wds
Differences
This shows you the differences between two versions of the page.
wds [2007/10/07 19:15] – add extra enhancement requests darkaudax | wds [2009/08/17 15:43] – Added working airtun-ng attack aspj | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: | ====== Tutorial: | ||
- | Version: 1.01 October 7, 2007 \\ | + | Version: 1.02.1 February 9, 2008 \\ |
By: darkAudax \\ | By: darkAudax \\ | ||
\\ | \\ | ||
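Review bot: The version line on the new side still reads "Version: 1.02.1 February 9, 2008", although this revision is dated 2009/08/17 and its summary says it adds a working airtun-ng attack. Bump the version number and date in the header as part of this edit so readers can tell the tutorial body changed after February 2008.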
Line 8: | Line 8: | ||
[[http:// | [[http:// | ||
[[http:// | [[http:// | ||
+ | |||
Line 23: | Line 24: | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | I would like to acknowledge and thank the [[http:// | + | I would like to acknowledge and thank the [[http:// |
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
Line 34: | Line 35: | ||
* You have Wireshark installed and working. | * You have Wireshark installed and working. | ||
* You are using the latest aircrack-ng 1.0dev version or above. | * You are using the latest aircrack-ng 1.0dev version or above. | ||
- | |||
- | In the examples, the option " | ||
- | |||
====Equipment used==== | ====Equipment used==== | ||
Line 110: | Line 108: | ||
* The WDS sends out probe packets for the specific AP as well as " | * The WDS sends out probe packets for the specific AP as well as " | ||
* The client line above only reflects the probes and probe responses. | * The client line above only reflects the probes and probe responses. | ||
- | |||
- | |||
==== Attacks which work ==== | ==== Attacks which work ==== | ||
Line 118: | Line 114: | ||
Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit. So fake authentication is not required. | Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit. So fake authentication is not required. | ||
+ | airtun-ng can inject plaintext and WEP packets into a WDS link. That's even possible when airtun-ng only sees one of the two WDS nodes! (Note that in this case only clients behind this node are reachable) | ||
==== Attacks which do not work ==== | ==== Attacks which do not work ==== | ||
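Review bot: The added airtun-ng paragraph under "Attacks which work" does not say which aircrack-ng release the behaviour was verified on, while the assumptions list only asks for "1.0dev version or above". State the tested version next to the claim. The wording also needs a pass: "That's even possible when ..." is more informal than the surrounding text, and the parenthetical "(Note that in this case only clients behind this node are reachable)" is missing its closing period and would read better as its own sentence, since it is the main limitation of the one-node case.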
Line 152: | Line 149: | ||
- | ==== wds.authentication.cap | + | === wds.authentication.cap === |
This capture shows the WDS AP authenticating and associating with the main AP. It contains the the typical probes followed by authentication and finally association. | This capture shows the WDS AP authenticating and associating with the main AP. It contains the the typical probes followed by authentication and finally association. | ||
- | ==== arp.request.from.ap.wired.client.cap | + | === arp.request.from.ap.wired.client.cap === |
A wired client attached to the main access point sends out an arp request packet. | A wired client attached to the main access point sends out an arp request packet. | ||
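Review bot: The unchanged line under the wds.authentication.cap heading still reads "It contains the the typical probes"; since this hunk edits the heading directly above it, fix the doubled "the" in the same revision. For the heading change from "====" to "===", which is applied to all four capture-file headings in this diff, confirm that they now sit under a parent section one level up so the outline does not skip a level.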
Line 162: | Line 159: | ||
- | ==== arp.request.from.wds.wired.client.cap | + | === arp.request.from.wds.wired.client.cap === |
A wired client attached to the WDS access point sends out an arp request packet. | A wired client attached to the WDS access point sends out an arp request packet. | ||
Line 168: | Line 165: | ||
- | ==== ap.wired.client.ping.wds.wired.client.cap | + | === ap.wired.client.ping.wds.wired.client.cap === |
A wired client attached to the main access point sends out a ping to a wired client attached to the WDS AP. Please note that an arp request/ | A wired client attached to the main access point sends out a ping to a wired client attached to the WDS AP. Please note that an arp request/ | ||
The existing aircrack-ng tools can capture this and break the WEP key. | The existing aircrack-ng tools can capture this and break the WEP key. | ||
- |
wds.txt · Last modified: 2018/03/11 19:08 by mister_x