| Both sides previous revisionPrevious revision | Last revisionBoth sides next revision |
| korek_chopchop [2007/07/03 00:13] – fixed typo mister_x | korek_chopchop [2007/12/20 17:59] – add unauthenticated chopchop example darkaudax |
|---|
| |
| Although it is not shown, you may use any of the other [[aireplay-ng]] filters. The main page of [[aireplay-ng]] has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. | Although it is not shown, you may use any of the other [[aireplay-ng]] filters. The main page of [[aireplay-ng]] has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. |
| | |
| | If the "-h" option is omitted, then a unauthenticated chopchop attack is performed. See the example below for more details. |
| |
| |
| |
| ==== Example with sample output ==== | ==== Example with sample output ==== |
| | |
| | This is an example an authenticated chopchop attack. Meaning you must first perform a fake authentication and use the source MAC with the "-h" option. Essentially this causes all packets to be sent with the source MAC specified by "-h" and the destination MAC will vary with 256 combinations. |
| |
| aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0 | aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0 |
| |
| Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. | Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. |
| | |
| | |
| | ==== Chopchop Without Authentication ==== |
| | |
| | This is an example of chopchop attack without authentication. Meaning you do not need to perform a fake authentication first and you omit the "-h" option. Essentially this causes all packets to be sent with the 256 random source MAC addresses and a broadcast destination MAC. |
| | |
| | This only works with a very limited number Access Points (AP). For APs which are vulnerable, they will only send a deauthentication packet if the source packet was valid. If this is the case, then one byte has been successfully determined. |
| | |
| | aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0 |
| | |
| | Where: |
| | *-4 means the chopchop attack |
| | * -b 00:14:6C:7E:40:80 is the access point MAC address |
| | *ath0 is the wireless interface name |
| | |
| |
| ==== Generating an ARP packet ==== | ==== Generating an ARP packet ==== |
