aireplay-ng - inject packets into a wireless network to generate traffic
[options] <replay interface>
is used to inject/replay frames. The primary function is to
generate traffic for the later use in aircrack-ng for cracking the WEP and
WPA-PSK keys. There are different attacks which can cause deauthentications
for the purpose of capturing WPA handshake data, fake authentications,
Interactive packet replay, hand-crafted ARP request injection and ARP-request
reinjection. With the packetforge-ng tool it's possible to create arbitrary
supports single-NIC injection/monitor.
This feature needs driver patching.
- -H, --help
- Shows the help screen.
- Filter options:
- -b <bssid>
- MAC address of access point.
- -d <dmac>
- MAC address of destination.
- -s <smac>
- MAC address of source.
- -m <len>
- Minimum packet length.
- -n <len>
- Maximum packet length.
- -u <type>
- Frame control, type field.
- -v <subt>
- Frame control, subtype field.
- -t <tods>
- Frame control, "To" DS bit (0 or 1).
- -f <fromds>
- Frame control, "From" DS bit (0 or 1).
- -w <iswep>
- Frame control, WEP bit (0 or 1).
- Disable AP Detection.
- Replay options:
- -x <nbpps>
- Number of packets per second.
- -p <fctrl>
- Set frame control word (hex).
- -a <bssid>
- Set Access Point MAC address.
- -c <dmac>
- Set destination MAC address.
- -h <smac>
- Set source MAC address.
- -g <nb_packets>
- Change ring buffer size (default: 8 packets). The minimum
- Choose first matching packet.
- -e <essid>
- Fake Authentication attack: Set target SSID (see below).
For SSID containing special characters, see
- -o <npackets>
- Fake Authentication attack: Set the number of packets for
every authentication and association attempt (Default: 1). 0 means
- -q <seconds>
- Fake Authentication attack: Set the time between keep-alive
packets in fake authentication mode.
- Fake Authentication attack: Sends reassociation requests
instead of performing a complete authentication and association after each
- -y <prga>
- Fake Authentication attack: Specifies the keystream file
for fake shared key authentication.
- -T n
- Fake Authentication attack: Exit if fake authentication
fails 'n' time(s).
- ARP Replay attack : inject FromDS pakets (see below).
- -k <IP>
- Fragmentation attack: Set destination IP in fragments.
- -l <IP>
- Fragmentation attack: Set source IP in fragments.
- Test option: bitrate test.
- Source options:
- -i <iface>
- Capture packets from this interface.
- -r <file>
- Extract packets from this pcap file.
- Miscellaneous options:
- disable /dev/rtc usage.
if the interface's channel can't be determined
ignore the mismatch, needed for unpatched cfg80211
- Attack modes:
- -0 <count>, --deauth=<count>
- This attack sends deauthentication packets to one or more
clients which are currently associated with a particular access point.
Deauthenticating clients can be done for a number of reasons: Recovering a
hidden ESSID. This is an ESSID which is not being broadcast. Another term
for this is "cloaked" or Capturing WPA/WPA2 handshakes by
forcing clients to reauthenticate or Generate ARP requests (Windows
clients sometimes flush their ARP cache when disconnected). Of course,
this attack is totally useless if there are no associated wireless client
or on fake authentications.
- -1 <delay>, --fakeauth=<delay>
- The fake authentication attack allows you to perform the
two types of WEP authentication (Open System and Shared Key) plus
associate with the access point (AP). This is only useful when you need an
associated MAC address in various aireplay-ng attacks and there is
currently no associated client. It should be noted that the fake
authentication attack does NOT generate any ARP packets. Fake
authentication cannot be used to authenticate/associate with WPA/WPA2
- -2, --interactive
- This attack allows you to choose a specific packet for
replaying (injecting). The attack can obtain packets to replay from two
sources. The first being a live flow of packets from your wireless card.
The second being from a pcap file. Reading from a file is an often
overlooked feature of aireplay-ng. This allows you read packets from other
capture sessions or quite often, various attacks generate pcap files for
easy reuse. A common use of reading a file containing a packet your
created with packetforge-ng.
- -3, --arpreplay
- The classic ARP request replay attack is the most effective
way to generate new initialization vectors (IVs), and works very reliably.
The program listens for an ARP packet then retransmits it back to the
access point. This, in turn, causes the access point to repeat the ARP
packet with a new IV. The program retransmits the same ARP packet over and
over. However, each ARP packet repeated by the access point has a new IVs.
It is all these new IVs which allow you to determine the WEP key.
- -4, --chopchop
- This attack, when successful, can decrypt a WEP data packet
without knowing the key. It can even work against dynamic WEP. This attack
does not recover the WEP key itself, but merely reveals the plaintext.
However, some access points are not vulnerable to this attack. Some may
seem vulnerable at first but actually drop data packets shorter that 60
bytes. If the access point drops packets shorter than 42 bytes, aireplay
tries to guess the rest of the missing data, as far as the headers are
predictable. If an IP packet is captured, it additionally checks if the
checksum of the header is correct after guessing the missing parts of it.
This attack requires at least one WEP data packet.
- -5, --fragment
- This attack, when successful, can obtain 1500 bytes of PRGA
(pseudo random generation algorithm). This attack does not recover the WEP
key itself, but merely obtains the PRGA. The PRGA can then be used to
generate packets with packetforge-ng which are in turn used for various
injection attacks. It requires at least one data packet to be received
from the access point in order to initiate the attack.
- -6, --caffe-latte
- In general, for an attack to work, the attacker has to be
in the range of an AP and a connected client (fake or real). Caffe Latte
attacks allows one to gather enough packets to crack a WEP key without the
need of an AP, it just need a client to be in range.
- -7, --cfrag
- This attack turns IP or ARP packets from a client into ARP
request against the client. This attack works especially well against
ad-hoc networks. As well it can be used against softAP clients and normal
- -8, --migmode
- This attack works against Cisco Aironet access points
configured in WPA Migration Mode, which enables both WPA and WEP clients
to associate to an access point using the same Service Set Identifier
(SSID). The program listens for a WEP-encapsulated broadcast ARP packet,
bitflips it to make it into an ARP coming from the attacker's MAC address
and retransmits it to the access point. This, in turn, causes the access
point to repeat the ARP packet with a new IV and also to forward the ARP
reply to the attacker with a new IV. The program retransmits the same ARP
packet over and over. However, each ARP packet repeated by the access
point has a new IV as does the ARP reply forwarded to the attacker by the
access point. It is all these new IVs which allow you to determine the WEP
- -9, --test
- Tests injection and quality.
- Can obtain the full packet length of 1500 bytes XOR. This means you can
subsequently pretty well create any size of packet.
- May work where chopchop does not
- Is extremely fast. It yields the XOR stream extremely quickly when successful.
- Setup to execute the attack is more subject to the device drivers. For
example, Atheros does not generate the correct packets unless the wireless
card is set to the mac address you are spoofing.
- You need to be physically closer to the access point since if any packets are
lost then the attack fails.
- May work where frag does not work.
- Cannot be used against every access point.
- The maximum XOR bits is limited to the length of the packet you chopchop
- Much slower then the fragmentation attack.
This manual page was written by Adam Cecile <firstname.lastname@example.org> for the
Debian system (but may be used by others). Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU General
Public License, Version 2 or any later version published by the Free Software
Foundation On Debian systems, the complete text of the GNU General Public
License can be found in /usr/share/common-licenses/GPL.