fake_authentication

fake_authentication [2008/11/09 15:59]
darkaudax Added troubleshooting tip for Denied code 12
fake_authentication [2010/11/21 13:18] (current)
sleek typos
Line 4: Line 4:
 ===== Description ===== ===== Description =====
  
-The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP).  This is useful ​is only useful when you need an associated MAC address in various [[aireplay-ng]] attacks and there is currently no associated client. ​ It should be noted that the fake authentication attack does NOT generate any ARP packets. ​ Fake authentication cannot be used to authenticate/​associate with WPA/WPA2 Access Points.+The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP).  This is only useful when you need an associated MAC address in various [[aireplay-ng]] attacks and there is currently no associated client. ​ It should be noted that the fake authentication attack does NOT generate any ARP packets. ​ Fake authentication cannot be used to authenticate/​associate with WPA/WPA2 Access Points.
  
 ===== Usage ===== ===== Usage =====
Line 15: Line 15:
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address
-  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC addresss+  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC address
   *-y sharedkeyxor is the name of file containing the PRGA xor bits.  This is only used for shared key authentication. ​ Open system authentication,​ which is typical, does not require this.   *-y sharedkeyxor is the name of file containing the PRGA xor bits.  This is only used for shared key authentication. ​ Open system authentication,​ which is typical, does not require this.
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
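Review bot: the unchanged -y line in this hunk still reads "the name of file containing the PRGA xor bits"; it should be "the name of the file containing", and the same phrase recurs in the shared-key option list further down (the -y sharedkey-04-00-14-6C-7E-40-80.xor bullet), so both occurrences should be fixed while this list is being edited.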
Line 43: Line 43:
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address
-  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC addresss+  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC address
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
  
Line 70: Line 70:
   # and so on.   # and so on.
  
-Here is an example of a shared key authentication. ​ It does assume you have a PRGA xor file.  See the [[http://​aircrack-ng.org/​doku.php?​id=shared_key|How to do shared key fake authentication]] tutorial for more details.+Here is an example of a shared key authentication. ​ It does assume you have a PRGA xor file.  See the [[shared_key|How to do shared key fake authentication]] tutorial for more details.
  
    ​aireplay-ng -1 0  -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00:​14:​6C:​7E:​40:​80 -h 00:​09:​5B:​EC:​EE:​F2 ath0    ​aireplay-ng -1 0  -e teddy -y sharedkey-04-00-14-6C-7E-40-80.xor -a 00:​14:​6C:​7E:​40:​80 -h 00:​09:​5B:​EC:​EE:​F2 ath0
Line 76: Line 76:
 Where: Where:
   * -1 means fake authentication   * -1 means fake authentication
-  * 0 means only athenticate ​once+  * 0 means only authenticate ​once
   * -e teddy is the SSID of the network   * -e teddy is the SSID of the network
   * -y sharedkey-04-00-14-6C-7E-40-80.xor is the name of file containing the PRGA xor bits   * -y sharedkey-04-00-14-6C-7E-40-80.xor is the name of file containing the PRGA xor bits
Line 99: Line 99:
 It is good practice to set your card's MAC address to the one you specify via the "​-h"​ parameter if they are different. Having them the same, ensures that wireless "​ACK"​s are sent by your card. This means subsequent attacks work smoothly. ​ It is good practice to set your card's MAC address to the one you specify via the "​-h"​ parameter if they are different. Having them the same, ensures that wireless "​ACK"​s are sent by your card. This means subsequent attacks work smoothly. ​
  
-Detailed instructions on changing the card MAC address can be found in the FAQ: [[http://​aircrack-ng.org/​doku.php?​id=faq#​how_do_i_change_my_card_s_mac_address|How do I change my card's MAC address ?]].+Detailed instructions on changing the card MAC address can be found in the FAQ: [[faq#​how_do_i_change_my_card_s_mac_address|How do I change my card's MAC address ?]].
  
 Troubleshooting Tip: A normal MAC address looks like this: 00:​09:​5B:​EC:​EE:​F2. ​ It is composed of six octets. ​ The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI). ​ Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point. ​ The current list of OUIs may be found [[http://​standards.ieee.org/​regauth/​oui/​oui.txt|here]]. Troubleshooting Tip: A normal MAC address looks like this: 00:​09:​5B:​EC:​EE:​F2. ​ It is composed of six octets. ​ The first half (00:09:5B) of each MAC address is known as the Organizationally Unique Identifier (OUI). ​ Simply put, it is the card manufacturer. The second half (EC:EE:F2) is known as the extension identifier and is unique to each network card within the specific OUI. Many access points will ignore MAC addresses with invalid OUIs. So make sure you use a valid OUI code code when you make up MAC addresses. Otherwise, your packets may be ignored by the Access Point. ​ The current list of OUIs may be found [[http://​standards.ieee.org/​regauth/​oui/​oui.txt|here]].
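Review bot: two leftover slips sit in the unchanged context around this link change. "Having them the same, ensures that wireless ACKs are sent" has a stray comma after "same", and the troubleshooting tip says "a valid OUI code code"; drop the comma and the duplicated word.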
Line 124: Line 124:
 ==== Examples of successful authentications ==== ==== Examples of successful authentications ====
  
-When toubleshooting ​failed fake authentications,​ it can be helpful to do a packet capture and compare it to successful ones.  As well, simply reviewing this packet captures with WireShark can be very educational.+When troubleshooting ​failed fake authentications,​ it can be helpful to do a packet capture and compare it to successful ones.  As well, simply reviewing this packet captures with WireShark can be very educational.
  
 Here are packet captures of the two types of authentication - open and shared key: Here are packet captures of the two types of authentication - open and shared key:
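Review bot: the corrected line still ends with "simply reviewing this packet captures with WireShark", a singular/plural mismatch; it should read "these packet captures", and the tool's name is spelled "Wireshark".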
Line 178: Line 178:
    ​Please specify a PRGA-file (-y).    ​Please specify a PRGA-file (-y).
  
-See the [[http://​aircrack-ng.org/​doku.php?​id=shared_key|How to do shared key fake authentication]] tutorial.+See the [[shared_key|How to do shared key fake authentication]] tutorial.
  
  
Line 193: Line 193:
   * The wireless card is set to a channel which is different then the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.   * The wireless card is set to a channel which is different then the AP.  Solution: Use iwconfig and confirm the card is set to the same channel as the AP.
   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.   * The card is scanning channels. ​ Solution: Start airodump-ng with the "​-c"​ or "​--channel"​ parameter and set it to the same channel as the AP.
-  * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[http://​aircrack-ng.org/​doku.php?​id=faq#​how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]].+  * The ESSID is wrong. ​ Solution: Enter the correct value. ​ If if contains spaces or special characters then enclose it in quotes. ​ For the complete details, see this [[faq#​how_to_use_spaces_double_quote_and_single_quote_in_ap_names|FAQ entry]].
   * The BSSID is wrong. ​ Solution: Enter the correct value.   * The BSSID is wrong. ​ Solution: Enter the correct value.
   * You are too far away from the AP and are not receiving any beacons. ​ Solution: ​ You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.   * You are too far away from the AP and are not receiving any beacons. ​ Solution: ​ You can use tcpdump and/or airodump-ng to confirm you are in fact receiving beacons for the AP.  If not, move closer.
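Review bot: the link fix leaves two typos in the same list: "If if contains spaces or special characters" should be "If it contains spaces or special characters", and the first bullet's "a channel which is different then the AP" should be "different from the AP".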
Line 205: Line 205:
 Airodump-ng does not show the ESSID! ​ How do I do fake authentication since this is a required parameter? Airodump-ng does not show the ESSID! ​ How do I do fake authentication since this is a required parameter?
  
-Answer: ​ You need to patient. ​ When a client associates with the AP, then airodump-ng will obtain and display the ESSID. ​ If you are impatient then [[http://​aircrack-ng.org/​doku.php?​id=deauthentication|deathenticate ​a client]] to get the  ESSID immediately.+Answer: ​ You need to patient. ​ When a client associates with the AP, then airodump-ng will obtain and display the ESSID. ​ If you are impatient then [[deauthentication|deauthenticate ​a client]] to get the  ESSID immediately.
  
  
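Review bot: the "deauthenticate" spelling fix leaves "You need to patient" in the same answer; it should be "You need to be patient", and there is a double space in "the  ESSID immediately".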
Line 234: Line 234:
  
 ==== Error message "code (XX)" ==== ==== Error message "code (XX)" ====
-You receive an error messages referencing a code number. ​ This [[http://www.gthill.com/​managementframes.pdf|Management Frames description]] is an excellent description of the various error codes you may receive. ​ Just look for the number relating to the authentication or association phase when you received the error.+You receive an error messages referencing a code number. ​ This [[http://download.aircrack-ng.org/​wiki-files/​other/​managementframes.pdf|Management Frames description]] is an excellent description of the various error codes you may receive. ​ Just look for the number relating to the authentication or association phase when you received the error.
  
  
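Review bot: "You receive an error messages referencing a code number" has a singular/plural mismatch that the link change does not touch; change it to "an error message referencing a code number".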
fake_authentication.1226242773.txt.gz · Last modified: 2008/11/09 15:59 by darkaudax