User Tools

Site Tools


wds

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
wds [2008/02/09 16:34]
darkaudax corrected a formating problem
wds [2010/11/20 23:04]
sleek typo
Line 1: Line 1:
 ====== Tutorial: ​ How to crack WEP on a Wireless Distribution System (WDS)? ====== ====== Tutorial: ​ How to crack WEP on a Wireless Distribution System (WDS)? ======
-Version: 1.02 February 9, 2008 \\+Version: 1.02.1 February 9, 2008 \\
 By: darkAudax \\ By: darkAudax \\
 \\ \\
Line 35: Line 35:
   * You have Wireshark installed and working. ​ Plus you have a basic understanding of how to use it.   * You have Wireshark installed and working. ​ Plus you have a basic understanding of how to use it.
   * You are using the latest aircrack-ng 1.0dev version or above.   * You are using the latest aircrack-ng 1.0dev version or above.
- 
-In the examples, the option "​double dash bssid" is shown as "- -bssid"​. ​ Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs", "- -arpreplay",​ "- -deauth",​ "- -channel",​ "- -arp" and "- -fakeauth"​. 
- 
  
 ====Equipment used==== ====Equipment used====
Line 111: Line 108:
   * The WDS sends out probe packets for the specific AP as well as "​broadcast"​. ​ This continues, at least on these particular units, even after the WDS connects to the main AP.  I suspect this is a type of keep alive process but this is not an authoritative explanation. ​ I have seen other WDS implementations which do not continuously send probes.   * The WDS sends out probe packets for the specific AP as well as "​broadcast"​. ​ This continues, at least on these particular units, even after the WDS connects to the main AP.  I suspect this is a type of keep alive process but this is not an authoritative explanation. ​ I have seen other WDS implementations which do not continuously send probes.
   * The client line above only reflects the probes and probe responses. ​ Currently, the WDS traffic is not shown as client activity.   * The client line above only reflects the probes and probe responses. ​ Currently, the WDS traffic is not shown as client activity.
- 
- 
 ==== Attacks which work ==== ==== Attacks which work ====
  
Line 119: Line 114:
 Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit.  So fake authentication is not required. ​ However, using a separate MAC seems to yield better injection rates. Although fake authentication does work, each BSSID can be used as an authenticated MAC on the other unit.  So fake authentication is not required. ​ However, using a separate MAC seems to yield better injection rates.
  
 +airtun-ng can inject plaintext and WEP packets into a WDS link. That's even possible when airtun-ng only sees one of the two WDS nodes! (Note that in this case only clients behind this node are reachable)
  
 ==== Attacks which do not work ==== ==== Attacks which do not work ====
Line 139: Line 135:
   * All tools: Ability to specify all four address fields on the command line   * All tools: Ability to specify all four address fields on the command line
   * aireplay-ng:​ Display all address fields based on context of To/FromDS bit combinations   * aireplay-ng:​ Display all address fields based on context of To/FromDS bit combinations
-  * aireplay-ng:​ For arp request replay, recognize the arp request packet being sent from the other unit (using 4 addresses plus exta 6 bytes) and replay that.+  * aireplay-ng:​ For arp request replay, recognize the arp request packet being sent from the other unit (using 4 addresses plus extra 6 bytes) and replay that.
  
  
Line 173: Line 169:
  
 The existing aircrack-ng tools can capture this and break the WEP key. The existing aircrack-ng tools can capture this and break the WEP key.
- 
wds.txt ยท Last modified: 2018/03/11 19:08 by mister_x