Aireplay-ng

Aireplay-ng Description

Aireplay-ng is used to inject frames.

The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it's possible to create arbitrary frames.

Most drivers needs to be patched to be able to inject, don't forget to read Installing drivers.

Usage of the attacks

It currently implements multiple different attacks:

• Attack 0: Deauthentication

• Attack 1: Fake authentication

• Attack 2: Interactive packet replay

• Attack 3: ARP request replay attack

• Attack 4: KoreK chopchop attack

• Attack 5: Fragmentation attack

• Attack 6: Cafe-latte attack

• Attack 7: Client-oriented fragmentation attack

• Attack 8: WPA Migration Mode

• Attack 9: Injection test

Homepage: http://aircrack-ng.org/

Author: Thomas d’Otreppe

License: GPLv2

Aireplay-ng Help

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream   (-5)
      --caffe-latte       : query a client for new IVs  (-6)
      --cfrag             : fragments against a client  (-7)
      --migmode           : attacks WPA migration mode  (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen                                

Aireplay-ng Usage Example

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AE:CE:9D ath0

Where:

• -0 means deauthentication

• 1 is the number of deauths to send (you can send multiple if you wish)

• -a 00:14:6C:7E:40:80 is the MAC address of the access point

• -c 000:0F:B5:AE:CE:9D is the MAC address of the client you are deauthing

• ath0 is the interface name

Here is typical output:

 12:35:25  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
 12:35:25  Sending 64 directed DeAuth. STMAC: [00:0F:B5:AE:CE:9D] [ 61|63 ACKs]

How to install Aireplay-ng

The program is pre-installed on Kali Linux.

Installation on Linux (Debian, Mint, Ubuntu)

sudo apt-get install aircrack-ng

Aireplay-ng Screenshots

Aireplay-ng Tutorials

• Main documentation: Aireplay-ng
• Three ways to put wireless interface in Monitor mode and Managed mode
• USB Wi-Fi Adapters with monitor mode and wireless injection (100% compatible with Kali Linux) 2021