This shows you the differences between two versions of the page.
korek_chopchop [2007/07/03 00:13] mister_x fixed typo
korek_chopchop [2007/12/20 17:59] darkaudax add unauthenticated chopchop example
Line 19: | Line 19: | ||
Although it is not shown, you may use any of the other [[aireplay-ng]] filters. The main page of [[aireplay-ng]] has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. | Although it is not shown, you may use any of the other [[aireplay-ng]] filters. The main page of [[aireplay-ng]] has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. | ||
+ | |||
+ | If the "-h" option is omitted, then a unauthenticated chopchop attack is performed. See the example below for more details. | ||
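Review bot: the added sentence has an article error, "a unauthenticated chopchop attack" should read "an unauthenticated chopchop attack". It also points the reader to "the example below" without naming it; since this same revision adds a section titled "Chopchop Without Authentication", referring to that section by name would make the cross-reference unambiguous.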
Line 26: | Line 28: | ||
==== Example with sample output ==== | ==== Example with sample output ==== | ||
+ | |||
+ | This is an example an authenticated chopchop attack. Meaning you must first perform a fake authentication and use the source MAC with the "-h" option. Essentially this causes all packets to be sent with the source MAC specified by "-h" and the destination MAC will vary with 256 combinations. | ||
aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0 | aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0 | ||
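Review bot: the first added sentence is missing a word, "This is an example an authenticated chopchop attack" should be "This is an example of an authenticated chopchop attack", and the fragment that follows ("Meaning you must first ...") should be joined to it, e.g. "..., meaning you must first perform a fake authentication and use that source MAC with the "-h" option." The paragraph implies but never states outright that the MAC given to "-h" has to be the same one used for the fake authentication; saying so explicitly would remove the most likely reader mistake.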
Line 120: | Line 124: | ||
Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. | Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. | ||
+ | |||
+ | |||
+ | ==== Chopchop Without Authentication ==== | ||
+ | |||
+ | This is an example of chopchop attack without authentication. Meaning you do not need to perform a fake authentication first and you omit the "-h" option. Essentially this causes all packets to be sent with the 256 random source MAC addresses and a broadcast destination MAC. | ||
+ | |||
+ | This only works with a very limited number Access Points (AP). For APs which are vulnerable, they will only send a deauthentication packet if the source packet was valid. If this is the case, then one byte has been successfully determined. | ||
+ | |||
+ | aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0 | ||
+ | |||
+ | Where: | ||
+ | *-4 means the chopchop attack | ||
+ | * -b 00:14:6C:7E:40:80 is the access point MAC address | ||
+ | *ath0 is the wireless interface name | ||
+ | |||
==== Generating an ARP packet ==== | ==== Generating an ARP packet ==== |
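Review bot: the "Where:" list is inconsistently formatted, "*-4" and "*ath0" lack the space after the asterisk that "* -b 00:14:6C:7E:40:80" has, and DokuWiki only renders an unordered list when each item starts with two leading spaces before the asterisk, so as written these three lines will probably render as plain text rather than a list. In the prose, "a very limited number Access Points (AP)" is missing "of". The explanation of why the attack only works against some APs ("they will only send a deauthentication packet if the source packet was valid") would also be more useful if it told the reader what to expect when an AP is not vulnerable, so they can distinguish an unsupported AP from a misconfigured run.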