AIRBASE-NG(1)               General Commands Manual              AIRBASE-NG(1)

NAME
       airbase-ng - multi-purpose tool aimed at attacking clients as opposed
       to the Access Point (AP) itself

SYNOPSIS
       airbase-ng [options] <interface name>

DESCRIPTION
       airbase-ng is a multi-purpose tool aimed at attacking clients as
       opposed to the Access Point (AP) itself. Since it is so versatile and
       flexible, summarizing it is a challenge. Here are some of the feature
       highlights:
       - Implements the Caffe Latte WEP client attack
       - Implements the Hirte WEP client attack
       - Ability to cause the WPA/WPA2 handshake to be captured
       - Ability to act as an ad-hoc Access Point
       - Ability to act as a full Access Point
       - Ability to filter by SSID or client MAC addresses
       - Ability to manipulate and resend packets
       - Ability to encrypt sent packets and decrypt received packets

       The main idea of the implementation is that it should encourage
       clients to associate with the fake AP, not prevent them from accessing
       the real AP.

       A tap interface (atX) is created when airbase-ng is run. This can be
       used to receive decrypted packets or to send encrypted packets.

       As real clients will most probably send probe requests for
       common/configured networks, these frames are important for binding a
       client to our softAP. In this case, the AP will respond to any probe
       request with a proper probe response, which tells the client to
       authenticate to the airbase-ng BSSID. That being said, this mode could
       possibly disrupt the correct functionality of many APs on the same
       channel.

OPTIONS
       -H, --help
              Shows the help screen.

       -a <bssid>
              If the BSSID is not explicitly specified by using "-a <BSSID>",
              then the current MAC of the specified interface is used.

       -i <iface>
              Also capture and process from this interface in addition to the
              replay interface.

       -w <WEP key>
              If WEP should be used as encryption, then the parameter "-w <WEP
              key>" sets the en-/decryption key. This is sufficient to let
              airbase-ng set all the appropriate flags by itself. If the
              softAP operates with WEP encryption, the client can choose to
              use open system authentication or shared key authentication.
              Both authentication methods are supported by airbase-ng. But to
              get a keystream, the user can try to force the client to use
              shared key authentication. "-s" forces a shared key auth and
              "-S <len>" sets the challenge length.

       -h <MAC>
              This is the source MAC for the man-in-the-middle attack. The
              "-M" option must also be specified.

       -f <disallow>
              If this option is not specified, it defaults to "-f allow". This
              means the various client MAC filters (-d and -D) define which
              clients to accept.

              By using the "-f disallow" option, this reverses the selection
              and causes airbase-ng to ignore the clients specified by the
              filters.

       -W <0|1>
              This sets the beacon WEP flag. Remember that clients will
              normally only connect to APs which are the same as themselves,
              meaning WEP to WEP, open to open.

              The "auto" option is to allow airbase-ng to automatically set
              the flag based on the context of the other options specified.
              For example, if you set a WEP key with -w, then the beacon flag
              would be set to WEP.

              One other use of "auto" is to deal with clients which can
              automatically adjust their connection type. However, these are
              few and far between.

              In practice, it is best to set the value to the type of clients
              you are dealing with.

       -q     This suppresses printing any statistics or status information.

       -v     This prints additional messages and details to assist in
              debugging.

       -M     This option is not implemented yet. It is a man-in-the-middle
              attack between specified clients and BSSIDs.

       -A, --ad-hoc
              This causes airbase-ng to act as an ad-hoc client instead of a
              normal Access Point.

              In ad-hoc mode airbase-ng also sends beacons, but doesn't need
              any authentication/association. It can be activated by using
              "-A". The soft AP will adjust all flags needed to simulate a
              station in ad-hoc mode automatically and generate a random MAC,
              which is used as CELL MAC instead of the BSSID. This can be
              overridden with the "-a <BSSID>" option. The interface MAC will
              then be used as source MAC, which can be changed with
              "-h <sourceMAC>".

       -Y <in|out|both>
              The parameter "-Y" enables the "external processing" mode. This
              creates a second interface "atX", which is used to replay,
              modify, drop or inject packets at will. This interface must also
              be brought up with ifconfig, and an external tool is needed to
              create a loop on that interface.

              The packet structure is rather simple: the ethernet header (14
              bytes) is ignored and right after it follows the complete
              ieee80211 frame, the same way it is going to be processed by
              airbase-ng (for incoming packets) or before the packet is sent
              out of the wireless card (outgoing packets). This mode
              intercepts all data packets and loops them through an external
              application, which decides what happens with them. The MAC and
              IP of the second tap interface don't matter, as real ethernet
              frames on this interface are dropped anyway.

              There are 3 arguments for "-Y": "in", "out" and "both", which
              specify the direction of frames to loop through the external
              application. Obviously "in" redirects only incoming (through the
              wireless NIC) frames, while outgoing frames aren't touched.
              "out" does the opposite: it only loops outgoing packets, and
              "both" sends both directions through the second tap interface.

              There is a small and simple example application to replay all
              frames on the second interface. The tool is called "replay.py"
              and is located in "./test". It's written in python, but the
              language doesn't matter. It uses pcapy to read the frames and
              scapy to possibly alter/show and reinject the frames. The tool
              as it is simply replays all frames and prints a short summary
              of the received frames. The variable "packet" contains the
              complete ieee80211 packet, which can easily be dissected and
              modified using scapy.

              This can be compared to ettercap filters, but is more powerful,
              as a real programming language can be used to build complex
              logic for filtering and packet customization. The downside of
              using python is that it adds a delay of around 100ms and the
              CPU utilization is rather high on a high speed network, but
              it's perfect for a demonstration with only a few lines of code.

       -c <channel>
              This is used to specify the channel on which to run the Access
              Point.

       -X, --hidden
              This causes the Access Point to hide the SSID and to not
              broadcast the value.

       -s     When specified, this forces shared key authentication for all
              clients.

              The soft AP will send an "authentication method unsupported"
              rejection to any open system authentication request if "-s" is
              specified.

       -S <len>
              It sets the shared key challenge length, which can be anything
              from 16 to 1480. The default is 128 bytes. It is the number of
              bytes used in the random challenge. Since one tag can contain a
              maximum of 255 bytes, any value above 255 creates several
              challenge tags until all specified bytes are written. Many
              clients ignore values different from 128 bytes, so this option
              may not always work.
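
              The frame layout described under "-Y" (14 ignored ethernet bytes,
              then the raw ieee80211 frame) and the challenge-tag splitting
              described under "-S" can be seen concretely in the following
              added example. It is not part of airbase-ng or of its
              test/replay.py: it decodes a tap frame in plain Python without
              pcapy or scapy and, for authentication frames, reports a
              shared-key challenge that is not the 128 bytes clients expect or
              that has been split over several tags, which is what a
              client-side wireless monitor would flag. All frame bytes below
              are constructed here.

```python
import struct
ETH_HDR_LEN = 14        # -Y mode: the leading ethernet header is ignored
CHALLENGE_TAG = 16      # 802.11 "Challenge text" tagged parameter
USUAL_CHALLENGE = 128   # challenge length most clients expect (see -S)

def parse_tap_frame(tap_bytes):
    """Strip the 14-byte ethernet header and decode the 802.11 MAC header."""
    dot11 = tap_bytes[ETH_HDR_LEN:]
    if len(dot11) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = dot11[0]
    return {"type": (fc0 >> 2) & 0x3,          # 0 management, 1 control, 2 data
            "subtype": (fc0 >> 4) & 0xF,       # 11 = authentication
            "addr1": dot11[4:10].hex(":"),     # receiver
            "addr2": dot11[10:16].hex(":"),    # transmitter
            "addr3": dot11[16:22].hex(":"),    # BSSID for management frames
            "body": dot11[24:]}

def parse_tags(body):
    """Walk tagged parameters: 1-byte id, 1-byte length, value."""
    tags, i = [], 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        tags.append((tag_id, body[i + 2:i + 2 + length]))
        i += 2 + length
    return tags

def audit_auth_frame(frame):
    """Flag a challenge split over several tags (>255 bytes) or not 128 bytes."""
    if frame["type"] != 0 or frame["subtype"] != 11:
        return None
    algo, seq, status = struct.unpack("<HHH", frame["body"][:6])
    chunks = [v for t, v in parse_tags(frame["body"][6:]) if t == CHALLENGE_TAG]
    total, warnings = sum(len(c) for c in chunks), []
    if len(chunks) > 1:
        warnings.append(f"challenge split across {len(chunks)} tags")
    if chunks and total != USUAL_CHALLENGE:
        warnings.append(f"unusual challenge length {total}")
    return {"algo": algo, "seq": seq, "status": status,
            "challenge_len": total, "warnings": warnings}

def build_sample(challenge_len):
    """Constructed input: shared-key auth frame (algo 1, seq 2) behind a dummy ethernet header."""
    dot11 = bytes([0xB0, 0, 0, 0]) + bytes.fromhex("021122334455") \
        + bytes.fromhex("020000000001") * 2 + b"\x10\x00"
    body = struct.pack("<HHH", 1, 2, 0)
    data = bytes(i & 0xFF for i in range(challenge_len))
    for off in range(0, challenge_len, 255):        # one tag per 255 bytes, as -S does
        body += bytes([CHALLENGE_TAG, len(data[off:off + 255])]) + data[off:off + 255]
    return b"\x00" * ETH_HDR_LEN + dot11 + body
```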

       -L, --caffe-latte
              Airbase-ng also contains the new caffe-latte attack, which is
              also implemented in aireplay-ng as attack "-6". It can be used
              with "-L" or "--caffe-latte". This attack specifically works
              against clients, as it waits for a broadcast ARP request, which
              happens to be a gratuitous ARP. See this for an explanation of
              what a gratuitous ARP is. It then flips a few bits in the sender
              MAC and IP, corrects the ICV (crc32) value and sends it back to
              the client where it came from. The reason this attack works in
              practice is that at least Windows sends gratuitous ARPs after a
              connection on layer 2 is established and a static IP is set, or
              DHCP fails and Windows assigns an IP out of 169.254.X.X.

              "-x <pps>" sets the number of packets per second to send when
              performing the caffe-latte attack. At the moment, this attack
              doesn't stop, it continuously sends ARP requests. Airodump-ng is
              needed to capture the replies.

       -N, --cfrag
              This attack listens for an ARP request or IP packet from the
              client. Once one is received, a small amount of PRGA is
              extracted and then used to create an ARP request packet targeted
              to the client. This ARP request is actually made up of multiple
              packet fragments such that when received, the client will
              respond.

              This attack works especially well against ad-hoc networks. As
              well, it can be used against softAP clients and normal AP
              clients.

       -x <nbpps>
              This sets the number of packets per second that will be sent
              (default: 100).

       -y     When using this option, the fake AP will not respond to
              broadcast probes. A broadcast probe is one where the specific AP
              is not identified uniquely. Typically, most APs will respond
              with probe responses to a broadcast probe. This flag will
              prevent this from happening. It will only respond when the
              specific AP is uniquely requested.

       -0     This enables all WPA/WPA2/WEP tags in the beacons sent. It
              cannot be specified when also using -z or -Z.

       -z <type>
              This specifies the WPA beacon tags. The valid values are:
              1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104.

       -Z <type>
              Same as -z, but for WPA2.

       -V <type>
              This specifies the valid EAPOL types. The valid values are:
              1=MD5 2=SHA1 3=auto

       -F <prefix>
              This option causes airbase-ng to write all sent and received
              packets to a pcap file on disk. This is the file prefix (like
              airodump-ng -w).

       -P     This causes the fake access point to respond to all probes
              regardless of the ESSIDs specified.

       -I <interval>
              This sets the time in milliseconds between each beacon.

       -C <seconds>
              The wildcard ESSIDs will also be beaconed for this number of
              seconds. A good typical value to use is "-C 60" (requires -P).

       Filter options:

       --bssid <MAC>, -b <MAC>
              BSSID to filter/use.

       --bssids <file>, -B <file>
              Read a list of BSSIDs out of that file.

       --client <MAC>, -d <MAC>
              MAC of client to accept.

       --clients <file>, -D <file>
              Read a list of client MACs out of that file.

       --essid <ESSID>, -e <ESSID>
              Specify a single ESSID. For SSIDs containing special characters,
              see http://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc._in_ap_names

       --essids <file>, -E <file>
              Read a list of ESSIDs out of that file.

AUTHOR
       This manual page was written by Thomas d'Otreppe. Permission is
       granted to copy, distribute and/or modify this document under the terms
       of the GNU General Public License, Version 2 or any later version
       published by the Free Software Foundation. On Debian systems, the
       complete text of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airdriver-ng(1)
       aireplay-ng(1)
       airmon-ng(1)
       airodump-ng(1)
       airolib-ng(1)
       airserv-ng(1)
       buddy-ng(1)
       easside-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       tkiptun-ng(1)
       wesside-ng(1)

Version 1.1                       April 2010                     AIRBASE-NG(1)