interactive_packet_replay
interactive_packet_replay [2007/11/27 20:54] darkaudaxinteractive_packet_replay [2010/11/21 09:05] (current) – typos sleek
Line 1: Line 1:
 ====== Interactive packet replay ====== ====== Interactive packet replay ======
- 
- 
 ===== Description ===== ===== Description =====
  
 This attack allows you to choose a specific packet for replaying (injecting).  The attack can obtain packets to replay from two sources.  The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source traffic capture and analysis tools.  Reading from a file is an often overlooked feature of aireplay-ng.  This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse.  A common use of reading  a file containing a packet your created with [[packetforge-ng]]. This attack allows you to choose a specific packet for replaying (injecting).  The attack can obtain packets to replay from two sources.  The first being a live flow of packets from your wireless card.  The second being from a pcap file.  Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source traffic capture and analysis tools.  Reading from a file is an often overlooked feature of aireplay-ng.  This allows you read packets from other capture sessions or quite often, various attacks generate pcap files for easy reuse.  A common use of reading  a file containing a packet your created with [[packetforge-ng]].
  
-In order to use the interactive packet replay successfully, it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet.  Only certain packets can be replayed successfully.  Successfully means that it is accepted by the access point and causes a new inititialization vectory (IV) to be generated since that is the whole objective.+In order to use the interactive packet replay successfully, it it important to understand a bit more about the wireless packet flow.  You cannot simply capture and replay any packet.  Only certain packets can be replayed successfully.  Successfully means that it is accepted by the access point and causes a new initialization vector (IV) to be generated since that is the whole objective.
  
 To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail. To do this, we either have to select a packet which naturally will be successful or manipulate a captured packet into a natural one.  We will now explore these two concepts in more detail.
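Review bot: this typo-fixing revision leaves several errors in the first Description paragraph untouched: "This allows you read packets" needs "to" ("allows you to read packets"), "a packet your created" should be "a packet you created", and the closing sentence "A common use of reading a file containing a packet your created with [[packetforge-ng]]." has no main verb (suggest "A common use is reading a file containing a packet you created with [[packetforge-ng]]."). In the next paragraph of the same hunk, "it it important" should be "it is important".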
Line 14: Line 12:
 So the aireplay-ng filter options we require to select these packets are: So the aireplay-ng filter options we require to select these packets are:
  
-  * -b 00:14:6C:7E:40:80 selects packes with the MAC of the access point we are interested in+  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
   * -d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination   * -d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination
   * -t 1 selects packets with the "To Distribution System" flag set on   * -t 1 selects packets with the "To Distribution System" flag set on
Line 22: Line 20:
 Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point.  The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV.  As simple as it sounds, the only selection criteria you need is the "-t 1" to select packets going to the distribution system (ethernet): Next, we will look at packets which need to be manipulated in order to be successfully replayed by the access point.  The objective, as always, is to have the access point rebroadcast the packet you inject and generate a new IV.  As simple as it sounds, the only selection criteria you need is the "-t 1" to select packets going to the distribution system (ethernet):
  
-  * -b 00:14:6C:7E:40:80 selects packes with the MAC of the access point we are interested in+  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
   * -t 1 selects packets with the "To Distribution System" flag set on   * -t 1 selects packets with the "To Distribution System" flag set on
  
 We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected.  The following options will result in the packet looking like a "natural" packet above.  Here are the options required: We don't care what the destination MAC address is.  This because in this case we will modify the packet being injected.  The following options will result in the packet looking like a "natural" packet above.  Here are the options required:
  
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client to the access point.  IE Set the "To DS" field to 1.
   * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast.  This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast.  This is required to cause the AP to replay the packet and thus getting the new IV.
  
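Review bot: in the -p 0841 bullet, the appended "IE Set the "To DS" field to 1." should read "i.e. set the "To DS" field to 1" (a capitalised "IE" reads as a different abbreviation and the bullet's sentence is not otherwise capitalised mid-line); the same appended sentence recurs on each later -p 0841 bullet in this diff, so apply the fix to all of them. In the -c bullet, "and thus getting the new IV" would read better as "and thus generate a new IV".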
Line 49: Line 47:
 ==== Natural Packet Replay ==== ==== Natural Packet Replay ====
  
-For this example, you do not need do a fake authenticaion first, since the source MAC address is already associated with the access point.  The source MAC address is from the existing wireless client.+For this example, you do not need do a fake authentication first, since the source MAC address is already associated with the access point.  The source MAC address is from the existing wireless client.
  
 Putting it all together: Putting it all together:
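Review bot: "you do not need do a fake authentication first" still lacks a "to"; suggest "you do not need to do a fake authentication first". Since the revision is correcting this sentence anyway (authenticaion -> authentication), both fixes belong in the same change.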
Line 58: Line 56:
  
   * -2 means interactive replay   * -2 means interactive replay
-  * -b 00:14:6C:7E:40:80 selects packes with the MAC of the access point we are interested in+  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in
   * -d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination   * -d FF:FF:FF:FF:FF:FF selects packets with a broadcast destination
   * -t 1 selects packets with the "To Distribution System" flag set on   * -t 1 selects packets with the "To Distribution System" flag set on
Line 100: Line 98:
  
   * -2 means interactive replay   * -2 means interactive replay
-  * -b 00:14:6C:7E:40:80 selects packes with the MAC of the access point we are interested in+  * -b 00:14:6C:7E:40:80 selects packets with the MAC of the access point we are interested in.
   * -t 1 selects packets with the "To Distribution System" flag set on   * -t 1 selects packets with the "To Distribution System" flag set on
   * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast.  This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast.  This is required to cause the AP to replay the packet and thus getting the new IV.
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * ath0 is the wireless interface   * ath0 is the wireless interface
  
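Review bot: the -b bullet in this hunk now ends with a trailing period while none of the other bullets in the list (and none of the otherwise identical -b bullets in the earlier hunks) do; drop the period so the list stays consistent with the rest of the page.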
Line 144: Line 142:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast.  This is required to cause the AP to replay the packet and thus getting the new IV.   * -c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast.  This is required to cause the AP to replay the packet and thus getting the new IV.
   * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID).  This is a filter to select a single AP.   * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID).  This is a filter to select a single AP.
Line 188: Line 186:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -m 68 is the minimum packet length   * -m 68 is the minimum packet length
   *  -n 86 is the maximum packet length    *  -n 86 is the maximum packet length 
Line 231: Line 229:
  
   * -2 means the interactive replay attack   * -2 means the interactive replay attack
-  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.+  * -p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.  IE Set the "To DS" field to 1.
   * -c FF:FF:FF:FF:FF:FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.   * -c FF:FF:FF:FF:FF:FF NOTE: This is not included because an ARP packet already has the destination MAC address set to broadcast.
   * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID).  This is a filter to select a single AP.   * -b 00:14:6C:7E:40:80 is the MAC address of the access point (BSSID).  This is a filter to select a single AP.
Line 264: Line 262:
  
 ===== Usage Tips ===== ===== Usage Tips =====
 +
  
  
Line 273: Line 272:
 This would also work on APs with clients.  It would be faster since you don't have to wait for an ARP, any packet will do. This would also work on APs with clients.  It would be faster since you don't have to wait for an ARP, any packet will do.
  
-IMPORTANT:  The MAC address you use must first be associated with the AP via fake authentication.+IMPORTANT:  The source MAC address you use must first be associated with the AP via fake authentication.
  
 ==== Injecting Management Frames ==== ==== Injecting Management Frames ====
Line 290: Line 289:
 Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]]. Check the [[i_am_injecting_but_the_ivs_don_t_increase|I am injecting but the ivs don't increase tutorial]].
  
-One situation that may affect interactive replay: Exception of wireless client separation option - http://tinyshell.be/aircrackng/forum/index.php?topic=194+One situation that may affect interactive replay: Exception of wireless client separation option - http://forum.aircrack-ng.org/index.php?topic=194
  
 Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]]. Also see the general aireplay-ng troubleshooting ideas: [[aireplay-ng#usage_troubleshooting|aireplay-ng usage troubleshooting]].
  
interactive_packet_replay.1196193271.txt.gz · Last modified: 2007/11/27 20:54 by darkaudax