AIRBASE-NG(8)               System Manager's Manual              AIRBASE-NG(8)

NAME
       airbase-ng - multi-purpose tool aimed at attacking clients as opposed
       to the Access Point (AP) itself

SYNOPSIS
       airbase-ng [options] <interface name>

DESCRIPTION
       airbase-ng is a multi-purpose tool aimed at attacking clients as
       opposed to the Access Point (AP) itself. Since it is so versatile and
       flexible, summarizing it is a challenge. Here are some of the feature
       highlights:

       - Implements the Caffe Latte WEP client attack
       - Implements the Hirte WEP client attack
       - Ability to cause the WPA/WPA2 handshake to be captured
       - Ability to act as an ad-hoc Access Point
       - Ability to act as a full Access Point
       - Ability to filter by SSID or client MAC addresses
       - Ability to manipulate and resend packets
       - Ability to encrypt sent packets and decrypt received packets

       The main idea of the implementation is that it should encourage
       clients to associate with the fake AP, not prevent them from accessing
       the real AP.

       A tap interface (atX) is created when airbase-ng is run. This can be
       used to receive decrypted packets or to send encrypted packets.

       As real clients will most probably send probe requests for
       common/configured networks, these frames are important for binding a
       client to our softAP. In this case, the AP will respond to any probe
       request with a proper probe response, which tells the client to
       authenticate to the airbase-ng BSSID. That being said, this mode could
       possibly disrupt the correct functionality of many APs on the same
       channel.

OPTIONS
       -H, --help
              Shows the help screen.

       -a <bssid>
              If the BSSID is not explicitly specified by using "-a <BSSID>",
              then the current MAC of the specified interface is used.

       -i <iface>
              Also capture and process from this interface in addition to the
              replay interface.

       -w <WEP key>
              If WEP should be used as encryption, then the parameter "-w <WEP
              key>" sets the en-/decryption key. This is sufficient to let
              airbase-ng set all the appropriate flags by itself. If the
              softAP operates with WEP encryption, the client can choose to
              use open system authentication or shared key authentication.
              Both authentication methods are supported by airbase-ng. But to
              get a keystream, the user can try to force the client to use
              shared key authentication. "-s" forces a shared key auth and
              "-S <len>" sets the challenge length.

       -h <MAC>
              This is the source MAC for the man-in-the-middle attack. The
              "-M" must also be specified.

       -f <disallow>
              If this option is not specified, it defaults to "-f allow". This
              means the various client MAC filters (-d and -D) define which
              clients to accept.

              By using the "-f disallow" option, this reverses the selection
              and causes airbase-ng to ignore the clients specified by the
              filters.

       -W <0|1>
              This sets the beacon WEP flag. Remember that clients will
              normally only connect to APs which are the same as themselves,
              meaning WEP to WEP, open to open.

              The "auto" option is to allow airbase-ng to automatically set
              the flag based on the context of the other options specified.
              For example, if you set a WEP key with -w, then the beacon flag
              would be set to WEP.

              One other use of "auto" is to deal with clients which can
              automatically adjust their connection type. However, these are
              few and far between.

              In practice, it is best to set the value to the type of clients
              you are dealing with.

       -q     This suppresses printing any statistics or status information.

       -v     This prints additional messages and details to assist in
              debugging.

       -M     This option is not implemented yet. It is a man-in-the-middle
              attack between specified clients and BSSIDs.

       -A, --ad-hoc
              This causes airbase-ng to act as an ad-hoc client instead of a
              normal Access Point.

              In ad-hoc mode airbase-ng also sends beacons, but doesn't need
              any authentication/association. It can be activated by using
              "-A". The soft AP will adjust all flags needed to simulate a
              station in ad-hoc mode automatically and generate a random MAC,
              which is used as CELL MAC instead of the BSSID. This can be
              overridden with the "-a <BSSID>" option. The interface MAC will
              then be used as source MAC, which can be changed with "-h
              <sourceMAC>".

       -Y <in|out|both>
              The parameter "-Y" enables the "external processing" mode. This
              creates a second interface "atX", which is used to
              replay/modify/drop or inject packets at will. This interface
              must also be brought up with ifconfig and an external tool is
              needed to create a loop on that interface.

              The packet structure is rather simple: the ethernet header (14
              bytes) is ignored and right after that follows the complete
              ieee80211 frame, the same way it is going to be processed by
              airbase-ng (for incoming packets) or before the packets will be
              sent out of the wireless card (outgoing packets). This mode
              intercepts all data packets and loops them through an external
              application, which decides what happens with them. The MAC and
              IP of the second tap interface don't matter, as real ethernet
              frames on this interface are dropped anyway.

              There are 3 arguments for "-Y": "in", "out" and "both", which
              specify the direction of frames to loop through the external
              application. Obviously "in" redirects only incoming (through
              the wireless NIC) frames, while outgoing frames aren't touched.
              "out" does the opposite, it only loops outgoing packets, and
              "both" sends both directions through the second tap interface.

              There is a small and simple example application to replay all
              frames on the second interface. The tool is called "replay.py"
              and is located in "./test". It's written in Python, but the
              language doesn't matter. It uses pcapy to read the frames and
              scapy to possibly alter/show and reinject the frames. The tool
              as it is simply replays all frames and prints a short summary
              of the received frames. The variable "packet" contains the
              complete ieee80211 packet, which can easily be dissected and
              modified using scapy.

              This can be compared to ettercap filters, but is more powerful,
              as a real programming language can be used to build complex
              logic for filtering and packet customization. The downside of
              using Python is that it adds a delay of around 100 ms and CPU
              utilization is rather high on a high-speed network, but it is
              perfect for a demonstration with only a few lines of code.

       -c <channel>
              This is used to specify the channel on which to run the Access
              Point.

       -X, --hidden
              This causes the Access Point to hide the SSID and to not
              broadcast the value.

       -s     When specified, this forces shared key authentication for all
              clients.

              The soft AP will send an "authentication method unsupported"
              rejection to any open system authentication request if "-s" is
              specified.

       -S     It sets the shared key challenge length, which can be anything
              from 16 to 1480. The default is 128 bytes. It is the number of
              bytes used in the random challenge. Since one tag can contain a
              maximum size of 255 bytes, any value above 255 creates several
              challenge tags until all specified bytes are written. Many
              clients ignore values different than 128 bytes, so this option
              may not always work.

       -L, --caffe-latte
              Airbase-ng also contains the new caffe-latte attack, which is
              also implemented in aireplay-ng as attack "-6". It can be used
              with "-L" or "--caffe-latte". This attack specifically works
              against clients, as it waits for a broadcast arp request, which
              happens to be a gratuitous arp. See this for an explanation of
              what a gratuitous arp is. It then flips a few bits in the sender
              MAC and IP, corrects the ICV (crc32) value and sends it back to
              the client, where it came from. The reason why this attack works
              in practice is that at least Windows sends gratuitous arps
              after a connection on layer 2 is established and a static IP is
              set, or DHCP fails and Windows assigns an IP out of
              169.254.X.X.

              "-x <pps>" sets the number of packets per second to send when
              performing the caffe-latte attack. At the moment, this attack
              doesn't stop, it continuously sends arp requests. Airodump-ng is
              needed to capture the replies.

       -N, --cfrag
              This attack listens for an ARP request or IP packet from the
              client. Once one is received, a small amount of PRGA is
              extracted and then used to create an ARP request packet
              targeted to the client. This ARP request is actually made up of
              multiple packet fragments such that when received, the client
              will respond.

              This attack works especially well against ad-hoc networks. As
              well, it can be used against softAP clients and normal AP
              clients.

       -x <nbpps>
              This sets the number of packets per second to send (default:
              100).

       -y     When using this option, the fake AP will not respond to
              broadcast probes. A broadcast probe is where the specific AP is
              not identified uniquely. Typically, most APs will respond with
              probe responses to a broadcast probe. This flag will prevent
              this happening. It will only respond when the specific AP is
              uniquely requested.

       -0     This enables all WPA/WPA2/WEP tags in the beacons sent. It
              cannot be specified when also using -z or -Z.

       -z <type>
              This specifies the WPA beacon tags. The valid values are:
              1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104.

       -Z <type>
              Same as -z, but for WPA2.

       -V <type>
              This specifies the valid EAPOL types. The valid values are:
              1=MD5 2=SHA1 3=auto

       -F <prefix>
              This option causes airbase-ng to write all sent and received
              packets to a pcap file on disk. This is the file prefix (like
              airodump-ng -w).

       -P     This causes the fake access point to respond to all probes
              regardless of the ESSIDs specified.

       -I <interval>
              This sets the time in milliseconds between each beacon.

       -C <seconds>
              The wildcard ESSIDs will also be beaconed for this number of
              seconds. A good typical value to use is "-C 60" (requires -P).

       -n <hex>
              ANonce (nonce from the AP) to use instead of a randomized one.
              It must be 64 hexadecimal characters.

       Filter options:

       --bssid <MAC>, -b <MAC>
              BSSID to filter/use.

       --bssids <file>, -B <file>
              Read a list of BSSIDs out of that file.

       --client <MAC>, -d <MAC>
              MAC of client to accept.

       --clients <file>, -D <file>
              Read a list of client MACs out of that file.

       --essid <ESSID>, -e <ESSID>
              Specify a single ESSID. For SSIDs containing special
              characters, see
              https://www.aircrack-ng.org/doku.php?id=faq#how_to_use_spaces_double_quote_and_single_quote_etc_in_ap_names

       --essids <file>, -E <file>
              Read a list of ESSIDs out of that file. It will use the same
              BSSID for all APs, which can generate some interesting output in
              Airodump-ng like:
              http://www.chimplabs.com/blog/2015/09/24/unintentional-fun-with-aircrack-ng-at-derbycon-5-0/
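       As an added example (not part of the aircrack-ng man page or code
       base), the following Python script parses beacons and probe responses
       in the "-Y" tap framing described above (14-byte Ethernet header, then
       the raw ieee80211 frame) and applies the defender-side checks that the
       "interesting output in Airodump-ng" remark hints at: one BSSID
       beaconing several ESSIDs (-E) and probe responses for ESSIDs the BSSID
       never beaconed (-P/-C). All MACs, ESSIDs and frames are constructed
       test data; the capability "privacy" bit (-W) is parsed as well.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN, SSID_TAG = 14, 0                 # -Y tap: 14-byte Ethernet header, then raw 802.11
BEACON, PROBE_RESP, PRIVACY = 8, 5, 0x0010    # mgmt subtypes; capability "privacy" (WEP) bit

def mgmt_frame(subtype, bssid, ssid, privacy=False):
    """Build a minimal beacon/probe response in -Y tap format (constructed test input)."""
    hdr = struct.pack("<H", subtype << 4) + b"\0\0" + b"\xff" * 6 + bssid * 2 + b"\0\0"
    fixed = b"\0" * 8 + struct.pack("<HH", 100, 0x0001 | (PRIVACY if privacy else 0))
    return b"\0" * ETH_HDR_LEN + hdr + fixed + bytes([SSID_TAG, len(ssid)]) + ssid

def parse_mgmt(raw):
    """Return (subtype, bssid, ssid, privacy) for a beacon/probe response, else None."""
    f = raw[ETH_HDR_LEN:]
    fc = struct.unpack_from("<H", f, 0)[0]
    if fc & 0x0C or (fc >> 4) & 0xF not in (BEACON, PROBE_RESP):   # type bits must be 00
        return None
    capab = struct.unpack_from("<H", f, 34)[0]   # after 24-byte header, timestamp, interval
    ssid, off = "", 36
    while off + 2 <= len(f):                     # walk the tagged parameters
        tag, ln = f[off], f[off + 1]
        if tag == SSID_TAG:
            ssid = f[off + 2:off + 2 + ln].decode("utf-8", "replace")
        off += 2 + ln
    return (fc >> 4) & 0xF, f[16:22].hex(":"), ssid, bool(capab & PRIVACY)

def rogue_ap_indicators(frames):
    """Flag a BSSID beaconing several ESSIDs (-E) or answering probes for unbeaconed ones (-P/-C)."""
    beaconed, answered, findings = defaultdict(set), defaultdict(set), []
    for subtype, bssid, ssid, _privacy in filter(None, map(parse_mgmt, frames)):
        (beaconed if subtype == BEACON else answered)[bssid].add(ssid)
    for bssid, ssids in beaconed.items():
        if len(ssids) > 1:
            findings.append(f"{bssid}: beacons {len(ssids)} ESSIDs {sorted(ssids)}")
    for bssid, ssids in answered.items():
        if extra := sorted(ssids - beaconed.get(bssid, set())):
            findings.append(f"{bssid}: probe responses for unbeaconed {extra}")
    return findings

AP1, AP2 = bytes.fromhex("021122334455"), bytes.fromhex("02aabbccddee")   # made-up MACs
SAMPLE_FRAMES = [                                                         # constructed, not captured
    mgmt_frame(BEACON, AP1, b"CoffeeShop", privacy=True),
    mgmt_frame(BEACON, AP1, b"HomeNet", privacy=True),         # same BSSID, second ESSID
    mgmt_frame(PROBE_RESP, AP1, b"AirportFree"),               # answered but never beaconed
    mgmt_frame(BEACON, AP2, b"OfficeWiFi", privacy=True),
    mgmt_frame(PROBE_RESP, AP2, b"OfficeWiFi", privacy=True),  # legitimate AP behaviour
]
```

       On a real capture, feed the frames read from atX (or from a monitor-mode
       pcap with the 14-byte prefix added) to rogue_ap_indicators().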

AUTHOR
       This manual page was written by Thomas d'Otreppe. Permission is
       granted to copy, distribute and/or modify this document under the terms
       of the GNU General Public License, Version 2 or any later version
       published by the Free Software Foundation. On Debian systems, the
       complete text of the GNU General Public License can be found in
       /usr/share/common-licenses/GPL.

SEE ALSO
       aireplay-ng(8)
       airmon-ng(8)
       airodump-ng(8)
       airodump-ng-oui-update(8)
       airserv-ng(8)
       airtun-ng(8)
       besside-ng(8)
       easside-ng(8)
       tkiptun-ng(8)
       wesside-ng(8)
       aircrack-ng(1)
       airdecap-ng(1)
       airdecloak-ng(1)
       airolib-ng(1)
       besside-ng-crawler(1)
       buddy-ng(1)
       ivstools(1)
       kstats(1)
       makeivs-ng(1)
       packetforge-ng(1)
       wpaclean(1)
       airventriloquist(8)

Version 1.7.0                     May 2022                       AIRBASE-NG(8)