dd-wrt firmware WEP cracking
Hello,
I recently have been trying dd-wrt on one of my somewhat unused routers and decided to try to put WEP on it and crack it. Oddly to my surprise all my previous methods fail. I usually am able to inject more packets by fake-authentication and interactive (frame control 0841).
Tried this same thing and a few others on my dd-wrt router and am not able to inject and raise data count. Encryption is of course WEP OPN, only thing I notice different is MB = 54e but I don't think that has to do with encryption.
Any advice on this more advanced firmware?
I have had no difficulty breaking WEP on any firmware I have installed on my wrt's. I have tried Tomato, dd-wrt (.23 and .24) and OpenWRT, and all of them fall (more or less) equally fast. Sometimes you just need more ivs's for some keys than others.Originally Posted by PostalService
What method are you using?
Well, I have tried fake authentication (which appears successful). After that some basic no-client attacks such as interactive (with frame selection 0841) and chopchop attacks. To add I am using the latest versions of airodump-ng/aireplay-ng 1.0rc3.
These attacks never failed me before on my other access points but for some reason on the dd-wrt one I can't inject the packets so the data count does not increase. Another odd thing I should note from a fresh router boot I can't get aireplay-ng to read any packets in for its attack unless I force it (another machine authenticating to it), didn't know if the router needed some legit client on it to send that information?
Do you have mac address authentication turned on? Check your dd-wrt settings, you may have set it to require a specific mac.
Nope, I restored all factory settings in dd-wrt so the router is setup up with only a changed SSID and WEP encryption.
Edit: Odd thing I found out which turned out to work. Seems as if the router wasn't giving me any good traffic to do a client-less attack but when a client connected (another wireless card) then it instantly captured that data. What I did was fake-authentication then I did "aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <AP_BSSID> wlan0". It will read packets all day and not find anything but once a legit client does anything it finds a packet always.
I can't understand how its a client-less attack?
I don't understand this firmware I am able to successfully do fake authentication with the AP but can't get interactive packet relay or fragmentation attack to work even though they are known client-less attacks. They will constantly read packets and not find anything but once a legit client authenticates it finds information. Here is what I tried
From all I read/watched up on it is a basic client-less attack. I show authenticated in airodump-ng but aireplay fragmentation attack doesn't get any data.aireplay-ng -1 0 -a <AP BSSID> wlan0
aireplay-ng -5 -b <AP BSSID> wlan0
Any help here, also isn't a issue with my wireless card I know that.
* use spoonwep
* use my script http://forums.remote-exploit.org/showthread.php?t=12767
Cheers mate this script helped me out. Nice work!
Posting Permissions
