARP  packets.  Fake  authentication  cannot  be   used   to
          authenticate/associate with WPA/WPA2 Access Points.

   -2, --interactive
          This attack allows you to choose a specific packet for replaying
          (injecting). The attack can obtain packets to replay from two
          sources: a live flow of packets from your wireless card, or a
          pcap file. Reading from a file is an often overlooked feature of
          aireplay-ng. It allows you to read packets from other capture
          sessions, and quite often various attacks generate pcap files
          for easy reuse. A common use is reading a file containing a
          packet you created with packetforge-ng.

   -3, --arpreplay
          The  classic ARP request replay attack is the most effective way
          to generate new initialization vectors  (IVs),  and  works  very
          reliably. The program listens for an ARP packet then retransmits
          it back to the access point. This, in turn,  causes  the  access
          point  to  repeat  the  ARP  packet  with  a new IV. The program
          retransmits the same ARP packet over and over. However, each ARP
          packet repeated by the access point has a new IV. It is all
          these new IVs which allow you to determine the WEP key.

   -4, --chopchop
          This attack, when successful, can  decrypt  a  WEP  data  packet
          without  knowing  the key. It can even work against dynamic WEP.
          This attack does not recover the  WEP  key  itself,  but  merely
          reveals  the  plaintext.  However,  some  access  points are not
          vulnerable to this attack. Some may seem vulnerable at first but
          actually drop data packets shorter than 60 bytes. If the access
          point drops packets shorter than 42 bytes, aireplay tries to
          guess  the  rest  of the missing data, as far as the headers are
          predictable. If an IP packet is captured, it additionally checks
          if  the  checksum  of  the  header is correct after guessing the
          missing parts of it. This attack requires at least one WEP  data
          packet.

   -5, --fragment
          This  attack,  when  successful,  can  obtain 1500 bytes of PRGA
          (pseudo random  generation  algorithm).  This  attack  does  not
          recover  the  WEP  key  itself, but merely obtains the PRGA. The
          PRGA can then be used to generate  packets  with  packetforge-ng
          which  are  in  turn  used  for  various  injection  attacks. It
          requires at least one data packet to be received from the access
          point in order to initiate the attack.

   -6, --caffe-latte
          In general, for an attack to work, the attacker has to be in the
          range of an AP and a connected client (fake or real). The Caffe
          Latte attack allows one to gather enough packets to crack a WEP
          key without the need of an AP; it just needs a client to be in
          range.

   -7, --cfrag
          This attack turns IP or ARP packets from a client into ARP
          requests against the client. This attack works especially well
          against ad-hoc networks. It can also be used against softAP
          clients and normal AP clients.

   -8, --migmode
          This attack works against Cisco Aironet access points configured
          in WPA Migration Mode, which enables both WPA and WEP clients to
          associate  to  an  access  point  using  the  same  Service  Set
          Identifier  (SSID).   The program listens for a WEP-encapsulated
          broadcast ARP packet, bitflips it to make it into an ARP  coming
          from the attacker's MAC address and retransmits it to the access
          point. This, in turn, causes the access point to repeat the  ARP
          packet  with  a  new IV and also to forward the ARP reply to the
          attacker with a new IV. The program  retransmits  the  same  ARP
          packet  over  and over. However, each ARP packet repeated by the
          access point has a new IV as does the ARP reply forwarded to the
          attacker  by  the  access  point.  It is all these new IVs which
          allow you to determine the WEP key.

   -9, --test
          Tests injection and quality.
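
As an added defender-side example (not part of this man page or of aircrack-ng itself): a Python decoder for the frame control fields that the filter options above select on (-u type, -v subtype, -t ToDS, -f FromDS, -w WEP bit), run over constructed frames to flag the deauthentication burst that the -0 attack mode produces against an access point. The MAC addresses, the threshold and the sample frames are constructed for the example.

```python
import struct
from collections import Counter
from typing import NamedTuple
# Constructed sample values (not from the man page): two BSSIDs and one client.
AP_FLOODED = bytes.fromhex("001122334455")
AP_QUIET = bytes.fromhex("66778899aabb")
CLIENT = bytes.fromhex("ccddeeff0011")
BROADCAST = b"\xff" * 6
DEAUTH_THRESHOLD = 5  # hypothetical: deauths from one BSSID within the sample window

class FrameControl(NamedTuple):
    ftype: int      # -u: 0 management, 1 control, 2 data
    subtype: int    # -v: for management frames 12 = deauthentication, 8 = beacon
    to_ds: int      # -t: "To" DS bit
    from_ds: int    # -f: "From" DS bit
    protected: int  # -w: the WEP bit

def parse_frame_control(raw: bytes) -> FrameControl:
    """Decode the 2-byte frame control field that starts every 802.11 frame."""
    b0, b1 = raw[0], raw[1]
    return FrameControl((b0 >> 2) & 3, (b0 >> 4) & 0xF, b1 & 1, (b1 >> 1) & 1, (b1 >> 6) & 1)

def is_deauth(fc: FrameControl) -> bool:
    return fc.ftype == 0 and fc.subtype == 12

def make_frame(fc: bytes, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes = b"") -> bytes:
    """Build a minimal 24-byte MAC header (duration and sequence zeroed) plus body."""
    return fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body

def count_deauths_by_bssid(frames) -> Counter:
    """Count deauth frames per BSSID; in a management frame addr3 (bytes 16-21) is the BSSID."""
    counts = Counter()
    for frame in frames:
        if len(frame) >= 24 and is_deauth(parse_frame_control(frame[:2])):
            counts[frame[16:22].hex(":")] += 1
    return counts

def flag_deauth_bursts(frames, threshold: int = DEAUTH_THRESHOLD) -> list:
    """Return BSSIDs whose deauth count reaches the threshold: the signature of a -0 flood."""
    return sorted(b for b, n in count_deauths_by_bssid(frames).items() if n >= threshold)

# Constructed capture: eight broadcast deauths (reason 7) from AP_FLOODED, one ordinary deauth
# from AP_QUIET, a beacon, and a protected ToDS data frame (frame control bytes 08 41).
SAMPLE_FRAMES = (
    [make_frame(b"\xc0\x00", BROADCAST, AP_FLOODED, AP_FLOODED, struct.pack("<H", 7))] * 8
    + [make_frame(b"\xc0\x00", CLIENT, AP_QUIET, AP_QUIET, struct.pack("<H", 3))]
    + [make_frame(b"\x80\x00", BROADCAST, AP_QUIET, AP_QUIET)]
    + [make_frame(b"\x08\x41", AP_QUIET, CLIENT, AP_QUIET, b"\x00" * 8)]
)
```

On a real monitor-mode capture the same functions apply to each frame's first 24 bytes once the radiotap header has been stripped; a single deauth per client is normal, a burst from one BSSID is not.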

FRAGMENTATION VERSUS CHOPCHOP

   Fragmentation:

          Pros
          - Can obtain the full packet length of 1500 bytes XOR. This
            means you can subsequently pretty well create any size of
            packet.
          - May work where chopchop does not.
          - Is extremely fast. It yields the XOR stream extremely quickly
            when successful.

          Cons
          - Setup to execute the attack is more subject to the device
            drivers. For example, Atheros does not generate the correct
            packets unless the wireless card is set to the MAC address you
            are spoofing.
          - You need to be physically closer to the access point, since if
            any packets are lost then the attack fails.

   Chopchop:

          Pros
          - May work where fragmentation does not work.

          Cons
          - Cannot be used against every access point.
          - The maximum XOR bits is limited to the length of the packet
            you chopchop against.
          - Much slower than the fragmentation attack.

AUTHOR

   This manual page was written by Adam Cecile  <[email protected]>  for
   the  Debian  system (but may be used by others).  Permission is granted
   to copy, distribute and/or modify this document under the terms of  the
   GNU General Public License, Version 2 or any later version published by
   the Free Software Foundation. On Debian systems, the complete text of
   the GNU General Public License can be found in
   /usr/share/common-licenses/GPL.

SEE ALSO

   airbase-ng(8)
   airmon-ng(8)
   airodump-ng(8)
   airodump-ng-oui-update(8)
   airserv-ng(8)
   airtun-ng(8)
   besside-ng(8)
   easside-ng(8)
   tkiptun-ng(8)
   wesside-ng(8)
   aircrack-ng(1)
   airdecap-ng(1)
   airdecloak-ng(1)
   airolib-ng(1)
   besside-ng-crawler(1)
   buddy-ng(1)
   ivstools(1)
   kstats(1)
   makeivs-ng(1)
   packetforge-ng(1)
   wpaclean(1)
