aireplay-ng

Differences

aireplay-ng [2009/09/25 18:39]
darkaudax fixed typos
aireplay-ng [2019/08/20 22:50] (current)
mister_x [interfaceX is on channel Y, but the AP uses channel Z] Fixed link
Line 18: Line 18:
     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] ​
     * Attack 5: [[Fragmentation|Fragmentation attack]]     * Attack 5: [[Fragmentation|Fragmentation attack]]
-    * Attack 6: Caffe-latte attack ​(Coming in the next release! Not available now.) +    * Attack 6: [[cafe-latte|Cafe-latte attack]] 
-    * Attack 7: Client-oriented fragmentation attack ​(Coming in the next release! Not available now.)+    * Attack 7: [[hirte|Client-oriented fragmentation attack]] 
 +    * Attack 8: [[WPA Migration Mode]]
     * Attack 9: [[injection_test|Injection test]]     * Attack 9: [[injection_test|Injection test]]
  
 ===== Usage ===== ===== Usage =====
  
-This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the sepcific ​attack for the relevant details.+This section provides a general overview. ​ Not all options apply to all attacks. ​ See the details of the specific ​attack for the relevant details.
  
 Usage: Usage:
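Review bot: The new Attack 8 entry links bare "[[WPA Migration Mode]]" while every other entry in this list (Attacks 4, 5, 6, 7 and 9) uses the "[[page|label]]" form with an explicit label ending in "attack" or "test"; consider "[[WPA Migration Mode|WPA Migration Mode attack]]" so the list renders uniformly. Replacing the two "Coming in the next release! Not available now." placeholders for Attacks 6 and 7 with links to the cafe-latte and hirte pages is the right fix, since the placeholders were a stale forward reference. The "sepcific" typo fix in the Usage paragraph is correct.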
Line 45: Line 46:
   *-w iswep  : frame control, WEP     bit   *-w iswep  : frame control, WEP     bit
  
-When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documention ​provides examples of the relevant options.+When replaying (injecting) packets, the following options apply. ​ Keep in mind that not every option is relevant for every attack. ​ The specific attack ​documentation ​provides examples of the relevant options.
  
 Replay options: Replay options:
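Review bot: Only the "documention" typo is fixed here, which is correct. While touching this paragraph it would be worth dropping the sentence "Keep in mind that not every option is relevant for every attack", because the Usage overview a few lines earlier already says "Not all options apply to all attacks"; stating the caveat once is enough.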
Line 54: Line 55:
   *-c dmac   : set Destination ​ MAC address   *-c dmac   : set Destination ​ MAC address
   *-h smac   : set Source ​      MAC address   *-h smac   : set Source ​      MAC address
-  *-e essid  : fakeauth ​ attack ​: set target AP SSID+  *-e essid  : For fakeauth attack ​or injection test, it sets target AP SSID.  This is optional when the SSID is not hidden.
   *-j     : arpreplay attack : inject FromDS pkts   *-j     : arpreplay attack : inject FromDS pkts
   *-g value  : change ring buffer size (default: 8)   *-g value  : change ring buffer size (default: 8)
Line 62: Line 63:
   *-q sec    : seconds between keep-alives (-1)   *-q sec    : seconds between keep-alives (-1)
   *-y prga   : keystream for shared key auth   *-y prga   : keystream for shared key auth
 +  * "​-B"​ or "​--bittest" ​ : bit rate test (Applies only to test mode)
 +  * "​-D" ​     :disables AP detection. ​ Some modes will not proceed if the AP beacon is not heard. ​ This disables this functionality.
 +  * "​-F"​ or "​--fast" ​    : chooses first matching packet. ​ For test mode, it just checks basic injection and skips all other tests.
 +  * "​-R"​ disables /dev/rtc usage. ​ Some systems experience lockups or other problems with RTC.  This disables the usage.
 +
  
 The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you to read packets from other capture sessions. ​ Keep in mind that various attacks generate pcap files for easy reuse. The attacks can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you to read packets from other capture sessions. ​ Keep in mind that various attacks generate pcap files for easy reuse.
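Review bot: The four new options do not follow the format of the surrounding Replay options block, which lists each flag as "*-X value  : description" without quotes; the added lines quote the flag, the -D line has no space after its colon (":disables AP detection"), and the -R line has no colon at all. Aligning them to the existing layout, for example "*-B        : bit rate test (test mode only)", "*-D        : disable AP detection (some modes stop if no beacon is heard)" and "*-R        : disable /dev/rtc usage", keeps the block readable as help output. The rewritten "-e essid" line has the same problem, since it is now a two-sentence paragraph inside a help listing; a terse form along the lines of "*-e essid  : fakeauth/test : set target AP SSID (optional unless hidden)" fits better. On substance the consolidation is right: these flags previously lived only in the "Release Candidate or SVN Version Notes" section, and merging "-F chooses first matching packet" with "-F or --fast" into one entry removes the duplicate -F bullet that section carried.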
Line 123: Line 129:
  
 These items apply to all modes of aireplay-ng. These items apply to all modes of aireplay-ng.
 +
 +==== aireplay-ng does not inject packets ====
 +Ensure you are using the correct monitor mode interface. ​ "​iwconfig"​ will show the wireless interfaces and their state. ​ For the mac80211 drivers, the monitor mode interface is typically "​mon0"​. ​ For ieee80211 madwifi-ng drivers, it is typically "​ath0"​. ​ For other drivers, the interface name may vary.
  
 ==== For madwifi-ng, ensure there are no other VAPs running ==== ==== For madwifi-ng, ensure there are no other VAPs running ====
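Review bot: The new "aireplay-ng does not inject packets" subsection sits directly under "These items apply to all modes of aireplay-ng." with no blank line before its heading and none between the heading and its body, unlike the neighbouring "For madwifi-ng, ensure there are no other VAPs running" heading; add the blank lines so the section separates cleanly. The guidance itself is sound, but "typically mon0" and "typically ath0" leave readers whose interface is named differently with nothing to act on; the "interfaceX is on channel Y" section added on the same side of this comparison already points to [[airmon-ng]] for checking what is running, and this section should link [[airmon-ng]] as well so the reader can confirm which monitor interface actually exists.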
Line 227: Line 236:
  
 For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem. For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem.
 +
 +
 +==== interfaceX is on channel Y, but the AP uses channel Z ====
 +
 +A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
 +
 +This means something is causing your card to channel hop.  Possible reasons is that failed to start airodump-ng locked to a single channel. ​ airodump-ng needs to be started with "-c <​channel-number>​.
 +
 +Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. ​ You must kill off all these processes. ​ See [[airmon-ng]] for details on checking what is running and how to kill the processes off.
  
 ==== General ==== ==== General ====
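Review bot: The sentence "Possible reasons is that failed to start airodump-ng locked to a single channel." in the new section is ungrammatical and hard to parse; suggest "One possible reason is that airodump-ng was not started locked to a single channel." The next sentence has an unbalanced quote: "-c <channel-number>. is missing its closing quote after the angle bracket. The [[airmon-ng]] link in the last paragraph matches the section named in the revision summary ("Fixed link"). Not part of this change, but the context line above ("all the information you require identify and correct the problem") is missing "to" before "identify" and could be fixed in the same pass.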
Line 242: Line 260:
   * If Prism2, make sure the firmware was updated.   * If Prism2, make sure the firmware was updated.
   * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program. ​ Also, the current stable version contains many bug fixes.   * Ensure your are running the current stable version. ​ Some options are not available in older versions of the program. ​ Also, the current stable version contains many bug fixes.
-  * It does not hurt to check the [[http://trac.aircrack-ng.org/|Trac System]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[main#​development|development version]] has fixes to bugs within the current stable version.+  * It does not hurt to check the [[https://github.com/aircrack-ng/​aircrack-ng/​issues/|GitHub issues]] to see if your "​problem"​ is actually a known bug in the current stable version. ​ Many times the current [[main#​development|development version]] has fixes to bugs within the current stable version.
  
-===== Release Candidate or SVN Version Notes ===== 
- 
-This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. ​ Once they are released as "​stable"​ then the documentation above will be updated. 
- 
-Changes: 
- 
-  * "-e <​ESSID>"​ is not needed provided the ESSID is not hidden. (Applies to fake auth and test) 
-  * "​-B"​ or "​--bittest"​ is a bit rate test (Applies to test) 
-  * "​-F"​ or "​--fast"​ is a fast test (Applies to test) 
-  * "​-D"​ disables AP detection. ​ Some modes will not proceed if the AP beacon is not heard. ​ This disables this functionality. 
-  * "​-F"​ chooses first matching packet 
-  * "​-R"​ disables /dev/rtc usage. ​ Some systems experience lockups or other problems with RTC.  This disables the usage. 
  
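Review bot: Removing the whole "Release Candidate or SVN Version Notes" section is justified only because every item in it (-e optional when the ESSID is not hidden, -B/--bittest, -F/--fast, -D, -F first matching packet, -R) now appears in the Replay options list on the new side of this comparison; if any of those had been dropped rather than moved, the removal would lose documentation, so this is worth a glance by whoever merges the two lists. The swap from the Trac link to the GitHub issues link is fine, and the intro sentence "Once they are released as stable then the documentation above will be updated" no longer applies once the flags are in the main list. The untouched context line "Ensure your are running the current stable version" has "your" for "you" and could be fixed while here.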
aireplay-ng.1253896749.txt.gz · Last modified: 2009/09/25 18:39 by darkaudax