interactive_packet_replay
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
interactive_packet_replay [2007/11/27 20:57] – darkaudax | interactive_packet_replay [2010/11/21 09:05] (current) – typos sleek | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Interactive packet replay ====== | ====== Interactive packet replay ====== | ||
- | |||
- | |||
===== Description ===== | ===== Description ===== | ||
This attack allows you to choose a specific packet for replaying (injecting). | This attack allows you to choose a specific packet for replaying (injecting). | ||
- | In order to use the interactive packet replay successfully, | + | In order to use the interactive packet replay successfully, |
To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one. We will now explore these two concepts in more detail. | To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one. We will now explore these two concepts in more detail. | ||
Line 14: | Line 12: | ||
So the aireplay-ng filter options we require to select these packets are: | So the aireplay-ng filter options we require to select these packets are: | ||
- | * -b 00: | + | * -b 00: |
* -d FF: | * -d FF: | ||
* -t 1 selects packets with the "To Distribution System" | * -t 1 selects packets with the "To Distribution System" | ||
Line 22: | Line 20: | ||
Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. | Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. | ||
- | * -b 00: | + | * -b 00: |
* -t 1 selects packets with the "To Distribution System" | * -t 1 selects packets with the "To Distribution System" | ||
We don't care what the destination MAC address is. This because in this case we will modify the packet being injected. | We don't care what the destination MAC address is. This because in this case we will modify the packet being injected. | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point. IE Set the "To DS" field to 1. |
* -c FF: | * -c FF: | ||
Line 49: | Line 47: | ||
==== Natural Packet Replay ==== | ==== Natural Packet Replay ==== | ||
- | For this example, you do not need do a fake authenticaion | + | For this example, you do not need do a fake authentication |
Putting it all together: | Putting it all together: | ||
Line 58: | Line 56: | ||
* -2 means interactive replay | * -2 means interactive replay | ||
- | * -b 00: | + | * -b 00: |
* -d FF: | * -d FF: | ||
* -t 1 selects packets with the "To Distribution System" | * -t 1 selects packets with the "To Distribution System" | ||
Line 100: | Line 98: | ||
* -2 means interactive replay | * -2 means interactive replay | ||
- | * -b 00: | + | * -b 00: |
* -t 1 selects packets with the "To Distribution System" | * -t 1 selects packets with the "To Distribution System" | ||
* -c FF: | * -c FF: | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set the "To DS" field to 1. |
* ath0 is the wireless interface | * ath0 is the wireless interface | ||
Line 144: | Line 142: | ||
* -2 means the interactive replay attack | * -2 means the interactive replay attack | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set the "To DS" field to 1. |
* -c FF: | * -c FF: | ||
* -b 00: | * -b 00: | ||
Line 188: | Line 186: | ||
* -2 means the interactive replay attack | * -2 means the interactive replay attack | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set the "To DS" field to 1. |
* -m 68 is the minimum packet length | * -m 68 is the minimum packet length | ||
* -n 86 is the maximum packet length | * -n 86 is the maximum packet length | ||
Line 231: | Line 229: | ||
* -2 means the interactive replay attack | * -2 means the interactive replay attack | ||
- | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | + | * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set the "To DS" field to 1. |
* -c FF: | * -c FF: | ||
* -b 00: | * -b 00: | ||
Line 291: | Line 289: | ||
Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. | Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. | ||
- | One situation that may affect interactive replay: Exception of wireless client separation option - http:// | + | One situation that may affect interactive replay: Exception of wireless client separation option - http:// |
Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng# | ||
interactive_packet_replay.txt · Last modified: 2010/11/21 09:05 by sleek