AIRBASE-NG(8) System Manager's Manual AIRBASE-NG(8)

NAME
       airbase-ng - multi-purpose tool aimed at attacking clients as opposed
       to the Access Point (AP) itself

SYNOPSIS
       airbase-ng [options] <interface name>

DESCRIPTION
       airbase-ng is a multi-purpose tool aimed at attacking clients as
       opposed to the Access Point (AP) itself. Since it is so versatile and
       flexible, summarizing it is a challenge. Here are some of the feature
       highlights:

       - Implements the Caffe Latte WEP client attack
       - Implements the Hirte WEP client attack
       - Ability to cause the WPA/WPA2 handshake to be captured
       - Ability to act as an ad-hoc Access Point
       - Ability to act as a full Access Point
       - Ability to filter by SSID or client MAC addresses
       - Ability to manipulate and resend packets
       - Ability to encrypt sent packets and decrypt received packets

       The main idea of the implementation is that it should encourage
       clients to associate with the fake AP, not prevent them from accessing
       the real AP.

       A tap interface (atX) is created when airbase-ng is run. This can be
       used to receive decrypted packets or to send encrypted packets.

       As real clients will most probably send probe requests for
       common/configured networks, these frames are important for binding a
       client to our softAP. In this case, the AP will respond to any probe
       request with a proper probe response, which tells the client to
       authenticate to the airbase-ng BSSID. That being said, this mode could
       possibly disrupt the correct functionality of many APs on the same
       channel.

OPTIONS
       -H, --help
              Shows the help screen.

       -a <bssid>
              If the BSSID is not explicitly specified by using "-a <BSSID>",
              then the current MAC of the specified interface is used.

       -i <iface>
              Also capture and process from this interface in addition to the
              replay interface.

       -w <WEP key>
              If WEP should be used as encryption, then the parameter "-w <WEP
              key>" sets the en-/decryption key. This is sufficient to let
              airbase-ng set all the appropriate flags by itself. If the
              softAP operates with WEP encryption, the client can choose to
              use open system authentication or shared key authentication.
              Both authentication methods are supported by airbase-ng. But to
              get a keystream, the user can try to force the client to use
              shared key authentication. "-s" forces a shared key auth and
              "-S <len>" sets the challenge length.

       -h <MAC>
              This is the source MAC for the man-in-the-middle attack. The
              "-M" option must also be specified.

       -f <disallow>
              If this option is not specified, it defaults to "-f allow". This
              means the various client MAC filters (-d and -D) define which
              clients to accept.

              Using the "-f disallow" option reverses the selection and
              causes airbase-ng to ignore the clients specified by the
              filters.

       -W <0|1>
              This sets the beacon WEP flag. Remember that clients will
              normally only connect to APs which are the same as themselves,
              meaning WEP to WEP, open to open.

              The "auto" option allows airbase-ng to automatically set the
              flag based on the context of the other options specified. For
              example, if you set a WEP key with -w, then the beacon flag
              would be set to WEP.

              One other use of "auto" is to deal with clients which can
              automatically adjust their connection type. However, these are
              few and far between.

              In practice, it is best to set the value to the type of clients
              you are dealing with.

       -q     This suppresses printing any statistics or status information.

       -v     This prints additional messages and details to assist in
              debugging.

       -M     This option is not implemented yet. It is a man-in-the-middle
              attack between specified clients and BSSIDs.

       -A, --ad-hoc
              This causes airbase-ng to act as an ad-hoc client instead of a
              normal Access Point.

              In ad-hoc mode airbase-ng also sends beacons, but doesn't need
              any authentication/association. It can be activated by using
              "-A". The soft AP will automatically adjust all flags needed to
              simulate a station in ad-hoc mode and generate a random MAC,
              which is used as the CELL MAC instead of the BSSID. This can be
              overridden with the "-a <BSSID>" option. The interface MAC will
              then be used as the source MAC, which can be changed with "-h
              <sourceMAC>".

       -Y <in|out|both>
              The parameter "-Y" enables the "external processing" mode. This
              creates a second interface "atX", which is used to
              replay/modify/drop or inject packets at will. This interface
              must also be brought up with ifconfig, and an external tool is
              needed to create a loop on that interface.

              The packet structure is rather simple: the Ethernet header (14
              bytes) is ignored and right after it follows the complete
              ieee80211 frame, exactly as it is going to be processed by
              airbase-ng (for incoming packets) or just before it is sent out
              of the wireless card (for outgoing packets). This mode
              intercepts all data packets and loops them through an external
              application, which decides what happens with them. The MAC and
              IP of the second tap interface don't matter, as real Ethernet
              frames on this interface are dropped anyway.

              There are 3 arguments for "-Y": "in", "out" and "both", which
              specify the direction of frames to loop through the external
              application. "in" redirects only incoming frames (received
              through the wireless NIC), while outgoing frames aren't
              touched. "out" does the opposite: it only loops outgoing
              packets. "both" sends both directions through the second tap
              interface.

              There is a small and simple example application to replay all
              frames on the second interface. The tool is called "replay.py"
              and is located in "./test". It's written in Python, but the
              language doesn't matter. It uses pcapy to read the frames and
              scapy to possibly alter/show and reinject the frames. The tool
              as it is simply replays all frames and prints a short summary
              of the received frames. The variable "packet" contains the
              complete ieee80211 packet, which can easily be dissected and
              modified using scapy.

              This can be compared to ettercap filters, but is more powerful,
              as a real programming language can be used to build complex
              logic for filtering and packet customization. The downside of
              using Python is that it adds a delay of around 100ms and the
              CPU utilization is rather high on a high speed network, but it
              is perfect for a demonstration with only a few lines of code.

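              The following is an added example and is not part of airbase-ng
              or its replay.py: a dependency-free Python dissector for one
              frame as read from the "-Y" tap, which skips the 14-byte
              Ethernet header and decodes the ieee80211 header that follows
              (frame type, To-DS/From-DS bits, protected flag, addresses).
              The sample frame is constructed inline and the function names
              are assumptions, not names from the project.

```python
import struct

ETH_HDR_LEN = 14  # Ethernet header that precedes each frame on the -Y tap; airbase-ng ignores it
FRAME_TYPES = {0: "mgmt", 1: "ctrl", 2: "data", 3: "ext"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_atx_frame(buf):
    """Dissect one frame as read from the -Y tap interface (hypothetical helper name)."""
    if len(buf) < ETH_HDR_LEN + 10:
        raise ValueError("frame too short for Ethernet + minimal 802.11 header")
    dot11 = buf[ETH_HDR_LEN:]                 # the complete ieee80211 frame
    fc = struct.unpack_from("<H", dot11, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    info = {"type": FRAME_TYPES[ftype], "subtype": subtype,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
            "protected": bool(fc & 0x4000)}
    if ftype == 1:                            # control frames: only RA/TA, no BSSID layout
        return info
    a1, a2, a3 = dot11[4:10], dot11[10:16], dot11[16:22]
    hdr_len = 24
    # Address roles follow the To-DS/From-DS bits of the frame control field.
    if not info["to_ds"] and not info["from_ds"]:
        dst, src, bssid = a1, a2, a3
    elif info["to_ds"] and not info["from_ds"]:
        bssid, src, dst = a1, a2, a3
    elif not info["to_ds"] and info["from_ds"]:
        dst, bssid, src = a1, a2, a3
    else:                                     # 4-address frame: DA=addr3, SA=addr4, TA reported as bssid
        hdr_len = 30
        bssid, src, dst = a2, dot11[24:30], a3
    if ftype == 2 and subtype & 0x8:          # QoS data adds a 2-byte QoS control field
        hdr_len += 2
    if len(dot11) < hdr_len:
        raise ValueError("truncated 802.11 header")
    info.update(src=mac_str(src), dst=mac_str(dst), bssid=mac_str(bssid),
                body_len=len(dot11) - hdr_len)
    return info


def build_sample_frame():
    """Constructed sample: a WEP-protected data frame, station -> AP (To-DS set)."""
    eth = b"\x00" * ETH_HDR_LEN               # ignored by airbase-ng
    fc = b"\x08\x41"                          # type=data, subtype=0; flags To-DS | Protected
    addrs = bytes.fromhex("001122334455" "aabbccddee01" "ffffffffffff")  # BSSID, SA, DA
    header = fc + b"\x00\x00" + addrs + b"\x10\x00"   # duration, addresses, sequence control
    return eth + header + b"\x00" * 12        # 12 placeholder body bytes (IV, payload, ICV)
```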
       -c <channel>
              This is used to specify the channel on which to run the Access
              Point.

       -X, --hidden
              This causes the Access Point to hide the SSID and to not
              broadcast the value.

       -s     When specified, this forces shared key authentication for all
              clients.

              The soft AP will send an "authentication method unsupported"
              rejection to any open system authentication request if "-s" is
              specified.

       -S     This sets the shared key challenge length, which can be anything
              from 16 to 1480. The default is 128 bytes. It is the number of
              bytes used in the random challenge. Since one tag can contain a
              maximum of 255 bytes, any value above 255 creates several
              challenge tags until all specified bytes are written. Many
              clients ignore values different from 128 bytes, so this option
              may not always work.

       -L, --caffe-latte
              Airbase-ng also contains the new caffe-latte attack, which is
              also implemented in aireplay-ng as attack "-6". It can be used
              with "-L" or "--caffe-latte". This attack specifically works
              against clients, as it waits for a broadcast ARP request, which
              happens to be a gratuitous ARP. See this for an explanation of
              what a gratuitous ARP is. It then flips a few bits in the sender
              MAC and IP, corrects the ICV (crc32) value and sends it back to
              the client it came from. The reason this attack works in
              practice is that at least Windows sends gratuitous ARPs after a
              connection on layer 2 is established and a static IP is set, or
              DHCP fails and Windows assigns an IP out of 169.254.X.X.

              "-x <pps>" sets the number of packets per second to send when
              performing the caffe-latte attack. At the moment, this attack
              doesn't stop; it continuously sends ARP requests. Airodump-ng is
              needed to capture the replies.

       -N, --cfrag
              This attack listens for an ARP request or IP packet from the
              client. Once one is received, a small amount of PRGA is
              extracted and then used to create an ARP request packet
              targeted at the client. This ARP request is actually made up of
              multiple packet fragments such that, when received, the client
              will respond.

              This attack works especially well against ad-hoc networks. It
              can also be used against softAP clients and normal AP clients.

       -x <nbpps>
              This sets the number of packets per second that will be sent
              (default: 100).

       -y     When using this option, the fake AP will not respond to
              broadcast probes. A broadcast probe is one where the specific AP
              is not identified uniquely. Typically, most APs will respond
              with probe responses to a broadcast probe. This flag will
              prevent this from happening. It will only respond when the
              specific AP is uniquely requested.

       -0     This enables all WPA/WPA2/WEP tags in the beacons sent. It
              cannot be specified when also using -z or -Z.

       -z <type>
              This specifies the WPA beacon tags. The valid values are:
              1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104.

       -Z <type>
              Same as -z, but for WPA2.

       -V <type>
              This specifies the valid EAPOL types. The valid values are:
              1=MD5 2=SHA1 3=auto

       -F <prefix>
              This option causes airbase-ng to write all sent and received
              packets to a pcap file on disk. This is the file prefix (like
              airodump-ng -w).

       -P     This causes the fake access point to respond to all probes
              regardless of the ESSIDs specified.

       -I <interval>
              This sets the time in milliseconds between each beacon.

       -C <seconds>
              The wildcard ESSIDs will also be beaconed for this number of
              seconds. A good typical value to use is "-C 60" (requires -P).

       -n <hex>
              ANonce (nonce from the AP) to use instead of a randomized one.
              It must be 64 hexadecimal characters.

   Filter options:

       --bssid <MAC>, -b <MAC>
              BSSID to filter/use.

       --bssids <file>, -B <file>
              Read a list of BSSIDs out of that file.

       --client <MAC>, -d <MAC>
              MAC of client to accept.

       --clients <file>, -D <file>
              Read a list of client MACs out of that file.

       --essid <ESSID>, -e <ESSID>
              Specify a single ESSID. For SSIDs containing special characters,
              see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc_in_ap_names

       --essids <file>, -E <file>
              Read a list of ESSIDs out of that file. It will use the same
              BSSID for all APs, which can generate some interesting output in
              Airodump-ng like:
              http://www.chimplabs.com/blog/2015/09/24/unintentional-fun-with-aircrack-ng-at-derbycon-5-0/

AUTHOR
       This manual page was written by Thomas d'Otreppe. Permission is
       granted to copy, distribute and/or modify this document under the terms
       of the GNU General Public License, Version 2 or any later version
       published by the Free Software Foundation. On Debian systems, the
       complete text of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.6.0 January 2020 AIRBASE-NG(8)