AIREPLAY-NG(1)              General Commands Manual             AIREPLAY-NG(1)

NAME

       aireplay-ng - inject ARP-request packets into a wireless network to
       generate traffic

SYNOPSIS

       aireplay-ng [options] <replay interface>

DESCRIPTION

       aireplay-ng injects specially generated ARP-request packets into an
       existing wireless network in order to generate traffic. By sending
       these ARP-request packets again and again, the target host will respond
       with encrypted replies, thus providing new and possibly weak IVs.

       aireplay-ng supports single-NIC injection/monitor.
       This feature needs driver patching.
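
       On the monitoring side, the replay described above appears as a burst
       of identically sized protected broadcast frames from one source. The
       Python below is an added example, not part of aireplay-ng or of the
       original manual page; the frame records, MAC addresses, frame lengths
       and the 50-frames-per-second threshold are constructed assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "02:00:00:00:00:01"    # constructed BSSID
STA = "02:00:00:00:00:02"   # constructed station MAC


def find_replay_suspects(frames, window_ms=1000, min_repeats=50):
    """Flag (bssid, src, length) groups whose protected broadcast frames
    repeat at least min_repeats times inside any window_ms span.
    Returns {group: peak frame count seen in one window}."""
    groups = defaultdict(list)
    for f in frames:
        if f["protected"] and f["dst"] == BROADCAST:
            groups[(f["bssid"], f["src"], f["length"])].append(f["ts_ms"])
    suspects = {}
    for key, stamps in groups.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= window_ms.
            while ts - stamps[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_repeats:  # threshold is an assumption; tune per site
            suspects[key] = peak
    return suspects


def sample_frames():
    """Constructed capture metadata: normal traffic plus a replay burst."""
    frames = []
    for i in range(20):  # ordinary broadcasts, one every 3 s, mixed sizes
        frames.append({"ts_ms": i * 3000, "bssid": AP, "src": STA,
                       "dst": BROADCAST, "protected": True,
                       "length": 120 if i % 2 else 342})
    for i in range(1000):  # same-size frame repeated 500 times/s for 2 s
        frames.append({"ts_ms": 10000 + i * 2, "bssid": AP, "src": STA,
                       "dst": BROADCAST, "protected": True, "length": 68})
    return frames


if __name__ == "__main__":
    for group, peak in find_replay_suspects(sample_frames()).items():
        print("possible ARP replay:", group, "peak frames/window:", peak)
```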

OPTIONS

       -H, --help
              Shows the help screen.

       Filter options:

       -b <bssid>
              MAC address of access point.

       -d <dmac>
              MAC address of destination.

       -s <smac>
              MAC address of source.

       -m <len>
              Minimum packet length.

       -n <len>
              Maximum packet length.

       -u <type>
              Frame control, type field.

       -v <subt>
              Frame control, subtype field.

       -t <tods>
              Frame control, "To" DS bit.

       -f <fromds>
              Frame control, "From" DS bit.

       -w <iswep>
              Frame control, WEP bit.

       Replay options:

       -x <nbpps>
              Number of packets per second.

       -p <fctrl>
              Set frame control word (hex).

       -a <bssid>
              Set Access Point MAC address.

       -c <dmac>
              Set destination MAC address.

       -h <smac>
              Set source MAC address.

       -e <essid>
              Set target SSID for Fake Authentication attack (see below).

       -j     ARP Replay attack: inject FromDS packets (see below).

       -g <rbsize>
              Set ring buffer size (rbsize must be greater than or equal to 1).

       -k <IP>
              Set destination IP in fragments.

       -l <IP>
              Set source IP in fragments.

       -o <npackets>
              Set the number of packets for every authentication and
              association attempt.

       -q <seconds>
              Set the time between keep-alive packets in fake authentication
              mode.

       -y <prga>
              Specifies the keystream file for fake shared key authentication.

       Source options:

       -i <iface>
              Capture packets from this interface.

       -r <file>
              Extract packets from this pcap file.

       Attack modes:

       -0 <count>, --deauth=<count>
              Deauthenticate stations.

       -1 <delay>, --fakeauth=<delay>
              Fake authentication with AP.

       -2, --interactive
              Interactive frame selection.

       -3, --arpreplay
              Standard ARP-request replay.

       -4, --chopchop
              Decrypt/chopchop WEP packet.

       -5, --fragment
              Generates a valid keystream.

       -9, --test
              Tests injection and quality.

FRAGMENTATION VERSUS CHOPCHOP

       Fragmentation:

              Pros
              - Can obtain the full packet length of 1500 bytes XOR. This
                means you can subsequently pretty well create any size of
                packet.
              - May work where chopchop does not.
              - Is extremely fast. It yields the XOR stream extremely quickly
                when successful.

              Cons
              - Setup to execute the attack is more subject to the device
                drivers. For example, Atheros does not generate the correct
                packets unless the wireless card is set to the MAC address you
                are spoofing.
              - You need to be physically closer to the access point since if
                any packets are lost then the attack fails.

       Chopchop:

              Pro
              - May work where frag does not work.

              Cons
              - Cannot be used against every access point.
              - The maximum number of XOR bits is limited to the length of the
                packet you chopchop against.
              - Much slower than the fragmentation attack.

AUTHOR

       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO

       airmon-ng(1)
       airdecap-ng(1)
       aircrack-ng(1)
       airodump-ng(1)
       airtun-ng(1)
       packetforge-ng(1)
       ivstools(1)
       kstats(1)
       makeivs(1)

Version 0.9.3                    February 2008                  AIREPLAY-NG(1)