packetforge-ng

Differences

This shows you the differences between two versions of the page.

packetforge-ng [2007/01/27 17:10]
darkaudax correction and expand
packetforge-ng [2010/08/22 20:59] (current)
mister_x update "Usage" and fixed "mode" rendering
Line 1: Line 1:
 ====== Packetforge-ng ====== ====== Packetforge-ng ======
- 
- 
  
  
Line 12: Line 10:
 Usage: packetforge-ng <​mode>​ <​options>​ Usage: packetforge-ng <​mode>​ <​options>​
  
-====Forge options:====+====Forge options====
  
       *-p <​fctrl> ​    : set frame control word (hex)       *-p <​fctrl> ​    : set frame control word (hex)
Line 22: Line 20:
       *-e             : disables WEP encryption       *-e             : disables WEP encryption
       *-k <​ip[:​port]>​ : set Destination IP [Port]       *-k <​ip[:​port]>​ : set Destination IP [Port]
-      *-l <​ip[:​port]>​ : set Source ​     IP [Port]+      *-l <​ip[:​port]>​ : set Source ​     IP [Port] ​(Dash lowercase letter L)
       *-t ttl         : set Time To Live       *-t ttl         : set Time To Live
       *-w <​file> ​     : write packet to this pcap file       *-w <​file> ​     : write packet to this pcap file
  
-====Source options:====+====Source options====
  
       *-r <​file> ​     : read packet from this raw file       *-r <​file> ​     : read packet from this raw file
       *-y <​file> ​     : read PRGA from this file       *-y <​file> ​     : read PRGA from this file
  
-====Modes:====+====Modes ====
  
-      *--arp ​         : forge an ARP packet ​   (-0) +      *-''''​-arp          : forge an ARP packet ​   (-0) 
-      *--udp ​         : forge an UDP packet ​   (-1) +      *-''''​-udp          : forge an UDP packet ​   (-1) 
-      *--icmp ​        : forge an ICMP packet ​  ​(-2) +      *-''''​-icmp         : forge an ICMP packet ​  ​(-2) 
-      *--custom ​      : build a custom packet ​ (-9)+      *-''''​-null ​        : build a null packet (-3) 
 +      *-''''​-custom ​      : build a custom packet ​ (-9)
  
  
 ===== Usage Example ===== ===== Usage Example =====
  
 +==== Generating an arp request packet ====
 Here is an example of how to generate an arp request packet. Here is an example of how to generate an arp request packet.
  
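Review bot: In the Modes list, the empty monospace pair in "-''''-arp" (and the four entries after it) is an opaque way to stop DokuWiki from turning the double dash into a typographic dash; nowiki markup such as %%--arp%% keeps the wiki source readable and still renders two literal hyphens that can be copied into a shell. The same list has "forge an UDP packet", which should read "a UDP packet", and the heading "====Modes ====" carries a stray space that the other two renamed headings do not.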
Line 101: Line 101:
  
  
-Tip:+==== Generating a null packet ==== 
 + 
 +This option allows you to generate LLC null packets. ​ These are the smallest possible packets and contain no data.  The switch "​-s"​ is used to manually set the size of the packet. ​ This a simple way to generate small packets for injection. 
 + 
 +Remember that the size value (-s) defines the absolute size of an unencrypted packet, so you need to add 8 bytes to get its final length after encrypting it (4 bytes for iv+idx and 4 bytes for icv). This value also includes the 802.11 header with a length of 24bytes. 
 + 
 +The command is: 
 + 
 +   ​packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor 
 + 
 +Where: 
 +  * --null means generate a LLC null packet (requires double dash). 
 +  * -s 42 specifies the packet length to be generated. 
 +  * -a BSSID is the MAC address of the access point. 
 +  * -h SMAC is the source MAC address of the packet to be generated. 
 +  * -w short-packet.cap is the name of the output file. 
 +  * -y fragment.xor is the name of the file containing the PRGA. 
 + 
 + 
 +==== Generating a custom packet ==== 
 +If you want to generate a customer packet, first create a packet with the tool of your choice. ​ This could be a specialized tool, a hex editor or even from a previous capture. ​ Then save it as a pcap file.  Following this, run the command: 
 + 
 +   ​packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap 
 + 
 +Where: 
 +  * -9 means generate a custom packet. 
 +  * -r input.cap is the input file. 
 +  * -y keystream.xor is the file containing the PRGA. 
 +  * -w output.cap is the output file. 
 + 
 +When it runs, packetforge-ng will ask you which packet to use and then output the file. 
 + 
 + 
 + 
 +===== Usage Tips ===== 
 + 
 +Most access points really don't care what IPs are used for the arp request. ​ So as a result you can use 255.255.255.255 for source and destination IPs. 
 + 
 +So the packetforge-ng command becomes: 
 +   ​packetforge-ng -0 -a 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​AB:​CB:​9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request 
 + 
 + 
 +===== Usage Troubleshooting ===== 
 + 
 +==== Including both -j and -o flags ==== 
 + 
 +A common mistake people make is to include either or both -j and -o flags and create invalid packets. ​ These flags adjust the FromDS and ToDS flages in the packet generated. ​ Unless you are doing something special and really know what you are doing, don't use them.  In general, they are not needed. 
 + 
 + 
 +==== Error message "Mode already specified"​ ==== 
 + 
 +This is commonly caused by using the number one (-1) instead of dash lowercase L (-l) in the command. 
 + 
 +Entering: 
 +   ​packetforge-ng -0 -a 00:​14:​6C:​7E:​40:​80 -h 00:​09:​5B:​EC:​EE:​F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:​14:​6C:​7E:​40:​80-03-00-14-6C-7E-40-80.xor -w arp-request  
 + 
 +Gives: 
 +   Mode already specified. 
 +   "​packetforge-ng --help"​ for help. 
 + 
 +This because -1 (number one) was used instead of the correct -l (the letter ell).  So simply use "​-l"​.
  
-   Most access points really don't care what IPs are used for the arp request. 
-   So as a result you can use 255.255.255.255 for source and destination IPs. 
-    ​ 
-   So the packetforge-ng command becomes: 
-   ​packetforge-ng -0 -a 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​AB:​CB:​9D -k 192.168.1.100 
-   -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request 
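Review bot: The new "Mode already specified" section tells the reader what to type but not why the error appears: per the Modes list, -1 is the short form of --udp, so the sample command selects a second mode after -0. One sentence saying so would make the message self-explanatory. In the same hunk, "customer packet" under "Generating a custom packet" should be "custom packet", "flages" should be "flags", and "This a simple way" and "This because" are each missing "is". The heading "Including both -j and -o flags" also disagrees with its body, which warns against "either or both". In the null-packet section, stating that -s 42 gives a 50-byte frame once the 8 bytes for iv+idx and icv are added would tie the size rule to the example command.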
packetforge-ng.1169914214.txt.gz · Last modified: 2007/01/27 17:10 (external edit)