fake_authentication
Differences
fake_authentication [2006/11/19 16:12] – darkaudax | fake_authentication [2010/11/21 13:18] (current) – typos sleek | ||
Line 1: | Line 1: | ||
====== Fake authentication ====== | ====== Fake authentication ====== | ||
- | This attack is only useful when you need an associated MAC address in attacks 2, 3, 4 (-h option) and there is currently no associated client. However it is genereally better to use the MAC address of a real client (like here, 00: | ||
- | Also, subsequent attacks will likely perform better if you update the MAC address of the card, so that it properly sends ACKs: | + | ===== Description ===== |
- | ifconfig ath0 down | + | The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various [[aireplay-ng]] attacks and there is currently no associated client. |
- | ifconfig ath0 hw ether 00: | + | |
- | ifconfig ath0 up | + | |
+ | ===== Usage ===== | ||
- | | + | aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -y sharedkeyxor |
- | 12: | + | |
- | 12: | + | |
- | 12: | + | |
- | 12: | + | |
- | \\ | + | |
- | ======================================= | + | |
+ | Where: | ||
+ | *-1 means fake authentication | ||
+ | *0 reassociation timing in seconds | ||
+ | *-e teddy is the wireless network name | ||
+ | *-a 00: | ||
+ | *-h 00: | ||
+ | *-y sharedkeyxor is the name of file containing the PRGA xor bits. This is only used for shared key authentication. | ||
+ | *ath0 is the wireless interface name | ||
+ | |||
+ | |||
+ | Or another variation for picky access points: | ||
+ | |||
+ | aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00: | ||
+ | |||
+ | Where: | ||
+ | * 6000 - Reauthenticate very 6000 seconds. | ||
+ | * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | ||
+ | * -q 10 - Send keep alive packets every 10 seconds. | ||
+ | |||
+ | |||
+ | ===== Usage Examples ===== | ||
+ | |||
+ | The lack of association with the access point is the single biggest reason why injection fails. | ||
+ | |||
+ | To associate with an access point, use fake authentication: | ||
+ | |||
+ | aireplay-ng -1 0 -e teddy -a 00: | ||
+ | |||
+ | Where: | ||
+ | *-1 means fake authentication | ||
+ | *0 reassociation timing in seconds | ||
+ | *-e teddy is the wireless network name | ||
+ | *-a 00: | ||
+ | *-h 00: | ||
+ | *ath0 is the wireless interface name | ||
+ | |||
+ | Success looks like: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | |||
+ | Or another variation for picky access points: | ||
+ | |||
+ | aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00: | ||
+ | |||
+ | Where: | ||
+ | * 6000 - Reauthenticate very 6000 seconds. | ||
+ | * -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs. | ||
+ | * -q 10 - Send keep alive packets every 10 seconds. | ||
+ | |||
+ | Success looks like: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | # and so on. | ||
+ | |||
+ | Here is an example of a shared key authentication. | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | * -1 means fake authentication | ||
+ | * 0 means only authenticate once | ||
+ | * -e teddy is the SSID of the network | ||
+ | * -y sharedkey-04-00-14-6C-7E-40-80.xor is the name of file containing the PRGA xor bits | ||
+ | * -a 00: | ||
+ | * -h 00: | ||
+ | * ath0 is the interface name | ||
+ | |||
+ | Here is an example of a successful shared key authentication: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | Code 0 - Authentication SUCCESSFUL :) | ||
+ | | ||
+ | Code 0 - Association SUCCESSFUL :) | ||
+ | |||
+ | If you receive the messages above, you are good to go forward with the standard injection techniques. | ||
+ | |||
+ | ===== Usage Tips ===== | ||
+ | ==== Setting MAC address ==== | ||
+ | |||
+ | It is good practice to set your card's MAC address to the one you specify via the " | ||
+ | |||
+ | Detailed instructions on changing the card MAC address can be found in the FAQ: [[faq# | ||
+ | |||
+ | Troubleshooting Tip: A normal MAC address looks like this: 00: | ||
+ | |||
+ | ==== Injecting in Managed Mode ==== | ||
With patched madwifi-old CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn' | With patched madwifi-old CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn' | ||
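Review bot: "Reauthenticate very 6000 seconds" in the picky-access-points list should read "every 6000 seconds", and that whole variation (the `aireplay-ng -1 6000 -o 1 -q 10 ...` command together with its three-item "Where:" list) is pasted verbatim into both the Usage section and the Usage Examples section; keep a single copy and link to it. The first positional argument is also described inconsistently within this hunk: the open-system lists call `0` "reassociation timing in seconds" while the shared-key list says `0 means only authenticate once`; one wording such as "0 = reassociation delay in seconds (0 authenticates only once)" would cover both.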
Line 35: | Line 121: | ||
aireplay-ng -4 -h 00: | aireplay-ng -4 -h 00: | ||
- | ============================== | + | |
- | \\ | + | ==== Examples of successful authentications |
- | Some access points require to reassociate every 30 seconds, otherwise | + | |
+ | When troubleshooting failed fake authentications, | ||
+ | |||
+ | Here are packet captures of the two types of authentication - open and shared key: | ||
+ | |||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | |||
+ | |||
+ | ===== Usage Troubleshooting | ||
+ | |||
+ | ==== Identifying failed authentications ==== | ||
+ | Here is an example of what a failed authentication looks like: | ||
+ | 8: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | 18: | ||
+ | |||
+ | Notice the "Got a deauthentication packet" | ||
+ | |||
+ | Another way to identify a failed fake authentication is to run tcpdump and look at the packets. | ||
+ | |||
+ | Run: " | ||
+ | |||
+ | Here is a typical tcpdump error message you are looking for: | ||
+ | |||
+ | 11: | ||
+ | |||
+ | Notice that the access point (00: | ||
+ | |||
+ | If you want to select only the DeAuth packets with tcpdump then you can use: " | ||
+ | |||
+ | See the next sections for possible solutions. | ||
+ | |||
+ | ==== Reassociating on periodic basis ==== | ||
+ | |||
+ | Sometimes you periodically get disassociation events. | ||
aireplay-ng -1 30 -e 'the ssid' -a 00: | aireplay-ng -1 30 -e 'the ssid' -a 00: | ||
- | If this attacks seems to fail (aireplay-ng keeps sending authentication requests), MAC address filtering may be in place. Also make sure that: | + | ==== Error Message "AP rejects open-system authentication" |
+ | |||
+ | You receive the following error message when trying | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | See the [[shared_key|How to do shared key fake authentication]] tutorial. | ||
+ | |||
+ | |||
+ | ==== MAC access controls enabled on the AP ==== | ||
+ | |||
+ | If fake authentication is never successful | ||
+ | |||
+ | |||
+ | ==== Waiting for beacon frame ==== | ||
+ | When you enter the command, the system freezes or a line is printed with " | ||
+ | |||
+ | There are many possible root causes of this problem: | ||
+ | |||
+ | * The wireless card is set to a channel which is different then the AP. Solution: Use iwconfig and confirm the card is set to the same channel as the AP. | ||
+ | * The card is scanning channels. | ||
+ | * The ESSID is wrong. | ||
+ | * The BSSID is wrong. | ||
+ | * You are too far away from the AP and are not receiving any beacons. | ||
+ | * You are not receiving beacons for the AP: Solution: | ||
+ | |||
+ | For all of the above, running airodump-ng and the related text file should provide all the information you require identify and correct the problem. | ||
+ | |||
+ | |||
+ | ==== Airodump-ng does not show the ESSID ==== | ||
+ | |||
+ | Airodump-ng does not show the ESSID! | ||
+ | |||
+ | Answer: | ||
+ | |||
+ | |||
+ | ==== Error Message " | ||
+ | |||
+ | You get something similar to this: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | You cannot use fake authentication with a WPA/WPA Access Point. | ||
+ | |||
+ | |||
+ | ==== Error Message " | ||
+ | |||
+ | You cannot use fake authentication with an Open AP. Open meaning there is no WEP encryption enabled. | ||
+ | |||
+ | |||
+ | ==== Error Message " | ||
+ | |||
+ | First, ensure the AP you are trying to connect to is WEP. You cannot do fake authentication to a WPA/WPA2 network. | ||
+ | |||
+ | The most likely reason to get this error message is when the ESSID specified with " | ||
+ | |||
+ | |||
+ | ==== Error message "code (XX)" ==== | ||
+ | You receive an error messages referencing a code number. | ||
+ | |||
+ | |||
+ | ==== Other problems and solutions ==== | ||
+ | |||
+ | Also make sure that: | ||
+ | |||
+ | * You are physically close enough to the access point. | ||
+ | * Make sure you are using a real MAC address (see discussion above) | ||
+ | * The wireless card driver is properly patched and installed. | ||
+ | * The card is configured on the same channel as the AP. Use " | ||
+ | * The BSSID and ESSID (-a / -e options) are correct. | ||
+ | * If Prism2, make sure the firmware was updated. | ||
+ | See also: [[aireplay-ng# | ||
- | * You are close enough to the access point. | ||
- | * The driver is properly patched and installed. | ||
- | * The card is configured on the same channel as the AP. | ||
- | * The BSSID and ESSID (-a / -e options) are correct. | ||
- | * If Prism2, make sure the firmware was updated. |
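Review bot: In the WPA error-message section, "You cannot use fake authentication with a WPA/WPA Access Point" should read "WPA/WPA2", matching the later section that says "You cannot do fake authentication to a WPA/WPA2 network". Two smaller wording fixes in the same hunk: "set to a channel which is different then the AP" should be "different than the AP", and "all the information you require identify and correct the problem" is missing "to" before "identify". The new "Other problems and solutions" checklist says "Make sure you are using a real MAC address (see discussion above)", but the discussion it refers to (the old intro sentence "it is genereally better to use the MAC address of a real client") is removed in this revision, so that bullet should point at the "Setting MAC address" usage tip instead.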
fake_authentication.1163949138.txt.gz · Last modified: 2007/02/27 22:07 (external edit)