easside-ng
easside-ng [2007/07/22 17:16] darkaudaxeasside-ng [2009/09/08 01:20] – removed availability warning (1.0 is released) mister_x
Line 1: Line 1:
 ====== Easside-ng ====== ====== Easside-ng ======
- 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
- 
-This functionality will be available in a future release. It is NOT available currently. 
- 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
-++++++ IMPORTANT ++++++\\ 
- 
  
 ===== Description ===== ===== Description =====
Line 16: Line 5:
 Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key.  It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key.  All this is done without your intervention. Easside-ng is an auto-magic tool which allows you to communicate via an WEP-encrypted access point (AP) without knowing the WEP key.  It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then setup a TAP interface so that you can communicate with the AP without requiring the WEP key.  All this is done without your intervention.
  
-There are two primary papers "The Fragmentation Attack in Practice"  by Andrea Bittau and "The Final Nail in WEP's Coffin" by Andrea Bittau, Mark Handley and Josua Lockey which are of interest.  See the the [[http://aircrack-ng.org/doku.php?id=links|links page]] for these papers and more.  The papers referenced provide excellent background information if you would like to understand the underlying methodologies.  The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.+There are two primary papers "The Fragmentation Attack in Practice"  by Andrea Bittau and "The Final Nail in WEP's Coffin" by Andrea Bittau, Mark Handley and Josua Lockey which are of interest.  See the the [[links|links page]] for these papers and more.  The papers referenced provide excellent background information if you would like to understand the underlying methodologies.  The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.
  
 In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets.  This is achieved having a "buddy" process running on a server accessible on the Internet.  This "buddy" server echoes back the decrypted packets to the system running easside-ng.  This imposes a number of critical requirements for easside-ng to work: In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets.  This is achieved having a "buddy" process running on a server accessible on the Internet.  This "buddy" server echoes back the decrypted packets to the system running easside-ng.  This imposes a number of critical requirements for easside-ng to work:
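Review bot: the doubled word in "See the the links page" survives on the new side of the second paragraph, and the opening sentence of the last paragraph is ungrammatical ("In order to access the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets"); suggest "Access to the wireless network without knowing the WEP key is achieved by having the AP itself decrypt the packets" and, in the next sentence, "This is achieved by having a 'buddy' process running on a server". The first paragraph's "via an WEP-encrypted access point" should also read "via a WEP-encrypted access point".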
Line 40: Line 29:
   - Once the program has successfully authenticated then it associates with the AP.   - Once the program has successfully authenticated then it associates with the AP.
   - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets.  This is what is known as the fragmentation attack.  The PRGA is written to the prga.log file.   - After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets.  This is what is known as the fragmentation attack.  The PRGA is written to the prga.log file.
-  - It then decrypts the IP network by guessing the next three bytes of PRGA using multicast frames and the linear keystream expansion technique.  By decrypting the ARP request, the network number scheme can be determined.  This is used to build the ARP request which is used for subsequent injection.  Easside-ng can also use an IP packet to determine the IP network as well, it just takes a bit longer.+  - It then decrypts the IP network by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique.  By decrypting the ARP request, the network number scheme can be determined.  This is used to build the ARP request which is used for subsequent injection.  Easside-ng can also use an IP packet to determine the IP network as well, it just takes a bit longer.
   - It creates a permanent TCP connection with the "buddy" server and verifies connectivity.   - It creates a permanent TCP connection with the "buddy" server and verifies connectivity.
   - ARPs to get the MAC addresses for the router and source IP.  The defaults are .1 for the router and .123 for the client IP.   - ARPs to get the MAC addresses for the router and source IP.  The defaults are .1 for the router and .123 for the client IP.
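Review bot: the change from "three" to "four" bytes of PRGA in the third list item is not covered by the revision summary, which only mentions removing the availability warning; either note the reason in the summary or confirm the figure against the implementation. The new value is at least consistent with the step's purpose, since the bytes being recovered are an IP address in the ARP request and an IPv4 address is four bytes.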
Line 88: Line 77:
   *  The buddy server receives the decrypted packet from the AP by UDP.  It then resends the decrypted information back to easside-ng.   *  The buddy server receives the decrypted packet from the AP by UDP.  It then resends the decrypted information back to easside-ng.
   *  Easside-ng then sends the decrypted packet out the at0 (TAP) interface.   *  Easside-ng then sends the decrypted packet out the at0 (TAP) interface.
- 
  
 ==== Fragmentation Technique ==== ==== Fragmentation Technique ====
Line 98: Line 86:
 Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP).  If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet.  This cycle is repeated several times until 1504 bytes of PRGA are obtained. Basically, the program obtains a small amount of keying material from the packet then attempts to send packets with known content to the access point (AP).  If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet.  This cycle is repeated several times until 1504 bytes of PRGA are obtained.
  
-The original paper, [[http://darkircop.org/bittau-wep.pdf|The Fragmentation Attack in Practice]], by Andrea Bittau provides a much more detailed technical description of the technique.  A local copy is located [[http://wiki-files.aircrack-ng.org/doc/Fragmentation-Attack-in-Practice.pdf|here]].  Here are [[http://darkircop.org/frag.pdf|presentation slides]] of a related paper.  A local copy of the slides is located [[http://wiki-files.aircrack-ng.org/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]].  Also see the paper "The Final Nail in WEP's Coffin" on this page. +The original paper, [[http://darkircop.org/bittau-wep.pdf|The Fragmentation Attack in Practice]], by Andrea Bittau provides a much more detailed technical description of the technique.  A local copy is located [[http://download.aircrack-ng.org/wiki-files/doc/Fragmentation-Attack-in-Practice.pdf|here]].  A local copy of the presentation slides is located [[http://download.aircrack-ng.org/wiki-files/doc/Final-Nail-in-WEPs-Coffin.slides.pdf|here]].  Also see the paper "The Final Nail in WEP's Coffin" on this page.
- +
  
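Review bot: the new side drops the link to the presentation slides (the old side pointed at http://darkircop.org/frag.pdf) but keeps the sentence "A local copy of the presentation slides is located here", so "the presentation slides" no longer has anything to refer to. Either keep the original link alongside the mirror or name the slides in the sentence, e.g. "A local copy of the presentation slides for 'The Final Nail in WEP's Coffin' is located here", which matches the mirrored file name Final-Nail-in-WEPs-Coffin.slides.pdf.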
 ==== Linear Keystream Expansion Technique ==== ==== Linear Keystream Expansion Technique ====
Line 112: Line 98:
 The linear keystream expansion technique (Arbaugh inductive) is reverse  The linear keystream expansion technique (Arbaugh inductive) is reverse 
 [[korek_chopchop|chopchop]].  Chopchop decrypts packets from back to the front.  Linear decrypts packets from the front to the back.  Actually, chopchop is reverse Arbaugh. [[korek_chopchop|chopchop]].  Chopchop decrypts packets from back to the front.  Linear decrypts packets from the front to the back.  Actually, chopchop is reverse Arbaugh.
- 
  
 ==== Easside-ng compared to Wesside-ng ==== ==== Easside-ng compared to Wesside-ng ====
Line 130: Line 115:
 |Aircrack-ng PTW attack|No|Yes| |Aircrack-ng PTW attack|No|Yes|
 |Recovers WEP key|No|Yes| |Recovers WEP key|No|Yes|
- 
  
 ==== Why easside-ng when aircrack-ng has PTW? ==== ==== Why easside-ng when aircrack-ng has PTW? ====
Line 139: Line 123:
   * easside-ng is handy for a quick and stealthy attack.  It is significantly faster than PTW.  It's "instant" and requires no flooding.   * easside-ng is handy for a quick and stealthy attack.  It is significantly faster than PTW.  It's "instant" and requires no flooding.
  
- 
-==== Limitations ==== 
- 
-There are a few known limitations: 
-  * Only open authentication is support. Shared key authentication is not supported. 
-  * Only B and G networks are supported. 
  
 ===== Usage ===== ===== Usage =====
  
  
-Usage: easside-ng <arg[v0]+Usage: easside-ng <args>
  
 Where: Where:
Line 161: Line 139:
   * -f                Wireless interface name. (Mandatory)   * -f                Wireless interface name. (Mandatory)
   * -c               Locks the card to the specified channel (Optional)   * -c               Locks the card to the specified channel (Optional)
-  * [v0]            Current version number.  Informational only. 
  
  
Line 284: Line 261:
   * Log into the AP with your favourite browser.  99% of the time, the APs have default ids and passwords.  Many times there are no passwords set.  Once logged into the AP, you can go to the WEP settings page  and read off the WEP key from the configuration page.  In some cases, where there are asterisks (*) for the key, you may need to look at the HTML source or use a tool to reveal the password.   * Log into the AP with your favourite browser.  99% of the time, the APs have default ids and passwords.  Many times there are no passwords set.  Once logged into the AP, you can go to the WEP settings page  and read off the WEP key from the configuration page.  In some cases, where there are asterisks (*) for the key, you may need to look at the HTML source or use a tool to reveal the password.
   * Now you can configure your wireless card with the WEP key and access the network normally.    * Now you can configure your wireless card with the WEP key and access the network normally. 
 +
 +
 +==== Test Setup ====
 +
 +This section will discuss what works and what does not work with regards to testing easside-ng against your own wireless LAN.
 +
 +6969 is the standard port used by easside-ng and buddy-ng.  If you change it, then of course, use the revised port number in all references below.
 +
 +First, some simple assumptions about your wireless LAN:
 +
 +  * It has access to the Internet.
 +  * Outbound UDP port 6969 to the Internet is not blocked.  Some firewalls only allow communication on ports which have been explicitly allowed.
 +  * You have tested your ability to connect to the buddy-ng server.  See how to perform this test below.
 +
 +Assumptions about your buddy-ng server:
 +
 +  * It is running on Internet with a routeable IP address
 +  * It is accessable by both the system running easside-ng and the wireless LAN
 +  * Inbound and outbound UDP and TCP port 6969 is permitted.
 +
 +Assumptions about the system running easside-ng;
 +
 +  * It is running on Internet with a routeable IP address.
 +  * Outbound TCP port 6969 to the Internet is not blocked.  Some firewalls only allow communication on ports which have been explicitly allowed.
 +  * You have tested your ability to connect to the buddy-ng server.  See how to perform this test below.
 +  * It contains a wireless device supported by aircrack-ng and it is in monitor mode.
 +
 +The easiest way to test connectivity to the buddy-ng server is by using telnet.  Be sure to start your buddy server process prior to doing this test!  Otherwise it will fail for sure.
 +
 +Enter:
 +
 +   telnet <ip of buddy server> 6969
 +
 +The system should respond:
 +
 +   Trying <ip of buddy server>...
 +   Connected to <ip of buddy server>.
 +   Escape character is '^]'.
 +
 +The buddy server should look like this:
 +
 +   Waiting for connexion
 +   Got connection from <ip of the easside-ng system>
 +
 +When you terminate the telnet session, it should look like this:
 +
 +   That was it
 +   Waiting for connexion
 +
 +The above examples show a successful test.  If your test fails then use tcpdump or wireshark on the source and destination systems to sniff port 6969.  Determine the problem with these tools and others then correct the root problem.
 +
 +If you are running easside-ng and buddy-ng on the same system then the system must have a routeable Internet IP address.  You cannot be on a LAN behind a firewall which does network address translation (NAT).
 +
 +The ideal situation is to have the buddy-ng server running on a separate system someplace on the Internet.  Then have a second system with easside-ng running with a routeable IP address.
 +
 +
 +===== Tap interface under Windows =====
 +
 +To obtain a tap interface in a MS Windows environment, install OpenVPN.
  
  
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
  
-Make sure your card is in monitor mode.+  * Make sure your card is in monitor mode.
  
-Make sure your card can inject by testing it with the [[http://aircrack-ng.org/doku.php?id=injection_test|aireplay-ng injection test]].  Also specifically ensure you can communicate with the AP in question.+  * Make sure your card can inject by testing it with the [[injection_test|aireplay-ng injection test]].  Also specifically ensure you can communicate with the AP in question.
  
-Make sure your card supports the fragmentation attack.  Again, this can be confirmed with the aireplay-ng injection test.+  * Make sure your card supports the fragmentation attack.  Again, this can be confirmed with the aireplay-ng injection test.
  
-Make sure to delete prga.log if you are changing access points or if you want to restart cleanly.  In general, if you have problems, it is a good idea to delete it.+  * Make sure to delete **prga.log** if you are changing access points or if you want to restart cleanly.  In general, if you have problems, it is a good idea to delete it.
  
-There are a few known limitations: +  * There are a few known limitations: 
-  * Only open authentication is support.  Shared key authentication is not supported. +    * Only open authentication is support.  Shared key authentication is not supported. 
-  * Only B and G networks are supported.+    * Only B and G networks are supported.
  
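Review bot: a few wording slips in the added Test Setup section and the reworked troubleshooting list: "accessable" in the buddy-ng assumptions should be "accessible", the line "Assumptions about the system running easside-ng;" should end with a colon like the two lists above it, and "Only open authentication is support." (moved here from the removed Limitations section) should read "is supported". The telnet and buddy-ng transcript lines ("Waiting for connexion", "That was it") are quoted program output and should stay exactly as written.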
easside-ng.txt · Last modified: 2013/03/19 18:21 by jano