Aircrack-ng forum

General Category => General help => Topic started by: buddha on July 18, 2013, 06:47:19 pm

Title: Can we use airbase-ng to host WPA2 Access point?
Post by: buddha on July 18, 2013, 06:47:19 pm
Can we use airbase-ng to host a WPA2 access point? I have tried it to host an open network; how do I host a WPA2 network with airbase-ng?
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: jaimechiquita111 on July 18, 2013, 10:43:25 pm
Choose a network that has connected clients. You can create an AP Twin (APT) named Wireless Lab or the same ESSID but different BSSID and MAC with the command
root@kali:~# airbase-ng -a aa:aa:aa:aa:aa:aa --essid "Wireless Lab" -c 11 mon0
The shell window shows all communications with the twin.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: buddha on July 19, 2013, 08:38:52 am
Hi,

The above command only creates an AP with no encryption; my question is how to apply encryption on the fake AP.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: jaimechiquita111 on July 22, 2013, 09:07:00 pm
airbase-ng can only use a WEP key; it's the -w option. To see the full capabilities, do root@linux:~# airbase-ng --help
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on August 17, 2013, 09:34:22 am
As Musket Team Alpha is working on this matter we appended a kali-linux entry (not ours) for your purview.
You will see commands for WPA2 in the airbase-ng command line. Our interest is in setting up a rogue AP that indicates it is encrypted with WPA2 but in fact is open. Hence our interests cross only in that airbase-ng may support WPA2.

We have yet to test the information below:
*************
This is a common easy way to set a rogue access point to do a mitm attack. The last step is very important and many times forgotten. Bring the bridge up with ifconfig.

If you do so you should also be able to see the bridge when running ifconfig. # brctl show will enable you to show all available bridges and its interfaces connected to it.
This way you don't need a script. Any client connected to the rogue access point should have an internet connection and the ability to use it.


# airbase-ng --essid rogue -c (channel) -a (bssid) mon0 ==> for open authentication or [-W 1 (for wep)/ -W 1 -z 2 (for wpa)/ -W 1 -Z 2 (for wpa2)]
# brctl addbr (wifi-bridge)
# brctl addif (wifi-bridge) eth0
# brctl addif (wifi-bridge) at0
# ifconfig at0 0.0.0.0 up
# ifconfig eth0 0.0.0.0 up
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ifconfig (wifi-bridge) up

Self Add
## -a mac address of access point


apt-get install bridge-utils

Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: rastamouse on March 29, 2014, 09:49:01 pm
I hate to resurrect an old thread, but I'm in search of some more up-to-date info on this topic.

I am also trying to bring up a WPA2 AES (CCMP) AP using airbase-ng but I'm not having much luck.  I am using the following command:

# airbase-ng -c 6 --essid "test" -a AA:AA:AA:AA:AA:AA -W 1 -Z 4 -V 3 wlan0mon

I have a Windows 7 host which throws up an error when trying to connect, and a Windows XP host which seems to momentarily connect but then drops off.  This is the case when using -z and -Z.  I've also tried a few variations such as removing the -V and -W arguments, but I get the same results.
I've also tried no encryption and WEP encryption, which my Windows host can successfully connect to and ping the at0 interface.
I'm running this on Kali Linux with airbase-ng 1.2 beta2 and an Alfa AWUS036H (rtl8187 chipset with the mac80211 driver).

I haven't yet taken proper analysis of a packet capture, I shall be doing that in due course but I'm by no means an expert.  Happy to provide any dumps if that would prove useful.  Any thoughts from anybody?
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on April 06, 2014, 09:30:08 am
For starters in your example you are using Z 4 not Z 2

If we understand your thread correctly airbase-ng is working for you except when you try and add WPA Encryption.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: rastamouse on April 07, 2014, 04:33:58 pm
Hi musket,

I've tried Z 4 and Z 2 with the same results.

But yes, you understand me correctly.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on April 08, 2014, 12:01:25 am
You might try testing association with:

 aireplay-ng -1 10 -a  ta:rg:et:ma:co:de mon0

For WPA you should get  a warning that it is WPA. For WPA2 association is allowed.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: rastamouse on April 20, 2014, 04:51:30 pm
I've been back over this and created two access points (separately) with:

Code:
airbase-ng -a AA:AA:AA:AA:AA:AA -c 1 -e "Wi-Fu" -W 1 -z 2 -V 3 mon1
airbase-ng -a AA:AA:AA:AA:AA:AA -c 1 -e "Wi-Fu" -W 1 -Z 4 -V 3 mon1

So WPA TKIP and WPA2 CCMP (AES) APs.

On each occasion, I attempted a fake association (as musket suggested).

Code:
aireplay-ng -1 10 -a AA:AA:AA:AA:AA:AA mon0

However, contrary to what he implied, the association was successful on both APs.

I also attempted to join these APs using my Windows host, and took an airodump of the exchange.  It seems that the fake APs terminate the handshake process, as they do not respond with Message 3.  The Windows host re-transmits Message 2 a bunch of times, and then gives up.
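The symptom described in the post above (Message 2 retransmitted, no Message 3) can be confirmed from a capture by classifying each EAPOL-Key frame by its Key Information flags. This is an added example, not part of the original post or of aircrack-ng; the helper names and the sample frames are constructed for illustration.

```python
import struct

# Key Information flag bits of the EAPOL-Key descriptor (IEEE 802.11)
PAIRWISE, INSTALL, KEY_ACK, KEY_MIC = 0x0008, 0x0040, 0x0080, 0x0100

def classify(eapol: bytes):
    """Return 1-4 for a pairwise 4-way handshake message, else None."""
    # 4-byte 802.1X header + 95-byte key descriptor; packet type 3 = EAPOL-Key
    if len(eapol) < 99 or eapol[1] != 3:
        return None
    (key_info,) = struct.unpack_from(">H", eapol, 5)
    (data_len,) = struct.unpack_from(">H", eapol, 97)
    if not key_info & PAIRWISE:
        return None                      # group key handshake, not the 4-way
    ack, mic = key_info & KEY_ACK, key_info & KEY_MIC
    if ack and not mic:
        return 1                         # AP -> client: ANonce
    if ack and mic and key_info & INSTALL:
        return 3                         # AP -> client: install PTK, wrapped GTK
    if mic and not ack:
        return 2 if data_len else 4      # client: M2 carries its RSN IE, M4 is empty
    return None

def diagnose(frames):
    """Summarise where a captured handshake stopped."""
    seen = [m for m in map(classify, frames) if m]
    if not seen:
        return seen, "no 4-way handshake frames"
    if 4 in seen:
        return seen, "handshake completed"
    last = max(seen)
    waiting_on = "AP" if last % 2 == 0 else "client"
    return seen, f"stalled: message {last} sent {seen.count(last)}x, no reply from {waiting_on}"

def build(key_info, replay, key_data=b""):
    """Constructed sample frame; nonce, IV, RSC and MIC are left zeroed."""
    body = struct.pack(">BHHQ", 2, key_info, 16, replay) + bytes(80)
    body += struct.pack(">H", len(key_data)) + key_data
    return struct.pack(">BBH", 2, 3, len(body)) + body

# Constructed capture matching the symptom: M1 once, then M2 retransmitted.
SAMPLE = [build(0x008A, 1)] + [build(0x010A, 1, bytes(22)) for _ in range(4)]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The input to `classify` is the EAPOL payload starting at the 802.1X version byte, after the 802.11 and LLC/SNAP headers have been stripped.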
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on April 30, 2014, 06:54:37 am
Dear rastamouse

       We have been studying this fake WPA2 matter with airbase-ng. First there is no way to put a WPA key in the command line. You can put a WEP key in the command line with:

airbase-ng -a 00:11:22:33:44:55 -c 1 --essid test -w 1234567890  mon0

       It seems that airbase-ng has this WPA facility so that you can induce a client to associate and you can collect a handshake. See:

     http://theunl33t.blogspot.com/2011/09/no-access-point-no-problem-how-to-get.html


       All this being said we are having little success in even getting an association to an open essid using just airbase-ng.

        We will run some tests with PwnStar. We will change the airbase-ng command line in the Eterm window so that it is seen as a WPA2 site and add the -w and use a WEP hex code and see what happens.

        If successful we will get back to you here.

Musket Team D
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on April 30, 2014, 11:32:40 am
We tested association and data transference ability of airbase-ng using PwnStar9.0 and various encryptions. We set up a simple webserver with DNS Spoof. The Eterm window running the Bulleye AP setup that starts airbase-ng with a specific essid name was altered.

The following worked as outlined:

The below command line in PwnStar gave us a WEP labeled site with an OPEN WEP key and allowed data exchange.

airbase-ng -c 1 -e test -w 1234567890 -z 1 -v mon0
airbase-ng -c 1 -e test -w 12345678901234567890123456 -z 1 -v mon0

The below command line gave us a TKIP labeled site encrypted with an OPEN WEP key. If you force the client to associate using Open WEP, the association can take place and data exchanged even though the site is labeled as WPA TKIP.

airbase-ng -c 1 -e test -w 1234567890 -z 2 -v mon0
airbase-ng -c 1 -e test -w 12345678901234567890123456 -z 2 -v mon0

The below command line gave us an AES labeled site encrypted with an OPEN WEP key. If you force the client to associate using Open WEP, the association can take place and data exchanged even though the site is labeled as AES.

airbase-ng -c 1 -e test -w 1234567890 -Z 4 -v mon0
airbase-ng -c 1 -e test -w 12345678901234567890123456 -Z 4 -v mon0

How this can be used is under review. You can certainly confuse any attacker on the surface by labeling your AP as AES while using WEP. They might not even consider looking to see if it can be broken using the various WEP cracking techniques available and collecting handshakes would be worthless. As airbase-ng only allows you one encryption type hiding the vulnerable WEP behind an AES mask would seem prudent.

The key must be in hex (i.e. A thru F and 0 thru 9). Only 10 hex digits or 26 hex digits in length are accepted (i.e. WEP40 and WEP104). We found no way to set up a site that actually used WPA as the encryption type. The same key must be used in the client's computer. For the alphabetical hex characters A thru F you can use capitals or small caps; either works fine.

Musket Team Delta
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: rastamouse on April 30, 2014, 01:44:09 pm
"We found no way to set up a site that actually used WPA as the encryption type."

Do you know what is causing this limitation?  Is it simply not coded properly into airbase-ng; or is there something fundamental about how WPA works that makes this not possible?
As far as I understand, if it were possible to feed a WPA passphrase into airbase (just like you can for WEP), then as long as the client had the same passphrase then communication between the two would be possible.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on April 30, 2014, 02:54:42 pm
   The menu for airbase-ng has no method to input a WPA key in the airbase-ng command line. Only the -w WEP entry is found. We did not outline all our failures during these tests. For example if you put a number string eleven in length after the -w then airbase-ng fails. It will only take 10 or 26 in length regardless of the -z or -Z entries.
    The author of airbase-ng needs to put a WPA routine into the program. We would like to see the facility incorporated as it will let us develop more advanced WPA phishing procedures.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: rastamouse on April 30, 2014, 08:44:55 pm
"The author of airbase-ng needs to put a WPA routine into the program. We would like to see the facility incorporated as it will let us develop more advanced WPA phishing procedures."

Agreed  :)  This is what I was trying to do also.
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: misterx on May 01, 2014, 04:36:06 am
musket33, adding WPA encryption to airbase-ng is not as easy as you think.

Check out the code for WEP encryption and I can tell you that it's gonna be a lot more complicated to do WPA. We have to maintain per client session key, a GTK, and we have to handle both TKIP and AES as well as renewing the keys (per client and GTK).
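The per-client state mentioned in the reply above follows from how WPA/WPA2-PSK derives keys: the passphrase only produces the PMK, and each client's traffic key comes from that PMK plus both MAC addresses and both handshake nonces. The sketch below is an added example, not code from airbase-ng or from any poster. It covers the CCMP pairwise key only (no GTK, TKIP or rekeying), and every MAC, nonce, SSID and passphrase in it is constructed.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: the passphrase only yields the PMK, never a traffic key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF built on HMAC-SHA1."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """Per-client pairwise key for CCMP (48 bytes: KCK, KEK, TK)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}

def ap_key_table(passphrase, ssid, ap_mac, handshakes):
    """State an AP must keep: one PTK per associated client.
    handshakes maps station MAC -> (ANonce, SNonce) from that client's handshake."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    return {sta: derive_ptk(pmk, ap_mac, sta, an, sn)
            for sta, (an, sn) in handshakes.items()}

def nonce(tag: bytes) -> bytes:
    """Constructed 32-byte nonce so the example is repeatable (real ones are random)."""
    return hashlib.sha256(tag).digest()

# Constructed values: MACs, SSID, passphrase and nonces are all made up.
AP_MAC = bytes.fromhex("aaaaaaaaaaaa")
STA1, STA2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
TABLE = ap_key_table("example passphrase", "test", AP_MAC, {
    STA1: (nonce(b"anonce-1"), nonce(b"snonce-1")),
    STA2: (nonce(b"anonce-2"), nonce(b"snonce-2")),
})

if __name__ == "__main__":
    for sta, keys in TABLE.items():
        print(sta.hex(":"), "TK =", keys["TK"].hex())
```

Two clients using the same passphrase end up with different temporal keys, and a reconnecting client gets a new one, which is the bookkeeping a static WEP key never required.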
Title: Re: Can we use airbase-ng to host WPA2 Access point?
Post by: musket33 on May 01, 2014, 08:25:59 am
Dear Mr X.
     We are happy with the tools you have provided for our use. Do not take our desire for features to imply that you are in any way obligated to provide them.

Musket Teams