easside-ng

Differences

This shows you the differences between two versions of the page.

easside-ng [2007/09/02 20:18] – added new section regarding test setup darkaudax
easside-ng [2009/05/03 20:51] – Fixed broken URL darkaudax
Line 40: Line 40:
   - Once the program has successfully authenticated then it associates with the AP.   - Once the program has successfully authenticated then it associates with the AP.
   - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets.  This is what is known as the fragmentation attack.  The PRGA is written to the prga.log file.   - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets.  This is what is known as the fragmentation attack.  The PRGA is written to the prga.log file.
-  - It then decrypts the IP network by guessing the next three bytes of PRGA using multicast frames and the linear keystream expansion technique.  By decrypting the ARP request, the network number scheme can be determined.  This is used to build the ARP request which is used for subsequent injection.  Easside-ng can also use an IP packet to determine the IP network as well, it just takes a bit longer.+  - It then decrypts the IP network by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique.  By decrypting the ARP request, the network number scheme can be determined.  This is used to build the ARP request which is used for subsequent injection.  Easside-ng can also use an IP packet to determine the IP network as well, it just takes a bit longer.
   - It creates a permanent TCP connection with the "buddy" server and verifies connectivity.   - It creates a permanent TCP connection with the "buddy" server and verifies connectivity.
   - ARPs to get the MAC addresses for the router and source IP.  The defaults are .1 for the router and .123 for the client IP.   - ARPs to get the MAC addresses for the router and source IP.  The defaults are .1 for the router and .123 for the client IP.
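Review bot: step 3 changes the number of guessed PRGA bytes from three to four without saying what those bytes cover, so a reader comparing the two revisions has no way to tell which count is correct. Since the same sentence says the guess is what lets the ARP request be decrypted to learn the IP network, suggest tying the figure to the field being recovered (for example "guessing the next four bytes of PRGA, enough to cover the address field of the ARP request") so the number can be checked against the Linear Keystream Expansion Technique section further down.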
Line 97: Line 97:
 Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP).  If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet.  This cycle is repeated several times until 1504 bytes of PRGA are obtained. Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP).  If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet.  This cycle is repeated several times until 1504 bytes of PRGA are obtained.
  
-The original paper, [[http://darkircop.org/bittau-wep.pdf|The Fragmentation Attack in Practice]], by Andrea Bittau provides a much more detailed technical description of the technique.  A local copy is located [[http://wiki-files.aircrack-ng.org/doc/Fragmentation-Attack-in-Practice.pdf|here]].  Here are [[http://darkircop.org/frag.pdf|presentation slides]] of a related paper.  A local copy of the slides is located [[http://wiki-files.aircrack-ng.org/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]].  Also see the paper "The Final Nail in WEP's Coffin" on this page.+The original paper, [[http://darkircop.org/bittau-wep.pdf|The Fragmentation Attack in Practice]], by Andrea Bittau provides a much more detailed technical description of the technique.  A local copy is located [[http://wiki-files.aircrack-ng.org/doc/Fragmentation-Attack-in-Practice.pdf|here]].  A local copy of the presentation slides is located [[http://wiki-files.aircrack-ng.org/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]].  Also see the paper "The Final Nail in WEP's Coffin" on this page.
  
 ==== Linear Keystream Expansion Technique ==== ==== Linear Keystream Expansion Technique ====
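Review bot: removing the dead darkircop.org/frag.pdf link leaves "A local copy of the presentation slides is located here" dangling, because the sentence that introduced those slides as belonging to "a related paper" is gone with it. Suggest naming them in the surviving sentence, e.g. "Presentation slides for the related paper "The Final Nail in WEP's Coffin" are available [[http://wiki-files.aircrack-ng.org/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]]", which matches both the file name and the paper cited in the following sentence.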
Line 133: Line 133:
   * easside-ng was private and came a year before PTW.   * easside-ng was private and came a year before PTW.
   * easside-ng is handy for a quick and stealthy attack.  It is significantly faster than PTW.  It's "instant" and requires no flooding.   * easside-ng is handy for a quick and stealthy attack.  It is significantly faster than PTW.  It's "instant" and requires no flooding.
 +
  
 ===== Usage ===== ===== Usage =====
  
  
-Usage: easside-ng <arg[v0]+Usage: easside-ng <args>
  
 Where: Where:
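Review bot: the new synopsis "Usage: easside-ng <args>" repairs the truncated "<arg[v0]" but conveys nothing beyond what the "Where:" list already says. Since the option list marks -f as the only mandatory argument, a synopsis such as "Usage: easside-ng -f <interface> [options]" would show required versus optional arguments at a glance; it is also worth checking the text against the usage message the binary itself prints so the two do not drift apart.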
Line 149: Line 150:
   * -f                Wireless interface name. (Mandatory)   * -f                Wireless interface name. (Mandatory)
   * -c               Locks the card to the specified channel (Optional)   * -c               Locks the card to the specified channel (Optional)
-  * [v0]            Current version number.  Informational only. 
  
  
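Review bot: dropping the "[v0]" entry is consistent with the synopsis no longer mentioning it, but the remaining entries still do not show the value each option takes, even though both descriptions say a value is supplied ("Wireless interface name", "the specified channel"). Suggest writing them as "-f <interface>" and "-c <channel>" so the list documents the expected argument as well as its meaning.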
Line 326: Line 326:
  
 The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet.  Then have a second system with easside-ng running with a routeable IP address. The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet.  Then have a second system with easside-ng running with a routeable IP address.
 +
 +
 +===== Tap interface under Windows =====
 +
 +To obtain a tap interface in a MS Windows environment, install OpenVPN.
  
  
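Review bot: the new "Tap interface under Windows" section stops at "install OpenVPN" and leaves the three things a reader actually needs unstated: why easside-ng needs a tap interface on Windows at all, which OpenVPN component provides it (the TAP-Windows virtual adapter bundled with the OpenVPN installer, rather than the OpenVPN client itself), and how the resulting adapter is named or selected when running easside-ng. One sentence on each would make the section usable, and if the tap is part of the buddy-ng setup described in the paragraph above, a cross-reference from there would help.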
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
  
-Make sure your card is in monitor mode.+  * Make sure your card is in monitor mode.
  
-Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]].  Also specifically ensure you can communicate with the AP in question.+  * Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]].  Also specifically ensure you can communicate with the AP in question.
  
-Make sure your card supports the fragmentation attack.  Again, this can be confirmed with the aireplay-ng injection test.+  * Make sure your card supports the fragmentation attack.  Again, this can be confirmed with the aireplay-ng injection test.
  
-Make sure to delete prga.log if you are changing access points or if you want to restart cleanly.  In general, if you have problems, it is a good idea to delete it.+  * Make sure to delete **prga.log** if you are changing access points or if you want to restart cleanly.  In general, if you have problems, it is a good idea to delete it.
  
-There are a few known limitations: +  * There are a few known limitations: 
-  * Only open authentication is support.  Shared key authentication is not supported. +    * Only open authentication is support.  Shared key authentication is not supported. 
-  * Only B and G networks are supported.+    * Only B and G networks are supported.
  
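Review bot: the conversion to a bullet list carries the typo "Only open authentication is support." across unchanged; since that line is being edited anyway, it should read "is supported". Separately, **prga.log** is bolded here but not where the file is first introduced in step 2 of the overview (the "Line 40" hunk), so the emphasis is inconsistent across the page; apply it in both places or neither.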
easside-ng.txt · Last modified: 2013/03/19 18:21 by jano