AIRBASE-NG(1)                General Commands Manual               AIRBASE-NG(1)

NAME
       airbase-ng - multi-purpose tool aimed at attacking clients as opposed
       to the Access Point (AP) itself

SYNOPSIS
       airbase-ng [options] <interface name>

DESCRIPTION
       airbase-ng is a multi-purpose tool aimed at attacking clients as
       opposed to the Access Point (AP) itself. Since it is so versatile and
       flexible, summarizing it is a challenge. Here are some of the feature
       highlights:
       - Implements the Caffe Latte WEP client attack
       - Implements the Hirte WEP client attack
       - Ability to cause the WPA/WPA2 handshake to be captured
       - Ability to act as an ad-hoc Access Point
       - Ability to act as a full Access Point
       - Ability to filter by SSID or client MAC addresses
       - Ability to manipulate and resend packets
       - Ability to encrypt sent packets and decrypt received packets

       The main idea of the implementation is that it should encourage
       clients to associate with the fake AP, not prevent them from accessing
       the real AP.

       A tap interface (atX) is created when airbase-ng is run. This can be
       used to receive decrypted packets or to send encrypted packets.

       As real clients will most probably send probe requests for
       common/configured networks, these frames are important for binding a
       client to our softAP. In this case, the AP will respond to any probe
       request with a proper probe response, which tells the client to
       authenticate to the airbase-ng BSSID. That being said, this mode could
       possibly disrupt the correct functionality of many APs on the same
       channel.
38
OPTIONS
       -H, --help
              Shows the help screen.

       -a <bssid>
              If the BSSID is not explicitly specified by using "-a <BSSID>",
              then the current MAC of the specified interface is used.

       -i <iface>
              Also capture and process from this interface in addition to the
              replay interface.

       -w <WEP key>
              If WEP should be used as encryption, then the parameter "-w <WEP
              key>" sets the en-/decryption key. This is sufficient to let
              airbase-ng set all the appropriate flags by itself. If the
              softAP operates with WEP encryption, the client can choose to
              use open system authentication or shared key authentication.
              Both authentication methods are supported by airbase-ng. But to
              get a keystream, the user can try to force the client to use
              shared key authentication. "-s" forces a shared key auth and
              "-S <len>" sets the challenge length.

       -h <MAC>
              This is the source MAC for the man-in-the-middle attack. "-M"
              must also be specified.

       -f <disallow>
              If this option is not specified, it defaults to "-f allow". This
              means the various client MAC filters (-d and -D) define which
              clients to accept.

              By using the "-f disallow" option, this reverses the selection
              and causes airbase-ng to ignore the clients specified by the
              filters.

       -W <0|1>
              This sets the beacon WEP flag. Remember that clients will
              normally only connect to APs which are the same as themselves,
              meaning WEP to WEP, open to open.

              The "auto" option is to allow airbase-ng to automatically set
              the flag based on the context of the other options specified.
              For example, if you set a WEP key with -w, then the beacon flag
              would be set to WEP.

              One other use of "auto" is to deal with clients which can
              automatically adjust their connection type. However, these are
              few and far between.

              In practice, it is best to set the value to the type of clients
              you are dealing with.

       -q     This suppresses printing any statistics or status information.

       -v     This prints additional messages and details to assist in
              debugging.

       -M     This option is not implemented yet. It is a man-in-the-middle
              attack between specified clients and BSSIDs.

       -A, --ad-hoc
              This causes airbase-ng to act as an ad-hoc client instead of a
              normal Access Point.

              In ad-hoc mode airbase-ng also sends beacons, but doesn't need
              any authentication/association. It can be activated by using
              "-A". The soft AP will automatically adjust all flags needed to
              simulate a station in ad-hoc mode and generate a random MAC,
              which is used as the CELL MAC instead of the BSSID. This can be
              overridden with the "-a <BSSID>" option. The interface MAC will
              then be used as the source MAC, which can be changed with "-h
              <sourceMAC>".

       -Y <in|out|both>
              The parameter "-Y" enables the "external processing" mode. This
              creates a second interface "atX", which is used to
              replay/modify/drop or inject packets at will. This interface
              must also be brought up with ifconfig, and an external tool is
              needed to create a loop on that interface.

              The packet structure is rather simple: the ethernet header (14
              bytes) is ignored and right after that follows the complete
              ieee80211 frame, the same way it is going to be processed by
              airbase-ng (for incoming packets) or before the packets will be
              sent out of the wireless card (outgoing packets). This mode
              intercepts all data packets and loops them through an external
              application, which decides what happens with them. The MAC and
              IP of the second tap interface don't matter, as real ethernet
              frames on this interface are dropped anyway.

              There are 3 arguments for "-Y": "in", "out" and "both", which
              specify the direction of frames to loop through the external
              application. Obviously "in" redirects only incoming (through the
              wireless NIC) frames, while outgoing frames aren't touched.
              "out" does the opposite: it only loops outgoing packets, and
              "both" sends both directions through the second tap interface.

              There is a small and simple example application to replay all
              frames on the second interface. The tool is called "replay.py"
              and is located in "./test". It's written in Python, but the
              language doesn't matter. It uses pcapy to read the frames and
              scapy to possibly alter/show and reinject the frames. The tool
              as it is simply replays all frames and prints a short summary of
              the received frames. The variable "packet" contains the complete
              ieee80211 packet, which can easily be dissected and modified
              using scapy.

              This can be compared to ettercap filters, but is more powerful,
              as a real programming language can be used to build complex
              logic for filtering and packet customization. The downside of
              using Python is that it adds a delay of around 100ms and the CPU
              utilization is rather high on a high speed network, but it's
              perfect for a demonstration with only a few lines of code.
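              As an added illustration (not part of this manual or of the
              aircrack-ng suite), the following Python dissector parses a frame
              in the layout just described: the 14 leading ethernet bytes are
              skipped and the raw IEEE 802.11 header that follows is decoded,
              so that frames arriving on atX can be logged with their
              type, addresses and sequence number. The sample frame bytes
              are constructed for the example.

```python
import struct

ETH_HDR_LEN = 14          # airbase-ng ignores these leading bytes on atX
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}

def mac(b):
    return ":".join("%02x" % x for x in b)

def parse_tap_frame(buf):
    """Dissect one frame as seen on the -Y tap: 14 ethernet bytes (ignored),
    then the raw IEEE 802.11 frame. Management and data frames only."""
    dot11 = buf[ETH_HDR_LEN:]
    if len(dot11) < 24:
        raise ValueError("too short for an 802.11 mgmt/data header")
    fc, = struct.unpack_from("<H", dot11, 0)   # frame control (little endian)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype not in (0, 2):
        raise ValueError("control/extension frames not handled")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = dot11[4:10], dot11[10:16], dot11[16:22]
    seq_ctrl, = struct.unpack_from("<H", dot11, 22)
    hdr_len, a4 = 24, None
    if ftype == 2 and to_ds and from_ds:       # 4-address (WDS) data frame
        a4, hdr_len = dot11[24:30], 30
    if ftype == 2 and subtype & 0x8:           # QoS data: 2-byte QoS control
        hdr_len += 2
    # Which field is DA/SA/BSSID depends on the To DS / From DS bits.
    if ftype == 0 or not (to_ds or from_ds):
        da, sa, bssid = a1, a2, a3
    elif to_ds and from_ds:
        da, sa, bssid = a3, a4, None
    elif from_ds:
        da, bssid, sa = a1, a2, a3
    else:
        bssid, sa, da = a1, a2, a3
    return {"type": TYPE_NAMES[ftype], "subtype": subtype,
            "to_ds": to_ds, "from_ds": from_ds, "protected": bool(fc & 0x4000),
            "da": mac(da), "sa": mac(sa), "bssid": mac(bssid) if bssid else None,
            "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
            "body_len": len(dot11) - hdr_len}

# Constructed sample: dummy ethernet header, then an unencrypted data frame
# with From DS set (soft AP -> client), sequence number 10, 6-byte LLC body.
SAMPLE = (bytes(ETH_HDR_LEN)
          + bytes.fromhex("0802 2c00")           # frame control, duration
          + bytes.fromhex("00 11 22 33 44 55")   # A1 = DA (the client)
          + bytes.fromhex("02 aa bb cc dd ee")   # A2 = BSSID (the soft AP)
          + bytes.fromhex("00 de ad be ef 01")   # A3 = SA
          + bytes.fromhex("a000")                # sequence control
          + bytes.fromhex("aa aa 03 00 00 00"))  # LLC/SNAP start
```

              Calling parse_tap_frame(SAMPLE) returns the decoded header as a
              dict; feed it the bytes read from atX to get the same view.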
153
       -c <channel>
              This is used to specify the channel on which to run the Access
              Point.

       -X, --hidden
              This causes the Access Point to hide the SSID and not broadcast
              the value.

       -s     When specified, this forces shared key authentication for all
              clients.

              The soft AP will send an "authentication method unsupported"
              rejection to any open system authentication request if "-s" is
              specified.

       -S     This sets the shared key challenge length, which can be anything
              from 16 to 1480. The default is 128 bytes. It is the number of
              bytes used in the random challenge. Since one tag can contain a
              maximum of 255 bytes, any value above 255 creates several
              challenge tags until all specified bytes are written. Many
              clients ignore values different from 128 bytes, so this option
              may not always work.

       -L, --caffe-latte
              airbase-ng also contains the new caffe-latte attack, which is
              also implemented in aireplay-ng as attack "-6". It can be used
              with "-L" or "--caffe-latte". This attack specifically works
              against clients, as it waits for a broadcast ARP request, which
              happens to be a gratuitous ARP. See this for an explanation of
              what a gratuitous ARP is. It then flips a few bits in the sender
              MAC and IP, corrects the ICV (crc32) value and sends it back to
              the client where it came from. The reason this attack works in
              practice is that at least Windows sends gratuitous ARPs after a
              connection on layer 2 is established and a static IP is set, or
              DHCP fails and Windows assigns an IP out of 169.254.X.X.

              "-x <pps>" sets the number of packets per second to send when
              performing the caffe-latte attack. At the moment, this attack
              doesn't stop; it continuously sends ARP requests. airodump-ng
              is needed to capture the replies.

       -N, --cfrag
              This attack listens for an ARP request or IP packet from the
              client. Once one is received, a small amount of PRGA is
              extracted and then used to create an ARP request packet targeted
              at the client. This ARP request is actually made up of multiple
              packet fragments such that when received, the client will
              respond.

              This attack works especially well against ad-hoc networks. It
              can also be used against softAP clients and normal AP clients.

       -x <nbpps>
              This sets the number of packets per second at which packets will
              be sent (default: 100).

       -y     When using this option, the fake AP will not respond to
              broadcast probes. A broadcast probe is one where the specific AP
              is not identified uniquely. Typically, most APs will respond
              with probe responses to a broadcast probe. This flag will
              prevent this from happening. It will only respond when the
              specific AP is uniquely requested.

       -0     This enables all WPA/WPA2/WEP tags in the beacons sent. It
              cannot be specified when also using -z or -Z.

       -z <type>
              This specifies the WPA beacon tags. The valid values are:
              1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104.

       -Z <type>
              Same as -z, but for WPA2.

       -V <type>
              This specifies the valid EAPOL types. The valid values are:
              1=MD5 2=SHA1 3=auto.

       -F <prefix>
              This option causes airbase-ng to write all sent and received
              packets to a pcap file on disk. This is the file prefix (like
              airodump-ng -w).

       -P     This causes the fake access point to respond to all probes
              regardless of the ESSIDs specified.

       -I <interval>
              This sets the time in milliseconds between each beacon.

       -C <seconds>
              The wildcard ESSIDs will also be beaconed for this number of
              seconds. A good typical value to use is "-C 60" (requires -P).
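              As an added, monitoring-side illustration that is not part of
              this manual or of the aircrack-ng suite: a soft AP run with "-P"
              (or in the probe-response mode described above) answers probe
              requests for whatever SSID a client asks for, and a sensor in
              monitor mode can spot this by correlating probe requests, probe
              responses and beacons per BSSID. The log format, the MACs and
              the SSIDs below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sensor log (one frame per line; not airbase-ng output):
# <time> <frame kind> <source MAC> <BSSID> <SSID>
SAMPLE_LOG = """\
1.00 PROBE_REQ  c0:ff:ee:00:00:01 ff:ff:ff:ff:ff:ff CorpWiFi
1.01 PROBE_RESP aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 CorpWiFi
1.02 PROBE_RESP 02:de:ad:be:ef:00 02:de:ad:be:ef:00 CorpWiFi
2.00 PROBE_REQ  c0:ff:ee:00:00:02 ff:ff:ff:ff:ff:ff HomeNet-5G
2.01 PROBE_RESP 02:de:ad:be:ef:00 02:de:ad:be:ef:00 HomeNet-5G
3.00 PROBE_REQ  c0:ff:ee:00:00:03 ff:ff:ff:ff:ff:ff CoffeeShop
3.01 PROBE_RESP 02:de:ad:be:ef:00 02:de:ad:be:ef:00 CoffeeShop
4.00 BEACON     aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 CorpWiFi
4.50 BEACON     02:de:ad:be:ef:00 02:de:ad:be:ef:00 HomeNet-5G
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")

def parse_log(text):
    """Yield (time, kind, src, bssid, ssid) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, kind, src, bssid, ssid = m.groups()
            yield float(ts), kind, src.lower(), bssid.lower(), ssid

def find_promiscuous_responders(text, min_ssids=2, window=1.0):
    """Flag BSSIDs that answered probe requests for more than min_ssids
    distinct SSIDs. A response only counts if a request for that SSID was
    seen within `window` seconds, which is how a -P soft AP behaves: it
    replies on demand to whatever SSID a client asks for."""
    last_req = {}                       # ssid -> time of last probe request
    answered = defaultdict(set)         # bssid -> SSIDs it answered for
    beaconed = defaultdict(set)         # bssid -> SSIDs it beacons itself
    for ts, kind, _, bssid, ssid in parse_log(text):
        if kind == "PROBE_REQ":
            last_req[ssid] = ts
        elif kind == "PROBE_RESP" and ts - last_req.get(ssid, -1e9) <= window:
            answered[bssid].add(ssid)
        elif kind == "BEACON":
            beaconed[bssid].add(ssid)
    findings = {}
    for bssid, ssids in answered.items():
        if len(ssids) > min_ssids:
            findings[bssid] = {"answered": sorted(ssids),
                               "never_beaconed": sorted(ssids - beaconed[bssid])}
    return findings
```

              A legitimate AP answers only for the SSID it beacons; the
              "never_beaconed" list shows SSIDs a BSSID served on demand
              without ever advertising them (note that "-C" makes a soft AP
              beacon those wildcard ESSIDs too, so the count of distinct
              answered SSIDs is the more robust signal).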
247
       Filter options:

       --bssid <MAC>, -b <MAC>
              BSSID to filter/use.

       --bssids <file>, -B <file>
              Read a list of BSSIDs out of that file.

       --client <MAC>, -d <MAC>
              MAC of client to accept.

       --clients <file>, -D <file>
              Read a list of client MACs out of that file.

       --essid <ESSID>, -e <ESSID>
              Specify a single ESSID. For SSIDs containing special
              characters, see
              http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

       --essids <file>, -E <file>
              Read a list of ESSIDs out of that file.

269
AUTHOR
       This manual page was written by Thomas d'Otreppe. Permission is
       granted to copy, distribute and/or modify this document under the
       terms of the GNU General Public License, Version 2 or any later
       version published by the Free Software Foundation. On Debian systems,
       the complete text of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.
277
SEE ALSO
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airdriver-ng(1)
       aireplay-ng(1)
       airmon-ng(1)
       airodump-ng(1)
       airolib-ng(1)
       airserv-ng(1)
       buddy-ng(1)
       easside-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       tkiptun-ng(1)
       wesside-ng(1)

Version 1.1                       April 2010                       AIRBASE-NG(1)