
Thread: Some detailed questions about WEP cracking

  1. #1
    Just burned his ISO
    Join Date
    Apr 2007
    Posts
    7

    Some detailed questions about WEP cracking

    Howdy all,

    I'm trying my hand at WEP cracking again after trying it a couple of years ago. Back then, I didn't do any aireplay stuff, so it was just airodump, wait a few weeks, and then run aircrack.

    I'm now experimenting with aireplay/injection, with zero results to show for it. So, I've got some questions which are along the lines of "Injection isn't working. Why not?", but I'm hoping that I've managed to do a little more homework and that I'm providing a bit more detail about the issues that I'm having, in the hopes that it will help future readers know whether they're having the same problem that I'm having.

    To help pay back the community here in exchange for help with this long post, I'm putting together a little script that should make it a lot easier to use the aircrack tools (it's not as fancy as airoscript... but it will work without xterm, though). It looks through the .txt file that airodump-ng creates and generates a list of all of the aireplay-ng command-lines necessary for all of the AP's and clients found... sorted in order of most-recent activity (so you don't try to deauth a client that was last seen 6 hours ago). This way, you don't have to keep jotting down BSSID's and ESSID's and typing them into other command windows. You just copy/paste a whole line into another command window and you're off and running.

    However, I'm still learning how to actually use these tools, so I'm not sure that I'm putting the correct MAC/BSSID's in for the right parameters. I was hoping you guys could help me out.

    First off, setting the mode of the card. Some of the WEP cracking HOWTO's I've come across first tell you to put your nic into monitor mode with a host of commands... iwconfig this, iwpriv that, set the channel, etc, etc, etc. All I did was just use airmon-ng and, after that, iwconfig shows the nic as being in "Mode: Monitor" and airodump-ng collects lots of packets, sees lots of AP's and clients. HOWEVER... none of the aireplay-ng stuff is giving the results I see in the tutorial.

    QUESTION: Is it enough to just use airmon-ng to turn on monitor mode on my card? If I get "Mode: Monitor" in iwconfig, is that enough, or is there something more that I have to do?

    Next, regarding the various aireplay-ng attacks....

    A --fragment attack gives:
    Saving chosen packet in replay_src-0414-172606.cap
    Data packet found!
    Sending fragmented packet
    No answer, repeating...
    Trying a LLC NULL packet
    Sending fragmented packet
    No answer, repeating...
    Sending fragmented packet
    No answer, repeating...
    ...

    A --fakeauth attack gives:
    17:28:50 Sending Authentication Request
    17:28:53 Sending Authentication Request
    17:28:56 Sending Authentication Request
    ...

    A --arpreplay attack claims to find some ARP packets and claims to be sending them back out, but I never see any increase in number of IV's/sec.

    A --deauth attack gives:
    17:31:33 Sending DeAuth to station -- STMAC: [00:11:22:33:44:55]
    17:31:34 Sending DeAuth to station -- STMAC: [00:11:22:33:44:55]
    17:31:36 Sending DeAuth to station -- STMAC: [00:11:22:33:44:55]

    These results are from my RT2500 card, but I get the same thing with both of my Atheros cards. Also, this is using the same card that I'm using for airodump. I don't know if this means that my cards are just not really doing the injection or if they are doing the injection and I'm just hitting up against AP's that are immune to it or something.

    QUESTION: If my card/driver doesn't support aireplay injection, am I guaranteed to get some warning or error from aireplay, or, instead, will aireplay just act like it's doing what it's supposed to (like in the above examples) and then nothing ever happens?

    As the various injection attacks come into vogue, I imagine that the AP manufacturers might actually be immunizing their AP's (as much as they can, anyway) against such attacks aimed at increasing IV's.

    QUESTION: Is that a realistic concern? Has anybody noticed newer AP's being less susceptible to aireplay? Or is any failure to generate more IV's almost always due to injection problems on the card?

    Next, which MAC addresses to use. With the various aireplay attacks, you usually have to supply two MAC addresses. One is the BSSID of the target AP. The second, however, seems to sometimes be the MAC of a client and sometimes is the MAC of the interface you're using for the attack.

    QUESTION: For once and for all, which attacks (deauth, fragment, fakeauth, chopchop, arpreplay) require the MAC of an associated client, which require your MAC, and which, if any, require, allow, or recommend you use a fake one? For the ones which require an associated client, how "fresh" does the client need to be (how recently seen?).

    Next, capturing/injecting on the same card. In my recent dealings with airodump, I've noticed that I can now capture from all channels at once. A couple of years ago, I had to set the channel, explicitly. So, I'm wondering what else has changed since then. Back then, you also had to use separate cards to capture and to inject.

    QUESTIONS: Is it now possible to capture and inject with the same card? Or does it depend upon the card. If it depends upon the card, which ones let you do everything with just one? If you do have a card that lets you do everything with one, is there still some advantage to using separate cards?

    Lastly, I'm considering buying some more wifi adaptors to use with my laptop or carputer. For that reason, they need to either be USB or PCMCIA. Secondly, I've served my time in the past fetching kernel patches or latest CVS drivers and then rebuilding either the kernel or the drivers and hassling with compiler errors, etc. Those days are over. I only want a card that supports everything airodump and aireplay can throw at it, and can do it with the existing drivers in the standard mainline Linux kernel 2.6.18 or higher that comes with Debian/Ubuntu... or, failing that, with the kernel on the BT2 disc. Lastly, it's gotta have a RP-SMX or MMCX (or similar) antenna connector (preferably RP-SMX) because all of my antennas have that on the other end. I've read a bunch of the compatibility stuff at aircrack-ng.org and the "What card should I buy?" sticky thread here, but I'm having a hard time cross-referencing that data to finding something on eBay that I know is going to spell the end of my problems. Any suggestions? By that, I don't mean "Something with an Atheros chip". I'm looking for a specific model number that I can plug-n-play, attach an antenna, airodump with channel-hopping, aireplay, etc. Ideas?

    Looking at a few items currently on eBay, does anybody have any experience with items #110113390647, 290103277486 (the Alfa USB-Key type), 290104727259 (the Alfa pack-of-cigarettes-sized 500mW one)?

    Millions of thanks in advance...
    - Joe
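
    The first post describes a script that parses the airodump-ng text output to list APs and clients by most recent activity. The following is an added Python example, not Joe's script and not code from the aircrack-ng project, that reads the same file from the network owner's side: it reports which networks in a capture still run WEP and which of them still have clients on them, so they can be migrated first. It assumes the aircrack-ng 1.x CSV column layout (the 2007-era file had fewer columns); the sample capture embedded in it, including every MAC, time and ESSID, is constructed.

```python
import csv
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the layout of an airodump-ng CSV capture file
# (assumed aircrack-ng 1.x column set; the 2007-era file had fewer columns).
# Every MAC, timestamp and ESSID below is made up for this example.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2007-04-14 16:02:10, 2007-04-14 17:26:06,  6,  54, WEP, WEP, , -61, 1510,  350,   0.  0.  0.  0,   7, homenet, 
00:11:22:33:44:66, 2007-04-14 16:05:44, 2007-04-14 17:26:01, 11,  54, WPA2, CCMP, PSK, -70,  980,    0,   0.  0.  0.  0,   6, office, 
00:11:22:33:44:77, 2007-04-14 11:20:00, 2007-04-14 11:31:12,  1,  11, WEP, WEP, , -84,   40,   12,   0.  0.  0.  0,   8, oldprint, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2007-04-14 17:10:00, 2007-04-14 17:25:59, -50,  400, 00:11:22:33:44:55, homenet
AA:BB:CC:DD:EE:02, 2007-04-14 16:05:00, 2007-04-14 16:11:10, -72,   12, 00:11:22:33:44:55, 
AA:BB:CC:DD:EE:03, 2007-04-14 17:20:00, 2007-04-14 17:26:03, -55,  900, 00:11:22:33:44:66, office
AA:BB:CC:DD:EE:04, 2007-04-14 17:00:00, 2007-04-14 17:24:00, -60,   30, (not associated), homenet,linksys
"""

# Reference time for the sample, i.e. when the capture was stopped (constructed).
SAMPLE_NOW = datetime(2007, 4, 14, 17, 30, 0)


def _parse_section(lines):
    """Parse one section (header row plus data rows) into a list of dicts."""
    rows = list(csv.reader(lines, skipinitialspace=True))
    if not rows:
        return []
    header = [h.strip() for h in rows[0]]
    n = len(header)
    records = []
    for row in rows[1:]:
        if not row or not row[0].strip():
            continue
        # airodump-ng writes several probed ESSIDs comma-separated in the
        # last column, which breaks plain CSV; fold overflow fields back in.
        fields = row[: n - 1] + [",".join(row[n - 1 :])]
        records.append({k: v.strip() for k, v in zip(header, fields)})
    return records


def parse_airodump_csv(text):
    """Split the file into its AP and station sections and parse both."""
    aps, stations = [], []
    for block in text.split("\n\n"):
        lines = block.strip().splitlines()
        if not lines:
            continue
        if lines[0].startswith("BSSID"):
            aps = _parse_section(lines)
        elif lines[0].startswith("Station MAC"):
            stations = _parse_section(lines)
    return aps, stations


def wep_audit(text, now, stale_after=timedelta(hours=1)):
    """Report every WEP-protected AP, whether it was seen recently, and
    which stations were active on it within `stale_after` of `now`."""
    aps, stations = parse_airodump_csv(text)
    by_bssid = {}
    for st in stations:
        by_bssid.setdefault(st["BSSID"], []).append(st)

    findings = []
    for ap in aps:
        if "WEP" not in ap["Privacy"]:
            continue
        last_seen = datetime.strptime(ap["Last time seen"], TIME_FMT)
        active = [
            st["Station MAC"]
            for st in by_bssid.get(ap["BSSID"], [])
            if now - datetime.strptime(st["Last time seen"], TIME_FMT) <= stale_after
        ]
        findings.append({
            "essid": ap["ESSID"],
            "bssid": ap["BSSID"],
            "channel": int(ap["channel"]),
            "ivs": int(ap["# IV"]),
            "stale": now - last_seen > stale_after,
            "active_clients": active,
        })
    # Live networks with the most active clients first: those are the
    # ones an owner should migrate off WEP before anything else.
    findings.sort(key=lambda f: (f["stale"], -len(f["active_clients"])))
    return findings


def audit_sample():
    """Run the audit over the constructed sample capture."""
    return wep_audit(SAMPLE_CSV, SAMPLE_NOW)


if __name__ == "__main__":
    for f in audit_sample():
        state = "stale" if f["stale"] else "live"
        print(f"{f['essid']:<10} {f['bssid']} ch{f['channel']:<2} IVs={f['ivs']:<5} "
              f"{state} active clients: {', '.join(f['active_clients']) or '-'}")
```

    The "# IV" column is the same counter the thread is trying to raise: a WEP network that already shows hundreds of IVs during a short capture is being used, and the "Last time seen" columns tell you whether the AP and its clients are current or leftovers from hours ago. Point the script at a real `prefix-01.csv` by replacing `SAMPLE_CSV` with the file's contents and `SAMPLE_NOW` with the time the capture ended.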

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    I've only been using BT for a month or so and, between this forum, the aircrack site and the BT wiki, every one of those questions has been covered.

    Google is the sharpest tool in the hacker's shed.

  3. #3
    Itssid
    Guest

    We are not hackers, just to let you know. And yeah, try Google.

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    I'm going to leave this alone since you seem to be a member of the idiot corner league.

  5. #5
    Just burned his ISO
    Join Date
    Apr 2007
    Posts
    7

    Quote Originally Posted by purehate
    I've only been using BT for a month or so and, between this forum, the aircrack site and the BT wiki, every one of those questions has been covered.
    Well, I'm very glad for you that it "just worked" for you. I've googled for everything I can find on the topic and everybody seems to have conflicting advice.

    So far, I've tried a total of 8 different cards (a mini-PCI ipw2200, 2 different PCI rt2500's, 2 different PCI Atheros cards, a PCMCIA Orinoco Silver, a USB Ra2570, and a USB RT73) with 5 different antennas (a Proxim square plate, a home-made waveguide cantenna, a 4-foot home-made Yagi, a home-made bi-quad, and an off-the-shelf SMC 6dB) on three different PC's... trying to attack new and older AP's.

    Using various combinations of these, I can say that after about 20 hours of reading and 40-60 hours of working with BackTrack, I've *never* gotten a fragmentation attack to work even ONCE. It always gives me
    Sending fragmented packet
    No answer, repeating
    Trying a LLC NULL packet
    ...
    Since aireplay asks me if I should use each particular packet, I'd figure that I'm supposed to make some judgement regarding the packet's suitability (otherwise, why would it ask?), yet I've not come across a single site that details what I should be looking for in order to decide whether to tell aireplay yes or no.

    So, again...I'm glad that it worked for you. But don't assume, simply by virtue of the fact that it doesn't work for someone else and they ask for help, that they didn't bother to read or do a lot of legwork on their own and that they're just expecting the forum to do all of the work for them.

    - Joe

  6. #6
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Quote Originally Posted by jemenake
    So far, I've tried a total of 8 different cards (a mini-PCI ipw2200, 2 different PCI rt2500's, 2 different PCI Atheros cards, a PCMCIA Orinoco Silver, a USB Ra2570, and a USB RT73) with 5 different antennas (a Proxim square plate, a home-made waveguide cantenna, a 4-foot home-made Yagi, a home-made bi-quad, and an off-the-shelf SMC 6dB) on three different PC's... trying to attack new and older AP's.
    Instead of shooting in the dark, why not try a card that is already listed as being supported?
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  7. #7
    Just burned his ISO
    Join Date
    Apr 2007
    Posts
    7

    Quote Originally Posted by theprez98
    Instead of shooting in the dark, why not try a card that is already listed as being supported?
    Uhh... the BT2 hardware compatibility list at backtrack.offensive-security.com/index.php?title=HCL:Wireless#Wireless_Cards_And_Drivers says that the Atheros (aka MadWifi-ng), Prism54 (which I forgot to list earlier) and ipw2200 have been patched for injection on the BT2 disc. It doesn't say if the other drivers already supported injection (and so didn't need patching), but the information section for the RT73 lists specific instructions for enabling injection.

    So... ummm... what was that you said about I should use a card that's listed as having support?

  8. #8
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Quote Originally Posted by jemenake
    Uhh... the BT2 hardware compatibility list at backtrack.offensive-security.com/index.php?title=HCL:Wireless#Wireless_Cards_And_Drivers says that the Atheros (aka MadWifi-ng), Prism54 (which I forgot to list earlier) and ipw2200 have been patched for injection on the BT2 disc. It doesn't say if the other drivers already supported injection (and so didn't need patching), but the information section for the RT73 lists specific instructions for enabling injection.

    So... ummm... what was that you said about I should use a card that's listed as having support?
    There is a difference, albeit slight, in what I suggested and what you are saying. I understand full and well that the drivers listed are patched. However, I'm not talking about drivers, I'm talking about specific cards. What I am suggesting is to try a specific card that is listed or is known to work. Some cards, for whatever reason, even if they are using a compatible chipset, may not work with the listed drivers. Or maybe they will. My idea was to try to narrow down the problem.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  9. #9
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    OK, let's start over. I'm using a Netgear 511t with an Atheros chipset. The reason I'm using this card is because I did my homework. I'm sorry if I came off rude; it's just that the "which card" issue has been exhausted in these forums. As far as I know, if you have a card with an Atheros chipset the madwifi drivers should work.
    Now then, let's look at your problem with the fragment attack. How many times did you try the attack? Sometimes it can take a few tries. How far are you from the AP? It's been my experience that with a power reading of less than ten in airodump the attack will fail. Have you tried the chop-chop attack? This seems to work for me in some situations; the end resulting ARP request is the same as in the frag attack. And lastly, since I'm assuming this is your AP or you have permission, did you try to associate with another laptop and then do an aireplay -3 attack from close by to see if you were injecting? And last, have you tried another laptop? These are all questions you should have answered before you say nothing works. If all else fails, maybe you should reburn your ISO; I recommend doing it at 2x speed. I'm not being an asshole, really. It's just that most of the problems I have with BT2 are user error (that being me) and not enough testing. And finally, did you read the part in the aircrack instructions where it says sometimes this doesn't work? Tough shit, move on to your next target.

  10. #10
    Junior Member
    Join Date
    Apr 2007
    Posts
    44

    QUESTION: Is it enough to just use airmon-ng to turn on monitor mode on my card? If I get "Mode: Monitor" in iwconfig, is that enough, or is there something more that I have to do?
    Actually, you also should lock into the channel you are monitoring. That's why I use Kismet. It automatically sets your adapter into monitor mode and also enables you to lock onto a client. Also, it gives you some detailed info on the AP such as all the MACs etc.

    QUESTION: If my card/driver doesn't support aireplay injection, am I guaranteed to get some warning or error from aireplay, or, instead, will aireplay just act like it's doing what it's supposed to (like in the above examples) and then nothing ever happens?
    No. I use, among others, the IPW2200 and it sends thousands of packets but it doesn't support injection (as far as I know).

    QUESTION: Is that a realistic concern? Has anybody noticed newer AP's being less susceptible to aireplay? Or is any failure to generate more IV's almost always due to injection problems on the card?
    Dunno

    Next, which MAC addresses to use. With the various aireplay attacks, you usually have to supply two MAC addresses. One is the BSSID of the target AP. The second, however, seems to sometimes be the MAC of a client and sometimes is the MAC of the interface you're using for the attack.

    QUESTION: For once and for all, which attacks (deauth, fragment, fakeauth, chopchop, arpreplay) require the MAC of an associated client, which require your MAC, and which, if any, require, allow, or recommend you use a fake one? For the ones which require an associated client, how "fresh" does the client need to be (how recently seen?).
    For de-auth and packet injection (ARP replay) you need both the AP MAC as well as the MAC address of an associated client. So the setup is: 1 AP, 1 laptop using BT to crack the code, 1 laptop (i.e. Windows XP) that is associated with the AP.
    For the de-auth and the ARP replay command you use the AP MAC and the WinXP client MAC. Don't use the MAC of the laptop running BT.

    QUESTIONS: Is it now possible to capture and inject with the same card? Or does it depend upon the card. If it depends upon the card, which ones let you do everything with just one? If you do have a card that lets you do everything with one, is there still some advantage to using separate cards?
    You should be able to do both with the same card. Unless you are using the IPW2200 which seems to be required to be associated with an AP before it can inject


    Good luck and please post that script
