interactive_packet_replay

interactive_packet_replay [2008/12/02 21:18]
darkaudax packes
interactive_packet_replay [2010/11/21 09:05]
sleek typos
Line 1: Line 1:
 ====== Interactive packet replay ====== ====== Interactive packet replay ======
- 
- 
 ===== Description ===== ===== Description =====
  
 This attack allows you to choose a specific packet for replaying (injecting). ​ The attack can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse. ​ A common use of reading ​ a file containing a packet your created with [[packetforge-ng]]. This attack allows you to choose a specific packet for replaying (injecting). ​ The attack can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse. ​ A common use of reading ​ a file containing a packet your created with [[packetforge-ng]].
  
-In order to use the interactive packet replay successfully,​ it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet. ​ Only certain packets can be replayed successfully. ​ Successfully means that it is accepted by the access point and causes a new inititialization vectory ​(IV) to be generated since that is the whole objective.+In order to use the interactive packet replay successfully,​ it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet. ​ Only certain packets can be replayed successfully. ​ Successfully means that it is accepted by the access point and causes a new initialization vector ​(IV) to be generated since that is the whole objective.
  
 To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail. To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail.
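Review bot: the "initialization vector (IV)" typo fix in this hunk leaves three grammar slips on the same lines untouched on both sides: "it it important" should read "it is important", "This allows you read packets" should read "This allows you to read packets", and "a packet your created" should read "a packet you created". The sentence "A common use of reading a file containing a packet ..." is also missing its verb; suggest "A common use is reading a file containing a packet you created with [[packetforge-ng]]".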
Line 27: Line 25:
 We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected. ​ The following options will result in the packet looking like a "​natural"​ packet above. ​ Here are the options required: We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected. ​ The following options will result in the packet looking like a "​natural"​ packet above. ​ Here are the options required:
  
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point. IE Set "To DS" field to 1.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point. ​ IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
  
Line 49: Line 47:
 ==== Natural Packet Replay ==== ==== Natural Packet Replay ====
  
-For this example, you do not need do a fake authenticaion ​first, since the source MAC address is already associated with the access point. ​ The source MAC address is from the existing wireless client.+For this example, you do not need do a fake authentication ​first, since the source MAC address is already associated with the access point. ​ The source MAC address is from the existing wireless client.
  
 Putting it all together: Putting it all together:
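Review bot: the spelling fix to "fake authentication" is right, but "you do not need do a fake authentication first" still drops the infinitive on both sides; suggest "you do not need to do a fake authentication first".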
Line 100: Line 98:
  
   * -2 means interactive replay   * -2 means interactive replay
-  * -b 00:​14:​6C:​7E:​40:​80 selects packets with the MAC of the access point we are interested in+  * -b 00:​14:​6C:​7E:​40:​80 selects packets with the MAC of the access point we are interested in.
   * -t 1 selects packets with the "To Distribution System"​ flag set on   * -t 1 selects packets with the "To Distribution System"​ flag set on
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set "To DS" field to 1.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set the "To DS" field to 1.
   * ath0 is the wireless interface   * ath0 is the wireless interface
  
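Review bot: adding a trailing period only to the "-b 00:14:6C:7E:40:80" bullet makes this option list inconsistent; the neighbouring bullets ("-2 means interactive replay", "-t 1 selects packets ...", "ath0 is the wireless interface") end without one. Either punctuate every bullet in the list or drop the added period. While here, "IE Set the "To DS" field to 1" would read better as "i.e. set the "To DS" field to 1".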
Line 144: Line 142:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. IE Set "To DS" field to 1.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.
Line 188: Line 186:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set "To DS" field to 1.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set the "To DS" field to 1.
   * -m 68 is the minimum packet length   * -m 68 is the minimum packet length
   *  -n 86 is the maximum packet length ​   *  -n 86 is the maximum packet length ​
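Review bot: the "-n 86 is the maximum packet length" bullet carries an extra space after the bullet marker and a trailing space, unlike the "-m 68 is the minimum packet length" line directly above it; align its spacing with the other bullets while this list is being edited.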
Line 231: Line 229:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set "To DS" field to 1.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.   * -c FF:​FF:​FF:​FF:​FF:​FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.
   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.
Line 291: Line 289:
 Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]].
  
-One situation that may affect interactive replay: Exception of wireless client separation option - http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=194+One situation that may affect interactive replay: Exception of wireless client separation option - http://​forum.aircrack-ng.org/​index.php?​topic=194
  
 Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]]. Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]].
  
interactive_packet_replay.txt · Last modified: 2010/11/21 09:05 by sleek