Aircrack-ng forum
General Category => General help => Topic started by: buddha on July 18, 2013, 06:47:19 pm
-
Can we use airbase-ng to host a WPA2 access point? I have tried it to host an open network; how do I host a WPA2 network with airbase-ng?
-
Choose a network that has connected clients. You can create an AP Twin
(APT) named Wireless Lab or the same ESSID but different BSSID and MAC with the command
root@kali:~# airbase-ng -a aa:aa:aa:aa:aa:aa --essid "Wireless Lab" -c 11 mon0
The shell window shows all communications with the twin.
-
Hi,
The above command only creates an AP with no encryption; my question is how to apply encryption on the fake AP.
-
airbase-ng can only use a WEP key; it's the -w option. To see the full capabilities, run root@linux:~# airbase-ng --help
-
As Musket Team Alpha is working on this matter, we appended a kali-linux entry (not ours) for your perusal.
You will see commands for WPA2 in the airbase-ng command line. Our interest is in setting up a rogue AP that indicates it is encrypted with WPA2 but in fact is open. Hence our interests cross only in that airbase-ng may support WPA2.
We have yet to test the information below:
*************
This is a common easy way to set up a rogue access point to do a MITM attack. The last step is very important and many times forgotten: bring the bridge up with ifconfig.
If you do so, you should also be able to see the bridge when running ifconfig. # brctl show will show all available bridges and the interfaces connected to them.
This way you don't need a script. Any client connected to the rogue access point should have an internet connection and the ability to use it.
# airbase-ng --essid rogue -c (channel) -a (bssid) mon0 ==> for open authentication or [-W 1 (for wep)/ -W 1 -z 2 (for wpa)/ -W 1 -Z 2 (for wpa2)]
# brctl addbr (wifi-bridge)
# brctl addif (wifi-bridge) eth0
# brctl addif (wifi-bridge) at0
# ifconfig at0 0.0.0.0 up
# ifconfig eth0 0.0.0.0 up
# echo 1 > /proc/sys/net/ipv4/ip_forward
# ifconfig (wifi-bridge) up
Self Add
## -a MAC address of the access point
apt-get install bridge-utils
-
I hate to resurrect an old thread, but I'm in search of some more up-to-date info on this topic.
I am also trying to bring up a WPA2 AES (CCMP) AP using airbase-ng but I'm not having much luck. I am using the following command:
# airbase-ng -c 6 --essid "test" -a AA:AA:AA:AA:AA:AA -W 1 -Z 4 -V 3 wlan0mon
I have a Windows 7 host which throws up an error when trying to connect, and a Windows XP host which seems to momentarily connect but then drops off. This is the case when using -z and -Z. I've also tried a few variations such as removing the -V and -W arguments, but I get the same results.
I've also tried no encryption and WEP encryption, which my Windows host can successfully connect to and ping the at0 interface.
I'm running this on Kali Linux with airbase-ng 1.2 beta2 and an Alfa AWUS036H (rtl8187 chipset with the mac80211 driver).
I haven't yet done a proper analysis of a packet capture; I shall be doing that in due course, but I'm by no means an expert. Happy to provide any dumps if that would prove useful. Any thoughts from anybody?
-
For starters, in your example you are using -Z 4, not -Z 2.
If we understand your thread correctly, airbase-ng is working for you except when you try to add WPA encryption.
-
Hi musket,
I've tried -Z 4 and -Z 2 with the same results.
But yes, you understand me correctly.
-
You might try testing association with:
aireplay-ng -1 10 -a ta:rg:et:ma:co:de mon0
For WPA you should get a warning that it is WPA. For WPA2 association is allowed.
-
I've been back over this and created two access points (separately) with:
airbase-ng -a AA:AA:AA:AA:AA:AA -c 1 -e "Wi-Fu" -W 1 -z 2 -V 3 mon1
airbase-ng -a AA:AA:AA:AA:AA:AA -c 1 -e "Wi-Fu" -W 1 -Z 4 -V 3 mon1
So WPA TKIP and WPA2 CCMP (AES) APs.
On each occasion, I attempted a fake association (as musket suggested).
aireplay-ng -1 10 -a AA:AA:AA:AA:AA:AA mon0
However, contrary to what he implied, the association was successful on both APs.
I also attempted to join these APs using my Windows host, and took an airodump of the exchange. It seems that the fake APs terminate the handshake process, as they do not respond with Message 3. The Windows host re-transmits Message 2 a bunch of times, and then gives up.
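The stalled handshake described above (client keeps retransmitting message 2, AP never sends message 3) can be spotted mechanically from the EAPOL-Key Key Information field. This is an added example, not code from the thread or from aircrack-ng; the frame list is constructed, and `classify`/`stalled_handshakes` are hypothetical names.

```python
"""Classify WPA/WPA2 4-way handshake messages from the EAPOL-Key
Key Information field and flag handshakes that stall after message 2.
Added example; frames below are constructed, not a real capture."""
from collections import defaultdict
from typing import Optional

# Key Information bit masks (IEEE 802.11 EAPOL-Key frame)
KEY_TYPE_PAIRWISE = 0x0008
INSTALL = 0x0040
KEY_ACK = 0x0080
KEY_MIC = 0x0100
SECURE = 0x0200


def classify(key_info: int) -> Optional[int]:
    """Return 1..4 for a pairwise handshake message, None otherwise."""
    if not key_info & KEY_TYPE_PAIRWISE:
        return None  # group-key handshake or something else
    ack = bool(key_info & KEY_ACK)
    mic = bool(key_info & KEY_MIC)
    install = bool(key_info & INSTALL)
    secure = bool(key_info & SECURE)
    if ack and not mic:
        return 1            # AP -> STA: ANonce
    if ack and mic and install:
        return 3            # AP -> STA: install PTK, carries GTK
    if mic and not ack:
        return 4 if secure else 2   # STA -> AP
    return None


def stalled_handshakes(frames, retries=3):
    """frames: iterable of (src_mac, dst_mac, key_info).
    Returns the set of (ap, client) pairs where the client sent message 2
    at least `retries` times and the AP never replied with message 3."""
    m2_count = defaultdict(int)
    got_m3 = set()
    for src, dst, key_info in frames:
        msg = classify(key_info)
        if msg == 2:
            m2_count[(dst, src)] += 1   # keyed as (ap, client)
        elif msg == 3:
            got_m3.add((src, dst))
    return {p for p, n in m2_count.items() if n >= retries and p not in got_m3}


# Constructed capture: AP sends M1, client answers M2 four times, no M3 ever.
AP, STA = "aa:aa:aa:aa:aa:aa", "cc:cc:cc:cc:cc:cc"
SAMPLE = [(AP, STA, 0x008A)] + [(STA, AP, 0x010A)] * 4
```

Feeding the same function a capture that contains all four messages (0x008A, 0x010A, 0x13CA, 0x030A) returns an empty set.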
-
Dear rastamouse
We have been studying this fake WPA2 matter with airbase-ng. First, there is no way to put a WPA key in the command line. You can put a WEP key in the command line with:
airbase-ng -a 00:11:22:33:44:55 -c 1 --essid test -w 1234567890 mon0
It seems that airbase-ng has this WPA facility so that you can induce a client to associate and you can collect a handshake. See:
http://theunl33t.blogspot.com/2011/09/no-access-point-no-problem-how-to-get.html
All this being said we are having little success in even getting an association to an open essid using just airbase-ng.
We will run some tests with PwnStar. We will change the airbase-ng command line in the Eterm window so that it is seen as a WPA2 site, add the -w and use a WEP hex code, and see what happens.
If successful we will get back to you here.
Musket Team D
-
We tested association and data transfer ability of airbase-ng using PwnStar9.0 and various encryptions. We set up a simple webserver with DNS Spoof. The Eterm window running the Bulleye AP setup that starts airbase-ng with a specific essid name was altered.
The following worked as outlined:
The below command line in PwnStar gave us a WEP-labeled site with an OPEN WEP key and allowed data exchange.
airbase-ng -c 1 -e test -w 1234567890 -z 1 -v mon0
airbase-ng -c 1 -e test -w 12345678901234567890123456 -z 1 -v mon0
The below command line gave us a TKIP-labeled site encrypted with an OPEN WEP key. If you force the client to associate using Open WEP, the association can take place and data can be exchanged even though the site is labeled as WPA TKIP.
airbase-ng -c 1 -e test -w 1234567890 -z 2 -v mon0
airbase-ng -c 1 -e test -w 12345678901234567890123456 -z 2 -v mon0
The below command line gave us an AES-labeled site encrypted with an OPEN WEP key. If you force the client to associate using Open WEP, the association can take place and data can be exchanged even though the site is labeled as AES.
airbase-ng -c 1 -e test -w 1234567890 -Z 4 -v mon0
airbase-ng -c 1 -e test -w 12345678901234567890123456 -Z 4 -v mon0
How this can be used is under review. You can certainly confuse any attacker on the surface by labeling your AP as AES while using WEP. They might not even consider looking to see if it can be broken using the various WEP cracking techniques available, and collecting handshakes would be worthless. As airbase-ng only allows you one encryption type, hiding the vulnerable WEP behind an AES mask would seem prudent.
The key must be in hex (i.e. A through F and 0 through 9). Only 10 hex digits or 26 hex digits in length are accepted (i.e. WEP40 and WEP104). We found no way to set up a site that actually used WPA as the encryption type. The same key must be used in the client's computer. For the alphabetical hex characters A through F you can use capitals or lowercase; either works fine.
Musket Team Delta
-
We found no way to setup a site that actually used WPA as the encryption type.
Do you know what is causing this limitation? Is it simply not coded properly into airbase-ng; or is there something fundamental about how WPA works that makes this not possible?
As far as I understand, if it were possible to feed a WPA passphrase into airbase (just like you can for WEP), then as long as the client had the same passphrase then communication between the two would be possible.
-
The menu for airbase-ng has no method to input a WPA key in the airbase-ng command line. Only the -w WEP entry is found. We did not outline all our failures during these tests. For example, if you put a number string eleven in length after the -w then airbase-ng fails. It will only take 10 or 26 in length regardless of the -z or -Z entries.
The author of airbase-ng needs to put a WPA routine into the program. We would like to see the facility incorporated as it will let us develop more advanced WPA phishing procedures.
-
The author of airbase-ng needs to put a WPA routine into the program. We would like to see the facility incorporated as it will let us develop more advanced WPA phishing procedures.
Agreed :) This is what I was trying to do also.
-
musket33, adding WPA encryption to airbase-ng is not as easy as you think.
Check out the code for WEP encryption and I can tell you that it's gonna be a lot more complicated to do WPA. We have to maintain a per-client session key and a GTK, and we have to handle both TKIP and AES as well as renewing the keys (per client and GTK).
-
Dear Mr X.
We are happy with the tools you have provided for our use. Do not take our desire for features to imply that you are in any way obligated to provide them.
Musket Teams