broadcast_key_rotation

Differences

This shows you the differences between two versions of the page.

broadcast_key_rotation [2010/08/11 17:40]
lmeiners created
broadcast_key_rotation [2010/08/29 19:42] (current)
mister_x Fixed channel/frequency graph link
Line 1: Line 1:
-=== Tutorial: Bypassing Broadcast Key Rotation in WPA Migration Mode ===+====== Tutorial: Bypassing Broadcast Key Rotation in WPA Migration Mode ======
 Version: 1.0 August 11, 2010 \\ Version: 1.0 August 11, 2010 \\
 By: Leandro Meiners and Diego Sor By: Leandro Meiners and Diego Sor
  
-=== Introduction ===+===== Introduction ​=====
  
 This tutorial walks you through cracking WPA Migration Mode with Broadcast Key Rotation enabled. It assumes you have a working wireless card with drivers already patched for injection. This tutorial walks you through cracking WPA Migration Mode with Broadcast Key Rotation enabled. It assumes you have a working wireless card with drivers already patched for injection.
Line 21: Line 21:
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
  
-=== Assumptions ===+===== Assumptions ​=====
 First, this solution assumes: ​ First, this solution assumes: ​
  
Line 30: Line 30:
 Ensure all of the above assumptions are true; otherwise the advice that follows will not work. In the examples below, you will need to change “wlan0” to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true; otherwise the advice that follows will not work. In the examples below, you will need to change “wlan0” to the interface name which is specific to your wireless card.
  
-=== Equipment used ===+===== Equipment used =====
  
 In this tutorial, here is what was used:  In this tutorial, here is what was used: 
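Review bot: the new level-2 heading "Equipment used" is in sentence case, while the sub-heading introduced by the same edit, "Solution Overview", is in title case. Since every heading on the page is being re-levelled anyway, pick one capitalisation style and apply it to all of them in this pass.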
Line 41: Line 41:
 You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network. You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.
  
-=== Solution === +===== Solution ​===== 
-=== Solution Overview ===+==== Solution Overview ​====
  
 To bypass Broadcast Key Rotation, fake authentication as a WEP client must be carried out to force the access point to switch back to using the static WEP key to encrypt broadcast traffic. ​ To bypass Broadcast Key Rotation, fake authentication as a WEP client must be carried out to force the access point to switch back to using the static WEP key to encrypt broadcast traffic. ​
Line 55: Line 55:
 http://​www.youtube.com/​watch?​v=mwpB2zXxYo4 http://​www.youtube.com/​watch?​v=mwpB2zXxYo4
  
-=== Step 1 - Start the wireless interface in monitor mode on AP channel ===+==== Step 1 - Start the wireless interface in monitor mode on AP channel ​====
  
 The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets. ​ The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets. ​
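Review bot: the unchanged paragraph under the Step 1 heading still reads "Monitor mode is mode whereby your card can listen to every packet in the air", which is missing an article; as this edit already touches the section, change it to "Monitor mode is a mode whereby ...". The last sentence of the same paragraph, "As well, only (there are some rare exceptions) monitor mode allows you to inject packets", would read more clearly as "With rare exceptions, only monitor mode allows you to inject packets."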
Line 94: Line 94:
           Retry  long limit:​7 ​  RTS thr:​off ​  ​Fragment thr:off           Retry  long limit:​7 ​  RTS thr:​off ​  ​Fragment thr:off
           Power Management:​off           Power Management:​off
-          
 </​code> ​ </​code> ​
  
Line 100: Line 99:
 In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. ​ In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. ​
  
-To match the frequency to the channel, check out: http://www.rflinx.com/help/calculations/#​2.4ghz_wifi_channels then select the “Wifi ​Channel ​Selection and Channel Overlap” tab. This will give you the frequency for each channel.+To match the frequency to the channel, check out: http://www.cisco.com/en/US/​docs/​wireless/​technology/​channel/​deployment/​guide/Channel.html#​wp134132 ​. This will give you the frequency for each channel.
  
-=== Step 2 - Use aireplay-ng to do a fake authentication with the access point ===+==== Step 2 - Use aireplay-ng to do a fake authentication with the access point ====
  
 In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. ​ In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. ​
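Review bot: the changed "To match the frequency to the channel" line replaces one external URL with another deep link that depends on a fragment anchor (#wp134132), so the step will break again if the vendor page is moved or renumbered. Suggest stating the mapping inline beside the link: for 2.4 GHz channels 1 to 13 the centre frequency is 2407 + 5 × channel MHz, which gives the 2.447 GHz reported above for channel 8. The space left before the full stop after the URL is presumably there to keep the dot out of the auto-linked address; explicit link markup of the form [[url|text]] would be cleaner.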
broadcast_key_rotation.1281541237.txt.gz · Last modified: 2010/08/11 17:40 by lmeiners