tkiptun-ng (1) - Linux Manuals

tkiptun-ng: inject a few frames into a WPA TKIP network with QoS


tkiptun-ng - inject a few frames into a WPA TKIP network with QoS


tkiptun-ng [options] <replay interface>


tkiptun-ng is a tool created by Martin Beck aka hirte, a member of aircrack-ng team. This tool is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created PTW attack) for a conference in PacSec 2008: "Gone in 900 Seconds, Some Crypto Issues with WPA".


-H, --help
Shows the help screen.
Filter options:
-d <dmac>
MAC address of destination.
-s <smac>
MAC address of source.
-m <len>
Minimum packet length.
-n <len>
Maximum packet length.
-t <tods>
Frame control, "To" DS bit.
-f <fromds>
Frame control, "From" DS bit.
Disable AP Detection.

Replay options:
-x <nbpps>
Number of packets per second.
-p <fctrl>
Set frame control word (hex).
-a <bssid>
Set Access Point MAC address.
-c <dmac>
Set destination MAC address.
-h <smac>
Set source MAC address.
Choose first matching packet.
-e <essid>
Set target SSID.

Debug options:
-K <prga>
Keystream for continuation.
-y <file>
Keystream file for continuation.
Inject FromFS packets.
-P <PMK>
Pairwise Master key (PMK) for verification or vulnerability testing.
-p <PSK>
Preshared key (PSK) to calculate PMK with essid.

Source options:
-i <iface>
Capture packets from this interface.
-r <file>
Extract packets from this pcap file.


This manual page was written by Thomas d'Otreppe. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.