aireplay-ng
Differences
This shows you the differences between two versions of the page.
aireplay-ng [2008/05/13 15:28] – darkaudax | aireplay-ng [2013/05/26 06:05] – [Usage of the attacks] WPA Migration mode is now available mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Aireplay-ng ====== | ====== Aireplay-ng ====== | ||
- | |||
- | |||
===== Description ===== | ===== Description ===== | ||
- | Aireplay-ng is used to inject frames.\\ | + | Aireplay-ng is used to inject frames. |
The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, | The primary function is to generate traffic for the later use in [[aircrack-ng]] for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, | ||
With the [[packetforge-ng]] tool it's possible to create arbitrary frames. | With the [[packetforge-ng]] tool it's possible to create arbitrary frames. | ||
- | \\ | + | |
- | \\ | + | |
Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]. | Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]. | ||
- | |||
===== Usage of the attacks ===== | ===== Usage of the attacks ===== | ||
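Review bot: "Most drivers needs to be patched to be able to inject, don't forget to read [[install_drivers|Installing drivers]]." survives unchanged on both sides of this hunk with a subject-verb mismatch and a comma splice; suggest "Most drivers need to be patched to be able to inject; don't forget to read [[install_drivers|Installing drivers]]." while the Description section is being cleaned up.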
Line 22: | Line 18: | ||
* Attack 4: [[KoreK chopchop|KoreK chopchop attack]] | * Attack 4: [[KoreK chopchop|KoreK chopchop attack]] | ||
* Attack 5: [[Fragmentation|Fragmentation attack]] | * Attack 5: [[Fragmentation|Fragmentation attack]] | ||
+ | * Attack 6: [[cafe-latte|Cafe-latte attack]] | ||
+ | * Attack 7: [[hirte|Client-oriented fragmentation attack]] | ||
+ | * Attack 8: [[WPA Migration Mode]] | ||
* Attack 9: [[injection_test|Injection test]] | * Attack 9: [[injection_test|Injection test]] | ||
- | |||
===== Usage ===== | ===== Usage ===== | ||
- | This section provides a general overview. | + | This section provides a general overview. |
Usage: | Usage: | ||
Line 48: | Line 46: | ||
*-w iswep : frame control, WEP bit | *-w iswep : frame control, WEP bit | ||
- | When replaying (injecting) packets, the following options apply. | + | When replaying (injecting) packets, the following options apply. |
Replay options: | Replay options: | ||
Line 57: | Line 55: | ||
*-c dmac : set Destination | *-c dmac : set Destination | ||
*-h smac : set Source | *-h smac : set Source | ||
- | *-e essid : fakeauth | + | *-e essid : For fakeauth attack |
*-j : arpreplay attack : inject FromDS pkts | *-j : arpreplay attack : inject FromDS pkts | ||
*-g value : change ring buffer size (default: 8) | *-g value : change ring buffer size (default: 8) | ||
Line 65: | Line 63: | ||
*-q sec : seconds between keep-alives (-1) | *-q sec : seconds between keep-alives (-1) | ||
*-y prga : keystream for shared key auth | *-y prga : keystream for shared key auth | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
+ | * " | ||
- | The attacks can obtain packets to replay from two sources. | + | |
+ | The attacks can obtain packets to replay from two sources. | ||
Source options: | Source options: | ||
- | *-i iface : capture packets from this interface | + | *iface |
*-r file : extract packets from this pcap file | *-r file : extract packets from this pcap file | ||
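Review bot: The source-option line that replaces "*-i iface : capture packets from this interface" with "*iface" drops the description entirely; if the interface is now given as a bare positional argument, keep the explanation (e.g. "*iface : capture packets from this interface") and say that it replaces the old -i form, otherwise readers of this section cannot tell what the argument does or why -i stopped working. In the same hunk, "-e essid : For fakeauth attack" is the only option description that starts with a capital letter; "for fakeauth attack" matches the surrounding lines.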
Line 89: | Line 92: | ||
Here are the differences between the fragmentation and chopchop attacks | Here are the differences between the fragmentation and chopchop attacks | ||
- | Fragmentation\\ | + | ==== Fragmentation |
- | \\ | + | |
- | Pros\\ | + | Pros:\\ |
* Typically obtains the full packet length of 1500 bytes xor. This means you can subsequently pretty well create any size of packet. | * Typically obtains the full packet length of 1500 bytes xor. This means you can subsequently pretty well create any size of packet. | ||
* May work where chopchop does not. | * May work where chopchop does not. | ||
* Is extremely fast. It yields the xor stream extremely quickly when successful. | * Is extremely fast. It yields the xor stream extremely quickly when successful. | ||
- | \\ | + | |
- | Cons\\ | + | Cons:\\ |
* Need more information to launch it - IE IP address info. Quite often this can be guessed. | * Need more information to launch it - IE IP address info. Quite often this can be guessed. | ||
* Setup to execute the attack is more subject to the device drivers. | * Setup to execute the attack is more subject to the device drivers. | ||
- | * You need to be physically closer to the access point since if any packets are lost then the attack fails. | + | * You need to be physically closer to the access point because |
* The attack will fail on access points which do not properly handle fragmented packets. | * The attack will fail on access points which do not properly handle fragmented packets. | ||
- | \\ | + | |
- | Chopchop\\ | + | ==== Chopchop |
- | \\ | + | |
- | Pros\\ | + | Pros:\\ |
* May work where fragmentation does not work. | * May work where fragmentation does not work. | ||
* You don't need to know any IP information. | * You don't need to know any IP information. | ||
- | \\ | + | |
- | Cons\\ | + | Cons:\\ |
* Cannot be used against every access point. | * Cannot be used against every access point. | ||
* The maximum xor bits is limited to the length of the packet you chopchop against. | * The maximum xor bits is limited to the length of the packet you chopchop against. | ||
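Review bot: In the Fragmentation cons, "Need more information to launch it - IE IP address info." should read "i.e. IP address info"; "IE" reads as an abbreviation rather than "that is". The Pros and Cons lists also use two names for the same thing ("xor stream" under Fragmentation, "xor bits" under Chopchop); pick one term so the comparison reads consistently.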
Line 118: | Line 121: | ||
==== Optimizing injection speeds ==== | ==== Optimizing injection speeds ==== | ||
- | Optimizing injection speed is more art than science. First, try using to tools "as is" | + | Optimizing injection speed is more art than science. First, try using the tools "as is" |
- | You may try to playing with the rate " | + | You can try playing with the transmission |
Line 126: | Line 129: | ||
These items apply to all modes of aireplay-ng. | These items apply to all modes of aireplay-ng. | ||
+ | |||
+ | ==== aireplay-ng does not inject packets ==== | ||
+ | Ensure you are using the correct monitor mode interface. | ||
==== For madwifi-ng, ensure there are no other VAPs running ==== | ==== For madwifi-ng, ensure there are no other VAPs running ==== | ||
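Review bot: The new "aireplay-ng does not inject packets" entry consists of the single sentence "Ensure you are using the correct monitor mode interface." with no way to check that claim; since this page already lists "Attack 9: [[injection_test|Injection test]]", link to it here so the reader can confirm the interface is able to inject before trying any other mode, and point to the "For madwifi-ng, ensure there are no other VAPs running" entry that follows as the next thing to check.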
Line 139: | Line 145: | ||
| | ||
| | ||
- | |||
- | |||
- | |||
==== Aireplay-ng hangs with no output ==== | ==== Aireplay-ng hangs with no output ==== | ||
Line 147: | Line 150: | ||
You enter the command and the command appears to hang and there is no output.\\ | You enter the command and the command appears to hang and there is no output.\\ | ||
- | This is typically caused by being on the wrong channel | + | This is typically caused by your wireless card being on a different |
As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. | As well, if you have another instance of aireplay-ng running in background mode, this can cause the second to hang if the options conflict. | ||
- | |||
- | |||
==== Aireplay-ng freezes while injecting ==== | ==== Aireplay-ng freezes while injecting ==== | ||
- | See this thread: [[http:// | + | See this thread: [[http:// |
- | Or see this thread: [[http:// | + | Or see this thread: [[http:// |
Also check the previous entries. | Also check the previous entries. | ||
- | |||
==== write failed: Cannot allocate memory wi_write(): Illegal seek ==== | ==== write failed: Cannot allocate memory wi_write(): Illegal seek ==== | ||
- | When using a broadcom chipset and related driver you get something similar to: | + | When using a [[broadcom]] chipset and related driver you get something similar to: |
write failed: Cannot allocate memory wi_write(): Illegal seek | write failed: Cannot allocate memory wi_write(): Illegal seek | ||
- | Include the "-x <packet rate>" | + | This is due to a bug in the original bcm43xx patch. Use SuD's modified patch to fix this. Alternatively, |
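Review bot: The rewritten broadcom entry says "Use SuD's modified patch to fix this." without a link, while "[[broadcom]]" in the same sentence did get one; link the patch (or the section of the broadcom page that carries it) so the fix is actionable. The old text's "-x <packet rate>" advice was the only workaround before this change, so the sentence beginning "Alternatively," should still name it explicitly rather than leave the reader to guess what the alternative is.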
==== Slow injection, "rtc: lost some interrupts at 1024Hz" | ==== Slow injection, "rtc: lost some interrupts at 1024Hz" | ||
Line 177: | Line 176: | ||
"rtc: lost some interrupts at 1024Hz" | "rtc: lost some interrupts at 1024Hz" | ||
- | This message is then repeated | + | This message is then repeated |
- | There is no solution at this point in time, just the workaround to start a second instance. See this [[http:// | + | rmmod rtc |
+ | | ||
+ | |||
+ | or if you have rtc-cmos enabled in your kernel: | ||
+ | |||
+ | rmmod rtc | ||
+ | | ||
+ | |||
+ | There is no solution at this point in time, just the workarounds. See this [[http:// | ||
==== Slow injection rate in general ==== | ==== Slow injection rate in general ==== | ||
- | Being too close to the AP can dramatically reduce the injection rate. This is caused by packet corruption and/or overloading the the AP. See this [[http://tinyshell.be/ | + | Being too close to the AP can dramatically reduce the injection rate. This is caused by packet corruption and/or overloading the the AP. See this [[http://forum.aircrack-ng.org/ |
==== Error message, " | ==== Error message, " | ||
This is caused by having two or more instances of aireplay-ng running at the same time. The program will still work but the timing will be less accurate. | This is caused by having two or more instances of aireplay-ng running at the same time. The program will still work but the timing will be less accurate. | ||
- | |||
- | |||
- | |||
==== " | ==== " | ||
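Review bot: The rtc workaround blocks that start with "rmmod rtc" should say that the commands must be run as root and that unloading the module takes /dev/rtc away from anything else using it; also, changing "just the workaround to start a second instance" to "just the workarounds" silently drops the second-instance workaround the old text gave, so either list it alongside the rmmod steps or state that it no longer applies. Separately, "overloading the the AP" in the "Slow injection rate in general" entry keeps its doubled "the" on both sides of the diff; fix to "overloading the AP".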
Line 216: | Line 219: | ||
* Use a tool like [[http:// | * Use a tool like [[http:// | ||
+ | ==== How to use spaces, double quote and single quote or other special characters in AP names? ==== | ||
- | ==== How to use spaces, double quote and single quote in AP names? ==== | + | See this [[faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names|FAQ entry]] |
- | + | ||
- | See this[[http:// | + | |
==== Waiting for beacon frame ==== | ==== Waiting for beacon frame ==== | ||
Line 227: | Line 228: | ||
There are many possible root causes of this problem: | There are many possible root causes of this problem: | ||
- | * The wireless card is set to a channel which is different | + | * The wireless card is set to a channel which is different |
* The card is scanning channels. | * The card is scanning channels. | ||
- | * The ESSID is wrong. | + | * The ESSID is wrong. |
* The BSSID is wrong. | * The BSSID is wrong. | ||
* You are too far away from the AP and are not receiving any beacons. | * You are too far away from the AP and are not receiving any beacons. | ||
Line 237: | Line 238: | ||
+ | ==== interfaceX is on channel Y, but the AP uses channel Z ==== | ||
+ | |||
+ | A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6" | ||
+ | |||
+ | This means something is causing your card to channel hop. Possible reasons is that failed to start airodump-ng locked to a single channel. | ||
+ | |||
+ | Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. | ||
==== General ==== | ==== General ==== | ||
Also make sure that: | Also make sure that: | ||
- | * Most modes of aireplay-ng require that your MAC address be associated with the access point. | + | * Most modes of aireplay-ng require that your MAC address be associated with the access point. |
* The wireless card driver is properly patched and installed. | * The wireless card driver is properly patched and installed. | ||
* You are physically close enough to the access point. | * You are physically close enough to the access point. | ||
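Review bot: "Possible reasons is that failed to start airodump-ng locked to a single channel." in the new "interfaceX is on channel Y, but the AP uses channel Z" section is ungrammatical and hard to parse; suggest "One possible reason is that airodump-ng was not started locked to a single channel, so the card keeps hopping." The following paragraph about a network manager or wpa_supplicant would also help more if it told the reader to confirm no such process is managing the interface before starting, since the message itself only reports the mismatch and not its cause.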
Line 251: | Line 259: | ||
* The BSSID and ESSID (-a / -e options) are correct. | * The BSSID and ESSID (-a / -e options) are correct. | ||
* If Prism2, make sure the firmware was updated. | * If Prism2, make sure the firmware was updated. | ||
- | * Ensure your are running the current stable version. | + | * Ensure your are running the current stable version. |
- | * It does not hurt to check the [[http:// | + | * It does not hurt to check the [[http:// |
+ |
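Review bot: "Ensure your are running the current stable version." in the General checklist keeps the typo "your are" on both sides of this hunk; it should read "Ensure you are running the current stable version."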
aireplay-ng.txt · Last modified: 2022/02/09 00:44 by mister_x