Aireplay-ng is used to inject frames.
Its primary function is to generate traffic for later use in aircrack-ng when cracking WEP and WPA-PSK keys. It implements several attacks: deauthentication for the purpose of capturing WPA handshake data, fake authentication, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it's possible to create arbitrary frames.
Usage
aireplay-ng <options> <replay interface>
Options
Syntax | Parameters | Description |
-b | bssid | MAC address, Access Point |
-d | dmac | MAC address, Destination |
-s | smac | MAC address, Source |
-m | len | minimum packet length |
-n | len | maximum packet length |
-u | type | frame control, type field |
-v | subt | frame control, subtype field |
-t | tods | frame control, To DS bit |
-f | fromds | frame control, From DS bit |
-w | iswep | frame control, WEP bit |
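The -u, -v, -t, -f and -w options above all refer to fields of the 802.11 frame control word. The following added example (not part of aireplay-ng or of the original page) decodes that word and uses it to count deauthentication frames per BSSID and destination, the kind of tally a wireless monitor keeps to notice a deauthentication burst. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

DEAUTH = (0, 12)  # management type 0, deauthentication subtype 12

def decode_frame_control(header: bytes) -> dict:
    """Decode the little-endian frame control word that starts an 802.11 header."""
    if len(header) < 2:
        raise ValueError("need at least 2 bytes")
    (fc,) = struct.unpack_from("<H", header)
    return {
        "type": (fc >> 2) & 0x3,     # field named by -u
        "subtype": (fc >> 4) & 0xF,  # field named by -v
        "to_ds": (fc >> 8) & 0x1,    # bit named by -t
        "from_ds": (fc >> 9) & 0x1,  # bit named by -f
        "wep": (fc >> 14) & 0x1,     # Protected Frame bit, named by -w
    }

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def count_deauths(frames) -> Counter:
    """Count deauthentication frames per (BSSID, destination) pair."""
    counts = Counter()
    for frame in frames:
        if len(frame) < 24:          # shorter than a management header: skip
            continue
        fc = decode_frame_control(frame)
        if (fc["type"], fc["subtype"]) == DEAUTH:
            # management header layout: addr1 = destination, addr3 = BSSID
            counts[(mac(frame[16:22]), mac(frame[4:10]))] += 1
    return counts

def header(fc: str, addr1: bytes, addr2: bytes, addr3: bytes) -> bytes:
    """Build a constructed 24-byte header: fc, duration, 3 addresses, seq."""
    return bytes.fromhex(fc) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"

# Constructed sample data (locally administered MACs), not a real capture.
AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = (
    [header("8000", BCAST, AP, AP)]        # beacon
    + [header("0841", AP, STA, AP)]        # protected data frame, To DS set
    + [header("c000", STA, AP, AP)] * 3    # deauthentication frames
    + [bytes.fromhex("c000")]              # truncated frame, ignored
)

if __name__ == "__main__":
    print(decode_frame_control(SAMPLE_FRAMES[1]))
    print(count_deauths(SAMPLE_FRAMES))
```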
Replay Options
Syntax | Parameters | Description |
-x | nbpps | number of packets per second |
-p | fctrl | set frame control word (hex) |
-a | bssid | set Access Point MAC address |
-c | dmac | set Destination MAC address |
-h | smac | set Source MAC address |
-e | essid | For fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden. |
-j | none | arpreplay attack, inject FromDS pkts |
-g | value | change ring buffer size (default: 8) |
-k | IP | set destination IP in fragments |
-l | IP | set source IP in fragments |
-o | npckts | number of packets per burst (-1) |
-q | sec | seconds between keep-alives (-1) |
-y | prga | keystream for shared key auth |
-B or --bittest | none | bit rate test (Applies only to test mode) |
-D | none | disables AP detection. Some modes will not proceed if the AP beacon is not heard. This disables this functionality. |
-F or --fast | none | chooses first matching packet. For test mode, it just checks basic injection and skips all other tests. |
-R | none | disables /dev/rtc usage. Some systems experience lockups or other problems with RTC. This disables the usage. |