1AIREPLAY-NG(8) System Manager's Manual AIREPLAY-NG(8)
2
3
4
6 aireplay-ng - inject packets into a wireless network to generate traf‐
7 fic
8
10 aireplay-ng [options] <replay interface>
11
13 aireplay-ng is used to inject/replay frames. The primary function is
14 to generate traffic for the later use in aircrack-ng for cracking the
15 WEP and WPA-PSK keys. There are different attacks which can cause deau‐
16 thentications for the purpose of capturing WPA handshake data, fake
17 authentications, Interactive packet replay, hand-crafted ARP request
18 injection and ARP-request reinjection. With the packetforge-ng tool
19 it's possible to create arbitrary frames.
20
21 aireplay-ng supports single-NIC injection/monitor.
22
23 This feature needs driver patching.
24
26 -H, --help
27 Shows the help screen.
28
29 Filter options:
30
31 -b <bssid>
32 MAC address of access point.
33
34 -d <dmac>
35 MAC address of destination.
36
37 -s <smac>
38 MAC address of source.
39
40 -m <len>
41 Minimum packet length.
42
43 -n <len>
44 Maximum packet length.
45
46 -u <type>
47 Frame control, type field.
48
49 -v <subt>
50 Frame control, subtype field.
51
52 -t <tods>
53 Frame control, "To" DS bit (0 or 1).
54
55 -f <fromds>
56 Frame control, "From" DS bit (0 or 1).
57
58 -w <iswep>
59 Frame control, WEP bit (0 or 1).
60
61 -D Disable AP Detection.
62
63 Replay options:
64
65 -x <nbpps>
66 Number of packets per second.
67
68 -p <fctrl>
69 Set frame control word (hex).
70
71 -a <bssid>
72 Set Access Point MAC address.
73
74 -c <dmac>
75 Set destination MAC address.
76
77 -h <smac>
78 Set source MAC address.
79
80 -g <nb_packets>
81 Change ring buffer size (default: 8 packets). The minimum is 1.
82
83 -F Choose first matching packet.
84
85 -e <essid>
86 Fake Authentication attack: Set target SSID (see below). For
87 SSID containing special characters, see https://www.aircrack-
88 ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_sin‐
89 gle_quote_etc_in_ap_names
90
91 -o <npackets>
92 Fake Authentication attack: Set the number of packets for every
93 authentication and association attempt (Default: 1). 0 means
94 auto
95
96 -q <seconds>
97 Fake Authentication attack: Set the time between keep-alive
98 packets in fake authentication mode.
99
100 -Q Fake Authentication attack: Sends reassociation requests instead
101 of performing a complete authentication and association after
102 each delay period.
103
104 -y <prga>
105 Fake Authentication attack: Specifies the keystream file for
106 fake shared key authentication.
107
108 -T n Fake Authentication attack: Exit if fake authentication fails
109 'n' time(s).
110
111 -j ARP Replay attack : inject FromDS packets (see below).
112
113 -k <IP>
114 Fragmentation attack: Set destination IP in fragments.
115
116 -l <IP>
117 Fragmentation attack: Set source IP in fragments.
118
119 -B Test option: bitrate test.
120
121 Source options:
122
123 -i <iface>
124 Capture packets from this interface.
125
126 -r <file>
127 Extract packets from this pcap file.
128
129 Miscellaneous options:
130
131 -R disable /dev/rtc usage.
132
133 --ignore-negative-one if the interface's channel can't be determined
134 ignore the mismatch, needed for unpatched cfg80211
135
136 --deauth-rc <rc>, -Z <rc> Provide a reason code when doing deauthica‐
137 tion (between 0 and 255). By default, 7 is used: Class 3 frame received
138 from unassociated STA. 0 is a reserved value. Reason codes explanations
139 can be found in the IEEE802.11 standard or in https://mrnc‐
140 ciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/
141
142 Attack modes:
143
144 -0 <count>, --deauth=<count>
145 This attack sends deauthentication packets to one or more
146 clients which are currently associated with a particular access
147 point. Deauthenticating clients can be done for a number of rea‐
148 sons: Recovering a hidden ESSID. This is an ESSID which is not
149 being broadcast. Another term for this is "cloaked" or Capturing
150 WPA/WPA2 handshakes by forcing clients to reauthenticate or Gen‐
151 erate ARP requests (Windows clients sometimes flush their ARP
152 cache when disconnected). Of course, this attack is totally
153 useless if there are no associated wireless client or on fake
154 authentications.
155
156 -1 <delay>, --fakeauth=<delay>
157 The fake authentication attack allows you to perform the two
158 types of WEP authentication (Open System and Shared Key) plus
159 associate with the access point (AP). This is only useful when
160 you need an associated MAC address in various aireplay-ng
161 attacks and there is currently no associated client. It should
162 be noted that the fake authentication attack does NOT generate
163 any ARP packets. Fake authentication cannot be used to authenti‐
164 cate/associate with WPA/WPA2 Access Points.
165
166 -2, --interactive
167 This attack allows you to choose a specific packet for replaying
168 (injecting). The attack can obtain packets to replay from two
169 sources. The first being a live flow of packets from your wire‐
170 less card. The second being from a pcap file. Reading from a
171 file is an often overlooked feature of aireplay-ng. This allows
172 you read packets from other capture sessions or quite often,
173 various attacks generate pcap files for easy reuse. A common use
174 of reading a file containing a packet your created with packet‐
175 forge-ng.
176
177 -3, --arpreplay
178 The classic ARP request replay attack is the most effective way
179 to generate new initialization vectors (IVs), and works very
180 reliably. The program listens for an ARP packet then retransmits
181 it back to the access point. This, in turn, causes the access
182 point to repeat the ARP packet with a new IV. The program
183 retransmits the same ARP packet over and over. However, each ARP
184 packet repeated by the access point has a new IVs. It is all
185 these new IVs which allow you to determine the WEP key.
186
187 -4, --chopchop
188 This attack, when successful, can decrypt a WEP data packet
189 without knowing the key. It can even work against dynamic WEP.
190 This attack does not recover the WEP key itself, but merely
191 reveals the plaintext. However, some access points are not vul‐
192 nerable to this attack. Some may seem vulnerable at first but
193 actually drop data packets shorter that 60 bytes. If the access
194 point drops packets shorter than 42 bytes, aireplay tries to
195 guess the rest of the missing data, as far as the headers are
196 predictable. If an IP packet is captured, it additionally checks
197 if the checksum of the header is correct after guessing the
198 missing parts of it. This attack requires at least one WEP data
199 packet.
200
201 -5, --fragment
202 This attack, when successful, can obtain 1500 bytes of PRGA
203 (pseudo random generation algorithm). This attack does not
204 recover the WEP key itself, but merely obtains the PRGA. The
205 PRGA can then be used to generate packets with packetforge-ng
206 which are in turn used for various injection attacks. It
207 requires at least one data packet to be received from the access
208 point in order to initiate the attack.
209
210 -6, --caffe-latte
211 In general, for an attack to work, the attacker has to be in the
212 range of an AP and a connected client (fake or real). Caffe
213 Latte attacks allows one to gather enough packets to crack a WEP
214 key without the need of an AP, it just need a client to be in
215 range.
216
217 -7, --cfrag
218 This attack turns IP or ARP packets from a client into ARP
219 request against the client. This attack works especially well
220 against ad-hoc networks. As well it can be used against softAP
221 clients and normal AP clients.
222
223 -8, --migmode
224 This attack works against Cisco Aironet access points configured
225 in WPA Migration Mode, which enables both WPA and WEP clients to
226 associate to an access point using the same Service Set Identi‐
227 fier (SSID). The program listens for a WEP-encapsulated broad‐
228 cast ARP packet, bitflips it to make it into an ARP coming from
229 the attacker's MAC address and retransmits it to the access
230 point. This, in turn, causes the access point to repeat the ARP
231 packet with a new IV and also to forward the ARP reply to the
232 attacker with a new IV. The program retransmits the same ARP
233 packet over and over. However, each ARP packet repeated by the
234 access point has a new IV as does the ARP reply forwarded to the
235 attacker by the access point. It is all these new IVs which
236 allow you to determine the WEP key.
237
238 -9, --test
239 Tests injection and quality.
240
242 Fragmentation:
243
244
245 Pros
246 - Can obtain the full packet length of 1500 bytes XOR. This
247 means you can subsequently pretty well create any size of
248 packet.
249 - May work where chopchop does not
250 - Is extremely fast. It yields the XOR stream extremely quickly
251 when successful.
252
253
254 Cons
255 - Setup to execute the attack is more subject to the device
256 drivers. For example, Atheros does not generate the correct
257 packets unless the wireless card is set to the mac address you
258 are spoofing.
259 - You need to be physically closer to the access point since if
260 any packets are lost then the attack fails.
261
262 Chopchop
263
264
265 Pro
266 - May work where frag does not work.
267
268
269 Cons
270 - Cannot be used against every access point.
271 - The maximum XOR bits is limited to the length of the packet
272 you chopchop against.
273 - Much slower then the fragmentation attack.
274
276 This manual page was written by Adam Cecile <gandalf@le-vert.net> for
277 the Debian system (but may be used by others). Permission is granted
278 to copy, distribute and/or modify this document under the terms of the
279 GNU General Public License, Version 2 or any later version published by
280 the Free Software Foundation On Debian systems, the complete text of
281 the GNU General Public License can be found in /usr/share/common-
282 licenses/GPL.
283
285 airbase-ng(8)
286 airmon-ng(8)
287 airodump-ng(8)
288 airodump-ng-oui-update(8)
289 airserv-ng(8)
290 airtun-ng(8)
291 besside-ng(8)
292 easside-ng(8)
293 tkiptun-ng(8)
294 wesside-ng(8)
295 aircrack-ng(1)
296 airdecap-ng(1)
297 airdecloak-ng(1)
298 airolib-ng(1)
299 besside-ng-crawler(1)
300 buddy-ng(1)
301 ivstools(1)
302 kstats(1)
303 makeivs-ng(1)
304 packetforge-ng(1)
305 wpaclean(1)
306 airventriloquist(8)
307
308
309
310Version 1.6.0 January 2020 AIREPLAY-NG(8)