Showing posts from November 12, 2008

Easside-ng

Easside-ng is an auto-magic tool which allows you to communicate via a WEP-encrypted access point (AP) without knowing the WEP key. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme and then set up a TAP interface so that you can communicate with the AP without requiring the WEP key. All this is done without your intervention. There are two primary papers, “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Josua Lockey, which are of interest. See the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers. In order to access the wireless network without knowing the WEP key is done by having the AP

Wesside-ng

Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention. The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers. The two papers are “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Josua Lockey. See the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers. For you trivia buffs, who knows where the program name “we

Packetforge-ng

The purpose of packetforge-ng is to create encrypted packets that can subsequently be used for injection. You may create various types of packets such as ARP requests, UDP, ICMP and custom packets. The most common use is to create ARP requests for subsequent injection. To create an encrypted packet, you must have a PRGA (pseudo random generation algorithm) file. This is used to encrypt the packet you create. It is typically obtained from the aireplay-ng chopchop or fragmentation attacks.

Airtun-ng

Airtun-ng is a virtual tunnel interface creator. There are two basic functions: allow all encrypted traffic to be monitored for wireless Intrusion Detection System (wIDS) purposes, and inject arbitrary traffic into a network. In order to perform wIDS data gathering, you must have the encryption key and the BSSID for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as Snort. Traffic injection can be fully bidirectional if you have the full encryption key. It is outgoing unidirectional if you have the PRGA obtained via chopchop or fragmentation attacks. The prime advantage of airtun-ng over the other injection tools in the aircrack-ng suite is that you may use any tool subsequently to create, inject or sniff packets. Airtun-ng also has repeater and tcpreplay-type functionality. There is a repeater function which allows you to replay all traffic sniffed through a wireless device (interface specified by -

Airdecloak-ng

Airdecloak-ng is a tool that removes WEP cloaking from a pcap file. Some WIPS (actually one) can actively “prevent” cracking a WEP key by inserting chaff (fake WEP frames) in the air to fool aircrack-ng. In some rare cases, cloaking fails and the key can be recovered without removing this chaff. In the cases where the key cannot be recovered, use this tool to filter out the chaff. The program works by reading the input file and selecting packets from a specific network. Each selected packet is put into a list and classified (default status is “unknown”). Filters are then applied (in the order specified by the user) on this list. They will change the status of the packets (unknown, uncloaked, potentially cloaked or cloaked). The order of the filters is really important, since each filter bases its analysis, amongst other things, on the status of the packets, and different orders will give different results. Important requirement: The pcap file needs to have all packets (including beacons an

Tkiptun-ng

Tkiptun-ng Description NOTE: This documentation is still under development. Please check back on a regular basis to obtain the latest updates. If you have any feedback on the documentation, please post your comments to the Forum. NOTE: The tkiptun-ng SVN version is not fully working. A working version will be released shortly. Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of the aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created the PTW attack) for a conference talk at PacSec 2008: “Gone in 900 Seconds, Some Crypto Issues with WPA”. Tkiptun-ng is the proof-of-concept implementation of the WPA/TKIP attack. This attack is described in the paper “Practical attacks against WEP and WPA” written by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA. An additional excellent reference explaining how tkiptun-ng does its magic is this Ars Technica article: Batt