NetStumbler.org Forums

Aireplay not effective against all APs?

Post #1, whoisvince, 03-25-2005


I've been playing aireplay with the new madwifi patch for my Atheros AR5211 and I must say, I am very impressed. I collected over 1,000,000 IVs from my DI-614+ in just about 10 mins!

Here's my question: are some APs less vulnerable to replay attacks than others?

I had originally been trying this attack on my 2Wire HomePortal 1000HW DSL Router (firmware rev. 3.5.5) and I could not get aireplay to decode packets using any of the attacks used in the README file, regardless of whether I tried only packets with a length larger than 60 B, ARP forgery, ARP-request resend, associating a network card, whatever.

On the other hand, my DI-614+ (firmware rev 2.33) cracked like an egg. The ARP-request forgery attack worked extremely well, and the only problem I had was limiting aireplay's packet broadcast rate (-x 100) to keep from DoSing the thing.

Both routers were set up identically including 64 bit WEP. Is there anything special about 2Wire setups that keeps them from replaying packets?

Last edited by whoisvince : 03-25-2005 at 05:37 PM.

Post #2, tekn0, 03-25-2005

Would you still happen to have the replay_dec file around that the -k chopchop function decoded? If so, could you post the tcpdump output here just like the README does? I have not had any success decoding a packet with any IP information in it, and I am wondering if you have any in your packet... Also, about how long did it take for you to chopchop the data packet?

Post #3, whoisvince, 03-25-2005

Thanks for the quick response, tekn0.

The -k function wouldn't generate the replay_dec file that I needed when capturing from the 1000HW. Aireplay would send the packets, but I wasn't getting any decoding responses from the AP, so there was no replay_dec file to resend. Unfortunately, I don't have any tcpdump info to post without being able to decode the packet--that's been my problem.

With the DI-614+, it only took me about 25 packets or so to acquire a suitable one, then it took 5 seconds to decode the packet--it was a longer data packet, but the decoding was still quite fast.

I associated a network card (without entering the WEP key) from another machine each time I attacked the AP so I could run the attack in authenticated mode, and I tried increasing and decreasing the -x option to avoid DoSing the 2Wire.

Is there any other output I should post for you?

Post #4, tekn0, 03-25-2005

"it only took me about 25 packets or so to acquire a suitable one"

Is that meaning you used -k on 25 packets and after that 1 of the packets showed you the IP information that you then used in airforge? If so, could you display the tcpdump output of that one packet?

Post #5, whoisvince, 03-25-2005

OK, this is the command I'm using to attack the DI-614+:

AP MAC: 00:80:C8:0B:9D:B6
Associated client MAC: 00:0b:6b:10:08:97

aireplay -k -h 00:0b:6b:10:08:97 -x 100 ath0

This is the info from the packet (I used the first packet that popped up):

Seen 78 packets...

FromDS = 1, ToDS = 0, WEP = 1
BSSID = 00:80:C8:0B:9D:B6
Src. MAC = 00:80:C8:0B:9D:B6
Dst. MAC = FF:FF:FF:FF:FF:FF

Here's the tcpdump:

reading from file replay_dec-050325-214321.pcap, link-type IEEE802_11 (802.11)
DA:ff:ff:ff:ff:ff:ff BSSID:00:80:c8:0b:9d:b6 SA:00:80:c8:0b:9d:b6 LLC, dsap 0xaa, ssap 0xaa, cmd 0x03, sap aa ui/C len=278

Here's the airforge command:

airforge replay_dec-050325-214321.prga 1 00:80:c8:0b:9d:b6 00:0b:6b:10:08:97 10.0.0.2 10.0.0.3 arp.pcap

Something to note about the airforge command--I just made up IP addresses--this isn't in the IP range of the AP or the client at all.

After that, I replay the packet with aireplay -r and it works beautifully as long as I keep the client associated with the AP.

For some reason, with the 2Wire, I can't get aireplay to decode a packet. It's interesting to note, unless the clients are associated with the proper WEP keys, I don't think the packets will have any IP info--the AP won't assign one.

Post #6, tekn0, 03-25-2005

Thank you very much for the info. So for airforge, 10.10.10.* is in fact "not" your IP range and the AP still gives out valid, unique-IV'ed replies... very interesting.

Post #7, whoisvince, 03-25-2005

But do you have any idea why the 1000HW won't decode packets like the DI-614+?

Post #8, tekn0, 03-25-2005

What part of the attack is not working? Will chopchop -k not work, or will the airforged ARP not work? If it's the forged ARP, I would try to make sure the IP range is correct.

Post #9, whoisvince, 03-26-2005

The chopchop -k part is not working. The chopchop functions in all of the aireplay attacks I've tried haven't worked. I can't forge the packet b/c I can't get my hands on a prga and decoded packet.

Do you really need a correct IP for the forged arp packet? I got away with just making one up for the DI-614+. I wonder if that's because it's older hardware (although it does have the latest firmware)...

Post #10, devine, 03-26-2005

Quote:
Originally Posted by whoisvince
The chopchop -k part is not working. The chopchop functions in all of the aireplay attacks I've tried haven't worked. I can't forge the packet b/c I can't get my hands on a prga and decoded packet.

Do you really need a correct IP for the forged arp packet? I got away with just making one up for the DI-614+. I wonder if that's because it's older hardware (although it does have the latest firmware)...
Right, some APs are not vulnerable to the chopchop attack. And yes, you absolutely need a correct IP, and moreover one IP that responds to arp-requests.

Post #11, whoisvince, 03-26-2005

Do I need the IP of the associated client, the IP of the router, or both?

I wonder why I got away with making up a random IP for the DI-614+. It worked fine with IPs that were nowhere near its range.

Post #12, whoisvince, 03-26-2005

Oh, and one other thing. Has anyone else been successful in cracking his own HomePortal 1000HW? If so, which firmware version are you using?

Post #13, devine, 03-27-2005

Quote:
Originally Posted by whoisvince
Do I need the IP of the associated client, the IP of the router, or both?

I wonder why I got away with making up a random IP for the DI-614+. It worked fine with IPs that were nowhere near its range.
Any IP of a wireless or wired host that is currently up should do. Note: the attack can produce IVs even if the IP doesn't respond, because some APs do re-encapsulate WEP data broadcasts before sending them, so you do get new IVs even though there's no ARP reply (this is actually attack 3 in the aireplay README).
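Two details in this thread are worth seeing from the monitoring side: the address roles whoisvince's output in post #5 shows (FromDS=1, ToDS=0, so Addr1=DA, Addr2=BSSID, Addr3=SA) and devine's point that each re-encapsulated reply carries a fresh IV. The script below is an added example written for this page; it is not code from the thread, from aireplay or from airforge. It parses the 802.11 data-frame header and the 4-byte WEP header, then runs two checks a wireless IDS would make on a capture: IV reuse under one BSSID, and a replay burst (one client re-sending the identical ciphertext frame many times per second, which is what the ARP-request replay described above looks like on the air). The frames, timestamps and alert thresholds are constructed for the example; only the MAC addresses are taken from post #5.

```python
"""Parse 802.11 WEP data-frame headers and flag two things a wireless IDS
would want to see: IV reuse under one BSSID, and replay bursts (the same
ciphertext frame injected many times in a short window).
Sample frames are constructed here, not captured."""
from collections import Counter, defaultdict

PROTECTED = 0x40  # Frame Control byte 1, bit 6: Protected Frame (WEP)
TO_DS, FROM_DS = 0x01, 0x02


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_wep_frame(to_ds, from_ds, a1, a2, a3, iv, key_id=0, body=b"\x00" * 36):
    """Constructed 3-address WEP data frame: FC, duration, A1-A3, seq ctrl,
    then the 4-byte WEP header (24-bit IV + key index) and an opaque body."""
    fc0 = 0x08  # type = data (2), subtype = 0
    fc1 = (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0) | PROTECTED
    hdr = bytes([fc0, fc1, 0, 0]) + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3) + b"\x00\x00"
    return hdr + iv.to_bytes(3, "big") + bytes([key_id << 6]) + body


def parse_wep_frame(frame):
    """Return address roles, IV and key index for a data frame, or None if the
    frame is not a data frame or is not WEP-protected."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2 or not fc1 & PROTECTED:
        return None
    to_ds, from_ds = bool(fc1 & TO_DS), bool(fc1 & FROM_DS)
    a1, a2, a3 = (mac_str(frame[4 + 6 * i:10 + 6 * i]) for i in range(3))
    hdr_len = 24
    if to_ds and from_ds:      # 4-address (WDS): A1=RA, A2=TA, A3=DA, A4=SA
        hdr_len = 30
        da, sa, bssid = a3, mac_str(frame[24:30]), a2  # transmitter stands in for BSSID
    elif from_ds:              # AP -> station, as in post #5: A1=DA, A2=BSSID, A3=SA
        da, bssid, sa = a1, a2, a3
    elif to_ds:                # station -> AP: A1=BSSID, A2=SA, A3=DA
        bssid, sa, da = a1, a2, a3
    else:                      # ad hoc: A1=DA, A2=SA, A3=BSSID
        da, sa, bssid = a1, a2, a3
    wep = frame[hdr_len:hdr_len + 4]
    return {"to_ds": to_ds, "from_ds": from_ds, "bssid": bssid, "sa": sa, "da": da,
            "iv": int.from_bytes(wep[:3], "big"), "key_id": wep[3] >> 6,
            "payload": bytes(frame[hdr_len:])}


def find_iv_reuse(parsed):
    """(bssid, iv) pairs seen more than once: with WEP that means keystream reuse."""
    counts = Counter((p["bssid"], p["iv"]) for p in parsed)
    return sorted(k for k, n in counts.items() if n > 1)


def find_replay_bursts(timed, window=1.0, threshold=20):
    """timed: (timestamp, parsed) pairs. Flag a source MAC that transmits the
    identical WEP payload `threshold` or more times inside `window` seconds,
    which is what an ARP-request replay looks like on the air."""
    by_key = defaultdict(list)
    for ts, p in timed:
        by_key[(p["sa"], p["payload"])].append(ts)
    alerts = []
    for (sa, _payload), times in by_key.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append((sa, len(times)))
                break
    return sorted(alerts)


# Addresses from post #5; the frames and timestamps below are constructed.
AP, CLIENT, BCAST = "00:80:c8:0b:9d:b6", "00:0b:6b:10:08:97", "ff:ff:ff:ff:ff:ff"


def sample_capture():
    frames = [(i * 0.5, build_wep_frame(False, True, BCAST, AP, AP, iv=0x100000 + i))
              for i in range(3)]                      # ordinary AP broadcasts, fresh IVs
    injected = build_wep_frame(True, False, AP, CLIENT, BCAST, iv=0x0A0B0C, body=b"\x11" * 36)
    frames += [(10.0 + i * 0.01, injected) for i in range(50)]  # one frame resent 50x in 0.5 s
    return frames


def analyse(frames):
    timed = [(ts, p) for ts, p in ((ts, parse_wep_frame(f)) for ts, f in frames) if p]
    return {"iv_reuse": find_iv_reuse([p for _, p in timed]),
            "replay": find_replay_bursts(timed)}


if __name__ == "__main__":
    print(analyse(sample_capture()))
```

The replay check keys on the exact ciphertext (IV plus body) rather than on frame length, so ordinary ARP chatter with fresh IVs does not trip it; the IV-reuse check is what exposes the same injection from the AP's side, since each replayed frame carries the IV it was first captured with. On a real capture, feed the raw 802.11 frames (radiotap header stripped) and timestamps in place of `sample_capture()`.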

Post #14, whoisvince, 03-27-2005

Thanks, devine. That makes sense. I'll associate a WEP enabled client with the 1000HW and post the results here.

Post #15, 17hz, 03-27-2005

Quote:
Originally Posted by devine
Right, some APs are not vulnerable to the chopchop attack. And yes, you absolutely need a correct IP, and moreover one IP that responds to arp-requests.
Hmm, so the IP that you need really only needs to be able to respond. What about an Internet IP on a network that happens to be providing Internet access via NAT or IP masquerading? Would this always generate a response?