Revisions compared: airtun-ng [2007/01/29 21:48] (better wep key example, darkaudax) and airtun-ng [2010/11/21 16:14] (typos, sleek).

====== Airtun-ng ======
===== Description =====

Airtun-ng is a virtual tunnel interface creator. There are two basic functions:
  * Allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes.
  * Inject arbitrary traffic into a network.

In order to perform wIDS data gathering, you must have the encryption key and the BSSID of the network you wish to monitor. Airtun-ng decrypts all the traffic for that network and passes it to a traditional IDS such as [[http://www.snort.org|snort]].

Traffic injection can be fully bidirectional if you have the full encryption key. It is outgoing only (unidirectional) if you just have the PRGA obtained via [[korek_chopchop|chopchop]] or [[fragmentation]] attacks, because without the key inbound frames cannot be decrypted. The prime advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may use any tool subsequently to create, inject or sniff packets.

Airtun-ng also has repeater and tcpreplay-type functionality. The repeater function replays all traffic sniffed on one wireless device (the input interface given with -i) onto the output interface, optionally filtering by a BSSID together with a network mask so that only the matching traffic is replayed. The tun interface remains usable while repeating. A pcap file read feature replays stored pcap-format packet captures exactly as you captured them in the first place; this is essentially tcpreplay functionality for wifi.

Airtun-ng only runs on Linux platforms. It supports WDS if you have a reasonably recent version (svn rev 1624?).
  
===== Usage =====

  usage: airtun-ng <options> <replay interface>

  * -x nbpps : maximum number of packets per second (optional)
  * -a bssid : set Access Point MAC address (mandatory)
  * -i iface : capture packets from this interface (optional)
  * -y file : read PRGA from this file (optional / one of -y or -w must be defined)
  * -w wepkey : use this WEP key to encrypt packets (optional / one of -y or -w must be defined)
  * -t tods : send frames to AP (1) or to client (0) (optional / defaults to 0)
  * -r file : read frames out of pcap file (optional)
  * -h MAC : source MAC address
  * -H : display help. Long form --help

Repeater options (the long forms all take double dashes):
  * --repeat : activates repeat mode. Short form -f.
  * --bssid <mac> : BSSID to repeat. Short form -d.
  * --netmask <mask> : netmask for the BSSID filter. Short form -m.
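The constraints in the usage text above (-a mandatory, -w and -y not both, -t limited to 0 or 1, --netmask only meaningful together with --bssid) are easy to get wrong when airtun-ng is driven from a script. The Python helper below is an added example and not part of the aircrack-ng suite: it validates the arguments and returns the argv for one invocation. It assumes that -w takes the key as hex digits, optionally colon separated, as in the page's 1234567890 example, and that the accepted key sizes are the 10, 26, 32 and 58 hex digit (64/128/152/256-bit) WEP lengths; it does not insist on -w or -y being present, since the repeater and replay scenarios on this page run without either.

```python
import re

# Hex-digit count -> nominal WEP key size. Assumption: airtun-ng reads -w as
# hex (colons optional); the page's "1234567890" is a 40-bit ("64-bit") key.
WEP_HEX_LENGTHS = {10: 64, 26: 128, 32: 152, 58: 256}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def normalize_wep_key(key):
    """Strip colon separators; require hex digits of a valid WEP length.
    Returns (hex_key, key_size_bits)."""
    hexkey = key.replace(":", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexkey) or len(hexkey) not in WEP_HEX_LENGTHS:
        raise ValueError(
            f"WEP key must be one of {sorted(WEP_HEX_LENGTHS)} hex digits, got {len(hexkey)}")
    return hexkey, WEP_HEX_LENGTHS[len(hexkey)]


def check_mac(mac, what):
    """Reject anything that is not aa:bb:cc:dd:ee:ff; airtun-ng wants full MACs."""
    if not MAC_RE.match(mac):
        raise ValueError(f"{what}: bad MAC address {mac!r}")
    return mac.upper()


def build_airtun_cmd(bssid, replay_iface, wep_key=None, prga_file=None, tods=0,
                     input_iface=None, src_mac=None, pcap_file=None,
                     repeat=False, repeat_bssid=None, netmask=None):
    """Return the argv list for one airtun-ng run, enforcing the usage-text rules:
    -a mandatory, -w/-y mutually exclusive, -t in {0, 1}, --netmask needs --bssid."""
    if wep_key is not None and prga_file is not None:
        raise ValueError("use only one of -w (WEP key) or -y (PRGA file)")
    if tods not in (0, 1):
        raise ValueError("-t takes 0 (to client, the default) or 1 (to AP)")
    if netmask and not repeat_bssid:
        raise ValueError("--netmask only makes sense together with --bssid")

    argv = ["airtun-ng", "-a", check_mac(bssid, "-a")]
    if wep_key is not None:
        argv += ["-w", normalize_wep_key(wep_key)[0]]
    if prga_file is not None:
        argv += ["-y", prga_file]
    if tods:                      # default is 0 (FromDS), so only emit -t 1
        argv += ["-t", "1"]
    if input_iface:
        argv += ["-i", input_iface]
    if src_mac:
        argv += ["-h", check_mac(src_mac, "-h")]
    if pcap_file:
        argv += ["-r", pcap_file]
    if repeat:
        argv.append("--repeat")
    if repeat_bssid:
        argv += ["--bssid", check_mac(repeat_bssid, "--bssid")]
        if netmask:
            argv += ["--netmask", check_mac(netmask, "--netmask")]
    argv.append(replay_iface)     # the replay interface is the last positional argument
    return argv


if __name__ == "__main__":
    # The page's wIDS invocation, reproduced from its parameters.
    print(" ".join(build_airtun_cmd("00:14:6C:7E:40:80", "ath0", wep_key="1234567890")))
    # A repeater run restricted to one vendor prefix (made-up mask).
    print(" ".join(build_airtun_cmd("00:14:6C:7E:40:80", "wlan0", input_iface="ath0",
                                    repeat=True, repeat_bssid="00:14:6C:7E:40:80",
                                    netmask="FF:FF:FF:00:00:00")))
```

Run it with the page's own values and the first printed line is exactly the wIDS command shown in the first scenario; feeding it a 12-digit key, or both -w and -y, raises before anything is executed.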
  
  
===== Scenarios =====

==== wIDS ====

The first scenario is wIDS. Start your wireless card in monitor mode, then enter:

  airtun-ng -a 00:14:6C:7E:40:80 -w 1234567890 ath0

Where:
  * -a 00:14:6C:7E:40:80 is the MAC address of the access point to be monitored
  * -w 1234567890 is the encryption key
  * ath0 is the interface currently running in monitor mode

The system responds:
   created tap interface at0
   [...]
   FromDS bit set in all frames.

You notice above that it created the **at0** interface. Switch to another console session; you must now bring this interface up in order to use it:

   ifconfig at0 up

This interface (at0) will receive a copy of every wireless network packet, decrypted with the key you have provided. At this point you may use any tool to sniff and analyze the traffic, for example tcpdump, wireshark or snort.
  
==== WEP injection ====

The next scenario is where you want to inject packets into the network. Do exactly the same steps as in the first scenario, except assign a valid IP address for the network when you bring the at0 interface up:

   ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering "ifconfig at0", whose output ends with counters similar to:
   [...]
           RX bytes:25113 (24.5 KiB)  TX bytes:516 (516.0 b)

At this point you can use any tool you want and send traffic via the at0 interface to wireless clients. Please note that by default the FromDS flag is set, meaning frames are flagged as coming from the AP and going to the wireless clients. If you wish to communicate via the AP, i.e. with wired clients or anything else the AP forwards to, specify the option "-t 1" when you start airtun-ng so that frames are sent with the ToDS flag set instead.

**IMPORTANT NOTE:** The normal rules apply to injection here as well. For example, being associated with the AP, having the wireless card MAC match the injected source, etc. You have to remember to also set the at0 MAC address: the tap interface gets an address of its own, so set it to the same MAC as your wireless card.

An interesting use of this scenario is that it allows you to use a WEP encrypted network with a driver that supports injection but no WEP encryption, since not all drivers support 256-bit or 512-bit WEP keys, or WPA (once it is implemented), and so on.
  
==== PRGA injection ====

The next scenario is where you want to inject packets into the network but do not have the full WEP key. You only have the PRGA obtained via a [[korek_chopchop|chopchop]] or [[fragmentation]] attack. In this case you may only inject packets outbound. There is no way to decrypt inbound packets, since you do not have the full WEP key. Since the PRGA file holds a fixed amount of keystream, injected frames can be no longer than that keystream allows.

Start your wireless card in monitor mode, then enter:

   airtun-ng -a 00:14:6C:7E:40:80 -y fragment-0124-153850.xor ath0

Notice that the PRGA file was specified via the "-y" option.

The system responds (notice it correctly states "no reception"):
   created tap interface at0
   WEP encryption by PRGA specified. No reception, only sending frames through ath0.
   [...]

Bring the interface up with an address valid for the network:

   ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering "ifconfig at0". Again, at this point you can use any tool you want and send traffic via the at0 interface to wireless clients.
  
==== Connecting to two access points ====

The next scenario is connecting to two wireless networks at the same time. This is done by simply starting airtun-ng twice and specifying the appropriate BSSID MAC for each. If the two APs are on the same channel, then everything should be fine. If they don't share one channel, you can listen with airodump-ng on both channels (not simultaneously, but switching between only the two channels). Assuming the two APs you want to connect to are on channels 1 and 11, enter "airodump-ng -c 1,11 ath0".

[...]

So you'll get two tunnel interfaces (at0 and at1), each pointing to a different AP. If they don't use the same private subnet range, then you can use them at the same time, i.e. you are connected to more than one AP. In theory, you could do this for even more than two APs, but the quality of the link would be even worse when hopping on three channels.
  
==== Copy packets from the optional interface ====

The next scenario is copying packets from the optional interface. The -i <wireless interface> option is just like the aireplay-ng -i parameter. It specifies a source to read packets from, other than the given injection interface (ath0 in the examples above). A typical use is to listen with a very sensitive card on one interface and to inject with a high-power adapter, which has lower sensitivity.
 +
==== Repeater Mode ====

This scenario allows you to repeat all packets from one wireless card to another. This would allow you to extend the distance over which you can listen to the access point communication. The cards may also be on different channels, which provides additional flexibility.

Prior to running the following command, you must use airmon-ng to put each card into monitor mode on the appropriate channel:

   airtun-ng -a 00:14:6C:7E:40:80 --repeat --bssid 00:14:6C:7E:40:80 -i ath0 wlan0

Where:
  * -a 00:14:6C:7E:40:80 is the MAC address used for packets injected via the at0 interface.
  * --repeat specifies that inbound packets from the -i interface be repeated on the output interface. Note the double dash.
  * --bssid 00:14:6C:7E:40:80 selects which packets are repeated (optional; combine it with --netmask to match a range of BSSIDs). Note the double dash.
  * -i ath0 is the input interface from which packets are read.
  * wlan0 is the output interface.

The system responds:

   created tap interface at0
   No encryption specified. Sending and receiving frames through wlan0.
   FromDS bit set in all frames.

At this point, any packets for the AP (00:14:6C:7E:40:80) seen on the ath0 interface will be repeated and sent out on the wlan0 interface.
 +
==== Packet Replay Mode ====

You can replay any previous capture. The capture must have been stored in pcap format.

You enter the command:

   airtun-ng -a 00:14:6C:7E:40:80 -r ath0one-01.cap ath0

Where:
  * -a 00:14:6C:7E:40:80 is the MAC address used for packets injected via the at0 interface.
  * -r ath0one-01.cap is the name of the pcap file to be replayed.
  * ath0 is the output interface.

The system responds:

   created tap interface at0
   No encryption specified. Sending and receiving frames through ath0.
   FromDS bit set in all frames.
   Finished reading input file ath0one-01.cap.

Please note that the file contents are transmitted exactly as they are. You may ignore the message "FromDS bit set in all frames": neither the flags nor any other field are modified while transmitting the file contents, so whatever addresses, sequence numbers and encryption the capture holds go out unchanged.
 +
==== Tunneling traffic into WDS networks or WiFi Bridges ====

If you use a recent version of airtun-ng, you can use its WDS support to inject traffic into WDS networks and WiFi bridges.
Bridges are often considered fairly secure: their traffic can be sniffed, but an ordinary client cannot associate with them to send data into the networks behind them.
This is where airtun-ng comes into the game. With airtun-ng you can impersonate either of the two endpoints to interact with the other one. Let's assume you can only see one node of the bridge; this is how you can check whether an attacker could inject traffic into this side of the network:

  * There are two nodes AA:AA:AA:AA:AA:AA and BB:BB:BB:BB:BB:BB.
  * Your attacking client can only send to and receive from node A.
  * In this case you will only see packets with Transmitter = A and Receiver = B on your interface.
  * If you impersonate node B, you could inject traffic into the network behind node A.

This is how to set up airtun-ng for this scenario:

   airtun-ng -t 1 ath0 -h BB:BB:BB:BB:BB:BB -a AA:AA:AA:AA:AA:AA -i ath0

Here -h sets the source MAC to node B, the endpoint being impersonated, and -a names node A, the endpoint that receives the injected frames.

If you are able to see both sides of a WDS/Bridge network, you can enable bidirectional mode. This enables communication with both endpoints' networks. Be aware that bidirectional mode keeps track of the clients behind each node in a list in memory, since it needs to know which of the two endpoints a packet must be sent to in order to reach a given client. If you use an embedded system, or there are large numbers of clients connected, this may slow down your machine.

   airtun-ng -t 1 ath0 -h BB:BB:BB:BB:BB:BB -a AA:AA:AA:AA:AA:AA -i ath0 -f

WDS mode is fully compatible with WEP encryption, so you can use the -w and -y flags as usual.
However, Repeater Mode hasn't been tested with WDS. Note that the usage section above lists -f as the short form of --repeat; check the usage output (-H) of your own build for the exact flags, since WDS support arrived in a later svn revision than the rest of this page describes.
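The FromDS/ToDS remark in the WEP injection scenario, the --bssid/--netmask repeater filter and the Transmitter/Receiver view of a bridge above all come down to how the 802.11 header's address fields are interpreted from the ToDS and FromDS bits. The Python below is an added example and not aircrack-ng code: it builds constructed data frames for each of the three cases, resolves BSSID/SA/DA (and TA/RA, plus the fourth address for the WDS case) the way the IEEE 802.11 address table specifies, and applies a repeater-style mask filter to decide which frames would be forwarded. All MAC addresses other than the page's AP (00:14:6C:7E:40:80) and the AA/BB bridge nodes are made up, and the filter's treatment of WDS frames (never matched, because they carry no BSSID field) is this example's own choice, in line with the page's note that repeater mode is untested with WDS.

```python
import struct


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02X}" for x in b)


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, addr4=None, payload=b""):
    """Constructed data frame: FC(2) Duration(2) A1 A2 A3 SeqCtl(2) [A4] body.
    Frame-control byte 0 is 0x08 (type 2 = data, subtype 0); byte 1 carries the
    ToDS (bit 0) and FromDS (bit 1) flags that airtun-ng's -t option selects."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    hdr = struct.pack("<BBH", 0x08, flags, 0)
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3) + struct.pack("<H", 0)
    if to_ds and from_ds:
        if addr4 is None:
            raise ValueError("WDS (ToDS+FromDS) frames need a fourth address")
        hdr += mac_bytes(addr4)
    return hdr + payload


def parse_80211(frame):
    """Resolve RA/TA and DA/SA/BSSID from the ToDS/FromDS bits (IEEE 802.11 address table)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 3-address MAC header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = (mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3))
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "to_ds": to_ds, "from_ds": from_ds, "ra": a1, "ta": a2}
    if not to_ds and not from_ds:      # management / IBSS: DA, SA, BSSID
        info.update(da=a1, sa=a2, bssid=a3)
    elif to_ds and not from_ds:        # station -> AP: what "-t 1" produces
        info.update(bssid=a1, sa=a2, da=a3)
    elif from_ds and not to_ds:        # AP -> station: airtun-ng's default "-t 0"
        info.update(da=a1, bssid=a2, sa=a3)
    else:                              # WDS / bridge: RA, TA, DA, SA and no BSSID field
        if len(frame) < 30:
            raise ValueError("4-address frame needs a 30-byte header")
        info.update(da=a3, sa=mac_str(frame[24:30]), bssid=None)
    return info


def bssid_matches(bssid, filter_bssid, netmask="FF:FF:FF:FF:FF:FF"):
    """--bssid/--netmask style test: compare only the bits set in the mask.
    Assumption: WDS frames have no BSSID and are never matched."""
    if bssid is None:
        return False
    return all((b & m) == (f & m) for b, f, m in
               zip(mac_bytes(bssid), mac_bytes(filter_bssid), mac_bytes(netmask)))


def repeat_filter(frames, filter_bssid, netmask="FF:FF:FF:FF:FF:FF"):
    """Indexes of the frames a repeater with this --bssid/--netmask would forward."""
    return [i for i, f in enumerate(frames)
            if bssid_matches(parse_80211(f)["bssid"], filter_bssid, netmask)]


# Constructed sample traffic: the page's AP, plus a made-up station, wired host,
# a second AP sharing the vendor prefix, and the page's two bridge nodes.
AP, STA, WIRED = "00:14:6C:7E:40:80", "00:11:22:33:44:55", "00:AA:BB:CC:DD:EE"
AP2 = "00:14:6C:01:02:03"
NODE_A, NODE_B = "AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB"
SAMPLE_FRAMES = [
    build_data_frame(False, True, STA, AP, WIRED),             # AP -> station (-t 0)
    build_data_frame(True, False, AP, STA, WIRED),             # station -> AP (-t 1)
    build_data_frame(False, True, STA, AP2, WIRED),            # a neighbouring AP
    build_data_frame(True, True, NODE_B, NODE_A, WIRED, STA),  # bridge: TA = A, RA = B
]


def demo():
    """Parsed view of the samples plus two repeater filter results."""
    return {
        "parsed": [parse_80211(f) for f in SAMPLE_FRAMES],
        "exact": repeat_filter(SAMPLE_FRAMES, AP),
        "vendor_prefix": repeat_filter(SAMPLE_FRAMES, AP, "FF:FF:FF:00:00:00"),
    }


if __name__ == "__main__":
    result = demo()
    for p in result["parsed"]:
        print(p)
    print("exact BSSID match:", result["exact"], "vendor prefix match:", result["vendor_prefix"])
```

With an exact --bssid the filter forwards only the two frames whose BSSID is the page's AP; widening the mask to the first three octets also picks up the neighbouring AP, while the bridge frame is never forwarded because a four-address frame has no BSSID to compare.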
  
===== Usage Tips =====

This tool is extremely powerful and utilizes advanced concepts. Please make sure you have built your knowledge and experience with the other tools in the aircrack-ng suite prior to using it.

==== Injecting Management Frames ====

You can also inject management and control frames. This can be done by putting together a pcap file of the frames to be sent, or by reusing a capture you made before, and replaying the whole file using airtun-ng with -r.
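To replay management frames as described, you need a pcap file whose records are raw 802.11 frames. The Python below is an added example and not part of aircrack-ng: it builds constructed Probe Request frames (a harmless management subtype), writes them to a classic pcap with link type 105 (DLT_IEEE802_11, meaning no radiotap or prism header in front of each frame) and reads the file back to check what was written. The source MAC and SSID are made up; that airtun-ng -r accepts a link type 105 capture is an assumption that follows from the page's statement that it replays pcap captures as they were captured.

```python
import os
import struct
import tempfile

DLT_IEEE802_11 = 105   # raw 802.11 frames, no per-packet radiotap/prism header


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def build_probe_request(src_mac, ssid, rates=b"\x82\x84\x8b\x96"):
    """Management frame, subtype 4 (Probe Request): frame-control byte 0 is 0x40
    (type 0, subtype 4), DA and BSSID are broadcast, and the body is an SSID
    element (id 0) followed by a Supported Rates element (id 1)."""
    ssid_b = ssid.encode()
    if len(ssid_b) > 32:
        raise ValueError("SSID element holds at most 32 bytes")
    bcast = b"\xff" * 6
    hdr = struct.pack("<BBH", 0x40, 0, 0) + bcast + mac_bytes(src_mac) + bcast + struct.pack("<H", 0)
    body = bytes([0, len(ssid_b)]) + ssid_b + bytes([1, len(rates)]) + rates
    return hdr + body


def write_pcap(path, frames, linktype=DLT_IEEE802_11, base_ts=1000000000):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Minimal reader used to verify the file; returns (linktype, [frame bytes])."""
    with open(path, "rb") as f:
        data = f.read()
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return linktype, frames


def frame_summary(frame):
    """Type/subtype from frame control and, for management frames, the SSID element."""
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    ssid = None
    if ftype == 0:
        body, off = frame[24:], 0
        while off + 2 <= len(body):                 # walk the tagged elements
            eid, elen = body[off], body[off + 1]
            if eid == 0:
                ssid = body[off + 2:off + 2 + elen].decode(errors="replace")
                break
            off += 2 + elen
    return {"type": ftype, "subtype": subtype, "ssid": ssid}


def demo(path=None):
    """Write two constructed probe requests to a pcap and read them back."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "mgmt-replay.cap")
    frames = [build_probe_request("00:11:22:33:44:55", "example-ssid"),
              build_probe_request("00:11:22:33:44:55", "")]   # empty SSID = wildcard probe
    write_pcap(path, frames)
    linktype, back = read_pcap(path)
    return linktype, [frame_summary(f) for f in back], path


if __name__ == "__main__":
    linktype, summaries, path = demo()
    print(f"wrote {path}: link type {linktype}, {len(summaries)} frames")
    for s in summaries:
        print(s)
```

Replay the result with the page's command shape, for example airtun-ng -a <bssid> -r mgmt-replay.cap ath0. Because airtun-ng sends the records unchanged, whatever you put in the frame control, addresses and sequence control goes out exactly as written, so a capture that was saved with a radiotap or prism header in front of each frame is not the same thing as the raw link type 105 file produced here.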
 +
===== Usage Troubleshooting =====
==== I can't find the airtun-ng tool! ====
Windows platforms - "I can't find the airtun-ng tool!" Answer: airtun-ng only runs on Linux.

==== Error opening tap device: No such file or directory ====

When you run airtun-ng, you get a message similar to "error opening tap device: No such file or directory".

Make sure you have the OpenVPN package installed and run:

   modprobe tun

This loads the "tun" module. You can confirm it is loaded by running "lsmod | grep tun", and the device node it provides should then exist as /dev/net/tun. If it does not load or there are problems, running "dmesg" and reviewing the end should show errors, if any.

==== Error creating tap interface: Permission denied ====

See the following [[faq#why_do_i_get_error_creating_tap_interfacepermission_denied_or_a_similar_message|FAQ entry]].
  
airtun-ng.txt · Last modified: 2015/04/12 23:15 by mister_x