This is an old revision of the document!
Table of Contents
NOTE: This documention is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the Forum.
NOTE: The tkiptun-ng SVN version is not fully working. A working version will be released shortly.
Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created PTW attack) for a conference in PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”.
Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. This attack is described in the paper, Practical attacks against WEP and WPA written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article Battered, but not broken: understanding the WPA crack by Glenn Fleishman.
Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). This is done via chopchop-type method. Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.
At this point, tkiptun-ng has recovered the MIC key and knows a keystram for access point to client communication. Subsequently, using the XOR file, you can create new packets and inject them. The creation and injection are done using the other aircrack-ng suite tools.
Please remember this is an extremely advanced attack. You require advanced linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED.
Both the AP and the client must support QoS or sometimes called Wi-Fi Multi-media (WMM) on some APs.
The AP must be configured for WPA plus TKIP.
A fairly long rekeying time must be in use such as 3600 seconds. It should be at least 20 minutes.
The network card MAC address that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.
This section is very preliminary. As tkiptun-ng works, it goes through various phases. People ask “Why is such and such done?”. This section attempts to answer those questions.
Why is the handshake gathered?
It is done for debugging reasons. First, so that the temporal keys in tkiptun can be calculated. Second, check them against the calculated values from the plaintext packet.
Another reason, is to check if the AP/client reuses the nonces after a mic shutdown.
Usage: tkiptun-ng <options> <replay interface>
- -d dmac : MAC address, Destination
- -s smac : MAC address, Source
- -m len : minimum packet length
- -n len : maximum packet length
- -t tods : frame control, To DS bit
- -f fromds : frame control, From DS bit
- -D : disable AP detection
- -x nbpps : number of packets per second
- -a bssid : set Access Point MAC address
- -c dmac : set Destination MAC address
- -h smac : set Source MAC address
- -F : choose first matching packet
- -e essid : set target AP SSID
- -K prga : keystream for continuation
- -y file : keystream-file for continuation
- -j : inject FromDS packets
- -P pmk : pmk for verification/vuln testing
- -p psk : psk to calculate pmk with essid
- -i iface : capture packets from this interface
- -r file : extract packets from this pcap file
-help : Displays this usage screen
The example below is incomplete but it gives some idea of how it looks.
Input: tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 ath0
Blub 2:38 E6 38 1C 24 15 1C CF Blub 1:17 DD 0D 69 1D C3 1F EE Blub 3:29 31 79 E7 E6 CF 8D 5E 14:48:00 Michael Test: Successful 14:48:00 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9 14:48:00 Found specified AP 14:48:00 Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 2| 4 ACKs] 14:48:02 WPA handshake: 00:14:6C:7E:40:80 captured 14:48:02 Waiting for an ARP packet coming from the Client... Saving chosen packet in replay_src-1109-144822.cap 14:48:22 Waiting for an ARP response packet coming from the AP... Saving chosen packet in replay_src-1109-144822.cap 14:48:22 Got the answer! 14:48:22 Waiting 5 seconds to let encrypted EAPOL frames pass without interfering. Sent 40 packets, current guess: 27..
None at this time.
None at this time.