fragmentation

fragmentation [2007/01/26 23:46]
mister_x PRAGA -> PRGA
fragmentation [2009/09/05 23:32] (current)
mister_x wiki-files.aircrack-ng.org become download.aircrack-ng.org/wiki-files
Line 1: Line 1:
 ====== Fragmentation Attack ====== ====== Fragmentation Attack ======
- 
- 
 ===== Description ===== ===== Description =====
-This attack, when successful, can obtain 1500 bits of PRGA (pseudo random ​genration ​algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with [[packetforge-ng]] which are in turn used for various injection attacks. ​ It requires at least one data packet ​needs to be received from the access point in order to initiate the attack.+This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random ​generation ​algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with [[packetforge-ng]] which are in turn used for various injection attacks. ​ It requires at least one data packet to be received from the access point in order to initiate the attack.
  
-Basically, the program ​obains ​a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP).  If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. ​ This cycle is repeated ​several times until 1500 bits of PRGA are obtained or sometimes less then 1500 bits.+Basically, the program ​obtains ​a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP).  If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. ​ This cycle is repeated several times until 1500 bytes of PRGA are obtained or sometimes less then 1500 bytes.
  
-The original paper by Andrea Bittau at http://www.toorcon.org/2005/​slides/​abittau/​paper.pdf provides a much more detailed technical description of the technique.+The original paper, [[http://darkircop.org/bittau-wep.pdf|The Fragmentation Attack in Practice]], by Andrea Bittau ​provides a much more detailed technical description of the technique.  A local copy is located [[http://​download.aircrack-ng.org/​wiki-files/​doc/​Fragmentation-Attack-in-Practice.pdf|here]]. ​ Here are [[http://​darkircop.org/​frag.pdf|presentation slides]] of a related paper. ​ A local copy of the slides is located [[http://​download.aircrack-ng.org/​wiki-files/​doc/​Final-Nail-in-WEPs-Coffin.slides.pdf|here]]. ​ Also see the paper "The Final Nail in WEP's Coffin"​ on this page.
  
 ===== Usage ===== ===== Usage =====
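Review bot: 'sometimes less then 1500 bytes' at the end of the second paragraph still needs 'less than'; the bits-to-bytes correction itself is consistent with the '1500 bytes keystream' line quoted in the Usage Example below. In the third paragraph, 'Also see the paper "The Final Nail in WEP's Coffin" on this page' points at nothing on this page other than the slides link just before it, so either name the slides as that paper or drop the sentence.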
Line 33: Line 31:
   *-k IP     : set destination IP in fragments - defaults to 255.255.255.255   *-k IP     : set destination IP in fragments - defaults to 255.255.255.255
   *-l IP     : set source IP in fragments - defaults to 255.255.255.255   *-l IP     : set source IP in fragments - defaults to 255.255.255.255
 +
  
 ===== Usage Example ===== ===== Usage Example =====
  
-Notes: 
-  *The source MAC address used in the attack must be associated with the access point. ​ To do this, you can use [[fake_authentication]] or use a MAC address of existing wireless client. 
  
-  *For madwifi-ng drivers (Atheros chipset), you must change MAC address of your card to the MAC address you will injecting with otherwise the attack will not work. 
  
 Essentially you start the attack with the following command then select the packet you want to try:\\ Essentially you start the attack with the following command then select the packet you want to try:\\
-aireplay-ng -5 -b 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​AB:​CB:​9D ath0\\ +  ​aireplay-ng -5 -b 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​AB:​CB:​9D ath0 
 +  
   Waiting for a data packet...   Waiting for a data packet...
   Read 96 packets...   Read 96 packets...
 +  ​
         Size: 120, FromDS: 1, ToDS: 0 (WEP)         Size: 120, FromDS: 1, ToDS: 0 (WEP)
 +  ​
              ​BSSID ​ =  00:​14:​6C:​7E:​40:​80              ​BSSID ​ =  00:​14:​6C:​7E:​40:​80
          Dest. MAC  =  00:​0F:​B5:​AB:​CB:​9D          Dest. MAC  =  00:​0F:​B5:​AB:​CB:​9D
         Source MAC  =  00:​D0:​CF:​03:​34:​8C         Source MAC  =  00:​D0:​CF:​03:​34:​8C
 +  ​
         0x0000: ​ 0842 0201 000f b5ab cb9d 0014 6c7e 4080  .B..........l~@.         0x0000: ​ 0842 0201 000f b5ab cb9d 0014 6c7e 4080  .B..........l~@.
         0x0010: ​ 00d0 cf03 348c e0d2 4001 0000 2b62 7a01  ....4...@...+bz.         0x0010: ​ 00d0 cf03 348c e0d2 4001 0000 2b62 7a01  ....4...@...+bz.
Line 61: Line 57:
         0x0060: ​ 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1  Q.D...w.....<​R.         0x0060: ​ 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1  Q.D...w.....<​R.
         0x0070: ​ 0505 933f af2f 740e                      ...?./t.         0x0070: ​ 0505 933f af2f 740e                      ...?./t.
 +  ​
    Use this packet ? y    Use this packet ? y
  
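Review bot: the 'Essentially you start the attack ... :\\' line keeps its trailing forced line break even though the command that followed it is now an indented preformatted block, so the '\\' should go. The two Notes deleted at the top of this section are not lost; they return as 'Usage Tips' in the final hunk.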
Line 80: Line 76:
    Now you can build a packet with packetforge-ng out of that 1500 bytes keystream    Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
  
-You have successfully obtained the PRAGA which is stored in the file named by the program. ​ You can now use [[packetforge-ng]] to generate one or more packets to be used for various injection attacks.+You have successfully obtained the PRGA which is stored in the file named by the program. ​ You can now use [[packetforge-ng]] to generate one or more packets to be used for various injection attacks
 + 
 +===== Usage Tips ===== 
 + 
 +  *The source MAC address used in the attack must be associated with the access point. ​ To do this, you can use [[fake_authentication|fake authentication]] or use a MAC address of an existing wireless client. 
 + 
 +  *For madwifi-ng drivers (Atheros chipset), you must change MAC address of your card to the MAC address you will injecting with otherwise the attack will not work.  See this [[faq#​how_do_i_change_my_card_s_mac_address|FAQ entry]] regarding how to change your card's MAC address. 
 + 
 +  * The fragmentation attack sends out a large number of packets that must all be received by the AP for the attack to be successful. ​ If any of the packets get lost then the attack fails. ​ So this means you must a have a good quality connection plus be reasonably close to the AP. 
 + 
 +  * The [[tutorial|tutorials page]] have a number of tutorials which utilize the fragmentation attack. ​ These provide additional examples of how to use it plus usage and troubleshooting information. 
 + 
 +  * When to say no to a packet? ​ You may ask if there are times when you should say "​no"​ to selecting a specific packet. ​ Yes, if you chose a packet before that didn't work, you can ignore this type of packet the next time.  Examples might be strange multicast mac address, or anything else suspicious. 
 + 
 + 
 + 
 +===== Usage Troubleshooting ===== 
 + 
 +==== General ===== 
 + 
 +  * Make sure your card can successfully inject. ​ Use the [[injection_test|injection test]] to confirm your card can inject. 
 +  * Make sure the MAC you are using for injection is associated with the AP. 
 +  * Make sure you are on the same channel as the AP. 
 +  * Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]]. 
 + 
 +Although not a direct troubleshooting tip for the fragmentation attack, if you are unable to get the attack to work, there are some alternate attacks you should consider: 
 + 
 +  * [[korek_chopchop|Korek chopchop Attack]]: This is an alternate technique to obtain PRGA for building packets for subsequent injection. 
 +  * [[interactive_packet_replay#​other_examples|-p 0841 method]]: This technique allows you to reinject any data packet received from the access point and generate IVs. 
 + 
 + 
 +==== "Not enough acks, repeating"​ message ==== 
 + 
 +If you receive a message similar to: 
 + 
 +   ​20:​49:​37 ​ Sending fragmented packet 
 +   ​20:​49:​37 ​ Not enough acks, repeating... 
 +   ​20:​49:​37 ​ Sending fragmented packet 
 +   ​20:​49:​38 ​ Not enough acks, repeating... 
 +   ​20:​49:​38 ​ Sending fragmented packet 
 +   ​20:​49:​39 ​ No answer, repeating... 
 + 
 +Possible reasons are: 
 + 
 +  * Too close or too far from the Access Point 
 +  * The driver is problematic. ​ Especially mac80211 versions of drivers are not as stable at this point as the ieee80211 version. ​ Try the ieee80211 version. ​ Or try a different version of the same driver. ​ This especially applies to the madwifi-ng driver.
  
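Review bot: the new Usage Tips and Troubleshooting text carries a few errors worth fixing before this goes live: the sentence ending 'various injection attacks' lost its closing period; 'the MAC address you will injecting with' should read 'will be injecting with'; 'you must a have a good quality connection' should read 'you must have'; 'The tutorials page have' should read 'has'; and '==== General =====' has four opening and five closing equals signs, unlike the balanced '==== "Not enough acks, repeating" message ====' below it.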
fragmentation.1169851589.txt.gz · Last modified: 2007/01/26 23:46 (external edit)