airbase-ng

Differences

This shows you the differences between two versions of the page.

airbase-ng [2010/03/29 19:24] – removed double 'the' mister_x
airbase-ng [2010/11/21 16:45] – typos sleek
Line 108: Line 108:
 ==== -q Quiet Flag ==== ==== -q Quiet Flag ====
  
-This surpresses printing any statistics or status information.+This suppresses printing any statistics or status information.
  
 ==== -v Verbose Flag ==== ==== -v Verbose Flag ====
Line 146: Line 146:
 ==== -s Force Shared Key Authentication ==== ==== -s Force Shared Key Authentication ====
  
-When specfiied, this forces shared key authentication for all clients.+When specified, this forces shared key authentication for all clients.
  
 The soft AP will send an "authentication method unsupported" rejection to any open system The soft AP will send an "authentication method unsupported" rejection to any open system
Line 158: Line 158:
 ==== -L Caffe Latte Attack ==== ==== -L Caffe Latte Attack ====
  
-Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6" It can be used with "-L" or "--caffe-latte" This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explaination of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is.  It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from.  The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X.+Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6" It can be used with "-L" or "--caffe-latte" This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explanation of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is.  It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from.  The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X.
  
 "-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests.  Airodump-ng is needed to capture the replys. "-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests.  Airodump-ng is needed to capture the replys.
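Review bot: the rewritten caffe-latte paragraph still runs three sentences together: there is no full stop after attack "-6" or after "--caffe-latte", so add one in each place while this line is being touched. The same sentence links the Gratuitous ARP page twice (once as "this", once as "gratuitous arp"); one link is enough. The unchanged "-x <pps>" line below still reads "replys", which should be "replies" and fits the stated scope of this revision.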
Line 276: Line 276:
   * -d 00:06:62:F8:1E:2C filters the data captured to fake AP MAC (this is optional)   * -d 00:06:62:F8:1E:2C filters the data captured to fake AP MAC (this is optional)
   * -w specifies the file name prefix of the captured data   * -w specifies the file name prefix of the captured data
-  * ath0 specifies the wireless interface to capture data on+  * wlan0 specifies the wireless interface to capture data on
  
 Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack:
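Review bot: the ath0 to wlan0 change in the last bullet is a content change rather than a typo, so the revision summary "typos" undersells it. It does bring this list in line with the wlan0 bullet in the Line 410 list, but the command this list documents sits outside the hunk, so confirm it names wlan0 as well; otherwise the bullet describes an interface the example never uses.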
Line 316: Line 316:
 ==== Caffe Latte Attack in Access Point mode ==== ==== Caffe Latte Attack in Access Point mode ====
  
-This attack obtains the WEP key from a client.  It depends on receiving at least one gratutitous ARP request from the client after it has associated with the fake AP.+This attack obtains the WEP key from a client.  It depends on receiving at least one gratuitous ARP request from the client after it has associated with the fake AP.
  
 Enter: Enter:
Line 410: Line 410:
  
   * -c 9 specifies the channel   * -c 9 specifies the channel
-  * -d 00:C0:C6:94:F4:87 filters the data captured to fake AP MAC.  It is MAC of card running the the fake AP.  This is optional.+  * -d 00:C0:C6:94:F4:87 filters the data captured to fake AP MAC.  It is MAC of card running the fake AP.  This is optional.
   * -w specifies the file name of the captured data   * -w specifies the file name of the captured data
   * wlan0 specifies the wireless interface to capture data on   * wlan0 specifies the wireless interface to capture data on
  
 When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below: When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below:
- +
    CH  9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87                                 CH  9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87                             
                                                                                                                                                                                                                              
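Review bot: the "-d" bullet still reads "It is MAC of card running the fake AP" after the duplicate "the" is removed; "It is the MAC of the card running the fake AP" would finish the fix. The "-w" bullet here says "file name" while the equivalent bullet in the Line 276 list says "file name prefix"; use the same wording in both. The blank-line change before the airodump-ng screen appears to be whitespace only and could be dropped from the revision.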
Line 507: Line 507:
 ==== Broken SKA error message ==== ==== Broken SKA error message ====
  
-You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail.  This message indicates the number of bytes actually received was different that the number requested.  Either don't use the option or try different values of "-S" to see which one elminates the error.+You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail.  This message indicates the number of bytes actually received was different that the number requested.  Either don't use the option or try different values of "-S" to see which one eliminates the error.
  
 ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ====
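Review bot: the Broken SKA paragraph still has two than/then slips on the changed line: "different then 128" should be "different than 128" and "different that the number requested" should be "different than the number requested". Fix both together with "eliminates".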
airbase-ng.txt · Last modified: 2018/03/11 18:54 by mister_x