wesside-ng
Differences
Old revision | wesside-ng [2007/07/21 20:30]: major update of content (darkaudax) | New revision | wesside-ng [2018/03/11 18:57] (current): Updated links to tickets (mister_x)
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== | + | ====== |
- | + | ||
- | ++++++ IMPORTANT ++++++\\ | + | |
- | ++++++ IMPORTANT ++++++\\ | + | |
- | ++++++ IMPORTANT ++++++\\ | + | |
- | + | ||
- | This functionality will be available in a future release. It is NOT available currently. | + | |
- | + | ||
- | ++++++ IMPORTANT ++++++\\ | + | |
- | ++++++ IMPORTANT ++++++\\ | + | |
- | ++++++ IMPORTANT ++++++\\ | + | |
===== Description ===== | ===== Description ===== | ||
- | Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring | + | Wesside-ng is an auto-magic tool which incorporates a number of techniques |
- | + | ||
- | There are two primary papers "The Fragmentation Attack in Practice" | + | |
- | + | ||
- | In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets. | + | |
- | + | ||
- | * The target access point must be able to communicate with the Internet. | + | |
- | * A " | + | |
- | * The system running easside-ng must have access to the Internet and be able to communicate with the " | + | |
- | + | ||
- | There are two overall phases: | + | |
- | + | ||
- | * Establish basic connectivity between easside-ng, buddy server and the access point. | + | |
- | * Communication with the WIFI network. | + | |
- | + | ||
- | Each phase will be described in more detail in the following sections. | + | |
+ | The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers. | ||
- | ==== Establish Connectivity ==== | + | For you trivia buffs, who knows where the program name " |
- | Here are the steps which essside-ng performs during the establishing connectivity phase: | + | Wesside-ng has been updated to reflect advances in determining the WEP key. |
- Channel hops looking for a WEP network. | - Channel hops looking for a WEP network. | ||
- | - Once a network is found, it tries to authenticate. | + | - Once a network is found, it tries to authenticate. If authentication fails, then the program attempts to find a MAC address currently associated with the AP to spoof. |
- Once the program has successfully authenticated then it associates with the AP. | - Once the program has successfully authenticated then it associates with the AP. | ||
- | - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. | + | - After sniffing a single data packet, it proceeds to discover at least 128 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. |
- | - It then decrypts the IP network | + | - After it sniffs an ARP request, it decrypts the IP |
- | - It creates a permanent TCP connection | + | |
- | - ARPs to get the MAC addresses | + | - Launches |
- | - It then tests connectivity via the access point and determines | + | |
- | - The TAP interface is then created. | + | |
- | At this point, you run " | + | So you may be asking "What is the linear keystream expansion technique?" |
- | + | ||
- | + | ||
- | ==== What role does the buddy server play? ==== | + | |
- | + | ||
- | The following is a simplistic description. | + | |
- | + | ||
- | * You sniff packet X on the wifi and it is encrypted. | + | |
- | * If say, that packet was going to cnn.com, then on the Internet it would arrive in clear-text. | + | |
- | * The idea is to retransmit that packet, but instead of sending it to its original destination (cnn.com) we send it to our buddy on the Internet. | + | |
- | * The buddy gets it in clear-text (the AP will decrypt packet before sending to the internet) and sends it back to us. | + | |
- | + | ||
- | + | ||
- | ==== Communication with the WIFI network ==== | + | |
- | + | ||
- | The following describes this diagram in more detail. | + | |
- | \\ | + | |
- | \\ | + | |
- | \\ | + | |
- | {{ http:// | + | |
- | \\ | + | |
- | \\ | + | |
- | So you may be asking "What is the magic? | + | |
- | + | ||
- | Lets look at the details of sending and receiving packets via the at0 TAP interface. | + | |
- | + | ||
- | Sending packets: | + | |
- | + | ||
- | * A packet | + | |
- | * The TAP interface hands the packet over to easside-ng | + | |
- | * Easside-ng then encrypts it for injection using the PRGA gathered in the initial connectivity phase. | + | |
- | * Easside-ng then injects the packet into the wifi network via the wireless device. | + | |
- | + | ||
- | Receiving packets: | + | |
- | + | ||
- | * A source device (wired or wireless) sends a packet destined for the IP assigned to the ath0 interface or to a broadcast destination. | + | |
- | * Easside-ng constantly listens to the packets being transmitted by the AP. It then processes packets addressed to the TAP IP based on the MAC address or broadcasts. | + | |
- | * For each packet it needs to process, the packet must first be decrypted. | + | |
- | * Easside-ng creates a new packets composed of two fragments. | + | |
- | * The AP receives the fragmented packet, decrypts each fragment and reassembles the fragments into a single packet. | + | |
- | * The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng. | + | |
- | * Easside-ng then sends the decrypted packet out the at0 (TAP) interface. | + | |
- | + | ||
- | + | ||
- | ==== Fragmentation Technique ==== | + | |
- | + | ||
- | This section provides a brief explanation of the fragmentation technique used in easside-ng. | + | |
- | + | ||
- | This technique, when successful, can obtain 1504 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to encrypt packets you want to transmit. | + | |
- | + | ||
- | Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | + | |
- | + | ||
- | The original paper, [[http:// | + | |
- | + | ||
- | + | ||
- | ==== Linear Keystream Expansion Technique ==== | + | |
- | + | ||
- | This section provides a brief explanation of the linear keystream expansion technique used in easside-ng. | + | |
- | + | ||
- | So you may also be asking "What is the linear keystream expansion technique?" | + | |
- | + | ||
- | The program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. | + | |
- | + | ||
- | The linear keystream expansion technique (Arbaugh inductive) is reverse | + | |
- | [[chopchop]]. | + | |
- | + | ||
- | + | ||
- | ==== Easside-ng compared to Wesside-ng ==== | + | |
- | + | ||
- | The companion aircrack-ng suite program to easside-ng is [[wesside-ng]]. | + | |
- | + | ||
- | ^Feature^easside-ng^wesside-ng^ | + | |
- | |Fake Authentication to AP|Included|Included| | + | |
- | |Fragmentation attack to obtain PRGA|Included|Included| | + | |
- | |Linear Keystream Expansion Technique|Included|Included| | + | |
- | |Communication with wifi network without WEP key|Yes|No| | + | |
- | |Network ARP request flooding|No|Yes| | + | |
- | |aircrack-ng PTW attack|No|Yes| | + | |
- | + | ||
- | + | ||
- | ==== Why easside-ng when aircrack-ng has PTW? ==== | + | |
- | + | ||
- | Why release easside-ng when aircrack-ng has PTW? | + | |
- | + | ||
- | * easside-ng was private and came a year before PTW. | + | |
- | * easside-ng is handy for a quick and stealthy attack. | + | |
- | + | ||
- | + | ||
- | ==== Limitations ==== | + | |
There are a few known limitations: | There are a few known limitations: | ||
- | * Only open authentication is support. Shared key authentication is not supported. | + | * Only open authentication is supported. Shared key authentication is not supported. |
* Only B and G networks are supported. | * Only B and G networks are supported. | ||
+ | * Fake MAC functionality is broken if there is a lot of traffic on the network. | ||
- | ===== Usage ===== | + | Please remember that this is still basically a proof-of-concept tool so you can expect to find bugs. Plus you will find features that don't quite work as expected. Consider using [[easside-ng]] as an alternative or a companion program. |
- | Usage: easside-ng <arg> [v0] | + | ===== Usage ===== |
- | Where: | + | Usage: wesside-ng < |
+ | *-h Displays the list of options. | ||
+ | *-i Wireless interface name. (Mandatory) | ||
+ | *-n | ||
+ | *-m MY IP "who has destination IP (netip) tell source IP (myip)" | ||
+ | *-a | ||
+ | *-c Do not start aircrack-ng. | ||
+ | *-f Allows the highest channel for scanning to be defined. | ||
+ | *-k Ignores ACKs since some cards/ | ||
+ | *-p Determines the minimum number of bytes of PRGA which are gathered. | ||
+ | *-t For each number of IVs specified, restart the airecrack-ng PTW engine. (Optional) | ||
+ | *-v Wireless access point MAC address | ||
- | * -h Displays the list of options. | ||
- | * -v MAC address of the Acess Point (Optional) | ||
- | * -m | ||
- | * -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus " | ||
- | * -r IP address of the AP router. | ||
- | * -s IP address of the " | ||
- | * -f Wireless interface name. (Mandatory) | ||
- | * -c Locks the card to the specified channel (Optional) | ||
- | * [v0] Current version number. | ||
+ | When you run wesside-ng, it creates three files automatically in the current directory: | ||
- | Usage: buddy-ng | + | * wep.cap - The packet capture file. |
- | + | ||
- | NOTE: There are no parameters for buddy-ng. Once invoked, it listens on TCP port 6969 and UDP port 6969. TCP is used for the permanent connection between esside-ng and buddy-ng. | + | |
- | + | ||
- | + | ||
- | + | ||
- | When you run easside-ng, it creates a file automatically in the current directory when run the program: | + | |
* prga.log - Contains the PRGA obtained through the fragmentation attack. | * prga.log - Contains the PRGA obtained through the fragmentation attack. | ||
+ | * key.log - Contains the WEP key when it is found. | ||
- | + | It is very important to delete | |
- | It is very important to delete | + | |
===== Scenarios ===== | ===== Scenarios ===== | ||
- | ==== Specific AP Usage Example ==== | + | ==== Standard |
Be sure to use [[airmon-ng]] to put your card into monitor mode. | Be sure to use [[airmon-ng]] to put your card into monitor mode. | ||
- | First, | + | Then you enter: |
- | You start the buddy sever: | + | |
- | | + | Where: |
- | It responds: | + | * -i wlan0 is the wireless interface. |
- | | + | The program responds: |
- | | + | |
- | When easside-ng connects, it responds similar to: | + | |
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | |||
+ | [328385: | ||
+ | |||
+ | | ||
+ | 0 0/ 1 01( 206) 3B( 198) 5F( 190) 77( 188) 3D( 187) D2( 187) 60( 186) 6F( 186) A1( 185) 48( 184) | ||
+ | 1 0/ 1 23( 232) 82( 190) BF( 187) 4E( 184) 0D( 183) 90( 181) B9( 181) 08( 180) 1A( 180) 8A( 180) | ||
+ | 2 0/ 1 45( 200) F0( 186) 52( 184) AE( 184) 75( 183) 48( 181) A1( 180) 71( 179) DE( 179) 21( 178) | ||
+ | 3 0/ 1 67( 221) AE( 202) B2( 193) 14( 191) 51( 184) 6D( 184) 64( 183) 65( 183) 5B( 182) 17( 181) | ||
+ | 4 0/ 5 89( 182) DB( 182) 74( 181) C2( 181) CC( 181) 64( 180) CD( 180) 5F( 179) A6( 179) 1A( 178) | ||
+ | |||
+ | Key: 01: | ||
+ | |||
+ | |||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | Owned in 3.60 minutes | ||
+ | |||
+ | | ||
- | Got connection from 10.113.65.187 | ||
- | | ||
- | Inet check by 10.113.65.187 1 | ||
- | The IP 10.113.65.187 above is the IP of the system running easside-ng. | + | ===== Usage Tips ===== |
+ | ==== Using the -k option ==== | ||
- | Now run easside-ng: | + | Some cards/ |
- | | + | Some specific cases: |
- | Where: | + | * If you get MAX retransmits error, try -k 1. |
+ | * If you have a poor connection, try -k 3. | ||
- | * -f ath0 This is the wireless interface name. | + | In general, you can experiment with different values to determine if it resolves |
- | * -v 00: | + | |
- | * -c 9 This is the channel the AP is on. | + | |
- | * -s 10.116.23.144 | + | |
- | The system responds: | ||
- | | + | ===== Usage Troubleshooting ===== |
- | | + | |
- | MAC is 00: | + | |
- | | + | |
- | | + | |
- | SSID teddy Chan 9 Mac 00: | + | ==== General ==== |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | ARP IP so far: 192 | + | |
- | | + | |
- | ARP IP so far: 192.168 | + | |
- | | + | |
- | ARP IP so far: 192.168.1 | + | |
- | My IP 192.168.1.123 | + | |
- | Rtr IP 192.168.1.1 | + | |
- | | + | |
- | Rtr MAC 00: | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | Rtt 77ms | + | |
- | At this point, you need to bring up the TAP interface: | + | Make sure your card is in monitor mode. |
- | | + | Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]]. |
- | Now you can send and receive packets to and from the AP network which in this case is 192.168.1.0/ | + | Make sure your card supports |
+ | Make sure to delete wep.cap, prga.log and key.log files if you are changing access points or if you want to restart cleanly. | ||
- | ==== Specific AP Usage Example ==== | + | There are a few known limitations: |
+ | * Only open authentication is supported. | ||
+ | * Only B and G networks are supported. | ||
+ | * Fake MAC functionality is broken if there is a lot of traffic on the network. | ||
- | The "Specific AP Usage Example" | + | ==== "ERROR Max retransmits" |
+ | You get an error similar to the following while running the program: | ||
- | ===== Usage Tips ===== | + | [18:23:49] ERROR Max retransmits for (30 bytes): |
+ | B0 00 FF 7F 00 1A 70 51 B0 70 00 0E 2E C5 81 D3 00 1A 70 51 B0 70 00 00 00 00 01 00 00 00 | ||
- | ==== Combining easside-ng and wesside-ng ==== | + | This can be caused if the AP does not acknowledge the the packets you are sending. |
- | As you may know, wesside-ng is a proof-of-concept | + | Another reason is that the internal state machine of wesside-ng is confused. |
- | First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple! | ||
+ | ==== RT73 chipset and "ERROR Max retransmits" | ||
- | ==== Demonstrating Insecurity! ==== | + | If you are using the RT73 chipset, try adding the "-k 1" option. |
- | IMPORTANT: You must have written permission from the owner of the AP prior to using the instructions in this section. | ||
- | A clever way to demonstrate the insecurity of WEP networks and access points: | + | ==== Known Bugs ==== |
- | * Use easside-ng to create an access mechanism to the WIFI network. | + | There are a variety |
- | * Log into the AP with your favourite browser and obtain the WEP key. 99% of the time, the APs have default ids and passwords. | + | |
- | * Now you can configure your wireless card with the WEP key and access the network normally. | + | |
- | + | ||
- | + | ||
- | ===== Usage Troubleshooting ===== | + | |
- | + | ||
- | Make sure your card is in monitor mode. | + | |
- | + | ||
- | Make sure your card can inject by testing it with the [[http:// | + | |
- | + | ||
- | Make sure your card supports the fragmentation attack. | + | |
- | + | ||
- | Make sure to delete prga.log if you are changing access points or if you want to restart cleanly. | + | |
- | + | ||
- | There are a few known limitations: | + | |
- | * Only open authentication is support. | + | |
- | * Only B and G networks are supported. | + | |
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// |
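Review bot: on the new (+) side the "There are a few known limitations" list is present twice, once under Description (Only open authentication is supported / Only B and G networks are supported / Fake MAC functionality is broken if there is a lot of traffic on the network) and again word for word under Usage Troubleshooting, General; keep a single copy, preferably in Troubleshooting, and have the Description point at it so the two cannot drift apart, and name the "Fake MAC" limitation the same way as step 2 of the procedure ("attempts to find a MAC address currently associated with the AP to spoof") so the reader can connect the two. Smaller points in the same hunk: the step list says wesside-ng discovers "at least 128 bytes of PRGA" while the -p option is described only as "Determines the minimum number of bytes of PRGA which are gathered" with no number, so state the default beside -p; the -t option text spells the tool "airecrack-ng" (should be "aircrack-ng"); the "ERROR Max retransmits" section has "acknowledge the the packets"; -v is listed as "Wireless access point MAC address" without the (Mandatory)/(Optional) marker the other options carry; and the advice "try -k 1" for MAX retransmits appears both under Usage Tips (Using the -k option) and under the RT73 troubleshooting entry, so one of the two could simply refer to the other.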
wesside-ng.txt · Last modified: 2018/03/11 18:57 by mister_x