tkiptun-ng

Differences

This shows you the differences between two versions of the page.

tkiptun-ng [2009/03/10 16:43] – updated to reflect which drivers are now working and which parts are working. darkaudax
tkiptun-ng [2009/05/03 20:03] – Fixed broken URL darkaudax
Line 9: Line 9:
 Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA".
  
-Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack.  This attack is described in the paper, [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://arstechnica.com/articles/paedia/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman.+Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack.  This attack is described in the paper, [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://arstechnica.com/security/news/2008/11/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman.
  
 Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check).  This is done via [[chopchoptheory|chopchop]]-type method.  Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated. Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check).  This is done via [[chopchoptheory|chopchop]]-type method.  Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.
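Review bot: the changed paragraph still reads "proof-of-concept implementation the WPA/TKIP attack" and "An additional excellent references" on the new side; since this revision already rewrites that line to fix the Ars Technica URL, add the missing "of" and make it "An additional excellent reference" in the same edit. The unchanged context paragraph after it has a similar slip worth fixing in a follow-up: "the MICHAEL algorithm is reversed the MIC key ... can be calculated" needs "and" between the two clauses, otherwise the sentence does not say that recovering the MIC key is the result of reversing MICHAEL. The commit message "Fixed broken URL" is accurate for what changed, but it would help to name which link was replaced, since the paragraph contains two.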
tkiptun-ng.txt · Last modified: 2009/09/27 16:01 by darkaudax