Both sides previous revisionPrevious revisionNext revision | Previous revisionLast revisionBoth sides next revision |
tkiptun-ng [2009/03/10 16:43] – updated to reflect which drivers are now working and which parts are working. darkaudax | tkiptun-ng [2009/09/26 20:41] – Fiex typos darkaudax |
---|
===== Description ===== | ===== Description ===== |
| |
NOTE: This documention is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the [[http://forum.tinyshell.be|Forum]]. | NOTE: This documentation is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the [[http://forum.aircrack-ng.org|Forum]]. |
| |
**IMPORTANT NOTE:** The tkiptun-ng SVN version is not fully working. The final attack phase is not yet implemented. The other portions are working with the ieee80211 drivers for RT73 and RTL8187L chipsets. The madwifi-ng driver is definitely broken and is known to completely fail. tkiptun-ng may work with other drivers but has not been tested so your mileage may vary. | **IMPORTANT NOTE:** The tkiptun-ng SVN version is not fully working. The final attack phase is not yet implemented. The other portions are working with the ieee80211 drivers for RT73 and RTL8187L chipsets. The madwifi-ng driver is definitely broken and is known to completely fail. tkiptun-ng may work with other drivers but has not been tested so your mileage may vary. |
Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created PTW attack) for a conference in [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". | Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created PTW attack) for a conference in [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". |
| |
Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. This attack is described in the paper, [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://arstechnica.com/articles/paedia/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman. | Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. This attack is described in the paper, [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://arstechnica.com/security/news/2008/11/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman. |
| |
Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). This is done via [[chopchoptheory|chopchop]]-type method. Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated. | Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). This is done via [[chopchoptheory|chopchop]]-type method. Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated. |
At this point, tkiptun-ng has recovered the MIC key and knows a keystram for access point to client communication. Subsequently, using the XOR file, you can create new packets and inject them. The creation and injection are done using the other aircrack-ng suite tools. | At this point, tkiptun-ng has recovered the MIC key and knows a keystram for access point to client communication. Subsequently, using the XOR file, you can create new packets and inject them. The creation and injection are done using the other aircrack-ng suite tools. |
| |
Please remember this is an extremely advanced attack. You require advanced linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED. | [[http://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009 provides an excellent detailed description of how tkiptun-ng works. As well, their paper includes detailed descriptions of many other attacks against WEP/WPA/WPA2. |
| |
| Please remember this is an extremely advanced attack. You must possess advanced linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED. |
| |
| |
===== Specific Requirements ===== | ===== Specific Requirements ===== |
| |
The network card MAC address that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking. | The network card MAC address used by tkiptun-ng needs to be set to the MAC address of the client you are attacking. |
| |
| |