airtun-ng
airtun-ng [2007/04/26 17:28] – Added v.8 new features. Examples to come. darkaudax | airtun-ng [2015/04/12 23:15] (current) – Updated usage. mister_x | ||
Line 8: | Line 8: | ||
In order to perform wIDS data gathering, you must have the encryption key and the bssid for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as [[http:// | In order to perform wIDS data gathering, you must have the encryption key and the bssid for the network you wish to monitor. Airtun-ng decrypts all the traffic for the specific network and passes it to a traditional IDS system such as [[http:// | ||
- | Traffic injection can be fully bidirectional if you have the full encyption | + | Traffic injection can be fully bidirectional if you have the full encryption |
- | Airtun-ng also has repeater and tcpreplay-type functionality. | + | Airtun-ng also has repeater and tcpreplay-type functionality. |
- | Airtun-ng only runs on linux platforms. | + | Airtun-ng only runs on linux platforms |
===== Usage ===== | ===== Usage ===== | ||
- | usage: airtun-ng < | + | Usage: airtun-ng < |
- | *-x nbpps : maximum number of packets per second (optional) | + | *-x nbpps : maximum number of packets per second (optional) |
- | *-a bssid : set Access Point MAC address (mandatory) | + | *-a bssid : set Access Point MAC address (mandatory). In WDS Mode this sets the Receiver |
- | *-i iface : capture packets from this interface (optional) | + | *-i iface : capture packets from this interface (optional) |
- | *-y file | + | *-y file : read PRGA from this file (optional / one of -y or -w must be defined) |
*-w wepkey : use this WEP-KEY to encrypt packets (optional / one of -y or -w must be defined) | *-w wepkey : use this WEP-KEY to encrypt packets (optional / one of -y or -w must be defined) | ||
- | *-t tods | + | |
- | *-r file : read frames out of pcap file (optional) | + | *-e essid : target network SSID (use with -p) |
+ | | ||
+ | *-r file : read frames out of pcap file (optional) | ||
+ | *-h MAC : source MAC address | ||
+ | *-H : Display help. Long form --help | ||
- | | + | WDS/Bridge Mode options: |
- | *--repeat | + | *-s transmitter : set Transmitter MAC address for WDS Mode |
- | *--bssid < | + | *-b : bidirectional mode. This enables communication in Transmitter' |
- | *--netmask < | + | |
+ | Repeater options (the following all require double dashes): | ||
+ | *- -repeat : activates repeat mode. Short form -f. | ||
+ | *- -bssid <mac> : BSSID to repeat. | ||
+ | *- -netmask < | ||
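Review bot: the -y/-w entry still says one of the two "must be defined", yet the Repeater and Packet Replay examples added further down in this same revision run with neither and print "No encryption specified", so the sentence should say when the requirement actually applies rather than presenting it as unconditional. Also, the new repeater entries spell the options as "- -repeat", "- -bssid" and "- -netmask" with a space between the dashes; a reader copying them gets a broken command, so wrap them in DokuWiki nowiki markup (for example %%--repeat%%) to keep the literal double dash that the heading says is required.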
Line 50: | Line 58: | ||
| | ||
- | You notice above that it created the **at0** interface. Switch to another console | + | You notice above that it created the **at0** interface. Switch to another console |
| | ||
- | This interface (at0) will receive a copy of every wireless network packet. The packets will have been decrypted with the key you have provided. | + | This interface (at0) will receive a copy of every wireless network packet. The packets will have been decrypted with the key you have provided. |
==== WEP injection ==== | ==== WEP injection ==== | ||
Line 109: | Line 117: | ||
The next scenario is copying packets from the optional interface. | The next scenario is copying packets from the optional interface. | ||
+ | |||
+ | ==== Repeater Mode ==== | ||
+ | |||
+ | This scenario allows you to repeat all packets from one wireless card to another. | ||
+ | |||
+ | Prior to running the following command, you must use airmon-ng to put each card into monitor mode on the the appropriate channels: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | * -a 00: | ||
+ | * - -repeat specifies that inbound packets from the -i interface be repeated on the output interface. | ||
+ | * - -bssid 00: | ||
+ | * -i ath0 is input interface from which packets are read. | ||
+ | * wlan0 is the output interface. | ||
+ | |||
+ | The system responds: | ||
+ | |||
+ | | ||
+ | No encryption specified. Sending and receiving frames through wlan0. | ||
+ | | ||
+ | |||
+ | At this point, any packets for the AP (00: | ||
+ | |||
+ | ==== Packet Replay Mode ==== | ||
+ | |||
+ | You can replay any previous capture. | ||
+ | |||
+ | You enter the command: | ||
+ | |||
+ | | ||
+ | |||
+ | Where: | ||
+ | * -a 00: | ||
+ | * -r ath0one-01.cap in the name of the pcap file to be replayed. | ||
+ | * ath0 is the output interface. | ||
+ | |||
+ | The system responds: | ||
+ | |||
+ | | ||
+ | No encryption specified. Sending and receiving frames through ath0. | ||
+ | | ||
+ | | ||
+ | |||
+ | Please note that the file contents are transmitted exactly as is. You may ignore the message " | ||
+ | |||
+ | ==== Tunneling traffic into WDS networks or WiFi Bridges ==== | ||
+ | |||
+ | If you use a recent version of airtun-ng, you can use its WDS support to inject traffic into WDS networks and WiFi bridges. | ||
+ | Bridges are pretty secure since traffic may be sniffed, but it is impossible to connect with them to send data into the networks. | ||
+ | This is where airtun-ng comes into the game. With airtun-ng you can impersonate either of the two endpoints to interact with the other one. Lets assume you can only see one node of the bridge, this is how you can check if an attacker could inject traffic into this side of the network: | ||
+ | |||
+ | * There are two nodes AA: | ||
+ | * Your attacking client can only send to and receive from node A. | ||
+ | * In this case you will only see packets with Transmitter = A and Receiver = B on your interface. | ||
+ | * If you impersonate node B, you could inject traffic into the network behind node A. | ||
+ | |||
+ | This is how to setup airtun-ng for this scenario: | ||
+ | |||
+ | | ||
+ | |||
+ | If you are able to see both sides of a WDS/Bridge network, you can enable bidirectional mode. This enables communication with both endpoint' | ||
+ | |||
+ | | ||
+ | |||
+ | WDS mode is fully compatible with WEP encryption, so you can use the -w and -y flags as usual. | ||
+ | However, Repeater Mode hasn't been tested with WDS. | ||
===== Usage Tips ===== | ===== Usage Tips ===== | ||
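Review bot: two typos in the new scenario text: the airmon-ng sentence reads "on the the appropriate channels", and the Packet Replay list reads "-r ath0one-01.cap in the name of the pcap file" where "is the name" is meant. The closing WDS paragraph also states that "Repeater Mode hasn't been tested with WDS"; repeating that limitation next to the Repeater options in the usage list would put it where users look first.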
Line 117: | Line 192: | ||
You can also inject management and control frames. | You can also inject management and control frames. | ||
- | |||
===== Usage Troubleshooting ===== | ===== Usage Troubleshooting ===== | ||
+ | ==== I can't find the airtun-ng tool! ==== | ||
Windows platforms - "I can't find the airtun-ng tool!" | Windows platforms - "I can't find the airtun-ng tool!" | ||
+ | ==== Error opening tap device: No such file or directory ==== | ||
+ | |||
+ | When you run airtun-ng, you get a message similar to "error opening tap device: No such file or directory" | ||
+ | |||
+ | Make sure you have the OpenVPN package installed and run: | ||
+ | |||
+ | | ||
+ | |||
+ | This loads the " | ||
+ | |||
+ | ==== Error creating tap interface: Permission denied ==== | ||
+ | |||
+ | See the following [[faq# | ||
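Review bot: the new "I can't find the airtun-ng tool!" heading sits directly above the unchanged "Windows platforms - "I can't find the airtun-ng tool!"" line, so the title now appears twice in a row; drop the quoted phrase from the body line and keep only the platform note. The "Permission denied" subsection only links out to the FAQ; a one-sentence summary of the cause before the link would keep the fix readable on this page.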
airtun-ng.txt · Last modified: 2015/04/12 23:15 by mister_x