korek_chopchop

Differences

This shows you the differences between two versions of the page.
korek_chopchop [2007/05/03 01:05] – added: When to say no? darkaudax
korek_chopchop [2009/06/02 19:24] (current) – Fixed packetforge command (thanks wims) mister_x
Line 19: Line 19:
  
 Although it is not shown, you may use any of the other [[aireplay-ng]] filters.  The main page of [[aireplay-ng]] has the complete list.  Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select. Although it is not shown, you may use any of the other [[aireplay-ng]] filters.  The main page of [[aireplay-ng]] has the complete list.  Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select.
 +
 +If the "-h" option is omitted, then a unauthenticated chopchop attack is performed.  See the example below for more details.
  
  
 ===== Usage Examples ===== ===== Usage Examples =====
 +
  
  
 ==== Example with sample output ==== ==== Example with sample output ====
 +
 +This is an example an authenticated chopchop attack.  Meaning you must first perform a fake authentication and use the source MAC with the "-h" option.  Essentially this causes all packets to be sent with the source MAC specified by "-h" and the destination MAC will  vary with 256 combinations.
  
    aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0    aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
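Review bot: the added sentence at the top of this hunk reads "a unauthenticated chopchop attack"; it should be "an unauthenticated chopchop attack". The new paragraph under "Example with sample output" also drops a word in "This is an example an authenticated chopchop attack" (add "of") and has a double space in "will  vary". Since the paragraph now states that "-h" fixes the source MAC while the destination MAC cycles through 256 values, it would help to say explicitly that the "-h" value must be the same MAC used for the preceding fake authentication, which is what "you must first perform a fake authentication and use the source MAC with the -h option" implies but does not state outright.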
Line 118: Line 123:
    Completed in 21s (2.29 bytes/s)    Completed in 21s (2.29 bytes/s)
  
-Success!  The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet.  You may also use tcpdump or Wireshark to view the decrpted packet which is stored in replay_dec-0201-191706.cap.+Success!  The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with [[packetforge-ng]] such as an arp packet.  You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap. 
 + 
 + 
 +==== Chopchop Without Authentication ==== 
 + 
 +This is an example of chopchop attack without authentication.  Meaning you do not need to perform a fake authentication first and you omit the "-h" option.  Essentially this causes all packets to be sent with the 256 random source MAC addresses and a broadcast destination MAC. 
 + 
 +This only works with a very limited number Access Points (AP).  For APs which are vulnerable, they will only send a deauthentication packet if the source packet was valid.  If this is the case, then one byte has been successfully determined. 
 + 
 +   aireplay-ng -4 -b 00:14:6C:7E:40:80 ath0 
 + 
 +Where: 
 +  *-4 means the chopchop attack 
 +  * -b 00:14:6C:7E:40:80 is the access point MAC address 
 +  *ath0 is the wireless interface name 
  
 ==== Generating an ARP packet ==== ==== Generating an ARP packet ====
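Review bot: "This only works with a very limited number Access Points (AP)" is missing "of" ("a very limited number of Access Points (APs)"). The bullet list under "Where:" is inconsistent: "*-4" and "*ath0" lack the space after the asterisk that "* -b" has, so the three items will not render uniformly in DokuWiki. The explanation of the feedback channel could be stated more directly: because the source MAC is random and unauthenticated, the AP's deauthentication reply is the only signal the attack gets, and it is sent only when the chopped packet was valid, which is why receiving it confirms the guessed byte; the current wording ("If this is the case, then one byte has been successfully determined") leaves it to the reader to connect those two sentences.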
Line 139: Line 159:
 The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, in case the access point is filtering unauthenticated traffic. The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, in case the access point is filtering unauthenticated traffic.
  
-      packetforge-ng replay_dec-0627-022301.xor 1 00:13:10:30:24:9C 00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.arp.cap+      packetforge-ng --00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B -k 192.168.1.2 -l 192.168.1.100 -y replay_dec-0627-022301.xor -w arp.cap
  
 4. And replay our forged ARP request 4. And replay our forged ARP request
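Review bot: the corrected packetforge-ng command is still malformed: "--00:14:6C:7E:40:80" is a bare double dash followed by the BSSID, so the option name has been lost (packetforge-ng takes the access point MAC with "-a"), and the packet-type flag ("-0" for an ARP request) is absent even though the heading is "Generating an ARP packet". Suggest: "packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EB:C5:2B -k 192.168.1.2 -l 192.168.1.100 -y replay_dec-0627-022301.xor -w arp.cap". Separately, the source MAC (00:09:5B:EB:C5:2B) and xor file name (replay_dec-0627-022301.xor) here differ from those used in the chopchop example earlier on the page (00:09:5B:EC:EE:F2 and replay_dec-0201-191706.xor), which makes the walkthrough harder to follow as a single sequence; reusing the same values in both steps would fix that.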
Line 154: Line 174:
   * You were looking to decrypt a packet to/from a specific client and you would wait for   a packet to/from that client MAC address.   * You were looking to decrypt a packet to/from a specific client and you would wait for   a packet to/from that client MAC address.
   * You may want to purposely pick a short packet.  The reason being that the decryption time is linear to the length of the packet.  IE Small packets take less time.   * You may want to purposely pick a short packet.  The reason being that the decryption time is linear to the length of the packet.  IE Small packets take less time.
 +
 +
  
  
Line 159: Line 181:
  
 Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]]. Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]].
 +
 +Although not a direct troubleshooting tip for the chopchop attack, if you are unable to get the attack to work, there are some alternate attacks you should consider:
 +
 +  * [[fragmentation|Fragmentation Attack]]: This is an alternate technique to obtain PRGA for building packets for subsequent injection.
 +  * [[interactive_packet_replay#other_examples|-p 0841 method]]: This technique allows you to reinject any data packet received from the access point and generate IVs.
  
  
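Review bot: the new "alternate attacks" paragraph says "if you are unable to get the attack to work" without tying that back to the failure mode the page itself introduces in the "Chopchop Without Authentication" section, where the attack "only works with a very limited number Access Points". Suggest one clause pointing the reader there, e.g. that the fragmentation attack is the usual fallback when the AP does not respond to chopchop, so the troubleshooting list and the earlier caveat read as one piece. The two bullets themselves are fine; "-p 0841 method" as a link label is clear enough given the linked section.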
korek_chopchop.1178147128.txt.gz · Last modified: 2007/05/03 01:05 by darkaudax