Wednesday, January 22, 2014

download Aircrack-ng,


Aireplay-ng is used to inject packets. If nobody is using your wireless access point, there is accordingly no traffic to capture and later analyze (crack).

Description
The main function of the program is to generate traffic for later use in aircrack-ng to crack WEP and WPA-PSK keys. It can perform several different attacks: deauthentication of stations in order to capture WPA handshake data, fake authentication, interactive packet replay, hand-crafted ARP-request injection and ARP-request reinjection. The packetforge-ng tool can be used to create custom packets.
Most drivers need to be patched before they can inject packets; do not forget to read the Driver Installation page.

Using the attacks


The program currently implements several different attacks:
- Attack 0: Deauthentication
- Attack 1: Fake authentication
- Attack 2: Interactive packet replay
- Attack 3: ARP-request replay
- Attack 4: KoreK chopchop attack (very fast)
- Attack 5: Fragmentation attack
- Attack 6: Cafe-latte attack (Coming in the next release! Not available at this time.)
- Attack 7: Client-oriented fragmentation attack (Coming in the next release! Not available at this time.)
- Attack 9: Injection test
Usage
This section gives an overview of the tool. Not all options apply to all attacks; see the details of each attack.
aireplay-ng <options> <interface>
For all attacks except deauthentication and fake authentication, you can use the following filters to limit which packets are used in a particular attack. The most commonly used filter is «-b», which selects a specific access point. Usually «-b» is the only filter you will need.
Filter options:
-b bssid : MAC address of the access point
-d dmac : destination MAC address
-s smac : source MAC address
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
When injecting (replaying) packets, the following options apply. Keep in mind that not every option is relevant to every attack. Examples of the applicable options are given below for each attack.
Replay (injection) options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set the access point MAC address
-c dmac : set the destination MAC address
-h smac : set the source MAC address
-e essid : fake authentication attack: set the target access point SSID (network name)
-j : arpreplay attack: inject FromDS packets
-g value : change the ring buffer size (default: 8)
-k IP : set the destination IP address in fragments
-l IP : set the source IP address in fragments
-o npckts : number of packets per burst (1)
-q sec : seconds between keep-alives (-1)
-y prga : keystream for shared key authentication
When attacking, the packets to replay can come from two sources. The first is a live stream of packets from your wireless card. The second is a pcap file. The standard pcap (Packet CAPture) format, associated with the libpcap library (http://www.tcpdump.org), is recognized by most commercial and open-source packet capture and analysis software. Reading from a file is an often-overlooked feature of aireplay-ng. It lets you read packets from other capture sessions, and quite often the various attacks write pcap files for easy reuse.
Options for source selection:
iface: capture packets from this interface
-r file: extract packets from this pcap file
Here you specify the mode in which the program will work. Depending on the mode chosen, not all options are available.
Attack modes (numbers can be used instead of names):
--deauth count : deauthenticate one or all stations (-0)
--fakeauth delay : fake authentication with the access point (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop a WEP packet (-4)
--fragment : generate a valid keystream (-5)
--test : injection test (-9)

 
Fragmentation versus chopchop
Below are the differences between the fragmentation and chopchop attacks.

Fragmentation
Pros:
- Usually obtains the full packet length of 1500 bytes. This means you can later create packets of any size. Even where the obtained length is less than 1500 bytes, it is sufficient to generate ARP requests.
- Can work where the chopchop attack does not.
- Very fast. It yields the xor keystream extremely quickly when successful.
Cons:
- Needs more information to run: IP address information. Quite often this address can be guessed. Moreover, aireplay-ng assigns a source and destination IP address of 255.255.255.255 if nothing is specified, which works on most, if not all, access points. So this is a small minus.
- Whether the attack can be carried out depends on the device driver. For example, Atheros-based cards do not generate correct packets if the MAC address of the wireless card has been changed.
- You have to be physically closer to the access point, because if any packets are lost, the attack fails.
- The attack fails on access points that do not properly handle fragmented packets.

Chopchop
Pros:
- Can work where the fragmentation attack does not.
- You do not need to know any IP address.
Cons:
- Cannot be used against every access point.
- The maximum length of the xor keystream is limited. Although it is theoretically possible to obtain an xor stream longer than 1500 bytes, in practice you will rarely, if ever, see wireless packets of 1500 bytes.
- Much slower than the fragmentation attack.

Usage tips
Optimizing injection speed
Optimizing speed is more art than science. First, try using the tool "as is". You can try the «-x» option to change the injection rate. Surprisingly, sometimes lowering this value increases the overall packet rate.
You can try playing with the rate of your wireless card: «iwconfig wlan0 rate 11M». Depending on the driver and how you put the card into monitor mode, the default is usually 1 or 11 Mbit. If you are close to the access point, set a high rate, for example 54M, so that you get more packets per second. If you are too far away and the packets do not get through, try lowering it, for example to 1M.

Troubleshooting
For madwifi-ng, no other VAPs should be running
Make sure no other VAPs (virtual access points) are running. There can be a problem when creating a new VAP in monitor mode if a VAP was previously started in managed mode.
You must first stop ath0, then start wifi0:
airmon-ng stop ath0
airmon-ng start wifi0
or
wlanconfig ath0 destroy
wlanconfig ath create wlandev wifi0 wlanmode monitor

Aireplay-ng hangs without any output
You enter the command, it hangs, and no output appears.
Typically this problem occurs if the wrong channel is selected compared with the channel the access point is running on. Another potential cause is an older firmware version on a prism2 chipset. Verify that your firmware is version 1.7.4 or above. See Prism card for more information. Instructions for updating the firmware can be found here.
Also, if you have another instance of aireplay-ng running in the background, it can cause a hang if the startup options conflict.

Aireplay-ng hangs on packet injection
See this thread: Aireplay-ng hangs on packet injection
Or look at this thread: Commenting out RTC. Also see the previous entries.

write failed: Cannot allocate memory wi_write(): Illegal seek
When using a Broadcom chipset and the related drivers you get something like this: write failed: Cannot allocate memory wi_write(): Illegal seek. This is caused by a bug in the original patch for bcm43xx. Using the modified Sud patch can fix this situation. Or you can try the b43 driver instead of bcm43xx (b43 requires aireplay-ng 1.0-beta2 or later; we recommend version 1.0 RC1 or SVN).

Low injection rate, «rtc: lost some interrupts at 1024Hz»
Symptoms: the injection rate is very low, about 30 packets per second (pps). Whenever you start injecting, you receive the following or a similar message:
«rtc: lost some interrupts at 1024Hz»
This message is repeated several thousand times. There are a few workarounds. First, start a second instance of aireplay-ng; the injection rate then increases to around 300 pps. The second workaround is as follows:
rmmod rtc
modprobe genrtc
or, if you have rtc-cmos in the kernel:
rmmod rtc
modprobe rtc-cmos
Currently there is no simple solution to this problem. See this forum thread.

Low injection rate in general
If you are too close to the access point, it can reduce the injection rate. This is due to corruption of packets and/or overloading of the access point. See this thread for an example.

Error message «open(/dev/rtc) failed: Device or resource busy»
This is caused by two or more instances of aireplay-ng running simultaneously. The program will still run, but the timing will be less accurate.

«Interface MAC doesn't match the specified MAC»
After entering a command similar to this:
aireplay-ng -1 0 -e horcer -a 00:50:18:4C:A5:02 -h 00:13:A7:12:3C:5B ath0
you receive a message similar to:
The interface MAC (06:13:F7:12:23:4A) doesn't match the specified MAC (-h).
ifconfig ath1 hw ether 00:13:A7:12:3C:5B
This occurs when the source MAC address used for injection (specified by -h) differs from the MAC address of your wireless card. In the case above, the MAC address 00:13:A7:12:3C:5B in the command does not match the card's MAC address 06:13:F7:12:23:4A. In some cases, but not all, this causes injection to fail, so the program gives you this warning. It is recommended that the MAC address specified at injection time always matches the card's MAC address.
Detailed instructions on changing the card's MAC address can be found in the FAQ: How do I change the MAC address of the card?

Hidden SSIDs «<length: ?>»
Many aireplay-ng commands need to know the SSID (network name). You may sometimes see «<length: ?>» as the SSID in the airodump-ng output. This means the SSID is hidden. Typically, in place of "?" the length of the SSID is shown. For example, if the SSID is «test123», it appears as «<length: 7>», since it is seven characters long. When the length is 0 or 1, the access point is not revealing the actual length, and the actual length may be anything.
There are several options for obtaining the hidden SSID:
- Wait for a wireless client to associate with the access point. When this happens, airodump-ng can capture and display the SSID of the access point.
- Deauthenticate existing wireless clients so that they reassociate. See the previous advice.
- Use the mdk3 tool to brute-force the SSID.

How to use spaces, single and double quotes and other special characters in AP names?
See the article in this FAQ.

Waiting for beacon frame
When you enter the command, the program hangs or outputs «Waiting for beacon frame» or «no available BSSID» and nothing further happens.
There are several major reasons for this problem:
- The card is set to a different channel than the access point. Solution: use iwconfig and make sure the card is on the same channel as the AP.
- The card is hopping between channels. Solution: run airodump-ng with the «-c» or «--channel» parameter and select the channel the access point is running on.
- Invalid ESSID (network name). Solution: enter the correct value. If the ESSID contains spaces or special characters, enclose it in quotes. For more information, see this FAQ.
- Invalid BSSID (MAC address of the access point). Solution: enter the correct value.
- You are too far from the access point and do not receive any packets. Solution: use tcpdump and/or airodump-ng to confirm that you are actually receiving packets from the access point. If not, you need to get closer.
- You do not receive packets from the access point at all. Solution: use «tcpdump -n -vvv -e -s0 -i <interface name>» to check that packets are being received. The problem may be with the driver, or the card may not have been switched into monitor mode.
For all the problems above, running airodump-ng and examining its text file output should give you all the information needed to identify and correct the problem.

General information
Also, make sure that:
- Most aireplay-ng modes require that your MAC address be associated with the access point. The exceptions are deauthentication, injection test and fake authentication. You either need to perform fake authentication to associate your MAC address with the access point, or use the MAC address of a client that is already associated with the access point. If you cannot do this, the access point will not accept your packets. Look for deauthentication messages during injection that indicate you are not associated with the access point. aireplay-ng usually reports this problem, or you can check with tcpdump: «tcpdump -n -e -s0 -vvv -i <interface name>». You can filter the output with grep, something like «tcpdump -n -e -s0 -vvv -i ath0 | grep -E "DeAuth|assoc"».
- The wireless card driver is properly patched and installed. Use the injection test to verify that your card can inject packets.
- You are physically close enough to the access point. You can confirm that you can communicate with a specific access point by following these instructions.
- Another way to confirm that you can communicate with the access point is to make sure you receive an ACK packet for each packet you send. In wireless communication the receiver must acknowledge receipt of each packet with an ACK packet; this is a mandatory part of the wireless protocol. When injecting without filters on the wireless channel, you should see ACK packets. You can analyze the captured packets with wireshark or tcpdump; in real time, use «tcpdump -n -vvv -e -s0 -i <interface name>». Not seeing any ACK packets from the access point means the access point cannot hear you, so you are physically too far away.
- The wireless card is in monitor mode. Use «iwconfig» to check.
- The card is set to the same channel as the AP. Use «iwconfig» to check.
- You are using a real MAC address. See the discussion on determining the MAC address.
- Some access points are configured to accept connections only from certain MAC addresses. In this case you will need to obtain the real MAC address of a client by observing with airodump-ng, and use that MAC address. Do not do fake authentication with a particular MAC address while that client is connected to the access point. If MAC address access control is in use, deauthentication does not apply. See the troubleshooting tips on MAC access control here.
- The BSSID and ESSID (-a / -e options) are correct.
- If the chipset is Prism2, make sure the firmware has been updated.
- Make sure you have the latest stable version. Some options are not available in earlier versions of the program. In addition, the latest stable version contains many bug fixes.
- It also does not hurt to check the Trac system to see whether your "problem" is a known bug in the current stable, SVN or release candidate version.

Notes
This section applies only to the latest SVN version and, to some extent, to the release candidate versions of the aircrack-ng suite. Once they are declared "stable", the documentation above will be updated. Changes:
- «-e» is not required if the ESSID is not hidden (applies to fake authentication and the injection test).
- «-B» or «--bittest»: bit rate test (used by the injection test).
- «-F» or «--fast»: fast test (used by the injection test).
- «-D» disables AP detection. Some modes will not work if no beacon packets from the access point are captured; this option disables that check.
- «-F» selects the first matching packet.
- «-R» disables use of /dev/rtc. Some systems hang or have other problems with the RTC; this option disables use of the RTC.
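The troubleshooting advice above recommends watching tcpdump for DeAuth/assoc messages and for ACK frames. As an added example that is not part of the original page or the aircrack-ng suite, the Python below parses constructed lines in the shape of tcpdump's 802.11 output (the exact format is an assumption), flags a BSSID that emits a burst of deauthentication frames, which is how a deauthentication attack shows up in a defender's capture, and counts the ACK frames addressed to a station; the MAC addresses and ESSID reuse the page's example values.

```python
import re
from collections import defaultdict, deque

# Field patterns for 802.11 frames as tcpdump prints them with -e on a monitor-mode interface.
TS_RE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+)")
ADDR_RE = re.compile(r"\b(BSSID|DA|SA|RA):([0-9a-f:]{17})")
KIND_RE = re.compile(r"\b(DeAuthentication|Disassociation|Acknowledgment|Assoc Request|Beacon)\b")
AP = "00:50:18:4c:a5:02"   # access point MAC from the page's example command
STA = "00:13:a7:12:3c:5b"  # client MAC from the page's example command
HDR = "1.0 Mb/s 2412 MHz 11b -50dBm signal"


def sample_lines():
    """Constructed lines in the shape of `tcpdump -n -e -s0 -vvv -i <iface>` output (not a real capture)."""
    lines = [f"10:00:00.000000 {HDR} BSSID:{AP} DA:ff:ff:ff:ff:ff:ff SA:{AP} Beacon (horcer) ESS CH: 1"]
    for i in range(8):  # eight deauth frames inside 0.35 s: the trace a deauth flood leaves behind
        lines.append(f"10:00:01.{i * 50000:06d} {HDR} BSSID:{AP} DA:{STA} SA:{AP} "
                     "DeAuthentication: Class 3 frame received from nonassociated station")
    lines.append(f"10:00:01.500000 {HDR} Acknowledgment RA:{STA}")
    lines.append(f"10:00:02.010000 {HDR} Acknowledgment RA:{STA}")
    return lines

def parse_frame(line):
    """Return {'t': seconds, 'kind': ..., 'bssid'/'da'/'sa'/'ra': ...} for one line, or None."""
    ts, kind = TS_RE.match(line), KIND_RE.search(line)
    if not ts or not kind:
        return None
    h, m, s, frac = ts.groups()
    frame = {"t": int(h) * 3600 + int(m) * 60 + int(s) + int(frac) / 10 ** len(frac),
             "kind": kind.group(1)}
    frame.update({name.lower(): mac for name, mac in ADDR_RE.findall(line)})
    return frame

def deauth_bursts(lines, window=1.0, threshold=5):
    """BSSID -> peak DeAuthentication frames sent within `window` s, for BSSIDs reaching `threshold`."""
    recent, peak = defaultdict(deque), defaultdict(int)
    for line in lines:
        f = parse_frame(line)
        if not f or f["kind"] != "DeAuthentication" or "bssid" not in f:
            continue
        q = recent[f["bssid"]]
        q.append(f["t"])
        while f["t"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[f["bssid"]] = max(peak[f["bssid"]], len(q))
    return {b: n for b, n in peak.items() if n >= threshold}

def ack_count(lines, station):
    """Count Acknowledgment frames addressed to `station`: the ACK check the page recommends."""
    return sum(1 for f in map(parse_frame, lines)
               if f and f["kind"] == "Acknowledgment" and f.get("ra") == station)
```

Feed real tcpdump output in place of sample_lines() to apply the same checks to a live capture.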
