aireplay-ng
Differences
aireplay-ng [2009/05/03 23:41] – Update links to forum mister_x | aireplay-ng [2022/02/09 00:44] (current) – [Description] update mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Aireplay-ng ====== | ====== Aireplay-ng ====== | ||
===== Description ===== | ===== Description ===== | ||
- | Aireplay-ng is used to inject frames.\\ | + | Aireplay-ng is used to inject frames. |
The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, | The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, | ||
With the [[packetforge-ng]] tool it's possible to create arbitrary frames. | With the [[packetforge-ng]] tool it's possible to create arbitrary frames. | ||
- | \\ | + | |
- | \\ | + | Some drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]. |
- | Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]. | + | |
===== Usage of the attacks ===== | ===== Usage of the attacks ===== | ||
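Review bot: the rewritten driver sentence on the right-hand side still has a subject-verb disagreement and a comma splice ("Some drivers needs to be patched to be able to inject, don't forget to read ..."). Suggest "Some drivers need to be patched before they can inject; see [[install_drivers|Installing drivers]]." The change from "Most" to "Some" is the substantive update here and reads fine.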
Line 19: | Line 18: | ||
* Attack 4: [[KoreK chopchop|KoreK chopchop attack]] | * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] | ||
* Attack 5: [[Fragmentation|Fragmentation attack]] | * Attack 5: [[Fragmentation|Fragmentation attack]] | ||
- | * Attack 6: Caffe-latte attack | + | * Attack 6: [[cafe-latte|Cafe-latte attack]] |
- | * Attack 7: Client-oriented fragmentation attack | + | * Attack 7: [[hirte|Client-oriented fragmentation attack]] |
+ | * Attack 8: [[WPA Migration Mode]] | ||
* Attack 9: [[injection_test|Injection test]] | * Attack 9: [[injection_test|Injection test]] | ||
- | |||
===== Usage ===== | ===== Usage ===== | ||
- | This section provides a general overview. | + | This section provides a general overview. |
Usage: | Usage: | ||
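Review bot: the Attack 6 entry changes its display text from "Caffe-latte attack" to "Cafe-latte attack" while turning it into a link to the cafe-latte page. The attack is generally published as "Caffe-Latte", so consider keeping the left-hand spelling in the link text ([[cafe-latte|Caffe-Latte attack]]) so the page name and the display name do not disagree with the attack's usual name. The added Attack 8 ([[WPA Migration Mode]]) entry and the Attack 7 link are fine.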
Line 47: | Line 46: | ||
*-w iswep : frame control, WEP bit | *-w iswep : frame control, WEP bit | ||
- | When replaying (injecting) packets, the following options apply. | + | When replaying (injecting) packets, the following options apply. |
Replay options: | Replay options: | ||
Line 56: | Line 55: | ||
*-c dmac : set Destination | *-c dmac : set Destination | ||
*-h smac : set Source | *-h smac : set Source | ||
- | *-e essid : fakeauth | + | *-e essid : For fakeauth attack |
*-j : arpreplay attack : inject FromDS pkts | *-j : arpreplay attack : inject FromDS pkts | ||
*-g value : change ring buffer size (default: 8) | *-g value : change ring buffer size (default: 8) | ||
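Review bot: the new "-e essid : For fakeauth attack" description is the only one in this option list that starts with a capital letter; the neighbouring entries ("set Destination", "arpreplay attack", "change ring buffer size") are lowercase. Suggest "-e essid : for fakeauth attack" to match the surrounding style.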
Line 64: | Line 63: | ||
*-q sec : seconds between keep-alives (-1) | *-q sec : seconds between keep-alives (-1) | ||
*-y prga : keystream for shared key auth | *-y prga : keystream for shared key auth | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | |||
- | The attacks can obtain packets to replay from two sources. | + | The attacks can obtain packets to replay from two sources. |
Source options: | Source options: | ||
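Review bot: the four option lines added after "-y prga" are empty apart from an opening quote in this diff view ("* \" ..."), so neither the flag, its argument nor its description can be checked here. Before merging, confirm each added line follows the existing "*-x arg : description" pattern used by the surrounding entries and is not left truncated.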
Line 88: | Line 92: | ||
Here are the differences between the fragmentation and chopchop attacks | Here are the differences between the fragmentation and chopchop attacks | ||
- | Fragmentation\\ | + | ==== Fragmentation |
- | \\ | + | |
- | Pros\\ | + | Pros:\\ |
* Typically obtains the full packet length of 1500 bytes xor. This means you can subsequently pretty well create any size of packet. | * Typically obtains the full packet length of 1500 bytes xor. This means you can subsequently pretty well create any size of packet. | ||
* May work where chopchop does not. | * May work where chopchop does not. | ||
* Is extremely fast. It yields the xor stream extremely quickly when successful. | * Is extremely fast. It yields the xor stream extremely quickly when successful. | ||
- | \\ | + | |
- | Cons\\ | + | Cons:\\ |
* Need more information to launch it - IE IP address info. Quite often this can be guessed. | * Need more information to launch it - IE IP address info. Quite often this can be guessed. | ||
* Setup to execute the attack is more subject to the device drivers. | * Setup to execute the attack is more subject to the device drivers. | ||
- | * You need to be physically closer to the access point since if any packets are lost then the attack fails. | + | * You need to be physically closer to the access point because |
* The attack will fail on access points which do not properly handle fragmented packets. | * The attack will fail on access points which do not properly handle fragmented packets. | ||
- | \\ | + | |
- | Chopchop\\ | + | ==== Chopchop |
- | \\ | + | |
- | Pros\\ | + | Pros:\\ |
* May work where fragmentation does not work. | * May work where fragmentation does not work. | ||
* You don't need to know any IP information. | * You don't need to know any IP information. | ||
- | \\ | + | |
- | Cons\\ | + | Cons:\\ |
* Cannot be used against every access point. | * Cannot be used against every access point. | ||
* The maximum xor bits is limited to the length of the packet you chopchop against. | * The maximum xor bits is limited to the length of the packet you chopchop against. | ||
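Review bot: the "Pros:\\" and "Cons:\\" lines keep a trailing forced line break immediately before a bullet list; now that Fragmentation and Chopchop are proper ==== headings the "\\" is redundant and can be dropped. Also, in the first Cons item, "IE IP address info" should read "i.e. IP address info", and the rewritten "physically closer to the access point because" item is cut off in this view, so check that its full sentence survived the edit.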
Line 117: | Line 121: | ||
==== Optimizing injection speeds ==== | ==== Optimizing injection speeds ==== | ||
- | Optimizing injection speed is more art than science. First, try using to tools "as is" | + | Optimizing injection speed is more art than science. First, try using the tools "as is" |
- | You may try to playing with the rate " | + | You can try playing with the transmission |
Line 125: | Line 129: | ||
These items apply to all modes of aireplay-ng. | These items apply to all modes of aireplay-ng. | ||
+ | |||
+ | ==== aireplay-ng does not inject packets ==== | ||
+ | Ensure you are using the correct monitor mode interface. | ||
==== For madwifi-ng, ensure there are no other VAPs running ==== | ==== For madwifi-ng, ensure there are no other VAPs running ==== | ||
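Review bot: the new "aireplay-ng does not inject packets" troubleshooting section consists of a single sentence ("Ensure you are using the correct monitor mode interface.") and gives the reader no way to confirm the interface actually injects. Suggest pointing to the injection test that the page already lists as Attack 9 ([[injection_test|Injection test]]) so the user can verify injection before trying any other attack.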
Line 143: | Line 150: | ||
You enter the command and the command appears to hang and there is no output.\\ | You enter the command and the command appears to hang and there is no output.\\ | ||
- | This is typically caused by being on the wrong channel | + | This is typically caused by your wireless card being on a different |
As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. | As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. | ||
Line 169: | Line 176: | ||
"rtc: lost some interrupts at 1024Hz" | "rtc: lost some interrupts at 1024Hz" | ||
- | This message is then repeated | + | This message is then repeated |
rmmod rtc | rmmod rtc | ||
Line 221: | Line 228: | ||
There are many possible root causes of this problem: | There are many possible root causes of this problem: | ||
- | * The wireless card is set to a channel which is different | + | * The wireless card is set to a channel which is different |
* The card is scanning channels. | * The card is scanning channels. | ||
* The ESSID is wrong. | * The ESSID is wrong. | ||
Line 229: | Line 236: | ||
For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem. | For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem. | ||
+ | |||
+ | |||
+ | ==== interfaceX is on channel Y, but the AP uses channel Z ==== | ||
+ | |||
+ | A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6" | ||
+ | |||
+ | This means something is causing your card to channel hop. Possible reasons is that failed to start airodump-ng locked to a single channel. | ||
+ | |||
+ | Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. | ||
==== General ==== | ==== General ==== | ||
Also make sure that: | Also make sure that: | ||
- | * Most modes of aireplay-ng require that your MAC address be associated with the access point. | + | * Most modes of aireplay-ng require that your MAC address be associated with the access point. |
* The wireless card driver is properly patched and installed. | * The wireless card driver is properly patched and installed. | ||
* You are physically close enough to the access point. | * You are physically close enough to the access point. | ||
Line 243: | Line 259: | ||
* The BSSID and ESSID (-a / -e options) are correct. | * The BSSID and ESSID (-a / -e options) are correct. | ||
* If Prism2, make sure the firmware was updated. | * If Prism2, make sure the firmware was updated. | ||
- | * Ensure your are running the current stable version. | + | * Ensure your are running the current stable version. |
- | * It does not hurt to check the [[http://trac.aircrack-ng.org/|Trac System]] to see if your " | + | * It does not hurt to check the [[https://github.com/aircrack-ng/ |
- | ===== Release Candidate or SVN Version Notes ===== | ||
- | |||
- | This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite. | ||
- | |||
- | Changes: | ||
- | |||
- | * "-e < | ||
- | * " | ||
- | * " | ||
- | * " | ||
- | * " | ||
- | * " | ||
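Review bot: several grammar problems in this hunk survive on the right-hand side. "all the information you require identify and correct the problem" is missing "to" ("you require to identify and correct"); "Possible reasons is that failed to start airodump-ng locked to a single channel" should read "One possible reason is that airodump-ng was not started locked to a single channel"; and "Ensure your are running the current stable version" should be "Ensure you are running". Dropping the obsolete "Release Candidate or SVN Version Notes" section and replacing the Trac link with the GitHub one are reasonable cleanups.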
aireplay-ng.1241386885.txt.gz · Last modified: 2009/05/03 23:41 by mister_x