aireplay-ng injects specially generated ARP-request packets into an existing wireless network in order to generate traffic. By sending these ARP-request packets again and again, the target host will respond with encrypted replies, thus providing new and possibly weak IVs.

aireplay-ng supports single-NIC injection/monitor. This feature needs driver patching.
Shows the help screen.

Filter options:
MAC address of access point.
-d  MAC address of destination.
-s  MAC address of source.
-m  Minimum packet length.
-n  Maximum packet length.
-u  Frame control, type field.
-v  Frame control, subtype field.
-t  Frame control, To DS bit.
-f  Frame control, From DS bit.
-w  Frame control, WEP bit.

Replay options:
Number of packets per second.
-p  Set frame control word (hex).
-a  Set Access Point MAC address.
-c  Set destination MAC address.
-h  Set source MAC address.
-e  Set target SSID for Fake Authentication attack (see below).
-j  ARP Replay attack: inject FromDS packets (see below).
-g  Set ring buffer size (rbsize must be greater than or equal to 1).
-k  Set destination IP in fragments.
-l  Set source IP in fragments.
-o  Set the number of packets for every authentication and association attempt.
-q  Set the time between keep-alive packets in fake authentication mode.
-y  Specifies the keystream file for fake shared key authentication.

Source options:
Capture packets from this interface.
-r  Extract packets from this pcap file.

Attack modes:
Deauthenticate stations.
-1  Fake authentication with AP.
-2  Interactive frame selection.
-3  Standard ARP-request replay.
-4  Decrypt/chopchop WEP packet.
-5  Generates a valid keystream.
-9  Tests injection and quality.
Fragmentation:
Pros
- Can obtain the full packet length of 1500 bytes XOR. This means you can subsequently pretty well create any size of packet.
- May work where chopchop does not.
- Is extremely fast. It yields the XOR stream extremely quickly when successful.
Cons
- Setup to execute the attack is more subject to the device drivers. For example, Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.
- You need to be physically closer to the access point, since if any packets are lost then the attack fails.

Chopchop:
Pros
- May work where frag does not work.
Cons
- Cannot be used against every access point.
- The maximum XOR bits is limited to the length of the packet you chopchop against.
- Much slower than the fragmentation attack.
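Because ARP-request replay reinjects the same captured frame again and again, the injected copies share one source MAC, IV and length, which a wireless monitor can key on. The following Python sketch is an added example, not part of aireplay-ng or this manual page; the frame-record fields, the threshold values and the sample data are constructed assumptions.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

def find_replayed_frames(frames, window_ms=1000, threshold=20):
    """Flag broadcast WEP frames whose (source, IV, length) tuple repeats.

    frames: iterable of dicts with hypothetical keys ts_ms, src, dst, len,
    iv, wep (already parsed from a monitor-mode capture).
    Returns {(src, iv, len): peak number of copies seen inside window_ms}.
    """
    seen = defaultdict(list)
    for f in frames:
        if f["wep"] and f["dst"] == BROADCAST:
            seen[(f["src"], f["iv"], f["len"])].append(f["ts_ms"])

    alerts = {}
    for key, stamps in seen.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window over the timestamps of identical frames.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def sample_frames():
    """Constructed sample data: one normal station, one replayed frame."""
    frames = []
    # Normal station: one broadcast frame per second, fresh IV every time.
    for i in range(30):
        frames.append({"ts_ms": i * 1000, "src": "02:00:00:00:00:01",
                       "dst": BROADCAST, "len": 68,
                       "iv": "%06x" % (0x1000 + i), "wep": True})
    # Replayed frame: 200 identical copies, 10 ms apart (100 packets/s).
    for i in range(200):
        frames.append({"ts_ms": 10000 + i * 10, "src": "02:00:00:00:00:02",
                       "dst": BROADCAST, "len": 68,
                       "iv": "a1b2c3", "wep": True})
    return frames

if __name__ == "__main__":
    for key, peak in find_replayed_frames(sample_frames()).items():
        print("possible ARP replay:", key, "peak copies per window:", peak)
```

The threshold should sit well below the injection rate seen in practice and well above the number of retransmissions a healthy station produces in one window.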
This manual page was written by Adam Cecile for the Debian system (but may be used by others). Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation. On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
airmon-ng(1) airdecap-ng(1) aircrack-ng(1) airodump-ng(1) airtun-ng(1) packetforge-ng(1) ivstools(1) kstats(1) makeivs(1)