Both sides previous revisionPrevious revisionNext revision | Previous revision |
airbase-ng [2010/04/18 20:57] – Cosmetic fix for airodump-ng screen (wpa) mister_x | airbase-ng [2018/03/11 18:54] (current) – Updated link to issue mister_x |
---|
==== -q Quiet Flag ==== | ==== -q Quiet Flag ==== |
| |
This surpresses printing any statistics or status information. | This suppresses printing any statistics or status information. |
| |
==== -v Verbose Flag ==== | ==== -v Verbose Flag ==== |
==== -s Force Shared Key Authentication ==== | ==== -s Force Shared Key Authentication ==== |
| |
When specfiied, this forces shared key authentication for all clients. | When specified, this forces shared key authentication for all clients. |
| |
The soft AP will send an "authentication method unsupported" rejection to any open system | The soft AP will send an "authentication method unsupported" rejection to any open system |
==== -L Caffe Latte Attack ==== | ==== -L Caffe Latte Attack ==== |
| |
Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6". It can be used with "-L" or "--caffe-latte". This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explaination of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is. It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from. The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X. | Airbase-ng also contains the new caffe-latte attack, which is also implemented in aireplay-ng as attack "-6". It can be used with "-L" or "--caffe-latte". This attack specifically works against clients, as it waits for a broadcast arp request, which happens to be a gratuitous arp. See [[http://wiki.wireshark.org/Gratuitous_ARP|this]] for an explanation of what a [[http://wiki.wireshark.org/Gratuitous_ARP|gratuitous arp]] is. It then flips a few bits in the sender MAC and IP, corrects the ICV (crc32) value and sends it back to the client, where it came from. The point why this attack works in practice is, that at least windows sends gratuitous arps after a connection on layer 2 is established and a static ip is set, or dhcp fails and windows assigned an IP out of 169.254.X.X. |
| |
"-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests. Airodump-ng is needed to capture the replys. | "-x <pps>" sets the number of packets per second to send when performing the caffe-latte attack. At the moment, this attack doesn't stop, it continuously sends arp requests. Airodump-ng is needed to capture the replys. |
==== Caffe Latte Attack in Access Point mode ==== | ==== Caffe Latte Attack in Access Point mode ==== |
| |
This attack obtains the WEP key from a client. It depends on receiving at least one gratutitous ARP request from the client after it has associated with the fake AP. | This attack obtains the WEP key from a client. It depends on receiving at least one gratuitous ARP request from the client after it has associated with the fake AP. |
| |
Enter: | Enter: |
==== Broken SKA error message ==== | ==== Broken SKA error message ==== |
| |
You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail. This message indicates the number of bytes actually received was different that the number requested. Either don't use the option or try different values of "-S" to see which one elminates the error. | You receive "Broken SKA: <MAC address> (expected: ??, got ?? bytes)" or similar. When using the "-S" option with values different then 128, some clients fail. This message indicates the number of bytes actually received was different that the number requested. Either don't use the option or try different values of "-S" to see which one eliminates the error. |
| |
==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== | ==== "write failed: Message too long" / "wi_write(): Illegal seek" error messages ==== |
| |
See this [[http://trac.aircrack-ng.org/ticket/469|trac ticket]] for a workaround. The trac ticket explains the root cause and how to adjust the MTU to avoid the problem. | See this [[https://github.com/aircrack-ng/aircrack-ng/issues/469|GitHub issue]] for a workaround. The issue explains the root cause and how to adjust the MTU to avoid the problem. |
| |
==== Error creating tap interface: Permission denied ==== | ==== Error creating tap interface: Permission denied ==== |