airbase-ng
Differences
airbase-ng [2009/09/08 01:19] – removed availability warning (1.0 is released) mister_x | airbase-ng [2010/04/18 20:57] – Cosmetic fix for airodump-ng screen (wpa) mister_x | ||
---|---|---|---|
Line 132: | Line 132: | ||
There are 3 arguments for " | There are 3 arguments for " | ||
- | There is a small and simple example application to replay all frames on the second interface. The tool is called " | + | There is a small and simple example application to replay all frames on the second interface. The tool is called " |
- | This can be compared to ettercap filters, but is more powerful, as a real programming language can be used to build complex logic for filtering and packet customization. The downside on using python is, that it adds a delay of around 100ms and the cpu utilizations | + | This can be compared to ettercap filters, but is more powerful, as a real programming language can be used to build complex logic for filtering and packet customization. The downside on using python is, that it adds a delay of around 100ms and the cpu utilization |
==== -c Channel Flag ==== | ==== -c Channel Flag ==== | ||
Line 166: | Line 166: | ||
This attack listens for an ARP request or IP packet from the client. | This attack listens for an ARP request or IP packet from the client. | ||
- | This attack works especially well against ad-hoc networks. | + | This attack works especially well against ad-hoc networks. |
This option includes added compatibility with some clients. As well, random source IPs and MACs for cfrag attack are included to evade simple flood protection. | This option includes added compatibility with some clients. As well, random source IPs and MACs for cfrag attack are included to evade simple flood protection. | ||
Line 172: | Line 172: | ||
==== -x Number of Packets per Second ==== | ==== -x Number of Packets per Second ==== | ||
- | This sets the number of packets per second | + | This sets the number of packets per second |
==== -y Disable Broadcast Probes ==== | ==== -y Disable Broadcast Probes ==== | ||
- | When using this option, the fake AP will not respond to broadcast probes. | + | When using this option, the fake AP will not respond to broadcast probes. |
==== -0 Set WPA/WEP Tags ==== | ==== -0 Set WPA/WEP Tags ==== | ||
Line 203: | Line 203: | ||
The -P option must also be specified in order to use this option. | The -P option must also be specified in order to use this option. | ||
- | When running in the default mode (no ESSIDs) or with the -P parameter, the -C option can be used to enable beacon broadcasting of the ESSIDs seen by the directed probes. This allows one client which is probing for a network to result in a beacon for the same network for a brief period of time (the -C parameter, which is the number of seconds to broadcast new probe requests). This works well when some clients are sending directed probes, while others listen passively for beacons. A client which does directed probes results in a beacon which wakes up the passive client and causes the passive client to joint he network as well. This is especially useful with Vista clients (which listens passively for beacons in many cases) which share the same WiFi? network as Linux/Mac OS X clients which send directed probes. | + | When running in the default mode (no ESSIDs) or with the -P parameter, the -C option can be used to enable beacon broadcasting of the ESSIDs seen by the directed probes. This allows one client which is probing for a network to result in a beacon for the same network for a brief period of time (the -C parameter, which is the number of seconds to broadcast new probe requests). This works well when some clients are sending directed probes, while others listen passively for beacons. A client which does directed probes results in a beacon which wakes up the passive client and causes the passive client to join the network as well. This is especially useful with Vista clients (which listens passively for beacons in many cases) which share the same WiFi? network as Linux/Mac OS X clients which send directed probes. |
==== Beacon Frames ==== | ==== Beacon Frames ==== | ||
Line 211: | Line 211: | ||
==== Control Frame Handling ==== | ==== Control Frame Handling ==== | ||
- | Control frames (ack/ | + | Control frames (ack/ |
It has been implemented in a way to maximizes the compatibility and the chances to keep a station connected. | It has been implemented in a way to maximizes the compatibility and the chances to keep a station connected. | ||
Line 217: | Line 217: | ||
==== Filtering ==== | ==== Filtering ==== | ||
- | There is rich filtering | + | There are rich filtering |
To limit the supported ESSIDs, you can specify "-e < | To limit the supported ESSIDs, you can specify "-e < | ||
Line 276: | Line 276: | ||
* -d 00: | * -d 00: | ||
* -w specifies the file name prefix of the captured data | * -w specifies the file name prefix of the captured data | ||
- | * ath0 specifies the wireless interface | + | * wlan0 specifies the wireless interface to capture data on |
Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: | Here is what the window looks like when airbase-ng has received a packet from the client and has successfully started the attack: | ||
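Review bot: the bullet in this hunk is changed from "ath0 specifies the wireless interface" to "wlan0 specifies the wireless interface to capture data on", but the command line these bullets annotate is not part of the hunk; confirm that the example command above the list was updated to use wlan0 as well, otherwise the explanation and the command will name different interfaces.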
Line 410: | Line 410: | ||
* -c 9 specifies the channel | * -c 9 specifies the channel | ||
- | * -d 00: | + | * -d 00: |
* -w specifies the file name of the captured data | * -w specifies the file name of the captured data | ||
* wlan0 specifies the wireless interface to capture data on | * wlan0 specifies the wireless interface to capture data on | ||
When the client connects, notice the "WPA handshake: 00: | When the client connects, notice the "WPA handshake: 00: | ||
Line 478: | Line 478: | ||
==== How Does the Hirte Attack Work? ==== | ==== How Does the Hirte Attack Work? ==== | ||
- | This is client attack which can use any IP or ARP packet. | + | This is a client attack which can use any IP or ARP packet. |
The basic idea is to generate an ARP request to be sent back to the client such that the client responds. | The basic idea is to generate an ARP request to be sent back to the client such that the client responds. | ||
Line 486: | Line 486: | ||
The source IP is in the packet received from the client is in a known position - position 23 for ARP or 21 for IP. ARP is assumed if the packet is 68 or 86 bytes in length plus a broadcast destination MAC address. | The source IP is in the packet received from the client is in a known position - position 23 for ARP or 21 for IP. ARP is assumed if the packet is 68 or 86 bytes in length plus a broadcast destination MAC address. | ||
- | In order to send a valid ARP request back to the client, we need move the source IP to position 33. Of course you can't simply move bytes around, that would invalidate the packet. | + | In order to send a valid ARP request back to the client, we need to move the source IP to position 33. Of course you can't simply move bytes around, that would invalidate the packet. |
In the case of an IP packet, a similar technique is used. However due to the more limited amount of PRGA available, there are three fragments plus the original packet used. | In the case of an IP packet, a similar technique is used. However due to the more limited amount of PRGA available, there are three fragments plus the original packet used. | ||
In all cases, bit flipping is used to ensure the CRC is correct. | In all cases, bit flipping is used to ensure the CRC is correct. | ||
+ | |||
+ | ==== SoftAP with Internet connection and MITM sniffing ==== | ||
+ | |||
+ | This [[http:// | ||
+ | |||
===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== | ||
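Review bot: the new "SoftAP with Internet connection and MITM sniffing" section consists of nothing but an external link ("This [[http:// ..."); add a sentence stating what the linked page covers and which airbase-ng options it relies on, so the section is still useful if the link goes dead, and so readers can tell it is a pointer to a third-party write-up rather than part of this reference.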
Line 496: | Line 501: | ||
==== Driver Limitations ==== | ==== Driver Limitations ==== | ||
- | Some drivers like r8187 don't capture packets by itself. | + | Some drivers like r8187 don't capture packets |
The madwifi-ng currently does not support the Caffe-Latte or Hirte attacks. | The madwifi-ng currently does not support the Caffe-Latte or Hirte attacks. | ||
Line 508: | Line 513: | ||
See this [[http:// | See this [[http:// | ||
+ | ==== Error creating tap interface: Permission denied ==== | ||
- | ===== Related Commands ===== | + | See the following [[faq# |
- | Since the version has not been officially released, the aireplay-ng documentation does not reflect new features which are related to airbase-ng. | + | ===== Related Commands ===== |
" | " |
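Review bot: this hunk drops the sentence "Since the version has not been officially released, the aireplay-ng documentation does not reflect new features which are related to airbase-ng", consistent with the revision note that 1.0 is released; before removing the caveat, confirm that the aireplay-ng page now actually documents the airbase-ng related features, otherwise the Related Commands section loses its only warning that the cross-referenced documentation may be incomplete.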
airbase-ng.txt · Last modified: 2018/03/11 18:54 by mister_x