
Thread: WEP on an AP with no datatraffic

  1. #1 wotterspoon (Just burned his ISO; joined May 2007; 8 posts)

    WEP on an AP with no datatraffic

    Hi all,

    I've set up an AP with WEP encryption to play around with. The AP is not connected to any network, no clients are associated and no data is being transferred. The goal is to acquire the WEP key. I've set up a 40-bit key to make it a bit easier on myself.

    So, I did a fake auth. That worked, I successfully associated to the AP (open authentication on the AP).
    Then, I tried to ARP replay, frag attack and chop-chop attack. I also tried to force ARP requests from the AP by deauthing my fake connection. I wasn't able to gather any data packets and thus IVs.

    I don't get it. It seems to me that ARP packets are sent between the AP and the (fake) client when initiating the connection.

    So, my question: do I need data traffic on the AP for the attacks to be successful?
    Or am I doing something wrong here?
    Could someone please explain this to me, because I don't get it. I'm particularly interested in a technical answer instead of what tools to use, because I want to understand why it doesn't work.

    BTW: my AP has no DHCP support.

    Thanks in advance!!

  2. #2 theprez98 (Moderator; Maryland; joined Jan 2010; 2,533 posts)

    Quote Originally Posted by wotterspoon View Post
    Hi all,

    I've set up an AP with WEP encryption to play around with. The AP is not connected to any network, no clients are associated and no data is being transferred. The goal is to acquire the WEP key. I've set up a 40-bit key to make it a bit easier on myself.

    So, I did a fake auth. That worked, I successfully associated to the AP (open authentication on the AP).
    Then, I tried to ARP replay, frag attack and chop-chop attack. I also tried to force ARP requests from the AP by deauthing my fake connection. I wasn't able to gather any data packets and thus IVs.

    I don't get it. It seems to me that ARP packets are sent between the AP and the (fake) client when initiating the connection.

    So, my question: do I need data traffic on the AP for the attacks to be successful?
    Or am I doing something wrong here?
    Could someone please explain this to me, because I don't get it. I'm particularly interested in a technical answer instead of what tools to use, because I want to understand why it doesn't work.

    BTW: my AP has no DHCP support.

    Thanks in advance!!
    The fragmentation attack should work without any clients. I have run it against my AP which is also not connected to any network. Are you following any tutorial? muts posted a very good 'clientless WEP cracking using the fragmentation attack' over at Milw0rm.

    The ARP request replay attack (-2) will fail if there is no traffic.

    I haven't used chopchop, so I couldn't tell you anything useful regarding it.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  3. #3 Xploitz (Senior Member; joined Apr 2007; 3,385 posts)

    Quote Originally Posted by theprez98 View Post
    The ARP request replay attack (-2) will fail if there is no traffic.
    I rarely disagree with theprez98 cause he helped me out when I was a rookie to all of this and I respect him...but this time I beg to differ with you theprez98...the ARP request actually is the -3 attack, not the -2 attack...and it WILL work if there is no traffic. How do I know this??? Because I had my internet connection turned off cause I didn't pay the bill...and I can still associate, authenticate and get ALL attacks to work. The -3 or ARP request attack works cause the AP (router) sends out an ARP request every few minutes or so. So I suggest, wotterspoon, that you make sure you're on the same channel as your AP and try the -3 attack after you successfully associate with your AP, and wait a few minutes for your AP to produce a single ARP request. Patience is always the key with the -3 attack.

    --=Xploitz=-- ®
    Remote-Exploit.org's Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=9063)
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial" (http://forums.remote-exploit.org/showthread.php?t=7872)
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial" (http://forums.remote-exploit.org/showthread.php?t=8230)
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases" (http://forums.remote-exploit.org/showthread.php?t=8041)

  4. #4 Jhonnie (Just burned his ISO; joined Apr 2007; 4 posts)

    As I understand it, wotterspoon has a simple AP, not a router. The AP doesn't have a DHCP server and it is not connected to any network. Can anybody explain to me what event would trigger the AP to send an ARP; and above all, why?

    I don't understand the suggestion of 'unpredictable' sending of ARP's by the AP. Why would the AP do that? TIA.

  5. #5 Xploitz (Senior Member; joined Apr 2007; 3,385 posts)

    Quote Originally Posted by Jhonnie View Post
    As I understand Wotterspoon has a simple AP, not a router. The AP doesn't have a DHCP server and it is not connected to any network.
    An AP (access point) is a wireless router..or at least I believe that's what an AP is, or it could be another wireless laptop..and he doesn't have it connected to a network...I know that you can take a router and completely disconnect it from ANY computer..and it will still spit out an ARP request.

    Quote Originally Posted by Jhonnie View Post
    Can anybody explain me what event would trigger the AP to send an ARP; and above all, why?

    I don't understand the suggestion of 'unpredictable' sending of ARP's by the AP. Why would the AP do that? TIA.
    Pinging a non-existent IP address from the wired computer on a network would generate an ARP request...as far as why..I admit I don't know why this works but it does. Maybe someone else can answer the technical details of the "how it works and why it works." I bet theprez would know if he reads this.

  6. #6 shamanvirtuel (Senior Member; Somewhere in the "Ex" human right country; joined Mar 2010; 2,988 posts)

    I think some tools like arp-sk can help you

    or making an ICMP ping flood will generate some ARPs
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  7. #7 theprez98 (Moderator; Maryland; joined Jan 2010; 2,533 posts)

    Quote Originally Posted by Xploitz View Post
    I rarely disagree with theprez98 cause he helped me out when I was a rookie to all of this and I respect him...but this time I beg to differ with you theprez98...the ARP request actually is the -3 attack, not the -2 attack...and it WILL work if there is no traffic. How do I know this??? Because I had my internet connection turned off cause I didn't pay the bill...and I can still associate, authenticate and get ALL attacks to work. The -3 or ARP request attack works cause the AP (router) sends out an ARP request every few minutes or so. So I suggest, wotterspoon, that you make sure you're on the same channel as your AP and try the -3 attack after you successfully associate with your AP, and wait a few minutes for your AP to produce a single ARP request. Patience is always the key with the -3 attack.
    While I mistyped the ARP Request Replay attack as attack 2 vice attack 3, I stand by what I said, and the Aircrack-ng site says the same thing on the Aireplay page:

    (http://www.aircrack-ng.org/doku.php?...st_reinjection)

    If you scroll down to "Usage Example":
    "You may have to wait for a couple of minutes, or even longer, until an ARP request shows up. This attack will fail if there is no traffic."
    It may work, but according to the aireplay documentation for attack 3, it shouldn't work.

  8. #8 Xploitz (Senior Member; joined Apr 2007; 3,385 posts)

    Quote Originally Posted by theprez98 View Post

    It may work, but according to the aireplay documentation for attack 3, it shouldn't work.
    Well...maybe it was just a fluke in my case then theprez??? But I swear the attack did work the one time I tried it with absolutely NO data, no clients..and no connection...with only the router's power plugged in.

  9. #9 wotterspoon (Just burned his ISO; joined May 2007; 8 posts)

    Quote Originally Posted by Xploitz View Post
    An AP (access point) is a wireless router..or at least I believe that's what an AP is, or it could be another wireless laptop..and he doesn't have it connected to a network...I know that you can take a router and completely disconnect it from ANY computer..and it will still spit out an ARP request.
    No, an AP is not a wireless router. A router "routes" data packets through networks and can interconnect networks; an AP is for connecting multiple computers together. This AP I'm using has no DHCP, so IP addresses are not being designated by the AP.

    Quote Originally Posted by Xploitz View Post
    Pinging a non-existent IP address from the wired computer on a network would generate an ARP request...as far as why..I admit I don't know why this works but it does. Maybe someone else can answer the technical details of the "how it works and why it works." I bet theprez would know if he reads this.
    If you ping, the PC first needs to know which MAC corresponds to the IP you are pinging. That's where ARP comes in. ARP sends a packet away basically saying: "hey, who has IP xxx.xxx.x.x?" The ARP reply will be a data packet like "hey, I'm IP xxx.xx.x.x, my MAC is xx:xx:xx:xx:xx:xx".
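    The ARP exchange post #9 describes, as an added example that is not part of the original thread and not aircrack-ng code: a Python builder and decoder for RFC 826 ARP packets that runs one who-has / is-at round trip on constructed addresses (the 192.168.1.x addresses and 02:00:... MACs are sample values, not taken from the thread). It also shows the point behind the whole discussion: an ARP request originates from a host's IP stack when it needs to reach an address it has no MAC for, so an idle AP with no associated client sending IP traffic produces nothing to capture.

```python
"""ARP request/reply exchange (RFC 826) built and decoded from raw bytes.

Added example for this thread; not code from the forum or from aircrack-ng.
All addresses used below are constructed sample values.
"""
import ipaddress
import struct

HTYPE_ETHERNET = 1       # hardware type 1 = Ethernet (ARP over 802.11 uses the same value)
PTYPE_IPV4 = 0x0800      # protocol type = IPv4
OP_REQUEST = 1           # "who has X? tell Y"
OP_REPLY = 2             # "X is at MAC"
_ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(_ARP_FMT)  # 28 bytes
ZERO_MAC = "00:00:00:00:00:00"       # target MAC field of a request is unknown, so zero


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialise one ARP packet (the payload that follows the link-layer header)."""
    return struct.pack(
        _ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
        mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )


def parse_arp(data: bytes) -> dict:
    """Decode an ARP packet; rejects truncated or non-Ethernet/IPv4 packets."""
    if len(data) < ARP_LEN:
        raise ValueError(f"truncated ARP packet: {len(data)} bytes, need {ARP_LEN}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        _ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def describe(pkt: dict) -> str:
    """Plain-English reading of a decoded packet, matching the wording in the post."""
    if pkt["op"] == OP_REQUEST:
        return f"who has {pkt['target_ip']}? tell {pkt['sender_ip']}"
    if pkt["op"] == OP_REPLY:
        return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"
    return f"unknown ARP opcode {pkt['op']}"


def make_reply(request: dict, my_mac: str) -> bytes:
    """What the host owning request['target_ip'] sends back: sender/target roles swap."""
    if request["op"] != OP_REQUEST:
        raise ValueError("can only reply to an ARP request")
    return build_arp(OP_REPLY, my_mac, request["target_ip"],
                     request["sender_mac"], request["sender_ip"])


def exchange(asker_mac: str, asker_ip: str, owner_mac: str, owner_ip: str):
    """Run one request/reply round trip and return both decoded packets."""
    req = parse_arp(build_arp(OP_REQUEST, asker_mac, asker_ip, ZERO_MAC, owner_ip))
    rep = parse_arp(make_reply(req, owner_mac))
    return req, rep


if __name__ == "__main__":
    # Constructed sample: host 192.168.1.20 needs the MAC of 192.168.1.1.
    req, rep = exchange("02:00:00:00:00:14", "192.168.1.20",
                        "02:00:00:00:00:01", "192.168.1.1")
    print("request:", describe(req))
    print("reply:  ", describe(rep))
```

    Note that nothing in the exchange is initiated by the device that merely bridges frames: the request exists only because a host with an IP address had a packet to deliver, which is the answer to Jhonnie's "what event would trigger the AP to send an ARP" question.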

  10. #10 wotterspoon (Just burned his ISO; joined May 2007; 8 posts)

    Quote Originally Posted by theprez98 View Post
    While I mistyped the ARP Request Replay attack as attack 2 vice attack 3, I stand by what I said, and the Aircrack-ng site says the same thing on the Aireplay page:

    If you scroll down to "Usage Example":

    It may work, but according to the aireplay documentation for attack 3, it shouldn't work.

    Yep, the ARP replay doesn't work until I generate some traffic with a real client.
    So for the ARP replay I need data traffic on the AP.

    The fragmentation attack also doesn't work when there's no traffic; all I get is "waiting for a data packet...."

    Can it be in the fact that I'm using an Access Point without a wireless router?
    If so, why will it work with a router and not with an AP?
