AIREPLAY-NG

Section: User Commands (1)
Updated: February 2008
Index Return to Main Contents

 

NAME

aireplay-ng - inject ARP-request packets into a wireless network to generate traffic  

SYNOPSIS

aireplay-ng [options] <replay interface>  

DESCRIPTION

aireplay-ng injects specially generated ARP-request packets into an existing wireless network in order to generate traffic. By sending these ARP-request packets again and again, the target host will respond with encrypted replies, thus providing new and possibly weak IVs.

aireplay-ng supports single-NIC injection/monitor.
This feature needs driver patching.
 

OPTIONS

-H, --help
Shows the help screen.

Filter options:
-b <bssid>
MAC address of access point.
-d <dmac>
MAC address of destination.
-s <smac>
MAC address of source.
-m <len>
Minimum packet length.
-n <len>
Maximum packet length.
-u <type>
Frame control, type field.
-v <subt>
Frame control, subtype field.
-t <tods>
Frame control, "To" DS bit.
-f <fromds>
Frame control, "From" DS bit.
-w <iswep>
Frame control, WEP bit.

Replay options:
-x <nbpps>
Number of packets per second.
-p <fctrl>
Set frame control word (hex).
-a <bssid>
Set Access Point MAC address.
-c <dmac>
Set destination MAC address.
-h <smac>
Set source MAC address.
-e <essid>
Set target SSID for Fake Authentication attack (see below).
-j
ARP Replay attack : inject FromDS pakets (see below).
-g <rbsize>
Set ring buffer size (rbsize must be higher or equal to 1 ).
-k <IP>
Set destination IP in fragments.
-l <IP>
Set source IP in fragments.
-o <npackets>
Set the number of packets for every authentication and association attempt.
-q <seconds>
Set the time between keep-alive packets in fake authentication mode.
-y <prga>
Specifies the keystream file for fake shared key authentication.

Source options:
-i <iface>
Capture packets from this interface.
-r <file>
Extract packets from this pcap file.

Attack modes:
-0 <count>, --deauth=<count>
Deauthenticate stations.
-1 <delay>, --fakeauth=<delay>
Fake authentication with AP.
-2, --interactive
Interactive frame selection.
-3, --arpreplay
Standard ARP-request replay.
-4, --chopchop
Decrypt/chopchop WEP packet.
-5, --fragment
Generates a valid keystream.
-9, --test
Tests injection and quality.
 

FRAGMENTATION VERSUS CHOPCHOP

Fragmentation:

Pros
- Can obtain the full packet length of 1500 bytes XOR. This means you can subsequently pretty well create any size of packet.
- May work where chopchop does not
- Is extremely fast. It yields the XOR stream extremely quickly when successful.

Cons
- Setup to execute the attack is more subject to the device drivers. For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.
- You need to be physically closer to the access point since if any packets are lost then the attack fails.

Chopchop

Pro
- May work where frag does not work.

Cons
- Cannot be used against every access point.
- The maximum XOR bits is limited to the length of the packet you chopchop against.
- Much slower then the fragmentation attack.
 

AUTHOR

This manual page was written by Adam Cecile <gandalf@le-vert.net> for the Debian system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.  

SEE ALSO


airmon-ng(1)
airdecap-ng(1)
aircrack-ng(1)
airodump-ng(1)
airtun-ng(1)
packetforge-ng(1)
ivstools(1)
kstats(1)
makeivs(1)


 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
FRAGMENTATION VERSUS CHOPCHOP
AUTHOR
SEE ALSO

linux.jgfs.net manual pages