Aireplay

Deauthing a valid client (to increase the chances of acquiring an ARP packet, will also allows us to determine a hidden ESSID.
Capture and replay of a valid ARP request to speedup/generate the collection of encrypted packets.

airmon.sh start [interface] [channel]

airodump [interface] [filename] [channel]

aireplay usage:

Open another console and initiate a broadcast deauth:

aireplay -0 10 -a 11:11:11:11:11:11 [interface]

Or to perform a more specific deauth (usually more effective) against a specific station:

aireplay -0 10 -a 11:11:11:11:11:11 -c 22:22:22:22:22:22 [interface]

Whichever of the above deauths you perform, both are sending 10 deauthentication packets.

Now to produce encrypted packets by collecting and replaying ARP requests:

aireplay -3 -b 11:11:11:11:11:11 -h 22:22:22:22:22:22 [interface]

We now start listening for ARP requests with the -3 option. The -h option is mandatory and has to be the MAC address of an associated client:

As an example:

aireplay -3 -b 11:11:11:11:11:11 -h 22:22:22:22:22:22 [interface]

Captured 30,000 encrypted packets in 10 minutes against an 802.11b network on a previously inactive network.

Further Notes:

Attempting the attack against a dedicated 802.11g network failed to significantly increase the number of encrypted packets collected:
Appending the -x option with a variety of different values failed to significantly increase the number of encrypted packets collected.

Producing encrypted packets for WEP breaking - No Client Present:

This attack is only useful when you need an associated MAC address there is currently no associated client. However it is generally better to use the MAC address of a real client as in the Producing encrypted packets for WEP breaking - Client Present attack.

Open a console and start airodump:

airmon.sh start [interface] [channel]

airodump [interface] [filename] [channel]

"Some access points require reassociation every 30 seconds, otherwise our fake client is considered disconnected." Open a second console and setup the associate/reassociate to the access point:

aireplay -1 20 -e [ESSID] -a 11:11:11:11:11:11 -h 33:33:33:33:33:33 [interface]

If the association stops you may need to manually restart, however after a while even though the association requests (aireplay -1 20) stopped encrypted packets were still being collected ok.

Now open a third console and start listening for ARP requests with the -3 option:

aireplay -3 -b 11:11:11:11:11:11 -h 33:33:33:33:33:33 [interface]

It may take a little time to pickup some ARP packets initially, if successful airodump should now be collecting encrypted packets at a rate of roughly 3,000/min.

Receiving no ARP requests?

If after sometime aireplay is still stalling on "(got 0 ARP requests)" you can attempt to speed this process up with some deauths (e.g. aireplay -0 10...., as below) followed by some more auths (e.g. aireplay -1 20...., as below).

aireplay -0 10 -a 11:11:11:11:11:11 -c 33:33:33:33:33:33 [interface] (Deauth)

aireplay -1 20 -e [ESSID] -a 11:11:11:11:11:11 -h 33:33:33:33:33:33 [interface] (Association request)

Receiving: AP rejects source MAC address?

If you are using a random MAC address (i.e. not a valid inactive MAC) MAC filtering may be in place:

To overcome this you will need to acquire the MAC address of a valid client with airodump or kismet and then DoS this client or wait for it to go down before attempting to join the network.