Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To

Packet replay via Aireplay

While a deauth attack generates traffic, it generally doesn't generate enough to effectively speed up our IV gathering process. It's also a pretty blunt instrument and severly interferes with normal WLAN operations. For more efficient traffic generation, we'll need to employ a different technique called a replay attack.

A replay attack simply captures a valid packet generated by a Target client, then spoofs the client that it captured the packet from and replays the packet over and over again more frequently than normal. Since the traffic looks like it is coming from a valid client, it doesn't interfere with normal network operations and goes about its IV-generating duties quietly.

So what we need is to capture a packet that is sure to be generated by the void11 deauth attack, stop the deauth attack, then start a replay attack using the captured packet. A perfect candidate for capture are Address Resolution Protocol (ARP) packets since they're small (68 Bytes long), have a fixed and easily recongnizable format, and are part of every reassociation attempt.

aireplay setup

Figure 11: aireplay setup
(click image to enlarge)

Let's start with a clean slate and reboot both Auditor-A and Auditor-B. Figure 12 shows the roles that Auditor-A and Auditor-B are playing. Notice that Auditor-A is running only aireplay and is just serving to stimulate traffic (and IVs) to shorten the time it takes to crack a WEP key. Also notice that Auditor-B is used for either running the deauth attack (via void11) or capturing traffic (via airodump) and running the actual crack against the captured data via aircrack which we'll get to shortly.

The full WEP-cracking monty

Figure 12: The full WEP-cracking monty

We'll first start aireplay. Go to Auditor-A, open a shell and type in these commands:

Commands to set up aireplay to listen for an ARP packet
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN

At first, nothing too exciting will happen. You should see aireplay reporting it has seen a certain number of packets, but little else since the packets haven't matched the filter we've set (68 Byte packet with a destination MAC address of FF:FF:FF:FF:FF:FF).

More Wireless

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

The router broadcasted a name for our wifi as "Mom_Use_This_One". I just got my brother and I ethernet cables. When he plugged his in, it showed the e...
Continuation of. . .
Hi All,Long time lurker but first time poster here. I just upgraded my triband Velops to a combo of 2 XT8's and 3 XD4s. I live in a large apartment wi...
In Singapore, there is a red AX86U for sale - listed as the ZAKU II gaming edition - which is supposed to be PS5 compatible.What makes it PS5 compatib...
I wanted to post this in case anyone else has questions about Pfsense vs. Opnsense, or why to use one over the other, as I have personally used both, ...

Don't Miss These

  • 1
  • 2
  • 3