#11
Turns off the wifi adapter,
puts the wifi adapter into a listening mode that won't transmit packets, but will instead enable reading of packets for a particular channel,
turns the wifi adapter back on,
then runs the aireplay program, performing a test.
The test runs through checking if packet injection will work.

Attack modes:

-0 <count>, --deauth=<count>
This attack sends deauthentication packets to one or more clients which are currently associated with a particular access point. Deauthenticating clients can be done for a number of reasons: recovering a hidden ESSID (an ESSID which is not being broadcast; another term for this is "cloaked"), capturing WPA/WPA2 handshakes by forcing clients to reauthenticate, or generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected). Of course, this attack is totally useless if there are no associated wireless clients or on fake authentications.

-1 <delay>, --fakeauth=<delay>
The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Points.

-2, --interactive
This attack allows you to choose a specific packet for replaying (injecting). The attack can obtain packets to replay from two sources: the first being a live flow of packets from your wireless card, the second being from a pcap file. Reading from a file is an often overlooked feature of aireplay-ng. It allows you to read packets from other capture sessions, and quite often various attacks generate pcap files for easy reuse. A common use is reading a file containing a packet you created with packetforge-ng.

-3, --arpreplay
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.

-4, --chopchop
This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, some access points are not vulnerable to this attack. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay tries to guess the rest of the missing data, as far as the headers are predictable. If an IP packet is captured, it additionally checks if the checksum of the header is correct after guessing the missing parts of it. This attack requires at least one WEP data packet.

-5, --fragment
This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.

-6, --caffe-latte
In general, for an attack to work, the attacker has to be in range of an AP and a connected client (fake or real). The Caffe Latte attack allows you to gather enough packets to crack a WEP key without the need of an AP; it just needs a client to be in range.

-7, --cfrag
This attack turns IP or ARP packets from a client into ARP requests against the client. This attack works especially well against ad-hoc networks. It can also be used against softAP clients and normal AP clients.

-9, --test
Tests injection and quality.
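The deauthentication mode (-0) described above is also the one a wireless IDS most often has to spot: a burst of deauth or disassociation management frames from one transmitter, frequently addressed to the broadcast MAC so every client is kicked at once. The following is an added example, not code from the forum post or from the aircrack-ng project: it decodes the standard 24-byte 802.11 management header (frame control, duration, three addresses, sequence control), reads the little-endian reason code that deauth/disassoc frames carry in their body, and raises an alert when one source address exceeds a sliding-window threshold. The capture it runs on is constructed inline, and the window and threshold values are assumptions to be tuned per site.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPE = 0x0C      # 802.11 management subtype 12 (deauthentication)
DISASSOC_SUBTYPE = 0x0A    # 802.11 management subtype 10 (disassociation)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame: bytes):
    """Decode the 24-byte 802.11 MAC header of a management frame.
    Returns (subtype, addr1, addr2, addr3, reason_code) or None when the
    frame is truncated or is not a management frame (type 0, version 0)."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    version = fc0 & 0x03
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    if version != 0 or ftype != 0:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    body = frame[24:]
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(body) >= 2:
        reason = struct.unpack("<H", body[:2])[0]   # little-endian reason code
    return subtype, mac_str(addr1), mac_str(addr2), mac_str(addr3), reason


def build_mgmt_frame(subtype: int, dst: bytes, src: bytes, bssid: bytes, reason: int = 0) -> bytes:
    """Constructed test frame: FC(2) Duration(2) Addr1 Addr2 Addr3 SeqCtl(2) [reason(2)]."""
    fc = bytes([subtype << 4, 0x00])           # version 0, type 0 (management)
    hdr = fc + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    if subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        hdr += struct.pack("<H", reason)
    return hdr


def detect_deauth_floods(frames, window=10.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in time order.
    One alert per transmitter whose deauth/disassoc count inside any sliding
    `window` reaches `threshold` (both values are assumed defaults). Whether the
    frames were broadcast is recorded, since a flood that drops every client at
    once is the usual pattern of the tool described above."""
    recent = defaultdict(deque)          # transmitter mac -> deque of timestamps
    alerted = set()
    alerts = []
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        subtype, dst, src, bssid, reason = parsed
        if subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src, "bssid": bssid, "count": len(q),
                "broadcast": dst == BROADCAST, "last_reason": reason,
                "first_ts": q[0], "last_ts": ts,
            })
    return alerts


def sample_capture():
    """Constructed capture: one ordinary deauth (reason 3, station leaving),
    one data frame the parser must skip, then a burst of 25 broadcast deauths
    sent with the AP's own address as transmitter within 1.25 seconds."""
    ap = bytes.fromhex("00aabbccdd01")        # constructed, not a real device
    client = bytes.fromhex("00112233aabb")    # constructed, not a real device
    bcast = b"\xff" * 6
    frames = [(0.0, build_mgmt_frame(DEAUTH_SUBTYPE, client, ap, ap, reason=3))]
    frames.append((0.5, bytes([0x08, 0x00]) + b"\x00" * 22))   # type 2 = data
    for i in range(25):
        frames.append((100.0 + i * 0.05,
                       build_mgmt_frame(DEAUTH_SUBTYPE, bcast, ap, ap, reason=7)))
    return frames


if __name__ == "__main__":
    for alert in detect_deauth_floods(sample_capture()):
        print(alert)
```

The single deauth at t=0 never trips the detector, because by the time the burst starts it has aged out of the window; the burst itself is flagged on its tenth frame, with the broadcast destination and the repeated reason code recorded so an analyst can tell a management-frame flood from a client legitimately leaving. On a live system the frames would come from a monitor-mode capture rather than the constructed list.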