hirte
Differences
This shows you the differences between two versions of the page.
hirte [2009/09/26 21:07] – created darkaudax | hirte [2009/10/11 16:29] (current) – Initial documentation darkaudax | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | Coming soon! | + | ====== Hirte attack ====== |
- | ==== aireplay-ng -7 (Hirte attack) | + | ===== Description ===== |
- | Example: aireplay-ng -7 -h 00: | + | The Hirte attack is a client attack which can use any IP or ARP packet. |
+ | The following describes the attack in detail. | ||
+ | |||
+ | The basic idea is to generate an ARP request to be sent back to the client such that the client responds. | ||
+ | |||
+ | The attack needs either an ARP or IP packet from the client. | ||
+ | |||
+ | The source IP is in the packet received from the client is in a known position - position 23 for ARP or 21 for IP. ARP is assumed if the packet is 68 or 86 bytes in length plus a broadcast destination MAC address. | ||
+ | |||
+ | In order to send a valid ARP request back to the client, we need to move the source IP to position 33. Of course you can't simply move bytes around, that would invalidate the packet. | ||
+ | |||
+ | In the case of an IP packet, a similar technique is used. However due to the more limited amount of PRGA available, there are three fragments plus the original packet used. | ||
+ | |||
+ | In all cases, bit flipping is used to ensure the CRC is correct. | ||
+ | |||
+ | |||
+ | ===== Usage ===== | ||
+ | |||
+ | aireplay-ng -7 -h 00: | ||
+ | |||
+ | Where: | ||
+ | *-7 means Hirte attack | ||
+ | *-h 00: | ||
+ | *-D disables AP detection. | ||
+ | *rausb0 is the wireless interface name | ||
+ | |||
+ | |||
+ | ===== Usage Examples ===== | ||
+ | |||
+ | None at this time. | ||
+ | |||
+ | |||
+ | ===== Usage Tips ===== | ||
+ | |||
+ | None at this time. | ||
+ | |||
+ | |||
+ | ===== Usage Troubleshooting ===== | ||
+ | |||
+ | None at this time. |
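Review bot: the `-h 00:` bullet under Usage is left incomplete (no option description follows the truncated address, and the same truncation appears in the command line above it), and the Description sentence "The source IP is in the packet received from the client is in a known position" has a doubled "is in"; suggest finishing the `-h` bullet with what the option sets (the source MAC to use) and rewording the sentence to "The source IP in the packet received from the client is at a known position - position 23 for ARP or 21 for IP." Two smaller points: the Description never names the protocol it targets, yet the PRGA and CRC bit-flipping it relies on are WEP mechanisms, so stating "WEP" up front would tell readers which networks are and are not affected; and the `-D` bullet says it "disables AP detection" without saying what the default behaviour is or why one would turn it off, which is worth a clause. The three "None at this time." sections are fine as placeholders, but the page would read better with the ARP length heuristic (68 or 86 bytes plus a broadcast destination MAC) placed in the Usage Tips section as the thing to check when the attack does not trigger.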
hirte.txt · Last modified: 2009/10/11 16:29 by darkaudax