Aireplay-ng

Aireplay-ng is used to inject frames.

The primary function is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are different attacks which can cause deauthentications for the purpose of capturing WPA handshake data, fake authentications, Interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection. With the packetforge-ng tool it’s possible to create arbitrary frames.

Usage

Airplay-ng <options> <replay interface>

Options

Syntax	Parameters	Description
-b	bssid	MAC address, Access Point
-d	dmac	MAC address, Destination
-s	smac	MAC address, Source
-m	len	minimum packet length
-n	len	maximum packet length
-u	type	frame control, type field
-v	subt	frame control, subtype field
-t	tods	frame control, To DS bit
-f	fromds	frame control, From DS bit
-w	iswep	frame control, WEP bit

Replay Options

Syntax	Parameters	Description
-x	nbpps	number of packets per second
-p	fctrl	set frame control word (hex)
-a	bssid	set Access Point MAC address
-c	dmac	set Destination MAC address
-h	smac	set Source MAC address
-e	essid	For fakeauth attack or injection test, it sets target AP SSID. This is optional when the SSID is not hidden.
-j	none	arpreplay attack, inject FromDS pkts
-g	value	change ring buffer size (default: 8)
-k	IP	set destination IP in fragments
-l	IP	set source IP in fragments
-o	npckts	number of packets per burst (-1)
-q	sec	seconds between keep-alives (-1)
-y	prga	keystream for shared key auth
-B or – bittest	none	bit rate test (Applies only to test mode)
-D	none	disables AP detection. Some modes will not proceed if the AP beacon is not heard. This disables this functionality.
-F or – fast	none	chooses first matching packet. For test mode, it just checks basic injection and skips all other tests.
-R	none	disables /dev/rtc usage. Some systems experience lockups or other problems with RTC. This disables the usage.