tkiptun-ng

Differences

tkiptun-ng [2009/03/05 23:06]
darkaudax Added complete example of working output
tkiptun-ng [2009/09/27 16:01] (current)
darkaudax Updated to reflect v1.0
Line 3: Line 3:
 ===== Description ===== ===== Description =====
  
-NOTE: This documention ​is still under development. ​ Please check back on a regular basis to obtain the latest updates. ​ If you have any feedback on the documentation,​ please post your comments to the [[http://​forum.tinyshell.be|Forum]].+NOTE: This documentation ​is still under development. ​ Please check back on a regular basis to obtain the latest updates. ​ If you have any feedback on the documentation,​ please post your comments to the [[http://​forum.aircrack-ng.org|Forum]].
  
-NOTE: The tkiptun-ng ​SVN version ​is not fully working.  ​working ​version will be released shortly.+**IMPORTANT ​NOTE:** The tkiptun-ng ​included in v1.0 is not fully working.  ​The final attack phase is not yet implemented. ​ The other portions are working ​with the ieee80211 drivers for RT73 and RTL8187L chipsets. ​ The madwifi-ng driver is definitely broken and is known to completely fail.  tkiptun-ng may work with other drivers but has not been tested so your mileage may vary.
  
 Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://​pacsec.jp/​|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://​pacsec.jp/​|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA".
  
-Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. ​ This attack is described in the paper, [[http://​dl.aircrack-ng.org/​breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://​arstechnica.com/​articles/paedia/​wpa-cracked.ars/​|Battered,​ but not broken: understanding the WPA crack]] by Glenn Fleishman.+Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. ​ This attack is described in the paper, [[http://​dl.aircrack-ng.org/​breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://​arstechnica.com/​security/news/​2008/​11/​wpa-cracked.ars/​|Battered,​ but not broken: understanding the WPA crack]] by Glenn Fleishman.
  
 Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). ​ This is done via [[chopchoptheory|chopchop]]-type method. ​ Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated. Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). ​ This is done via [[chopchoptheory|chopchop]]-type method. ​ Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.
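Review bot: the unchanged context "An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article" has a number-agreement error that is carried into the new revision; change it to "An additional excellent reference explaining how tkiptun-ng does its magic is this Ars Technica article". While this hunk is being touched (the revision only updates the forum and Ars Technica URLs), also fix "the proof-of-concept implementation the WPA/TKIP attack" (missing "of") and "the MICHAEL algorithm is reversed the MIC key used to protect packets ... can be calculated" (missing "and" after "reversed"), and write "documentation" consistently, as the new side already does.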
Line 15: Line 15:
 At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication. ​ Subsequently,​ using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools. At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication. ​ Subsequently,​ using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools.
  
-Please remember this is an extremely advanced attack. ​ You require ​advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills. ​ Novices will NOT BE SUPPORTED.+[[http://​download.aircrack-ng.org/​wiki-files/​doc/​tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009 provides an excellent detailed description of how tkiptun-ng works. ​ As well, their paper includes detailed descriptions of many other attacks against WEP/​WPA/​WPA2. 
 + 
 +Please remember this is an extremely advanced attack. ​ You must possess ​advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills. ​ Novices will NOT BE SUPPORTED.
  
  
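Review bot: "keystram" in the unchanged line "knows a keystram for access point to client communication" is a typo for "keystream" and survives both revisions; fix it here, along with the doubled space in "MIC key  and". The added reference to "Cryptanalysis of IEEE 802.11i TKIP" is useful; stating where it was published, as the description does for the PacSec 2008 talk, would let readers find the paper if the download link moves.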
Line 29: Line 31:
 ===== Specific Requirements ===== ===== Specific Requirements =====
  
-The network card MAC address ​that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.+The network card MAC address used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.
  
  
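Review bot: the Specific Requirements section should also carry the driver constraints that the new IMPORTANT NOTE adds to the description, since a reader checking requirements will look here first: per that note, only the ieee80211 drivers for RT73 and RTL8187L chipsets are reported working, madwifi-ng is known to fail completely, and other drivers are untested. The reworded MAC-address sentence reads fine, but a one-line reason why the card must carry the target client's MAC, and a pointer to the section that shows how to change it, would help.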
tkiptun-ng.1236290780.txt.gz · Last modified: 2009/03/05 23:06 by darkaudax