interactive_packet_replay
Differences
interactive_packet_replay [2007/03/03 21:00] – reworte page to standard format and updated content darkaudax | interactive_packet_replay [2008/12/02 21:18] – packes darkaudax | ||
Line 1: | Line 1: | ||
====== Interactive packet replay ====== | ====== Interactive packet replay ====== | ||
+ | |||
===== Description ===== | ===== Description ===== | ||
- | This attack allows you to choose a specific packet for replaying (injecting). | + | This attack allows you to choose a specific packet for replaying (injecting). |
+ | |||
+ | In order to use the interactive packet replay successfully, | ||
+ | |||
+ | To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one. We will now explore these two concepts in more detail. | ||
+ | |||
+ | First, lets look at what characteristics a packet must have to naturally work. Access points will always repeat packets destined for the broadcast MAC address. | ||
+ | |||
+ | So the aireplay-ng filter options we require to select these packets are: | ||
+ | |||
+ | * -b 00: | ||
+ | * -d FF: | ||
+ | * -t 1 selects packets with the "To Distribution System" | ||
+ | |||
+ | See " | ||
+ | |||
+ | Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. | ||
+ | |||
+ | * -b 00: | ||
+ | * -t 1 selects packets with the "To Distribution System" | ||
+ | |||
+ | We don't care what the destination MAC address is. This because in this case we will modify the packet being injected. | ||
+ | |||
+ | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point. IE Set "To DS" field to 1. | ||
+ | * -c FF: | ||
+ | |||
+ | See " | ||
===== Usage ===== | ===== Usage ===== | ||
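Review bot: the opening claim of this hunk that access points "will always repeat packets destined for the broadcast MAC address" is stronger than the page supports; the troubleshooting section of this same revision notes that a wireless client separation option can stop interactive replay from working, so suggest "will normally repeat" plus a pointer to that note, since an administrator who enables client separation removes exactly the behaviour this section relies on. In the second list, "-p 0841" and "-c FF:" are replay options rather than filter options, while the list above them is introduced as "filter options"; label the second list as replay options so it matches the "<filter options>" / "<replay options>" split in the Usage section. "IE Set "To DS" field to 1" should read "i.e. set the "To DS" field to 1". Several option values and references in this hunk appear cut off at a colon or quote ("-b 00:", "-d FF:", "See ""); confirm the full values survived in the rendered page.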
Line 12: | Line 40: | ||
* -2 means interactive replay attack | * -2 means interactive replay attack | ||
- | * <filter options> | + | * <filter options> |
- | * <replay options> | + | * <replay options> |
* -r <file name> used to specify a pcap file to read packets from (this is optional) | * -r <file name> used to specify a pcap file to read packets from (this is optional) | ||
* <replay interface> | * <replay interface> | ||
===== Usage Examples ===== | ===== Usage Examples ===== | ||
+ | |||
+ | ==== Natural Packet Replay ==== | ||
+ | |||
+ | For this example, you do not need do a fake authenticaion first, since the source MAC address is already associated with the access point. | ||
+ | |||
+ | Putting it all together: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | |||
+ | * -2 means interactive replay | ||
+ | * -b 00: | ||
+ | * -d FF: | ||
+ | * -t 1 selects packets with the "To Distribution System" | ||
+ | * ath0 is the wireless interface | ||
+ | |||
+ | When launched, the program will look as follows: | ||
+ | |||
+ | Read 4 packets... | ||
+ | |||
+ | Size: 68, FromDS: 0, ToDS: 1 (WEP) | ||
+ | |||
+ | | ||
+ | Dest. MAC = FF: | ||
+ | Source MAC = 00: | ||
+ | |||
+ | 0x0000: | ||
+ | 0x0010: | ||
+ | 0x0020: | ||
+ | 0x0030: | ||
+ | 0x0040: | ||
+ | |||
+ | Use this packet ? y | ||
+ | |||
+ | Notice that the packet matches our selection criteria. | ||
+ | |||
+ | | ||
+ | You should also start airodump-ng to capture replies. | ||
+ | |||
+ | Sent 773 packets... | ||
+ | |||
+ | |||
+ | ==== Modified Packet Replay ==== | ||
+ | |||
+ | For this example, you do not need do a fake authenticaion first, since the source MAC address is already associated with the access point. | ||
+ | |||
+ | Putting it all together: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | |||
+ | * -2 means interactive replay | ||
+ | * -b 00: | ||
+ | * -t 1 selects packets with the "To Distribution System" | ||
+ | * -c FF: | ||
+ | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | ||
+ | * ath0 is the wireless interface | ||
+ | |||
+ | The IVs generated per second will vary based on the size of the packet you select. | ||
+ | |||
+ | Read 10 packets... | ||
+ | |||
+ | Size: 124, FromDS: 0, ToDS: 1 (WEP) | ||
+ | |||
+ | | ||
+ | Dest. MAC = 00: | ||
+ | Source MAC = 00: | ||
+ | |||
+ | 0x0000: | ||
+ | 0x0010: | ||
+ | 0x0020: | ||
+ | 0x0030: | ||
+ | 0x0040: | ||
+ | 0x0050: | ||
+ | 0x0060: | ||
+ | 0x0070: | ||
+ | |||
+ | Use this packet ? y | ||
+ | |||
+ | Enter " | ||
+ | |||
+ | | ||
+ | You should also start airodump-ng to capture replies. | ||
+ | |||
+ | Sent 2966 packets... | ||
+ | |||
+ | |||
+ | ==== Other Examples ==== | ||
You could use it, for example, to have the access point (AP) rebroadcast the packet and thereby generate new initialization vectors (IVs): | You could use it, for example, to have the access point (AP) rebroadcast the packet and thereby generate new initialization vectors (IVs): | ||
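Review bot: both new example sections open with the same sentence, which also carries a typo ("you do not need do a fake authenticaion first"); fix to "you do not need to do a fake authentication first" and, since the Modified Packet Replay command does not set "-h" the way the Other Examples commands do, say in that section that the captured packet's own source MAC is kept, which is why no fake authentication is needed there. The sentence "The IVs generated per second will vary based on the size of the packet you select." is added under Modified Packet Replay and already exists unchanged in the Other Examples section below; keep one copy. The sample output is what a reader uses to confirm the selected packet matches the filter (the "FromDS: 0, ToDS: 1" and "Dest. MAC" lines), so the sentence "Notice that the packet matches our selection criteria" should say which output fields correspond to -b, -d and -t.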
Line 26: | Line 144: | ||
* -2 means the interactive replay attack | * -2 means the interactive replay attack | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set "To DS" field to 1. |
* -c FF: | * -c FF: | ||
* -b 00: | * -b 00: | ||
* -h 00: | * -h 00: | ||
* ath0 is the wireless interface name. | * ath0 is the wireless interface name. | ||
+ | |||
+ | IMPORTANT: | ||
The IVs generated per second will vary based on the size of the packet you select. | The IVs generated per second will vary based on the size of the packet you select. | ||
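Review bot: the text added to the -p 0841 bullet, "IE Set "To DS" field to 1.", should read "i.e. set the "To DS" field to 1"; the same wording is appended to the -p 0841 bullet in two later hunks, and the Description section of this revision already explains -p 0841 the same way, so suggest explaining it once in the Description and keeping the bullets short. The new "IMPORTANT:" line shows no text after the colon in this view; confirm the note's body is present, because as shown it sits directly before the sentence about IV rate with no transition.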
Line 68: | Line 188: | ||
* -2 means the interactive replay attack | * -2 means the interactive replay attack | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set "To DS" field to 1. |
* -m 68 is the minimum packet length | * -m 68 is the minimum packet length | ||
* -n 86 is the maximum packet length | * -n 86 is the maximum packet length | ||
Line 75: | Line 195: | ||
* -h 00: | * -h 00: | ||
* ath0 is the wireless interface name. | * ath0 is the wireless interface name. | ||
+ | |||
+ | IMPORTANT: | ||
Once you start the program it looks as follows: | Once you start the program it looks as follows: | ||
Line 109: | Line 231: | ||
* -2 means the interactive replay attack | * -2 means the interactive replay attack | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set "To DS" field to 1. |
* -c FF: | * -c FF: | ||
* -b 00: | * -b 00: | ||
* -h 00: | * -h 00: | ||
* ath0 is the wireless interface name. | * ath0 is the wireless interface name. | ||
+ | |||
+ | IMPORTANT: | ||
The program responds: | The program responds: | ||
Line 140: | Line 264: | ||
===== Usage Tips ===== | ===== Usage Tips ===== | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ==== Additional Interactive Application ==== | ||
There are some interesting applications of the first example above. | There are some interesting applications of the first example above. | ||
This would also work on APs with clients. | This would also work on APs with clients. | ||
+ | |||
+ | IMPORTANT: | ||
+ | |||
+ | ==== Injecting Management Frames ==== | ||
+ | |||
+ | You can also inject management and control frames on a per frame basis with aireplay-ng. | ||
+ | |||
+ | Examples: | ||
+ | * Setting -v 8 -u 0 -w 0 allows you to send beacons frames. | ||
+ | * Setting -v 12 -u 1 -w 0 -m 10 -n 2000 sets a filter for control frames (in this case clear-to-send frames). | ||
+ | |||
===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== | ||
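Review bot: the new "Injecting Management Frames" list describes its two option sets inconsistently: the second bullet says "-v 12 -u 1 -w 0 -m 10 -n 2000 sets a filter for control frames", but the first says "-v 8 -u 0 -w 0 allows you to send beacons frames", which reads as if the options build a frame rather than select one from the capture; make it parallel ("sets a filter for management frames, in this case beacon frames") and fix "beacons frames" to "beacon frames". "-m 10" and "-n 2000" are the minimum and maximum packet length already listed in the Other Examples section, so say that here instead of leaving them unexplained. Four empty lines are inserted under the "Usage Tips" heading before the new "Additional Interactive Application" subheading; one is enough. "on a per frame basis" should be "on a per-frame basis".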
Line 150: | Line 290: | ||
Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. | Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. | ||
+ | |||
+ | One situation that may affect interactive replay: Exception of wireless client separation option - http:// | ||
Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | ||
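Review bot: the new troubleshooting sentence "One situation that may affect interactive replay: Exception of wireless client separation option - http://" ends in a bare "http://" and the phrase "Exception of" is unclear; supply the full link and reword to say what the option does to this technique, e.g. "If the access point has wireless client separation (client isolation) enabled, it does not relay frames from one wireless client to the others, so the replayed packets are not rebroadcast and the IV count does not increase". That ties the tip to the statement in the Description that the technique depends on the access point repeating the packets, and it names the setting an administrator would enable to blunt this replay.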
interactive_packet_replay.txt · Last modified: 2010/11/21 09:05 by sleek