Packetforge-ng

From the Wardriving-Forum.de encyclopedia

Packetforge-ng

Description

packetforge-ng is used to create encrypted packets that can later be used for injection. It can build many different kinds of packets, e.g. ARP requests, UDP, ICMP and custom packets. Normally, however, only the ARP request is used for injection.

To generate an encrypted packet you need the PRGA (pseudo random generation algorithm) file, which is obtained via Interactive Packet Replay, the chopchop attack or the fragmentation attack.

Usage

  packetforge-ng <mode> <options>

Forge options:

     * -p <fctrl>     : set frame control word (hex)
     * -a <bssid>     : set Access Point MAC address
     * -c <dmac>      : set Destination  MAC address
     * -h <smac>      : set Source       MAC address
     * -j             : set FromDS bit
     * -o             : clear ToDS bit
     * -e             : disables WEP encryption
     * -k <ip[:port]> : set Destination IP [Port]
     * -l <ip[:port]> : set Source      IP [Port] (dash, lowercase letter L)
     * -t ttl         : set Time To Live
     * -w <file>      : write packet to this pcap file

Source options:

     * -r <file>      : read packet from this raw file
     * -y <file>      : read PRGA from this file

Modes ("long modes" require double dashes):

     * --arp          : forge an ARP packet    (-0)
     * --udp          : forge a UDP packet     (-1)
     * --icmp         : forge an ICMP packet   (-2)
     * --null         : build a null packet    (-3)
     * --custom       : build a custom packet  (-9)

Usage examples

Generating an ARP request packet

First you need to create an xor file (PRGA), either with aireplay-ng, the chopchop attack or the fragmentation attack.

Command:

 packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request

Explanation:

 * -0 indicates you want an ARP request packet generated
 * -a 00:14:6C:7E:40:80 is the Access Point MAC address
 * -h 00:0F:B5:AB:CB:9D is the source MAC address you wish to use
 * -k 192.168.1.100 is the destination IP, i.e. in an ARP request the "Who has this IP" part
 * -l 192.168.1.1 is the source IP, i.e. in an ARP request the "Tell this IP" part
 * -y fragment-0124-161129.xor is the file containing the PRGA
 * -w arp-request is the pcap file the forged packet is written to

To see what the packet we just created looks like once decrypted, run:

  airdecap-ng -w <access point encryption key> arp-request

Result:

 Total number of packets read             1
 Total number of WEP data packets         1
 Total number of WPA data packets         0
 Number of plaintext data packets         0
 Number of decrypted WEP  packets         1
 Number of decrypted WPA  packets         0

To view the decrypted packet, enter the following command:

  tcpdump -n -vvv -e -s0 -r arp-request-dec

Result:

 reading from file arp-request-dec, link-type EN10MB (Ethernet)
 18:09:27.743303 00:0f:b5:ab:cb:9d > Broadcast, ethertype ARP (0x0806), length 42: arp who-has 192.168.1.100 tell 192.168.1.1

Exactly what we expected. Now we can inject it.

  aireplay-ng -2 -r arp-request ath0

The system responds:

       Size: 68, FromDS: 0, ToDS: 1 (WEP)
 
            BSSID  =  00:14:6C:7E:40:80
        Dest. MAC  =  FF:FF:FF:FF:FF:FF
       Source MAC  =  00:0F:B5:AB:CB:9D
 
       0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
       0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
       0x0020:  49fc 21ff 781a dc42 2f96 8fcc 9430 144d  I.!.x..B/....0.M
       0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
       0x0040:  d64f b709                                .O..
 
 Use this packet ? y
 
 Saving chosen packet in replay_src-0124-163529.cap
 You should also start airodump-ng to capture replies.
 End of file.

If you now enter "y", a packet created with packetforge-ng is injected.

Creating a null packet

This option allows you to generate LLC null packets. These are the smallest possible packets and contain no data. The switch "-s" is used to manually set the size of the packet. This is a simple way to generate small packets for injection.

Remember that the size value (-s) defines the absolute size of an unencrypted packet, so you need to add 8 bytes to get its final length after encrypting it (4 bytes for IV+idx and 4 bytes for ICV). This value also includes the 802.11 header, which is 24 bytes long.

Command:

  packetforge-ng --null -s 42 -a BSSID -h SMAC -w short-packet.cap -y fragment.xor

Explanation:

 * --null means generate a LLC null packet (requires double dash).
 * -s 42 specifies the packet length to be generated.
 * -a BSSID is the MAC address of the access point.
 * -h SMAC is the source MAC address of the packet to be generated.
 * -w short-packet.cap is the name of the output file.
 * -y fragment.xor is the name of the file containing the PRGA.

Creating a custom packet

If you want to generate a custom packet, first create a packet with the tool of your choice. This could be a specialized tool, a hex editor or even a packet taken from a previous capture. Then save it as a pcap file. Following this, run the command:

  packetforge-ng -9 -r input.cap -y keystream.xor -w output.cap

Explanation:

 * -9 means generate a custom packet.
 * -r input.cap is the input file.
 * -y keystream.xor is the file containing the PRGA.
 * -w output.cap is the output file.

When it runs, packetforge-ng will ask you which packet to use and then output the file.


Tips

Most access points do not care which IPs are used for the ARP attack, so we can use 255.255.255.255 as both source and destination IP.

The new packetforge-ng command therefore looks like this:

  packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:AB:CB:9D -k 255.255.255.255 -l 255.255.255.255 -y fragment-0124-161129.xor -w arp-request

Including both -j and -o flags

A common mistake people make is to include either or both of the -j and -o flags and thereby create invalid packets. These flags adjust the FromDS and ToDS flags in the generated packet. Unless you are doing something special and really know what you are doing, don't use them. In general, they are not needed.
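The frame that aireplay-ng printed above, the "-s plus 8 bytes" rule from the null-packet section and the effect of the FromDS/ToDS bits discussed here can all be checked with a small decoder. The following Python script is an added example; it is not part of the original page or of the aircrack-ng project. The hex dump it contains is copied from the aireplay-ng output above, the address roles per DS-bit combination follow the 802.11 standard, and the function names are my own.

```python
"""Decode a WEP-protected 802.11 data frame from an aireplay-ng style hex dump.

Added example, not code from the original page or from aircrack-ng.
Shows which address is BSSID / source / destination for the DS-bit
combination the frame carries, extracts the WEP IV and ICV, and checks
the size rule the page states for -s (on-air size = unencrypted size + 8).
"""

# Hex dump copied from the aireplay-ng output on this page (constructed input).
HEX_DUMP = """\
0x0000:  0841 0201 0014 6c7e 4080 000f b5ab cb9d  .A....l~@.......
0x0010:  ffff ffff ffff 8001 6c48 0000 0999 881a  ........lH......
0x0020:  49fc 21ff 781a dc42 2f96 8fcc 9430 144d  I.!.x..B/....0.M
0x0030:  3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1  :.....gC.V$.....
0x0040:  d64f b709                                .O..
"""

WEP_OVERHEAD = 8      # 4 bytes IV + key index in front, 4 bytes ICV at the end
HEADER_3ADDR = 24     # 802.11 data header with three addresses
HEADER_4ADDR = 30     # FromDS=1 and ToDS=1 (WDS) adds a fourth address


def hexdump_to_bytes(dump):
    """Turn lines of '0xOFFS:  xxxx xxxx ...  ascii' into raw bytes.

    Hex groups are exactly four hex digits; the first token that is not
    (the ASCII column) ends the line.
    """
    hexdigits = set("0123456789abcdefABCDEF")
    out = bytearray()
    for line in dump.splitlines():
        for token in line.split()[1:]:       # skip the "0x0000:" offset
            if len(token) != 4 or not set(token) <= hexdigits:
                break                        # reached the ASCII column
            out += bytes.fromhex(token)
    return bytes(out)


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211_data_frame(frame):
    """Parse MAC header and WEP trailer; body stays RC4-encrypted."""
    fc0, fc1 = frame[0], frame[1]
    to_ds = bool(fc1 & 0x01)
    from_ds = bool(fc1 & 0x02)
    if not fc1 & 0x40:
        raise ValueError("Protected bit not set: not a WEP frame")
    hdr_len = HEADER_4ADDR if (to_ds and from_ds) else HEADER_3ADDR
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Address roles depend on the DS bits, which is why -j / -o matter.
    if to_ds and not from_ds:           # station -> AP, what packetforge-ng -0 builds
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:         # AP -> station
        bssid, src, dst = a2, a3, a1
    elif not to_ds and not from_ds:     # IBSS / ad-hoc
        bssid, src, dst = a3, a2, a1
    else:                               # WDS: RA, TA, DA, SA (fourth address)
        bssid, src, dst = None, frame[24:30], a3
    seq_ctrl = int.from_bytes(frame[22:24], "little")
    return {
        "type": (fc0 >> 2) & 0x3,       # 2 == data frame
        "subtype": (fc0 >> 4) & 0xF,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "duration": int.from_bytes(frame[2:4], "little"),
        "bssid": mac(bssid) if bssid else None,
        "src": mac(src),
        "dst": mac(dst),
        "seq": seq_ctrl >> 4,
        "frag": seq_ctrl & 0xF,
        "iv": frame[hdr_len:hdr_len + 3].hex(),
        "key_index": frame[hdr_len + 3] >> 6,
        "body_len": len(frame) - hdr_len - WEP_OVERHEAD,   # encrypted payload
        "icv": frame[-4:].hex(),
        "plaintext_frame_len": len(frame) - WEP_OVERHEAD,  # the value -s would take
    }


def on_air_size(unencrypted_size):
    """Frame length after WEP encryption, per the rule stated for -s."""
    return unencrypted_size + WEP_OVERHEAD


def main():
    frame = hexdump_to_bytes(HEX_DUMP)
    for key, value in parse_80211_data_frame(frame).items():
        print(f"{key:>20}: {value}")
    print("null packet -s 42 ->", on_air_size(42), "bytes on air")


if __name__ == "__main__":
    main()
```

For the page's frame the decoder reports ToDS=1, FromDS=0, the AP as BSSID, 00:0f:b5:ab:cb:9d as source and the broadcast address as destination, exactly as aireplay-ng listed them, and a 36-byte encrypted body (8 bytes LLC/SNAP plus the 28-byte ARP request that tcpdump showed as a 42-byte Ethernet frame). Setting -j or clearing ToDS with -o moves the addresses into different roles, which is why a frame built with those flags by accident no longer says what you intended.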


Error message "Mode already specified"

This happens when -1 (minus one) is used instead of the correct -l (minus lowercase letter L).

Command:

  packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -1 255.255.255.255 -y 00:14:6C:7E:40:80-03-00-14-6C-7E-40-80.xor -w arp-request 

Error message:

  Mode already specified.
  "packetforge-ng --help" for help.