easside-ng
easside-ng [2007/09/02 20:54] – Cosmetic changes mister_x | easside-ng [2013/03/19 18:21] (current) – Added link to the new page created of Besside-ng jano | ||
Line 1: | Line 1: | ||
====== Easside-ng ====== | ====== Easside-ng ====== | ||
- | |||
- | ++++++ IMPORTANT ++++++\\ | ||
- | ++++++ IMPORTANT ++++++\\ | ||
- | ++++++ IMPORTANT ++++++\\ | ||
- | |||
- | This functionality will be available in a future release. It is NOT available currently. | ||
- | |||
- | ++++++ IMPORTANT ++++++\\ | ||
- | ++++++ IMPORTANT ++++++\\ | ||
- | ++++++ IMPORTANT ++++++\\ | ||
- | |||
===== Description ===== | ===== Description ===== | ||
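Review bot: dropping the three-line IMPORTANT banner and its "This functionality will be available in a future release. It is NOT available currently." sentence leaves the page with no availability statement at all; add one line under the Description heading saying that easside-ng now ships with the suite (and from which release, if known), so a reader does not have to consult the revision history to learn that the notice was retired on purpose rather than lost.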
Line 16: | Line 5: | ||
Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. | Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. | ||
- | There are two primary papers "The Fragmentation Attack in Practice" | + | There are two primary papers "The Fragmentation Attack in Practice" |
- | In order to access the wireless network without knowing the WEP key is done by having | + | In order to access the wireless network without knowing the WEP key, we have the AP itself decrypt the packets. |
* The target access point must be able to communicate with the Internet. | * The target access point must be able to communicate with the Internet. | ||
Line 39: | Line 28: | ||
- Once a network is found, it tries to authenticate. | - Once a network is found, it tries to authenticate. | ||
- Once the program has successfully authenticated then it associates with the AP. | - Once the program has successfully authenticated then it associates with the AP. | ||
- | - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. | + | - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. |
- | - It then decrypts the IP network by guessing the next three bytes of PRGA using multicast frames and the linear keystream expansion technique. | + | - It then decrypts the IP network by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique. |
- It creates a permanent TCP connection with the " | - It creates a permanent TCP connection with the " | ||
- ARPs to get the MAC addresses for the router and source IP. The defaults are .1 for the router and .123 for the client IP. | - ARPs to get the MAC addresses for the router and source IP. The defaults are .1 for the router and .123 for the client IP. | ||
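Review bot: the count in "guessing the next three bytes of PRGA" becomes "four bytes" here, while the Linear Keystream Expansion Technique section further down describes the same step; check that it states the same number so the two descriptions agree. Also, "- ARPs to get the MAC addresses for the router and source IP" is the only step written without a subject; "It then ARPs for the MAC addresses of the router and the source IP" would match the other steps, which are full sentences.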
Line 84: | Line 73: | ||
* Easside-ng constantly listens to the packets being transmitted by the AP. It then processes packets addressed to the TAP IP based on the MAC address or broadcasts. | * Easside-ng constantly listens to the packets being transmitted by the AP. It then processes packets addressed to the TAP IP based on the MAC address or broadcasts. | ||
* For each packet it needs to process, the packet must first be decrypted. | * For each packet it needs to process, the packet must first be decrypted. | ||
- | * Easside-ng creates a new packets composed of two fragments. | + | * Easside-ng creates a new packets composed of two fragments. |
* The AP receives the fragmented packet, decrypts each fragment and reassembles the fragments into a single packet. | * The AP receives the fragmented packet, decrypts each fragment and reassembles the fragments into a single packet. | ||
* The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng. | * The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng. | ||
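Review bot: "Easside-ng creates a new packets composed of two fragments" is ungrammatical on both sides of the change; since the line is being edited anyway, make it "a new packet". The following bullets say the AP decrypts and reassembles the two fragments and that the buddy server then receives the decrypted packet, but nothing in this hunk says what the two fragments carry or why the split is needed, which is the core of the step; one clause on the fragments' contents would make the list self-explanatory.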
Line 97: | Line 86: | ||
Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | ||
- | The original paper, [[http:// | + | The original paper, [[http:// |
==== Linear Keystream Expansion Technique ==== | ==== Linear Keystream Expansion Technique ==== | ||
Line 105: | Line 94: | ||
So you may also be asking "What is the linear keystream expansion technique?" | So you may also be asking "What is the linear keystream expansion technique?" | ||
- | The program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. | + | The program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. |
The linear keystream expansion technique (Arbaugh inductive) is reverse | The linear keystream expansion technique (Arbaugh inductive) is reverse | ||
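Review bot: "obtains the PRGA from known plain text portion of the ARP request" is missing an article on both sides; "from the known-plaintext portion of the ARP request" also uses the standard term. The parenthetical "(Arbaugh inductive)" is the only place this section names the technique's origin; spell it out as "the Arbaugh inductive attack" and give it a reference in the same style as the paper links used elsewhere on the page so the source is findable.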
Line 143: | Line 132: | ||
* -h Displays the list of options. | * -h Displays the list of options. | ||
- | * -v MAC address of the Acess Point (Optional) | + | * -v MAC address of the Access |
* -m | * -m | ||
* -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus " | * -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus " | ||
Line 156: | Line 145: | ||
NOTE: There are no parameters for buddy-ng. | NOTE: There are no parameters for buddy-ng. | ||
- | + | When you run easside-ng, it creates a file automatically in the current directory: | |
- | + | ||
- | When you run easside-ng, it creates a file automatically in the current directory | + | |
* prga.log - Contains the PRGA obtained through the fragmentation attack. | * prga.log - Contains the PRGA obtained through the fragmentation attack. | ||
Line 198: | Line 185: | ||
Where: | Where: | ||
- | * -f ath0 This is the wireless | + | * -f ath0 |
- | * -v 00: | + | * -v 00: |
- | * -c 9 This is the channel | + | * -c 9 |
- | * -s 10.116.23.144 | + | * -s 10.116.23.144 |
The system responds: | The system responds: | ||
Line 245: | Line 232: | ||
| | ||
- | Now you can send and receive packets to and from the AP network which in this case is 192.168.1.0/ | + | Now you can send and receive packets to and from the AP network which in this case is 192.168.1.0/ |
Line 261: | Line 248: | ||
First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple! | First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple! | ||
- | Playfully, this is known as "besside-ng". | + | Playfully, this is known as [[besside-ng|Besside-ng]]. |
==== Demonstrating Insecurity! ==== | ==== Demonstrating Insecurity! ==== | ||
Line 289: | Line 276: | ||
* It is running on Internet with a routeable IP address | * It is running on Internet with a routeable IP address | ||
- | * It is accessable | + | * It is accessible |
* Inbound and outbound UDP and TCP port 6969 is permitted. | * Inbound and outbound UDP and TCP port 6969 is permitted. | ||
Line 326: | Line 313: | ||
The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet. | The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet. | ||
+ | |||
+ | |||
+ | ===== Tap interface under Windows ===== | ||
+ | |||
+ | To obtain a tap interface in a MS Windows environment, | ||
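Review bot: the new "Tap interface under Windows" section is appended after the discussion of where to place the buddy-ng server, but the TAP interface is first introduced in the Description ("setup a TAP interface so that you can communicate with the AP"); either move the section next to the Description or cross-link it from there, otherwise Windows readers will not find it. The ===== heading level matches the other top-level sections, which is consistent.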
easside-ng.txt · Last modified: 2013/03/19 18:21 by jano