Airbase-ng Description

Airbase-ng is included in the aircrack-ng package. It is a multi-purpose tool aimed at attacking clients as opposed to the Access Point itself. Some of its many features are:

  • Implements the Caffe Latte WEP client attack
  • Implements the Hirte WEP client attack
  • Ability to cause the WPA/WPA2 handshake to be captured
  • Ability to act as an ad-hoc Access Point
  • Ability to act as a full Access Point
  • Ability to filter by SSID or client MAC addresses
  • Ability to manipulate and resend packets
  • Ability to encrypt sent packets and decrypt received packets

Source: Airbase-ng Wiki

  • Author: Thomas d’Otreppe, Original work: Martin Beck
  • License: GPLv2

airbase-ng – multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself

root@kali:~# airbase-ng --help

  Airbase-ng 1.5.2 - (C) 2008-2018 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  usage: airbase-ng <options> <replay interface>

  Options:

      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -Y in|out|both   : external packet processing
      -c channel       : sets the channel the AP is running on
      -X               : hidden ESSID
      -s               : force shared key authentication (default: auto)
      -S               : set shared key challenge length (default: 128)
      -L               : Caffe-Latte WEP attack (use if driver can't send frags)
      -N               : cfrag WEP attack (recommended)
      -x nbpps         : number of packets per second (default: 100)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)
      -n hex           : User specified ANonce when doing the 4-way handshake

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen

airbase-ng Usage Examples

Hirte Attack – Access Point Mode

The Hirte attack attempts to retrieve a WEP key via a client. This example creates an access point on channel 6 (-c 6) with the specified ESSID (-e TotallyNotATrap) and uses the cfrag WEP attack (-N), setting the WEP flag in the beacons (-W 1).

root@kali:~# airbase-ng -c 6 -e TotallyNotATrap -N -W 1 wlan0mon
15:51:11  Created tap interface at0
15:51:11  Trying to set MTU on at0 to 1500
15:51:11  Trying to set MTU on wlan0mon to 1800
15:51:11  Access Point with BSSID 3C:46:D8:4E:EF:AA started.

Caffe Latte Attack – Access Point Mode

As with the Hirte attack, the Caffe Latte Attack attempts to retrieve a WEP key via a client. This example creates an access point on channel 6 (-c 6) with the specified ESSID (-e AlsoNotATrap) and uses the Caffe Latte WEP attack (-L), setting the WEP flag in the beacons (-W 1).

root@kali:~# airbase-ng -c 6 -e AlsoNotATrap -L -W 1 wlan0mon
15:56:05  Created tap interface at0
15:56:05  Trying to set MTU on at0 to 1500
15:56:05  Access Point with BSSID 3C:46:D8:4E:EF:AA started.
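
Both commands above bring up an access point whose beacons carry the WEP flag (-W 1). The following is an added example, not part of the original page or the aircrack-ng project: a defender-side check that parses raw 802.11 beacon frames and flags any beacon that reuses an inventoried ESSID from an unknown BSSID or with weaker advertised security. The inventory, the ESSID "CorpWiFi", the BSSIDs and the sample frames are constructed assumptions, and frames are assumed to have the radiotap header already stripped.

```python
import struct

# Assumption: inventory of authorised APs (constructed values, not from the page).
KNOWN_APS = {"CorpWiFi": {"bssids": {"02:00:00:00:00:01"}, "security": "WPA2"}}

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon (radiotap header already stripped)."""
    if len(frame) < 36 or struct.unpack_from("<H", frame)[0] & 0x00FC != 0x0080:
        raise ValueError("not a beacon frame")
    caps = struct.unpack_from("<H", frame, 34)[0]      # capability info field
    info = {"bssid": frame[16:22].hex(":"), "essid": "", "rsn": False, "wpa": False}
    pos = 36                                           # first tagged element
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                                      # truncated element: stop
        if tag == 0:
            info["essid"] = body.decode("utf-8", "replace")
        elif tag == 48:
            info["rsn"] = True                         # RSN element => WPA2
        elif tag == 221 and body[:4] == b"\x00\x50\xf2\x01":
            info["wpa"] = True                         # vendor WPA1 element
        pos += 2 + length
    # Privacy bit (0x0010) with no WPA/RSN element is what a WEP beacon looks like.
    info["security"] = ("WPA2" if info["rsn"] else "WPA" if info["wpa"]
                        else "WEP" if caps & 0x0010 else "OPEN")
    return info

def check_beacon(frame: bytes) -> list:
    """Return alert strings for a beacon that uses an inventoried ESSID."""
    b, alerts = parse_beacon(frame), []
    known = KNOWN_APS.get(b["essid"])
    if known and b["bssid"] not in known["bssids"]:
        alerts.append("unknown-bssid")
    if known and b["security"] != known["security"]:
        alerts.append(f"downgrade:{known['security']}->{b['security']}")
    return alerts

def build_beacon(bssid: str, essid: str, channel: int, caps: int, extra=b"") -> bytes:
    """Build a constructed sample beacon for the demo (not a real capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    body = struct.pack("<QHH", 0, 100, caps) + bytes([0, len(essid)]) + essid.encode()
    return hdr + body + bytes([3, 1, channel]) + extra

RSN_IE = bytes([48, 20]) + bytes.fromhex("0100000fac040100000fac040100000fac020000")
LEGIT = build_beacon("02:00:00:00:00:01", "CorpWiFi", 6, 0x0011, RSN_IE)
ROGUE = build_beacon("02:00:00:00:00:99", "CorpWiFi", 6, 0x0011)  # WEP flag, no RSN
print(check_beacon(LEGIT), check_beacon(ROGUE))
```

The security comparison fires even when the BSSID matches the inventory, so the check does not rely on the MAC address alone.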