User Tools

Site Tools


aireplay-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
aireplay-ng [2009/09/25 18:39]
darkaudax fixed typos
aireplay-ng [2019/08/20 22:50] (current)
mister_x [interfaceX is on channel Y, but the AP uses channel Z] Fixed link
Line 18: Line 18:
     * Attack 4: [[KoreK chopchop|KoreK chopchop attack]]      * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] 
     * Attack 5: [[Fragmentation|Fragmentation attack]]     * Attack 5: [[Fragmentation|Fragmentation attack]]
-    * Attack 6: Caffe-latte attack (Coming in the next release! Not available now.) +    * Attack 6: [[cafe-latte|Cafe-latte attack]] 
-    * Attack 7: Client-oriented fragmentation attack (Coming in the next release! Not available now.)+    * Attack 7: [[hirte|Client-oriented fragmentation attack]] 
 +    * Attack 8: [[WPA Migration Mode]]
     * Attack 9: [[injection_test|Injection test]]     * Attack 9: [[injection_test|Injection test]]
  
 ===== Usage ===== ===== Usage =====
  
-This section provides a general overview.  Not all options apply to all attacks.  See the details of the sepcific attack for the relevant details.+This section provides a general overview.  Not all options apply to all attacks.  See the details of the specific attack for the relevant details.
  
 Usage: Usage:
Line 45: Line 46:
   *-w iswep  : frame control, WEP     bit   *-w iswep  : frame control, WEP     bit
  
-When replaying (injecting) packets, the following options apply.  Keep in mind that not every option is relevant for every attack.  The specific attack documention provides examples of the relevant options.+When replaying (injecting) packets, the following options apply.  Keep in mind that not every option is relevant for every attack.  The specific attack documentation provides examples of the relevant options.
  
 Replay options: Replay options:
Line 54: Line 55:
   *-c dmac   : set Destination  MAC address   *-c dmac   : set Destination  MAC address
   *-h smac   : set Source       MAC address   *-h smac   : set Source       MAC address
-  *-e essid  : fakeauth  attack : set target AP SSID+  *-e essid  : For fakeauth attack or injection test, it sets target AP SSID.  This is optional when the SSID is not hidden.
   *-j     : arpreplay attack : inject FromDS pkts   *-j     : arpreplay attack : inject FromDS pkts
   *-g value  : change ring buffer size (default: 8)   *-g value  : change ring buffer size (default: 8)
Line 62: Line 63:
   *-q sec    : seconds between keep-alives (-1)   *-q sec    : seconds between keep-alives (-1)
   *-y prga   : keystream for shared key auth   *-y prga   : keystream for shared key auth
 +  * "-B" or "--bittest"  : bit rate test (Applies only to test mode)
 +  * "-D"      :disables AP detection.  Some modes will not proceed if the AP beacon is not heard.  This disables this functionality.
 +  * "-F" or "--fast"     : chooses first matching packet.  For test mode, it just checks basic injection and skips all other tests.
 +  * "-R" disables /dev/rtc usage.  Some systems experience lockups or other problems with RTC.  This disables the usage.
 +
  
 The attacks can obtain packets to replay from two sources.  The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source traffic capture and analysis tools.  Reading from a file is an often overlooked feature of aireplay-ng.  This allows you to read packets from other capture sessions.  Keep in mind that various attacks generate pcap files for easy reuse. The attacks can obtain packets to replay from two sources.  The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source traffic capture and analysis tools.  Reading from a file is an often overlooked feature of aireplay-ng.  This allows you to read packets from other capture sessions.  Keep in mind that various attacks generate pcap files for easy reuse.
Line 123: Line 129:
  
 These items apply to all modes of aireplay-ng. These items apply to all modes of aireplay-ng.
 +
 +==== aireplay-ng does not inject packets ====
 +Ensure you are using the correct monitor mode interface.  "iwconfig" will show the wireless interfaces and their state.  For the mac80211 drivers, the monitor mode interface is typically "mon0" For ieee80211 madwifi-ng drivers, it is typically "ath0" For other drivers, the interface name may vary.
  
 ==== For madwifi-ng, ensure there are no other VAPs running ==== ==== For madwifi-ng, ensure there are no other VAPs running ====
Line 227: Line 236:
  
 For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem. For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem.
 +
 +
 +==== interfaceX is on channel Y, but the AP uses channel Z ====
 +
 +A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
 +
 +This means something is causing your card to channel hop.  Possible reasons is that failed to start airodump-ng locked to a single channel.  airodump-ng needs to be started with "-c <channel-number>.
 +
 +Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping.  You must kill off all these processes.  See [[airmon-ng]] for details on checking what is running and how to kill the processes off.
  
 ==== General ==== ==== General ====
Line 242: Line 260:
   * If Prism2, make sure the firmware was updated.   * If Prism2, make sure the firmware was updated.
   * Ensure your are running the current stable version.  Some options are not available in older versions of the program.  Also, the current stable version contains many bug fixes.   * Ensure your are running the current stable version.  Some options are not available in older versions of the program.  Also, the current stable version contains many bug fixes.
-  * It does not hurt to check the [[http://trac.aircrack-ng.org/|Trac System]] to see if your "problem" is actually a known bug in the current stable version.  Many times the current [[main#development|development version]] has fixes to bugs within the current stable version.+  * It does not hurt to check the [[https://github.com/aircrack-ng/aircrack-ng/issues/|GitHub issues]] to see if your "problem" is actually a known bug in the current stable version.  Many times the current [[main#development|development version]] has fixes to bugs within the current stable version.
  
-===== Release Candidate or SVN Version Notes ===== 
- 
-This section ONLY applies the latest SVN version and to some release candidate versions of the aircrack-ng suite.  Once they are released as "stable" then the documentation above will be updated. 
- 
-Changes: 
- 
-  * "-e <ESSID>" is not needed provided the ESSID is not hidden. (Applies to fake auth and test) 
-  * "-B" or "--bittest" is a bit rate test (Applies to test) 
-  * "-F" or "--fast" is a fast test (Applies to test) 
-  * "-D" disables AP detection.  Some modes will not proceed if the AP beacon is not heard.  This disables this functionality. 
-  * "-F" chooses first matching packet 
-  * "-R" disables /dev/rtc usage.  Some systems experience lockups or other problems with RTC.  This disables the usage. 
  
aireplay-ng.1253896749.txt.gz · Last modified: 2009/09/25 18:39 by darkaudax