Aireplay-ng is used to inject frames.
Its primary function is to generate traffic for later use in aircrack-ng when cracking WEP and WPA-PSK keys. The attacks it offers include deauthentication (-0), used among other things to capture WPA handshake data, fake authentication (-1), interactive packet replay (-2), hand-crafted ARP-request injection (frames built with packetforge-ng and replayed with -2) and ARP-request reinjection (-3). With the packetforge-ng tool it is possible to create arbitrary frames.
Most drivers need to be patched to be able to inject; don't forget to read Installing drivers.
It currently implements multiple different attacks:
This section provides a general overview. Not all options apply to all attacks; see the documentation of the specific attack for the details that apply to it.
Usage:
aireplay-ng <options> <replay interface>
For all the attacks except deauthentication and fake authentication, you may use the following filters to limit which packets will be presented to the particular attack. The most commonly used filter option is "-b", which selects a specific access point by its BSSID. For typical usage, "-b" is the only one you need.
Filter options:
When replaying (injecting) packets, the following options apply. Keep in mind that not every option is relevant for every attack; the documentation of each attack gives examples of the options relevant to it.
Replay options:
The attacks can obtain packets to replay from two sources. The first is a live flow of packets from your wireless card. The second is a pcap file. The standard pcap (Packet CAPture, associated with the libpcap library, http://www.tcpdump.org) format is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often overlooked feature of aireplay-ng: it allows you to feed an attack with packets from other capture sessions. Keep in mind that various attacks themselves write pcap files for easy reuse.
Source options:
This is how you specify which mode (attack) the program will operate in. Depending on the mode, not all options above are applicable.
Attack modes (numbers can still be used):
Here are the differences between the fragmentation and chopchop attacks.
Fragmentation attack
Pros:
Cons:
Chopchop attack
Pros:
Cons:
Optimizing injection speed is more art than science. First, try using the tools "as is". You can then use the "-x" parameter to vary the injection speed. Surprisingly, lowering this value can sometimes increase your overall rate.
You can also try playing with the transmission rate, e.g. "iwconfig wlan0 rate 11M". Depending on the driver and how you started the card in monitor mode, it is typically 1 or 11 MBit by default. If you are close enough to the AP, set it to a higher value, like 54M; this way you get more packets per second. If you are too far away and the packets don't travel that far, try lowering it to (for example) 1M.
These items apply to all modes of aireplay-ng.
Ensure you are using the correct monitor mode interface. "iwconfig" will show the wireless interfaces and their state. For the mac80211 drivers, the monitor mode interface is typically "mon0". For ieee80211 madwifi-ng drivers, it is typically "ath0". For other drivers, the interface name may vary.
Make sure there are no other VAPs running. There can be issues when creating a new VAP in monitor mode while an existing VAP is in managed mode.
You should first stop ath0, then start wifi0:
airmon-ng stop ath0
airmon-ng start wifi0
or
wlanconfig ath0 destroy
wlanconfig ath create wlandev wifi0 wlanmode monitor
You enter the command, and it appears to hang with no output.
This is typically caused by your wireless card being on a different channel than the access point. Another potential cause is an old firmware version on a prism2 chipset: make sure you are running firmware 1.7.4 or above. See Prism card for more details; firmware upgrade instructions can be found here.
Also, if you have another instance of aireplay-ng running in the background, it can cause the second one to hang if the options conflict.
See this thread: Aireplay freezes when injecting
Or see this thread: Commenting out RTC
Also check the previous entries.
When using a broadcom chipset and related driver you get something similar to:
write failed: Cannot allocate memory
wi_write(): Illegal seek
This is due to a bug in the original bcm43xx patch. Use SuD's modified patch to fix this. Alternatively, you can try using the b43 driver instead of bcm43xx (b43 requires aireplay-ng 1.0-beta2 or newer; 1.0 rc1 or svn is recommended).
Symptoms: injection works but very slowly, at around 30 packets per second (pps). Whenever you start injecting packets, you get the following or a similar kernel message:
"rtc: lost some interrupts at 1024Hz"
This message is then repeated continuously. There are a couple of workarounds. The first is to start another instance of aireplay-ng, after which injection rises to around 300 pps. The second is to:
rmmod rtc
modprobe genrtc
or, if you have rtc-cmos enabled in your kernel:
rmmod rtc
modprobe rtc-cmos
There is no solution at this point in time, just the workarounds. See this forum thread.
Being too close to the AP can dramatically reduce the injection rate. This is caused by packet corruption and/or overloading the AP. See this thread for an example of the impact of being too close to the AP.
This is caused by having two or more instances of aireplay-ng running at the same time. The program will still work, but the timing will be less accurate.
After entering an aireplay-ng command similar to:
aireplay-ng -1 0 -e horcer -a 00:50:18:4C:A5:02 -h 00:13:A7:12:3C:5B ath0
you get a message similar to:
The interface MAC (06:13:F7:12:23:4A) doesn't match the specified MAC (-h).
ifconfig ath1 hw ether 00:13:A7:12:3C:5B
This occurs when the source MAC address for injection (specified by -h) differs from your card's MAC address. In the case above, the injection MAC 00:13:A7:12:3C:5B does not match the card MAC 06:13:F7:12:23:4A. In some cases, but not all, this will cause injection to fail, which is why the warning is given. It is therefore always recommended that your injection MAC match the card's MAC address. Make sure the interface named in the ifconfig line is the one you actually inject on (the command above uses ath0).
Detailed instructions on changing the card's MAC address can be found in the FAQ: How do I change my card's MAC address?
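The mismatch above is cheap to catch before a long injection run. The shell snippet below is an added example and not part of the aircrack-ng documentation: it normalises the address given to -h and the card's current address (read from /sys/class/net/<iface>/address on Linux, an assumption of this example), compares them, and prints the ifconfig lines to run when they differ. The addresses in the demo call are the ones from the warning quoted above; the interface name ath1 and the function names (norm_mac, mac_matches, check_injection_mac) are this example's own.

```shell
#!/bin/sh
# Added example (not aircrack-ng code): verify that the MAC passed to
# aireplay-ng -h is the address the injection interface really has.
# Assumes Linux sysfs: /sys/class/net/<iface>/address holds the card MAC.

# Normalise a MAC to lowercase, colon-separated form and validate it, so
# "00-13-A7-12-3C-5B" and "00:13:a7:12:3c:5b" compare equal. Prints nothing
# and returns 1 for anything that is not six two-digit hex octets.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | sed 's/-/:/g' |
        grep -Ex '([0-9a-f]{2}:){5}[0-9a-f]{2}'
}

# Return 0 when both arguments denote the same station address, 1 when they
# differ, 2 when either is malformed.
mac_matches() {
    a=$(norm_mac "$1") || return 2
    b=$(norm_mac "$2") || return 2
    [ "$a" = "$b" ]
}

# Current hardware address of an interface (empty if it does not exist).
card_mac() {
    cat "/sys/class/net/$1/address" 2>/dev/null
}

# The same fix the warning suggests, with the interface brought down first,
# which most drivers require before accepting a new address.
fix_commands() {   # $1 = interface, $2 = wanted MAC
    want=$(norm_mac "$2") || return 2
    printf 'ifconfig %s down\nifconfig %s hw ether %s\nifconfig %s up\n' \
        "$1" "$1" "$want" "$1"
}

# check_injection_mac IFACE MAC [CARD_MAC]
# Returns 0 if the card already carries MAC, 1 if not (and prints the fix),
# 2 if the card address cannot be determined. The optional third argument
# substitutes for the sysfs lookup so the check can be run without a card.
check_injection_mac() {
    iface=$1; want=$2; have=${3:-$(card_mac "$iface")}
    if [ -z "$have" ]; then
        echo "cannot read the address of $iface" >&2
        return 2
    fi
    if mac_matches "$want" "$have"; then
        echo "ok: $iface is $have, which matches -h"
        return 0
    fi
    echo "The interface MAC ($have) doesn't match the specified MAC (-h $want). Fix with:"
    fix_commands "$iface" "$want"
    return 1
}

# Demo with the two addresses from the warning quoted in the text above.
check_injection_mac ath1 00:13:A7:12:3C:5B 06:13:F7:12:23:4A || :
```

On a live system call it as `check_injection_mac mon0 00:13:A7:12:3C:5B` and let it read the card address itself; on a modern kernel `ip link set dev mon0 address <mac>` does the same as the `ifconfig ... hw ether` line.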
Many aireplay-ng commands require knowing the SSID. You will sometimes see "<length: ?>" as the SSID on the airodump-ng display. This means the SSID is hidden. The "?" is normally the length of the SSID. For example, if the SSID was "test123" then it would show up as "<length: 7>", where 7 is the number of characters. When the length is 0 or 1, it means the AP does not reveal the actual length, and the real length could be any value (up to the 32-byte maximum an SSID can have).
To obtain the hidden SSID there are a few options:
When you enter the command, the system freezes, or a line is printed with "Waiting for beacon frame" or "No such BSSID available" and then no further activity occurs.
There are many possible root causes of this problem:
For all of the above, running airodump-ng and reading the text (CSV) file it writes should give you all the information you need to identify and correct the problem.
A typical example of this message is: "mon0 is on channel 1, but the AP uses channel 6"
This means something is causing your card to channel hop. One possible reason is that airodump-ng was not started locked to a single channel: airodump-ng needs to be started with "-c <channel-number>", otherwise it hops and changes the channel of the interface underneath aireplay-ng.
Another reason is that you have processes such as a network manager or wpa_supplicant channel hopping. You must kill off all these processes. See [airmon-ng] for details on checking what is running and how to kill the processes off.
Also make sure that:
- You can see what is actually happening on the interface. tcpdump shows it:
  tcpdump -n -e -s0 -vvv -i <interface name>
  You can also pipe it to grep to filter, for example:
  tcpdump -n -e -s0 -vvv -i ath0 | grep -E "DeAuth|assoc"
- The wireless card driver is properly patched and installed. Use the injection test to confirm your card can inject.
- The AP acknowledges your frames. Watch for ACKs with:
  tcpdump -n -vvv -e -s0 -i <wireless interface>
  Failing to receive ACK packets from the AP means the AP cannot hear you, i.e. you are physically too far away.
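The channel mismatch and the wrong-interface problems above can both be caught before an attack is started by comparing what the monitor interface is actually tuned to with what airodump-ng recorded for the target BSSID. The script below is an added example and not part of aireplay-ng or its documentation. It assumes the "Mode:Monitor  Frequency:2.437 GHz" layout of iwconfig output (iwconfig reports a frequency rather than a channel, so the script converts it) and the CSV layout airodump-ng writes with -w (BSSID in the first column, channel in the fourth). The iwconfig and CSV samples embedded in it are constructed, and the function names (iw_mode, iw_channel, ap_channel, channel_check) are this example's own.

```shell
#!/bin/sh
# Added example (not aircrack-ng code): pre-flight check that the monitor
# interface is in monitor mode and on the same channel as the target AP.
# Assumes iwconfig's "Mode:Monitor  Frequency:2.437 GHz" line and the
# airodump-ng CSV column order (BSSID, first seen, last seen, channel, ...).

# Mode field from an iwconfig dump (Monitor, Managed, ...); empty if absent.
iw_mode() {
    printf '%s\n' "$1" | sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1
}

# Channel number derived from the Frequency field. Handles 2.4 GHz channels
# 1-14 (channel 14 is the odd one at 2484 MHz) and the 5 GHz band.
iw_channel() {
    printf '%s\n' "$1" | awk '
        match($0, /Frequency[:=][0-9.]+ GHz/) {
            mhz = int(substr($0, RSTART + 10, RLENGTH - 14) * 1000 + 0.5)
            if (mhz == 2484)                     ch = 14
            else if (mhz >= 2412 && mhz <= 2472) ch = (mhz - 2407) / 5
            else if (mhz >= 5000)                ch = (mhz - 5000) / 5
            else                                 ch = ""
            print ch; exit
        }'
}

# Channel airodump-ng recorded for BSSID $2 in the CSV text $1
# (case-insensitive match on the first column); empty if not listed.
ap_channel() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -F',' -v want="$want" '
        {
            bssid = $1; gsub(/[ \t]/, "", bssid)
            if (toupper(bssid) == want) { ch = $4; gsub(/[ \t]/, "", ch); print ch; exit }
        }'
}

# channel_check IWCONFIG_TEXT CSV_TEXT BSSID
# 0 when the interface is in monitor mode on the AP's channel, 1 when it is
# not in monitor mode or sits on another channel, 2 when data is missing.
channel_check() {
    mode=$(iw_mode "$1"); mine=$(iw_channel "$1"); theirs=$(ap_channel "$2" "$3")
    [ "$mode" = "Monitor" ] || { echo "interface is in mode '$mode', not Monitor"; return 1; }
    [ -n "$mine" ] && [ -n "$theirs" ] ||
        { echo "no channel for the interface or for BSSID $3 (not in the airodump-ng file?)"; return 2; }
    if [ "$mine" = "$theirs" ]; then
        echo "ok: interface and AP $3 are both on channel $theirs"
        return 0
    fi
    echo "interface is on channel $mine, but the AP uses channel $theirs"
    echo "restart airodump-ng locked to it: airodump-ng -c $theirs --bssid $3 -w capture <iface>"
    return 1
}

# Constructed sample data: an interface left on channel 1 and a CSV in which
# the target AP was seen on channel 6, i.e. the situation the message describes.
IW_SAMPLE='mon0      IEEE 802.11  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off'
CSV_SAMPLE='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2009-01-01 10:00:00, 2009-01-01 10:05:00,  6,  54, WEP, WEP, , -40,  120,  0,   0.  0.  0.  0,  7, test123, '

channel_check "$IW_SAMPLE" "$CSV_SAMPLE" 00:14:6C:7E:40:80 || :
```

Against a real card run it as `channel_check "$(iwconfig mon0)" "$(cat capture-01.csv)" <bssid>`. The check only looks at the moment it runs, so if it passes but the message still appears later, something (a hopping airodump-ng, a network manager, wpa_supplicant) is retuning the card after the fact; that is the process hunt described above.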
The translation is set in blue; text in Chinese parentheses "()" is not from the original but was added by the translator based on the translator's own understanding and for readability;
The translator is a newcomer to this field with limited knowledge; translating this article is meant both for exchange and as a way to deepen my own learning. If there are misreadings or mistranslations, I hope those with more experience will let me know;
Not yet finished; the remaining content will be added over time, with occasional minor maintenance; stay tuned;
Reposting is allowed and welcome, but please be sure to cite the source.
------This article was compiled and translated by CSDN-蚍蜉撼青松 [homepage: http://blog.csdn.net/howeverpf]; please cite the source when reposting!------