AIREPLAY-NG(1)               General Commands Manual              AIREPLAY-NG(1)

       aireplay-ng - inject packets into a wireless network to generate traffic

       aireplay-ng [options] <replay interface>

       aireplay-ng is used to inject/replay frames.  The primary function is to
       generate traffic for the later use in aircrack-ng for cracking the WEP
       and WPA-PSK keys. There are different attacks which can cause
       deauthentications for the purpose of capturing WPA handshake data, fake
       authentications, Interactive packet replay, hand-crafted ARP request
       injection and ARP-request reinjection. With the packetforge-ng tool it's
       possible to create arbitrary frames.

       aireplay-ng supports single-NIC injection/monitor.
       This feature needs driver patching.

       -H, --help
              Shows the help screen.

       Filter options:

       -b <bssid>
              MAC address of access point.

       -d <dmac>
              MAC address of destination.

       -s <smac>
              MAC address of source.

       -m <len>
              Minimum packet length.

       -n <len>
              Maximum packet length.

       -u <type>
              Frame control, type field.

       -v <subt>
              Frame control, subtype field.

       -t <tods>
              Frame control, "To" DS bit (0 or 1).

       -f <fromds>
              Frame control, "From" DS bit (0 or 1).

       -w <iswep>
              Frame control, WEP bit (0 or 1).

       -D     Disable AP Detection.

       Replay options:

       -x <nbpps>
              Number of packets per second.

       -p <fctrl>
              Set frame control word (hex).

       -a <bssid>
              Set Access Point MAC address.

       -c <dmac>
              Set destination MAC address.

       -h <smac>
              Set source MAC address.

       -g <nb_packets>
              Change ring buffer size (default: 8 packets). The minimum is 1.

       -F     Choose first matching packet.

       -e <essid>
              Fake Authentication attack: Set target SSID (see below). For SSID
              containing special characters, see http://www.aircrack-

       -o <npackets>
              Fake Authentication attack: Set the number of packets for every
              authentication and association attempt (Default: 1). 0 means auto

       -q <seconds>
              Fake Authentication attack: Set the time between keep-alive
              packets in fake authentication mode.

       -y <prga>
              Fake Authentication attack: Specifies the keystream file for fake
              shared key authentication.

       -T n   Fake Authentication attack: Exit if fake authentication fails 'n'

       -j     ARP Replay attack : inject FromDS pakets (see below).

       -k <IP>
              Fragmentation attack: Set destination IP in fragments.

       -l <IP>
              Fragmentation attack: Set source IP in fragments.

       -B     Test option: bitrate test.

       Source options:

       -i <iface>
              Capture packets from this interface.

       -r <file>
              Extract packets from this pcap file.

       Miscellaneous options:

       -R     disable /dev/rtc usage.

       Attack modes:

       -0 <count>, --deauth=<count>
              This attack sends deauthentication packets to one or more clients
              which are currently associated with a particular access point.
              Deauthenticating clients can be done for a number of reasons:
              Recovering a hidden ESSID. This is an ESSID which is not being
              broadcast. Another term for this is "cloaked" or Capturing
              WPA/WPA2 handshakes by forcing clients to reauthenticate or
              Generate ARP requests (Windows clients sometimes flush their ARP
              cache when disconnected).  Of course, this attack is totally
              useless if there are no associated wireless client or on fake

       -1 <delay>, --fakeauth=<delay>
              The fake authentication attack allows you to perform the two types
              of WEP authentication (Open System and Shared Key) plus associate
              with the access point (AP). This is useful is only useful when you
              need an associated MAC address in various aireplay-ng attacks and
              there is currently no associated client. It should be noted that
              the fake authentication attack does NOT generate any ARP packets.
              Fake authentication cannot be used to authenticate/associate with
              WPA/WPA2 Access Points.

       -2, --interactive
              This attack allows you to choose a specific packet for replaying
              (injecting). The attack can obtain packets to replay from two
              sources. The first being a live flow of packets from your wireless
              card. The second being from a pcap file. Reading from a file is an
              often overlooked feature of aireplay-ng. This allows you read
              packets from other capture sessions or quite often, various
              attacks generate pcap files for easy reuse. A common use of
              reading a file containing a packet your created with packetforge-

       -3, --arpreplay
              The classic ARP request replay attack is the most effective way to
              generate new initialization vectors (IVs), and works very
              reliably. The program listens for an ARP packet then retransmits
              it back to the access point. This, in turn, causes the access
              point to repeat the ARP packet with a new IV. The program
              retransmits the same ARP packet over and over. However, each ARP
              packet repeated by the access point has a new IVs. It is all these
              new IVs which allow you to determine the WEP key.

       -4, --chopchop
              This attack, when successful, can decrypt a WEP data packet
              without knowing the key. It can even work against dynamic WEP.
              This attack does not recover the WEP key itself, but merely
              reveals the plaintext. However, some access points are not
              vulnerable to this attack. Some may seem vulnerable at first but
              actually drop data packets shorter that 60 bytes. If the access
              point drops packets shorter than 42 bytes, aireplay tries to guess
              the rest of the missing data, as far as the headers are
              predictable. If an IP packet is captured, it additionally checks
              if the checksum of the header is correct after guessing the
              missing parts of it. This attack requires at least one WEP data

       -5, --fragment
              This attack, when successful, can obtain 1500 bytes of PRGA
              (pseudo random generation algorithm). This attack does not recover
              the WEP key itself, but merely obtains the PRGA. The PRGA can then
              be used to generate packets with packetforge-ng which are in turn
              used for various injection attacks. It requires at least one data
              packet to be received from the access point in order to initiate
              the attack.

       -6, --caffe-latte
              In general, for an attack to work, the attacker has to be in the
              range of an AP and a connected client (fake or real). Caffe Latte
              attacks allows to gather enough packets to crack a WEP key without
              the need of an AP, it just need a client to be in range.

       -7, --cfrag
              This attack turns IP or ARP packets from a client into ARP request
              against the client. This attack works especially well against ad-
              hoc networks. As well it can be used against softAP clients and
              normal AP clients.

       -9, --test
              Tests injection and quality.


              - Can obtain the full packet length of 1500 bytes XOR. This means
              you can subsequently pretty well create any size of packet.
              - May work where chopchop does not
              - Is extremely fast. It yields the XOR stream extremely quickly
              when successful.

              - Setup to execute the attack is more subject to the device
              drivers. For example, Atheros does not generate the correct
              packets unless the wireless card is set to the mac address you are
              - You need to be physically closer to the access point since if
              any packets are lost then the attack fails.


              - May work where frag does not work.

              - Cannot be used against every access point.
              - The maximum XOR bits is limited to the length of the packet you
              chopchop against.
              - Much slower then the fragmentation attack.

       This manual page was written by Adam Cecile <> for the
       Debian system (but may be used by others).  Permission is granted to
       copy, distribute and/or modify this document under the terms of the GNU
       General Public License, Version 2 or any later version published by the
       Free Software Foundation On Debian systems, the complete text of the GNU
       General Public License can be found in /usr/share/common-licenses/GPL.


Version 1.1                        April 2010                     AIREPLAY-NG(1)