johnmac99

My principle interest is in using the aireplay code from the aircrack tools to send an ARP flood that will generate enough IV packets for collection by airodump and cracking by aircrack or another similar program. Aireplay beta 2.2 supports single-NIC injection/monitor on prism2 (wlan-ng), atheros (madwifi) and prism54.

I did not see anything similar in the forums, please correct any areas where you think I have gone wrong. I used the following for this guide: aireplay mini-howto (included in the source code here http://www.cr0.net:8040/code/network/aireplay-2.2.tgz) and Christopher Devine's aircrack documentation here (http://www.cr0.net:8040/code/network/aircrack/)

This tutorial describes using airplay for "Attack 2: classic ARP-request resend" as described in the mini-howto attack number 2.

It is assumed that you already have a basic working knowlege of Linux and were able to patch your kernel and load the appropriate drivers. If have not accomplished these tasks, I suggest you try auditor (http://remote-exploit.org/).

You now need to capture arp traffic. You can use airodump, however, I prefer to use Kismet and use the .dump files -- for either of these tools you will have to put the wireless interface in monitoring mode prior to executing the tool. Once you have what you believe is a large enough dump file to have generated at least one arp request, you can examine it with Ethereal to determine if you have a arp from a particular BSSID that you are interested in (filter frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff). An easier option is to execute aireplay and let it tell you the BSSID of the ARP packets it has collected. Prior to running aireplay, you need to ensure your wireless card is properly configured. I personally use both a senao and linksys card with no problems. Run the following commands (subsitute wlan0, wlan1, etc as appropriate):

# iwpriv wlan0 hostapd 1
# iwpriv wlan0ap host_encrypt 1
# iwpriv wlan0ap host_decrypt 1
# iwconfig wlan0ap retry 1
# iwconfig wlan0ap mode Master
# iwconfig wlan0ap key 01:02:04:08:10
# iwconfig wlan0ap channel <channel of the AP that you are interested in cracking>
# ifconfig wlan0 hw ether <put a random MAC here, should follow this format ff:ff:ff:ff:ff:ff>
# ifconfig wlan0ap up

Now you are ready to run aireplay.

# aireplay wlan0ap replay.pcap <where replay.cap is the name of your airodump or kismet .dump file from the previous step>

The last line executes aireplay, it will parse the supplied log and will report whethr a suitable ARP packet was found. If one was not found, aireplay will report "got 0 poetnetial ARP requests", if aireplay it finds an ARP request, it will report the name of the BSSID and ask whether or not to use it. If the ARP packet BSSID matches that of the AP of interet (refer to kismet and airodump) then indicate "yes". Aireplay will begin to replay / retransmit the arp request to the AP, aireplay will also indicate that you should open another window and capture the replies with airodump. This will allow you to force the AP to rapidly generate traffic. Collect to your hearts desire and then attempt to crack the collected traffic using aircrack, weplab, airsnort, etc.

Please feel free to flame me if I have left out a pertinent piece of information. I will gladly correct this as required or answer any questions you may pose.

MarkieUSA

Thanks for the guide, the Ethereal filter syntax is especially useful.

One question, does the client that the ARP was sniffed from need to remain associated with the AP while reinjecting.

Using two NICs on my AP, I have to disassociate after sniffing the ARP broadcast so that I can use that client to then do the injection with the second laptop being the IV collector, though I see encrypted traffic hugely increase, though the IVs are not unique and therefore useless (I'm seeing my injection and nothing back from the AP)
Can anyone verify if the client needs to remain or can the replay be performed on an AP without clients?
cheers.

__________________
Doc, It hurts when IP, and last week I pinged myself and I got a loop back.

johnmac99

Good question and one I have also had problems with, perhaps someone else can answer this. I thought this might be due to the fact that non-arp traffic was being re-injected.

[quote=MarkieUSA]I see encrypted traffic hugely increase, though the IVs are not unique and therefore useless (I'm seeing my injection and nothing back from the AP)
QUOTE]

Mother

Hi,

For the most part, the client needs to be associated to the AP in order to get a reply to the injected ARP packets.

While testing aireplay on a WAP54G, I noticed that the client was being flooded by aireplay, and wasn't aswering the power save polls from the AP, and thus after some 2-3 minutes, the AP deauthenticated the station (internally, there was no visible deauth packet sent). I would have to sniff from another box to see the entire exchange, maybe I'm missing the initial deauth packet.

When this happened, from then onwards the AP replied always with a deauth packet to every ARP packet injected, with the reason that a frame was received from an unassociated station. In airodump, the IV count stopped increasing.

I am now trying to get aireplay to send the flood at slower rates, to try and keep the client associated.

Regards,

Mother

__________________
Out of paper on drive C:

tech.am

G8tK33per

MOM!!

How ya' been?

__________________
"Benjamin is nobody's friend. If Benjamin were an ice cream flavor, he'd be pralines and dick."

Sons of Confederate Veterans

Dutch

-x param works with the -3 arp replay attack. Used -x 800 to get 49K IV's a minute on my test setup. Reduce the 800 as applicable in your case.

Dutch

__________________
All your answers are belong to Google. SEARCH DAMMIT!
Warning. Warning.
Low C8H10N4O2 level detected. Operator halted....

MarkieUSA

I concur, the only time not specifying -x time delay is viable is when replaying an airforge deauth packet, and even then it is unecessary to "spray" the deauth if the client is close or you're using a directional antenna, -x 1 is effective enough when the client is in line of sight for deauth.

(of course a deauth being a good way to cause a WPA-PSK EAPOL four way handshake to re-occur on the current, sniffed main channel of the AP or a method used to kick pay as you go customers from public APs to grab the MAC and DHCP renew as their IP)

__________________
Doc, It hurts when IP, and last week I pinged myself and I got a loop back.

Mother

LOL I've been under a rock for some time...seriously, work and new kids have kept me really busy. I take all is OK in stumblerland?

As for aireplay, beta6 is out and I'll be trying the new modes out, it looks quite promising and some favourable reports have been heard.

BTW I've worked out what was happening - the client is a Nokia 9500 phone (yes, it has wifi), and it was being DoS'd by the aireplay flood!!! What then happened is that the phone wasn't answering the AP's power-saving polls, and after a few unanswered ones it deauthenticated the client, thus dropping all further ARP packets. The only way to get the phone to work again was to remove and reinsert the battery. Ain't wireless fun?

Cheers,

Mother

__________________
Out of paper on drive C:

tech.am

devine

Heh, I'm not that surprised

Also aireplay -1 before beta6 causes OpenBSD in master mode to crash -- that's what you call "secure by default"

killa-berlin

I need the airforge program to do the following:

'airforge <bssid> <dst mac> <packet-name>'

It should create a the file <packet-name> (normally 'deauth.cap').

I have the the packets 'aireplay2.2.tgz' and 'aircrack2.2.tgz' and everything runs fine. But I googled for 'airforge' and found at least nothing. Where can I get 'airforge'????

regards,
killa-berlin

Dutch

Nowhere.
It's "arpforge", not "airforge", and it is included in the aircrack 2.2 & aircrack 2.2betaX tarballs.

Dutch

__________________
All your answers are belong to Google. SEARCH DAMMIT!
Warning. Warning.
Low C8H10N4O2 level detected. Operator halted....

killa-berlin

... please see:
http://new.remote-exploit.org/index.php/Research

and also the WPA cracking tutorial on

http://new.remote-exploit.org/index.php/Tutorials

Thats what I want to test here on my local Wlan. The syntax
of arpforge is something different from the airforge-tool I am looking for.

Regards,
killa-berlin

Dutch

Look in your tarballs. In aireplay beta 2.2 as well as in aircrack 2.2beta1 arpforge was named airforge. From aircrack 2.2beta2 it was renamed more appropriately to arpforge.

Dutch

__________________
All your answers are belong to Google. SEARCH DAMMIT!
Warning. Warning.
Low C8H10N4O2 level detected. Operator halted....

killa-berlin

... I believe. THX anyway.

devine

About WPA cracking with an Atheros card:

I've noted that, in a G network, the handshake usually takes place in G mode. However, when using aireplay w/ attack -0 the card must be set in B mode, thus airodump won't capture G packets.

There's a workaround for it: start airodump on the proper channel, then start aireplay -0 1 -a [ap mac] ath0, it sends a deauth, then quickly press Ctrl-C and run "iwpriv ath0 mode 0". If you're fast enough you should catch a WPA handshake.

I've changed the aireplay -0 option in the current devel code: it specifies the deauth count (and not the delay anymore). So running "aireplay -0 3 ..." will send 256*3 deauth broadcast packets and then exit; each batch being separated by a 100ms delay. Thus, it's easier to capture a handshake by just running "aireplay -0 5 -a [ap mac] ath0; iwpriv ath0 mode 0".

Of course you can still perform a DoS attack by specifying -0 0, in this case aireplay will run until it's stopped by the user. You can use the -c option to target a specific wireless station instead of broadcast.