aireplay-ng

aireplay-ng [2009/09/25 16:57]
darkaudax Fixed typos
aireplay-ng [2018/03/11 19:06] (current)
mister_x updated link to bug tracker
Line 18: Line 18:
     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​
     * Attack 5: [[Fragmentation|Fragmentation attack]]     * Attack 5: [[Fragmentation|Fragmentation attack]]
-    * Attack 6: Caffe-latte attack ​(Coming in the next release! Not available now.) +    * Attack 6: [[cafe-latte|Cafe-latte attack]] 
-    * Attack 7: Client-oriented fragmentation attack ​(Coming in the next release! Not available now.)+    * Attack 7: [[hirte|Client-oriented fragmentation attack]] 
 +    * Attack 8: [[WPA Migration Mode]]
     * Attack 9: [[injection_test|Injection test]]     * Attack 9: [[injection_test|Injection test]]
  
 ===== Usage ===== ===== Usage =====
  
-This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the sepcific ​attack for the relevant details.+This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the specific ​attack for the relevant details.
  
 Usage: Usage:
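Review bot: the new Attack 8 entry is a bare link ([[WPA Migration Mode]]) while the neighbouring Attack 6 and Attack 7 entries in the same hunk were given labelled links ([[cafe-latte|Cafe-latte attack]], [[hirte|Client-oriented fragmentation attack]]); give it a label in the same form, for example `[[WPA Migration Mode|WPA Migration Mode attack]]`, so the attack list reads uniformly. The "sepcific" to "specific" fix in the Usage intro is fine.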
Line 45: Line 46:
   *-w iswep  : frame control, WEP     bit   *-w iswep  : frame control, WEP     bit
  
-When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documention ​provides examples of the relevant options.+When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documentation ​provides examples of the relevant options.
  
 Replay options: Replay options:
Line 54: Line 55:
   *-c dmac   : set Destination ​ MAC address   *-c dmac   : set Destination ​ MAC address
   *-h smac   : set Source ​      MAC address   *-h smac   : set Source ​      MAC address
-  *-e essid  : fakeauth ​ attack ​: set target AP SSID+  *-e essid  : For fakeauth attack ​or injection test, it sets target AP SSID.  This is optional when the SSID is not hidden.
   *-j     : arpreplay attack : inject FromDS pkts   *-j     : arpreplay attack : inject FromDS pkts
   *-g value  : change ring buffer size (default: 8)   *-g value  : change ring buffer size (default: 8)
Line 62: Line 63:
   *-q sec    : seconds between keep-alives (-1)   *-q sec    : seconds between keep-alives (-1)
   *-y prga   : keystream for shared key auth   *-y prga   : keystream for shared key auth
 +  * "​-B"​ or "​--bittest" ​ : bit rate test (Applies only to test mode)
 +  * "​-D" ​     :disables AP detection. ​ Some modes will not proceed if the AP beacon is not heard. ​ This disables this functionality.
 +  * "​-F"​ or "​--fast" ​    : chooses first matching packet. ​ For test mode, it just checks basic injection and skips all other tests.
 +  * "​-R"​ disables /dev/rtc usage. ​ Some systems experience lockups or other problems with RTC.  This disables the usage.
 +
  
 The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you to read packets from other capture sessions. ​ Keep in mind that various attacks generate pcap files for easy reuse. The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you to read packets from other capture sessions. ​ Keep in mind that various attacks generate pcap files for easy reuse.
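Review bot: the four options added after the "-y prga" line do not follow the layout of the rest of the Replay options list, which is `*-x value  : description` with the flag unquoted and the description after the colon; the added lines quote the flags (`"-B" or "--bittest"`), the "-D" line has no space after its colon, and the "-F" line packs two separate behaviours (first matching packet in replay modes; skipping everything but the basic injection check in test mode) into one entry. Restate them in the list's own form, for example `*-B        : bit rate test (test mode only)` and `*-F        : choose first matching packet; in test mode, check basic injection only`, and drop the stray empty `+` line at the end of the block. The reworded "-e essid" entry (optional when the SSID is not hidden) correctly carries over the note this revision removes from the Release Candidate section further down.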
Line 123: Line 129:
  
 These items apply to all modes of aireplay-ng. These items apply to all modes of aireplay-ng.
 +
 +==== aireplay-ng does not inject packets ====
 +Ensure you are using the correct monitor mode interface. ​ "​iwconfig"​ will show the wireless interfaces and their state. ​ For the mac80211 drivers, the monitor mode interface is typically "​mon0"​. ​ For ieee80211 madwifi-ng drivers, it is typically "​ath0"​. ​ For other drivers, the interface name may vary.
  
 ==== For madwifi-ng, ensure there are no other VAPs running ==== ==== For madwifi-ng, ensure there are no other VAPs running ====
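Review bot: the new heading "aireplay-ng does not inject packets" promises a general troubleshooting entry, but the body covers only one cause, using the wrong interface name (mon0 for mac80211, ath0 for madwifi-ng). Either narrow the heading to what it covers ("Make sure you are using the monitor mode interface") or close the entry by pointing at the injection test, which the General section below already links as the way to confirm the card can inject, so a reader whose injection fails for another reason is not left at the interface-name check.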
Line 141: Line 150:
 You enter the command and the command appears to hang and there is no output.\\ You enter the command and the command appears to hang and there is no output.\\
  
-This is typically caused by being on the wrong channel ​compared to the access point. ​ Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. ​ Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#​i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details. ​ Firmware upgrade instruction can be found [[prism2_flashing|here]].+This is typically caused by your wireless card being on a different ​channel ​then the access point. ​ Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset. ​ Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#​i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details. ​ Firmware upgrade instruction can be found [[prism2_flashing|here]].
  
 As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict.
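Review bot: the rewritten sentence reads "being on a different channel then the access point"; that should be "than". The same then/than slip is corrected in a later hunk of this revision ("set to a channel which is different from the AP"), so the two entries now disagree; apply the fix here too, e.g. "being on a different channel than the access point".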
Line 167: Line 176:
 "rtc: lost some interrupts at 1024Hz"​ "rtc: lost some interrupts at 1024Hz"​
  
-This message is then repeated ​thousands of times.  There are a couple of workarounds. ​ The first is to start a second ​instance of aireplay, then injection would increase to around 300 pps.  The second workaround is to:+This message is then repeated ​continuously.  There are a couple of workarounds. ​ The first workaround ​is to start another ​instance of aireplay, then injection would increase to around 300 pps.  The second workaround is to:
  
    rmmod rtc    rmmod rtc
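Review bot: since this revision adds a "-R" option to the Replay options list ("disables /dev/rtc usage. Some systems experience lockups or other problems with RTC"), the "rtc: lost some interrupts at 1024Hz" entry should list it as a third workaround next to starting another aireplay-ng instance and `rmmod rtc`, as it addresses the same RTC problem without unloading the module. The wording changes ("continuously", "another instance") are fine.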
Line 219: Line 228:
 There are many possible root causes of this problem: There are many possible root causes of this problem:
  
-  * The wireless card is set to a channel which is different ​then the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.+  * The wireless card is set to a channel which is different ​from the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.
   * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[faq#​how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]].   * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[faq#​how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]].
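Review bot: the then/from fix on the channel bullet is right, but the ESSID bullet two lines below still reads "If if contains spaces or special characters" in both columns; change it to "If it contains" while touching this list.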
Line 227: Line 236:
  
 For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem. For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem.
 +
 +
 +==== interfaceX is on channel Y, but the AP uses channel Z ====
 +
 +A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
 +
 +This means something is causing your card to channel hop.  Possible reasons is that failed to start airodump-ng locked to a single channel. ​ airodump-ng needs to be started with "-c <​channel-number>​.
 +
 +Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. ​ You must kill off all these processes. ​ See[airmon-ng] for details on checking what is running and how to kill the processes off.
  
 ==== General ==== ==== General ====
 Also make sure that: Also make sure that:
  
-  * Most modes of aireplay-ng require that your MAC address be associated with the access point. ​ The exception being client disassociation,​ injection test and fake authentication modes. ​ You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets. ​ Look for  deauthentication or disassociation messages during injection which indicate ​you are not associated with the access point. ​ aireplay-ng will typically indicate this or it can be done using tcpdump: "​tcpdump -n -e -s0 -vvv -i <​interface name>"​. ​ You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "​DeAuth|assoc"'​.  ​+  * Most modes of aireplay-ng require that your MAC address be associated with the access point. ​ The exception being client disassociation,​ injection test and fake authentication modes. ​ You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets. ​ Look for deauthentication or disassociation messages during injection which indicates ​you are not associated with the access point. ​ aireplay-ng will typically indicate this or it can be done using tcpdump: "​tcpdump -n -e -s0 -vvv -i <​interface name>"​. ​ You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "​DeAuth|assoc"'​.  ​
   * The wireless card driver is properly patched and installed. ​ Use the [[injection_test|injection test]] to confirm your card can inject.   * The wireless card driver is properly patched and installed. ​ Use the [[injection_test|injection test]] to confirm your card can inject.
   * You are physically close enough to the access point. ​ You can confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].   * You are physically close enough to the access point. ​ You can confirm that you can communicate with the specific AP by following [[injection_test#​hidden_or_specific_ssid|these instructions]].
Line 241: Line 259:
   * The BSSID and ESSID (-a / -e options) are correct.   * The BSSID and ESSID (-a / -e options) are correct.
   * If Prism2, make sure the firmware was updated.   * If Prism2, make sure the firmware was updated.
-  * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program.  ​As well, the current stable version contains many bug fixes. +  * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program.  ​Also, the current stable version contains many bug fixes. 
-  * It does not hurt to check the [[http://trac.aircrack-ng.org/|Trac System]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[main#​development|development version]] has fixes to bugs within the current stable version.+  * It does not hurt to check the [[https://github.com/aircrack-ng/​aircrack-ng/​issues/|GitHub issues]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[main#​development|development version]] has fixes to bugs within the current stable version.
  
-===== Release Candidate or SVN Version Notes ===== 
- 
-This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. ​ Once they are released as "​stable"​ then the documentation above will be updated. 
- 
-Changes: 
- 
-  * "-e <​ESSID>"​ is not needed provided the ESSID is not hidden. (Applies to fake auth and test) 
-  * "​-B"​ or "​--bittest"​ is a bit rate test (Applies to test) 
-  * "​-F"​ or "​--fast"​ is a fast test (Applies to test) 
-  * "​-D"​ disables AP detection. ​ Some modes will not proceed if the AP beacon is not heard. ​ This disables this functionality. 
-  * "​-F"​ chooses first matching packet 
-  * "​-R"​ disables /dev/rtc usage. ​ Some systems experience lockups or other problems with RTC.  This disables the usage. 
  
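Review bot: changing "messages ... which indicate" to "which indicates" in the first General bullet is a regression: the relative clause refers to the plural "deauthentication or disassociation messages", so "indicate" was correct. Two unchanged typos in the same region are worth fixing in this pass: "Ensure your are running" should be "you are", and the grep example opens with a backtick and closes with a single quote. The Trac to GitHub issues link update and the removal of the "Release Candidate or SVN Version Notes" section are consistent: every item in the removed list (-e optional when the ESSID is not hidden, -B/--bittest, -F/--fast, -D, -F first matching packet, -R) now appears in the Replay options list above, so nothing is lost by dropping it.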
aireplay-ng.1253890631.txt.gz · Last modified: 2009/09/25 16:57 by darkaudax