aireplay-ng
Inject wireless frames for testing and attacks
TLDR
Send a specific number of disassociate packets given an access point's MAC address, a client's MAC address and an interface
SYNOPSIS
aireplay-ng <options> <replay interface>
Common usage examples:
aireplay-ng --deauth <count> -a <AP MAC> -c <Client MAC> <interface>
aireplay-ng --arpreplay -b <AP MAC> -h <Source MAC> <interface>
PARAMETERS
--deauth <count>
Deauthentication attack. Disconnects clients from an AP. Count specifies the number of deauths. Use 0 for continuous.
-0 <count>
Shorthand for deauthentication attack. Same as --deauth.
-a <bssid>
Specify the Access Point (AP) BSSID (MAC address) to target.
-c <dmac>
Specify the client MAC address to target for attacks.
-D
Disassociation attack. Similar to deauthentication but for specific clients.
-h <smac>
Sets the source MAC address for sent packets.
--arpreplay
Performs the standard ARP-request replay attack to generate new IVs.
-1 <count>
Fake authentication attack. Used to associate with an AP. Count is the reassociation interval.
-3
ARP request replay attack. Replays captured ARP requests to generate traffic.
-4
Chopchop attack. Recovers WEP key by analyzing packet fragments.
-5
Fragmentation attack. Recovers PRGA (Pseudo-Random Generation Algorithm) for WEP by exploiting fragment reassembly.
-x <pkts/sec>
Sets the replay speed in packets per second.
-r <file>
Reads packets from a pcap file for replaying.
-y <file>
Reads PRGA (keystream) from a file for interactive attacks.
--ignore-negative-one
Ignores the "fixed channel" error, useful for some drivers.
DESCRIPTION
aireplay-ng is a crucial tool within the Aircrack-ng suite, primarily designed for injecting and re-injecting wireless frames. Its main purpose is to generate traffic and accelerate the capture of Initialization Vectors (IVs) for WEP cracking, or to facilitate WPA/WPA2 handshake captures. It can perform various types of attacks, including deauthentication attacks to disconnect clients from an access point, ARP request replay attacks to generate IVs, and chopchop or fragmentation attacks to recover WEP keys. This utility is indispensable for active wireless security auditing, allowing users to interact with Wi-Fi networks in a controlled manner to test their vulnerabilities. It requires a wireless adapter capable of monitor mode and packet injection.
CAVEATS
aireplay-ng requires a wireless adapter capable of monitor mode and packet injection. Improper or unauthorized use of this tool can be illegal and may disrupt network services. It should only be used on networks for which you have explicit permission to test.
ATTACK TYPES
aireplay-ng offers several attack modes, indicated by a single digit (e.g., -0 for deauthentication). Each mode serves a specific purpose, from generating IVs for WEP cracking (-3, -4, -5) to forcing WPA/WPA2 handshake captures (-0). Understanding the specific attack mode is key to its effective use.
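Seen from the monitoring side, the deauthentication and disassociation modes described above appear as a burst of 802.11 management frames between one BSSID and one station. The following is an added example, not part of the aireplay-ng documentation or the Aircrack-ng code: it parses raw 802.11 headers and flags such bursts. The MAC addresses, the sample capture, the threshold and the time window are constructed or assumed values.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10  # 802.11 management frame subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_floods(capture, threshold=10, window=1.0):
    """capture: (timestamp_s, frame_bytes) pairs, radiotap header already stripped.
    Returns sorted (bssid, station) pairs with >= threshold frames inside `window` s."""
    recent, flagged = defaultdict(deque), set()
    for ts, frame in capture:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        _, dst, src, bssid, _ = parsed
        station = dst if src == bssid else src  # the non-AP end, either direction
        times = recent[(bssid, station)]
        times.append(ts)
        while ts - times[0] > window:
            times.popleft()
        if len(times) >= threshold:
            flagged.add((bssid, station))
    return sorted(flagged)

def sample_frame(subtype, dst, src, bssid, reason=7):
    """Constructed test frame (no radiotap, no FCS) used only to feed the detector."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<BBH", subtype << 4, 0, 0) + raw(dst) + raw(src) + raw(bssid)
            + struct.pack("<HH", 0, reason))

# Constructed addresses and capture: a 20-frame burst at one client, one ordinary
# deauth from another client, and a beacon (subtype 8) that must be ignored.
AP, STA_A, STA_B = "02:00:00:00:00:01", "02:00:00:00:00:aa", "02:00:00:00:00:bb"
SAMPLE = [(i * 0.01, sample_frame(DEAUTH, STA_A, AP, AP)) for i in range(20)]
SAMPLE += [(5.0, sample_frame(DEAUTH, AP, STA_B, AP, reason=3)),
           (5.1, sample_frame(8, "ff:ff:ff:ff:ff:ff", AP, AP))]
```

Calling detect_floods(SAMPLE) flags only the AP and STA_A pair; the single deauthentication from STA_B stays below the threshold.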
MONITOR MODE REQUIREMENT
For aireplay-ng to function, the wireless interface must be put into monitor mode. This allows the adapter to capture all packets on a given channel, rather than just those addressed to it, and enables the injection of custom packets. This setup is typically achieved using airmon-ng.
HISTORY
aireplay-ng is a core component of the Aircrack-ng suite, a powerful set of tools for auditing wireless networks. It evolved from earlier standalone tools like 'aireplay' and was integrated into the unified Aircrack-ng project to provide comprehensive wireless security testing capabilities. Its development has consistently focused on improving injection techniques and supporting new attack vectors against modern Wi-Fi security protocols.
SEE ALSO
airodump-ng(8), airmon-ng(8), aircrack-ng(1), airtun-ng(8)