User Tools

Site Tools


This is an old revision of the document!



The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.

To create an encrypted packet, you must have a PRGA (pseudo random genration algorithm) file. This is used to encrypt the packet you create. This is typically obtained from aireplay-ng chopchop or fragmentation attacks.


Usage: packetforge-ng <mode> <options>

Forge options:

  • -p <fctrl> : set frame control word (hex)
  • -a <bssid> : set Access Point MAC address
  • -c <dmac> : set Destination MAC address
  • -h <smac> : set Source MAC address
  • -j : set FromDS bit
  • -o : clear ToDS bit
  • -e : disables WEP encryption
  • -k <ip[:port]> : set Destination IP [Port]
  • -l <ip[:port]> : set Source IP [Port]
  • -t ttl : set Time To Live
  • -w <file> : write packet to this pcap file

Source options:

  • -r <file> : read packet from this raw file
  • -y <file> : read PRGA from this file


  • –arp : forge an ARP packet (-0)
  • –udp : forge an UDP packet (-1)
  • –icmp : forge an ICMP packet (-2)
  • –custom : build a custom packet (-9)

Usage Example

Here is an example of how to generate an arp request packet.

First, obtain a xor file (PRGA) with either the aireplay-ng chopchop or fragmentation method.

Then use the following command:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k -l -y fragment-0124-161129.xor -w arp-request


  • -0 indicates you want a arp request packet generated
  • -a 00:14:6C:7E:40:80 is the Access Point MAC address
  • -h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
  • -k is the destination IP. IE In an arp it is the “Who has this IP”
  • -l is the source IP. IE In an arp is the “Tells this IP”
  • -y fragment-0124-161129.xor
  • -w arp-packet

Assuming you are experimenting with your own access point, arp request packet generated above can be decrypted with your own key. So to see that packet we just created can be decrypted:

Enter “airdecap-ng -w <access point encryption key> arp-request”

The results look like this:

Total number of packets read             1
Total number of WEP data packets         1
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP  packets         1
Number of decrypted WPA  packets         0

To view the packet that was just decrypted, enter “tcpdump -n -vvv -e -s0 -r arp-request-dec”

The results look like this:

reading from file arp-request-dec, link-type EN10MB (Ethernet)
18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has tell

Which is exactly what we expected. Now you can inject this arp request packet as follows “aireplay-ng -2 -r arp-request ath0”.

The program will respond as follows:

      Size: 68, FromDS: 0, ToDS: 1 (WEP)

           BSSID  =  00:14:6C:7E:40:80
       Dest. MAC  =  FF:FF:FF:FF:FF:FF
      Source MAC  =  00:0F:B5:AB:CB:9D

      0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
      0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
      0x0020:  49fc 21ff 781a dc42 2f96 8fcc 9430 144d  I.!.x..B/....0.M
      0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
      0x0040:  d64f b709                                .O..

Use this packet ? y

Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.

End of file.

By entering “y” above, the packet you created with packetforge-ng is then injected.

packetforge-ng.1169851477.txt.gz · Last modified: 2007/01/26 23:44 (external edit)