korek_chopchop
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision | Last revision Both sides next revision | ||
|
korek_chopchop [2007/07/03 00:13] mister_x fixed typo |
korek_chopchop [2007/12/20 17:59] darkaudax add unauthenticated chopchop example |
||
|---|---|---|---|
| Line 19: | Line 19: | ||
| Although it is not shown, you may use any of the other [[aireplay-ng]] filters. The main page of [[aireplay-ng]] has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. | Although it is not shown, you may use any of the other [[aireplay-ng]] filters. The main page of [[aireplay-ng]] has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. | ||
| + | |||
| + | If the "-h" option is omitted, then a unauthenticated chopchop attack is performed. See the example below for more details. | ||
| Line 26: | Line 28: | ||
| ==== Example with sample output ==== | ==== Example with sample output ==== | ||
| + | |||
| + | This is an example an authenticated chopchop attack. Meaning you must first perform a fake authentication and use the source MAC with the "-h" option. Essentially this causes all packets to be sent with the source MAC specified by "-h" and the destination MAC will vary with 256 combinations. | ||
| aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0 | aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0 | ||
| Line 120: | Line 124: | ||
| Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. | Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. | ||
| + | |||
| + | |||
| + | ==== Chopchop Without Authentication ==== | ||
| + | |||
| + | This is an example of chopchop attack without authentication. Meaning you do not need to perform a fake authentication first and you omit the "-h" option. Essentially this causes all packets to be sent with the 256 random source MAC addresses and a broadcast destination MAC. | ||
| + | |||
| + | This only works with a very limited number Access Points (AP). For APs which are vulnerable, they will only send a deauthentication packet if the source packet was valid. If this is the case, then one byte has been successfully determined. | ||
| + | |||
| + | aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0 | ||
| + | |||
| + | Where: | ||
| + | *-4 means the chopchop attack | ||
| + | * -b 00:14:6C:7E:40:80 is the access point MAC address | ||
| + | *ath0 is the wireless interface name | ||
| + | |||
| ==== Generating an ARP packet ==== | ==== Generating an ARP packet ==== | ||
korek_chopchop.txt ยท Last modified: 2009/06/02 19:24 by mister_x
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International
