hirte

Differences

hirte [2009/09/26 21:07]
darkaudax created
hirte [2009/10/11 16:29] (current)
darkaudax Initial documentation
Line 1: Line 1:
-Coming soon!+====== Hirte attack ======
  
  
-==== aireplay-ng -7  (Hirte attack) ​====+===== Description =====
  
-Example: aireplay-ng -7  -h 00:​0E:​D2:​8D:​7D:​0A ​ -D  rausb0+The Hirte attack is a client attack which can use any IP or ARP packet. ​ It extends the [[cafe-latte|Cafe Latte]] attack by allowing any packet to be used and not be limited to client ARP packets.
  
 +The following describes the attack in detail.
 +
 +The basic idea is to generate an ARP request to be sent back to the client such that the client responds.
 +
 +The attack needs either an ARP or IP packet from the client. ​ From this, we need to generate an ARP request. ​ The ARP request must have the target IP (client IP) at byte position 33 and the target MAC should be all zeroes. ​ However the target MAC can really be any value in practice.
 +
 +The source IP is in the packet received from the client is in a known position - position 23 for ARP or 21 for IP.  ARP is assumed if the packet is 68 or 86 bytes in length plus a broadcast destination MAC address. ​ Otherwise it is assumed to be an IP packet.
 +
 +In order to send a valid ARP request back to the client, we need to move the source IP to position 33.  Of course you can't simply move bytes around, that would invalidate the packet. ​ So instead, we use the concept of packet fragmentation to achieve this.  The ARP request is sent to the client as two fragments. ​ The first fragment length is selected such that the incoming source IP is moved to position 33 when the fragments are ultimately reassembled by the client. ​ The second fragment is the original packet received from the client.
 +
 +In the case of an IP packet, a similar technique is used.  However due to the more limited amount of PRGA available, there are three fragments plus the original packet used.
 +
 +In all cases, bit flipping is used to ensure the CRC is correct. ​ Additionally,​ bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast.
 +
 +
 +===== Usage =====
 +
 +  aireplay-ng -7  -h 00:​09:​5B:​EC:​EE:​F2 -D rausb0
 +
 +Where:
 +  *-7 means Hirte attack
 +  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC address
 +  *-D disables AP detection.
 +  *rausb0 is the wireless interface name
 +
 +
 +===== Usage Examples =====
 +
 +None at this time.
 +
 +
 +===== Usage Tips =====
 +
 +None at this time.
 +
 +
 +===== Usage Troubleshooting =====
 +
 +None at this time.
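Review bot: the Description sentence "The source IP is in the packet received from the client is in a known position" has a doubled "is in" and reads as a run-on; suggest "The source IP in the packet received from the client is at a known position - byte 23 for ARP or 21 for IP." The same paragraph gives the target-IP offset as "byte position 33" while the fragmentation paragraph says "position 33", so pick one wording (byte offset) and use it throughout. In the Usage section the "-D disables AP detection" bullet should say what is being detected and why it must be disabled for this attack, since a reader of this page alone cannot tell; and the three "None at this time." placeholder sections (Usage Examples, Usage Tips, Usage Troubleshooting) could be left out until they have content rather than shipped as empty headings.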
hirte.txt · Last modified: 2009/10/11 16:29 by darkaudax