Aircrack-ng
Topic: Determining an IP address for the fragmentation attack

darkAudax (Administrator, Hero Member, Posts: 5597)
Determining an IP address for the fragmentation attack
« on: January 04, 2007, 05:40:34 pm »

Greetings,

In order to use the aireplay-ng fragmentation attack, you must know the network address space used for the access point.  There is no direct way to determine this.

Some indirect ways are:
1) Based on the wireless access point, a good guess is the default address range for the make/model.
2) Try commonly used networks such as 192.168.0.0, 192.168.1.0, 10.10.10.0, etc. (Has anyone seen an analysis or study of the most common network addresses?  If yes, where?)
3) See if internal IPs leak via web servers/pages, e-mail headers, etc.
4) Social engineering.

None of these provide an easy or sure method of determining the network address space in use by an access point.  I have been experimenting with a variety of arp type packets as a means to ferret out the actual network address space in use.  All with no success.

So here is the question.  What ideas do people have for an automated way of determining the network address space of the access point?

d.

Edit January 14/2007: aireplay now has improvements whereby it defaults to a source and destination IP of 255.255.255.255.  This works with most access points.  So it minimizes/eliminates the need to know the IPs.

« Last Edit: January 14, 2007, 03:32:18 pm by darkAudax »

sorbo (Newbie, Posts: 39)
Re: Determining an IP address for the fragmentation attack
« Reply #1 on: February 27, 2007, 10:22:46 pm »

Why is the IP address necessary?  I guess you want it in order to send a "valid" ARP request that will generate a response.  This is not necessary.  The basic algorithm for recovering a keystream via frag attack is as follows:
1) Obtain the first ~8 bytes of keystream with the usual plain-text XOR cipher-text trick.
2) Send a packet using ~8 byte frags and capture relayed version from AP.  XOR the cipher-text [relayed from AP] and clear-text [whatever you sent].

In order to do #2, you can send any packet that is a broadcast.  The AP must, and will, relay any broadcast packets.  Indeed, the packet need not be ARP.  It can be a packet full of zeros.  In that case, the relayed version will simply contain the keystream [it even saves you from having to XOR :D].  Thus, it is not necessary to send a "valid" ARP request---any broadcast packet will do.

In short, I do not think that knowing the net's IP range is a requirement for the frag attack [for recovering a keystream, which is what it seems you are doing].

daouid (airoscript, Full Member, Posts: 118)
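The two-step keystream recovery sorbo describes above, as an added worked example that is not code from the original thread or from aircrack-ng. It models a toy WEP access point (RC4 seeded with IV || key, CRC32 ICV) and an attacker who knows neither the key nor any IP address: step 1 XORs the first 8 ciphertext bytes of a captured ARP frame with the known LLC/SNAP header, step 2 sends 16 all-zero broadcast fragments of 4 bytes each under that 8-byte keystream and XORs the relayed, reassembled frame to get 68 keystream bytes, then repeats to reach 1028. The 802.11 header, fragment numbers and "more fragments" flag are left out; the class and function names, the key and the captured frame are all constructed for the example.

```python
"""Toy model of the aireplay-ng fragmentation attack (keystream recovery)."""
import struct
import zlib

# Known plaintext: LLC/SNAP header of every encapsulated ARP frame
# (AA AA 03 00 00 00 08 06).  These 8 bytes give the first 8 keystream bytes.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC32, appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


class ToyWepAP:
    """Constructed AP: decrypts fragments, reassembles, re-encrypts the broadcast."""

    def __init__(self, key: bytes):
        self._key = key                 # the attacker never reads this
        self._iv_counter = 0x100000

    def _next_iv(self) -> bytes:
        self._iv_counter += 1
        return self._iv_counter.to_bytes(3, "big")

    def keystream(self, iv: bytes, n: int) -> bytes:
        return rc4(iv + self._key, n)

    def encrypt(self, plaintext: bytes) -> bytes:
        iv = self._next_iv()
        body = plaintext + icv(plaintext)
        return iv + xor(body, self.keystream(iv, len(body)))

    def decrypt(self, frame: bytes):
        iv, body = frame[:3], frame[3:]
        pt = xor(body, self.keystream(iv, len(body)))
        data, tag = pt[:-4], pt[-4:]
        return data if icv(data) == tag else None   # bad ICV: frame dropped

    def relay_fragments(self, frags):
        """A broadcast is always relayed: decrypt each fragment, reassemble,
        encrypt the whole frame once under a fresh IV and send it back out."""
        parts = [self.decrypt(f) for f in frags]
        if any(p is None for p in parts):
            return None
        return self.encrypt(b"".join(parts))


def recover_initial_keystream(captured: bytes):
    """Step 1: known plaintext XOR ciphertext = 8 keystream bytes for this IV."""
    return captured[:3], xor(captured[3:11], LLC_SNAP_ARP)


def make_fragment(iv: bytes, ks: bytes, payload: bytes) -> bytes:
    """Encrypt payload + ICV with only len(ks) keystream bytes (IV is reused)."""
    body = payload + icv(payload)
    assert len(body) <= len(ks), "not enough keystream for this fragment"
    return iv + xor(body, ks[: len(body)])


def extend_keystream(ap: ToyWepAP, iv: bytes, ks: bytes, nfrags: int = 16):
    """Step 2: send nfrags all-zero broadcast fragments, XOR the relayed frame
    against what was sent.  Returns (new_iv, keystream of nfrags*(len(ks)-4)+4)."""
    chunk = len(ks) - 4                      # 4 bytes of each fragment go to the ICV
    payload = b"\x00" * (chunk * nfrags)     # content is irrelevant, zeros are simplest
    frags = [make_fragment(iv, ks, payload[i:i + chunk])
             for i in range(0, len(payload), chunk)]
    relayed = ap.relay_fragments(frags)
    if relayed is None:
        raise RuntimeError("AP dropped a fragment (bad ICV)")
    new_iv, body = relayed[:3], relayed[3:]
    # Data bytes were zero, so the ciphertext there *is* the keystream; the
    # trailing ICV is CRC32(zeros), which is not zero, so XOR the real plaintext.
    return new_iv, xor(body, payload + icv(payload))


def run_attack(ap: ToyWepAP, captured: bytes, rounds: int = 2):
    iv, ks = recover_initial_keystream(captured)
    for _ in range(rounds):
        iv, ks = extend_keystream(ap, iv, ks)
    return iv, ks


def demo():
    ap = ToyWepAP(bytes.fromhex("0102030405"))          # constructed 40-bit key
    arp = LLC_SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20)  # constructed ARP
    iv, ks = run_attack(ap, ap.encrypt(arp))
    return len(ks), ks == ap.keystream(iv, len(ks))


if __name__ == "__main__":
    print(demo())   # (1028, True): 8 -> 68 -> 1028 keystream bytes, no key, no IP
```

The IP range never enters the exchange: every fragment is a broadcast, so the AP relays it regardless of what the 4-byte payloads say, and the only plaintext the attacker needs to know is the 8-byte LLC/SNAP header plus the bytes he chose himself. Each relayed frame arrives under a new IV, which is why the recovered keystream is returned together with that IV.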
Re: Determining an IP address for the fragmentation attack
« Reply #2 on: February 27, 2007, 10:28:10 pm »

Hi Sorbo,

just wanted to say :

nice first post !

i'm hoping to see more from you in the future.

the aircrack-ng wiki and trac can greatly be enhanced by this type of explanations