packetforge-ng
Differences
packetforge-ng [2007/01/25 01:24] – created darkaudax | packetforge-ng [2010/08/22 20:59] (current) – update "Usage" and fixed "mode" rendering mister_x | ||
Line 3: | Line 3: | ||
===== Description ===== | ===== Description ===== | ||
- | The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. | + | The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets. |
- | To create an encrypted packet, you must have a PRAGA (pseudo random genration algorithm) file. This is used to encrypt the packet you create. | + | To create an encrypted packet, you must have a PRGA (pseudo random genration algorithm) file. This is used to encrypt the packet you create. |
===== Usage ===== | ===== Usage ===== | ||
Usage: packetforge-ng < | Usage: packetforge-ng < | ||
- | | + | ====Forge options==== |
*-p < | *-p < | ||
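Review bot: the revised Description line still expands PRGA as "pseudo random genration algorithm"; since this edit already corrects "PRAGA" to "PRGA", fix the remaining typo to "pseudo random generation algorithm" in the same change.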
Line 20: | Line 20: | ||
*-e : disables WEP encryption | *-e : disables WEP encryption | ||
*-k < | *-k < | ||
- | *-l < | + | *-l < |
*-t ttl : set Time To Live | *-t ttl : set Time To Live | ||
*-w < | *-w < | ||
- | | + | ====Source options==== |
*-r < | *-r < | ||
*-y < | *-y < | ||
- | | + | ====Modes ==== |
+ | |||
+ | *-'''' | ||
+ | *-'''' | ||
+ | *-'''' | ||
+ | *-'''' | ||
+ | *-'''' | ||
- | *--arp | ||
- | *--udp | ||
- | *--icmp | ||
- | *--custom | ||
===== Usage Example ===== | ===== Usage Example ===== | ||
+ | ==== Generating an arp request packet ==== | ||
Here is an example of how to generate an arp request packet. | Here is an example of how to generate an arp request packet. | ||
- | First, obtain a xor file (PRAGA) with either the aireplay-ng chopchop or fragmentation method. | + | First, obtain a xor file (PRGA) with either the aireplay-ng chopchop or fragmentation method. |
Then use the following command: | Then use the following command: | ||
- | packetforge-ng -0 -a 00: | + | |
Where: | Where: | ||
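Review bot: the five revised Modes entries show here as `*-''''` with no option name visible, whereas the removed lines carried `--arp`, `--udp`, `--icmp` and `--custom`; check that the new quoting markup still renders each double-dash mode name on the page and that the fifth entry is intended. The revised side of the example command line (replacing `packetforge-ng -0 -a 00:`) is also empty in this view, so confirm the command survived the move into its new block.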
Line 50: | Line 53: | ||
*-a 00: | *-a 00: | ||
*-h 00: | *-h 00: | ||
- | *-k 255.255.255.255 is the destination IP. IE In an arp it is the "Who has this IP" | + | *-k 192.168.1.100 is the destination IP. IE In an arp it is the "Who has this IP" |
- | *-l 255.255.255.255 is the source IP. IE In an arp is the "Tells this IP" | + | *-l 192.168.1.1 is the source IP. IE In an arp it is the "Tell this IP" |
*-y fragment-0124-161129.xor | *-y fragment-0124-161129.xor | ||
*-w arp-packet | *-w arp-packet | ||
Line 60: | Line 63: | ||
The results look like this: | The results look like this: | ||
- | Total number of packets read 1 | + | |
- | Total number of WEP data packets | + | Total number of WEP data packets |
- | Total number of WPA data packets | + | Total number of WPA data packets |
- | Number of plaintext data packets | + | Number of plaintext data packets |
- | Number of decrypted WEP packets | + | Number of decrypted WEP packets |
- | Number of decrypted WPA packets | + | Number of decrypted WPA packets |
To view the packet that was just decrypted, enter " | To view the packet that was just decrypted, enter " | ||
The results look like this: | The results look like this: | ||
- | reading from file arp-request-dec, | + | |
- | 18: | + | 18: |
- | Which is exactly what we expected. | + | Which is exactly what we expected. Now you can inject this arp request packet as follows " |
The program will respond as follows: | The program will respond as follows: | ||
Size: 68, FromDS: 0, ToDS: 1 (WEP) | Size: 68, FromDS: 0, ToDS: 1 (WEP) | ||
+ | | ||
| | ||
Dest. MAC = FF: | Dest. MAC = FF: | ||
Source MAC = 00: | Source MAC = 00: | ||
+ | | ||
0x0000: | 0x0000: | ||
0x0010: | 0x0010: | ||
Line 88: | Line 91: | ||
0x0030: | 0x0030: | ||
0x0040: | 0x0040: | ||
+ | | ||
+ | Use this packet ? y | ||
+ | | ||
+ | Saving chosen packet in replay_src-0124-163529.cap | ||
+ | You should also start airodump-ng to capture replies. | ||
+ | End of file. | ||
- | Use this packet ? y | + | By entering "y" above, the packet you created with packetforge-ng is then injected. |
- | Saving chosen packet in replay_src-0124-163529.cap | ||
- | You should also start airodump-ng to capture replies. | ||
- | End of file. | + | ==== Generating a null packet ==== |
- | By entering | + | This option allows you to generate LLC null packets. |
+ | |||
+ | Remember that the size value (-s) defines the absolute size of an unencrypted packet, so you need to add 8 bytes to get its final length after encrypting it (4 bytes for iv+idx and 4 bytes for icv). This value also includes | ||
+ | |||
+ | The command is: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | * --null means generate a LLC null packet (requires double dash). | ||
+ | * -s 42 specifies the packet length to be generated. | ||
+ | * -a BSSID is the MAC address of the access point. | ||
+ | * -h SMAC is the source MAC address of the packet to be generated. | ||
+ | * -w short-packet.cap is the name of the output file. | ||
+ | * -y fragment.xor is the name of the file containing the PRGA. | ||
+ | |||
+ | |||
+ | ==== Generating a custom | ||
+ | If you want to generate a customer packet, first create a packet | ||
+ | |||
+ | packetforge-ng | ||
+ | |||
+ | Where: | ||
+ | * -9 means generate a custom packet. | ||
+ | * -r input.cap | ||
+ | * -y keystream.xor is the file containing the PRGA. | ||
+ | * -w output.cap is the output file. | ||
+ | |||
+ | When it runs, packetforge-ng will ask you which packet to use and then output the file. | ||
+ | |||
+ | |||
+ | |||
+ | ===== Usage Tips ===== | ||
+ | |||
+ | Most access points really don't care what IPs are used for the arp request. | ||
+ | |||
+ | So the packetforge-ng command becomes: | ||
+ | | ||
+ | |||
+ | |||
+ | ===== Usage Troubleshooting ===== | ||
+ | |||
+ | ==== Including both -j and -o flags ==== | ||
+ | |||
+ | A common mistake people make is to include either or both -j and -o flags and create invalid packets. | ||
+ | |||
+ | |||
+ | ==== Error message "Mode already specified" | ||
+ | |||
+ | This is commonly caused by using the number one (-1) instead of dash lowercase L (-l) in the command. | ||
+ | |||
+ | Entering: | ||
+ | | ||
+ | |||
+ | Gives: | ||
+ | Mode already specified. | ||
+ | " | ||
+ | |||
+ | This because -1 (number one) was used instead of the correct -l (the letter ell). So simply use " | ||
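Review bot: "If you want to generate a customer packet" in the custom-packet section should read "custom packet", and its `-r input.cap` bullet is the only entry in that "Where:" list with no description; add one in the same style as the `-y` and `-w` bullets. Minor points in the same hunk: "a LLC null packet" should be "an LLC null packet", and the null-packet sentence "This value also includes" stops before saying what else the `-s` size covers.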
packetforge-ng.1169684670.txt.gz · Last modified: 2007/01/25 01:24 (external edit)