User Tools

Site Tools


wesside-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
wesside-ng [2008/02/08 16:06] – fixed typos darkaudaxwesside-ng [2009/09/08 01:20] – removed availability warning (1.0 is released) mister_x
Line 1: Line 1:
 ====== Wesside-ng ====== ====== Wesside-ng ======
- 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
- 
-This functionality will be available in a future release. It is NOT available currently. 
- 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
- 
- 
  
 ===== Description ===== ===== Description =====
Line 17: Line 5:
 Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes.  It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key.  All this is done without your intervention. Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes.  It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key.  All this is done without your intervention.
  
-The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers.  The two papers are "The Fragmentation Attack in Practice"  by Andrea Bittau and "The Final Nail in WEP's Coffin" by Andrea Bittau, Mark Handley and Josua Lockey.  See the the [[http://aircrack-ng.org/doku.php?id=links|links page]] for these papers and more.  The papers referenced provide excellent background information if you would like to understand the underlying methodologies.  The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.+The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers.  The two papers are "The Fragmentation Attack in Practice"  by Andrea Bittau and "The Final Nail in WEP's Coffin" by Andrea Bittau, Mark Handley and Josua Lockey.  See the the [[links|links page]] for these papers and more.  The papers referenced provide excellent background information if you would like to understand the underlying methodologies.  The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.
  
 For you trivia buffs, who knows where the program name "wesside" came from?  As it turns out, it comes from tupac the rapper (2Pac / Tupac Shakur). For you trivia buffs, who knows where the program name "wesside" came from?  As it turns out, it comes from tupac the rapper (2Pac / Tupac Shakur).
Line 29: Line 17:
   - After it sniffs an ARP request, it decrypts the IP  address by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique.  By decrypting the ARP request, the network number scheme can be determined plus the source IP of ARP request.  This is used to build the ARP request which is used for subsequent injection.   - After it sniffs an ARP request, it decrypts the IP  address by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique.  By decrypting the ARP request, the network number scheme can be determined plus the source IP of ARP request.  This is used to build the ARP request which is used for subsequent injection.
   - It floods the network with ARP requests for the decrypted IP address.   - It floods the network with ARP requests for the decrypted IP address.
-  - Launches the [[http://aircrack-ng.org/doku.php?id=aircrack-ng|aircrack-ng PTW attack]] to determine the WEP key.  +  - Launches the [[aircrack-ng|aircrack-ng PTW attack]] to determine the WEP key.  
  
 So you may be asking "What is the linear keystream expansion technique?" The foundation is the fact that packets like an encrypted ARP request can easily be identified combined with the fact that the start of it has known plain text.  So the program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments.  The first fragment is one more byte then the know PRGA and the PRGA is guessed for the extra byte.  These guesses are sent and the program listens to see which one is replayed by the AP.  The replayed packet has the correct PRGA and this value was included in the destination multicast address.  Now that we know the correct PRGA, one more byte can be decrypted in the original ARP request.  This process is repeated until the sending IP in the original ARP request is decrypted.  It takes a maximum of 256 guesses to determine the correct PRGA for a particular byte and on average only 128 guesses. So you may be asking "What is the linear keystream expansion technique?" The foundation is the fact that packets like an encrypted ARP request can easily be identified combined with the fact that the start of it has known plain text.  So the program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments.  The first fragment is one more byte then the know PRGA and the PRGA is guessed for the extra byte.  These guesses are sent and the program listens to see which one is replayed by the AP.  The replayed packet has the correct PRGA and this value was included in the destination multicast address.  Now that we know the correct PRGA, one more byte can be decrypted in the original ARP request.  This process is repeated until the sending IP in the original ARP request is decrypted.  It takes a maximum of 256 guesses to determine the correct PRGA for a particular byte and on average only 128 guesses.
Line 158: Line 146:
 Make sure your card is in monitor mode. Make sure your card is in monitor mode.
  
-Make sure your card can inject by testing it with the [[http://aircrack-ng.org/doku.php?id=injection_test|aireplay-ng injection test]].  Also specifically ensure you can communicate with the AP in question.+Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]].  Also specifically ensure you can communicate with the AP in question.
  
 Make sure your card supports the fragmentation attack.  Again, this can be confirmed with the aireplay-ng injection test. Make sure your card supports the fragmentation attack.  Again, this can be confirmed with the aireplay-ng injection test.
wesside-ng.txt · Last modified: 2018/03/11 18:57 by mister_x