Hello everyone, I've been learning about BackTrack for a while and I already can do some things with it.
Well, today I was talking with a cousin who is also a BackTrack lover just like me, and while I was talking to him and cracking a WEP network (open system) with a client connected, which I created just to make a tutorial, I was telling him that it takes some time to get an ARP request. Well, then I got an idea. What if I try to deauth a non-existent client, like "aireplay-ng -0 10 -a 12:3A:5D:64:33:AB -c 00:11:22:33:44:55 mon0"? The MAC 00:11:22:33:44:55 is not used by the connected client. Well, once the deauth packets arrive at the AP, it will forward those packets to the "owner" of that MAC, and since the router doesn't know who has that MAC, it will send an ARP request to get the info about who has that MAC. Am I right? I tried it and it worked. Does anyone do this, or has anyone ever tried it? I wanna see if it was luck. I don't really think so, since I got some ARP request every time I tried it.
Whoever could try that, reply here with the result please.
Thanks a lot.
Well, well, I know that another way to get an ARP request could be pinging a non-existent client from the client I have connected, but that would be cheating!
I thought the -c option made directed deauths, sent both to the victim and to the AP. So it doesn't really make sense. Moreover, the aircrack page states:
"Of course, this attack is totally useless if there are no associated wireless client or on fake authentications."
With that in mind, I never tried. I'm interested in others' input on this too.
When I have the time to try I will and report back.
Running both KDE and GNOME BT5 flawlessly. Thank you!
I believe it won't work. Since ARP is there to find the MAC from an IP, if it has the MAC already, it won't send an ARP.
World Domination is such an ugly phrase. I prefer the term World Optimization.
Yes, but if it has the MAC but not the IP, the AP will make an ARP request to get the IP. I think it makes sense, and it worked for me, but I don't know if it is luck because I get an ARP request every time I do that.
He's talking about something else. He just wants to make the AP pass along traffic to a (nonexistent) client. He doesn't need the deauth; technically he could just use aireplay-ng -2 -r (a packet for the client sent to the AP). My problem is that ARP is part of ICMP? The headers for IP, TCP, ICMP, and so on all need a sender and receiver IP. To send a directed deauth, the AP already has the client's IP in its ARP table. The only way I can think of this working is if the ARP is broadcast. Try using Wireshark to see what type of ARP is generated, then please tell us. If this actually works, then it's really cool.
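As an added example (not from the thread or any of its posters), here is a small Python parser that does what the previous post suggests doing with Wireshark: it classifies raw ARP frames as request, reply or gratuitous, records whether they went to the broadcast address, and flags byte-identical requests that repeat many times, which is the pattern a WEP ARP replay leaves on the air for a monitor to catch. The client MAC is the one quoted in the thread; the IP addresses and frames are constructed for the sample.

```python
import struct
from collections import Counter

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
CLIENT_MAC = bytes.fromhex("001122334455")  # the MAC quoted in the thread; IPs below are constructed

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Describe an Ethernet/ARP frame; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if op == 1:
        kind = "gratuitous" if spa == tpa else "request"  # asking for its own IP = gratuitous
    else:
        kind = "reply" if op == 2 else "other"
    return {"kind": kind, "broadcast": dst == BROADCAST,
            "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}

def build_arp(op, sha, spa, tha, tpa, dst=BROADCAST):
    """Build a constructed sample frame (not a capture)."""
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def replay_suspects(frames, threshold=3):
    """Flag identical ARP requests seen at least `threshold` times. A WEP ARP replay
    re-injects one captured request over and over, so many identical copies from
    one sender is what a wireless monitor looks for."""
    counts = Counter()
    for f in frames:
        a = parse_arp(f)
        if a and a["kind"] == "request":
            counts[(a["sender_mac"], a["sender_ip"], a["target_ip"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}
```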
I tried it again and it was a coincidence. Possibly that ARP Request came from the wired side of the network. So it doesn't work.