Tkiptun-ng is the proof-of-concept implementation of the WPA/TKIP attack. The attack is described in the paper "Practical attacks against WEP and WPA" by Martin Beck and Erik Tews. The paper describes advanced attacks on WEP and the first practical attack on WPA.
tkiptun-ng – inject a few frames into a WPA TKIP network with QoS
```
root@kali:~# tkiptun-ng --help

  Tkiptun-ng 1.2 rc4 - (C) 2008-2015 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: tkiptun-ng

  Filter options:

      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length (default: 80)
      -n len    : maximum packet length (default: 80)
      -t tods   : frame control, To DS bit
      -f fromds : frame control, From DS bit
      -D        : disable AP detection
      -Z        : select packets manually

  Replay options:

      -x nbpps  : number of packets per second
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination MAC address
      -h smac   : set Source MAC address
      -e essid  : set target AP SSID
      -M sec    : MIC error timeout in seconds

  Debug options:

      -K prga   : keystream for continuation
      -y file   : keystream-file for continuation
      -j        : inject FromDS packets
      -P pmk    : pmk for verification/vuln testing
      -p psk    : psk to calculate pmk with essid

  source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

      --help    : Displays this usage screen
```
- Author: Martin Beck and Erik Tews
- License: GPLv2