hirte

Differences

hirte [2009/09/26 21:07] – created darkaudax
hirte [2009/10/11 16:29] (current) – Initial documentation darkaudax
Line 1: Line 1:
-Coming soon!+====== Hirte attack ======
  
  
-==== aireplay-ng -7  (Hirte attack) ====+===== Description =====
  
-Example: aireplay-ng -7  -h 00:0E:D2:8D:7D:0A  -D  rausb0+The Hirte attack is a client attack which can use any IP or ARP packet.  It extends the [[cafe-latte|Cafe Latte]] attack by allowing any packet to be used and not be limited to client ARP packets.
  
 +The following describes the attack in detail.
 +
 +The basic idea is to generate an ARP request to be sent back to the client such that the client responds.
 +
 +The attack needs either an ARP or IP packet from the client.  From this, we need to generate an ARP request.  The ARP request must have the target IP (client IP) at byte position 33 and the target MAC should be all zeroes.  However the target MAC can really be any value in practice.
 +
 +The source IP is in the packet received from the client is in a known position - position 23 for ARP or 21 for IP.  ARP is assumed if the packet is 68 or 86 bytes in length plus a broadcast destination MAC address.  Otherwise it is assumed to be an IP packet.
 +
 +In order to send a valid ARP request back to the client, we need to move the source IP to position 33.  Of course you can't simply move bytes around, that would invalidate the packet.  So instead, we use the concept of packet fragmentation to achieve this.  The ARP request is sent to the client as two fragments.  The first fragment length is selected such that the incoming source IP is moved to position 33 when the fragments are ultimately reassembled by the client.  The second fragment is the original packet received from the client.
 +
 +In the case of an IP packet, a similar technique is used.  However due to the more limited amount of PRGA available, there are three fragments plus the original packet used.
 +
 +In all cases, bit flipping is used to ensure the CRC is correct.  Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast.
 +
 +
 +===== Usage =====
 +
 +  aireplay-ng -7  -h 00:09:5B:EC:EE:F2 -D rausb0
 +
 +Where:
 +  *-7 means Hirte attack
 +  *-h 00:09:5B:EC:EE:F2 is our card MAC address
 +  *-D disables AP detection.
 +  *rausb0 is the wireless interface name
 +
 +
 +===== Usage Examples =====
 +
 +None at this time.
 +
 +
 +===== Usage Tips =====
 +
 +None at this time.
 +
 +
 +===== Usage Troubleshooting =====
 +
 +None at this time.
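Review bot: the byte offsets in the Description (target IP "at byte position 33", source IP "position 23 for ARP or 21 for IP") never say what byte 0 is, so a reader cannot tell whether they count from the start of the 802.11 frame, from the LLC/SNAP header, or from the decrypted data; state the reference point once where position 33 is first introduced. The same paragraph says the attack uses PRGA and CRC bit flipping but never names the encryption this applies to; those mechanisms imply WEP-protected clients, and the first sentence of the Description should say so explicitly so the scope (and who needs to care about mitigating it) is clear. In the third Description paragraph, "The source IP is in the packet received from the client is in a known position" has a doubled "is in"; suggest "The source IP in the packet received from the client is at a known position - 23 for ARP or 21 for IP". Finally, the Usage Examples, Usage Tips and Usage Troubleshooting sections are all placeholders ("None at this time."); at minimum the Usage Examples section should carry the single worked example from the Usage section with its expected output, since the headings promise content the page does not yet have.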
hirte.1253992048.txt.gz · Last modified: 2009/09/26 21:07 by darkaudax