08-29-2005   #102
cybergibbons
Registered Member
Join Date: May 2005
Posts: 15
Many apologies - this is my mistake - I think.

Aireplay was taking a packet, re-writing it with the destination address as broadcast, and FromDS=0, ToDS=1. This is expected. It was then sending out that packet, with that IV. This is also expected.

I then receive back the same packet - yet it has been re-encrypted. I thought that the AP would just re-broadcast the packet, as it has the source and destination address there. Maybe check that the WEP key is right, but not tamper with the packet. I thought the reason behind ARP re-injection was that you got the responses with different IVs, not that the AP broadcast it with different IVs, otherwise re-injecting any packet with any valid source/address would cause IV increases.

So are these APs playing about with stuff they wouldn't? If so, and I think it is, is this not a serious vulnerability, as any replay will cause IV generation?
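The exchange the post describes, as an added example that is not part of the original thread and not code from aircrack-ng/aireplay: an attacker rewrites a captured WEP data frame to ToDS=1/FromDS=0 with a broadcast destination and reinjects it with the original IV, and the AP forwards it as a FromDS=1 frame re-encrypted under a fresh IV. The WEP pieces (RC4 seeded with IV || key, CRC-32 ICV, 802.11 data-frame header layout and address meanings) follow the real construction; the AccessPoint class, its per-forwarded-frame IV counter, the MAC addresses, the key and the ARP payload are constructed for this example and are assumptions, not a model of any particular AP firmware.

```python
"""Simulated WEP ARP replay: attacker-side rewrite vs. AP-side relay (constructed example)."""
import struct
import zlib

BROADCAST = b"\xff" * 6
FC_TODS, FC_FROMDS, FC_PROTECTED = 0x01, 0x02, 0x40   # frame-control flag bits (2nd FC byte)

# Constructed sample values (not real network data)
BSSID = b"\x00\x11\x22\x33\x44\x55"
CLIENT = b"\x66\x77\x88\x99\xaa\xbb"
WEP_KEY = b"\x01\x02\x03\x04\x05"          # 40-bit WEP key (assumed)
CAPTURED_IV = b"\x4e\x3f\x10"              # IV of the sniffed ARP request (assumed)
# LLC/SNAP header + ARP request "who-has 192.168.1.1 tell 192.168.1.2"
ARP_REQUEST = (b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
               + b"\x00\x01\x08\x00\x06\x04\x00\x01"
               + CLIENT + b"\xc0\xa8\x01\x02" + b"\x00" * 6 + b"\xc0\xa8\x01\x01")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) || key-id(1) || RC4(IV||key) over (plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + b"\x00" + rc4(iv + key, plaintext + icv)


def wep_open(key: bytes, body: bytes) -> tuple:
    """Decrypt a WEP body; return (iv, plaintext) or raise if the ICV does not verify."""
    iv = body[:3]
    data = rc4(iv + key, body[4:])
    plaintext, icv = data[:-4], data[-4:]
    if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch: wrong WEP key or tampered frame")
    return iv, plaintext


def build_data_frame(flags: int, a1: bytes, a2: bytes, a3: bytes, seq: int, body: bytes) -> bytes:
    """802.11 data frame: FC(2) duration(2) addr1 addr2 addr3 seqctl(2) body."""
    fc = struct.pack("<BB", 0x08, flags | FC_PROTECTED)      # type=data, subtype=0, WEP bit set
    return fc + b"\x00\x00" + a1 + a2 + a3 + struct.pack("<H", (seq & 0xFFF) << 4) + body


def parse_data_frame(frame: bytes) -> dict:
    flags = frame[1]
    return {"tods": bool(flags & FC_TODS), "fromds": bool(flags & FC_FROMDS),
            "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
            "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
            "body": frame[24:], "iv": frame[24:27]}


def source_addr(f: dict) -> bytes:
    """SA is addr3 only for FromDS=1/ToDS=0 frames; otherwise it is addr2."""
    return f["addr3"] if f["fromds"] and not f["tods"] else f["addr2"]


def aireplay_rewrite(captured: bytes, bssid: bytes, seq: int) -> bytes:
    """Attacker side, as described in the post: the encrypted body (and so the IV) is
    left untouched; only the header becomes ToDS=1/FromDS=0 with a broadcast DA.
    A fresh sequence number keeps the AP's duplicate-detection cache from dropping it."""
    f = parse_data_frame(captured)
    return build_data_frame(FC_TODS, bssid, source_addr(f), BROADCAST, seq, f["body"])


class AccessPoint:
    """Toy AP (assumed behaviour): decrypts ToDS frames under the shared key, checks the
    ICV, and re-encrypts whatever it forwards under its own next IV."""

    def __init__(self, bssid: bytes, key: bytes, start_iv: int = 0x000100):
        self.bssid, self.key, self.iv_counter, self.seq = bssid, key, start_iv, 0

    def relay(self, frame: bytes):
        f = parse_data_frame(frame)
        if not f["tods"] or f["addr1"] != self.bssid:
            return None                                      # not addressed to this AP
        _, plaintext = wep_open(self.key, f["body"])          # wrong key / bad ICV -> ValueError
        iv = self.iv_counter.to_bytes(3, "big")
        self.iv_counter = (self.iv_counter + 1) & 0xFFFFFF
        self.seq += 1
        # FromDS=1: addr1=DA (broadcast), addr2=BSSID, addr3=SA
        return build_data_frame(FC_FROMDS, f["addr3"], self.bssid, f["addr2"], self.seq,
                                wep_seal(self.key, iv, plaintext))


def run_replay(n: int, key: bytes = WEP_KEY) -> list:
    """Inject one sniffed ARP request n times; return [(injected_frame, relayed_frame), ...]."""
    captured = build_data_frame(FC_TODS, BSSID, CLIENT, BROADCAST, 1,
                                wep_seal(key, CAPTURED_IV, ARP_REQUEST))
    ap = AccessPoint(BSSID, key)
    rounds = []
    for i in range(n):
        injected = aireplay_rewrite(captured, BSSID, 100 + i)
        rounds.append((injected, ap.relay(injected)))
    return rounds


if __name__ == "__main__":
    for injected, relayed in run_replay(4):
        print("injected IV", parse_data_frame(injected)["iv"].hex(),
              "-> relayed IV", parse_data_frame(relayed)["iv"].hex())
```

Every injected copy carries the sniffed IV, while each relayed copy carries a new one and a different ciphertext for the same ARP plaintext; the AP has to decrypt to check the ICV and then encrypts the forwarded frame as a transmission of its own. That per-relay fresh IV is what makes ARP replay productive against WEP: the IVs fed to the key-recovery attack come from the AP's re-broadcasts, not from the injected frames themselves.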