6 Attack Modes of Aireplay-ng Explained

-0 Deauthenticate: conflict mode
Forces an already connected legitimate client to disconnect from the router so that it has to reconnect. Authentication packets are captured during the reconnection, which results in a valid ARP request.
If a client is connected to the router but nobody is online generating valid data, the -3 attack on its own will not obtain a valid ARP request; using the -0 attack mode as well activates the -3 attack immediately.
aireplay-ng -0 10 -a <AP MAC> -c <client MAC> wifi0
Parameter description.
[-0]: conflict attack mode, followed by the number of times to send (if set to 0, the attack loops, disconnecting constantly, and the client cannot access the Internet normally)
[-a]: set the AP's MAC
[-c]: set the MAC of the connected legitimate client.
If -c is not set, all legitimate clients connected to the AP will be disconnected.
aireplay-ng -3 -b <AP MAC> -h <client MAC> wifi0
Note: The prerequisite for using this attack mode is that an authenticated, legitimate client must be connected to the router.
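
Seen from a monitoring sensor, the -0 mode described above is a burst of 802.11 deauthentication frames for one BSSID, addressed to one client or, when -c is not set, to the broadcast address. The following is an added example, not code from the original page: it parses raw 802.11 MAC headers (radiotap already stripped) and flags such bursts. The threshold, window, addresses and sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for an 802.11 deauthentication frame, else None."""
    if len(frame) < 26:                            # 24-byte header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 3, (frame[0] >> 2) & 3, frame[0] >> 4
    if (version, ftype, subtype) != (0, 0, 12):    # management frame, subtype 12
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_bursts(records, threshold=5, window=1.0):
    """records: time-ordered (timestamp_s, frame_bytes). One alert per (bssid, dst)
    that receives `threshold` or more deauth frames within `window` seconds."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in records:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, _src, bssid, reason = parsed
        times = recent[(bssid, dst)]
        times.append(ts)
        while ts - times[0] > window:              # drop frames outside the window
            times.popleft()
        if len(times) >= threshold:
            alert = alerts.setdefault((bssid, dst), {
                "bssid": bssid, "target": dst, "all_clients": dst == BROADCAST,
                "start": times[0], "reason": reason, "peak": 0})
            alert["peak"] = max(alert["peak"], len(times))
    return list(alerts.values())

def build_frame(subtype, dst, src, bssid, body=b""):
    """Constructed sample frame: management type, zero duration and sequence fields."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return bytes([subtype << 4, 0, 0, 0]) + addrs + b"\x00\x00" + body

AP, STA = "02:00:00:00:00:01", "02:00:00:00:00:02"    # constructed addresses
SAMPLE = [(0.0, build_frame(8, BROADCAST, AP, AP, b"\x00" * 12)),   # beacon
          (1.0, build_frame(12, AP, STA, AP, b"\x03\x00"))]         # one ordinary deauth
SAMPLE += [(5.0 + i * 0.01, build_frame(12, BROADCAST, AP, AP, b"\x07\x00")) for i in range(10)]

if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE):
        print(alert)
```

Where the AP and clients negotiate 802.11w Protected Management Frames, unauthenticated deauthentication frames are discarded by the receiver.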

-1 fakeauth count: disguised client connection
This mode disguises a client connection to the AP.
This is the first step in the clientless study: since no legitimate client is connected, a masquerading client is needed to connect to the router. For the AP to accept packets, your own NIC must be associated with the AP. Without association, the target AP ignores all packets sent from your NIC and no IVS data is generated.
Use -1 to make the disguised client connect successfully before sending the injection command, so that the router accepts the injected packets and returns data that generates ARP packets.
aireplay-ng -1 0 -e <AP ESSID> -a <AP MAC> -h <your MAC> wifi0
Parameter description.
[-1]: disguised client connection mode, followed by the delay
[-e]: set the ESSID of the AP
[-a]: set the AP's MAC
[-h]: set the NIC MAC of the disguised client (i.e. your own NIC MAC)

-2 Interactive mode
This attack mode combines three things in one: capturing packets, extracting data, and sending attack packets.

  1. This mode is mainly used in the clientless study: first use -1 to establish a fake client connection, then send packets directly:
    aireplay-ng -2 -p 0841 -c ff:ff:ff:ff:ff:ff -b <AP MAC> -h <your MAC> wifi0
    Parameter description.
    [-2]: interactive attack mode
    [-p]: set the information contained in the control frame (hexadecimal), default is 0841
    [-c]: set the target MAC address
    [-b]: set the MAC address of the AP
    [-h]: set the MAC of the disguised client (i.e. your own NIC MAC)
  2. Extract packets and send the injected packets:
    aireplay-ng -2 -r <file> -x 1024 wifi0
    Here -x 1024 limits the packet sending speed to keep the NIC from hanging; you can choose 1024.

-3 ARP-request injection attack mode
This mode captures packets, analyzes them and retransmits them, and it is very effective. It can be used with a legitimate client, or together with -1 using the virtual connection of a disguised client. With a legitimate client you generally need to wait a few minutes, until a small amount of traffic between the legitimate client and the AP produces a valid ARP request; only then can the -3 mode inject successfully. If there is no communication and no ARP request can be obtained, this attack fails.
If there is no ARP request between the legitimate client and the AP for a long time, you can try using the -0 attack at the same time. If there is no legitimate client, you can use -1 to establish a virtual connection with a fake client, obtain authentication packets during the connection to generate a valid ARP request, and then inject it through the -3 mode.
aireplay-ng -3 -b <AP MAC> -h <client MAC> -x 512 wifi0
Parameter description.
[-3]: ARP injection attack mode
[-b]: set the MAC of the AP
[-h]: set
[-x]: define the number of packets sent per second, up to a maximum of 1024; 512 is recommended (or leave it unset)
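
On the monitoring side, the capture-and-retransmit behaviour of the -3 mode has a clear signature: the injected ARP request is one captured frame sent again unchanged, so the same WEP IV arrives from one transmitter hundreds of times, whereas a normal station changes the IV on every frame. The following is an added example, not code from the original page, that counts repeated IVs in WEP data frames sent towards the AP (frame control 08 41, the same value as the -p default above). The threshold, addresses and sample frames are constructed assumptions.

```python
from collections import Counter

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_wep_to_ds(frame):
    """Return (bssid, transmitter, iv_hex, length) for a WEP-protected data frame
    sent towards the AP (To-DS set, From-DS clear), else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if ((fc0 >> 2) & 3) != 2:                        # type 2 = data
        return None
    if not (fc1 & 0x40) or (fc1 & 0x03) != 0x01:     # Protected bit, To-DS only
        return None
    hdr = 26 if fc0 & 0x80 else 24                   # QoS data has 2 extra header bytes
    if len(frame) < hdr + 4 or frame[hdr + 3] & 0x20:  # ExtIV set: TKIP/CCMP, not WEP
        return None
    # To-DS layout: addr1 = BSSID, addr2 = transmitter, then 3-byte IV + key id byte
    return mac(frame[4:10]), mac(frame[10:16]), frame[hdr:hdr + 3].hex(), len(frame)

def detect_replay(frames, threshold=50):
    """Flag every (bssid, transmitter, iv, length) seen `threshold` times or more."""
    counts = Counter(key for key in map(parse_wep_to_ds, frames) if key)
    return [{"bssid": k[0], "transmitter": k[1], "iv": k[2], "length": k[3], "count": n}
            for k, n in counts.most_common() if n >= threshold]

def wep_frame(bssid, src, dst, iv, payload_len):
    """Constructed sample: frame control 08 41, key id 0, filler ciphertext."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (bssid, src, dst))
    return b"\x08\x41\x00\x00" + addrs + b"\x00\x00" + iv + b"\x00" + b"\xaa" * payload_len

AP = "02:00:00:00:00:01"                             # constructed addresses
STA_A, STA_B = "02:00:00:00:00:02", "02:00:00:00:00:03"
BCAST = "ff:ff:ff:ff:ff:ff"
# Normal station: a new IV on every frame.
SAMPLE = [wep_frame(AP, STA_A, BCAST, bytes([0, 0, i]), 40 + i) for i in range(20)]
# One captured frame retransmitted unchanged 512 times.
SAMPLE += [wep_frame(AP, STA_B, BCAST, b"\x12\x34\x56", 40)] * 512

if __name__ == "__main__":
    for hit in detect_replay(SAMPLE):
        print(hit)
```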

-4 Chopchop attack mode
This mode is mainly used to obtain an xor file containing key data, which can be used to decrypt packets. Instead, it is used to generate a new packet so that we can inject it.
aireplay-ng -4 -b <AP MAC> -h <your MAC> wifi0
Parameter description.
[-b]: Set the mac of the AP to be studied
[-h]: set the mac of the virtual masquerade connection (i.e. the mac of your own NIC)

-5 Fragment: fragmentation packet attack mode
This mode is mainly used to obtain a usable PRGA (a file with the xor suffix that contains key data); the PRGA is not WEP key data and cannot be used to decrypt packets. Instead, it is used to generate a new packet that we can inject. It works by making the target AP rebroadcast the packet; each time the AP rebroadcasts it, a new IVS is generated, which is what we use for study.
aireplay-ng -5 -b <AP MAC> -h <your MAC> wifi0

[-5]: fragmented packet attack mode
[-b]: set ap's mac
[-h]: set the mac of the virtual masquerade connection (i.e. the mac of your own NIC)

Packetforge-ng: packet maker
Packetforge-ng mode
[-0]: fake ARP packets
packetforge-ng -0 -a <AP MAC> -h <your MAC> wifi0 -k 255.255.255.255 -l 255.255.255.255 -y <.xor file> -w mrarp
Parameter description.
[-0]: disguise ARP packet
[-a]: set the MAC of the AP
[-h]: set the MAC of the virtual spoofed connection (i.e. your own MAC)
[-k] <ip[:port]>: set the target IP and port
[-l] <ip[:port]>: set the source IP and port
[-y]: read the PRGA from the xor file; followed by the xor file's name
[-w]: set the file name of the disguised ARP packet

Aircrack-ng: the main program for studying WEP and WPA-PSK keys
aircrack-ng [option] <.cap/.ivs file>
Options:
aircrack-ng -n 64 -b <AP MAC> name-01.ivs
Parameter description.
[-n]: set the WEP key length (64/128/152/256/512)
aircrack-ng -x -f 2 name-01h.cap
Parameter description.
[-x]: set to brute-force study mode
[-f]: set the complexity; set to 1 for a WEP password and to 2 for a WPA password
aircrack-ng -w password.txt ciw.cap
[-w]: set to dictionary study mode, followed by the dictionary file and then the capture file containing the WPA authentication packets that we saved at capture time.
