aireplay-ng

aireplay-ng [2008/05/19 19:31]
netrolller3d SuD's patch fixes this bug!
aireplay-ng [2018/03/11 19:06]
mister_x updated link to bug tracker
Line 1: Line 1:
 ====== Aireplay-ng ====== ====== Aireplay-ng ======
- 
- 
 ===== Description ===== ===== Description =====
-Aireplay-ng is used to inject frames.\\+Aireplay-ng is used to inject frames.
  
 The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications,​ Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications,​ Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.
 With the [[packetforge-ng]] tool it's possible to create arbitrary frames. With the [[packetforge-ng]] tool it's possible to create arbitrary frames.
-\\ +
-\\+
 Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]. Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]].
- 
  
 ===== Usage of the attacks ===== ===== Usage of the attacks =====
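Review bot: the Description sentence "Most drivers needs to be patched to be able to inject, don't forget to read ..." is left untouched by this hunk but has a subject-verb disagreement and a comma splice; suggest "Most drivers need to be patched to be able to inject; don't forget to read [[install_drivers|Installing drivers]]."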
Line 22: Line 18:
     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​
     * Attack 5: [[Fragmentation|Fragmentation attack]]     * Attack 5: [[Fragmentation|Fragmentation attack]]
 +    * Attack 6: [[cafe-latte|Cafe-latte attack]]
 +    * Attack 7: [[hirte|Client-oriented fragmentation attack]]
 +    * Attack 8: [[WPA Migration Mode]]
     * Attack 9: [[injection_test|Injection test]]     * Attack 9: [[injection_test|Injection test]]
- 
  
 ===== Usage ===== ===== Usage =====
  
-This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the sepcific ​attack for the relevant details.+This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the specific ​attack for the relevant details.
  
 Usage: Usage:
Line 48: Line 46:
   *-w iswep  : frame control, WEP     bit   *-w iswep  : frame control, WEP     bit
  
-When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documention ​provides examples of the relevant options.+When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documentation ​provides examples of the relevant options.
  
 Replay options: Replay options:
Line 57: Line 55:
   *-c dmac   : set Destination ​ MAC address   *-c dmac   : set Destination ​ MAC address
   *-h smac   : set Source ​      MAC address   *-h smac   : set Source ​      MAC address
-  *-e essid  : fakeauth ​ attack ​: set target AP SSID+  *-e essid  : For fakeauth attack ​or injection test, it sets target AP SSID.  This is optional when the SSID is not hidden.
   *-j     : arpreplay attack : inject FromDS pkts   *-j     : arpreplay attack : inject FromDS pkts
   *-g value  : change ring buffer size (default: 8)   *-g value  : change ring buffer size (default: 8)
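Review bot: the rewritten "-e essid" entry drops the terse "attack : description" column layout every other option in this list uses and becomes a full sentence, which breaks the alignment of the usage block; suggest keeping the same shape as the neighbouring lines, for example "*-e essid  : fakeauth/injection test : set target AP SSID (optional unless the SSID is hidden)".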
Line 65: Line 63:
   *-q sec    : seconds between keep-alives (-1)   *-q sec    : seconds between keep-alives (-1)
   *-y prga   : keystream for shared key auth   *-y prga   : keystream for shared key auth
 +  * "​-B"​ or "​--bittest" ​ : bit rate test (Applies only to test mode)
 +  * "​-D" ​     :disables AP detection. ​ Some modes will not proceed if the AP beacon is not heard. ​ This disables this functionality.
 +  * "​-F"​ or "​--fast" ​    : chooses first matching packet. ​ For test mode, it just checks basic injection and skips all other tests.
 +  * "​-R"​ disables /dev/rtc usage. ​ Some systems experience lockups or other problems with RTC.  This disables the usage.
  
-The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions ​or quite often, ​various attacks generate pcap files for easy reuse.+ 
 +The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you to read packets from other capture sessions.  Keep in mind that various attacks generate pcap files for easy reuse.
  
 Source options: Source options:
  
-  *-i iface  : capture packets from this interface+  *iface ​    ​: capture packets from this interface
   *-r file   : extract packets from this pcap file   *-r file   : extract packets from this pcap file
  
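Review bot: the four added options are formatted inconsistently with each other and with the existing entries ("*-x nbpps  : ..."): "-B" and "-F" are wrapped in double quotes with a " : " separator, "-D" has ":disables" with no space after the colon, and "-R" has no separator at all. Suggest one form matching the rest of the list, e.g. "*-B, --bittest : bit rate test (test mode only)", "*-D : disable AP detection (some modes will not proceed if the AP beacon is not heard)", "*-R : disable /dev/rtc usage (some systems lock up or misbehave with RTC)". Changing "*-i iface" to a bare "iface" is correct only if the interface is a positional argument rather than a flag; the entry should say so explicitly, since it now sits under "Source options" next to a real flag ("-r file").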
Line 89: Line 92:
 Here are the differences between the fragmentation and chopchop attacks Here are the differences between the fragmentation and chopchop attacks
  
-Fragmentation\\ +==== Fragmentation ​==== 
-\\ + 
-Pros\\+Pros:\\
   * Typically obtains the full packet length of 1500 bytes xor.  This means you can subsequently pretty well create any size of packet. ​ Even in cases where less then 1500 bytes are collected, there is sufficient to create ARP requests.   * Typically obtains the full packet length of 1500 bytes xor.  This means you can subsequently pretty well create any size of packet. ​ Even in cases where less then 1500 bytes are collected, there is sufficient to create ARP requests.
   * May work where chopchop does not.   * May work where chopchop does not.
   * Is extremely fast.  It yields the xor stream extremely quickly when successful.   * Is extremely fast.  It yields the xor stream extremely quickly when successful.
-\\ + 
-Cons\\+Cons:\\
   * Need more information to launch it - IE IP address info.  Quite often this can be guessed. ​ Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified. ​ This will work successfully on most if not all APs.  So this is a very  limited con.   * Need more information to launch it - IE IP address info.  Quite often this can be guessed. ​ Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified. ​ This will work successfully on most if not all APs.  So this is a very  limited con.
   * Setup to execute the attack is more subject to the device drivers. ​ For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.   * Setup to execute the attack is more subject to the device drivers. ​ For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.
-  * You need to be physically closer to the access point since if any packets are lost then the attack fails.+  * You need to be physically closer to the access point because ​if any packets are lost then the attack fails.
   * The attack will fail on access points which do not properly handle fragmented packets.   * The attack will fail on access points which do not properly handle fragmented packets.
-\\ + 
-Chopchop\\ +==== Chopchop ​==== 
-\\ + 
-Pros\\+Pros:\\
   * May work where fragmentation does not work.   * May work where fragmentation does not work.
   * You don't need to know any IP information.   * You don't need to know any IP information.
-\\ + 
-Cons\\+Cons:\\
   * Cannot be used against every access point.   * Cannot be used against every access point.
   * The maximum xor bits is limited to the length of the packet you chopchop against. ​ Although in theory you could obtain 1500 bytes of the xor stream, in practice, you rarely if ever see 1500 byte wireless packets.   * The maximum xor bits is limited to the length of the packet you chopchop against. ​ Although in theory you could obtain 1500 bytes of the xor stream, in practice, you rarely if ever see 1500 byte wireless packets.
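Review bot: in the Fragmentation list, which this hunk keeps unchanged while adding the headings, "less then 1500 bytes" should read "less than 1500 bytes", "IE IP address info" should be "i.e. IP address info", and "very  limited con" has a doubled space. The trailing "\\" after "Pros:" and "Cons:" is also redundant now that the headings separate the sections, since a list already starts on a new line.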
Line 118: Line 121:
 ==== Optimizing injection speeds ==== ==== Optimizing injection speeds ====
  
-Optimizing injection speed is more art than science. First, try using to tools "as is"​. ​ You can try using the "​-x"​ parameter to vary the injection speed. ​ Surprisingly,​ lowering this value can sometimes increase your overall rate.+Optimizing injection speed is more art than science. First, try using the tools "as is"​. ​ You can try using the "​-x"​ parameter to vary the injection speed. ​ Surprisingly,​ lowering this value can sometimes increase your overall rate.
  
-You may try to playing with the rate "​iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default. ​ If you are close enough set it up to a higher value, like 54M, this way you'll get more packets per second. ​ If you are too far away and the packets don't travel that far, try to lowering it to (for example) 1M.+You can try playing with the transmission ​rate.  IE "​iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default. ​ If you are close enough set it up to a higher value, like 54M, this way you'll get more packets per second. ​ If you are too far away and the packets don't travel that far, try to lowering it to (for example) 1M.
  
  
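Review bot: "try to lowering it to (for example) 1M" survives in both versions of the second paragraph and should be "try lowering it to (for example) 1M"; the newly introduced "IE" before the iwconfig command should be "e.g." (it is an example of setting the rate, not a restatement). Also "set it up to a higher value, like 54M, this way you'll get" is a comma splice; suggest "set it to a higher value, such as 54M; this way you'll get more packets per second."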
Line 126: Line 129:
  
 These items apply to all modes of aireplay-ng. These items apply to all modes of aireplay-ng.
 +
 +==== aireplay-ng does not inject packets ====
 +Ensure you are using the correct monitor mode interface. ​ "​iwconfig"​ will show the wireless interfaces and their state. ​ For the mac80211 drivers, the monitor mode interface is typically "​mon0"​. ​ For ieee80211 madwifi-ng drivers, it is typically "​ath0"​. ​ For other drivers, the interface name may vary.
  
 ==== For madwifi-ng, ensure there are no other VAPs running ==== ==== For madwifi-ng, ensure there are no other VAPs running ====
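Review bot: the new "aireplay-ng does not inject packets" section only covers picking the right monitor interface; it should also point to the [[injection_test|injection test]] page, which the General troubleshooting list further down already links as the way to confirm the card and driver can actually inject, so readers hitting this heading first find the diagnostic step.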
Line 139: Line 145:
    ​wlanconfig ath0 destroy    ​wlanconfig ath0 destroy
    ​wlanconfig ath create wlandev wifi0 wlanmode monitor    ​wlanconfig ath create wlandev wifi0 wlanmode monitor
- 
- 
- 
  
 ==== Aireplay-ng hangs with no output ==== ==== Aireplay-ng hangs with no output ====
Line 147: Line 150:
 You enter the command and the command appears to hang and there is no output.\\ You enter the command and the command appears to hang and there is no output.\\
  
-This is typically caused by being on the wrong channel ​compared to the access point. ​ Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. ​ Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#​i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details. ​ Firmware upgrade instruction can be found [[prism2_flashing|here]].+This is typically caused by your wireless card being on a different ​channel ​then the access point. ​ Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. ​ Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#​i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details. ​ Firmware upgrade instruction can be found [[prism2_flashing|here]].
  
 As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict.
- 
- 
  
 ==== Aireplay-ng freezes while injecting ==== ==== Aireplay-ng freezes while injecting ====
  
-See this thread: [[http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=3064.0|Aireplay freezes when injecting]]+See this thread: [[http://​forum.aircrack-ng.org/​index.php?​topic=3064.0|Aireplay freezes when injecting]]
  
-Or see this thread: [[http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=3389.msg18907#​msg18907|Commenting out RTC]]+Or see this thread: [[http://​forum.aircrack-ng.org/​index.php?​topic=3389.msg18907#​msg18907|Commenting out RTC]]
  
 Also check the previous entries. Also check the previous entries.
- 
- 
  
 ==== write failed: Cannot allocate memory wi_write(): Illegal seek ==== ==== write failed: Cannot allocate memory wi_write(): Illegal seek ====
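Review bot: the rewrite introduces a grammatical error: "being on a different channel then the access point" should be "than the access point" (the old wording "on the wrong channel compared to the access point" was grammatical, so this hunk is a regression on that point). In the same paragraph "Firmware upgrade instruction can be found" should be "instructions".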
Line 169: Line 168:
    write failed: Cannot allocate memory wi_write(): Illegal seek    write failed: Cannot allocate memory wi_write(): Illegal seek
  
-This is due to a bug in the original bcm43xx patch. Use SuD's modified patch to fix this. Alternatively,​ you can try using the [[b43]] driver instead of bcm43xx. (B43 requires aireplay-ng 1.0-beta2 or newer.)+This is due to a bug in the original bcm43xx patch. Use SuD's modified patch to fix this. Alternatively,​ you can try using the [[b43]] driver instead of bcm43xx. (B43 requires aireplay-ng 1.0-beta2 or newer; 1.0 rc1 or svn is recommended.)
  
 ==== Slow injection, "rtc: lost some interrupts at 1024Hz"​ ==== ==== Slow injection, "rtc: lost some interrupts at 1024Hz"​ ====
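Review bot: "Use SuD's modified patch to fix this" refers to the patch only by its author's name, with no link or location, even though this revision's own summary is "SuD's patch fixes this bug!"; a reader cannot act on the advice. Suggest linking the patch or at least naming where it is published alongside the [[b43]] alternative.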
Line 177: Line 176:
 "rtc: lost some interrupts at 1024Hz"​ "rtc: lost some interrupts at 1024Hz"​
  
-This message is then repeated ​thousands ​of timesIf you start a second ​instance of aireplay, then the injection would increases ​to around 300 pps.+This message is then repeated ​continuously. ​ There are a couple ​of workarounds The first workaround is to start another ​instance of aireplay, then injection would increase ​to around 300 pps.  The second workaround is to:
  
-There is no solution at this point in time, just the workaround to start a second instance.  See this [[http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=1599.0|forum thread]]. ​+   rmmod rtc 
 +   ​modprobe genrtc 
 + 
 +or if you have rtc-cmos enabled in your kernel: 
 + 
 +   rmmod rtc 
 +   ​modprobe rtc-cmos 
 + 
 +There is no solution at this point in time, just the workarounds.  See this [[http://​forum.aircrack-ng.org/​index.php?​topic=1599.0|forum thread]]. ​
  
  
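Review bot: the rmmod/modprobe workaround should cross-reference the "-R" option this same revision adds to the replay options, which disables /dev/rtc usage from inside aireplay-ng without unloading a kernel module; it is the less invasive first thing to try. The commands also require root and will fail if another process holds the rtc module, so a short note on that would help. Minor: "There are a couple of workarounds.  The first workaround is to ... The second workaround is to:" repeats "workaround" three times; "There are two workarounds. The first is ... The second is:" reads better.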
 ==== Slow injection rate in general ==== ==== Slow injection rate in general ====
  
-Being too close to the AP can dramatically reduce the injection rate.  This is caused by packet corruption and/or overloading the the AP.  See this [[http://tinyshell.be/​aircrackng/​forum/​index.php?​topic=2523.0|thread]] for an example of the impact of being too close to the AP. +Being too close to the AP can dramatically reduce the injection rate.  This is caused by packet corruption and/or overloading the the AP.  See this [[http://forum.aircrack-ng.org/​index.php?​topic=2523.0|thread]] for an example of the impact of being too close to the AP.
  
 ==== Error message, "​open(/​dev/​rtc) failed: Device or resource busy" ==== ==== Error message, "​open(/​dev/​rtc) failed: Device or resource busy" ====
  
 This is caused by having two or more instances of aireplay-ng running at the same time.  The program will still work but the timing will be less accurate. This is caused by having two or more instances of aireplay-ng running at the same time.  The program will still work but the timing will be less accurate.
- 
- 
- 
  
 ==== "​Interface MAC doesn'​t match the specified MAC" ==== ==== "​Interface MAC doesn'​t match the specified MAC" ====
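Review bot: "overloading the the AP" keeps the doubled "the" in both the old and the new line; since the line is being touched anyway to update the forum URL, the typo should be fixed in the same change.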
Line 216: Line 219:
   * Use a tool like [[http://​homepages.tu-darmstadt.de/​~p_larbig/​wlan|mdk3]] to bruteforce the SSID.   * Use a tool like [[http://​homepages.tu-darmstadt.de/​~p_larbig/​wlan|mdk3]] to bruteforce the SSID.
  
 +==== How to use spaces, double quote and single quote or other special characters in AP names? ====
  
-==== How to use spaces, double quote and single quote in AP names? ==== +See this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]]
- +
-See this[[http://​aircrack-ng.org/​doku.php?​id=faq#how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]] +
  
 ==== Waiting for beacon frame ==== ==== Waiting for beacon frame ====
Line 227: Line 228:
 There are many possible root causes of this problem: There are many possible root causes of this problem:
  
-  * The wireless card is set to a channel which is different ​then the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.+  * The wireless card is set to a channel which is different ​from the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.
-  * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[http://​aircrack-ng.org/​doku.php?​id=faq#how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]].+  * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]].
   * The BSSID is wrong. ​ Solution: Enter the correct value.   * The BSSID is wrong. ​ Solution: Enter the correct value.
   * You are too far away from the AP and are not receiving any beacons. ​ Solution: ​ You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.   * You are too far away from the AP and are not receiving any beacons. ​ Solution: ​ You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.
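Review bot: the ESSID bullet, edited here only to update the FAQ link, still reads "If if contains spaces or special characters"; it should be "If it contains spaces or special characters".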
Line 237: Line 238:
  
  
 +==== interfaceX is on channel Y, but the AP uses channel Z ====
 +
 +A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
 +
 +This means something is causing your card to channel hop.  Possible reasons is that failed to start airodump-ng locked to a single channel. ​ airodump-ng needs to be started with "-c <​channel-number>​.
 +
 +Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. ​ You must kill off all these processes. ​ See[airmon-ng] for details on checking what is running and how to kill the processes off.
  
 ==== General ==== ==== General ====
 Also make sure that: Also make sure that:
  
-  * Most modes of aireplay-ng require that your MAC address be associated with the access point. ​ The exception being client disassociation,​ injection test and fake authentication modes. ​ You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets. ​ Look for  deauthentication or disassociation messages during injection which indicate ​you are not associated with the access point. ​ aireplay-ng will typically indicate this or it can be done using tcpdump: "​tcpdump -n -e -s0 -vvv -i <​interface name>"​. ​ You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "​DeAuth|assoc"'​.  ​+  * Most modes of aireplay-ng require that your MAC address be associated with the access point. ​ The exception being client disassociation,​ injection test and fake authentication modes. ​ You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets. ​ Look for deauthentication or disassociation messages during injection which indicates ​you are not associated with the access point. ​ aireplay-ng will typically indicate this or it can be done using tcpdump: "​tcpdump -n -e -s0 -vvv -i <​interface name>"​. ​ You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "​DeAuth|assoc"'​.  ​
   * The wireless card driver is properly patched and installed. ​ Use the [[injection_test|injection test]] to confirm your card can inject.   * The wireless card driver is properly patched and installed. ​ Use the [[injection_test|injection test]] to confirm your card can inject.
   * You are physically close enough to the access point. ​ You can confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].   * You are physically close enough to the access point. ​ You can confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].
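Review bot: the new "interfaceX is on channel Y" section has three problems. "Possible reasons is that failed to start airodump-ng locked to a single channel" is ungrammatical; suggest "One possible reason is that airodump-ng was not started locked to a single channel." The quoted option is unclosed: `"-c <channel-number>.` needs a closing quote before the period. And `See[airmon-ng]` uses single brackets, which DokuWiki will not render as a link, and lacks a space; it should be `See [[airmon-ng]]`, matching the link style used everywhere else on the page.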
Line 251: Line 259:
   * The BSSID and ESSID (-a / -e options) are correct.   * The BSSID and ESSID (-a / -e options) are correct.
   * If Prism2, make sure the firmware was updated.   * If Prism2, make sure the firmware was updated.
-  * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program.  ​As well, the current stable version contains many bug fixes. +  * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program.  ​Also, the current stable version contains many bug fixes. 
-  * It does not hurt to check the [[http://trac.aircrack-ng.org/|Trac System]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[http://​aircrack-ng.org/​doku.php?​id=#​development|development version]] has fixes to bugs within the current stable version.+  * It does not hurt to check the [[https://github.com/aircrack-ng/​aircrack-ng/​issues/|GitHub issues]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[main#​development|development version]] has fixes to bugs within the current stable version. 
 + 
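Review bot: "Ensure your are running the current stable version" is present in both the old and the new line and should read "Ensure you are running"; the hunk already rewrites this bullet ("As well" to "Also"), so the typo should go with it. The bug-tracker link update to GitHub issues is fine, but "[[main#development|development version]]" assumes a page named "main" with a "development" anchor; worth confirming that anchor exists after the move from the old "doku.php?id=#development" link.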
aireplay-ng.txt · Last modified: 2018/03/11 19:06 by mister_x