aireplay-ng

Differences

This shows you the differences between two versions of the page.

aireplay-ng [2008/06/10 00:20]
mister_x rc1
aireplay-ng [2013/05/26 06:05]
mister_x [Usage of the attacks] WPA Migration mode is now available
Line 1: Line 1:
 ====== Aireplay-ng ====== ====== Aireplay-ng ======
- 
- 
 ===== Description ===== ===== Description =====
-Aireplay-ng is used to inject frames.\\+Aireplay-ng is used to inject frames.
  
 The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications,​ Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications,​ Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.
 With the [[packetforge-ng]] tool it's possible to create arbitrary frames. With the [[packetforge-ng]] tool it's possible to create arbitrary frames.
-\\ +
-\\+
 Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]. Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]].
- 
  
 ===== Usage of the attacks ===== ===== Usage of the attacks =====
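Review bot: "Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]" is ungrammatical on both sides of this hunk and runs two sentences together; suggest "Most drivers need to be patched to be able to inject; don't forget to read [[install_drivers|Installing drivers]]". Removing the stray "\\" line breaks from the Description is fine, since the blank lines already separate the paragraphs.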
Line 22: Line 18:
     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​
     * Attack 5: [[Fragmentation|Fragmentation attack]]     * Attack 5: [[Fragmentation|Fragmentation attack]]
 +    * Attack 6: [[cafe-latte|Cafe-latte attack]]
 +    * Attack 7: [[hirte|Client-oriented fragmentation attack]]
 +    * Attack 8: [[WPA Migration Mode]]
     * Attack 9: [[injection_test|Injection test]]     * Attack 9: [[injection_test|Injection test]]
- 
  
 ===== Usage ===== ===== Usage =====
  
-This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the sepcific ​attack for the relevant details.+This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the specific ​attack for the relevant details.
  
 Usage: Usage:
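Review bot: the new Attack 8 entry uses a bare page link, [[WPA Migration Mode]], while every other entry in this list (including the new Attack 6 and Attack 7 lines) uses the [[page|label]] form with an "attack" suffix in the label; for consistency consider [[WPA Migration Mode|WPA Migration Mode attack]].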
Line 48: Line 46:
   *-w iswep  : frame control, WEP     bit   *-w iswep  : frame control, WEP     bit
  
-When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documention ​provides examples of the relevant options.+When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documentation ​provides examples of the relevant options.
  
 Replay options: Replay options:
Line 57: Line 55:
   *-c dmac   : set Destination ​ MAC address   *-c dmac   : set Destination ​ MAC address
   *-h smac   : set Source ​      MAC address   *-h smac   : set Source ​      MAC address
-  *-e essid  : fakeauth ​ attack ​: set target AP SSID+  *-e essid  : For fakeauth attack ​or injection test, it sets target AP SSID.  This is optional when the SSID is not hidden.
   *-j     : arpreplay attack : inject FromDS pkts   *-j     : arpreplay attack : inject FromDS pkts
   *-g value  : change ring buffer size (default: 8)   *-g value  : change ring buffer size (default: 8)
Line 65: Line 63:
   *-q sec    : seconds between keep-alives (-1)   *-q sec    : seconds between keep-alives (-1)
   *-y prga   : keystream for shared key auth   *-y prga   : keystream for shared key auth
 +  * "​-B"​ or "​--bittest" ​ : bit rate test (Applies only to test mode)
 +  * "​-D" ​     :disables AP detection. ​ Some modes will not proceed if the AP beacon is not heard. ​ This disables this functionality.
 +  * "​-F"​ or "​--fast" ​    : chooses first matching packet. ​ For test mode, it just checks basic injection and skips all other tests.
 +  * "​-R"​ disables /dev/rtc usage. ​ Some systems experience lockups or other problems with RTC.  This disables the usage.
  
-The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions ​or quite often, ​various attacks generate pcap files for easy reuse.+ 
 +The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you to read packets from other capture sessions.  Keep in mind that various attacks generate pcap files for easy reuse.
  
 Source options: Source options:
  
-  *-i iface  : capture packets from this interface+  *iface ​    ​: capture packets from this interface
   *-r file   : extract packets from this pcap file   *-r file   : extract packets from this pcap file
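Review bot: the four new option entries do not follow the list's "*-X value  : description" layout: -B and -F put the flag in quotes with a long-form alias, -D has no space after the colon, and -R has no colon at all; align them with the surrounding entries, e.g. "*-R        : disables /dev/rtc usage. Some systems experience lockups or other problems with RTC." The -R entry is also the least intrusive fix for the "rtc: lost some interrupts" problem covered later in the troubleshooting section, so it is worth cross-referencing there. Dropping the "-i" from the interface entry changes it from a flag to a positional argument; if that is intended, the "Usage:" synopsis above should show where the interface goes on the command line.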
  
Line 89: Line 92:
 Here are the differences between the fragmentation and chopchop attacks Here are the differences between the fragmentation and chopchop attacks
  
-Fragmentation\\ +==== Fragmentation ​==== 
-\\ + 
-Pros\\+Pros:\\
   * Typically obtains the full packet length of 1500 bytes xor.  This means you can subsequently pretty well create any size of packet. ​ Even in cases where less then 1500 bytes are collected, there is sufficient to create ARP requests.   * Typically obtains the full packet length of 1500 bytes xor.  This means you can subsequently pretty well create any size of packet. ​ Even in cases where less then 1500 bytes are collected, there is sufficient to create ARP requests.
   * May work where chopchop does not.   * May work where chopchop does not.
   * Is extremely fast.  It yields the xor stream extremely quickly when successful.   * Is extremely fast.  It yields the xor stream extremely quickly when successful.
-\\ + 
-Cons\\+Cons:\\
   * Need more information to launch it - IE IP address info.  Quite often this can be guessed. ​ Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified. ​ This will work successfully on most if not all APs.  So this is a very  limited con.   * Need more information to launch it - IE IP address info.  Quite often this can be guessed. ​ Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified. ​ This will work successfully on most if not all APs.  So this is a very  limited con.
   * Setup to execute the attack is more subject to the device drivers. ​ For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.   * Setup to execute the attack is more subject to the device drivers. ​ For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.
-  * You need to be physically closer to the access point since if any packets are lost then the attack fails.+  * You need to be physically closer to the access point because ​if any packets are lost then the attack fails.
   * The attack will fail on access points which do not properly handle fragmented packets.   * The attack will fail on access points which do not properly handle fragmented packets.
-\\ + 
-Chopchop\\ +==== Chopchop ​==== 
-\\ + 
-Pros\\+Pros:\\
   * May work where fragmentation does not work.   * May work where fragmentation does not work.
   * You don't need to know any IP information.   * You don't need to know any IP information.
-\\ + 
-Cons\\+Cons:\\
   * Cannot be used against every access point.   * Cannot be used against every access point.
   * The maximum xor bits is limited to the length of the packet you chopchop against. ​ Although in theory you could obtain 1500 bytes of the xor stream, in practice, you rarely if ever see 1500 byte wireless packets.   * The maximum xor bits is limited to the length of the packet you chopchop against. ​ Although in theory you could obtain 1500 bytes of the xor stream, in practice, you rarely if ever see 1500 byte wireless packets.
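Review bot: "Pros:\\" and "Cons:\\" keep the forced line break that the old flat layout needed; with the bullet lists directly below and the new ==== headings ==== in place, the trailing "\\" is redundant and can go. In the unchanged lines, "less then 1500 bytes" should be "less than", "IE IP address info" reads better as "i.e. IP address info", and "very  limited con" has a doubled space. The "since" to "because" change in the proximity bullet is fine.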
Line 118: Line 121:
 ==== Optimizing injection speeds ==== ==== Optimizing injection speeds ====
  
-Optimizing injection speed is more art than science. First, try using to tools "as is"​. ​ You can try using the "​-x"​ parameter to vary the injection speed. ​ Surprisingly,​ lowering this value can sometimes increase your overall rate.+Optimizing injection speed is more art than science. First, try using the tools "as is"​. ​ You can try using the "​-x"​ parameter to vary the injection speed. ​ Surprisingly,​ lowering this value can sometimes increase your overall rate.
  
-You may try to playing with the rate "​iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default. ​ If you are close enough set it up to a higher value, like 54M, this way you'll get more packets per second. ​ If you are too far away and the packets don't travel that far, try to lowering it to (for example) 1M.+You can try playing with the transmission ​rate.  IE "​iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default. ​ If you are close enough set it up to a higher value, like 54M, this way you'll get more packets per second. ​ If you are too far away and the packets don't travel that far, try to lowering it to (for example) 1M.
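Review bot: "try to lowering it to (for example) 1M" survives on both sides; suggest "try lowering it to (for example) 1M". The inserted "IE "iwconfig wlan0 rate 11M"" introduces an example, not a definition, so "e.g. "iwconfig wlan0 rate 11M"" is the right abbreviation, and "set it up to a higher value" can simply be "set it to a higher value".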
  
  
Line 126: Line 129:
  
 These items apply to all modes of aireplay-ng. These items apply to all modes of aireplay-ng.
 +
 +==== aireplay-ng does not inject packets ====
 +Ensure you are using the correct monitor mode interface. ​ "​iwconfig"​ will show the wireless interfaces and their state. ​ For the mac80211 drivers, the monitor mode interface is typically "​mon0"​. ​ For ieee80211 madwifi-ng drivers, it is typically "​ath0"​. ​ For other drivers, the interface name may vary.
  
 ==== For madwifi-ng, ensure there are no other VAPs running ==== ==== For madwifi-ng, ensure there are no other VAPs running ====
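Review bot: the new "aireplay-ng does not inject packets" entry only covers picking the right monitor mode interface. Since the General section further down already tells readers to confirm their card can inject with the [[injection_test|injection test]], link it from this entry as the first check, and mention that with the wrong interface name the injection test itself is the quickest way to see that nothing is being transmitted.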
Line 139: Line 145:
    ​wlanconfig ath0 destroy    ​wlanconfig ath0 destroy
    ​wlanconfig ath create wlandev wifi0 wlanmode monitor    ​wlanconfig ath create wlandev wifi0 wlanmode monitor
- 
- 
- 
  
 ==== Aireplay-ng hangs with no output ==== ==== Aireplay-ng hangs with no output ====
Line 147: Line 150:
 You enter the command and the command appears to hang and there is no output.\\ You enter the command and the command appears to hang and there is no output.\\
  
-This is typically caused by being on the wrong channel ​compared to the access point. ​ Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. ​ Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#​i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details. ​ Firmware upgrade instruction can be found [[prism2_flashing|here]].+This is typically caused by your wireless card being on a different ​channel ​then the access point. ​ Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. ​ Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#​i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details. ​ Firmware upgrade instruction can be found [[prism2_flashing|here]].
  
 As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict.
- 
- 
  
 ==== Aireplay-ng freezes while injecting ==== ==== Aireplay-ng freezes while injecting ====
  
-See this thread: [[http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=3064.0|Aireplay freezes when injecting]]+See this thread: [[http://​forum.aircrack-ng.org/​index.php?​topic=3064.0|Aireplay freezes when injecting]]
  
-Or see this thread: [[http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=3389.msg18907#​msg18907|Commenting out RTC]]+Or see this thread: [[http://​forum.aircrack-ng.org/​index.php?​topic=3389.msg18907#​msg18907|Commenting out RTC]]
  
 Also check the previous entries. Also check the previous entries.
- 
- 
  
 ==== write failed: Cannot allocate memory wi_write(): Illegal seek ==== ==== write failed: Cannot allocate memory wi_write(): Illegal seek ====
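Review bot: the reworded first sentence introduces "a different channel then the access point"; "then" should be "than" (the old "compared to" wording avoided this). "Firmware upgrade instruction can be found" should also be plural, "instructions". The URL changes from tinyshell.be to forum.aircrack-ng.org are consistent with the other hunks in this diff.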
Line 177: Line 176:
 "rtc: lost some interrupts at 1024Hz"​ "rtc: lost some interrupts at 1024Hz"​
  
-This message is then repeated ​thousands ​of timesIf you start a second ​instance of aireplay, then the injection would increases ​to around 300 pps.+This message is then repeated ​continuously. ​ There are a couple ​of workarounds The first workaround is to start another ​instance of aireplay, then injection would increase ​to around 300 pps.  The second workaround is to:
  
-There is no solution at this point in time, just the workaround to start a second instance.  See this [[http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=1599.0|forum thread]]. ​+   rmmod rtc 
 +   ​modprobe genrtc 
 + 
 +or if you have rtc-cmos enabled in your kernel: 
 + 
 +   rmmod rtc 
 +   ​modprobe rtc-cmos 
 + 
 +There is no solution at this point in time, just the workarounds.  See this [[http://​forum.aircrack-ng.org/​index.php?​topic=1599.0|forum thread]]. ​
  
  
 ==== Slow injection rate in general ==== ==== Slow injection rate in general ====
  
-Being too close to the AP can dramatically reduce the injection rate.  This is caused by packet corruption and/or overloading the the AP.  See this [[http://tinyshell.be/​aircrackng/​forum/​index.php?​topic=2523.0|thread]] for an example of the impact of being too close to the AP. +Being too close to the AP can dramatically reduce the injection rate.  This is caused by packet corruption and/or overloading the the AP.  See this [[http://forum.aircrack-ng.org/​index.php?​topic=2523.0|thread]] for an example of the impact of being too close to the AP.
  
 ==== Error message, "​open(/​dev/​rtc) failed: Device or resource busy" ==== ==== Error message, "​open(/​dev/​rtc) failed: Device or resource busy" ====
  
 This is caused by having two or more instances of aireplay-ng running at the same time.  The program will still work but the timing will be less accurate. This is caused by having two or more instances of aireplay-ng running at the same time.  The program will still work but the timing will be less accurate.
- 
- 
- 
  
 ==== "​Interface MAC doesn'​t match the specified MAC" ==== ==== "​Interface MAC doesn'​t match the specified MAC" ====
Line 216: Line 219:
   * Use a tool like [[http://​homepages.tu-darmstadt.de/​~p_larbig/​wlan|mdk3]] to bruteforce the SSID.   * Use a tool like [[http://​homepages.tu-darmstadt.de/​~p_larbig/​wlan|mdk3]] to bruteforce the SSID.
  
 +==== How to use spaces, double quote and single quote or other special characters in AP names? ====
  
-==== How to use spaces, double quote and single quote in AP names? ==== +See this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]]
- +
-See this[[http://​aircrack-ng.org/​doku.php?​id=faq#how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]] +
  
 ==== Waiting for beacon frame ==== ==== Waiting for beacon frame ====
Line 227: Line 228:
 There are many possible root causes of this problem: There are many possible root causes of this problem:
  
-  * The wireless card is set to a channel which is different ​then the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.+  * The wireless card is set to a channel which is different ​from the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.
-  * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[http://​aircrack-ng.org/​doku.php?​id=faq#how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]].+  * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]].
   * The BSSID is wrong. ​ Solution: Enter the correct value.   * The BSSID is wrong. ​ Solution: Enter the correct value.
   * You are too far away from the AP and are not receiving any beacons. ​ Solution: ​ You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.   * You are too far away from the AP and are not receiving any beacons. ​ Solution: ​ You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.
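Review bot: "If if contains spaces or special characters" in the ESSID bullet is a typo on both sides and should read "If it contains". The "then" to "from" change in the channel bullet is correct, and switching the FAQ reference to the internal [[faq#...]] link matches the earlier hunk.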
Line 237: Line 238:
  
  
 +==== interfaceX is on channel Y, but the AP uses channel Z ====
 +
 +A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
 +
 +This means something is causing your card to channel hop.  Possible reasons is that failed to start airodump-ng locked to a single channel. ​ airodump-ng needs to be started with "-c <​channel-number>​.
 +
 +Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. ​ You must kill off all these processes. ​ See[airmon-ng] for details on checking what is running and how to kill the processes off.
  
 ==== General ==== ==== General ====
 Also make sure that: Also make sure that:
  
-  * Most modes of aireplay-ng require that your MAC address be associated with the access point. ​ The exception being client disassociation,​ injection test and fake authentication modes. ​ You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets. ​ Look for  deauthentication or disassociation messages during injection which indicate ​you are not associated with the access point. ​ aireplay-ng will typically indicate this or it can be done using tcpdump: "​tcpdump -n -e -s0 -vvv -i <​interface name>"​. ​ You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "​DeAuth|assoc"'​.  ​+  * Most modes of aireplay-ng require that your MAC address be associated with the access point. ​ The exception being client disassociation,​ injection test and fake authentication modes. ​ You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets. ​ Look for deauthentication or disassociation messages during injection which indicates ​you are not associated with the access point. ​ aireplay-ng will typically indicate this or it can be done using tcpdump: "​tcpdump -n -e -s0 -vvv -i <​interface name>"​. ​ You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "​DeAuth|assoc"'​.  ​
   * The wireless card driver is properly patched and installed. ​ Use the [[injection_test|injection test]] to confirm your card can inject.   * The wireless card driver is properly patched and installed. ​ Use the [[injection_test|injection test]] to confirm your card can inject.
   * You are physically close enough to the access point. ​ You can confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].   * You are physically close enough to the access point. ​ You can confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].
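Review bot: in the new "interfaceX is on channel Y" section, "Possible reasons is that failed to start airodump-ng locked to a single channel" is garbled; suggest "One possible reason is that airodump-ng was not started locked to a single channel". The quoted option "-c <channel-number> is missing its closing quote, and "See[airmon-ng]" needs a space and DokuWiki's double-bracket syntax, [[airmon-ng]], to render as a link. In the General bullet, changing "indicate" to "indicates" is a regression: the subject is "messages", so "which indicate you are not associated" was correct.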
Line 251: Line 259:
   * The BSSID and ESSID (-a / -e options) are correct.   * The BSSID and ESSID (-a / -e options) are correct.
   * If Prism2, make sure the firmware was updated.   * If Prism2, make sure the firmware was updated.
-  * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program.  ​As well, the current stable version contains many bug fixes. +  * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program.  ​Also, the current stable version contains many bug fixes. 
-  * It does not hurt to check the [[http://​trac.aircrack-ng.org/​|Trac System]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[http://​aircrack-ng.org/​doku.php?​id=#​development|development version]] has fixes to bugs within the current stable version.+  * It does not hurt to check the [[http://​trac.aircrack-ng.org/​|Trac System]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[main#​development|development version]] has fixes to bugs within the current stable version. 
 + 
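Review bot: "Ensure your are running the current stable version" should read "Ensure you are running" on both sides of this hunk. The change from the absolute doku.php URL to [[main#development|development version]] is a good internal-link fix, consistent with the FAQ link changes earlier in this diff.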
aireplay-ng.txt · Last modified: 2018/03/11 19:06 by mister_x