Thread: dd-wrt firmware WEP cracking

  1. #1
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    22

    Default dd-wrt firmware WEP cracking

    Hello,

    I recently have been trying dd-wrt on one of my somewhat unused routers and decided to try to put WEP on it and crack it. Oddly, to my surprise, all my previous methods fail. I usually am able to inject more packets by fake-authentication and interactive (frame control 0841).

    Tried this same thing and a few others on my dd-wrt router and am not able to inject and raise the data count. Encryption is of course WEP OPN; the only thing I notice different is MB = 54e, but I don't think that has to do with encryption.

    Any advice on this more advanced firmware?

  2. #2
    Member
    Join Date
    Jan 2010
    Posts
    159

    Default

    Quote Originally Posted by PostalService View Post
    Hello,

    I recently have been trying dd-wrt on one of my somewhat unused routers and decided to try to put WEP on it and crack it. Oddly, to my surprise, all my previous methods fail. I usually am able to inject more packets by fake-authentication and interactive (frame control 0841).

    Tried this same thing and a few others on my dd-wrt router and am not able to inject and raise the data count. Encryption is of course WEP OPN; the only thing I notice different is MB = 54e, but I don't think that has to do with encryption.

    Any advice on this more advanced firmware?
    I have had no difficulty breaking WEP on any firmware I have installed on my WRTs. I have tried Tomato, dd-wrt (.23 and .24) and OpenWRT, and all of them fall (more or less) equally fast. Sometimes you just need more IVs for some keys than others.

    What method are you using?

  3. #3
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    22

    Default

    Well, I have tried fake authentication (which appears successful). After that, some basic no-client attacks such as interactive (with frame selection 0841) and chopchop attacks. To add, I am using the latest versions of airodump-ng/aireplay-ng, 1.0rc3.

    These attacks never failed me before on my other access points, but for some reason on the dd-wrt one I can't inject the packets, so the data count does not increase. Another odd thing I should note: from a fresh router boot I can't get aireplay-ng to read any packets in for its attack unless I force it (another machine authenticating to it). Didn't know if the router needed some legit client on it to send that information?

  4. #4
    Member
    Join Date
    Jan 2010
    Posts
    159

    Default

    Quote Originally Posted by PostalService View Post
    Well, I have tried fake authentication (which appears successful). After that, some basic no-client attacks such as interactive (with frame selection 0841) and chopchop attacks.

    These attacks never failed me before on my other access points, but for some reason on the dd-wrt one I can't inject the packets, so the data count does not increase. Another odd thing I should note: from a fresh router boot I can't get aireplay-ng to read any packets in for its attack unless I force it (another machine authenticating to it). Didn't know if the router needed some legit client on it to send that information?
    Do you have mac address authentication turned on? Check your dd-wrt settings, you may have set it to require a specific mac.

  5. #5
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    22

    Default

    Quote Originally Posted by Mr. Flibble View Post
    Do you have mac address authentication turned on? Check your dd-wrt settings, you may have set it to require a specific mac.
    Nope, I restored all factory settings in dd-wrt, so the router is set up with only a changed SSID and WEP encryption.

    Edit: Odd thing I found out which turned out to work. Seems as if the router wasn't giving me any good traffic to do a client-less attack, but when a client connected (another wireless card) then it instantly captured that data. What I did was fake-authentication, then I did "aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <AP_BSSID> wlan0". It will read packets all day and not find anything, but once a legit client does anything it always finds a packet.

    I can't understand how it's a client-less attack?
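    As an added note on what the "0841" frame-control value in the command above actually encodes, and not part of this thread: a constructed Python example that decodes the 802.11 frame control field and, from the monitoring side, flags the tell-tale signature of replayed WEP frames (the same IV re-sent many times by one transmitter). The BSSID and client MACs are made up.

```python
from collections import Counter
import struct

# Constructed addresses (not from the thread).
AP = bytes.fromhex("020000000001")      # BSSID
CLIENT = bytes.fromhex("020000000002")  # a legitimate station
BCAST = bytes.fromhex("ffffffffffff")

def parse_frame_control(fc: bytes) -> dict:
    """Decode the 2-byte frame control field. aireplay-ng's '-p 0841'
    sets byte0 = 0x08 and byte1 = 0x41 on the wire."""
    b0, b1 = fc[0], fc[1]
    return {
        "type": (b0 >> 2) & 0x3,        # 2 = data frame
        "subtype": (b0 >> 4) & 0xF,     # 0 = plain data
        "to_ds": bool(b1 & 0x01),       # station -> AP direction
        "from_ds": bool(b1 & 0x02),
        "protected": bool(b1 & 0x40),   # WEP/WPA encryption bit
    }

def build_wep_frame(dst: bytes, src: bytes, bssid: bytes, iv: bytes, seq: int = 0) -> bytes:
    """Constructed ToDS data frame: 24-byte MAC header then 4-byte WEP header
    (3-byte IV + key index). With ToDS=1, addr1=BSSID, addr2=SA, addr3=DA."""
    return (b"\x08\x41" + b"\x00\x00" + bssid + src + dst
            + struct.pack("<H", seq << 4) + iv + b"\x00")

def wep_replay_report(frames: list, threshold: int = 3) -> dict:
    """Count (transmitter, IV) pairs among protected data frames. A live WEP
    client cycles its IV every frame; the same IV arriving repeatedly from one
    source is the signature of an injected replay rather than real traffic."""
    counts = Counter()
    for f in frames:
        fc = parse_frame_control(f[0:2])
        if fc["type"] != 2 or not fc["protected"]:
            continue
        transmitter = f[10:16].hex()    # addr2
        iv = f[24:27].hex()             # first 3 bytes after the MAC header
        counts[(transmitter, iv)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}

def demo_frames() -> list:
    """Two genuine-looking frames with distinct IVs, then one frame replayed
    five times to the broadcast address, as a replay tool would send it."""
    genuine = [build_wep_frame(AP, CLIENT, AP, bytes([1, 0, i]), seq=i) for i in range(2)]
    replayed = [build_wep_frame(BCAST, CLIENT, AP, b"\x0a\x0b\x0c", seq=7)] * 5
    return genuine + replayed
```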

  6. #6
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    22

    Default

    I don't understand this firmware. I am able to successfully do fake authentication with the AP, but can't get interactive packet replay or the fragmentation attack to work, even though they are known client-less attacks. They will constantly read packets and not find anything, but once a legit client authenticates it finds information. Here is what I tried:

    aireplay-ng -1 0 -a <AP BSSID> wlan0
    aireplay-ng -5 -b <AP BSSID> wlan0
    From all I read/watched up on, it is a basic client-less attack. I show as authenticated in airodump-ng, but the aireplay fragmentation attack doesn't get any data.

    Any help here? Also, it isn't an issue with my wireless card, I know that.

  7. #7
    Good friend of the forums
    Join Date
    Feb 2010
    Posts
    328

  8. #8
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    22

    Default

    Cheers mate this script helped me out. Nice work!
