few questions

[caballero]

Howdy fellas,

Since I kept playing with BT3 further I have a few certain questions to which I could not find answers, so there they are:

1. My neighbour agreed to let me try to crack his AP's WEP, but since we wanted it to be more realistic (if you wanna predict actions of a hacker you have to put yourself in his position), so he did not say when he's online, etc. So when I am running "aireplay-ng --arpreplay" (also use --deauth one time) the lines are running and the numbers of "got ARP requests" are increasing, packet injection is working (i suppose). But suddenly lines stop running, though ARP request's and etc. are increasing in the last line. What does that mean, does that mean that I am still geting IV's or is something wrong? Or does that mean, that there is no trafic on my neighbours AP? I'm including a picture for a clearer view:



2. Does the range and other abilities of the wlan adapter have much influence on how much packets I can intercept/inject? When trying on my AP I was able to crack the WEP in 14 minutes (with considerable traffic of course, my HTC Diamond was watching youtube at the time), however with my neighbour's AP different story - I can keep running airdump, aireplay and aircrack the whole day and it hardly collects 25000 IV's... resulting not cracking WEP. Does the range is vital to such an attack?

3. There is a public (without password) AP in my vicinity (could be a cafee wifi or smth., so I don't think checking it out is illegal) always with 7 or so clients like kismet shows. But I am unable to connect to it even with cloning some of the clients MAC adress, so I made assumption that it's not MAC-list enabled. What could be the reason then?

EDIT:
question 4. is it possible to use several *.cap files at once to crack WEP? For example if I'm running aireplay-ng each day at the end of the day stopping it collecting ~25000 ivs, so after 4 days I would have 4 cap files each approx 25000 ivs.

[m1cha3l]

1. have you tried a clientless attack?

2. Of course range effects the injection process. most WEP is crackable in under five mins.

3.

There is a public (without password) AP in my vicinity

just because there is no encryption does not make it public. If you do not have permission from the owner then it is still illegal.

4. as for several .cap files you have the syntax already!! it would be

Code:

aircrack-ng -b 00:11:22:33:44:55  *.cap

to use all .cap files in the pwd or

Code:

aircrack-ng -s -b 00:11:22:33:44:55 filename*.cap

to use only cap files of that name

[caballero]

1. have you tried a clientless attack?

2. Of course range effects the injection process. most WEP is crackable in under five mins.

3.

just because there is no encryption does not make it public. If you do not have permission from the owner then it is still illegal.

4. as for several .cap files you have the syntax already!! it would be

Code:

aircrack-ng -b 00:11:22:33:44:55  *.cap

to use all .cap files in the pwd or

Code:

aircrack-ng -s -b 00:11:22:33:44:55 filename*.cap

to use only cap files of that name

Of course, that few commands are very useful, didn't think of that. Also there might be a naive question, but what is clientless attack?

[imported_wyze]

Of course, that few commands are very useful, didn't think of that. Also there might be a naive question, but what is clientless attack?

Just as the name infers, an attack on an access point that has no connected cients.

[caballero]

Just as the name infers, an attack on an access point that has no connected cients.

So I guess that means that it's a is futile attack which wouldn't be so futile if the client was online? I have one more question, I am somehow confused by how programs detect AP's encryption. For example WiCrawl shows, that AP is WEP encrypted, kismet shows that the same AP is WPA encrypted. Or another example - kismet shows, that AP is WEP encrypted and Wireless Assistant shows that the same AP is not encrypted at all. What does that mean? This is a real mess that I was not expecting from linux.

[imported_=Tron=]

So I guess that means that it's a is futile attack which wouldn't be so futile if the client was online?

What it means is that you have to use a different method than the ARP-replay one to be able to obtain the WEP key.

I have one more question, I am somehow confused by how programs detect AP's encryption. For example WiCrawl shows, that AP is WEP encrypted, kismet shows that the same AP is WPA encrypted. Or another example - kismet shows, that AP is WEP encrypted and Wireless Assistant shows that the same AP is not encrypted at all. What does that mean? This is a real mess that I was not expecting from linux.

I have not noticed any inconsistencies of this kind, but I would rely on the information given by Kismet as it is one of the best wireless scanners available for any platform.

[caballero]

What it means is that you have to use a different method than the ARP-replay one to be able to obtain the WEP key. I have not noticed any inconsistencies of this kind, but I would rely on the information given by Kismet as it is one of the best wireless scanners available for any platform.

I see. Yes, usually kismet agrees with airodump-ng. Would you care to shed at least some basic info about that different method to obtain the WEP key when there are no clients connected or if there are client connected, but his traffic is rather low? Because from all I have read in this forum I thought it's impossible.

[m1cha3l]

try typing "aircrack-ng" into google!

[caballero]

try typing "aircrack-ng" into google!

is it something that sounds like "Fake authentication" method then?

[imported_=Tron=]

I see. Yes, usually kismet agrees with airodump-ng. Would you care to shed at least some basic info about that different method to obtain the WEP key when there are no clients connected or if there are client connected, but his traffic is rather low? Because from all I have read in this forum I thought it's impossible.

It is most definitely possible and I do not know which posts on the forum would make you think any different. A tutorial on how to crack WEP without any connected clients can be found on the following location:
http://aircrack-ng.org/doku.php?id=h...ith_no_clients
There are also several good howtos on this subject posted on the forum.

is it something that sounds like "Fake authentication" method then?

Sounds like you should take some time to actually get to understand the process of cracking WEP a bit better. More good tutorials can be found here:
http://aircrack-ng.org/doku.php?id=tutorial