This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Aireplay-ng

Wireless traffic generation tool

This tool is useful for generating wireless traffic, which can serve different purposes:

  1. With Aircrack-ng to crack WPS/PSK passphrases

  2. De-authentication attack

  3. Fake authentication

And many more things.


Usage

As usual, we can run the tool without parameters to display the usage options, but there is something new that we did not see before: it also displays the available attacks (check the image below)!

The majority of these attacks are specific to WEP networks; we will focus on the attacks related to WPA, which are also highlighted in the image below:


Aireplay-ng Injection Test

Before we start sending de-authentication frames, we need to check whether our NIC supports the injection of wireless frames. The injection test measures the ping response time to the target as well as the quality of the link, based on the percentage of responses received. If we have two cards, we can also test which injection attacks will be successful!

The basic injection test lists the APs in the area that respond to broadcast probes; for each AP found, the tool sends 30 test frames to measure the connection quality.

Basic Injection

First, we need to set our NIC to the desired channel using Airmon-ng (refer to Airmon-ng for more), then we execute Aireplay-ng with the following command:

sudo aireplay-ng -9 <WLAN Interface>

For Specific SSID

sudo aireplay-ng -9 -e <ESSID> -a <BSSID> <WLAN Interface>

Sometimes we don't get the desired result because the signal is too low or too high, so we can disable AP detection with the -D option, which makes the tool blindly trust the values provided on the command line:

sudo aireplay-ng -9 -e <ESSID> -a <BSSID> -D <WLAN Interface>

Card-to-Card (Attack) Injection Test

This injection test is a more robust check; it also tests whether our NIC can carry out the different aireplay-ng attacks. Why is this a more reliable guarantee that frames are being sent? Sometimes drivers or card firmware modify the frames, so doing the card-to-card injection test guarantees 100% that the frames are sent correctly.

How to perform the test?

First, we need both interfaces to be in monitor mode (you need two physical adapters); then we start the injection test with the command below:

sudo aireplay-ng -9 -i <Another WLAN Interface> <WLAN Interface>

We notice that it tries all attack types except for 9 (because 9 is the injection test itself, not an attack).


De-authentication Attack

Simply put, we need this attack to capture a 4-way handshake, which we can crack later.

For this attack we need to make sure that:

  1. We are in monitor mode, no shit, Sherlock :) (refer to Airmon-ng for more)

  2. Start dumping information from the desired channel (refer to Airodump-ng for more)

  3. Now we need to inject the frames into the channel:

After setting the interface to monitor mode and starting the packet capture, we only need to send the de-authentication frames and wait:

Directed

sudo aireplay-ng -0 <Frames Count> -a <AP BSSID> -c <Target MAC> <WLAN Interface>

Broadcast

sudo aireplay-ng -0 <Frames Count> -a <AP BSSID> <WLAN Interface>

If you want to keep sending until interrupted, set the frame count to 0.
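From the defender's side, the de-authentication frames sent above are plain 802.11 management frames (type 0, subtype 12) that any monitor-mode capture can see, so a burst of them toward the broadcast address or a single client is easy to flag. The following is an added example, not code from the original page or from the aircrack-ng project: it parses the raw MAC header of captured frames, decodes the deauth reason code, and reports (BSSID, destination) pairs whose deauth count crosses a threshold. The sample capture is constructed inline (no radiotap header, made-up MAC addresses, reason code 7 chosen as a hypothetical value).

```python
import struct
from collections import Counter

MGMT_TYPE = 0          # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 12    # management subtype 12 = de-authentication
BEACON_SUBTYPE = 8     # management subtype 8 = beacon

def parse_frame(frame: bytes):
    """Parse the 24-byte MAC header of a raw 802.11 frame (no radiotap header).
    Returns None if the frame is too short; for deauth frames also decodes the reason code."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]  # frame control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": frame[4:10].hex(":"),     # addr1 = receiver
        "src": frame[10:16].hex(":"),    # addr2 = transmitter
        "bssid": frame[16:22].hex(":"),  # addr3 = BSSID
        "reason": None,
    }
    if info["type"] == MGMT_TYPE and info["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # little-endian reason code
    return info

def deauth_flood_report(frames, threshold=10):
    """Count deauth frames per (BSSID, destination) and return the pairs at or above threshold.
    A burst aimed at ff:ff:ff:ff:ff:ff matches the broadcast form of the attack above."""
    counts = Counter()
    for raw in frames:
        p = parse_frame(raw)
        if p and p["type"] == MGMT_TYPE and p["subtype"] == DEAUTH_SUBTYPE:
            counts[(p["bssid"], p["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample capture (not real traffic): one beacon, 12 broadcast deauths, 2 directed ones.
def _mgmt(subtype, dst, src, bssid, body=b""):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
REASON = struct.pack("<H", 7)  # hypothetical reason code for the sample (7 = class 3 frame from non-associated STA)
SAMPLE_CAPTURE = (
    [_mgmt(BEACON_SUBTYPE, BCAST, AP, AP, b"\x00" * 12)]
    + [_mgmt(DEAUTH_SUBTYPE, BCAST, AP, AP, REASON)] * 12
    + [_mgmt(DEAUTH_SUBTYPE, CLIENT, AP, AP, REASON)] * 2
)

if __name__ == "__main__":
    for pair, n in deauth_flood_report(SAMPLE_CAPTURE).items():
        print(f"possible deauth flood from BSSID {pair[0]} to {pair[1]}: {n} frames")
```

Real captures carry a radiotap header in front of the MAC header, so strip it (its length is in bytes 2-3, little-endian) before calling parse_frame.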

What is next? Crack them all!
