====== Tutorial: Packets Supported for the PTW Attack ======
Version: 1.03 August 14, 2008\\
By: darkAudax


===== Introduction =====

Sometimes people report that PTW fails even though they have sufficient packets.  Sufficient meaning roughly 20,000 to 100,000 data packets.  For PTW to work correctly, it assumes packets are IP (ethertype 0x0800) or ARP (ethertype 0x0806).  The real life problem comes when some of the packets being used with aircrack-ng do not match this assumption.  In this case, they disrupt the PTW calculations and PTW fails to find the key.

This tutorial is intended to explore this problem in more detail.  Hopefully it will allow people to understand when alternate techniques are to be used.

Another important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys.

This [[http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/llc.html|web page]] briefly describes the IEEE 802.3 Logical Link Control.  It explains the following terms which are used in the table below:
Destination Service Access Point (DSAP) and the second address a Source Service Access Point (SSAP).  The LLC contains the following total of 8 bytes:

  * DSAP - 1
  * SSAP - 1
  * Control Frame Type - 1
  * Organization Code - 3
  * Protocol - 2

For IP (TCP/UDP/ICMP) packets:

   DSAP 0xAA SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x000000 Ethertype 0x0800

For ARP packets:

   DSAP 0xAA SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x000000 Ethertype 0x0806

Aircrack-ng is programmed by default to use the PTW method to determine the key.  This PTW method is broken into two phases.  The first phase uses only ARP packets for decryption.  ARP being defined as a broadcast destination MAC (FF:FF:FF:FF:FF:FF) and a length of 68 or 86 data bytes.  Please keep in mind that non-ARP packets can sometimes match this criteria and disrupt PTW.  The second phase uses all available data packets.  During the second phase, certain packets are ignored since they are known to be unusable with PTW.  The table below describes the packets known at this time.  Again, please keep in mind the fact that other packets may be inadvertently included which disrupt the PTW calculations.

The bottom line is that the PTW method normally works well but bad packets can sometimes cause it to fail.  If this is the case then you need to gather a much larger number of packets and use the Korek method to determine the WEP key.


===== Non-standard Packet Support =====

All IP and ARP packets are known to be supported.  The following table documents the current status of non-standard packet support for PTW.

^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^
|Spanning Tree 802.1D (STP)|Destination MAC 01:80:C2:00:00:00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|No.|
|Port Aggregation Protocol (PAgP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle ports on Catalys switches into EtherChannel.  Similar to Ethernet bonding in the linux world.|No|
|VLAN Trunking Protocol (VTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual  LANs (VLANs)|No|
|Cisco Inter Switch Link (ISL)|Destination MAC 01:00:0C:00:00:00|Unknown|Cisco Version.  Functionally similar to 802.1q.|Unknown|
|Dynamic Trunking Protocol (DTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2004|Negotiates trunk port mode between Cisco Catalyst switches.|No|
|Cisco Spanning Tree PVST+|Destination MAC 01:00:0C:CC:CC:CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010B|Cisco proprietary verson of the Spanning Tree Protocol.|No|
|Cisco STP Uplink Fast|Destination MAC 01:00:0C:CD:CD:CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x200A|Speeds up STP convergence time in the presence of reducant links on networks consisting of Catalys switches.|No|
|Cisco VLAN Bridge STP|Destination MAC 01:00:0C:CD:CD:CE|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010C|Operates on top of IEEE STP to bridge VLANS while running single instance of  STP.  Indicates presence of Catalyst 6000/6500 switches with Multilayer Switch Feature Cards (MSFCs) installed.|No|
|Cisco Sync|Destination MAC 01:00:0C:EE:EE:EE|Unknown|Sent by the root bridge on VLAN 1 every 2 minutes.  Helps to maintain an accurate STP topology.|Unknown|
|Cisco Discovery Protocol (STP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2000|CDP is used to discover and announce network devices.|No|
|Cisco Group Management Protocol (CGMP)|Destination MAC 01:00:0C:DD:DD:DD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2001|Limits the forwarding of IP multicast packets only to those ports associated with IP multicast clients on Catalyst switches.|No|


===== Bytes Needed for Decryption =====

For PTW we need "key length plus 3 bytes" keystream length.  As an example: A 40 bit WEP key is 5 bytes long.  So we need "5 bytes plus 3 bytes", thus 8 keystream bytes.  Keystream bytes are bytes that we know the unencrypted value.

For ARP packets, we know 22 keystream bytes.  ARPs can be used for 40 and 104 bit WEP cracking.

For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem.  For 104 bit WEP, there are 2 bytes which are completely unknown.  These are bruteforced.  And one final byte is guessed since there are only three possibilities.


===== Handy URLs =====

  * [[http://www.cavebear.com/archive/cavebear/Ethernet/multicast.html|Multicast Addresses]]
  * [[http://www.iana.org/assignments/ethernet-numbers|Ether Types]]