supported_packets

Differences

This shows you the differences between two versions of the page.

supported_packets [2008/08/06 18:27]
darkaudax created
supported_packets [2010/11/20 23:18] (current)
sleek typos
Line 1: Line 1:
 ====== Tutorial: Packets Supported for the PTW Attack ====== ====== Tutorial: Packets Supported for the PTW Attack ======
-Version: 1.00 August ​6, 2008\\+Version: 1.03 August ​14, 2008\\
 By: darkAudax By: darkAudax
  
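Review bot: the version line moves from 1.00 to 1.03, but the page carries no change history, so a reader cannot tell which statements changed between those versions. The date on the new line (August 14, 2008) is also older than the revision timestamp shown for this side of the comparison (2010/11/20 23:18). Suggest bumping the version and date with each substantive edit, or adding a short change log under the byline.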
Line 10: Line 10:
 This tutorial is intended to explore this problem in more detail. ​ Hopefully it will allow people to understand when alternate techniques are to be used. This tutorial is intended to explore this problem in more detail. ​ Hopefully it will allow people to understand when alternate techniques are to be used.
  
-Another important limitation is that only ARP packets can be used for all WEP lengths. ​ All others are limited to 40 and 104 bit WEP.+Another important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys.
  
 This [[http://​www.erg.abdn.ac.uk/​users/​gorry/​course/​lan-pages/​llc.html|web page]] briefly describes the IEEE 802.3 Logical Link Control. ​ It explains the following terms which are used in the table below: This [[http://​www.erg.abdn.ac.uk/​users/​gorry/​course/​lan-pages/​llc.html|web page]] briefly describes the IEEE 802.3 Logical Link Control. ​ It explains the following terms which are used in the table below:
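Review bot: the rewritten limitation sentence says the PTW attack "currently can only crack 40 and 104 bit WEP keys", but "currently" is not tied to any release, so the statement cannot be checked or aged out. The paragraph just above promises to help readers understand "when alternate techniques are to be used", yet the new sentence stops at the limit. Suggest stating the tool version this was verified against and naming the technique to fall back to for other key lengths.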
Line 39: Line 39:
  
 ^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^ ^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^
-|Spanning Tree|Destination MAC 01:​80:​C2:​00:​00:​00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|Yes.  Limited to 40bits.| +|Spanning Tree 802.1D (STP)|Destination MAC 01:​80:​C2:​00:​00:​00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|No.| 
-|Port Aggregation Protocol (PAgP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle ​porfts ​on Catalys switches into EtherChannel. ​ Similar to Ethernet bonding in the linux world.|No|+|Port Aggregation Protocol (PAgP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle ​ports on Catalys switches into EtherChannel. ​ Similar to Ethernet bonding in the linux world.|No|
 |VLAN Trunking Protocol (VTP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual ​ LANs (VLANs)|No| |VLAN Trunking Protocol (VTP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual ​ LANs (VLANs)|No|
 |Cisco Inter Switch Link (ISL)|Destination MAC 01:​00:​0C:​00:​00:​00|Unknown|Cisco Version. ​ Functionally similar to 802.1q.|Unknown| |Cisco Inter Switch Link (ISL)|Destination MAC 01:​00:​0C:​00:​00:​00|Unknown|Cisco Version. ​ Functionally similar to 802.1q.|Unknown|
-|Dynamic Trunking Protocol (DTP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2004|Negotiates trunk port mode between Cisco Catalyst ​swtiches.|No|+|Dynamic Trunking Protocol (DTP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2004|Negotiates trunk port mode between Cisco Catalyst ​switches.|No|
 |Cisco Spanning Tree PVST+|Destination MAC 01:​00:​0C:​CC:​CC:​CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010B|Cisco proprietary verson of the Spanning Tree Protocol.|No| |Cisco Spanning Tree PVST+|Destination MAC 01:​00:​0C:​CC:​CC:​CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010B|Cisco proprietary verson of the Spanning Tree Protocol.|No|
-|Cisco STP Uplink Fast|Destination MAC 01:​00:​0C:​CD:​CD:​CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x200A|Speeds up STP convergence time in the prescence ​of reducant links on networks ​consistening ​of Catalys switches.|No| +|Cisco STP Uplink Fast|Destination MAC 01:​00:​0C:​CD:​CD:​CD|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x200A|Speeds up STP convergence time in the presence ​of reducant links on networks ​consisting ​of Catalys switches.|No| 
-|Cisco VLAN Bridge STP|Destination MAC 01:​00:​0C:​CD:​CD:​CE|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010C|Operates on top of IEEE STP to bridge VLANS while running single instance of  STP.  Indicates presence of Catalyst 6000/6500 switches with Multilayer ​Swtich ​Feature Cards (MSFCs) installed.|No|+|Cisco VLAN Bridge STP|Destination MAC 01:​00:​0C:​CD:​CD:​CE|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x010C|Operates on top of IEEE STP to bridge VLANS while running single instance of  STP.  Indicates presence of Catalyst 6000/6500 switches with Multilayer ​Switch ​Feature Cards (MSFCs) installed.|No|
 |Cisco Sync|Destination MAC 01:​00:​0C:​EE:​EE:​EE|Unknown|Sent by the root bridge on VLAN 1 every 2 minutes. ​ Helps to maintain an accurate STP topology.|Unknown| |Cisco Sync|Destination MAC 01:​00:​0C:​EE:​EE:​EE|Unknown|Sent by the root bridge on VLAN 1 every 2 minutes. ​ Helps to maintain an accurate STP topology.|Unknown|
 |Cisco Discovery Protocol (STP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2000|CDP is used to discover and announce network devices.|No| |Cisco Discovery Protocol (STP)|Destination MAC 01:​00:​0C:​CC:​CC:​CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2000|CDP is used to discover and announce network devices.|No|
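Review bot: the Spanning Tree row changes the PTW column from "Yes. Limited to 40bits." to "No.", which reverses a technical claim in a revision whose summary is only "typos". Suggest a one-line reason in the Comments column or in the text below the table, so readers of the earlier version know why STP frames stopped being listed as usable. Several typos also survive in the new side: "Catalys" in the PAgP and Uplink Fast rows, "reducant" in the Uplink Fast row, "verson" in the PVST+ row, and the "Cisco Discovery Protocol (STP)" label, whose own comment calls the protocol CDP. The PTW column now mixes "No." and "No"; pick one.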
Line 56: Line 56:
 For PTW we need "key length plus 3 bytes" keystream length. ​ As an example: A 40 bit WEP key is 5 bytes long.  So we need "5 bytes plus 3 bytes",​ thus 8 keystream bytes. ​ Keystream bytes are bytes that we know the unencrypted value. For PTW we need "key length plus 3 bytes" keystream length. ​ As an example: A 40 bit WEP key is 5 bytes long.  So we need "5 bytes plus 3 bytes",​ thus 8 keystream bytes. ​ Keystream bytes are bytes that we know the unencrypted value.
  
-For ARP packets, we know 22 keystream bytes.  ​That is why ARP packets ​can be used to crack any length of WEP key.+For ARP packets, we know 22 keystream bytes.  ​ARPs can be used for 40 and 104 bit WEP cracking.
  
 For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem. ​ For 104 bit WEP, there are 2 bytes which are completely unknown. ​ These are bruteforced. ​ And one final byte is guessed since there are only three possibilities. For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem. ​ For 104 bit WEP, there are 2 bytes which are completely unknown. ​ These are bruteforced. ​ And one final byte is guessed since there are only three possibilities.
 +
 +
 +===== Handy URLs =====
 +
 +  * [[http://​www.cavebear.com/​archive/​cavebear/​Ethernet/​multicast.html|Multicast Addresses]]
 +  * [[http://​www.iana.org/​assignments/​ethernet-numbers|Ether Types]]
  
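Review bot: the replacement ARP sentence drops the "That is why" link to the rule stated just above it ("key length plus 3 bytes"), so the 22-byte figure no longer explains anything. Suggest spelling out the arithmetic: a 104 bit key is 13 bytes, so 16 keystream bytes are needed, and the 22 known bytes of an ARP packet cover that. The unchanged IP paragraph would benefit from the same treatment, since 9 known bytes plus 2 bruteforced plus 1 guessed gives 12, and the text does not show how that reaches the 16 bytes the rule calls for.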
supported_packets.1218040051.txt.gz · Last modified: 2008/08/06 18:27 by darkaudax