
Hi, does anyone know an attack on WPA TKIP like the famous WEP key recovery (I have bad English, so I will write the same in Spanish)? I mean, not a social engineering attack or a brute-force hash attack, but one exploiting this vulnerability: "http://mobile.wi-fiplanet.com/news/article.php/3784251/WPA-Vulnerability-Discovered.htm".


Hello, first, please excuse my English; it is not my native language. I wanted to know whether anyone knows how to exploit the WPA key vulnerability described in the hyperlink, an attack similar to the WEP one for recovering the keys. Thanks in advance.


You're talking about a PTW attack, which Tkiptun-ng does. It only works on systems that use TKIP without AES, which most systems today, which use WPA with AES or WPA2, aren't vulnerable to. It has to be specific to the attack. https://www.aircrack-ng.org/doku.php?id=tkiptun-ng explains in more detail.


General Requirements

Both the AP and the client must support QoS or sometimes called Wi-Fi Multi-media (WMM) on some APs.

The AP must be configured for WPA plus TKIP.

A fairly long rekeying time must be in use such as 3600 seconds. It should be at least 20 minutes.

Specific Requirements

The network card MAC address used by tkiptun-ng needs to be set to the MAC address of the client you are attacking.


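Added example, not part of the thread or of aircrack-ng: a defender-side check of a hostapd configuration against the three "General Requirements" quoted above, so an administrator can see whether an AP still meets them. The mapping of "rekeying time" to hostapd's `wpa_ptk_rekey` and `wpa_group_rekey`, the handling of unset values, and both sample configurations are assumptions made for illustration.

```python
# Added example: audits hostapd.conf text for the three quoted requirements.
REKEY_THRESHOLD_S = 20 * 60  # "at least 20 minutes", from the quoted list

def parse_hostapd(text):
    """Parse key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def pairwise_ciphers(conf):
    """Unicast ciphers offered across the enabled WPA versions (wpa is a bitfield)."""
    wpa_bits = int(conf.get("wpa", "0"))
    # Assumption: an unset wpa_pairwise is treated as TKIP.
    wpa1 = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn = set(conf["rsn_pairwise"].split()) if "rsn_pairwise" in conf else wpa1
    offered = set()
    if wpa_bits & 1:
        offered |= wpa1
    if wpa_bits & 2:
        offered |= rsn
    return offered

def audit(text):
    conf = parse_hostapd(text)
    # Assumption: "rekeying time" maps to these options; unset or 0 counts as long.
    intervals = [int(conf.get(k, "0")) for k in ("wpa_ptk_rekey", "wpa_group_rekey")]
    configured = [i for i in intervals if i > 0]
    findings = {
        "tkip_offered": "TKIP" in pairwise_ciphers(conf),
        "wmm_enabled": conf.get("wmm_enabled", "0") == "1",
        "long_rekey": not configured or min(configured) >= REKEY_THRESHOLD_S,
    }
    findings["all_requirements_met"] = all(findings.values())
    return findings

# Constructed sample configurations (not taken from any real AP).
WEAK = "wpa=1\nwpa_pairwise=TKIP\nwmm_enabled=1\nwpa_group_rekey=3600\n"
HARDENED = "wpa=2\nrsn_pairwise=CCMP\nwmm_enabled=1\nwpa_group_rekey=3600\n"

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

A configuration that reports `tkip_offered` as false fails the second requirement regardless of the other two findings.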

2 hours ago, MediaCresta said:

@digip thanks for your reply.

So if I want to make this attack, is it the same process as the WEP attack?

Reading the link that you posted, I see that this kind of attack isn't fully supported by the aircrack suite, so it isn't functional? I will try it tomorrow.


Read the page. It describes what works and doesn't, what is needed, but also that it was a POC, and not fully functional. It requires specific hardware and drivers to manage the attack and a setup scenario in place that allows the attack to happen, i.e. QoS, TKIP, no AES/Encryption on the router side with WPA. It is not a WEP attack, although the chop-chop part, I gather from aireplay-ng, was meant more as an example to explain the method of attack, not that you would use a WEP chop-chop attack for things like IVs.

* Note: I stated it incorrectly as a "PTW attack". It was worked on by one of the authors of the PTW attack (which is for a specific type of WEP attack, see https://www.aircrack-ng.org/doku.php?id=supported_packets).
