Page history: supported_packets created 2008/08/06 18:27 by darkaudax; current revision 2010/11/20 23:18 (typos) by sleek.
====== Tutorial: Packets Supported for the PTW Attack ======
Version: 1.03 August 14, 2008\\
By: darkAudax

This tutorial explores in more detail which packet types the PTW attack can use. Hopefully it will allow people to understand when alternate techniques are to be used.

Another important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys.

This [[http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/llc.html|web page]] briefly describes the IEEE 802.3 Logical Link Control. It explains the LLC terms (DSAP, SSAP, control field) used in the table below:
| |
^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^
|Spanning Tree 802.1D (STP)|Destination MAC 01:80:C2:00:00:00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent loops between switches|No.|
|Port Aggregation Protocol (PAgP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle ports on Catalyst switches into EtherChannel. Similar to Ethernet bonding in the Linux world.|No|
|VLAN Trunking Protocol (VTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual LANs (VLANs)|No|
|Cisco Inter Switch Link (ISL)|Destination MAC 01:00:0C:00:00:00|Unknown|Cisco version. Functionally similar to 802.1q.|Unknown|
|Dynamic Trunking Protocol (DTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2004|Negotiates trunk port mode between Cisco Catalyst switches.|No|
|Cisco Spanning Tree PVST+|Destination MAC 01:00:0C:CC:CC:CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010B|Cisco proprietary version of the Spanning Tree Protocol.|No|
|Cisco STP Uplink Fast|Destination MAC 01:00:0C:CD:CD:CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x200A|Speeds up STP convergence time in the presence of redundant links on networks consisting of Catalyst switches.|No|
|Cisco VLAN Bridge STP|Destination MAC 01:00:0C:CD:CD:CE|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010C|Operates on top of IEEE STP to bridge VLANs while running a single instance of STP. Indicates presence of Catalyst 6000/6500 switches with Multilayer Switch Feature Cards (MSFCs) installed.|No|
|Cisco Sync|Destination MAC 01:00:0C:EE:EE:EE|Unknown|Sent by the root bridge on VLAN 1 every 2 minutes. Helps to maintain an accurate STP topology.|Unknown|
|Cisco Discovery Protocol (CDP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2000|CDP is used to discover and announce network devices.|No|
For PTW we need "key length plus 3 bytes" of keystream. As an example: a 40 bit WEP key is 5 bytes long, so we need "5 bytes plus 3 bytes", thus 8 keystream bytes. Keystream bytes are bytes whose unencrypted value we know, because WEP encrypts by XORing the plaintext with the RC4 keystream.

For ARP packets, we know 22 keystream bytes. ARPs can be used for 40 and 104 bit WEP cracking.

For IP packets, we know 9 bytes for sure, so 40 bit WEP is no problem. For 104 bit WEP, there are 2 bytes which are completely unknown; these are bruteforced. One final byte is guessed, since there are only three possibilities.
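The byte accounting behind these numbers, as an added example that is not part of the original page: where the 22 known ARP bytes and the 9 known IP bytes come from, how many keystream bytes each key length needs, and how known plaintext reveals keystream under WEP's XOR. The LLC/SNAP and ARP field layouts are standard; the sender MAC and keystream values are constructed, and inferring the ARP opcode from a broadcast destination is an assumption about how the 22 bytes are counted.

```python
# Added example: keystream accounting for PTW on WEP (not aircrack-ng code).
WEP_KEY_BYTES = {40: 5, 104: 13}          # key length in bytes, excluding the 24-bit IV

def keystream_bytes_needed(key_bits: int) -> int:
    """PTW needs 'key length plus 3 bytes' of known keystream."""
    return WEP_KEY_BYTES[key_bits] + 3

# Known plaintext at the start of an encrypted 802.11 data frame body.
LLC_SNAP_ARP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06])  # 8 bytes, EtherType ARP
LLC_SNAP_IP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00])   # 8 bytes, EtherType IPv4
ARP_FIXED = bytes([0x00, 0x01, 0x08, 0x00, 0x06, 0x04])                 # htype, ptype, hlen, plen
BROADCAST = b"\xff" * 6
SENDER_MAC = bytes.fromhex("001122334455")                              # constructed value

def arp_known_plaintext(sender_mac: bytes, dest_mac: bytes) -> bytes:
    """22 bytes: LLC/SNAP (8) + fixed ARP fields (6) + opcode (2) + sender MAC (6).
    Assumption: a broadcast destination means a request (opcode 1), else a reply (2);
    the sender MAC is readable from the unencrypted 802.11 source address."""
    opcode = b"\x00\x01" if dest_mac == BROADCAST else b"\x00\x02"
    return LLC_SNAP_ARP + ARP_FIXED + opcode + sender_mac

def ip_known_plaintext() -> bytes:
    """9 bytes known for sure: LLC/SNAP (8) + IPv4 version/IHL byte 0x45."""
    return LLC_SNAP_IP + b"\x45"

def keystream_shortfall(known_bytes: int, key_bits: int) -> int:
    """Keystream bytes still missing; >0 means they must be guessed or bruteforced."""
    return max(0, keystream_bytes_needed(key_bits) - known_bytes)

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """WEP is plaintext XOR RC4 keystream, so each known plaintext byte yields one keystream byte."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))

def demo_recover(keystream: bytes) -> bytes:
    """Encrypt the known ARP header with a constructed keystream, then recover that keystream."""
    plain = arp_known_plaintext(SENDER_MAC, BROADCAST)
    cipher = bytes(p ^ k for p, k in zip(plain, keystream))
    return recover_keystream(cipher, plain)

if __name__ == "__main__":
    for bits in (40, 104):
        print(bits, "bit: need", keystream_bytes_needed(bits),
              "ARP shortfall", keystream_shortfall(22, bits),
              "IP shortfall", keystream_shortfall(len(ip_known_plaintext()), bits))
```

For 104 bit WEP the IP shortfall is 7 bytes, which is why the text above describes bruteforcing and guessing the remaining header bytes rather than reading them off the packet.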

===== Handy URLs =====

  * [[http://www.cavebear.com/archive/cavebear/Ethernet/multicast.html|Multicast Addresses]]
  * [[http://www.iana.org/assignments/ethernet-numbers|Ether Types]]
