AIREPLAY-NG(8) System Manager's Manual AIREPLAY-NG(8)

NAME
aireplay-ng - inject packets into a wireless network to generate traffic

SYNOPSIS
aireplay-ng [options] <replay interface>

DESCRIPTION
aireplay-ng is used to inject/replay frames. The primary function is
to generate traffic for later use in aircrack-ng for cracking the
WEP and WPA-PSK keys. There are different attacks which can cause
deauthentications for the purpose of capturing WPA handshake data, fake
authentications, interactive packet replay, hand-crafted ARP request
injection and ARP-request reinjection. With the packetforge-ng tool
it's possible to create arbitrary frames.

aireplay-ng supports single-NIC injection/monitor.
This feature needs driver patching.

OPTIONS
-H, --help
Shows the help screen.

Filter options:

-b <bssid>
MAC address of access point.

-d <dmac>
MAC address of destination.

-s <smac>
MAC address of source.

-m <len>
Minimum packet length.

-n <len>
Maximum packet length.

-u <type>
Frame control, type field.

-v <subt>
Frame control, subtype field.

-t <tods>
Frame control, "To" DS bit (0 or 1).

-f <fromds>
Frame control, "From" DS bit (0 or 1).

-w <iswep>
Frame control, WEP bit (0 or 1).

-D Disable AP Detection.

Replay options:

-x <nbpps>
Number of packets per second.

-p <fctrl>
Set frame control word (hex).

-a <bssid>
Set Access Point MAC address.

-c <dmac>
Set destination MAC address.

-h <smac>
Set source MAC address.

-g <nb_packets>
Change ring buffer size (default: 8 packets). The minimum is 1.

-F Choose first matching packet.

-e <essid>
Fake Authentication attack: Set target SSID (see below). For an
SSID containing special characters, see
http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

-o <npackets>
Fake Authentication attack: Set the number of packets for every
authentication and association attempt (Default: 1). 0 means
auto.

-q <seconds>
Fake Authentication attack: Set the time between keep-alive
packets in fake authentication mode.

-Q Fake Authentication attack: Sends reassociation requests instead
of performing a complete authentication and association after
each delay period.

-y <prga>
Fake Authentication attack: Specifies the keystream file for
fake shared key authentication.

-T n Fake Authentication attack: Exit if fake authentication fails
'n' time(s).

-j ARP Replay attack: inject FromDS packets (see below).

-k <IP>
Fragmentation attack: Set destination IP in fragments.

-l <IP>
Fragmentation attack: Set source IP in fragments.

-B Test option: bitrate test.

Source options:

-i <iface>
Capture packets from this interface.

-r <file>
Extract packets from this pcap file.

Miscellaneous options:

-R Disable /dev/rtc usage.

--ignore-negative-one If the interface's channel can't be determined,
ignore the mismatch; needed for unpatched cfg80211.

Attack modes:

-0 <count>, --deauth=<count>
This attack sends deauthentication packets to one or more
clients which are currently associated with a particular access
point. Deauthenticating clients can be done for a number of
reasons: recovering a hidden ESSID (one which is not being
broadcast; another term for this is "cloaked"); capturing
WPA/WPA2 handshakes by forcing clients to reauthenticate; or
generating ARP requests (Windows clients sometimes flush their
ARP cache when disconnected). Of course, this attack is totally
useless if there are no associated wireless clients or on fake
authentications.

-1 <delay>, --fakeauth=<delay>
The fake authentication attack allows you to perform the two
types of WEP authentication (Open System and Shared Key) plus
associate with the access point (AP). This is only useful when
you need an associated MAC address in various aireplay-ng
attacks and there is currently no associated client. It should
be noted that the fake authentication attack does NOT generate
any ARP packets. Fake authentication cannot be used to
authenticate/associate with WPA/WPA2 Access Points.

-2, --interactive
This attack allows you to choose a specific packet for replaying
(injecting). The attack can obtain packets to replay from two
sources: a live flow of packets from your wireless card, or a
pcap file. Reading from a file is an often overlooked feature of
aireplay-ng. It allows you to read packets from other capture
sessions, and quite often various attacks generate pcap files
for easy reuse. A common use is reading a file containing a
packet you created with packetforge-ng.

-3, --arpreplay
The classic ARP request replay attack is the most effective way
to generate new initialization vectors (IVs), and works very
reliably. The program listens for an ARP packet then retransmits
it back to the access point. This, in turn, causes the access
point to repeat the ARP packet with a new IV. The program
retransmits the same ARP packet over and over. However, each ARP
packet repeated by the access point has a new IV. It is all
these new IVs which allow you to determine the WEP key.

-4, --chopchop
This attack, when successful, can decrypt a WEP data packet
without knowing the key. It can even work against dynamic WEP.
This attack does not recover the WEP key itself, but merely
reveals the plaintext. However, some access points are not
vulnerable to this attack. Some may seem vulnerable at first but
actually drop data packets shorter than 60 bytes. If the access
point drops packets shorter than 42 bytes, aireplay tries to
guess the rest of the missing data, as far as the headers are
predictable. If an IP packet is captured, it additionally checks
whether the checksum of the header is correct after guessing the
missing parts of it. This attack requires at least one WEP data
packet.

-5, --fragment
This attack, when successful, can obtain 1500 bytes of PRGA
(pseudo random generation algorithm). This attack does not
recover the WEP key itself, but merely obtains the PRGA. The
PRGA can then be used to generate packets with packetforge-ng
which are in turn used for various injection attacks. It
requires at least one data packet to be received from the access
point in order to initiate the attack.

-6, --caffe-latte
In general, for an attack to work, the attacker has to be in
range of an AP and a connected client (fake or real). The Caffe
Latte attack allows one to gather enough packets to crack a WEP
key without the need of an AP; it just needs a client to be in
range.

-7, --cfrag
This attack turns IP or ARP packets from a client into ARP
requests against the client. This attack works especially well
against ad-hoc networks. It can also be used against softAP
clients and normal AP clients.

-8, --migmode
This attack works against Cisco Aironet access points configured
in WPA Migration Mode, which enables both WPA and WEP clients to
associate to an access point using the same Service Set
Identifier (SSID). The program listens for a WEP-encapsulated
broadcast ARP packet, bitflips it to make it into an ARP coming
from the attacker's MAC address and retransmits it to the access
point. This, in turn, causes the access point to repeat the ARP
packet with a new IV and also to forward the ARP reply to the
attacker with a new IV. The program retransmits the same ARP
packet over and over. However, each ARP packet repeated by the
access point has a new IV, as does the ARP reply forwarded to the
attacker by the access point. It is all these new IVs which
allow you to determine the WEP key.

-9, --test
Tests injection and quality.

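The frame-control filter options (-u, -v, -t, -f, -w and the -p hex word) and the -0 deauthentication attack, seen from the monitoring side: this added Python example, which is not part of aireplay-ng or this manual, decodes the 802.11 Frame Control word into those fields and counts deauthentication/disassociation frames per BSSID to flag a flood. It assumes bare 802.11 headers without radiotap; the frames, MAC addresses and reason codes in it are constructed sample values.

```python
import struct
from collections import Counter

def parse_frame_control(fc):
    """Decode the 2-byte 802.11 Frame Control word into the fields that the
    -u/-v/-t/-f/-w filters select on (the -p <fctrl> word is these two bytes in hex)."""
    b0, b1 = fc[0], fc[1]
    return {"type": (b0 >> 2) & 0x3,      # -u: 0 management, 1 control, 2 data
            "subtype": b0 >> 4,           # -v
            "tods": b1 & 0x1,             # -t
            "fromds": (b1 >> 1) & 0x1,    # -f
            "wep": (b1 >> 6) & 0x1}       # -w: the Protected (WEP) bit

def fctrl_hex(frame):
    """Frame Control as the 4-digit hex word used with -p (e.g. 0841 = data, ToDS, WEP)."""
    return frame[:2].hex()

DEAUTH, DISASSOC = (0, 12), (0, 10)       # management subtypes 0xC and 0xA

def detect_deauth_flood(frames, threshold=10):
    """Count deauth/disassoc frames per BSSID (Addr3 of a management frame) and
    return {bssid: (count, {reason_code: n})} for BSSIDs at or above threshold."""
    counts, reasons = Counter(), {}
    for raw in frames:
        fc = parse_frame_control(raw[0:2])
        if (fc["type"], fc["subtype"]) not in (DEAUTH, DISASSOC):
            continue
        bssid = raw[16:22].hex(":")
        reason = struct.unpack_from("<H", raw, 24)[0]   # body follows the 24-byte header
        counts[bssid] += 1
        reasons.setdefault(bssid, Counter())[reason] += 1
    return {b: (n, dict(reasons[b])) for b, n in counts.items() if n >= threshold}

# Constructed sample traffic (not a real capture); MACs are made-up, locally administered.
def mgmt_frame(subtype, dst, src, bssid, body=b""):
    fc = bytes([subtype << 4, 0x00])                  # type 0 = management
    return fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00" + body

AP, AP2, STA = (bytes.fromhex(h) for h in ("02aabbcc0001", "02aabbcc0002", "02aabbcc0003"))
BCAST = b"\xff" * 6
SAMPLE = ([mgmt_frame(8, BCAST, AP, AP)] * 3                         # beacons
          + [mgmt_frame(12, BCAST, AP, AP, b"\x07\x00")] * 40         # flood, reason code 7
          + [mgmt_frame(12, AP2, STA, AP2, b"\x03\x00")])             # one ordinary leave

if __name__ == "__main__":
    for bssid, (n, r) in detect_deauth_flood(SAMPLE).items():
        print(f"possible deauth flood: bssid={bssid} frames={n} reasons={r}")
```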
NOTES
Fragmentation:

Pros
- Can obtain the full packet length of 1500 bytes of XOR
(keystream). This means you can subsequently create pretty well
any size of packet.
- May work where chopchop does not.
- Is extremely fast. It yields the XOR stream extremely quickly
when successful.

Cons
- Setup to execute the attack is more subject to the device
drivers. For example, Atheros does not generate the correct
packets unless the wireless card is set to the MAC address you
are spoofing.
- You need to be physically closer to the access point, since if
any packets are lost then the attack fails.

Chopchop:

Pros
- May work where fragmentation does not.

Cons
- Cannot be used against every access point.
- The maximum XOR (keystream) length is limited to the length of
the packet you chopchop against.
- Much slower than the fragmentation attack.

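The -3/-8 ARP replay, -4 chopchop and -5 fragmentation attacks, and the notes above on obtaining keystream, from the detection side: this second added Python example (not aireplay-ng's code) groups protected WEP data frames by transmitter and flags the on-air shapes those attacks leave, namely one frame and IV sent over and over, frame lengths stepping down one byte at a time under one IV, and bursts of fragments. The sample frames and MAC addresses are constructed; the burst and chops thresholds are assumptions to tune locally.

```python
from collections import defaultdict

def wep_data_fields(raw):
    """For a protected (WEP bit set) data frame return (transmitter, iv, more_frag,
    length), else None. Assumes a bare 802.11 header (no radiotap), 3-address format."""
    b0, b1 = raw[0], raw[1]
    if (b0 >> 2) & 0x3 != 2 or not (b1 >> 6) & 0x1:     # -u 2 (data) and -w 1 (WEP)
        return None
    return raw[10:16].hex(":"), raw[24:27], (b1 >> 2) & 0x1, len(raw)   # Addr2, IV, MoreFrag

def classify_wep_traffic(frames, burst=20, chops=8):
    """Per transmitter: 'replay' = one frame/one IV sent burst+ times (-3 style),
    'chopchop' = length steps down by one byte chops+ times (-4 style),
    'fragments' = burst+ frames with More Fragments set (-5 style)."""
    per_tx = defaultdict(list)
    for raw in frames:
        f = wep_data_fields(raw)
        if f:
            per_tx[f[0]].append(f)
    findings = {}
    for tx, fs in per_tx.items():
        ivs, frag, lengths = {f[1] for f in fs}, [f[2] for f in fs], [f[3] for f in fs]
        tags = []
        if len(fs) >= burst and len(ivs) == 1 and len(set(lengths)) == 1 and not any(frag):
            tags.append("replay")
        if sum(b == a - 1 for a, b in zip(lengths, lengths[1:])) >= chops:
            tags.append("chopchop")
        if sum(frag) >= burst:
            tags.append("fragments")
        if tags:
            findings[tx] = tags
    return findings

# Constructed sample frames (not a capture): ToDS=1 and protected, i.e. the -p 0841 word.
def wep_frame(tx, length, iv, more_frag=0):
    fc = bytes([0x08, 0x41 | (more_frag << 2)])
    hdr = fc + b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01" + tx + b"\xff" * 6 + b"\x00\x00"
    return hdr + iv + b"\x00" + b"\xaa" * (length - len(hdr) - 4)   # IV, key idx, ciphertext+ICV

A, B, C, D = (bytes.fromhex("02aabbcc00%02x" % i) for i in (1, 2, 3, 4))
SAMPLE = ([wep_frame(A, 68, b"\x01\x02\x03")] * 25                                  # replay
          + [wep_frame(B, n, b"\x04\x05\x06") for n in range(80, 68, -1) for _ in range(3)]  # chopchop
          + [wep_frame(C, n, bytes([0, 0, n])) for n in (100, 80, 120, 90)]            # ordinary station
          + [wep_frame(D, 60, b"\x07\x08\x09", more_frag=1)] * 25)                     # fragments

if __name__ == "__main__":
    for tx, tags in classify_wep_traffic(SAMPLE).items():
        print(f"{tx}: {', '.join(tags)}")
```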
AUTHOR
This manual page was written by Adam Cecile <gandalf@le-vert.net> for
the Debian system (but may be used by others). Permission is granted
to copy, distribute and/or modify this document under the terms of the
GNU General Public License, Version 2 or any later version published by
the Free Software Foundation. On Debian systems, the complete text of
the GNU General Public License can be found in
/usr/share/common-licenses/GPL.

SEE ALSO
airbase-ng(8)
airmon-ng(8)
airodump-ng(8)
airodump-ng-oui-update(8)
airserv-ng(8)
airtun-ng(8)
besside-ng(8)
easside-ng(8)
tkiptun-ng(8)
wesside-ng(8)
aircrack-ng(1)
airdecap-ng(1)
airdecloak-ng(1)
airolib-ng(1)
besside-ng-crawler(1)
buddy-ng(1)
ivstools(1)
kstats(1)
makeivs-ng(1)
packetforge-ng(1)
wpaclean(1)

Version 1.2-rc4 February 2016 AIREPLAY-NG(8)