airtun-ng

This is an old revision of the document!


Description

Airtun-ng creates a virtual tunnel interface. It has two basic functions. The first allows all encrypted traffic for a network to be monitored for wireless Intrusion Detection System (wIDS) purposes. The second is to inject arbitrary traffic into a network.

In order to perform wIDS data gathering, you must have the encryption key and the BSSID of the network you wish to monitor. Airtun-ng decrypts all the traffic for that network and passes it to a traditional IDS such as Snort.

Traffic injection is bidirectional if you have the full encryption key. It is outgoing only (unidirectional) if you have just the PRGA obtained via the korek_chopchop or fragmentation attacks. The prime advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may subsequently use any tool to create, inject or sniff packets.

Airtun-ng only runs on Linux platforms.

Usage

usage: airtun-ng <options> <replay interface>

  • -x nbpps : maximum number of packets per second (optional)
  • -a bssid : set Access Point MAC address (mandatory)
  • -i iface : capture packets from this interface (optional)
  • -y file : read PRGA from this file (optional / one of -y or -w must be defined)
  • -w wepkey : use this WEP-KEY to encrypt packets (optional / one of -y or -w must be defined)
  • -t tods : send frames to AP (1) or to client (0) (optional / defaults to 0)

Usage Examples

wIDS Scenario

The first scenario is wIDS. Start your wireless card in monitor mode then enter:

 airtun-ng -a 00:14:6C:7E:40:80 -w 1234567890 ath0

Where:

  • -a 00:14:6C:7E:40:80 is the MAC address of the access point to be monitored
  • -w 1234567890 is the encryption key
  • ath0 is the interface currently running in monitor mode

The system responds:

 created tap interface at0
 WEP encryption specified. Sending and receiving frames through ath0.
 FromDS bit set in all frames.

You notice above that it created the “at0” interface. Switch to another console session; you must now bring this interface up in order to use it:

 ifconfig at0 up

This interface (at0) will receive a copy of every wireless network packet for the given BSSID, decrypted with the key you have provided. At this point you may use any tool to sniff and analyze the traffic, for example tcpdump or Snort.

WEP Injection Scenario

The next scenario is where you want to inject packets into the network. Do exactly the same steps as in the first scenario except define a valid IP address for the network when you bring the at0 interface up:

 ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering “ifconfig at0” and checking the output.

 at0       Link encap:Ethernet  HWaddr 36:CF:17:56:75:27  
        inet addr:192.168.1.83  Bcast:192.168.1.255  Mask:255.255.255.0
        inet6 addr: fe80::34cf:17ff:fe56:7527/64 Scope:Link
        UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
        RX packets:192 errors:0 dropped:0 overruns:0 frame:0
        TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:500 
        RX bytes:25113 (24.5 KiB)  TX bytes:516 (516.0 b)

At this point you can use any tool you want and send traffic via the at0 interface to wireless clients. Please note that by default the FromDS flag is set, meaning packets are flagged as coming from the AP and going to the wireless clients. If you wish to communicate via the AP with the AP itself or with wired clients, specify the option “-t 1” when you start airtun-ng.

IMPORTANT NOTE: The normal rules for injection apply here as well: for example, being associated with the AP, and having the wireless card's MAC address match the injected source address. Frames sent through at0 carry at0's own MAC address as their source (36:CF:17:56:75:27 in the output above, assigned when the interface was created), so you also have to set the at0 MAC address accordingly.
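The wIDS and injection scenarios above are the same sequence of steps: start airtun-ng against a BSSID, wait for the tap it creates, set the tap's MAC and address if you are injecting, bring it up, then hand the tap to whatever tool you like. The following script automates that sequence. It is an added example, not code from this page or from the aircrack-ng project. It assumes (none of this is stated on the page) that `airtun-ng` and iproute2's `ip` are on PATH, that it runs as root on Linux with the card already in monitor mode, and that airtun-ng names its taps at0, at1, ... as the page's output shows; the BSSID, key and interface names are the page's own examples. Rather than assuming the tap is called at0, it diffs the interface list before and after launch, which also picks up at1 when a second instance is already running.

```python
"""Start airtun-ng, find the tap interface it creates, and configure it.

Added example for the wIDS and WEP injection scenarios; not part of the
airtun-ng page or the aircrack-ng project. Assumptions: airtun-ng and `ip`
on PATH, running as root on Linux, card already in monitor mode, taps named
at<N>. BSSID/key/interface names are the page's examples.
"""
import os
import re
import subprocess
import time
from typing import List, Optional, Set, Tuple

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def build_cmd(bssid: str, iface: str, wep_key: Optional[str] = None,
              prga_file: Optional[str] = None, to_ds: bool = False,
              capture_iface: Optional[str] = None,
              max_pps: Optional[int] = None) -> List[str]:
    """Compose the airtun-ng command line from the options listed under Usage.

    Enforces the usage rule that exactly one of -w (WEP key) and -y (PRGA
    file) is given, and that the BSSID is a well-formed MAC address.
    """
    if not MAC_RE.match(bssid):
        raise ValueError(f"BSSID is not a MAC address: {bssid!r}")
    if (wep_key is None) == (prga_file is None):
        raise ValueError("exactly one of wep_key (-w) or prga_file (-y) is required")
    cmd = ["airtun-ng", "-a", bssid]
    cmd += ["-w", wep_key] if wep_key is not None else ["-y", prga_file]
    if to_ds:
        cmd += ["-t", "1"]            # frames towards the AP instead of clients
    if capture_iface:
        cmd += ["-i", capture_iface]  # read from a second, more sensitive card
    if max_pps is not None:
        cmd += ["-x", str(max_pps)]
    cmd.append(iface)
    return cmd


def list_interfaces() -> Set[str]:
    """Current network interfaces from sysfs (Linux only)."""
    return set(os.listdir("/sys/class/net"))


def new_tap(before: Set[str], after: Set[str]) -> Optional[str]:
    """The at<N> interface present now but not before; None if none appeared.

    Diffing snapshots instead of assuming "at0" matters when another
    airtun-ng is already running: the second instance gets at1.
    """
    added = sorted(n for n in after - before if re.fullmatch(r"at\d+", n))
    return added[0] if added else None


def start_airtun(cmd: List[str], timeout: float = 5.0) -> Tuple[subprocess.Popen, str]:
    """Launch airtun-ng and wait for its tap; fail if it exits before then."""
    before = list_interfaces()
    proc = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if proc.poll() is not None:
            raise RuntimeError(f"airtun-ng exited early with status {proc.returncode}")
        tap = new_tap(before, list_interfaces())
        if tap:
            return proc, tap
        time.sleep(0.1)
    proc.terminate()
    raise RuntimeError("airtun-ng did not create a tap interface in time")


def tap_config_cmds(tap: str, ip_cidr: Optional[str] = None,
                    mac: Optional[str] = None) -> List[List[str]]:
    """`ip` commands to configure the tap, in the order they must run.

    The MAC is set first, while the interface is still down: frames sent
    through the tap carry its MAC as their source, so for injection it
    should match the wireless card's MAC (see the IMPORTANT NOTE above).
    """
    cmds = []
    if mac:
        if not MAC_RE.match(mac):
            raise ValueError(f"not a MAC address: {mac!r}")
        cmds.append(["ip", "link", "set", "dev", tap, "address", mac])
    if ip_cidr:                       # injection scenario: give the tap an address
        cmds.append(["ip", "addr", "add", ip_cidr, "dev", tap])
    cmds.append(["ip", "link", "set", "dev", tap, "up"])
    return cmds


def configure_tap(tap: str, ip_cidr: Optional[str] = None, mac: Optional[str] = None) -> None:
    for c in tap_config_cmds(tap, ip_cidr, mac):
        subprocess.run(c, check=True)


if __name__ == "__main__":
    # wIDS: decrypt everything for the BSSID and sniff the tap with tcpdump.
    proc, tap = start_airtun(build_cmd("00:14:6C:7E:40:80", "ath0", wep_key="1234567890"))
    configure_tap(tap)
    # Injection instead: configure_tap(tap, "192.168.1.83/24", mac="<wireless card MAC>")
    try:
        subprocess.run(["tcpdump", "-ni", tap], check=False)
    finally:
        proc.terminate()
```

Pass `prga_file=` instead of `wep_key=` for the PRGA scenario and `to_ds=True` for “-t 1”; `build_cmd` refuses to run with both or neither of -w and -y, which mirrors the usage rule above.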

An interesting use of this scenario is that it allows you to use a WEP-encrypted network with a driver that supports injection but not WEP encryption: not all drivers support 256-bit or 512-bit WEP keys, WPA (once it is implemented), and so on.

PRGA Injection Scenario

The next scenario is where you want to inject packets into the network but do not have the full WEP key; you only have the PRGA obtained via a korek_chopchop or fragmentation attack. In this case you may only inject packets outbound. There is no way to decrypt inbound packets, since you do not have the full WEP key: the PRGA is the keystream for a single IV, which lets you encrypt your own frames under that IV but cannot decrypt frames that other stations send with other IVs.

Start your wireless card in monitor mode then enter:

 airtun-ng  -a 00:14:6C:7E:40:80  -y fragment-0124-153850.xor ath0

Notice that the PRGA file was specified via the “-y” option.

The system responds (notice that it correctly states “no reception”):

 created tap interface at0
 WEP encryption by PRGA specified. No reception, only sending frames through ath0.
 FromDS bit set in all frames.

From here you can define a valid IP address for the network when you bring the at0 interface up:

 ifconfig at0 192.168.1.83 netmask 255.255.255.0 up

You can confirm this by entering “ifconfig at0”. Again, at this point you can use any tool you want and send traffic via the at0 interface to wireless clients.
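The reason “-y” gives “no reception” is in the arithmetic of WEP itself, and it is easier to see in code than in prose. The block below is an added example, not code from this page or from aircrack-ng: it models WEP only as far as the point needs (RC4 keystream from IV || key, a CRC-32 ICV, XOR), recovers a keystream from a constructed known-plaintext frame as a stand-in for what chopchop or fragmentation actually do, forges a new frame with it the way airtun-ng does with a PRGA file, and then shows that the same keystream is useless against a frame sent under another IV. 802.11 headers, the real .xor file layout and the attacks themselves are not modelled; the key is the page's “-w 1234567890” example and all frame contents are constructed.

```python
"""Why a recovered PRGA lets airtun-ng send but not receive on WEP.

Added example for the PRGA injection scenario; not part of the airtun-ng
page or the aircrack-ng code. WEP is modelled only as RC4(IV || key)
keystream, CRC-32 ICV and XOR. No 802.11 headers, no real .xor format, and
the keystream is recovered from a constructed known plaintext instead of by
chopchop/fragmentation. Key and frame contents are constructed.
"""
import struct
import zlib
from typing import Optional, Tuple

WEP_KEY = bytes.fromhex("1234567890")   # constructed 40-bit key (page's -w example)


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then the pseudo-random generation algorithm."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body IV || (payload || ICV) XOR RC4(IV || key): what -w can do."""
    plain = payload + icv(payload)
    return iv + xor(plain, rc4_keystream(iv + key, len(plain)))


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt with the full key; None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    payload = plain[:-4]
    return payload if plain[-4:] == icv(payload) else None


def recover_prga(frame: bytes, known_payload: bytes) -> Tuple[bytes, bytes]:
    """The substance of a .xor file: the (IV, keystream) pair for ONE IV.

    Given a frame whose plaintext is known, keystream = ciphertext XOR plaintext.
    chopchop/fragmentation obtain the same thing without a known plaintext.
    """
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known_payload + icv(known_payload))


def forge_with_prga(iv: bytes, prga: bytes, payload: bytes) -> bytes:
    """Encrypt a new payload under the recovered IV/keystream: what -y does."""
    plain = payload + icv(payload)
    if len(plain) > len(prga):          # keystream only covers so many bytes
        raise ValueError("payload longer than the recovered keystream")
    return iv + xor(plain, prga[: len(plain)])


def decrypt_with_prga(iv: bytes, prga: bytes, frame: bytes) -> Optional[bytes]:
    """Read a frame with only the PRGA: possible only for that same IV."""
    if frame[:3] != iv or len(frame) - 3 > len(prga):
        return None
    plain = xor(frame[3:], prga)
    payload = plain[:-4]
    return payload if plain[-4:] == icv(payload) else None


def demo() -> dict:
    # 1. A frame on the air whose plaintext we know (constructed stand-in).
    known = b"constructed known plaintext"
    iv, prga = recover_prga(wep_encrypt(WEP_KEY, b"\x01\x02\x03", known), known)
    # 2. Outbound: forge with the PRGA; the AP, holding the key, accepts it.
    forged = forge_with_prga(iv, prga, b"injected via at0")
    # 3. Inbound: the reply uses a different IV; the PRGA cannot decrypt it.
    reply = wep_encrypt(WEP_KEY, b"\x09\x08\x07", b"reply from the AP")
    return {
        "prga_len": len(prga),
        "forged_accepted_by_ap": wep_decrypt(WEP_KEY, forged) == b"injected via at0",
        "reply_with_prga": decrypt_with_prga(iv, prga, reply),
        "reply_with_key": wep_decrypt(WEP_KEY, reply),
        "same_iv_with_prga": decrypt_with_prga(iv, prga, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

`forged_accepted_by_ap` is True and `reply_with_prga` is None: that asymmetry is exactly “No reception, only sending frames”. The length check in `forge_with_prga` is the other practical limit of a PRGA file: you can only inject frames no longer than the keystream you recovered.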

Connecting to Two Access Points Scenario

The next scenario is connecting to two wireless networks at the same time. This is done by simply starting airtun-ng twice, specifying the appropriate BSSID MAC for each. If the two APs are on the same channel, everything should be fine. If they do not share one channel, you can listen with airodump-ng on both channels (not simultaneously, but hopping between only those two channels). Assuming the two APs you want to connect to are on channels 1 and 11, enter “airodump-ng -c 1,11 ath0”.

You will get two tunnel interfaces (at0 and at1), each pointing at a different AP. If they do not use the same private subnet range, you can use them at the same time, i.e. you are connected to more than one AP. In theory you could do this for even more than two APs, but the quality of the link would be even worse when hopping across three channels.

Copy Packets from the Optional Interface Scenario

The next scenario is copying packets from the optional interface. The -i <wireless interface> option is just like the aireplay-ng -i parameter: it specifies a source to read packets from other than the given injection interface (ath0 in the examples above). A typical use is to listen with a very sensitive card on one interface and to inject with a high-power adapter, which has lower sensitivity.

Usage Tips

This tool is extremely powerful and utilizes advanced concepts. Please make sure you have built your knowledge and experience with the other tools in the aircrack-ng suite prior to using it.

Usage Troubleshooting

Windows platforms: “I can't find the airtun-ng tool!” Answer: airtun-ng only runs on Linux.

airtun-ng.1170103714.txt.gz · Last modified: 2007/01/29 21:48 (external edit)