| Next revision | Previous revisionNext revisionBoth sides next revision |
| supported_packets [2008/08/06 18:27] – created darkaudax | supported_packets [2008/08/06 21:56] – darkaudax |
|---|
| ====== Tutorial: Packets Supported for the PTW Attack ====== | ====== Tutorial: Packets Supported for the PTW Attack ====== |
| Version: 1.00 August 6, 2008\\ | Version: 1.01 August 6, 2008\\ |
| By: darkAudax | By: darkAudax |
| |
| |
| ^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^ | ^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^ |
| |Spanning Tree|Destination MAC 01:80:C2:00:00:00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|Yes. Limited to 40bits.| | |Spanning Tree (STP)|Destination MAC 01:80:C2:00:00:00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|Yes. Limited to 40bits.| |
| |Port Aggregation Protocol (PAgP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle porfts on Catalys switches into EtherChannel. Similar to Ethernet bonding in the linux world.|No| | |Port Aggregation Protocol (PAgP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle porfts on Catalys switches into EtherChannel. Similar to Ethernet bonding in the linux world.|No| |
| |VLAN Trunking Protocol (VTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual LANs (VLANs)|No| | |VLAN Trunking Protocol (VTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual LANs (VLANs)|No| |
| For PTW we need "key length plus 3 bytes" keystream length. As an example: A 40 bit WEP key is 5 bytes long. So we need "5 bytes plus 3 bytes", thus 8 keystream bytes. Keystream bytes are bytes that we know the unencrypted value. | For PTW we need "key length plus 3 bytes" keystream length. As an example: A 40 bit WEP key is 5 bytes long. So we need "5 bytes plus 3 bytes", thus 8 keystream bytes. Keystream bytes are bytes that we know the unencrypted value. |
| |
| For ARP packets, we know 22 keystream bytes. That is why ARP packets can be used to crack any length of WEP key. | For ARP packets, we know 22 keystream bytes. ARPs can be used for 40 and 104 bit WEP cracking. |
| |
| For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem. For 104 bit WEP, there are 2 bytes which are completely unknown. These are bruteforced. And one final byte is guessed since there are only three possibilities. | For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem. For 104 bit WEP, there are 2 bytes which are completely unknown. These are bruteforced. And one final byte is guessed since there are only three possibilities. |
| | |
| | |
| | ===== Handy URLs ===== |
| | |
| | * [[http://www.cavebear.com/archive/cavebear/Ethernet/multicast.html|Multicast Addresses]] |
| | * [[http://www.iana.org/assignments/ethernet-numbers|Ether Types]] |
| |
