User Tools

Site Tools


arp-request_reinjection

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
arp-request_reinjection [2007/02/19 19:37] darkaudaxarp-request_reinjection [2009/08/14 19:20] – use dokuwiki internal link mister_x
Line 1: Line 1:
 ====== ARP Request Replay Attack ====== ====== ARP Request Replay Attack ======
- 
- 
 ===== Description ===== ===== Description =====
  
 The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably.  The program listens for an ARP packet then retransmits it back to the access point.  This, in turn, causes the access point to repeat the ARP packet with a new IV.  The program retransmits the same ARP packet over and over.  However, each ARP packet repeated by the access point has a new IVs.  It is all these new IVs which allow you to determine the WEP key. The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably.  The program listens for an ARP packet then retransmits it back to the access point.  This, in turn, causes the access point to repeat the ARP packet with a new IV.  The program retransmits the same ARP packet over and over.  However, each ARP packet repeated by the access point has a new IVs.  It is all these new IVs which allow you to determine the WEP key.
 +
 +==== What is ARP? ====
  
 ARP is address resolution protocol:   A TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address.  A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the address in the request then replies with its physical hardware address. ARP is address resolution protocol:   A TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address.  A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the address in the request then replies with its physical hardware address.
 +
 +ARP is the foundation of many attacks in the aircrack-ng suite.  These links will allow you to learn more about ARP:
 +
 +   * [[http://www.pcmag.com/encyclopedia_term/0,2542,t=ARP&i=37988,00.asp|PC Magazine: Definition of ARP]]
 +   * [[http://en.wikipedia.org/wiki/Address_resolution_protocol|Wikipedia: Address Resolution Protocol]]
 +   * [[http://technet2.microsoft.com/windowsserver/en/library/7b77bb1b-5c57-408f-907f-8b474203a5331033.mspx?pf=true|Microsft Technet: Address Resolution Protocol (ARP)]]
 +   * [[http://tools.ietf.org/html/rfc826|RFC 826]]
  
 ===== Usage ===== ===== Usage =====
Line 20: Line 27:
   *ath0 is the wireless interface name\\   *ath0 is the wireless interface name\\
  
-Replaying a previous arp replay.  This is a special case of the [[interactive_packet_replay|interactive packet replay attack]].  It is present here since it is complementary to the ARP requeste replay attack.+There are two methods of replaying an ARP which was previously injected.  The first and simplest method is to use the same command plus the "-r" to read the output file from your last successful ARP replay. 
 + 
 +   aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0 
 + 
 +Where:\\ 
 +  *-3 means standard arp request replay\\ 
 +  *-b 00:13:10:30:24:9C is the access point MAC address\\ 
 +  *-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)\\ 
 +  *-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay\\ 
 +  *ath0 is the wireless interface name\\ 
 + 
 +The second method is a special case of the [[interactive_packet_replay|interactive packet replay attack]].  It is presented here since it is complementary to the ARP request replay attack.
  
    aireplay-ng -2 -r replay_arp-0219-115508.cap ath0    aireplay-ng -2 -r replay_arp-0219-115508.cap ath0
Line 28: Line 46:
   *-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay\\   *-r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay\\
 ath0 is the wireless card interface name\\ ath0 is the wireless card interface name\\
- 
  
 ===== Usage Example ===== ===== Usage Example =====
Line 56: Line 73:
 The second example we will look at is reusing the captured ARP from the example above.  You will notice that it said the ARP requests were being saved in "replay_arp-0219-123051.cap" So rather then waiting for a new ARP, we simply reuse the old ones with the "-r" parameter: The second example we will look at is reusing the captured ARP from the example above.  You will notice that it said the ARP requests were being saved in "replay_arp-0219-123051.cap" So rather then waiting for a new ARP, we simply reuse the old ones with the "-r" parameter:
  
-   aireplay-ng -2  -r replay_arp-0219-123051.cap ath0                          +   aireplay-ng -2 -r replay_arp-0219-123051.cap ath0                          
  
 The system responds: The system responds:
Line 82: Line 99:
    Sent 3181 packets...    Sent 3181 packets...
  
-At this point, if you have not already done so, start [[airmon-ng]] to capture the IVs being generated.  They data count should be inscreasing rapidly.+As well, you can alternatively use per the Usage Section above: 
 + 
 +   aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0 
 + 
 +At this point, if you have not already done so, start [[airodump-ng]] to capture the IVs being generated.  The data count should be increasing rapidly.
  
 ===== Usage Tips ===== ===== Usage Tips =====
Line 90: Line 111:
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
  
-See [[http://aircrack-ng.org/doku.php?id=i_am_injecting_but_the_ivs_don_t_increase|Tutorial: I am injecting but the IVs don't increase!]]+==== I am injecting but the IVs don't increase! ==== 
 +See [[i_am_injecting_but_the_ivs_don_t_increase|Tutorial: I am injecting but the IVs don't increase!]] 
 + 
 +==== I get 'Read XXXXX packets (got 0 ARP requests), sent 0 packets...(0 pps)' - Why it doesn't send any packets? ==== 
 + 
 +Simply because there are no [[http://en.wikipedia.org/wiki/Address_resolution_protocol|ARP]] packets being broadcast into the air and on the network, nothing to replay. If [[aireplay-ng]] doesn't find any of the right packets, it will not be able to replay anything.  Don't forget that 'replay' imply that there's some packets are being broadcast, already sent by a legitimate client/AP. 
 + 
 + 
 +==== Alternate Attack ==== 
 + 
 +Although not a direct troubleshooting tip for the arp request reinjection attack, if you are unable to get the attack to work or there are no arp request packets coming from the access point, there is an alternate attack you should consider: 
 + 
 +  * [[interactive_packet_replay#other_examples|-p 0841 method]]: This technique allows you to reinject any data packet received from the access point and generate IVs. 
 + 
 + 
 +==== General ==== 
 + 
 +Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]].
  
arp-request_reinjection.txt · Last modified: 2010/11/21 16:08 by sleek