Differences

This shows you the differences between two versions of the page.

--- wds [2007/10/03 18:12] – created Tutorial: How to crack WEP on a Wireless Distribution System (WDS)? darkaudax
+++ wds [2018/03/11 19:08] (current) – Removed links to trac mister_x
@@ Line 1: / Line 1: @@
 ====== Tutorial:  How to crack WEP on a Wireless Distribution System (WDS)? ======
-Version: 1.00 October 3, 2007 \\
+Version: 1.02.1 February 9, 2008 \\
 By: darkAudax \\
 \\
@@ Line 8: / Line 8: @@
 [[http://download.aircrack-ng.org/wiki-files/other/arp.request.from.wds.wired.client.cap|arp.request.from.wds.wired.client.cap]] \\
 [[http://download.aircrack-ng.org/wiki-files/other/ap.wired.client.ping.wds.wired.client.cap|ap.wired.client.ping.wds.wired.client.cap]] \\
@@ Line 23: / Line 24: @@
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
-I would like to acknowledge and thank the [[http://trac.aircrack-ng.org|Aircrack-ng team]] for producing such a great robust tool.
+Please send any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
-Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
 ===== Solution =====
@@ Line 34: / Line 33: @@
   * You have Wireshark installed and working.  Plus you have a basic understanding of how to use it.
   * You are using the latest aircrack-ng 1.0dev version or above.
-In the examples, the option "double dash bssid" is shown as "- -bssid".  Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs", "- -arpreplay", "- -deauth", "- -channel", "- -arp" and "- -fakeauth".
 ====Equipment used====
@@ Line 110: / Line 106: @@
   * The WDS sends out probe packets for the specific AP as well as "broadcast".  This continues, at least on these particular units, even after the WDS connects to the main AP.  I suspect this is a type of keep alive process but this is not an authoritative explanation.  I have seen other WDS implementations which do not continuously send probes.
   * The client line above only reflects the probes and probe responses.  Currently, the WDS traffic is not shown as client activity.
 ==== Attacks which work ====
@@ Line 118: / Line 112: @@
 Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit.  So fake authentication is not required.  However, using a separate MAC seems to yield better injection rates.
+airtun-ng can inject plaintext and WEP packets into a WDS link. That's even possible when airtun-ng only sees one of the two WDS nodes! (Note that in this case only clients behind this node are reachable)
 ==== Attacks which do not work ====
@@ Line 130: / Line 125: @@
 ==== Enhancements required ====
-This is list of software changes required to support WDS attacks.  Once aircrack-ng version 1 is released, this section will become a trac ticket.
+This is list of software changes required to support WDS attacks:
-  * aircrack-ng: Allow two BSSIDs to be defined to allow selection of both APs.
+  * aircrack-ng: Allow two BSSIDs to be defined to allow selection of both APs.  As well, add a "netmask" function the same as currently exists in airodump-ng.
   * airdecap-ng: Properly select SSID and BSSID.  Allow two BSSIDs to be defined to allow selection of both APs.
-  * airodump-ng: Allow two BSSIDS to be defined to allow the selection of both APs.
+  * airodump-ng: Allow two BSSIDS to be defined to allow the selection of both APs.  NOTE: In the interim, you can use the "netmask" function to achieve the same thing if they are all the same brand.
   * airodump-ng: Change the logic to allow the WDS packets to be shown as client traffic.  An arbitrary decision will need to be made as to which MAC is to be the BSSID and which is to be treated as the Client MAC.
   * All tools: Ability to specify all four address fields on the command line
   * aireplay-ng: Display all address fields based on context of To/FromDS bit combinations
-  * aireplay-ng: For arp request replay, recognize the arp request packet being sent from the other unit (using 4 addresses plus exta 6 bytes) and replay that.
+  * aireplay-ng: For arp request replay, recognize the arp request packet being sent from the other unit (using 4 addresses plus extra 6 bytes) and replay that.
@@ Line 152: / Line 147: @@
-==== wds.authentication.cap ====
+=== wds.authentication.cap ===
 This capture shows the WDS AP authenticating and associating with the main AP.  It contains the the typical probes followed by authentication and finally association.
-==== arp.request.from.ap.wired.client.cap ====
+=== arp.request.from.ap.wired.client.cap ===
 A wired client attached to the main access point sends out an arp request packet.  This arp request is broadcast by the main AP.  It is also sent to the WDS AP (To/FromDS both equal to 1;4 addresses).  The WDS AP broadcasts the arp request.
@@ Line 162: / Line 157: @@
-==== arp.request.from.wds.wired.client.cap ====
+=== arp.request.from.wds.wired.client.cap ===
 A wired client attached to the WDS access point sends out an arp request packet.  This arp request is broadcast by the WDS AP.  It is also sent to the main AP (To/FromDS both equal to 1;4 addresses).  The main AP broadcasts the arp request.
@@ Line 168: / Line 163: @@
-==== ap.wired.client.ping.wds.wired.client.cap ====
+=== ap.wired.client.ping.wds.wired.client.cap ===
 A wired client attached to the main access point sends out a ping to a wired client attached to the WDS AP.  Please note that an arp request/response previously took place and is not included in the capture.  You can see the ping request and response go back and forth (To/FromDS both equal to 1;4 addresses).
 The existing aircrack-ng tools can capture this and break the WEP key.