Differences

This shows you the differences between two versions of the page.

--- aireplay-ng [2008/07/09 00:47] – Attacks -6 and -7 netrolller3d
+++ aireplay-ng [2022/02/09 00:44] (current) – [Description] update mister_x
@@ Line 1: / Line 1: @@
 ====== Aireplay-ng ======
 ===== Description =====
-Aireplay-ng is used to inject frames.\\
+Aireplay-ng is used to inject frames.
 The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.
 With the [[packetforge-ng]] tool it's possible to create arbitrary frames.
-\\
-\\
-Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]].
+Some drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]].
 ===== Usage of the attacks =====
@@ Line 23: / Line 18: @@
     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]]
     * Attack 5: [[Fragmentation|Fragmentation attack]]
-    * Attack 6: Caffe-latte attack FIXME no link!
+    * Attack 6: [[cafe-latte|Cafe-latte attack]]
-    * Attack 7: Client-oriented fragmentation attack FIXME no link!
+    * Attack 7: [[hirte|Client-oriented fragmentation attack]]
+    * Attack 8: [[WPA Migration Mode]]
     * Attack 9: [[injection_test|Injection test]]
 ===== Usage =====
-This section provides a general overview.  Not all options apply to all attacks.  See the details of the sepcific attack for the relevant details.
+This section provides a general overview.  Not all options apply to all attacks.  See the details of the specific attack for the relevant details.
 Usage:
@@ Line 51: / Line 46: @@
   *-w iswep  : frame control, WEP     bit
-When replaying (injecting) packets, the following options apply.  Keep in mind that not every option is relevant for every attack.  The specific attack documention provides examples of the relevant options.
+When replaying (injecting) packets, the following options apply.  Keep in mind that not every option is relevant for every attack.  The specific attack documentation provides examples of the relevant options.
 Replay options:
@@ Line 60: / Line 55: @@
   *-c dmac   : set Destination  MAC address
   *-h smac   : set Source       MAC address
-  *-e essid  : fakeauth  attack : set target AP SSID
+  *-e essid  : For fakeauth attack or injection test, it sets target AP SSID.  This is optional when the SSID is not hidden.
   *-j     : arpreplay attack : inject FromDS pkts
   *-g value  : change ring buffer size (default: 8)
@@ Line 68: / Line 63: @@
   *-q sec    : seconds between keep-alives (-1)
   *-y prga   : keystream for shared key auth
+  * "-B" or "--bittest"  : bit rate test (Applies only to test mode)
+  * "-D"      :disables AP detection.  Some modes will not proceed if the AP beacon is not heard.  This disables this functionality.
+  * "-F" or "--fast"     : chooses first matching packet.  For test mode, it just checks basic injection and skips all other tests.
+  * "-R" disables /dev/rtc usage.  Some systems experience lockups or other problems with RTC.  This disables the usage.
-The attacks can obtain packets to replay from two sources.  The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source traffic capture and analysis tools.  Reading from a file is an often overlooked feature of aireplay-ng.  This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse.
+The attacks can obtain packets to replay from two sources.  The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source traffic capture and analysis tools.  Reading from a file is an often overlooked feature of aireplay-ng.  This allows you to read packets from other capture sessions.  Keep in mind that various attacks generate pcap files for easy reuse.
 Source options:
-  *-i iface  : capture packets from this interface
+  *iface     : capture packets from this interface
   *-r file   : extract packets from this pcap file
@@ Line 92: / Line 92: @@
 Here are the differences between the fragmentation and chopchop attacks
-Fragmentation\\
+==== Fragmentation ====
-\\
-Pros\\
+Pros:\\
   * Typically obtains the full packet length of 1500 bytes xor.  This means you can subsequently pretty well create any size of packet.  Even in cases where less then 1500 bytes are collected, there is sufficient to create ARP requests.
   * May work where chopchop does not.
   * Is extremely fast.  It yields the xor stream extremely quickly when successful.
-\\
-Cons\\
+Cons:\\
   * Need more information to launch it - IE IP address info.  Quite often this can be guessed.  Better still, aireplay-ng assumes source and destination IPs of 255.255.255.255 if nothing is specified.  This will work successfully on most if not all APs.  So this is a very  limited con.
   * Setup to execute the attack is more subject to the device drivers.  For example, Atheros does not generate the correct packets unless the wireless card is set to the mac address you are spoofing.
-  * You need to be physically closer to the access point since if any packets are lost then the attack fails.
+  * You need to be physically closer to the access point because if any packets are lost then the attack fails.
   * The attack will fail on access points which do not properly handle fragmented packets.
-\\
-Chopchop\\
+==== Chopchop ====
-\\
-Pros\\
+Pros:\\
   * May work where fragmentation does not work.
   * You don't need to know any IP information.
-\\
-Cons\\
+Cons:\\
   * Cannot be used against every access point.
   * The maximum xor bits is limited to the length of the packet you chopchop against.  Although in theory you could obtain 1500 bytes of the xor stream, in practice, you rarely if ever see 1500 byte wireless packets.
@@ Line 121: / Line 121: @@
 ==== Optimizing injection speeds ====
-Optimizing injection speed is more art than science. First, try using to tools "as is".  You can try using the "-x" parameter to vary the injection speed.  Surprisingly, lowering this value can sometimes increase your overall rate.
+Optimizing injection speed is more art than science. First, try using the tools "as is".  You can try using the "-x" parameter to vary the injection speed.  Surprisingly, lowering this value can sometimes increase your overall rate.
-You may try to playing with the rate "iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default.  If you are close enough set it up to a higher value, like 54M, this way you'll get more packets per second.  If you are too far away and the packets don't travel that far, try to lowering it to (for example) 1M.
+You can try playing with the transmission rate.  IE "iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11MBit by default.  If you are close enough set it up to a higher value, like 54M, this way you'll get more packets per second.  If you are too far away and the packets don't travel that far, try to lowering it to (for example) 1M.
@@ Line 129: / Line 129: @@
 These items apply to all modes of aireplay-ng.
+==== aireplay-ng does not inject packets ====
+Ensure you are using the correct monitor mode interface.  "iwconfig" will show the wireless interfaces and their state.  For the mac80211 drivers, the monitor mode interface is typically "mon0".  For ieee80211 madwifi-ng drivers, it is typically "ath0".  For other drivers, the interface name may vary.
 ==== For madwifi-ng, ensure there are no other VAPs running ====
@@ Line 142: / Line 145: @@
    wlanconfig ath0 destroy
    wlanconfig ath create wlandev wifi0 wlanmode monitor
 ==== Aireplay-ng hangs with no output ====
@@ Line 150: / Line 150: @@
 You enter the command and the command appears to hang and there is no output.\\
-This is typically caused by being on the wrong channel compared to the access point.  Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset.  Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details.  Firmware upgrade instruction can be found [[prism2_flashing|here]].
+This is typically caused by your wireless card being on a different channel then the access point.  Another potential cause of this problem is when you are using an old version of firmware on prism2 chipset.  Be sure you are running firmware 1.7.4 or above to resolve this.  See [[faq#i_have_a_prism2_card_but_airodump-ng_aireplay-ng_doesn_t_seem_to_work|Prism card]] for more details.  Firmware upgrade instruction can be found [[prism2_flashing|here]].
 As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict.
 ==== Aireplay-ng freezes while injecting ====
-See this thread: [[http://tinyshell.be/aircrackng/forum/index.php?topic=3064.0|Aireplay freezes when injecting]]
+See this thread: [[http://forum.aircrack-ng.org/index.php?topic=3064.0|Aireplay freezes when injecting]]
-Or see this thread: [[http://tinyshell.be/aircrackng/forum/index.php?topic=3389.msg18907#msg18907|Commenting out RTC]]
+Or see this thread: [[http://forum.aircrack-ng.org/index.php?topic=3389.msg18907#msg18907|Commenting out RTC]]
 Also check the previous entries.
 ==== write failed: Cannot allocate memory wi_write(): Illegal seek ====
@@ Line 173: / Line 169: @@
 This is due to a bug in the original bcm43xx patch. Use SuD's modified patch to fix this. Alternatively, you can try using the [[b43]] driver instead of bcm43xx. (B43 requires aireplay-ng 1.0-beta2 or newer; 1.0 rc1 or svn is recommended.)
 ==== Slow injection, "rtc: lost some interrupts at 1024Hz" ====
@@ Line 181: / Line 176: @@
 "rtc: lost some interrupts at 1024Hz"
-This message is then repeated thousands of times.  There are a couple of workarounds.  The first is to start a second instance of aireplay, then injection would increase to around 300 pps.  The second workaround is to:
+This message is then repeated continuously.  There are a couple of workarounds.  The first workaround is to start another instance of aireplay, then injection would increase to around 300 pps.  The second workaround is to:
    rmmod rtc
@@ Line 191: / Line 186: @@
    modprobe rtc-cmos
-There is no solution at this point in time, just the workarounds.  See this [[http://tinyshell.be/aircrackng/forum/index.php?topic=1599.0|forum thread]].
+There is no solution at this point in time, just the workarounds.  See this [[http://forum.aircrack-ng.org/index.php?topic=1599.0|forum thread]].
 ==== Slow injection rate in general ====
-Being too close to the AP can dramatically reduce the injection rate.  This is caused by packet corruption and/or overloading the the AP.  See this [[http://tinyshell.be/aircrackng/forum/index.php?topic=2523.0|thread]] for an example of the impact of being too close to the AP.
+Being too close to the AP can dramatically reduce the injection rate.  This is caused by packet corruption and/or overloading the the AP.  See this [[http://forum.aircrack-ng.org/index.php?topic=2523.0|thread]] for an example of the impact of being too close to the AP.
 ==== Error message, "open(/dev/rtc) failed: Device or resource busy" ====
 This is caused by having two or more instances of aireplay-ng running at the same time.  The program will still work but the timing will be less accurate.
 ==== "Interface MAC doesn't match the specified MAC" ====
@@ Line 228: / Line 219: @@
   * Use a tool like [[http://homepages.tu-darmstadt.de/~p_larbig/wlan|mdk3]] to bruteforce the SSID.
+==== How to use spaces, double quote and single quote or other special characters in AP names? ====
-==== How to use spaces, double quote and single quote in AP names? ====
+See this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]]
-See this[[http://aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]]
 ==== Waiting for beacon frame ====
@@ Line 239: / Line 228: @@
 There are many possible root causes of this problem:
-  * The wireless card is set to a channel which is different then the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
+  * The wireless card is set to a channel which is different from the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
   * The card is scanning channels.  Solution: Start airodump-ng with the "-c" or "--channel" parameter and set it to the same channel as the AP.
-  * The ESSID is wrong.  Solution: Enter the correct value.  If if contains spaces or special characters then enclose it in quotes.  For the complete details, see this [[http://aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]].
+  * The ESSID is wrong.  Solution: Enter the correct value.  If if contains spaces or special characters then enclose it in quotes.  For the complete details, see this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]].
   * The BSSID is wrong.  Solution: Enter the correct value.
   * You are too far away from the AP and are not receiving any beacons.  Solution:  You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.
@@ Line 249: / Line 238: @@
+==== interfaceX is on channel Y, but the AP uses channel Z ====
+A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
+This means something is causing your card to channel hop.  Possible reasons is that failed to start airodump-ng locked to a single channel.  airodump-ng needs to be started with "-c <channel-number>.
+Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping.  You must kill off all these processes.  See [[airmon-ng]] for details on checking what is running and how to kill the processes off.
 ==== General ====
 Also make sure that:
-  * Most modes of aireplay-ng require that your MAC address be associated with the access point.  The exception being client disassociation, injection test and fake authentication modes.  You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets.  Look for  deauthentication or disassociation messages during injection which indicate you are not associated with the access point.  aireplay-ng will typically indicate this or it can be done using tcpdump: "tcpdump -n -e -s0 -vvv -i <interface name>".  You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "DeAuth|assoc"'.
+  * Most modes of aireplay-ng require that your MAC address be associated with the access point.  The exception being client disassociation, injection test and fake authentication modes.  You must either do a fake authentication to associate your MAC address with the access point or use the MAC address of a client already associated with the AP.  Failure to do this means that the access point will not accept your packets.  Look for deauthentication or disassociation messages during injection which indicates you are not associated with the access point.  aireplay-ng will typically indicate this or it can be done using tcpdump: "tcpdump -n -e -s0 -vvv -i <interface name>".  You can filter it by piping it to grep with something like `tcpdump -n -e -s0 -vvv -i ath0 | grep -E "DeAuth|assoc"'.
   * The wireless card driver is properly patched and installed.  Use the [[injection_test|injection test]] to confirm your card can inject.
   * You are physically close enough to the access point.  You can confirm that you can communicate with the specific AP by following [[injection_test#hidden_or_specific_ssid|these instructions]].
@@ Line 263: / Line 259: @@
   * The BSSID and ESSID (-a / -e options) are correct.
   * If Prism2, make sure the firmware was updated.
-  * Ensure your are running the current stable version.  Some options are not available in older versions of the program.  As well, the current stable version contains many bug fixes.
+  * Ensure your are running the current stable version.  Some options are not available in older versions of the program.  Also, the current stable version contains many bug fixes.
-  * It does not hurt to check the [[http://trac.aircrack-ng.org/|Trac System]] to see if your "problem" is actually a known bug in the current stable version.  Many times the current [[http://aircrack-ng.org/doku.php?id=#development|development version]] has fixes to bugs within the current stable version.
+  * It does not hurt to check the [[https://github.com/aircrack-ng/aircrack-ng/issues/|GitHub issues]] to see if your "problem" is actually a known bug in the current stable version.  Many times the current [[main#development|development version]] has fixes to bugs within the current stable version.