Sunday, January 13, 2008

Injecting using Aireplay

Now that we're monitoring our target, it's time to get those data numbers up. Leave open the window that has airodump running, and open a new Konsole shell. We will begin with aireplay attack 3. This attack waits until it finds an ARP, whatever that is, and replays it multiple times a second to create artificial data. It usually will not find any ARP until we create them, so we'll let it run and start another attack to create the ARP. To start attack 3:

Type: aireplay-ng -3 -e 07B402920894 rausb0

aireplay-ng - is the name of the program
-3 - is the number of the attack we're using. There are 6 attacks numbered from 0 - 5. For the time being, we'll be using only attacks 0, 1, and 3.
-e 07B402920894 - is the ESSID of the connection. You must substitute this with the name (ESSID) of your target.
rausb0 - is the name of my network interface. Here again, you must replace it with the name of your network card (ath0, eth0, ath1, rausb0...).

It is extremely important to note that while the BSSID is not case-sensitive, the ESSID is, meaning if it's in capital letters, you must enter it in capital letters, and the same with small letters. If you enter the BSSID instead using -b (as explained below), then you don't have to worry about this.

If you look around online, you'll always see people using more parameters for this attack and others. One is -h, which specifies the MAC address the attack is coming from. By default, if you don't specify a MAC, it will use the MAC address of your card, so I don't see the real necessity to use it in simple attacks like ours. Another parameter used is -b, which specifies the BSSID of the target AP. Here again, if you enter the ESSID (which is usually simpler to enter than the BSSID), then aireplay will retrieve the BSSID when it receives beacons from the AP. Therefore, for simplicity, we used the fewest parameters necessary.

When you press Enter, you should see something like:

No source MAC (-h) specified. Using the device MAC(xx:xx:xx:xx:xx:xx)
12:00:23 Waiting for beacon frame (ESSID 07B402920894) on channel 6
Found BSSID.....
Saving ARP requests...
You should also start airodump-ng to capture replies
Read 66 packets( got 0 ARP requests and 0 ACKs), sent 0 packets...(0 PPS)

In the first line it's telling us that by default it's using our card's MAC for the source.
In the next 2 lines it's retrieving the BSSID from the beacons using the ESSID supplied.
Next it tells you where it's saving the ARPs it finds.
Next it tells you to start airodump, which we already did.
The last line is where you want to see action. Currently there haven't been any ARP requests found. We will work to change that. Once it finds one ARP request, it will duplicate it, to artificially create many thousands of them. Wait for the fun to start. In the next post we'll use attacks 1 and 0 to get the ants crawling all over the connection.
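Seen from the network owner's side, the duplication described above is what gives the replay away: one encrypted frame (same transmitter, same WEP IV, same length) repeats hundreds of times a second. The detection sketch below is an added example, not part of the original post; the tuple layout, function names and thresholds are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict

def make_sample():
    """Constructed frames: (time_ms, transmitter MAC, WEP IV hex, length)."""
    frames = []
    # Ordinary client traffic: a fresh IV for every frame, varied sizes.
    for i in range(40):
        frames.append((i * 50, "00:11:22:33:44:55",
                       f"{0x1000 + i:06x}", 90 + (i * 37) % 900))
    # Legitimate link-layer retries: the same frame seen three times.
    for i in range(3):
        frames.append((500 + i, "00:11:22:33:44:55", "00beef", 120))
    # Replay pattern: one captured frame re-sent every 2 ms.
    for i in range(600):
        frames.append((1000 + i * 2, "66:77:88:99:aa:bb", "a1b2c3", 68))
    return sorted(frames)

def find_replay(frames, window_ms=1000, threshold=50):
    """Return {(mac, iv, length): peak} for every identical frame seen
    more than `threshold` times inside any `window_ms` sliding window."""
    seen = defaultdict(list)
    for ts, mac, iv, length in frames:
        seen[(mac, iv, length)].append(ts)
    alerts = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Drop timestamps that fell out of the window.
            while ts - stamps[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (mac, iv, length), peak in find_replay(make_sample()).items():
        print(f"possible replay: {mac} IV={iv} len={length} "
              f"peak={peak} copies per second")
```

The threshold keeps ordinary retries from raising an alert; in practice it would be tuned against normal traffic on the network being monitored.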

1 comment:

Phishy said...

I stumbled into your blog while teaching myself the aircrack method. I'm quite interested in learning this as part of my IT knowledge base and your site is going to come in handy.

A few points worth mentioning are driver issues: most of the people that try your guide won't have drivers that support injection (most Intel chipsets), and there's a simple fix for most. Here are the lines of code to replace Intel drivers with ipwraw to support injection on almost all HP notebooks:

tar -xjf ipwraw-ng*
cd ipwraw-ng
sudo make install
sudo make install_ucode
echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw
sudo depmod -ae

(to switch drivers to go into monitor mode)
sudo modprobe -r ipw3945
sudo modprobe ipwraw

(replacing ipw3945 with your driver)

to test injection
aireplay-ng --test INTERFACE