1AIRBASE-NG(8)               System Manager's Manual              AIRBASE-NG(8)
2
3
4

NAME

6       airbase-ng  -  multi-purpose tool aimed at attacking clients as opposed
7       to the Access Point (AP) itself
8

SYNOPSIS

10       airbase-ng options] <interface name>
11

DESCRIPTION

13       airbase-ng is multi-purpose tool aimed at attacking clients as  opposed
14       to the Access Point (AP) itself. Since it is so versatile and flexible,
15       summarizing it is a challenge. Here are some of the feature highlights:
16
17       - Implements the Caffe Latte WEP client attack
18       - Implements the Hirte WEP client attack
19       - Ability to cause the WPA/WPA2 handshake to be captured
20       - Ability to act as an ad-hoc Access Point
21       - Ability to act as a full Access Point
22       - Ability to filter by SSID or client MAC addresses
23       - Ability to manipulate and resend packets
24       - Ability to encrypt sent packets and decrypt received packets
25
26       The main idea is of the implementation  is  that  it  should  encourage
27       clients  to associate with the fake AP, not prevent them from accessing
28       the real AP.
29
30       A tap interface (atX) is created when airbase-ng is run.  This  can  be
31       used to receive decrypted packets or to send encrypted packets.
32
33       As  real clients will most probably send probe requests for common/con‐
34       figured networks, these frames are important for binding  a  client  to
35       our softAP. In this case, the AP will respond to any probe request with
36       a proper probe response, which tells the client to authenticate to  the
37       airbase-ng BSSID. That being said, this mode could possibly disrupt the
38       correct functionality of many APs on the same channel.
39

OPTIONS

41       -H, --help
42              Shows the help screen.
43
44       -a <bssid>
45              If the BSSID is not explicitly specified by using "-a  <BSSID>",
46              then the current MAC of the specified interface is used.
47
48       -i <iface>
49              Also  capture and process from this interface in addition to the
50              replay interface.
51
52       -w <WEP key>
53              If WEP should be used as encryption, then the parameter "-w <WEP
54              key>"  sets  the  en-/decryption  key. This is sufficient to let
55              airbase-ng set all the appropriate flags by itself.  If the sof‐
56              tAP  operates  with WEP encryption, the client can choose to use
57              open system authentication or shared  key  authentication.  Both
58              authentication methods are supported by airbase-ng. But to get a
59              keystream, the user can try to force the client  to  use  shared
60              key authentication. "-s" forces a shared key auth and "-S <len>"
61              sets the challenge length.
62
63       -h <MAC>
64              This is the source MAC for  the  man-in-the-middle  attack.  The
65              "-M" must also be specified.
66
67       -f <disallow>
68              If this option is not specified, it defaults to "-f allow". This
69              means the various client MAC filters (-d and  -D)  define  which
70              clients to accept.
71
72              By  using  the "-f disallow" option, this reverses selection and
73              causes airbase to ignore the clients specified by the filters.
74
75       -W <0|1>
76              This sets the beacon WEP flag. Remember that clients  will  nor‐
77              mally  only  connect  to  APs  which are the same as themselves.
78              Meaning WEP to WEP, open to open.
79
80              The "auto" option is to allow airbase-ng  to  automatically  set
81              the  flag  based  on context of the other options specified. For
82              example, if you set a WEP key with  -w,  then  the  beacon  flag
83              would be set to WEP.
84
85              One  other use of "auto" is to deal with clients which can auto‐
86              matically adjust their connection type. However, these  are  few
87              and far between.
88
89              In  practice, it is best to set the value to the type of clients
90              you are dealing with.
91
92       -q     This suppresses printing any statistics or status information.
93
94       -v     This prints additional messages and details to assist in  debug‐
95              ging.
96
97       -M     This  option  is  not implemented yet. It is a man-in-the-middle
98              attack between specified clients and BSSIDs.
99
100       -A, --ad-hoc
101              This causes airbase-ng to act as an ad-hoc client instead  of  a
102              normal Access Point.
103
104              In  ad-hoc  mode airbase-ng also sends beacons, but doesn't need
105              any authentication/association. It can  be  activated  by  using
106              "-A".  The  soft  AP  will adjust all flags needed to simulate a
107              station in ad-hoc mode automatically and generate a random  MAC,
108              which  is  used  as  CELL  MAC instead of the BSSID. This can be
109              overwritten by the "-a <BSSID>" tag. The interface MAC will then
110              be   used   as  source  mac,  which  can  be  changed  with  "-h
111              <sourceMAC>".
112
113       -Y <in|out|both>
114              The parameter "-Y" enables the "external processing" Mode.  This
115              creates  a  second interface "atX", which is used to replay/mod‐
116              ify/drop or inject packets at will. This interface must also  be
117              brought  up with ifconfig and an external tool is needed to cre‐
118              ate a loop on that interface.
119
120              The packet structure is rather simple: the ethernet  header  (14
121              bytes)  is  ignored  and  right  after that follows the complete
122              ieee80211 frame the same way it is going to be processed by air‐
123              base-ng  (for  incoming  packets)  or before the packets will be
124              sent out of the wireless  card  (outgoing  packets).  This  mode
125              intercepts  all  data packets and loops them through an external
126              application, which decides what happens with them. The  MAC  and
127              IP  of the second tap interface doesn't matter, as real ethernet
128              frames on this interface are dropped anyway.
129
130              There are 3 arguments for "-Y": "in", "out"  and  "both",  which
131              specify  the  direction  of  frames to loop through the external
132              application. Obviously "in" redirects only incoming (through the
133              wireless  NIC)  frames,  while  outgoing  frames aren't touched.
134              "out" does the opposite, it  only  loops  outgoing  packets  and
135              "both"  sends  all both directions through the second tap inter‐
136              face.
137
138              There is a small and simple example application  to  replay  all
139              frames  on  the second interface. The tool is called "replay.py"
140              and is located in "./test". It's written in python, but the lan‐
141              guage doesn't matter. It uses pcapy to read the frames and scapy
142              to possibly alter/show and reinject the frames. The tool  as  it
143              is,  simply replays all frames and prints a short summary of the
144              received frames. The variable  "packet"  contains  the  complete
145              ieee80211  packet,  which  can  easily be dissected and modified
146              using scapy.
147
148              This can be compared to ettercap filters, but is more  powerful,
149              as  a  real  programming  language  can be used to build complex
150              logic for filtering and packet customization.  The  downside  on
151              using  python  is,  that it adds a delay of around 100ms and the
152              cpu utilizations is rather large on a high  speed  network,  but
153              its perfect for a demonstration with only a few lines of code.
154
155       -c <channel>
156              This  is  used to specify the channel on which to run the Access
157              Point.
158
159       -X, --hidden
160              This causes the Access Point to hide the SSID and to not  broad‐
161              cast the value.
162
163       -s     When  specfiied,  this  forces shared key authentication for all
164              clients.
165
166              The soft AP will send  an  "authentication  method  unsupported"
167              rejection  to  any open system authentication request if "-s" is
168              specified.
169
170       -S     It sets the shared key challenge length, which can  be  anything
171              from  16  to 1480. The default is 128 bytes. It is the number of
172              bytes used in the random challenge. Since one tag can contain  a
173              maximum  size  of 255 bytes, any value above 255 creates several
174              challenge tags until  all  specified  bytes  are  written.  Many
175              clients  ignore  values  different than 128 bytes so this option
176              may not always work.
177
178       -L, --caffe-latte
179              Airbase-ng also contains the new caffe-latte  attack,  which  is
180              also  implemented  in aireplay-ng as attack "-6". It can be used
181              with "-L"  or  "caffe-latte".  This  attack  specifically  works
182              against  clients, as it waits for a broadcast arp request, which
183              happens to be a gratuitous arp. See this for an  explanation  of
184              what a gratuitous arp is. It then flips a few bits in the sender
185              MAC and IP, corrects the ICV (crc32) value and sends it back  to
186              the  client, where it came from. The point why this attack works
187              in practice is, that at  least  windows  sends  gratuitous  arps
188              after  a connection on layer 2 is established and a static ip is
189              set,  or  dhcp  fails  and  windows  assigned  an  IP   out   of
190              169.254.X.X.
191
192              "-x  <pps>"  sets  the number of packets per second to send when
193              performing the caffe-latte attack. At the  moment,  this  attack
194              doesn't stop, it continuously sends arp requests. Airodump-ng is
195              needed to capture the replies.
196
197       -N, --cfrag
198              This attack listens for an ARP request or  IP  packet  from  the
199              client.  Once  one  is  received,  a  small  amount  of  PRGA is
200              extracted and then used to create an ARP request packet targeted
201              to the client. This ARP request is actually made of up of multi‐
202              ple packet fragments such that when received,  the  client  will
203              respond.
204
205              This  attack  works  especially well against ad-hoc networks. As
206              well it can  be  used  against  softAP  clients  and  normal  AP
207              clients.
208
209       -x <nbpps>
210              This  sets the number of packets per second that packets will be
211              sent (default: 100).
212
213       -y     When using this option, the fake AP will not respond  to  broad‐
214              cast  probes.  A broadcast probe is where the specific AP is not
215              identified uniquely. Typically, most APs will respond with probe
216              responses to a broadcast probe. This flag will prevent this hap‐
217              pening. It will only respond when the specific  AP  is  uniquely
218              requested.
219
220       -0     This  enables all WPA/WPA2/WEP Tags to be enabled in the beacons
221              sent. It cannot be specified when also using -z or -Z.
222
223       -z <type>
224              This specifies the  WPA  beacon  tags.  The  valid  values  are:
225              1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104.
226
227       -Z <type>
228              same as -z, but for WPA2
229
230       -V <type>
231              This  specifies  the  valid  EAPOL  types. The valid values are:
232              1=MD5 2=SHA1 3=auto
233
234       -F <prefix>
235              This option causes airbase-ng to write  all  sent  and  received
236              packets  to  a  pcap file on disk. This is the file prefix (like
237              airodump-ng -w).
238
239       -P     This causes the fake access  point  to  respond  to  all  probes
240              regardless of the ESSIDs specified.
241
242       -I <interval>
243              This sets the time in milliseconds between each beacon.
244
245       -C <seconds>
246              The  wildcard  ESSIDs  will also be beaconed this number of sec‐
247              onds. A good typical value to use is "-C 60" (require -P).
248
249       -n <hex>
250              ANonce (nonce from the AP) to use instead of a  randomized  one.
251              It must be 64 hexadecimal characters.
252
253       Filter options:
254
255       --bssid <MAC>, -b <MAC>
256              BSSID to filter/use.
257
258       --bssids <file>, -B <file>
259              Read a list of BSSIDs out of that file.
260
261       --client <MAC>, -d <MAC>
262              MAC of client to accept.
263
264       --clients <file>, -D <file>
265              Read a list of client's MACs out of that file.
266
267       --essid <ESSID>, -e <ESSID>
268              Specify  a single ESSID. For SSID containing special characters,
269              see  https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spa‐
270              ces_double_quote_and_single_quote_etc_in_ap_names
271
272       --essids <file>, -E <file>
273              Read  a  list  of  ESSIDs out of that file. It will use the same
274              BSSID for all AP which can generate some interesting  output  in
275              Airodump-ng like: http://www.chimplabs.com/blog/2015/09/24/unin
276              tentional-fun-with-aircrack-ng-at-derbycon-5-0/
277

AUTHOR

279       This manual page  was  written  by  Thomas  d'Otreppe.   Permission  is
280       granted to copy, distribute and/or modify this document under the terms
281       of the GNU General Public License, Version 2 or any later version  pub‐
282       lished  by the Free Software Foundation On Debian systems, the complete
283       text of the GNU General Public License can be found in  /usr/share/com‐
284       mon-licenses/GPL.
285

SEE ALSO

287       aireplay-ng(8)
288       airmon-ng(8)
289       airodump-ng(8)
290       airodump-ng-oui-update(8)
291       airserv-ng(8)
292       airtun-ng(8)
293       besside-ng(8)
294       easside-ng(8)
295       tkiptun-ng(8)
296       wesside-ng(8)
297       aircrack-ng(1)
298       airdecap-ng(1)
299       airdecloak-ng(1)
300       airolib-ng(1)
301       besside-ng-crawler(1)
302       buddy-ng(1)
303       ivstools(1)
304       kstats(1)
305       makeivs-ng(1)
306       packetforge-ng(1)
307       wpaclean(1)
308       airventriloquist(8)
309
310
311
312Version 1.5.2                    December 2018                   AIRBASE-NG(8)
Impressum