easside-ng
Differences
This shows you the differences between two versions of the page.
easside-ng [2007/07/21 20:34] – major update of content darkaudax | easside-ng [2009/08/14 18:53] – use dokuwiki internal link mister_x | ||
Line 16: | Line 16: | ||
Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. | Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. | ||
- | There are two primary papers "The Fragmentation Attack in Practice" | + | There are two primary papers "The Fragmentation Attack in Practice" |
In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets. | In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets. | ||
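Review bot: the sentence "In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets" has no subject and fuses two constructions; since this hunk already touches the paragraph, suggest "Access to the wireless network without knowing the WEP key is obtained by having the AP itself decrypt the packets." The first line of the hunk also has "an WEP-encrypted", which should be "a WEP-encrypted".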
Line 40: | Line 40: | ||
- Once the program has successfully authenticated then it associates with the AP. | - Once the program has successfully authenticated then it associates with the AP. | ||
- After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. | - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. | ||
- | - It then decrypts the IP network by guessing the next three bytes of PRGA using multicast frames and the linear keystream expansion technique. | + | - It then decrypts the IP network by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique. |
- It creates a permanent TCP connection with the " | - It creates a permanent TCP connection with the " | ||
- ARPs to get the MAC addresses for the router and source IP. The defaults are .1 for the router and .123 for the client IP. | - ARPs to get the MAC addresses for the router and source IP. The defaults are .1 for the router and .123 for the client IP. | ||
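Review bot: the third step changes the number of PRGA bytes guessed via multicast frames from three to four, but nothing else in the hunk explains the correction; check that the new value agrees with the Linear Keystream Expansion Technique section and with the referenced paper so the two places do not disagree. Minor: "Once the program has successfully authenticated then it associates with the AP" reads better without "then".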
Line 88: | Line 88: | ||
* The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng. | * The buddy server receives the decrypted packet from the AP by UDP. It then resends the decrypted information back to easside-ng. | ||
* Easside-ng then sends the decrypted packet out the at0 (TAP) interface. | * Easside-ng then sends the decrypted packet out the at0 (TAP) interface. | ||
- | |||
==== Fragmentation Technique ==== | ==== Fragmentation Technique ==== | ||
Line 98: | Line 97: | ||
Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. | ||
- | The original paper, [[http:// | + | The original paper, [[http:// |
==== Linear Keystream Expansion Technique ==== | ==== Linear Keystream Expansion Technique ==== | ||
Line 110: | Line 108: | ||
The linear keystream expansion technique (Arbaugh inductive) is reverse | The linear keystream expansion technique (Arbaugh inductive) is reverse | ||
- | [[chopchop]]. | + | [[korek_chopchop|chopchop]]. |
==== Easside-ng compared to Wesside-ng ==== | ==== Easside-ng compared to Wesside-ng ==== | ||
Line 118: | Line 115: | ||
^Feature^easside-ng^wesside-ng^ | ^Feature^easside-ng^wesside-ng^ | ||
- | |Fake Authentication to AP|Included|Included| | + | |Stability of the program|Stable|Proof of concept| |
- | |Fragmentation attack to obtain PRGA|Included|Included| | + | |Finds a MAC address to spoof|No|Yes| |
- | |Linear Keystream Expansion Technique|Included|Included| | + | |Fake Authentication to AP|Yes|Yes| |
+ | |Can use ARP packets for fragmentation|Yes|Yes| | ||
+ | |Can use IP packets for fragmentation|Yes|No| | ||
+ | |Fragmentation attack to obtain PRGA|Yes|Yes| | ||
+ | |Linear Keystream Expansion Technique|Yes|Yes| | ||
|Communication with wifi network without WEP key|Yes|No| | |Communication with wifi network without WEP key|Yes|No| | ||
|Network ARP request flooding|No|Yes| | |Network ARP request flooding|No|Yes| | ||
- | |aircrack-ng PTW attack|No|Yes| | + | |Aircrack-ng PTW attack|No|Yes| |
+ | |Recovers WEP key|No|Yes| | ||
==== Why easside-ng when aircrack-ng has PTW? ==== | ==== Why easside-ng when aircrack-ng has PTW? ==== | ||
Line 133: | Line 134: | ||
* easside-ng is handy for a quick and stealthy attack. | * easside-ng is handy for a quick and stealthy attack. | ||
- | |||
- | ==== Limitations ==== | ||
- | |||
- | There are a few known limitations: | ||
- | * Only open authentication is support. Shared key authentication is not supported. | ||
- | * Only B and G networks are supported. | ||
===== Usage ===== | ===== Usage ===== | ||
- | Usage: easside-ng <arg> [v0] | + | Usage: easside-ng <args> |
Where: | Where: | ||
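Review bot: the Limitations section removed here is not dropped but moved into the Usage Troubleshooting list at the end of this revision, which the edit summary should say; the typo carried over with it ("Only open authentication is support.") should become "Only open authentication is supported." The usage line change to "Usage: easside-ng <args>" is consistent with removing the "[v0] Current version number" bullet in the next hunk.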
Line 155: | Line 150: | ||
* -f Wireless interface name. (Mandatory) | * -f Wireless interface name. (Mandatory) | ||
* -c Locks the card to the specified channel (Optional) | * -c Locks the card to the specified channel (Optional) | ||
- | * [v0] Current version number. | ||
Line 254: | Line 248: | ||
- | ==== Specific AP Usage Example ==== | + | ==== Scanning for APs Usage Example ==== |
The " | The " | ||
Line 267: | Line 261: | ||
First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple! | First run easside-ng to obtain the prga file. Then run wesside-ng to flood the network and obtain the WEP key. It is really that simple! | ||
+ | Playfully, this is known as " | ||
==== Demonstrating Insecurity! ==== | ==== Demonstrating Insecurity! ==== | ||
Line 275: | Line 270: | ||
* Use easside-ng to create an access mechanism to the WIFI network. | * Use easside-ng to create an access mechanism to the WIFI network. | ||
- | * Log into the AP with your favourite browser | + | * Log into the AP with your favourite browser. |
* Now you can configure your wireless card with the WEP key and access the network normally. | * Now you can configure your wireless card with the WEP key and access the network normally. | ||
+ | |||
+ | |||
+ | ==== Test Setup ==== | ||
+ | |||
+ | This section will discuss what works and what does not work with regards to testing easside-ng against your own wireless LAN. | ||
+ | |||
+ | 6969 is the standard port used by easside-ng and buddy-ng. | ||
+ | |||
+ | First, some simple assumptions about your wireless LAN: | ||
+ | |||
+ | * It has access to the Internet. | ||
+ | * Outbound UDP port 6969 to the Internet is not blocked. | ||
+ | * You have tested your ability to connect to the buddy-ng server. | ||
+ | |||
+ | Assumptions about your buddy-ng server: | ||
+ | |||
+ | * It is running on Internet with a routeable IP address | ||
+ | * It is accessable by both the system running easside-ng and the wireless LAN | ||
+ | * Inbound and outbound UDP and TCP port 6969 is permitted. | ||
+ | |||
+ | Assumptions about the system running easside-ng; | ||
+ | |||
+ | * It is running on Internet with a routeable IP address. | ||
+ | * Outbound TCP port 6969 to the Internet is not blocked. | ||
+ | * You have tested your ability to connect to the buddy-ng server. | ||
+ | * It contains a wireless device supported by aircrack-ng and it is in monitor mode. | ||
+ | |||
+ | The easiest way to test connectivity to the buddy-ng server is by using telnet. | ||
+ | |||
+ | Enter: | ||
+ | |||
+ | | ||
+ | |||
+ | The system should respond: | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | The buddy server should look like this: | ||
+ | |||
+ | | ||
+ | Got connection from <ip of the easside-ng system> | ||
+ | |||
+ | When you terminate the telnet session, it should look like this: | ||
+ | |||
+ | That was it | ||
+ | | ||
+ | |||
+ | The above examples show a successful test. If your test fails then use tcpdump or wireshark on the source and destination systems to sniff port 6969. Determine the problem with these tools and others then correct the root problem. | ||
+ | |||
+ | If you are running easside-ng and buddy-ng on the same system then the system must have a routeable Internet IP address. | ||
+ | |||
+ | The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet. | ||
+ | |||
+ | |||
+ | ===== Tap interface under Windows ===== | ||
+ | |||
+ | To obtain a tap interface in a MS Windows environment, | ||
===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== | ||
- | Make sure your card is in monitor mode. | + | * Make sure your card is in monitor mode. |
- | Make sure your card can inject by testing it with the [[http:// | + | * Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]]. |
- | Make sure your card supports the fragmentation attack. | + | * Make sure your card supports the fragmentation attack. |
- | Make sure to delete prga.log if you are changing access points or if you want to restart cleanly. | + | * Make sure to delete |
- | There are a few known limitations: | + | * There are a few known limitations: |
- | * Only open authentication is support. | + | * Only open authentication is support. |
- | * Only B and G networks are supported. | + | * Only B and G networks are supported. |
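Review bot: several wording slips in the new Test Setup section: "accessable" should be "accessible", "Assumptions about the system running easside-ng;" should end with a colon like the other two lead-ins, "Inbound and outbound UDP and TCP port 6969 is permitted" should be "are permitted", and the first two bullets under the buddy-ng server assumptions lack a terminating period. In the Usage Troubleshooting list, "Only open authentication is support." should read "is supported."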
easside-ng.txt · Last modified: 2013/03/19 18:21 by jano