Главная » Статьи » Мои статьи


Aireplay-ng is a tool that is used to generate packages. Aireplay-ng - puts the packets in the wireless network to generate traffic. If your wireless access point no one is connected, hence no traffic for capture and subsequent analysis.

Utility Aireplay-ng it is also used for injection (injection) frames. The main function of the program is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are several different attacks that you can use to make: reassociation units in order to obtain the WPA handshake data, fake authentication, interactive packet repetition (Interactive packet replay), manually produce an injector ARP requests and re-ARP requests. Tool packetforge-ng to create custom packages. Most drivers need patching to be able to generate packages.

Currently the program implements multiple different attacks:

Attacks can obtain packets to generate from two sources. The first source is a stream of packets in real vremeni your wireless card. The second source of the pcap file. Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source) programs to capture and analyze packets.When reading from a file are often ignored features of aireplay-ng. It allows you to read packets from other capture sessions and packages dovolnoye to generate various attacks in the pcap files for easy reuse.

The settings for selection source:

iface: capture packets from this interface

-r file: receiving a packet from this pcap file format

Here you specify the way in which mode the program will work. Depending on the method, not all options will be available. (for mode selection can be used numbers):

--deauth      count : deauthenticate 1 or all stations (-0)
--fakeauth    delay : fake authentication with AP (-1)
--interactive       : interactive frame selection (-2)
--arpreplay          : standard ARP-request replay (-3)
--chopchop          : decrypt/chopchop WEP packet (-4)
--fragment           : generates valid keystream   (-5)
--caffe-latte         : query a client for new IVs  (-6)
--cfrag                  : fragments against a client  (-7)
--migmode          : attacks WPA migration mode  (-8)
--test                    : tests injection and quality (-9)


   root@d1gg3r:~#aireplay-ng <options> <replay interface>    

For all attacks, except for the reassociation of nodes and fake authentication, you can use the following filters to restrict the packets that will participate in a specific attack. The most commonly used filter-option "-b" to select a specific access point. Usually the option "-b" is the only key that you are using.

Filtering options:

Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

When generating packages (by injection), apply the following setting options. Keep in mind that not every parameter is relevant to each attack. For each attack below are given examples of possible options.

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                                  : disable /dev/rtc usage
      --ignore-negative-one  : if the interface's channel can't be determined,
         ignore the mismatch, needed for unpatched cfg80211

Fragmentation vs. Сhopchop attack

Below shows the differences in the attacks, fragmentation and chopchop.


Typically, the received packet length equal to 1500 bytes. This means that you can later create a package of any size. Even in cases when the obtained packet length less than 1500 bytes then it is sufficient to create ARP requests.

May work where chopchop attack doesn't work.

Very fast. It gives the xor of the flow extremely quickly when successful.


Need more information to run — information on IE's IP address. Quite often, the address can be guessed. Moreover, aireplay-papriwal the IP addresses of the source and destination of in the case if nothing is specified. It works successfully on most,if not all access points. So that's a small minus.

Settings to perform an attack depend on the device drivers. For example, the card on the Atheros chipset does not generate the correct packets if the updated MAC address of the wireless card.

You have to be physically closer to the access point, because if any packets are lost then the attack fails.

This attack will fail for access points that do not correctly handle fragmented packets.


Can work where they attack the "fragmentation" does not work.

You don't need to know any IP addresses.


Cannot be used against every access point.

The maximum length of the xor of the packets is limited. Although it is theoretically possible to obtain the xor of the stream with length more than 1500 bytes, in practice you rarely see wireless packets with length of 1500 bytes, if any, will see this.

Much slower than the charge of "fragmentation".
Usage tips
Speed optimization packet generation (injection)

Optimization of the generation rate of packets is more art than science. First, try to use tools "as is".You can try to use option "-x", to change the injection speed. Surprisingly, sometimes reducing this setting can increase the overall speed level of the packet capture.

You can try to play with the speed of your wireless card "iwconfig wlan0 rate 11M". Depending on the driver and how you configured the card in monitor mode, it is usually 1 or 11MBit default. If you're near an access point, install a high speed, for example 54M, so you will get more packets per second. If you are too far, and packets do not reach,try to reduce it (for example) 1M.


  -0 <count>, --deauth=<count>  

This attack sends packets of deauthenticate one or more clients which are currently associated with a particular access point. Deauthenticate clients can be done for a number of reasons: Recovering a hidden ESSID. This ESSID is not shown in the broadcast. Another reason for this is "masking" or Capture the handshake of WPA/WPA2 by forcing re-authentication of clients, or Generate ARP requests (Windows clients sometimes clear their ARP cache after disconnecting). Of course, this attack is totally useless if not connected to the wireless network clients or the false authentication.

  -1 <delay>, --fakeauth=<delay>  

The fake authentication attack allows you to perform two types of WEP authentication (Open system and Shared key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various attacks aireplay-ng and associated clients at the moment. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used for authentication/Association with WPA/WPA2 access points.

  -2, --interactive  

This attack allows you to choose a certain package for replay (injection). Attacks can obtain packets to replay from two sources. The first is a live flow of packets from your wireless card. The second is a pcap file. Many overlooked this function of aireplay-ng as reading from a file. It allows you to read packets from the captured sessions or are often generated from the various to attack the pcap files for easy reuse. Popular usage is the reading of the file that you created with packetforge-ng.

  -3, --arpreplay  

Attack classic re-play the ARP request is the most effective way to generate new initialization vectors (IVs), and it works very reliably. The program looks for ARP packets, then forwards them back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program sends the same ARP packet over and over again. However, each ARP packet repeated by the access point, has a new IVs. This is an all new IVs which allow you to define a WEP key.

  -4, --chopchop  

This attack, if successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but only reveals the plain text. However, some access points are not vulnerable to this attack. Some seem vulnerable, but actually drop data packets shorter than 60 bytes. If the access point abrasive packages carechem than 42 bytes, aireplay tries to guess the remaining missing data, because the header is predictable. If the captured IP packet, additionally checks header checksum for correctness after guessing the missing parts. This attack requires at least one WEP package.

  -5, --fragment  

This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not reveal the WEP key itself, but only obtains the PRGA. This PRGA can be used to generate packet with packetforge-ng which are in turn used for various injection attacks. Required to obtain at least one packet from the access point to initiate this attack.

  -6, --caffe-latte  

In General terms, in order for the attack to work, attackers need to be in the range TD and a connected client (fake or real). The Caffe Latte attack, allows to gather enough packets to crack a WEP key without the need of TD, simply the client in the range.

  -7, --cfrag   

This attack turns IP or ARP packets from a client to ARP requests for the client. This attack works especially well against networks in ad-hoc. It can also be used against customers softAP (software access point) and the normal clients of TD.

  -8, --migmode   

This attack works against access points Cisco Aironet configured in WPA Migration Mode, which enables both WPA clients and WEP to connect to the access point using the same Service Set Identifier (SSID). The program listens for a WEP-encapsulated broadcast ARP packet, changes the bits to convert it into an ARP coming from the attacker MAC address, and forwards to the access point. This, in turn, causes the access point repeats the ARP packet with a new IV and also forwards the ARP reply to the attacker with a new IV. The program sends the same ARP packet over and over again. However, each ARP packet repeated by the access point, has a new IV, and the ARP response is forwarded to the access point to the attacker. All these new IV allows you to define a WEP key.

  -9, --test   

Test injection and the quality of communication.

The examples run Aireplay-NG

Go to channel 1 (iwconfig wlan0 channel 1), to make the attack Deauthenticate (-0) until it is stopped manually (0) against AP with the Mac address 20:25:64:16:58:8S and 20:25:64:16:58:8C) network interface wlan0 (wlan0):

channel 1 iwconfig wlan0
aireplay-NG -0 0 -A 20:25:64:16:58:8S wlan0

Go to channel 1 (iwconfig wlan0 channel 1), to make the attack Deauthenticate (-0), to send five packages of separation (5) in relation to AP with ESSID 20:25:64:16:58:8S (e-MIAL) with a network interface wlan0 (wlan0):

channel 1 iwconfig wlan0
aireplay-NG -0 5 -e MIAL wlan0

The output of these two commands is identical:

root@d1gg3r:~# iwconfig wlan0 channel 1
oot@d1gg3r:~# aireplay-NG -0 0 -A 20:25:64:16:58:8S wlan0
20:59:42 waiting for the packet (the Mac address: 20:25:64:16:58:8S) on channel 11
Note: this attack is more effective when targeting
wireless client (-C <client's Mac>).
20:59:42 sending DeAuth to broadcast -- Mac address: [20:25:64:16:58:8S]
20:59:42 sending DeAuth to broadcast -- Mac address: [20:25:64:16:58:8S]
20:59:43 sending DeAuth to broadcast -- Mac address: [20:25:64:16:58:8S]
20:59:43 sending DeAuth to broadcast -- Mac address: [20:25:64:16:58:8S]

To check whether wireless card injection (injection) (-9) on a network interface wlan0 (wlan0):

aireplay-NG -9 wlan0

Sample output:

oot@d1gg3r:~# aireplay-NG -9 wlan0
08:36:50 trying broadcast probe requests...
08:36:50 injection works!
08:36:52 Found 2 APS

08:36:52 attempt directed probe requests...
08:36:52 F8:1A output:67:F0:73:7A - channel: 1 - 'Janphen'
08:36:53 ping (min/AVG/Max): 1.005 MS/10.098 MS/MS 43.203 Power: -89.04
08:36:53 25/30: 83%

08:36:53 64:66:B3:AE:8C:E7 - channel: 3 - 'TP-LINK_AP_AE8CE7'
08:36:55 ping (min/AVG/Max): 1.412 MS/35.386 MS/MS 150.605 Power: -78.81
08:36:55 26/30: 86%


Категория: Мои статьи | Добавил: d1gger (30.08.2016)
Просмотров: 472 | Теги: wifikey, wep, WiFi, airodump-ng, aircrack-ng, WPA, aireplay-ng, wpa2 | Рейтинг: 5.0/1
Всего комментариев: 0
3139 Brownton Road
Long Community, MS 38915

+7 495 287-42-34 info@ucoz.com
sample map