
Tutorial: The art of ARP amplification

Version: 1.00 June 13, 2007
By: darkAudax

Files linked to this tutorial:

Introduction

This tutorial deals with how to dramatically increase the number of initialization vectors (IVs) generated per second. Capture rates up to 1300 data IVs per second have been achieved! This is done by increasing the number of data packets generated for each packet injected. It is intended for advanced users of the aircrack-ng suite.

There have been many advances whereby aircrack-ng requires fewer and fewer data packets to determine the WEP key. Another approach to reducing the total elapsed time is to increase the rate of IVs collected. This tutorial presents a methodology of increasing the rate of IVs per second by having the wireless LAN generate multiple data packets for each one you inject.

Since this tutorial is intended for advanced users of the aircrack-ng suite, the emphasis is on the theory and reviewing packet captures. It will not provide a howto of the detailed mechanics. Each scenario was tested in real life and does work. If you don't already know how to use the aircrack-ng commands in detail, this tutorial is not for you!

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool.

Please send me any constructive feedback, positive or negative.

Solution

Assumptions used in this tutorial

  • Your wireless rig is working and can inject packets.
  • You are familiar with ARP. More information can be found here or by searching the Internet.
  • You have Wireshark installed and working. Plus you have a basic understanding of how to use it.

Equipment used

Access Point

ESSID: teddy
MAC address: 00:14:6C:7E:40:80
Channel: 9

Aircrack-ng System

IP address: none
MAC address: 00:0F:B5:88:AC:82

Ethernet wired Workstation

IP address: 192.168.1.1
MAC address: 00:D0:CF:03:34:8C

Wireless Workstation

IP address: 192.168.1.59
MAC address: 00:0F:B5:AB:CB:9D

Scenarios

We will look at a variety of scenarios, starting with the typical case of injecting one packet and getting one back, through to injecting one packet and getting three back. This yields data IVs at rates ranging from 350 to 1300 per second! Yes, a capture rate of 1300 data IVs per second. Although the detailed steps are not presented, each scenario was tested in real life and does work.

Here are the scenarios we will be exploring:

  • One for one ARP packets
  • Two for one ARP packets
  • Three for one ARP packets

The following sections assume you have used the KoreK chopchop or Fragmentation attacks to obtain the PRGA. Please read the wiki documentation and the tutorials on how to use these methods. The mechanics of these techniques will not be covered in this tutorial.

It also assumes you know the IP addresses of various devices on the network. Chopchop is the most effective way to determine IP addresses, since it decrypts packets for you; looking at the decrypted packet will give you the IP address and network being used. Alternatively, you can guess the network and typical IPs based on the manufacturer of the Access Point, which can typically be determined from its MAC address. The same goes for DHCP pools, which have standard defaults in each brand. The last method is simply knowing what most people pick as network numbers.

More research is being done on using interactive replay with live packets as an alternate method instead of building packets from scratch. Once this technique is refined, the tutorial will be updated and re-released.

Scenario One - One for one ARP packets

This is typical of what occurs when you use ARP request reinjection. Although it does not provide any extra amplification, we study it for educational purposes and to provide a baseline measurement of the injection speed. In simple terms, for each ARP request we inject, we get one new IV from the AP rebroadcasting it.

We generate an ARP request to inject:

 packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0608-132715.xor -w arp-request-1x.cap 

We inject the packet:

 aireplay-ng -2 -r arp-request-1x.cap ath0

We measure the packets per second with airodump-ng:

 CH  9 ][ Elapsed: 12 s ][ 2007-06-08 14:14                                         
                                                                                                            
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
  00:14:6C:7E:40:80   21  71      130     4532  355   9  54  WEP  WEP         teddy                           
                                                                                                            
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                            
  00:14:6C:7E:40:80  00:0F:B5:88:AC:82   38     0     6666 

As you can see above we achieve roughly 355 new data packets per second.

Let's look at part of the capture. The arp-1x.cap is a representative subset of the full capture.

Use Wireshark to review the capture along with the following description. The easiest way is to use “View –> Expand”. Here is a description of the relevant packets:

  • Packet 1: Your standard beacon.
  • Packet 2: This is the packet we are injecting using aireplay-ng. Notice the DS Status flag is set to “TO DS” meaning from a client going to the AP wired network.
  • Packet 3: The AP acknowledges the packet from the Aircrack-ng system.
  • Packet 4: The ARP request packet is broadcast by the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
  • Packets 5-7 are a repeat of cycle 2-4 above. This cycle would be repeated constantly.

As you can see, there was only one new IV generated per cycle: packet 4.

Scenario Two - Two for one ARP packets

This is where things start to get interesting. By sending an ARP request to a live system, we can get the access point to generate two new IVs for each packet we inject. This increases the rate of data collection significantly.

This is a little harder than it sounds, since we need to know the IP of a wired client attached to the LAN. As described in the introduction, you can determine IPs via a variety of methods. In the following I am using “192.168.1.1” as the destination IP. A critical item for success is to use “10.255.255.255” as the source IP. The source IP cannot be an IP already used in the LAN, and it must be a valid network. You cannot use “255.255.255.255” like we do in many of our other examples.

We generate an ARP request to inject:

 packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -k 192.168.1.1 -l 10.255.255.255 -y fragment-0608-132715.xor -w arp-request-2x.cap

We inject the packet:

 aireplay-ng -2 -r arp-request-2x.cap ath0

We measure the packets per second with airodump-ng:

 CH  9 ][ Elapsed: 8 s ][ 2007-06-08 14:12                                         
                                                                                                            
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
  00:14:6C:7E:40:80   38 100      107    10474  945   9  54  WEP  WEP         teddy                           
                                                                                                            
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                            
  00:14:6C:7E:40:80  00:0F:B5:88:AC:82   37     0    10921  

As you can see above we achieve roughly 945 new data packets per second. This is a substantial increase over the first scenario.

Let's look at part of the capture. The arp-2x.cap is a representative subset of the full capture.

Use Wireshark to review the capture along with the following description. The easiest way is to use “View –> Expand”. Here is a description of the relevant packets:

  • Packet 1: Your standard beacon.
  • Packet 2: This is the packet we are injecting using aireplay-ng. Notice the DS Status flag is set to “TO DS” meaning from a wireless client going to the AP wired network.
  • Packet 3: The AP acknowledges the packet from the Aircrack-ng system.
  • Packet 4: The ARP request packet is broadcast by the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
  • Packet 5: This is the ARP reply packet broadcast by the AP back to our system. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. The source MAC is a wired client. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
  • Packets 6-9 are a repeat of cycle 2-5 above. This cycle would be repeated constantly.

If you count, there were two new IVs generated per cycle: packets 4 and 5.

Scenario Three - Three for one ARP packets

The final scenario is where we generate three new IV data packets for every one that we inject. This scenario is the hardest one to perform successfully. However, when successful, it achieves the highest injection rate.

In this case we need to know the IP of a wireless client currently associated with the access point. As described in the introduction, you can determine IPs via a variety of methods. In the following I am using “192.168.1.89” as the destination IP. A critical item for success is to use “10.255.255.255” as the source IP. The source IP cannot be an IP already used in the LAN, and it must be a valid network. You cannot use “255.255.255.255” like we do in many of our other examples.

We generate an ARP request to inject:

 packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -k 192.168.1.89 -l 10.255.255.255 -y fragment-0608-132715.xor -w arp-request-3x.cap

We inject the packet:

 aireplay-ng -2 -r arp-request-3x.cap ath0 

We measure the packets per second with airodump-ng:

 CH  9 ][ Elapsed: 0 s ][ 2007-06-09 12:52                                         
                                                                                                            
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                            
  00:14:6C:7E:40:80   32 100       30     3797 1294   9  54  WEP  WEP         teddy                           
                                                                                                            
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                            
  00:14:6C:7E:40:80  00:0F:B5:AB:CB:9D   47     0     1342                                                     
  00:14:6C:7E:40:80  00:0F:B5:88:AC:82   33     0     2641               

As you can see above, we achieve roughly 1294 new data packets per second. Wow! This is also a substantial increase over the first scenario. In the airodump-ng screen shot above there are two clients: our attack system and the wireless client we are leveraging.

Let's look at part of the capture. The arp-3x.cap is a representative subset of the full capture.

Use Wireshark to review the capture along with the following description. The easiest way is to use “View –> Expand”. Here is a description of the relevant packets:

  • Packet 1: Your standard beacon.
  • Packet 2: This is the packet we are injecting using aireplay-ng. Notice the DS Status flag is set to “TO DS” meaning from a wireless client going to the AP wired network.
  • Packet 3: The AP acknowledges the packet from the Aircrack-ng system.
  • Packet 4: The ARP request packet is broadcast by the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
  • Packet 5: This is the ARP reply packet being sent by the wireless client to the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. The source MAC is the wireless client. Notice the DS Status flag is set to “TO DS” meaning from a wireless client going to the AP wired network.
  • Packet 6: The AP acknowledges the packet from the wireless client.
  • Packet 7: The ARP request packet from the wireless client is sent to the Aircrack-ng system by the AP. You can verify this by looking at the source and destination MAC addresses. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
  • Packets 8-13 are a repeat of cycle 2-7 above. This cycle would be repeated constantly.

If you count, there were three new IVs generated per cycle: packets 4, 5 and 7.
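The packet walk-throughs for the three scenarios are also what a wireless IDS sees: one station re-sending the same encrypted frame (same IV) over and over, and the AP answering each copy with fresh-IV data frames. The following is an added example written for this page, not code from aircrack-ng or from the tutorial's author; it models scenario three as constructed frame summaries and shows how to flag the replay and measure its amplification from a capture.

```python
"""Flag WEP ARP-replay injection and measure its amplification from an
802.11 frame summary. Added example for this page; not part of aircrack-ng.
The tuple layout and the traffic sample below are constructed."""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:14:6C:7E:40:80"         # access point from the tutorial
INJECTOR = "00:0F:B5:88:AC:82"   # aircrack-ng system
CLIENT = "00:0F:B5:AB:CB:9D"     # wireless workstation

# Frame summary as a capture parser might emit it:
# (src, dst, to_ds, from_ds, iv). Beacons and ACKs carry no IV (None).
def scenario_three(cycles):
    """Constructed traffic modelled on the scenario-three walk-through."""
    frames = [(AP, BROADCAST, False, False, None)]          # beacon
    for n in range(cycles):
        frames += [
            (INJECTOR, BROADCAST, True, False, 0x0A1B2C),   # replayed request: same IV every cycle
            (AP, BROADCAST, False, True, 0x100000 + n),     # AP rebroadcast, fresh IV (packet 4)
            (CLIENT, INJECTOR, True, False, 0x200000 + n),  # client reply, fresh IV (packet 5)
            (AP, INJECTOR, False, True, 0x300000 + n),      # AP relays reply, fresh IV (packet 7)
        ]
    return frames

def replay_suspects(frames, min_repeats=10):
    """Map (station, iv) -> count for TO-DS data frames whose IV repeats at
    least min_repeats times. A normal WEP client moves to a new IV for each
    frame, so heavy repeats from one source are the signature of reinjection."""
    counts = Counter((src, iv) for src, _, to_ds, _, iv in frames
                     if to_ds and iv is not None)
    return {key: n for key, n in counts.items() if n >= min_repeats}

def amplification(frames, injector):
    """Distinct fresh-IV data frames the network produced per injected frame."""
    injected = sum(1 for src, _, to_ds, _, iv in frames
                   if src == injector and to_ds and iv is not None)
    produced = len({iv for src, _, _, _, iv in frames
                    if src != injector and iv is not None})
    return produced / injected if injected else 0.0

if __name__ == "__main__":
    sample = scenario_three(50)
    print(replay_suspects(sample))          # {('00:0F:B5:88:AC:82', 662316): 50}
    print(amplification(sample, INJECTOR))  # 3.0
```

Running the same two functions over the one-for-one and two-for-one walk-throughs yields ratios of 1.0 and 2.0, matching the IV counts per cycle in those sections.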

Important note

The speed you can achieve depends on the hardware used, both the access point's and your own.

See this thread for more information.

arp_amplification.txt · Last modified: 2010/11/21 16:06 by sleek