LinuxCommandLibrary

airtun-ng

Inject frames into wireless networks

SYNOPSIS

airtun-ng [options] <replay interface>

PARAMETERS

-a <bssid>
    Specifies the BSSID (MAC address) of the access point to which the virtual interface will connect. This is mandatory for tunnel mode operations.

-i <ip_address>
    Sets the IP address for the virtual tunnel interface (e.g., at0). This IP address will be used to communicate over the tunnel.

-r <ip_range>/<netmask>
    Defines an IP range and netmask for the virtual interface, useful for more complex network setups.

-t <essid>
    Specifies the ESSID (network name) of the target wireless network.

-w <wepkey>
    Sets the WEP key in ASCII or hexadecimal format. This is required to decrypt/encrypt frames when interacting with a WEP-protected network.

-x
    Enables decryption of WEP frames as they pass through the tunnel.

-p <pmkid>
    Specifies a PMKID to use for authentication or attack. This is used in specific WPA/WPA2 attacks.

-s
    Used with -p <pmkid> to specify shared key authentication.

-u
    Used with -p <pmkid> to specify unauthenticated mode.

-d
    Uses dummy FCS (Frame Check Sequence) for injected frames.

-y
    Creates a new session, which can be useful for certain attack types.

--debug
    Activates debug output, providing more verbose information for troubleshooting.

--help
    Displays the help message and available options for the command.

DESCRIPTION

airtun-ng is a powerful utility within the aircrack-ng suite, designed to create a virtual tunnel interface, typically named at0.

This interface allows for the injection of raw 802.11 frames, enabling advanced wireless security testing and exploitation. By capturing frames on a wireless interface operating in monitor mode and then re-injecting them through the at0 tunnel, airtun-ng facilitates various network attacks, such as WEP/WPA key cracking, ARP request injection, and interactive packet manipulation.

It essentially bridges the gap between the raw 802.11 layer and the IP layer, making it possible to use standard networking tools like ping, ssh, or nmap over a WEP/WPA-protected wireless network, provided the WEP key is known or can be cracked. Its primary use case involves collaborating with other aircrack-ng tools, like aireplay-ng, to perform active attacks that require frame injection.

CAVEATS

  • Requires a wireless adapter capable of monitor mode and frame injection.
  • Typically used on Linux systems; compatibility on other platforms may vary or require specific drivers/setups.
  • The target wireless interface must be in monitor mode before running airtun-ng.
  • Knowledge of the WEP key is usually necessary to effectively utilize the IP tunnel for communication beyond basic injection.
  • Misuse can lead to legal consequences or network instability.

MONITOR MODE REQUIREMENT

Before running airtun-ng, ensure your wireless adapter is successfully placed into monitor mode using a utility like airmon-ng. This is crucial for airtun-ng to function correctly and interact with the wireless network.

VIRTUAL INTERFACE

Upon successful execution, airtun-ng creates a virtual network interface, commonly named at0. This interface acts as a tunnel, allowing IP packets sent through it to be encapsulated into 802.11 frames and injected onto the wireless network, and vice versa for incoming frames.
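Seen from the defender's side, the two conditions described above (a wireless interface in monitor mode and a tunnel interface such as at0) are visible in sysfs on the host where the tool runs. The check below is an added example, not part of the original page or the aircrack-ng project; the function name audit_net and its sysfs-root argument are assumptions of this example, and it assumes the tunnel is a Linux TUN/TAP device.

```shell
#!/bin/sh
# Host audit: report interfaces in the state described above
# (a monitor-mode wireless interface plus a TUN/TAP tunnel such as at0).
# The sysfs root is a parameter (an assumption of this example) so the
# check can be pointed at a test tree.
# Usage on a live Linux host: audit_net /sys/class/net

audit_net() {
    root="${1:-/sys/class/net}"
    monitor=""
    tunnels=""
    for dev in "$root"/*; do
        [ -d "$dev" ] || continue          # skip plain files such as bonding_masters
        name=${dev##*/}
        # ARPHRD link types 801-803 are raw 802.11 (plain, Prism, radiotap),
        # which is what a monitor-mode interface reports in sysfs.
        type=$(cat "$dev/type" 2>/dev/null || echo 0)
        case "$type" in
            801|802|803) monitor="$monitor $name" ;;
        esac
        # The tun_flags attribute exists only for TUN/TAP devices.
        if [ -r "$dev/tun_flags" ]; then
            tunnels="$tunnels $name"
        fi
    done
    for m in $monitor; do
        echo "monitor-mode: $m"
    done
    for t in $tunnels; do
        case "$t" in
            at[0-9]*) echo "tunnel (airtun-ng naming): $t" ;;
            *)        echo "tunnel: $t" ;;
        esac
    done
    # Both together match the setup described above: flag the host for review.
    if [ -n "$monitor" ] && [ -n "$tunnels" ]; then
        echo "REVIEW: monitor-mode interface and TUN/TAP tunnel on the same host"
        return 1
    fi
    return 0
}
```

A return status of 1 means both conditions were found together; VPN clients also create TUN/TAP devices, so a tunnel on its own is reported but not flagged.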

HISTORY

airtun-ng is an integral part of the aircrack-ng suite, which evolved from the original aircrack project. The aircrack-ng project focuses on tools for auditing wireless networks, and airtun-ng was developed to provide the necessary virtual interface for advanced frame injection and interaction with target networks at the IP layer. Its development has been driven by the need for more sophisticated and versatile attacks and analyses within the wireless security research community, allowing researchers to leverage standard networking tools over raw 802.11 traffic.
