Sunday, February 12, 2012

Aireplay-ng attacks


Attack 9: Injection Test

This option is used for testing rather than attacking. Not all wireless chipsets support packet ‘injection’. Test if your chipset supports packet injection.

Ex..

aireplay-ng -9 mon0


If an AP is found, aireplay-ng will test injection and give you the output. This is why you bought a specific wireless card that supports injection. You will see how powerful injection can be in later attacks.



Attack 0: Deauthentication

Deauthentication simply kicks clients off of the wireless network. This is useful because when the client reconnects, they often generate an ARP request. (note: you cannot deauth your fake authed card to obtain an ARP request.) In WEP cracking, ARP requests are used to inject and quickly generate IVs. The attack can also force a client to give up the WPA/WPA2 handshake for cracking. Deauth will force a client to give up a hidden ESSID.

            Unlike others, this attack specifically targets the STA (client). If you have issues with this attack make sure you are close enough to the STA.

            This attack requires that you are in monitor mode and that a client is connected to the network you are attacking.


Ex.

aireplay-ng -0 2 –e “jake” –a 00:0C:41:F2:AC:F0 –c 00:23:15:99:2D:1E mon0

o   -0 is the deauth attack

o   2 is the # of deauths you wish to send---0 means infinite

o   -e is the ESSID of the target network

o   -a is the BSSID of the target network

o   -c is the STA or client MAC address of the target network---not using –c will send a deauth to all connected clients.

o   mon0 is the interface used


Attack 1: Fake Authentication

Fake authentication is used to connect to WEP networks. Fake authentication does not mean you have the WEP key and doesn’t mean you bypassed it. It simply means that the AP will accept your MAC address. This is useful when there are no other connected STAs. Fake authentication will not generate any ARP requests.

            The biggest reason why injection attacks fail is because you are not associated with the AP. Using the fake authentication attack solves this problem.

***If your fake auth always fails, MAC address filtering may be enabled***

Ex.

aireplay-ng -1 5 –e “jake” –a 00:0C:41:F2:AC:F0 –h 00:C0:CA:32:3D:85 mon0

·        -1 is the fake auth attack

·        5 is the time in seconds to re-associate. Longer times allow for keep alive packets to be sent, resulting in more traffic.

·        -e is the ESSID of the target network

·        -a is the BSSID of the target network

·        -h is your MAC address

·        mon0 is the interface being used


Issues:

1.      Make sure you are close to the AP

2.      Make sure you are on the same channel as the AP

3.      You can only fake auth to networks using WEP.

4.      Make sure your –a and –h options are correct

5.      If you are using macchanger, check to see if your changed MAC is realistic.



Attack 2: Interactive Packet Replay

            Interactive Packet Replay is used to replay packets and quickly generate IVs for WEP cracking. The tool will grab a packet you want off the network and replay it back to the AP. While any packet can be replayed back, not all of them will successfully generate IVs.

            A certain packet will generate IVs on all access points. This is an ARP request packet. Because the AP sees these packets all the time, it will have no problem replaying it back. Before we successfully replay an ARP request packet we have to know what the packet entails.


            An ARP request packet has the following unique fields:

§  A broadcast destination MAC address of FF:FF:FF:FF:FF:FF

§  The packet will be traveling from a wireless client to the wired network. (the TO DS flag will be set to “1”)

To have aireplay-ng filter out these unique qualities of an ARP request packet we need to use the following options:

·        -d FF:FF:FF:FF:FF:FF

·        -t 1


Before we run this attack we need to fake authenticate first. We also need a client connected to our network to generate the initial ARP request packet. (remember we cannot generate an ARP request from our fake auth) After a successful fake auth, we can begin our packet replay. If you plan to crack the WEP key, make sure to run airodump-ng to capture the IVs you generate.


Ex.

aireplay-ng -2  –b 00:0C:41:F2:AC:F0 -d FF:FF:FF:FF:FF:FF –t 1 mon0


·        -2 will specify the interactive replay attack

·        -b is for the BSSID

·        -d is the destination MAC we are looking for

·        -t 1 will set the TO DS flag bit to 1

·        mon0 is the interface we are using


When the command is run it will look like above. If you look at the packet aireplay-ng grabbed, it is exactly what we filtered out. (try using deauth to force a client to send out an ARP request packet)

Press “y” and enter to use this packet. If you choose “no” aireplay-ng will continue to look for packets.




Aireplay-ng will begin replaying the packet you selected. The smaller the packet size, the faster you will generate IVs.

If you are having issues finding the right packet to inject, try the modified packet replay method. This method is very similar but instead of grabbing a real packet it will modify a packet to act like an ARP request packet.

Ex.

aireplay-ng -2  –b 00:0C:41:F2:AC:F0 –t 1 -d FF:FF:FF:FF:FF:FF  -p0841 mon0

·        -p 0841 will set the Frame control field to make the packet seem as though it’s being sent from a wireless client

·        See above example for explanations on the other options



Attack 3: ARP Request Replay Attack


The best way to generate new IVs is to use the ARP request replay attack. This attack is the most reliable and is the attack I prefer to use over interactive packet replay. The attack simply captures an ARP packet and automatically repeats it to the AP you specify. Because it is an ARP request packet, the AP will retransmit the packet and generate a new IV each time it does so. This allows us to capture a large amount of IVs very quickly for later WEP cracking.

This attack is used on a WEP encrypted network. It requires that you have your card in monitor mode. We need a client on the victim network for this attack to be successful because somebody needs to generate the initial ARP request packet. It is recommended that you run airodump-ng to capture the IVs you generate.


Ex.


aireplay-ng -3 –b 00:0C:41:F2:AC:F0 –h 00:23:15:99:2D:1E mon0

o   -3 specifies the ARP Request Replay Attack

o   -b is the BSSID

o   -h is the source MAC address. This address can be a connected client or our address from fake auth.

o   mon0 is the interface used




Attack 4: KoreK chopchop attack


            The KoreK chopchop attack is used to decrypt WEP encrypted packets. This attack will get the PGRA stream XOR file which is used to decrypt the WEP packets. This is often used with packetforge-ng to forge packets used for injection, but can also be used with wireshark to view decrypted packets. It is important to understand that the chopchop attack DOES NOT reveal the WEP key.

            Note that not all APs are vulnerable to this attack and that it is much slower than the fragmentation attack. However, unlike the fragmentation attack, you do not need to know any IP addresses for a successful chopchop attack.

            Before we attack, we should fake auth with the AP so the frames we send from our card are not dropped.


Ex.

aireplay-ng -4 –h 00:C0:CA:32:3D:85 –b 00:0C:41:F2:AC:F0 mon0

·        -4 specifies the chopchop attack

·        -h is the our MAC used in fake auth

·        -b is the BSSID

·        mon0 is the interface used


Aireplay-ng will begin to read packets. Once you find a packet you wish to decrypt, hit “y” to continue.



The attack can take some time. After it is complete the XOR file will be saved in the directory you launched the attack from. This XOR file can then be used with packetforge-ng and later injected.



Attack 5: Fragmentation Attack

            The fragmentation attack will also get the PGRA stream XOR file. This file is used to decrypt packets and is also necessary to create packets with packetforge-ng. This attack is often faster and more successful compared to the chopchop attack.

            This attack requires that you set the destination and source IP address. If you do not specify a source or destination IP, it will default them both to 255.255.255.255. Lucky for us, most APs will accept this as valid. Because this attack sends out a large number of packets, good signal quality with the AP is important before you start this attack.

Fake auth your card before this attack.

Ex.


aireplay-ng -5 –b 00:0C:41:F2:AC:F0 –h 00:C0:CA:32:3D:85 mon0

·        -5 chooses the fragmentation attack

·        -b is the BSSID

·        -h is your MAC from fake auth

·        mon0 is the interface used


Optional filter arguments:


·        -k set the destination IP address (default is 255.255.255.255 if unset)

·        -l set the source IP address (default is 255.255.255.255 if unset)

·        -m sets minimum packet length

·        -n sets the maximum packet length




Aireplay-ng will begin to read packets. Once you find a packet you wish to decrypt, hit “y” to continue. Remember that the smaller the packet, the faster your injection speed will be.




            This is a successful fragmentation attack. Aireplay-ng saved the output into the “fragment-01130-203902.xor” file. This file is located in your current directory and can be used later to create a packet using packetforge-ng.










Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)