airbase-ng

Differences

This shows you the differences between two versions of the page.

Previous revision: airbase-ng [2009/10/11 16:24] – fixed typos (darkaudax)
Next revision: airbase-ng [2010/11/21 16:45] – typos (sleek)
Line 108: Line 108:
 ==== -q Quiet Flag ==== ==== -q Quiet Flag ====
  
-This surpresses printing any statistics or status information.+This suppresses printing any statistics or status information.
  
 ==== -v Verbose Flag ==== ==== -v Verbose Flag ====
Line 146: Line 146:
 ==== -s Force Shared Key Authentication ==== ==== -s Force Shared Key Authentication ====
  
-When specfiied, this forces shared key authentication for all clients.+When specified, this forces shared key authentication for all clients.
  
 The soft AP will send an "authentication method unsupported" rejection to any open system The soft AP will send an "authentication method unsupported" rejection to any open system
Line 158: Line 158:
 ==== -L Caffe Latte Attack ==== ==== -L Caffe Latte Attack ====
  
-Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6" It can be used with "-L" or "--caffe-latte" This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explaination of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is.  It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from.  The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X.+Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6" It can be used with "-L" or "--caffe-latte" This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explanation of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is.  It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from.  The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X.
  
 "-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests.  Airodump-ng is needed to capture the replys. "-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests.  Airodump-ng is needed to capture the replys.
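Review bot: the "explaination" fix is correct, but two typos in the same section are left standing: the unchanged context line still reads "capture the replys" (should be "replies"), and the quoted flags are missing sentence breaks, so `as attack "-6" It can be used with "-L" or "--caffe-latte" This attack` should become `as attack "-6". It can be used with "-L" or "--caffe-latte". This attack`. While touching this paragraph, "The point why this attack works in practice is, that at least windows sends gratuitous arps" would read better as "This attack works in practice because Windows, at least, sends gratuitous ARPs".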
Line 175: Line 175:
  
 ==== -y Disable Broadcast Probes ==== ==== -y Disable Broadcast Probes ====
-When using this option, the fake AP will not respond to broadcast probes.  A broadcast probe is where the the specific AP is not identified uniquely.  Typically, most APs will respond with probe responses to a broadcast probe.  This flag will prevent this happening.  It will only respond when the specific AP is uniquely requested.+When using this option, the fake AP will not respond to broadcast probes.  A broadcast probe is where the specific AP is not identified uniquely.  Typically, most APs will respond with probe responses to a broadcast probe.  This flag will prevent this happening.  It will only respond when the specific AP is uniquely requested.
  
 ==== -0 Set WPA/WEP Tags ==== ==== -0 Set WPA/WEP Tags ====
Line 276: Line 276:
   * -d 00:06:62:F8:1E:2C filters the data captured to fake AP MAC (this is optional)   * -d 00:06:62:F8:1E:2C filters the data captured to fake AP MAC (this is optional)
   * -w specifies the file name prefix of the captured data   * -w specifies the file name prefix of the captured data
-  * ath0 specifies the wireless interface to capture data on+  * wlan0 specifies the wireless interface to capture data on
  
 Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack:
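Review bot: the ath0 to wlan0 rename only touches the bullet; the airodump-ng command line that this bullet list explains is outside the hunk and must be changed in the same revision, otherwise the bullet and the command it documents disagree. Since -d is airodump-ng's BSSID filter, "filters the data captured to fake AP MAC" could be stated more precisely as "restricts the capture to the fake AP's BSSID".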
Line 316: Line 316:
 ==== Caffe Latte Attack in Access Point mode ==== ==== Caffe Latte Attack in Access Point mode ====
  
-This attack obtains the WEP key from a client.  It depends on receiving at least one gratutitous ARP request from the client after it has associated with the fake AP.+This attack obtains the WEP key from a client.  It depends on receiving at least one gratuitous ARP request from the client after it has associated with the fake AP.
  
 Enter: Enter:
Line 410: Line 410:
  
   * -c 9 specifies the channel   * -c 9 specifies the channel
-  * -d 00:C0:C6:94:F4:87 filters the data captured to fake AP MAC.  It is MAC of card running the the fake AP.  This is optional.+  * -d 00:C0:C6:94:F4:87 filters the data captured to fake AP MAC.  It is MAC of card running the fake AP.  This is optional.
   * -w specifies the file name of the captured data   * -w specifies the file name of the captured data
   * wlan0 specifies the wireless interface to capture data on   * wlan0 specifies the wireless interface to capture data on
  
 When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below: When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below:
- +
    CH  9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87                                 CH  9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87                             
                                                                                                                                                                                                                              
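Review bot: the unchanged context line "-w specifies the file name of the captured data" is inconsistent with the bullet fixed two hunks earlier, which correctly says "file name prefix"; airodump-ng -w takes a prefix and appends its own sequence number and extension, so the two bullets should use the same wording. The `- +` line in this hunk is a whitespace-only change and needs no review.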
Line 491: Line 491:
  
 In all cases, bit flipping is used to ensure the CRC is correct.  Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast. In all cases, bit flipping is used to ensure the CRC is correct.  Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast.
 +
 +==== SoftAP with Internet connection and MITM sniffing ====
 +
 +This [[http://forum.aircrack-ng.org/index.php?topic=7172.0|forum thread]] provides a tutorial for SoftAP with Internet connection and MITM sniffing.
 +
  
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
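Review bot: the new "SoftAP with Internet connection and MITM sniffing" section is only a pointer to a forum thread; one or two sentences summarizing what the thread covers would keep the section useful if the thread becomes unavailable. The three added blank lines before the heading are also more than the single blank line used between sections elsewhere on this page.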
Line 502: Line 507:
 ==== Broken SKA error message ==== ==== Broken SKA error message ====
  
-You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail.  This message indicates the number of bytes actually received was different that the number requested.  Either don't use the option or try different values of "-S" to see which one elminates the error.+You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail.  This message indicates the number of bytes actually received was different that the number requested.  Either don't use the option or try different values of "-S" to see which one eliminates the error.
  
 ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ====
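Review bot: "elminates" is fixed, but two further errors in the same paragraph were left: "values different then 128" should be "values different than 128", and "different that the number requested" should be "different than the number requested".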
Line 508: Line 513:
 See this [[http://trac.aircrack-ng.org/ticket/469|trac ticket]] for a workaround.  The trac ticket explains the root cause and how to adjust the MTU to avoid the problem. See this [[http://trac.aircrack-ng.org/ticket/469|trac ticket]] for a workaround.  The trac ticket explains the root cause and how to adjust the MTU to avoid the problem.
  
 +==== Error creating tap interface: Permission denied ====
 +
 +See the following [[faq#why_do_i_get_error_creating_tap_interfacepermission_denied_or_a_similar_message|FAQ entry]].
  
 ===== Related Commands ===== ===== Related Commands =====
airbase-ng.txt · Last modified: 2018/03/11 18:54 by mister_x