easside-ng
Differences
This shows you the differences between two versions of the page.
easside-ng [2007/07/19 17:06] – created easside-ng original page darkaudax | easside-ng [2013/03/19 18:21] (current) – Added link to the new page created of Besside-ng jano | ||
Line 1: | Line 1: | ||
====== Easside-ng ====== | ====== Easside-ng ====== | ||
- | ++++++ IMPORTANT ++++++\\ | + | ===== Description ===== |
- | ++++++ IMPORTANT ++++++\\ | + | |
- | ++++++ IMPORTANT ++++++\\ | + | |
- | This functionality will be available in a future release. It is NOT available currently. | + | Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. |
- | ++++++ IMPORTANT ++++++\\ | + | There are two primary papers "The Fragmentation Attack in Practice" |
- | ++++++ IMPORTANT ++++++\\ | + | |
- | ++++++ IMPORTANT ++++++\\ | + | |
+ | In order to access the wireless network without knowing the WEP key, we have the AP itself decrypt the packets. | ||
- | ===== Description ===== | + | * The target access point must be able to communicate with the Internet. |
+ | * A " | ||
+ | * The system running easside-ng must have access to the Internet and be able to communicate with the " | ||
+ | |||
+ | There are two overall phases: | ||
- | Easside-ng is an auto-magic tool which allows you to communicate via an access point (AP) without knowing the WEP key. | + | * Establish basic connectivity between easside-ng, buddy server and the access point. |
+ | * Communication | ||
- | There are two primary papers "The Fragmentation Attack | + | Each phase will be described |
- | In order to access the wireless network without knowing the WEP key is done by having the AP iteself decrypt the packets. | ||
- | * The access point must be able to communicate with the Internet | + | ==== Establish Connectivity ==== |
- | * A " | + | |
- | * The system running easside-ng must have access to the Internet and be able to communicate with the " | + | |
- | * The system running easside-ng must have a wireless card | + | |
- | Here are the steps which essside-ng | + | Here are the steps which essside-ng |
- Channel hops looking for a WEP network. | - Channel hops looking for a WEP network. | ||
- Once a network is found, it tries to authenticate. | - Once a network is found, it tries to authenticate. | ||
- Once the program has successfully authenticated then it associates with the AP. | - Once the program has successfully authenticated then it associates with the AP. | ||
- | - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. | + | - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. |
- | - It then decrypts the IP network by guessing the next three bytes of PRGA using multicast frames and the linear keystream expansion technique. | + | - It then decrypts the IP network by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique. |
- It creates a permanent TCP connection with the " | - It creates a permanent TCP connection with the " | ||
+ | - ARPs to get the MAC addresses for the router and source IP. The defaults are .1 for the router and .123 for the client IP. | ||
- It then tests connectivity via the access point and determines the Internet IP address that the AP uses. It also lists the round trip time of the test packets. | - It then tests connectivity via the access point and determines the Internet IP address that the AP uses. It also lists the round trip time of the test packets. | ||
- The TAP interface is then created. | - The TAP interface is then created. | ||
- | At this point, you run " | + | At this point, you run " |
- | So you may be asking "What is the magic? | ||
- | So you may also be asking "What is the linear keystream expansion technique?" | + | ==== What role does the buddy server play? ==== |
- | There are a few known limitations: | + | The following is a simplistic description. |
- | * Only open authentication | + | |
- | * Only B and G networks | + | * You sniff packet X on the wifi and it is encrypted. |
+ | * If say, that packet was going to cnn.com, then on the Internet it would arrive in clear-text. | ||
+ | * The idea is to retransmit that packet, but instead of sending it to its original destination (cnn.com) we send it to our buddy on the Internet. | ||
+ | * The buddy gets it in clear-text (the AP will decrypt packet before sending to the internet) and sends it back to us. | ||
+ | |||
+ | |||
+ | ==== Communication with the WIFI network ==== | ||
+ | |||
+ | The following describes this diagram in more detail. | ||
+ | \\ | ||
+ | \\ | ||
+ | \\ | ||
+ | {{ http:// | ||
+ | \\ | ||
+ | \\ | ||
+ | So you may be asking "What is the magic? | ||
+ | |||
+ | Lets look at the details of sending and receiving packets via the at0 TAP interface. | ||
+ | |||
+ | Sending packets: | ||
+ | |||
+ | * A packet | ||
+ | * The TAP interface hands the packet over to easside-ng | ||
+ | * Easside-ng then encrypts it for injection using the PRGA gathered in the initial connectivity phase. | ||
+ | * Easside-ng then injects the packet into the wifi network via the wireless device. | ||
+ | |||
+ | Receiving packets: | ||
+ | |||
+ | * A source device (wired or wireless) sends a packet destined for the IP assigned to the ath0 interface or to a broadcast destination. | ||
+ | * Easside-ng constantly listens to the packets being transmitted by the AP. It then processes packets addressed to the TAP IP based on the MAC address or broadcasts. | ||
+ | * For each packet it needs to process, the packet must first be decrypted. | ||
+ | * Easside-ng creates a new packets composed of two fragments. | ||
+ | * The AP receives the fragmented packet, decrypts each fragment | ||
+ | * The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng. | ||
+ | * Easside-ng then sends the decrypted packet out the at0 (TAP) interface. | ||
+ | |||
+ | ==== Fragmentation Technique ==== | ||
+ | |||
+ | This section provides a brief explanation of the fragmentation technique used in easside-ng. | ||
+ | |||
+ | This technique, when successful, can obtain 1504 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to encrypt packets you want to transmit. | ||
+ | |||
+ | Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | ||
+ | |||
+ | The original paper, [[http:// | ||
+ | |||
+ | ==== Linear Keystream Expansion Technique ==== | ||
+ | |||
+ | This section provides a brief explanation of the linear keystream expansion technique used in easside-ng. | ||
+ | |||
+ | So you may also be asking "What is the linear keystream expansion technique?" | ||
+ | |||
+ | The program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. | ||
+ | |||
+ | The linear keystream expansion technique (Arbaugh inductive) is reverse | ||
+ | [[korek_chopchop|chopchop]]. | ||
+ | |||
+ | ==== Easside-ng compared to Wesside-ng ==== | ||
+ | |||
+ | The companion aircrack-ng suite program to easside-ng is [[wesside-ng]]. | ||
+ | |||
+ | ^Feature^easside-ng^wesside-ng^ | ||
+ | |Stability of the program|Stable|Proof of concept| | ||
+ | |Finds a MAC address to spoof|No|Yes| | ||
+ | |Fake Authentication to AP|Yes|Yes| | ||
+ | |Can use ARP packets for fragmentation|Yes|Yes| | ||
+ | |Can use IP packets for fragmentation|Yes|No| | ||
+ | |Fragmentation attack to obtain PRGA|Yes|Yes| | ||
+ | |Linear Keystream Expansion Technique|Yes|Yes| | ||
+ | |Communication with wifi network without WEP key|Yes|No| | ||
+ | |Network ARP request flooding|No|Yes| | ||
+ | |Aircrack-ng PTW attack|No|Yes| | ||
+ | |Recovers WEP key|No|Yes| | ||
+ | |||
+ | ==== Why easside-ng when aircrack-ng has PTW? ==== | ||
+ | |||
+ | Why release easside-ng when aircrack-ng has PTW? | ||
+ | |||
+ | * easside-ng was private and came a year before PTW. | ||
+ | * easside-ng is handy for a quick and stealthy attack. | ||
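Review bot: the receive-path bullet "A source device (wired or wireless) sends a packet destined for the IP assigned to the ath0 interface or to a broadcast destination." names the wrong interface; ath0 is the wireless card (the -f example further down uses "-f ath0"), while the TAP interface is called at0 everywhere else in this section ("Lets look at the details of sending and receiving packets via the at0 TAP interface", "Easside-ng then sends the decrypted packet out the at0 (TAP) interface"), so change ath0 to at0 here. Step 5 of the connectivity list also changes "the next three bytes of PRGA" to "the next four bytes of PRGA"; the two revisions disagree and the Linear Keystream Expansion section below does not state the number, so confirm the new figure against the implementation before this goes live. Smaller fixes carried over unchanged from the old revision: "essside-ng" in the step-list introduction should be "easside-ng", "an WEP-encrypted access point" should be "a WEP-encrypted access point", "creates a new packets composed of two fragments" should be "a new packet", and "is reverse chopchop" reads better as "is the reverse of chopchop".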
Line 50: | Line 127: | ||
- | Usage: easside-ng <arg> [v0] | + | Usage: easside-ng <args> |
Where: | Where: | ||
* -h Displays the list of options. | * -h Displays the list of options. | ||
- | * -v MAC address of the Acess Point (Optional) | + | * -v MAC address of the Access |
* -m | * -m | ||
* -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus " | * -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus " | ||
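Review bot: -m has no description in this hunk while -h, -v and -i each get one; add a one-line explanation of what -m takes, in the same style as the other options. The synopsis change from "easside-ng <arg> [v0]" to "easside-ng <args>" is fine as long as the "[v0] Current version number" entry disappears from the option list as well, so that the synopsis and the list agree.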
Line 62: | Line 139: | ||
* -f Wireless interface name. (Mandatory) | * -f Wireless interface name. (Mandatory) | ||
* -c Locks the card to the specified channel (Optional) | * -c Locks the card to the specified channel (Optional) | ||
- | * [v0] Current version number. | ||
Line 69: | Line 145: | ||
NOTE: There are no parameters for buddy-ng. | NOTE: There are no parameters for buddy-ng. | ||
- | + | When you run easside-ng, it creates a file automatically in the current directory: | |
- | + | ||
- | When you run easside-ng, it creates a file automatically in the current directory | + | |
* prga.log - Contains the PRGA obtained through the fragmentation attack. | * prga.log - Contains the PRGA obtained through the fragmentation attack. | ||
Line 81: | Line 155: | ||
===== Scenarios ===== | ===== Scenarios ===== | ||
- | ==== Standard | + | ==== Specific AP Usage Example ==== |
Be sure to use [[airmon-ng]] to put your card into monitor mode. | Be sure to use [[airmon-ng]] to put your card into monitor mode. | ||
- | First, you need to start a buddy server. | + | First, you need to start a buddy server. |
You start the buddy sever: | You start the buddy sever: | ||
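Review bot: "You start the buddy sever:" keeps the typo on both sides of the diff; change "sever" to "server". The sentence "First, you need to start a buddy server." should also say where that server has to run (a system with a routeable Internet address, which is what the Test Setup section added later in this revision requires), so a reader does not start it on a host behind NAT and then spend time debugging connectivity.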
Line 111: | Line 185: | ||
Where: | Where: | ||
- | * -f ath0 This is the wireless | + | * -f ath0 |
- | * -v 00: | + | * -v 00: |
- | * -c 9 This is the channel | + | * -c 9 |
- | * -s 10.116.23.144 | + | * -s 10.116.23.144 |
The system responds: | The system responds: | ||
Line 158: | Line 232: | ||
| | ||
- | Now you can send and receive packets to and from the AP network which in this case is 192.168.1.0/ | + | Now you can send and receive packets to and from the AP network which in this case is 192.168.1.0/ |
+ | |||
+ | |||
+ | ==== Scanning for APs Usage Example ==== | ||
+ | |||
+ | The " | ||
===== Usage Tips ===== | ===== Usage Tips ===== | ||
- | The above example | + | ==== Combining easside-ng and wesside-ng ==== |
+ | |||
+ | As you may know, wesside-ng | ||
+ | |||
+ | First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple! | ||
+ | |||
+ | Playfully, this is known as [[besside-ng|Besside-ng]]. | ||
+ | |||
+ | ==== Demonstrating Insecurity! ==== | ||
+ | |||
+ | IMPORTANT: You must have written permission from the owner of the AP prior to using the instructions in this section. | ||
+ | |||
+ | A clever way to demonstrate the insecurity of WEP networks and access points: | ||
+ | |||
+ | * Use easside-ng to create an access mechanism to the WIFI network. | ||
+ | * Log into the AP with your favourite browser. | ||
+ | * Now you can configure your wireless card with the WEP key and access the network normally. | ||
+ | |||
+ | |||
+ | ==== Test Setup ==== | ||
+ | |||
+ | This section will discuss what works and what does not work with regards to testing easside-ng against your own wireless LAN. | ||
+ | |||
+ | 6969 is the standard port used by easside-ng and buddy-ng. | ||
+ | |||
+ | First, some simple assumptions about your wireless LAN: | ||
+ | |||
+ | * It has access to the Internet. | ||
+ | * Outbound UDP port 6969 to the Internet is not blocked. | ||
+ | * You have tested your ability to connect to the buddy-ng server. | ||
+ | |||
+ | Assumptions about your buddy-ng server: | ||
+ | |||
+ | * It is running on Internet with a routeable IP address | ||
+ | * It is accessible by both the system running easside-ng and the wireless LAN | ||
+ | * Inbound and outbound UDP and TCP port 6969 is permitted. | ||
+ | |||
+ | Assumptions about the system running easside-ng; | ||
+ | |||
+ | * It is running on Internet with a routeable IP address. | ||
+ | * Outbound TCP port 6969 to the Internet is not blocked. | ||
+ | * You have tested your ability to connect to the buddy-ng server. | ||
+ | * It contains a wireless device supported by aircrack-ng and it is in monitor mode. | ||
+ | |||
+ | The easiest way to test connectivity to the buddy-ng server is by using telnet. | ||
+ | |||
+ | Enter: | ||
+ | |||
+ | | ||
+ | |||
+ | The system should respond: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The buddy server should look like this: | ||
+ | |||
+ | | ||
+ | Got connection from <ip of the easside-ng | ||
+ | |||
+ | When you terminate the telnet session, it should look like this: | ||
+ | |||
+ | That was it | ||
+ | | ||
+ | |||
+ | The above examples show a successful test. If your test fails then use tcpdump or wireshark on the source and destination systems to sniff port 6969. Determine the problem with these tools and others then correct the root problem. | ||
+ | |||
+ | If you are running easside-ng and buddy-ng on the same system then the system must have a routeable Internet IP address. You cannot be on a LAN behind a firewall which does network address translation (NAT). | ||
+ | |||
+ | The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet. Then have a second system with easside-ng running with a routeable IP address. | ||
+ | |||
+ | |||
+ | ===== Tap interface under Windows ===== | ||
+ | |||
+ | To obtain a tap interface in a MS Windows environment, | ||
===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== | ||
- | Make sure your card is in monitor mode. | + | * Make sure your card is in monitor mode. |
- | Make sure your card can inject by testing it with the [[http:// | + | * Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]]. |
- | Make sure your card supports the fragmentation attack. | + | * Make sure your card supports the fragmentation attack. |
- | Make sure to delete prga.log if you are changing access points or if you want to restart cleanly. | + | * Make sure to delete |
- | There are a few known limitations: | + | * There are a few known limitations: |
- | * Only open authentication is support. | + | * Only open authentication is support. |
- | * Only B and G networks are supported. | + | * Only B and G networks are supported. |
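Review bot: "Only open authentication is support." carries the old typo into the new bulleted list; change to "is supported". Turning the troubleshooting items into bullets is an improvement, but "There are a few known limitations:" is not a troubleshooting step; give it its own line above the two limitation bullets rather than nesting them under it. In the Test Setup section the port assumptions match the design described earlier on the page (the wireless LAN needs outbound UDP 6969 because "The buddy server receives the decrypted packet from the AP by UDP", and the easside-ng system needs outbound TCP 6969 for its permanent TCP connection to the buddy); one sentence saying so next to "6969 is the standard port used by easside-ng and buddy-ng." would tell readers which firewall rule applies to which host.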
easside-ng.1184857582.txt.gz · Last modified: 2007/07/19 17:06 by darkaudax