|Главная » Статьи » Мои статьи|
Aireplay-ng is a tool that is used to generate packages. Aireplay-ng - puts the packets in the wireless network to generate traffic. If your wireless access point no one is connected, hence no traffic for capture and subsequent analysis.
Utility Aireplay-ng it is also used for injection (injection) frames. The main function of the program is to generate traffic for the later use in aircrack-ng for cracking the WEP and WPA-PSK keys. There are several different attacks that you can use to make: reassociation units in order to obtain the WPA handshake data, fake authentication, interactive packet repetition (Interactive packet replay), manually produce an injector ARP requests and re-ARP requests. Tool packetforge-ng to create custom packages. Most drivers need patching to be able to generate packages.
Currently the program implements multiple different attacks:
Attacks can obtain packets to generate from two sources. The first source is a stream of packets in real vremeni your wireless card. The second source of the pcap file. Standard Pcap format (Packet CAPture, associated with the libpcap library http://www.tcpdump.org), is recognized by most commercial and open-source) programs to capture and analyze packets.When reading from a file are often ignored features of aireplay-ng. It allows you to read packets from other capture sessions and packages dovolnoye to generate various attacks in the pcap files for easy reuse.
The settings for selection source:
iface: capture packets from this interface
-r file: receiving a packet from this pcap file format
Here you specify the way in which mode the program will work. Depending on the method, not all options will be available. (for mode selection can be used numbers):
--deauth count : deauthenticate 1 or all stations (-0)
root@d1gg3r:~#aireplay-ng <options> <replay interface>
For all attacks, except for the reassociation of nodes and fake authentication, you can use the following filters to restrict the packets that will participate in a specific attack. The most commonly used filter-option "-b" to select a specific access point. Usually the option "-b" is the only key that you are using.
-b bssid : MAC address, Access Point
When generating packages (by injection), apply the following setting options. Keep in mind that not every parameter is relevant to each attack. For each attack below are given examples of possible options.
-x nbpps : number of packets per second
Fakeauth attack options:
-e essid : set target AP SSID
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
Test attack options:
-B : activates the bitrate test
-i iface : capture packets from this interface
-R : disable /dev/rtc usage
Fragmentation vs. Сhopchop attack
Below shows the differences in the attacks, fragmentation and chopchop.
Typically, the received packet length equal to 1500 bytes. This means that you can later create a package of any size. Even in cases when the obtained packet length less than 1500 bytes then it is sufficient to create ARP requests.
May work where chopchop attack doesn't work.
Very fast. It gives the xor of the flow extremely quickly when successful.
Need more information to run — information on IE's IP address. Quite often, the address can be guessed. Moreover, aireplay-papriwal the IP addresses of the source and destination of 255.255.255.255 in the case if nothing is specified. It works successfully on most,if not all access points. So that's a small minus.
Settings to perform an attack depend on the device drivers. For example, the card on the Atheros chipset does not generate the correct packets if the updated MAC address of the wireless card.
You have to be physically closer to the access point, because if any packets are lost then the attack fails.
This attack will fail for access points that do not correctly handle fragmented packets.
Can work where they attack the "fragmentation" does not work.
You don't need to know any IP addresses.
Cannot be used against every access point.
The maximum length of the xor of the packets is limited. Although it is theoretically possible to obtain the xor of the stream with length more than 1500 bytes, in practice you rarely see wireless packets with length of 1500 bytes, if any, will see this.
Much slower than the charge of "fragmentation".
Optimization of the generation rate of packets is more art than science. First, try to use tools "as is".You can try to use option "-x", to change the injection speed. Surprisingly, sometimes reducing this setting can increase the overall speed level of the packet capture.
You can try to play with the speed of your wireless card "iwconfig wlan0 rate 11M". Depending on the driver and how you configured the card in monitor mode, it is usually 1 or 11MBit default. If you're near an access point, install a high speed, for example 54M, so you will get more packets per second. If you are too far, and packets do not reach,try to reduce it (for example) 1M.
-0 <count>, --deauth=<count>
This attack sends packets of deauthenticate one or more clients which are currently associated with a particular access point. Deauthenticate clients can be done for a number of reasons: Recovering a hidden ESSID. This ESSID is not shown in the broadcast. Another reason for this is "masking" or Capture the handshake of WPA/WPA2 by forcing re-authentication of clients, or Generate ARP requests (Windows clients sometimes clear their ARP cache after disconnecting). Of course, this attack is totally useless if not connected to the wireless network clients or the false authentication.
-1 <delay>, --fakeauth=<delay>
The fake authentication attack allows you to perform two types of WEP authentication (Open system and Shared key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various attacks aireplay-ng and associated clients at the moment. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used for authentication/Association with WPA/WPA2 access points.
This attack allows you to choose a certain package for replay (injection). Attacks can obtain packets to replay from two sources. The first is a live flow of packets from your wireless card. The second is a pcap file. Many overlooked this function of aireplay-ng as reading from a file. It allows you to read packets from the captured sessions or are often generated from the various to attack the pcap files for easy reuse. Popular usage is the reading of the file that you created with packetforge-ng.
Attack classic re-play the ARP request is the most effective way to generate new initialization vectors (IVs), and it works very reliably. The program looks for ARP packets, then forwards them back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program sends the same ARP packet over and over again. However, each ARP packet repeated by the access point, has a new IVs. This is an all new IVs which allow you to define a WEP key.
This attack, if successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but only reveals the plain text. However, some access points are not vulnerable to this attack. Some seem vulnerable, but actually drop data packets shorter than 60 bytes. If the access point abrasive packages carechem than 42 bytes, aireplay tries to guess the remaining missing data, because the header is predictable. If the captured IP packet, additionally checks header checksum for correctness after guessing the missing parts. This attack requires at least one WEP package.
This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not reveal the WEP key itself, but only obtains the PRGA. This PRGA can be used to generate packet with packetforge-ng which are in turn used for various injection attacks. Required to obtain at least one packet from the access point to initiate this attack.
In General terms, in order for the attack to work, attackers need to be in the range TD and a connected client (fake or real). The Caffe Latte attack, allows to gather enough packets to crack a WEP key without the need of TD, simply the client in the range.
This attack turns IP or ARP packets from a client to ARP requests for the client. This attack works especially well against networks in ad-hoc. It can also be used against customers softAP (software access point) and the normal clients of TD.
This attack works against access points Cisco Aironet configured in WPA Migration Mode, which enables both WPA clients and WEP to connect to the access point using the same Service Set Identifier (SSID). The program listens for a WEP-encapsulated broadcast ARP packet, changes the bits to convert it into an ARP coming from the attacker MAC address, and forwards to the access point. This, in turn, causes the access point repeats the ARP packet with a new IV and also forwards the ARP reply to the attacker with a new IV. The program sends the same ARP packet over and over again. However, each ARP packet repeated by the access point, has a new IV, and the ARP response is forwarded to the access point to the attacker. All these new IV allows you to define a WEP key.
Test injection and the quality of communication.
The examples run Aireplay-NG
Go to channel 1 (iwconfig wlan0 channel 1), to make the attack Deauthenticate (-0) until it is stopped manually (0) against AP with the Mac address 20:25:64:16:58:8S and 20:25:64:16:58:8C) network interface wlan0 (wlan0):
channel 1 iwconfig wlan0
Go to channel 1 (iwconfig wlan0 channel 1), to make the attack Deauthenticate (-0), to send five packages of separation (5) in relation to AP with ESSID 20:25:64:16:58:8S (e-MIAL) with a network interface wlan0 (wlan0):
channel 1 iwconfig wlan0
The output of these two commands is identical:
root@d1gg3r:~# iwconfig wlan0 channel 1
To check whether wireless card injection (injection) (-9) on a network interface wlan0 (wlan0):
aireplay-NG -9 wlan0
oot@d1gg3r:~# aireplay-NG -9 wlan0
08:36:52 attempt directed probe requests...
08:36:53 64:66:B3:AE:8C:E7 - channel: 3 - 'TP-LINK_AP_AE8CE7'
|Просмотров: 792 | ||
|Всего комментариев: 0|