interactive_packet_replay

Differences

This shows you the differences between two versions of the page.

interactive_packet_replay [2007/03/16 21:43]
darkaudax more detailed description and extra examples
interactive_packet_replay [2010/11/21 09:05] (current)
sleek typos
Line 1: Line 1:
 ====== Interactive packet replay ====== ====== Interactive packet replay ======
- 
- 
 ===== Description ===== ===== Description =====
  
 This attack allows you to choose a specific packet for replaying (injecting). ​ The attack can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse. ​ A common use of reading ​ a file containing a packet your created with [[packetforge-ng]]. This attack allows you to choose a specific packet for replaying (injecting). ​ The attack can obtain packets to replay from two sources. ​ The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://​www.tcpdump.org),​ is recognized by most commercial and open-source traffic capture and analysis tools. ​ Reading from a file is an often overlooked feature of aireplay-ng. ​ This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse. ​ A common use of reading ​ a file containing a packet your created with [[packetforge-ng]].
  
-In order to use the interactive packet replay successfully,​ it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet. ​ Only certain packets can be replayed successfully. ​ Successfully means that it is accepted by the access point and causes a new inititialization vectory ​(IV) to be generated since that is the whole objective.+In order to use the interactive packet replay successfully,​ it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet. ​ Only certain packets can be replayed successfully. ​ Successfully means that it is accepted by the access point and causes a new initialization vector ​(IV) to be generated since that is the whole objective.
  
 To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail. To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail.
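Review bot: the typo pass in this hunk fixes "inititialization vectory" but leaves three others in the same paragraphs: "it it important" should read "it is important", "This allows you read packets" should read "This allows you to read packets", and "A common use of reading a file containing a packet your created" is a fragment; suggest "A common use is reading a file containing a packet you created with [[packetforge-ng]]."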
Line 14: Line 12:
 So the aireplay-ng filter options we require to select these packets are: So the aireplay-ng filter options we require to select these packets are:
  
-  * -b 00:​14:​6C:​7E:​40:​80 selects ​packes ​with the MAC of the access point we are interested in+  * -b 00:​14:​6C:​7E:​40:​80 selects ​packets ​with the MAC of the access point we are interested in
   * -d FF:​FF:​FF:​FF:​FF:​FF selects packets with a broadcast destination   * -d FF:​FF:​FF:​FF:​FF:​FF selects packets with a broadcast destination
   * -t 1 selects packets with the "To Distribution System"​ flag set on   * -t 1 selects packets with the "To Distribution System"​ flag set on
Line 22: Line 20:
 Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. ​ The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV.  As simple as it sounds, the only selection criteria you need is the "-t 1" to select packets going to the distribution system (ethernet): Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point. ​ The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV.  As simple as it sounds, the only selection criteria you need is the "-t 1" to select packets going to the distribution system (ethernet):
  
-  * -b 00:​14:​6C:​7E:​40:​80 selects ​packes ​with the MAC of the access point we are interested in+  * -b 00:​14:​6C:​7E:​40:​80 selects ​packets ​with the MAC of the access point we are interested in
   * -t 1 selects packets with the "To Distribution System"​ flag set on   * -t 1 selects packets with the "To Distribution System"​ flag set on
  
 We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected. ​ The following options will result in the packet looking like a "​natural"​ packet above. ​ Here are the options required: We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected. ​ The following options will result in the packet looking like a "​natural"​ packet above. ​ Here are the options required:
  
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point.  IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
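Review bot: the gloss added to the -p 0841 bullet, "IE Set the "To DS" field to 1.", should be "i.e." and is pasted verbatim into four later bullets; state it once here and keep the later bullets to the short form. The gloss also describes only one bit of a two-byte Frame Control value that the page otherwise gives without explanation, so a sentence saying what the other set bits in 0841 are would make the value less of a magic number for readers who want to adapt it.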
  
Line 49: Line 47:
 ==== Natural Packet Replay ==== ==== Natural Packet Replay ====
  
-For this example, you do not need do a fake authenticaion ​first, since the source MAC address is already associated with the access point. ​ The source MAC address is from the existing wireless client.+For this example, you do not need do a fake authentication ​first, since the source MAC address is already associated with the access point. ​ The source MAC address is from the existing wireless client.
  
 Putting it all together: Putting it all together:
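Review bot: "you do not need do a fake authentication first" still has a missing word after the "authenticaion" fix; suggest "you do not need to do a fake authentication first".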
Line 58: Line 56:
  
   * -2 means interactive replay   * -2 means interactive replay
-  * -b 00:​14:​6C:​7E:​40:​80 selects ​packes ​with the MAC of the access point we are interested in+  * -b 00:​14:​6C:​7E:​40:​80 selects ​packets ​with the MAC of the access point we are interested in
   * -d FF:​FF:​FF:​FF:​FF:​FF selects packets with a broadcast destination   * -d FF:​FF:​FF:​FF:​FF:​FF selects packets with a broadcast destination
   * -t 1 selects packets with the "To Distribution System"​ flag set on   * -t 1 selects packets with the "To Distribution System"​ flag set on
Line 100: Line 98:
  
   * -2 means interactive replay   * -2 means interactive replay
-  * -b 00:​14:​6C:​7E:​40:​80 selects ​packes ​with the MAC of the access point we are interested in+  * -b 00:​14:​6C:​7E:​40:​80 selects ​packets ​with the MAC of the access point we are interested in.
   * -t 1 selects packets with the "To Distribution System"​ flag set on   * -t 1 selects packets with the "To Distribution System"​ flag set on
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * ath0 is the wireless interface   * ath0 is the wireless interface
  
Line 144: Line 142:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:​FF:​FF:​FF:​FF:​FF sets the destination MAC address to be a broadcast. ​ This is required to cause the AP to replay the packet and thus getting the new IV.
   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.
Line 188: Line 186:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -m 68 is the minimum packet length   * -m 68 is the minimum packet length
   *  -n 86 is the maximum packet length ​   *  -n 86 is the maximum packet length ​
Line 231: Line 229:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -c FF:​FF:​FF:​FF:​FF:​FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.   * -c FF:​FF:​FF:​FF:​FF:​FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.
   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.   * -b 00:​14:​6C:​7E:​40:​80 is the MAC address of the access point (BSSID). ​ This is a filter to select a single AP.
Line 264: Line 262:
  
 ===== Usage Tips ===== ===== Usage Tips =====
 +
 +
 +
 +
 +==== Additional Interactive Application ====
  
 There are some interesting applications of the first example above. ​   It can be used to attack networks without any connected wireless clients. ​ Start the aireplay-ng attack per the example. ​ Now sit back and wait for any packet to be broadcast. ​ It does not matter what type.  Just say "​y"​ and bingo you are generating IVs.  The tradeoff is speed, big packets yield lower IVs per second. ​ The major advantages is it saves the steps of obtaining the xor stream (chopchop or fragmentation attacks), building a packet and launching relay attack. There are some interesting applications of the first example above. ​   It can be used to attack networks without any connected wireless clients. ​ Start the aireplay-ng attack per the example. ​ Now sit back and wait for any packet to be broadcast. ​ It does not matter what type.  Just say "​y"​ and bingo you are generating IVs.  The tradeoff is speed, big packets yield lower IVs per second. ​ The major advantages is it saves the steps of obtaining the xor stream (chopchop or fragmentation attacks), building a packet and launching relay attack.
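Review bot: the new "==== Additional Interactive Application ====" heading is preceded by four added blank lines; one is enough under the page's own spacing. In the paragraph below it, "The major advantages is" should be "The major advantage is" and "launching relay attack" should be "launching the replay attack". The paragraph also tells the reader to start the first example against a network "without any connected wireless clients" and "Just say 'y'", while the association requirement for the source MAC only appears two paragraphs later under IMPORTANT; a pointer to it here would stop readers running the first example unchanged against an AP with no clients and getting no IVs.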
Line 269: Line 272:
 This would also work on APs with clients. ​ It would be faster since you don't have to wait for an ARP, any packet will do. This would also work on APs with clients. ​ It would be faster since you don't have to wait for an ARP, any packet will do.
  
-IMPORTANT: ​ The MAC address you use must be associated with the AP either ​via fake authentication ​or an existing wireless client.+IMPORTANT: ​ The source ​MAC address you use must first be associated with the AP via fake authentication. 
 + 
 +==== Injecting Management Frames ==== 
 + 
 +You can also inject management and control frames on a per frame basis with aireplay-ng. ​ You just need to specify a matching filter since the default one just allows wep data packets.  
 + 
 +Examples: 
 +  * Setting -v 8 -u 0 -w 0 allows you to send beacons frames. 
 +  * Setting -v 12 -u 1 -w 0 -m 10 -n 2000 sets a filter for control frames (in this case clear-to-send frames). 
  
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
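Review bot: the rewritten IMPORTANT line now says the source MAC "must first be associated with the AP via fake authentication", dropping the previous revision's "or an existing wireless client" alternative, but the line just above it says the technique "would also work on APs with clients", and the Natural Packet Replay section earlier says no fake authentication is needed when the source MAC is that of an existing client. Suggest keeping both routes: "The source MAC address you use must be associated with the AP, either via fake authentication or by being the MAC of an existing wireless client." In the new "Injecting Management Frames" section, "beacons frames" should be "beacon frames" and "wep data packets" should be "WEP data packets"; the two examples would also be easier to follow if the bullets said what -u, -v and -w filter on (Frame Control type, subtype and WEP bit respectively), since the section introduces these options without defining them and the reader has to infer from "-u 1 ... control frames" that -u is the type field.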
Line 277: Line 289:
 Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]].
  
-One situation that may affect interactive replay: Exception of wireless client separation option - http://​tinyshell.be/​aircrackng/​forum/​index.php?​topic=194+One situation that may affect interactive replay: Exception of wireless client separation option - http://​forum.aircrack-ng.org/​index.php?​topic=194
  
 Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]]. Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#​usage_troubleshooting|aireplay-ng usage troubleshooting]].
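Review bot: the forum URL update is fine, but the sentence it sits in, "Exception of wireless client separation option", does not parse; suggest "One situation that may affect interactive replay: the access point's wireless client separation option, see http://forum.aircrack-ng.org/index.php?topic=194".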
  
interactive_packet_replay.1174077781.txt.gz · Last modified: 2007/03/16 21:43 by darkaudax