User Tools

Site Tools


This is an old revision of the document!

Injection test

++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++

This functionality will be available in a future release. It is NOT available currently.

++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++


The injection test determines if your card can successfully inject. If you have two wireless cards, it can also determine which specific injection tests can be successfully peformed.

The basic injection test provides additional valuable information as well. First, it lists access points in the area which respond to broadcast probes. Second, for each, it does 20 packet test that indicates the connection quality. This connection quality quantifies the ability of your card to successfully send and then receive a response to the test packet. The percentage of responses received gives an excellent indication of the link quality.

You may optionally specify the access point (AP) name and MAC address. This can be used to test a specific AP or test a hidden SSID.

So how does it work? The following will briefly describe how the testing is performed.

The program initially sends out broadcast probe requests. These are probe requests ask any AP listening to respond with a description of itself. Not every AP will respond to this type of request. A list is assembled to be used in subsequent steps of each AP which does respond. If any AP responds, a messages is printed on the screen indicating that the card can successfully inject.

At the same time, any AP identified via a beacon packet is also added to the list of APs to be processed in subsequent steps.

If a specific AP was optionally listed on the command line (BSSID and SSID), this is also added to the list of APs to be processed.

Then for each AP in the list, 20 directed probe requests are sent out. A directed probe request is addressed to a specific AP. The count of probe responses received plus the percentage is then printed on the screen. This indicates if you can communicate with the AP and how well.

If two wireless cards were specified then each attack mode is tried and the results printed on the screen.


aireplay-ng -9 -e teddy -a 00:14:6C:7E:40:80 -i wlan0 ath0


  • -9 means injection test. Long form is - -test. (Double dash)
  • -e teddy is the network name (SSID). This is optional.
  • -a 00:14:6C:7E:40:80 ath0 is MAC address of the access point (BSSID). This is optional.
  • -i wlan0 is interface name of the second card if you want to determine which attacks your card supports. This is option.
  • ath0 is the interface name. (Mandatory)

IMPORTANT: You must set your card to the desired channel with airmon-ng prior to running any of the tests.

Usage Examples

Basic Test

This is a basic test to determine if you card successfully supports injection.

 aireplay-ng -9 wlan0

The system responds:

 16:29:41  wlan0 channel: 9
 16:29:41  Trying broadcast probe requests...
 16:29:41  Injection is working!
 16:29:42  Found 5 APs
 16:29:42  Trying directed probe requests...
 16:29:42  00:09:5B:5C:CD:2A - channel: 11 - 'NETGEAR'
 16:29:48  0/20: 0%
 16:29:48  00:14:BF:A8:65:AC - channel: 9 - 'title'
 16:29:54  0/20: 0%
 16:29:54  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
 16:29:55  18/20: 90%
 16:29:55  00:C0:49:E2:C4:39 - channel: 11 - 'mossy'
 16:30:01  0/20: 0%
 16:30:01  00:0F:66:C3:14:4E - channel: 9 - 'tupper'
 16:30:07  0/20: 0%
aireplay-ng --test -e teddy -a 00:14:6C:7E:40:80 ath0

The system responds:

16:31:06  ath0 channel: 9
16:31:06  Trying broadcast probe requests...
16:31:06  Injection is working!
16:31:07  Found 1 APs

16:31:07  Trying directed probe requests...
16:31:07  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
16:31:07  20/20: 100%

Analysis of the response:

  • 16:29:41 wlan0 channel: 9: This tells you which interface was used and the channel it was running on.
  • 16:29:41 Injection is working!: This confirms your card can inject.
  • 16:29:42 Found 5 APs: These access points (APs) were found either through the broadcast probe or received beasons.
  • 16:29:42 00:09:5B:5C:CD:2A - channel: 11 - 'NETGEAR': Notice that this AP is on channel 11 and not on our card channel of 9. It is common for adjacent channels to spill over.
  • 16:29:55 18/20: 90% for teddy: This is the only AP that the card can successfully communicate with. This is another verification that your card can inject. You will also notice that all the other APs have 0%.

Hidden or Specific SSID

You can check a hidden SSID or check a specific SSID with the following command:

 aireplay-ng --test -e teddy -a 00:14:6C:7E:40:80 ath0

The system responds:

 11:01:06  ath0 channel: 9
 11:01:06  Trying broadcast probe requests...
 11:01:06  Injection is working!
 11:01:07  Found 1 APs
 11:01:07  Trying directed probe requests...
 11:01:07  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
 11:01:07  20/20: 100%

Analysis of the response:

  • It confirms that the card can inject and successfully communicate with the specified network.

Attack Tests

This test requires two wireless cards. The card specified by “-i” acts as the access point.

Run the following command:

 aireplay-ng -9 -i ath0 wlan0


  • -9 means injection test.
  • -i ath0 is the interface to mimic the AP.
  • wlan0 is the injection interface.

The system responds:

 11:06:05  wlan0 channel: 9, ath0 channel: 9
 11:06:05  Trying broadcast probe requests...
 11:06:05  Injection is working!
 11:06:05  Found 1 APs
 11:06:05  Trying directed probe requests...
 11:06:05  00:14:6C:7E:40:80 - channel: 9 - 'teddy'
 11:06:07  17/20: 85%
 11:06:07  Trying card-to-card injection...
 11:06:07  Attack -0:        OK
 11:06:07  Attack -1 (open): OK
 11:06:07  Attack -1 (psk):  OK
 11:06:07  Attack -2/-3/-4:  OK
 11:06:07  Attack -5:        OK

Analysis of the response:

  • “11:06:05 wlan0 channel: 9, ath0 channel: 9”: It is import to make sure both your cards are on the same channel otherwise the tests will not work correctly.
  • The first part of the output is identical as what has been presented earlier.
  • The last port shows that wlan0 card is able to perform all attack types successfully.
  • If you get a failure on attack 5, it may still work in the field if the injection MAC address matches the current card MAC address. With some drivers, it will fail if they are not the same.

Usage Tips

Nothing at this point in time.

Usage Troubleshooting

Make sure the card(s) are on the same channel as your AP.

Make sure your cards are not channel hopping.

injection_test.1177786537.txt.gz · Last modified: 2007/04/28 20:55 by mister_x