Differences

This shows you the differences between two versions of the page.

--- packetforge-ng [2007/01/27 18:31] – Added troubleshooting tip darkaudax
+++ packetforge-ng [2010/08/22 20:59] (current) – update "Usage" and fixed "mode" rendering mister_x
@@ Line 1: / Line 1: @@
 ====== Packetforge-ng ======
@@ Line 12: / Line 10: @@
 Usage: packetforge-ng <mode> <options>
-====Forge options:====
+====Forge options====
       *-p <fctrl>     : set frame control word (hex)
@@ Line 22: / Line 20: @@
       *-e             : disables WEP encryption
       *-k <ip[:port]> : set Destination IP [Port]
-      *-l <ip[:port]> : set Source      IP [Port]
+      *-l <ip[:port]> : set Source      IP [Port] (Dash lowercase letter L)
       *-t ttl         : set Time To Live
       *-w <file>      : write packet to this pcap file
-====Source options:====
+====Source options====
       *-r <file>      : read packet from this raw file
       *-y <file>      : read PRGA from this file
-====Modes:====
+====Modes ====
-      *--arp          : forge an ARP packet    (-0)
-      *--udp          : forge an UDP packet    (-1)
-      *--icmp         : forge an ICMP packet   (-2)
-      *--custom       : build a custom packet  (-9)
+      *-''''-arp          : forge an ARP packet    (-0)
+      *-''''-udp          : forge an UDP packet    (-1)
+      *-''''-icmp         : forge an ICMP packet   (-2)
+      *-''''-null         : build a null packet (-3)
+      *-''''-custom       : build a custom packet  (-9)
 ===== Usage Example =====
+==== Generating an arp request packet ====
 Here is an example of how to generate an arp request packet.
@@ Line 102: / Line 101: @@
-Usage Tip:
+==== Generating a null packet ====
+This option allows you to generate LLC null packets.  These are the smallest possible packets and contain no data.  The switch "-s" is used to manually set the size of the packet.  This a simple way to generate small packets for injection.
+Remember that the size value (-s) defines the absolute size of an unencrypted packet, so you need to add 8 bytes to get its final length after encrypting it (4 bytes for iv+idx and 4 bytes for icv). This value also includes the 802.11 header with a length of 24bytes.
+The command is:
+   packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor
+Where:
+  * --null means generate a LLC null packet (requires double dash).
+  * -s 42 specifies the packet length to be generated.
+  * -a BSSID is the MAC address of the access point.
+  * -h SMAC is the source MAC address of the packet to be generated.
+  * -w short-packet.cap is the name of the output file.
+  * -y fragment.xor is the name of the file containing the PRGA.
+==== Generating a custom packet ====
+If you want to generate a customer packet, first create a packet with the tool of your choice.  This could be a specialized tool, a hex editor or even from a previous capture.  Then save it as a pcap file.  Following this, run the command:
+   packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap
+Where:
+  * -9 means generate a custom packet.
+  * -r input.cap is the input file.
+  * -y keystream.xor is the file containing the PRGA.
+  * -w output.cap is the output file.
+When it runs, packetforge-ng will ask you which packet to use and then output the file.
+===== Usage Tips =====
+Most access points really don't care what IPs are used for the arp request.  So as a result you can use 255.255.255.255 for source and destination IPs.
+So the packetforge-ng command becomes:
+   packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request
+===== Usage Troubleshooting =====
+==== Including both -j and -o flags ====
+A common mistake people make is to include either or both -j and -o flags and create invalid packets.  These flags adjust the FromDS and ToDS flages in the packet generated.  Unless you are doing something special and really know what you are doing, don't use them.  In general, they are not needed.
+==== Error message "Mode already specified" ====
+This is commonly caused by using the number one (-1) instead of dash lowercase L (-l) in the command.
+Entering:
+   packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:14:6C:7E:40:80-03-00-14-6C-7E-40-80.xor -w arp-request
-   Most access points really don't care what IPs are used for the arp request.
+Gives:
-   So as a result you can use 255.255.255.255 for source and destination IPs.
+   Mode already specified.
+   "packetforge-ng --help" for help.
-   So the packetforge-ng command becomes:
-   packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100
-   -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request
-Troubleshooting Tip:
+This because -1 (number one) was used instead of the correct -l (the letter ell).  So simply use "-l".
-   A common mistake people make is to include either or both -j and -o flags and
-   create invalid packets.  These flags adjust the FromDS and ToDS flages in the
-   packet generated.  Unless you are doing something special and really know what
-   you are doing, don't use them.  In general, they are not needed.