.TH TKIPTUN-NG 8 "@MAN_RELEASE_DATE@" "@MAN_RELEASE_VERSION@"
.SH NAME
tkiptun-ng - inject a few frames into a WPA TKIP network with QoS
.SH SYNOPSIS
.B tkiptun-ng
[options] <replay interface>
.SH DESCRIPTION
.BI tkiptun-ng
is a tool created by Martin Beck (aka hirte), a member of the aircrack-ng team. It is able to inject a few frames into a WPA TKIP network with QoS. He worked with Erik Tews (who created the PTW attack) on a presentation for the PacSec 2008 conference: "Gone in 900 Seconds, Some Crypto Issues with WPA".
.SH OPERATION
.PP
.TP
.I -H, --help
Shows the help screen.
.TP
.B Filter options:
.TP
.I -d <dmac>
MAC address of destination.
.TP
.I -s <smac>
MAC address of source.
.TP
.I -m <len>
Minimum packet length.
.TP
.I -n <len>
Maximum packet length.
.TP
.I -t <tods>
Frame control, "To" DS bit.
.TP
.I -f <fromds>
Frame control, "From" DS bit.
.TP
.I -D
Disable AP Detection.
.PP
.TP
.B Replay options:
.TP
.I -x <nbpps>
Number of packets per second.
.TP
.I -p <fctrl>
Set frame control word (hex).
.TP
.I -a <bssid>
Set Access Point MAC address.
.TP
.I -c <dmac>
Set destination MAC address.
.TP
.I -h <smac>
Set source MAC address.
.TP
.I -e <essid>
Set target SSID.
.TP
.I -M <sec>
MIC error timeout in seconds. Default: 60 seconds.
.PP
.TP
.B Debug options:
.TP
.I -K <prga>
Keystream for continuation.
.TP
.I -y <file>
Keystream file for continuation.
.TP
.I -j
Inject FromDS packets.
.TP
.I -P <PMK>
Pairwise Master Key (PMK) for verification or vulnerability testing.
.TP
.I -p <PSK>
Pre-shared key (PSK), used together with the ESSID to calculate the PMK.
.PP
.TP
.B Source options:
.TP
.I -i <iface>
Capture packets from this interface.
.TP
.I -r <file>
Extract packets from this pcap file.
.SH AUTHOR
This manual page was written by Thomas d\(aqOtreppe.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License, Version 2 or any later version published by the Free Software Foundation.
On Debian systems, the complete text of the GNU General Public License can be found in /usr/share/common-licenses/GPL.
.SH SEE ALSO
.br
.B airbase-ng(8)
.br
.B aireplay-ng(8)
.br
.B airmon-ng(8)
.br
.B airodump-ng(8)
.br
.B airodump-ng-oui-update(8)
.br
.B airserv-ng(8)
.br
.B airtun-ng(8)
.br
.B besside-ng(8)
.br
.B easside-ng(8)
.br
.B wesside-ng(8)
.br
.B aircrack-ng(1)
.br
.B airdecap-ng(1)
.br
.B airdecloak-ng(1)
.br
.B airolib-ng(1)
.br
.B besside-ng-crawler(1)
.br
.B buddy-ng(1)
.br
.B ivstools(1)
.br
.B kstats(1)
.br
.B makeivs-ng(1)
.br
.B packetforge-ng(1)
.br
.B wpaclean(1)
.br
.B airventriloquist(8)