korek_chopchop

Differences

korek_chopchop [2007/07/03 00:13] – fixed typo mister_xkorek_chopchop [2007/12/20 17:59] – add unauthenticated chopchop example darkaudax
Line 19: Line 19:
  
 Although it is not shown, you may use any of the other [[aireplay-ng]] filters.  The main page of [[aireplay-ng]] has the complete list.  Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. Although it is not shown, you may use any of the other [[aireplay-ng]] filters.  The main page of [[aireplay-ng]] has the complete list.  Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select.
 +
 +If the "-h" option is omitted, then a unauthenticated chopchop attack is performed.  See the example below for more details.
  
  
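Review bot: the added line has a grammar slip ("a unauthenticated" should read "an unauthenticated") and presents omitting "-h" as a drop-in alternative without the caveat, stated further down the page, that the unauthenticated chopchop only works against a very limited number of access points. Suggest: "If the "-h" option is omitted, an unauthenticated chopchop attack is performed. This only works against a limited number of APs, so perform a fake authentication and use "-h" where you can; see the example below for details."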
Line 26: Line 28:
  
 ==== Example with sample output ==== ==== Example with sample output ====
 +
 +This is an example an authenticated chopchop attack.  Meaning you must first perform a fake authentication and use the source MAC with the "-h" option.  Essentially this causes all packets to be sent with the source MAC specified by "-h" and the destination MAC will  vary with 256 combinations.
  
    aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0    aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
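Review bot: the new introductory sentence is missing a word ("This is an example of an authenticated chopchop attack") and has a doubled space in "will  vary". It should also state explicitly that the MAC given to "-h" must be the same source MAC used for the preceding fake authentication, since the command below uses 00:09:5B:EC:EE:F2 without tying it back to that step.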
Line 120: Line 124:
  
 Success!  The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet.  You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. Success!  The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet.  You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap.
 +
 +
 +==== Chopchop Without Authentication ====
 +
 +This is an example of chopchop attack without authentication.  Meaning you do not need to perform a fake authentication first and you omit the "-h" option.  Essentially this causes all packets to be sent with the 256 random source MAC addresses and a broadcast destination MAC.
 +
 +This only works with a very limited number Access Points (AP).  For APs which are vulnerable, they will only send a deauthentication packet if the source packet was valid.  If this is the case, then one byte has been successfully determined.
 +
 +   aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0
 +
 +Where:
 +  *-4 means the chopchop attack
 +  * -b 00:14:6C:7E:40:80 is the access point MAC address
 +  *ath0 is the wireless interface name
 +
  
 ==== Generating an ARP packet ==== ==== Generating an ARP packet ====
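Review bot: the second paragraph of the new "Chopchop Without Authentication" section is missing "of" ("a very limited number of Access Points") and its explanation of the mechanism is ambiguous: "they will only send a deauthentication packet if the source packet was valid" does not say what "valid" means here or which packet is meant, so the reader cannot tell why a deauthentication reveals one byte. Suggest rewording to name the check the AP performs on the chopped packet and to state that a deauthentication reply is the signal that the guessed byte was correct. Two smaller points: the "Where:" list has inconsistent spacing after the bullet ("*-4", "* -b", "*ath0"), and unlike the authenticated section this one gives no sample output, so a reader cannot tell what a successful run or a non-vulnerable AP looks like.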
korek_chopchop.txt · Last modified: 2009/06/02 19:24 by mister_x