LinuxCommandLibrary

packetforge-ng

Create custom wireless packets for injection

SYNOPSIS

packetforge-ng <packet_type_option> [packet_options] [output_options] [misc_options]

PARAMETERS

-A
    Forges an ARP request packet. Commonly used in WEP attacks to generate Initialization Vectors (IVs).

-N
    Forges a WPA Null packet, typically used to trigger WPA/WPA2 handshake captures passively.

-M
    Forges a WPA MPDU (Management Packet Data Unit) packet, also for passive WPA handshake capture.

-F
    Forges a Fragmentation attack packet. Used in WEP cracking to obtain the PRGA (Pseudo Random Generation Algorithm) key stream.

-K
    Forges a Chopchop attack packet. A WEP cracking technique to recover the keystream byte by byte.

-S
    Forges a Shared Key authentication attack packet, used to obtain the WEP keystream during shared key authentication.

-R
    Forges a re-injection packet based on a previously captured packet. Requires the -r option.

-L
    Forges an ARP replay packet, often used in conjunction with deauthentication and reassociation to stimulate ARP traffic for WEP cracking.

-I
    Forges an ICMP echo request packet.

-P
    Forges a WEP custom payload packet. Requires the -p option or -P (file) option to specify payload data.

-E
    Forges an EAPOL Start packet, used to trigger a WPA/WPA2 handshake from a client.

-5
    Forges a Caffe-Latte attack packet, a client-less WEP attack that can recover the WEP key.

-T
    Forges a T-ReX attack packet, another client-less WEP attack aiming to recover the WEP key.

-C
    Forges a custom client frame, such as reassociation requests or probe requests.

-H
    Forges a custom 802.11 packet. Allows specifying raw hexadecimal data for the entire packet.
    Example: packetforge-ng -H -x 00:11:22:33:44:55:66:77...

-a <BSSID>
    Sets the MAC address of the Access Point (BSSID) for the forged packet.

-h <MAC>
    Sets the source MAC address for the forged packet.

-k <MAC>
    Sets the destination MAC address for the forged packet.

-l <MAC>
    Sets the AP MAC address when forging client-related packets (e.g., for reassociation).

-s <IP>
    Sets the source IP address for forged IP packets (e.g., ICMP).

-d <IP>
    Sets the destination IP address for forged IP packets (e.g., ICMP).

-x <length/hexdata>
    Specifies the length of the payload in bytes or provides direct hexadecimal data for the payload. Used with -H for raw data.

-p <hexdata>
    Specifies the payload data in hexadecimal format, typically for custom packets.

-P <file>
    Reads the payload data from the specified file.

-r <file>
    Reads a packet from a pcap file for re-injection (used with -R).

-w <file>
    Writes the forged packet to the specified file. If not specified, output goes to standard output.

-q
    Runs in quiet mode, suppressing non-essential output messages.

-v
    Runs in verbose mode, showing more detailed information about the packet being forged.

DESCRIPTION

packetforge-ng is a command-line tool within the aircrack-ng suite designed to forge and craft various types of network packets. It provides advanced control over packet headers and data, allowing users to generate specific frames like ARP requests, ICMP echo requests, or custom-defined 802.11 frames. Its primary use case is in conjunction with aireplay-ng for injecting these crafted packets into a wireless network, often to accelerate data collection for WEP key cracking (e.g., through ARP replay attacks, fragmentation attacks) or to trigger WPA/WPA2 handshake captures. It's a versatile utility for network security testing, penetration testing, and exploiting wireless vulnerabilities by allowing precise control over the packets sent.

CAVEATS

packetforge-ng typically requires root privileges to operate effectively due to its low-level interaction with network protocols and interfaces. It is primarily a packet generation tool; for actual packet injection into a network interface, it is commonly used in conjunction with aireplay-ng. Misuse of this tool can lead to network disruption or legal consequences; it should only be used on networks you have explicit permission to test.

USAGE CONTEXT

It's important to understand that packetforge-ng does not inject packets directly into the air. Instead, it generates a raw packet in memory and usually writes it to a file or outputs it to standard output. This output is then typically piped to or read by aireplay-ng, which handles the actual injection into a monitor-mode enabled wireless interface. For instance, to perform an ARP replay attack for WEP cracking, one would first use packetforge-ng -A to create the ARP request packet, save it to a file, and then use aireplay-ng -2 -r <file> <interface> to inject it repeatedly.
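Seen from the monitoring side, a frame replayed from a file carries the same WEP IV and ciphertext every time, which normal traffic does not. The following is an added example, not part of the original page or of aircrack-ng: a detector that parses raw 802.11 frames and flags a station whose identical IV and ciphertext keep recurring. The function names, the threshold of 20 and the sample frames are assumptions made for illustration.

```python
import struct
from collections import Counter

def parse_wep_to_ds(frame: bytes):
    """Return (station, bssid, iv, ciphertext) for a WEP data frame sent
    station -> AP, or None for any other frame."""
    if len(frame) < 28:                           # 24-byte header + 4-byte IV
        return None
    fc = struct.unpack_from("<H", frame)[0]
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if (fc >> 2) & 0x3 != 2 or not fc & 0x4000 or not to_ds or from_ds:
        return None                               # not a protected ToDS data frame
    hdr = 26 if (fc >> 4) & 0x8 else 24           # QoS data adds 2 bytes
    if len(frame) < hdr + 4 or frame[hdr + 3] & 0x20:
        return None                               # ExtIV bit set: TKIP/CCMP, not WEP
    # ToDS layout: addr1 = BSSID, addr2 = transmitting station
    return frame[10:16], frame[4:10], frame[hdr:hdr + 3], frame[hdr + 4:]

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def find_replayed_frames(frames, threshold=20):
    """Map (station, bssid, iv) -> count for frames whose identical IV and
    ciphertext recur at least `threshold` times (assumed tuning value)."""
    seen = Counter(p for p in map(parse_wep_to_ds, frames) if p)
    return {(mac(s), mac(b), iv.hex()): n
            for (s, b, iv, _), n in seen.items() if n >= threshold}

def make_frame(station, bssid, dst, iv, body, seq):
    """Build a constructed WEP ToDS data frame (sample input only)."""
    fc = 0x0008 | 0x0100 | 0x4000                 # data | ToDS | Protected
    return (struct.pack("<HH", fc, 0) + bssid + station + dst
            + struct.pack("<H", seq << 4) + iv + b"\x00" + body)

# Constructed sample: addresses, IVs and bodies are made up.
AP, STA, CLIENT, BCAST = (bytes.fromhex(h) for h in
    ("020000000001", "020000000002", "020000000003", "ffffffffffff"))
SAMPLE = [make_frame(STA, AP, BCAST, b"\x11\x22\x33", b"\xaa" * 40, seq)
          for seq in range(60)]                   # same IV + body, 60 times
SAMPLE += [make_frame(CLIENT, AP, BCAST, bytes([i, 0, 1]), bytes([i]) * 40, i)
           for i in range(5)]                     # ordinary traffic: IV changes

if __name__ == "__main__":
    print(find_replayed_frames(SAMPLE))
```

Legitimate link-layer retransmissions also repeat the IV and ciphertext, so the threshold should sit above the retry count seen on the monitored network.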

PACKET TYPES OVERVIEW

Each packet type that packetforge-ng can forge (e.g., ARP, Fragmentation, Caffe-Latte, EAPOL Start) is designed to exploit a specific vulnerability or induce a particular network behavior. ARP replay attacks are primarily used in WEP cracking to rapidly generate a large number of Initialization Vectors (IVs). Fragmentation and chopchop attacks aim to directly recover portions of the WEP keystream. WPA-related options (like EAPOL Start or Null/MPDU packets) are used to provoke or passively capture the 4-way handshake, which is essential for offline WPA/WPA2 password cracking.

HISTORY

packetforge-ng is an integral component of the aircrack-ng suite, a widely recognized collection of tools for auditing 802.11 wireless networks. It evolved from the original aircrack project, with the '-ng' (new generation) suffix signifying continuous development and enhancements. Its role has been crucial in advancing WEP and WPA/WPA2 key recovery techniques by providing the capability to precisely craft the specific packets required for various active injection attacks, making it a foundational tool for wireless security research and penetration testing.
