AIRBASE-NG(8)               System Manager's Manual              AIRBASE-NG(8)

NAME

       airbase-ng - multi-purpose tool aimed at attacking clients as opposed
       to the Access Point (AP) itself


SYNOPSIS

       airbase-ng [options] <interface name>


DESCRIPTION

       airbase-ng is a multi-purpose tool aimed at attacking clients as opposed
       to the Access Point (AP) itself. Since it is so versatile and flexible,
       summarizing it is a challenge. Here are some of the feature highlights:

       - Implements the Caffe Latte WEP client attack
       - Implements the Hirte WEP client attack
       - Ability to cause the WPA/WPA2 handshake to be captured
       - Ability to act as an ad-hoc Access Point
       - Ability to act as a full Access Point
       - Ability to filter by SSID or client MAC addresses
       - Ability to manipulate and resend packets
       - Ability to encrypt sent packets and decrypt received packets

       The main idea of the implementation is that it should encourage clients
       to associate with the fake AP, not prevent them from accessing the real
       AP.

       A tap interface (atX) is created when airbase-ng is run. This can be
       used to receive decrypted packets or to send encrypted packets.

       As real clients will most probably send probe requests for
       common/configured networks, these frames are important for binding a
       client to our softAP. In this case, the AP will respond to any probe
       request with a proper probe response, which tells the client to
       authenticate to the airbase-ng BSSID. That being said, this mode could
       possibly disrupt the correct functionality of many APs on the same
       channel.


OPTIONS

       -H, --help
              Shows the help screen.

       -a <bssid>
              If the BSSID is not explicitly specified by using "-a <BSSID>",
              then the current MAC of the specified interface is used.

       -i <iface>
              Also capture and process from this interface in addition to the
              replay interface.

       -w <WEP key>
              If WEP should be used as encryption, then the parameter "-w <WEP
              key>" sets the en-/decryption key. This is sufficient to let
              airbase-ng set all the appropriate flags by itself. If the softAP
              operates with WEP encryption, the client can choose to use open
              system authentication or shared key authentication. Both
              authentication methods are supported by airbase-ng. But to get a
              keystream, the user can try to force the client to use shared key
              authentication. "-s" forces a shared key auth and "-S <len>" sets
              the challenge length.

       -h <MAC>
              This is the source MAC for the man-in-the-middle attack. The "-M"
              option must also be specified.

       -f <disallow>
              If this option is not specified, it defaults to "-f allow". This
              means the various client MAC filters (-d and -D) define which
              clients to accept.

              By using the "-f disallow" option, this reverses the selection and
              causes airbase-ng to ignore the clients specified by the filters.

       -W <0|1>
              This sets the beacon WEP flag. Remember that clients will normally
              only connect to APs which are the same as themselves, meaning WEP
              to WEP, open to open.

              The "auto" option is to allow airbase-ng to automatically set the
              flag based on the context of the other options specified. For
              example, if you set a WEP key with -w, then the beacon flag would
              be set to WEP.

              One other use of "auto" is to deal with clients which can
              automatically adjust their connection type. However, these are few
              and far between.

              In practice, it is best to set the value to the type of clients
              you are dealing with.

       -q     This suppresses printing any statistics or status information.

       -v     This prints additional messages and details to assist in
              debugging.

       -M     This option is not implemented yet. It is a man-in-the-middle
              attack between specified clients and BSSIDs.

       -A, --ad-hoc
              This causes airbase-ng to act as an ad-hoc client instead of a
              normal Access Point.

              In ad-hoc mode airbase-ng also sends beacons, but doesn't need any
              authentication/association. It can be activated by using "-A".
              The soft AP will adjust all flags needed to simulate a station in
              ad-hoc mode automatically and generate a random MAC, which is used
              as CELL MAC instead of the BSSID. This can be overwritten by the
              "-a <BSSID>" tag. The interface MAC will then be used as source
              MAC, which can be changed with "-h <sourceMAC>".

       -Y <in|out|both>
              The parameter "-Y" enables the "external processing" mode. This
              creates a second interface "atX", which is used to
              replay/modify/drop or inject packets at will. This interface must
              also be brought up with ifconfig and an external tool is needed to
              create a loop on that interface.

              The packet structure is rather simple: the ethernet header (14
              bytes) is ignored and right after that follows the complete
              ieee80211 frame the same way it is going to be processed by
              airbase-ng (for incoming packets) or before the packets will be
              sent out of the wireless card (outgoing packets). This mode
              intercepts all data packets and loops them through an external
              application, which decides what happens with them. The MAC and IP
              of the second tap interface don't matter, as real ethernet frames
              on this interface are dropped anyway.

              There are 3 arguments for "-Y": "in", "out" and "both", which
              specify the direction of frames to loop through the external
              application. Obviously "in" redirects only incoming (through the
              wireless NIC) frames, while outgoing frames aren't touched. "out"
              does the opposite, it only loops outgoing packets, and "both"
              sends both directions through the second tap interface.

              There is a small and simple example application to replay all
              frames on the second interface. The tool is called "replay.py" and
              is located in "./test". It's written in python, but the language
              doesn't matter. It uses pcapy to read the frames and scapy to
              possibly alter/show and reinject the frames. The tool as it is
              simply replays all frames and prints a short summary of the
              received frames. The variable "packet" contains the complete
              ieee80211 packet, which can easily be dissected and modified using
              scapy.

              This can be compared to ettercap filters, but is more powerful, as
              a real programming language can be used to build complex logic for
              filtering and packet customization. The downside of using python
              is that it adds a delay of around 100ms and the CPU utilization is
              rather high on a high speed network, but it's perfect for a
              demonstration with only a few lines of code.

       -c <channel>
              This is used to specify the channel on which to run the Access
              Point.

       -X, --hidden
              This causes the Access Point to hide the SSID and to not broadcast
              the value.

       -s     When specified, this forces shared key authentication for all
              clients.

              The soft AP will send an "authentication method unsupported"
              rejection to any open system authentication request if "-s" is
              specified.

       -S     It sets the shared key challenge length, which can be anything
              from 16 to 1480. The default is 128 bytes. It is the number of
              bytes used in the random challenge. Since one tag can contain a
              maximum size of 255 bytes, any value above 255 creates several
              challenge tags until all specified bytes are written. Many clients
              ignore values different than 128 bytes, so this option may not
              always work.

       -L, --caffe-latte
              Airbase-ng also contains the new caffe-latte attack, which is also
              implemented in aireplay-ng as attack "-6". It can be used with
              "-L" or "--caffe-latte". This attack specifically works against
              clients, as it waits for a broadcast ARP request, which happens to
              be a gratuitous ARP. See this for an explanation of what a
              gratuitous ARP is. It then flips a few bits in the sender MAC and
              IP, corrects the ICV (crc32) value and sends it back to the
              client, where it came from. The reason this attack works in
              practice is that at least Windows sends gratuitous ARPs after a
              connection on layer 2 is established and a static IP is set, or
              DHCP fails and Windows assigned an IP out of 169.254.X.X.

              "-x <pps>" sets the number of packets per second to send when
              performing the caffe-latte attack. At the moment, this attack
              doesn't stop, it continuously sends ARP requests. Airodump-ng is
              needed to capture the replies.

       -N, --cfrag
              This attack listens for an ARP request or IP packet from the
              client. Once one is received, a small amount of PRGA is extracted
              and then used to create an ARP request packet targeted to the
              client. This ARP request is actually made up of multiple packet
              fragments such that when received, the client will respond.

              This attack works especially well against ad-hoc networks. It can
              also be used against softAP clients and normal AP clients.

       -x <nbpps>
              This sets the number of packets per second at which packets will
              be sent (default: 100).

       -y     When using this option, the fake AP will not respond to broadcast
              probes. A broadcast probe is where the specific AP is not
              identified uniquely. Typically, most APs will respond with probe
              responses to a broadcast probe. This flag will prevent this
              happening. It will only respond when the specific AP is uniquely
              requested.

       -0     This enables all WPA/WPA2/WEP tags in the beacons sent. It cannot
              be specified when also using -z or -Z.

       -z <type>
              This specifies the WPA beacon tags. The valid values are: 1=WEP40
              2=TKIP 3=WRAP 4=CCMP 5=WEP104.

       -Z <type>
              Same as -z, but for WPA2.

       -V <type>
              This specifies the valid EAPOL types. The valid values are: 1=MD5
              2=SHA1 3=auto

       -F <prefix>
              This option causes airbase-ng to write all sent and received
              packets to a pcap file on disk. This is the file prefix (like
              airodump-ng -w).

       -P     This causes the fake access point to respond to all probes
              regardless of the ESSIDs specified.

       -I <interval>
              This sets the time in milliseconds between each beacon.

       -C <seconds>
              The wildcard ESSIDs will also be beaconed for this number of
              seconds. A good typical value to use is "-C 60" (requires -P).

       -n <hex>
              ANonce (nonce from the AP) to use instead of a randomized one. It
              must be 64 hexadecimal characters.

       Filter options:

       --bssid <MAC>, -b <MAC>
              BSSID to filter/use.

       --bssids <file>, -B <file>
              Read a list of BSSIDs out of that file.

       --client <MAC>, -d <MAC>
              MAC of client to accept.

       --clients <file>, -D <file>
              Read a list of client MACs out of that file.

       --essid <ESSID>, -e <ESSID>
              Specify a single ESSID. For SSIDs containing special characters,
              see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc_in_ap_names

       --essids <file>, -E <file>
              Read a list of ESSIDs out of that file. It will use the same BSSID
              for all APs, which can generate some interesting output in
              Airodump-ng like:
              http://www.chimplabs.com/blog/2015/09/24/unintentional-fun-with-aircrack-ng-at-derbycon-5-0/

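       The behaviours documented above are also what makes such a soft AP
       stand out to a wireless monitor: one BSSID advertising several ESSIDs
       (-E), probe responses for ESSIDs that were never beaconed (-P and the
       probe-response behaviour described under DESCRIPTION), and a fixed
       ANonce repeated across handshakes (-n). The following Python script is
       an added example, not part of aircrack-ng or airbase-ng; it runs those
       three heuristics over a constructed list of observations of the kind a
       wireless IDS would extract from beacon, probe-response and EAPOL
       message 1 frames. The record layout (kind, bssid, essid, anonce) is this
       example's own convention, not an aircrack-ng format.

```python
"""Rogue soft-AP heuristics (added example; not aircrack-ng code).

Flags three behaviours the airbase-ng man page describes:
  * one BSSID advertising several ESSIDs (-E reuses a single BSSID),
  * probe responses for ESSIDs the BSSID never beaconed (-P answers probes
    regardless of ESSID), and
  * the same ANonce reused across handshakes (-n fixes the ANonce).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Observation:
    kind: str                      # "beacon", "probe_resp" or "eapol_m1"
    bssid: str
    essid: Optional[str] = None    # "" for a hidden SSID in a beacon
    anonce: Optional[str] = None   # 64 hex chars, only on eapol_m1 records


@dataclass
class Findings:
    multi_essid: Dict[str, Set[str]] = field(default_factory=dict)
    unbeaconed_probe_resp: Dict[str, Set[str]] = field(default_factory=dict)
    reused_anonce: Dict[str, Set[str]] = field(default_factory=dict)


def analyse(observations: List[Observation], essid_threshold: int = 2) -> Findings:
    """Group observations per BSSID and apply the three heuristics."""
    beaconed: Dict[str, Set[str]] = defaultdict(set)
    probed: Dict[str, Set[str]] = defaultdict(set)
    anonces: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))

    for obs in observations:
        bssid = obs.bssid.lower()
        if obs.kind == "beacon" and obs.essid is not None:
            beaconed[bssid].add(obs.essid)
        elif obs.kind == "probe_resp" and obs.essid is not None:
            probed[bssid].add(obs.essid)
        elif obs.kind == "eapol_m1" and obs.anonce is not None:
            anonces[bssid][obs.anonce.lower()] += 1

    findings = Findings()
    for bssid in set(beaconed) | set(probed):
        # Heuristic 1: a hidden SSID ("") is not a distinct network.
        advertised = (beaconed[bssid] | probed[bssid]) - {""}
        if len(advertised) >= essid_threshold:
            findings.multi_essid[bssid] = advertised
        # Heuristic 2: a legitimate hidden AP beacons "" and answers probes for
        # exactly one real SSID, so allow a single unbeaconed ESSID in that case.
        allowed_extra = 1 if beaconed[bssid] <= {""} else 0
        extra = probed[bssid] - beaconed[bssid]
        if len(extra) > allowed_extra:
            findings.unbeaconed_probe_resp[bssid] = extra
    # Heuristic 3: a real AP draws a fresh ANonce for every handshake.
    for bssid, counts in anonces.items():
        reused = {nonce for nonce, seen in counts.items() if seen > 1}
        if reused:
            findings.reused_anonce[bssid] = reused
    return findings


def report(findings: Findings) -> List[str]:
    """Render findings as one line per indicator and BSSID."""
    lines = []
    for bssid, essids in sorted(findings.multi_essid.items()):
        lines.append(f"{bssid}: advertises {len(essids)} ESSIDs {sorted(essids)}")
    for bssid, essids in sorted(findings.unbeaconed_probe_resp.items()):
        lines.append(f"{bssid}: answers probes for never-beaconed ESSIDs {sorted(essids)}")
    for bssid, nonces in sorted(findings.reused_anonce.items()):
        short = sorted(n[:16] + "..." for n in nonces)
        lines.append(f"{bssid}: reuses ANonce across handshakes {short}")
    return lines


# Constructed sample input: MACs, ESSIDs and nonces are made up for the example.
SAMPLE = [
    # Legitimate AP: one ESSID, a fresh ANonce per handshake.
    Observation("beacon", "00:11:22:33:44:55", "CorpWiFi"),
    Observation("probe_resp", "00:11:22:33:44:55", "CorpWiFi"),
    Observation("eapol_m1", "00:11:22:33:44:55", anonce="aa" * 32),
    Observation("eapol_m1", "00:11:22:33:44:55", anonce="bb" * 32),
    # Legitimate hidden AP: empty SSID in beacons, real SSID in probe responses.
    Observation("beacon", "66:77:88:99:aa:bb", ""),
    Observation("probe_resp", "66:77:88:99:aa:bb", "HiddenNet"),
    # Soft AP behaving like airbase-ng -E/-P/-n.
    Observation("beacon", "de:ad:be:ef:00:01", "CorpWiFi"),
    Observation("beacon", "de:ad:be:ef:00:01", "Guest"),
    Observation("probe_resp", "de:ad:be:ef:00:01", "HomeNet"),
    Observation("probe_resp", "de:ad:be:ef:00:01", "CoffeeShop"),
    Observation("eapol_m1", "de:ad:be:ef:00:01", anonce="cc" * 32),
    Observation("eapol_m1", "de:ad:be:ef:00:01", anonce="cc" * 32),
]

if __name__ == "__main__":
    for line in report(analyse(SAMPLE)):
        print(line)
```

       Each heuristic on its own can misfire (a hidden SSID is handled, but
       an enterprise controller legitimately beaconing several ESSIDs from one
       radio is not), so treat a BSSID that trips more than one of them as the
       strong signal, and corroborate against the known-good BSSID list before
       acting.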

AUTHOR

       This manual page was written by Thomas d'Otreppe. Permission is granted
       to copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published by
       the Free Software Foundation. On Debian systems, the complete text of
       the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.


SEE ALSO

       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.7.0                      May 2022                      AIRBASE-NG(8)