User Tools

Site Tools


tkiptun-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
tkiptun-ng [2009/03/05 23:06]
darkaudax Added complete example of working output
tkiptun-ng [2009/09/26 20:41]
darkaudax Fiex typos
Line 3: Line 3:
 ===== Description ===== ===== Description =====
  
-NOTE: This documention ​is still under development. ​ Please check back on a regular basis to obtain the latest updates. ​ If you have any feedback on the documentation,​ please post your comments to the [[http://​forum.tinyshell.be|Forum]].+NOTE: This documentation ​is still under development. ​ Please check back on a regular basis to obtain the latest updates. ​ If you have any feedback on the documentation,​ please post your comments to the [[http://​forum.aircrack-ng.org|Forum]].
  
-NOTE: The tkiptun-ng SVN version is not fully working.  ​working ​version will be released shortly.+**IMPORTANT ​NOTE:** The tkiptun-ng SVN version is not fully working.  ​The final attack phase is not yet implemented. ​ The other portions are working ​with the ieee80211 drivers for RT73 and RTL8187L chipsets. ​ The madwifi-ng driver is definitely broken and is known to completely fail.  tkiptun-ng may work with other drivers but has not been tested so your mileage may vary.
  
 Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://​pacsec.jp/​|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://​pacsec.jp/​|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA".
  
-Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. ​ This attack is described in the paper, [[http://​dl.aircrack-ng.org/​breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://​arstechnica.com/​articles/paedia/​wpa-cracked.ars/​|Battered,​ but not broken: understanding the WPA crack]] by Glenn Fleishman.+Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. ​ This attack is described in the paper, [[http://​dl.aircrack-ng.org/​breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://​arstechnica.com/​security/news/​2008/​11/​wpa-cracked.ars/​|Battered,​ but not broken: understanding the WPA crack]] by Glenn Fleishman.
  
 Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). ​ This is done via [[chopchoptheory|chopchop]]-type method. ​ Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated. Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). ​ This is done via [[chopchoptheory|chopchop]]-type method. ​ Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.
Line 15: Line 15:
 At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication. ​ Subsequently,​ using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools. At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication. ​ Subsequently,​ using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools.
  
-Please remember this is an extremely advanced attack. ​ You require ​advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills. ​ Novices will NOT BE SUPPORTED.+[[http://​download.aircrack-ng.org/​wiki-files/​doc/​tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009 provides an excellent detailed description of how tkiptun-ng works. ​ As well, their paper includes detailed descriptions of many other attacks against WEP/​WPA/​WPA2. 
 + 
 +Please remember this is an extremely advanced attack. ​ You must possess ​advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills. ​ Novices will NOT BE SUPPORTED.
  
  
Line 29: Line 31:
 ===== Specific Requirements ===== ===== Specific Requirements =====
  
-The network card MAC address ​that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.+The network card MAC address used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.
  
  
tkiptun-ng.txt · Last modified: 2009/09/27 16:01 by darkaudax