Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Router Charts

Click for Router Charts

Router Ranker

Click for Router Ranker

NAS Charts

Click for NAS Charts

NAS Ranker

Click for NAS Ranker

More Tools

Click for More Tools

Wireless How To

Packet replay via Aireplay

While a deauth attack generates traffic, it generally doesn't generate enough to effectively speed up our IV gathering process. It's also a pretty blunt instrument and severly interferes with normal WLAN operations. For more efficient traffic generation, we'll need to employ a different technique called a replay attack.

A replay attack simply captures a valid packet generated by a Target client, then spoofs the client that it captured the packet from and replays the packet over and over again more frequently than normal. Since the traffic looks like it is coming from a valid client, it doesn't interfere with normal network operations and goes about its IV-generating duties quietly.

So what we need is to capture a packet that is sure to be generated by the void11 deauth attack, stop the deauth attack, then start a replay attack using the captured packet. A perfect candidate for capture are Address Resolution Protocol (ARP) packets since they're small (68 Bytes long), have a fixed and easily recongnizable format, and are part of every reassociation attempt.

aireplay setup

Figure 11: aireplay setup
(click image to enlarge)

Let's start with a clean slate and reboot both Auditor-A and Auditor-B. Figure 12 shows the roles that Auditor-A and Auditor-B are playing. Notice that Auditor-A is running only aireplay and is just serving to stimulate traffic (and IVs) to shorten the time it takes to crack a WEP key. Also notice that Auditor-B is used for either running the deauth attack (via void11) or capturing traffic (via airodump) and running the actual crack against the captured data via aircrack which we'll get to shortly.

The full WEP-cracking monty

Figure 12: The full WEP-cracking monty

We'll first start aireplay. Go to Auditor-A, open a shell and type in these commands:

Commands to set up aireplay to listen for an ARP packet
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

NOTE!NOTES:
- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN

At first, nothing too exciting will happen. You should see aireplay reporting it has seen a certain number of packets, but little else since the packets haven't matched the filter we've set (68 Byte packet with a destination MAC address of FF:FF:FF:FF:FF:FF).

More Wireless

Wi-Fi System Tools
Check out our Wi-Fi System Charts, Ranker and Finder!

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Over In The Forums

Howdy all,I am writing this in hopes of getting some advice from people who are more experienced with NAS devices than myself. I currently use Onedriv...
Hello,Just bought a brand new AX88U router. My issue is connecting to the 2.4ghz band. If I am right next to the router it works fine but if I move to...
After 4 days, Port Forwarding rule disappears from router. It can be easily reentered and will persist for approximately the same period, before disap...
I live in a complex that has great broadband. I have been annoyed with my Linksys's inability to keep things running, and since my alexa stuff does no...
Greetings,Just setup a R6700V3 to replace an 8 year old D-Link 655. Roku Premiere was killing the 655 every 4-24 hours.My Windows 10 PC connects via e...

Don't Miss These

  • 1
  • 2
  • 3