packetforge-ng

Differences

This shows you the differences between two versions of the page.

packetforge-ng [2007/01/27 20:49]
darkaudax Standardizing the format
packetforge-ng [2010/08/22 20:59] (current)
mister_x update "Usage" and fixed "mode" rendering
Line 1: Line 1:
 ====== Packetforge-ng ====== ====== Packetforge-ng ======
- 
- 
  
  
Line 12: Line 10:
 Usage: packetforge-ng <​mode>​ <​options>​ Usage: packetforge-ng <​mode>​ <​options>​
  
-====Forge options:====+====Forge options====
  
       *-p <​fctrl> ​    : set frame control word (hex)       *-p <​fctrl> ​    : set frame control word (hex)
Line 22: Line 20:
       *-e             : disables WEP encryption       *-e             : disables WEP encryption
       *-k <​ip[:​port]>​ : set Destination IP [Port]       *-k <​ip[:​port]>​ : set Destination IP [Port]
-      *-l <​ip[:​port]>​ : set Source ​     IP [Port]+      *-l <​ip[:​port]>​ : set Source ​     IP [Port] ​(Dash lowercase letter L)
       *-t ttl         : set Time To Live       *-t ttl         : set Time To Live
       *-w <​file> ​     : write packet to this pcap file       *-w <​file> ​     : write packet to this pcap file
  
-====Source options:====+====Source options====
  
       *-r <​file> ​     : read packet from this raw file       *-r <​file> ​     : read packet from this raw file
       *-y <​file> ​     : read PRGA from this file       *-y <​file> ​     : read PRGA from this file
  
-====Modes:==== +====Modes ====
- +
-      *--arp ​         : forge an ARP packet ​   (-0) +
-      *--udp ​         : forge an UDP packet ​   (-1) +
-      *--icmp ​        : forge an ICMP packet ​  ​(-2) +
-      *--custom ​      : build a custom packet ​ (-9)+
  
 +      *-''''​-arp ​         : forge an ARP packet ​   (-0)
 +      *-''''​-udp ​         : forge an UDP packet ​   (-1)
 +      *-''''​-icmp ​        : forge an ICMP packet ​  (-2)
 +      *-''''​-null ​        : build a null packet (-3)
 +      *-''''​-custom ​      : build a custom packet ​ (-9)
  
  
 ===== Usage Example ===== ===== Usage Example =====
  
 +==== Generating an arp request packet ====
 Here is an example of how to generate an arp request packet. Here is an example of how to generate an arp request packet.
  
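Review bot: The new heading "====Modes ====" has a space before the closing markers, while "====Forge options====" and "====Source options====" changed in the same revision do not; use "====Modes====" so the three headings match. The added --null line reads "build a null packet (-3)" with a single space before the short form, where the neighbouring mode lines pad the short form into a column, so align it with them.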
Line 100: Line 99:
  
 By entering "​y"​ above, the packet you created with packetforge-ng is then injected. By entering "​y"​ above, the packet you created with packetforge-ng is then injected.
 +
 +
 +==== Generating a null packet ====
 +
 +This option allows you to generate LLC null packets. ​ These are the smallest possible packets and contain no data.  The switch "​-s"​ is used to manually set the size of the packet. ​ This a simple way to generate small packets for injection.
 +
 +Remember that the size value (-s) defines the absolute size of an unencrypted packet, so you need to add 8 bytes to get its final length after encrypting it (4 bytes for iv+idx and 4 bytes for icv). This value also includes the 802.11 header with a length of 24bytes.
 +
 +The command is:
 +
 +   ​packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor
 +
 +Where:
 +  * --null means generate a LLC null packet (requires double dash).
 +  * -s 42 specifies the packet length to be generated.
 +  * -a BSSID is the MAC address of the access point.
 +  * -h SMAC is the source MAC address of the packet to be generated.
 +  * -w short-packet.cap is the name of the output file.
 +  * -y fragment.xor is the name of the file containing the PRGA.
 +
 +
 +==== Generating a custom packet ====
 +If you want to generate a customer packet, first create a packet with the tool of your choice. ​ This could be a specialized tool, a hex editor or even from a previous capture. ​ Then save it as a pcap file.  Following this, run the command:
 +
 +   ​packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap
 +
 +Where:
 +  * -9 means generate a custom packet.
 +  * -r input.cap is the input file.
 +  * -y keystream.xor is the file containing the PRGA.
 +  * -w output.cap is the output file.
 +
 +When it runs, packetforge-ng will ask you which packet to use and then output the file.
 +
  
  
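Review bot: The first sentence of "Generating a custom packet" says "customer packet" where "custom packet" is meant. In the null packet section, "This a simple way" is missing "is" and "24bytes" needs a space. The size paragraph would be easier to apply if it carried the example through: with -s 42 the frame is 42 bytes unencrypted, 24 of them 802.11 header, and 50 bytes once the 8 bytes for iv+idx and icv are added.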
Line 107: Line 140:
  
 So the packetforge-ng command becomes: So the packetforge-ng command becomes:
-   ​packetforge-ng -0 -a 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​AB:​CB:​9D -k 192.168.1.100 -l 192.168.1.-y fragment-0124-161129.xor -w arp-request+   ​packetforge-ng -0 -a 00:​14:​6C:​7E:​40:​80 -h 00:​0F:​B5:​AB:​CB:​9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request 
  
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
 +
 +==== Including both -j and -o flags ====
 +
 A common mistake people make is to include either or both -j and -o flags and create invalid packets. ​ These flags adjust the FromDS and ToDS flages in the packet generated. ​ Unless you are doing something special and really know what you are doing, don't use them.  In general, they are not needed. A common mistake people make is to include either or both -j and -o flags and create invalid packets. ​ These flags adjust the FromDS and ToDS flages in the packet generated. ​ Unless you are doing something special and really know what you are doing, don't use them.  In general, they are not needed.
 +
 +
 +==== Error message "Mode already specified"​ ====
 +
 +This is commonly caused by using the number one (-1) instead of dash lowercase L (-l) in the command.
 +
 +Entering:
 +   ​packetforge-ng -0 -a 00:​14:​6C:​7E:​40:​80 -h 00:​09:​5B:​EC:​EE:​F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:​14:​6C:​7E:​40:​80-03-00-14-6C-7E-40-80.xor -w arp-request ​
 +
 +Gives:
 +   Mode already specified.
 +   "​packetforge-ng --help"​ for help.
 +
 +This because -1 (number one) was used instead of the correct -l (the letter ell).  So simply use "​-l"​.
  
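Review bot: The new heading "Including both -j and -o flags" is narrower than the paragraph under it, which warns about "either or both" flags; a heading such as "Using the -j or -o flags" would match the text. In that paragraph "flages" should be "flags", and the last sentence of the new "Mode already specified" section, "This because -1 (number one) was used", is missing "is". The rewritten ARP command now passes 255.255.255.255 to both -k and -l, so the explanation leading up to "So the packetforge-ng command becomes:" should be checked to confirm it describes the same addresses.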
packetforge-ng.1169927358.txt.gz · Last modified: 2007/01/27 20:49 (external edit)