the first ARP (never shows up)

[trevelyn]

Hi, I have a lot of routers now at the Labs from donations/family/friends/etc.. and found that some of them aren't vulnerable to the general WEP attack with the aircrack-ng suite. The Cisco routers are, and I can Fake Authenticate, and wait for the ARP call from the router. Onece i get it I inject fine. But, I have a few netgear and some others that After I successfully Authenticate and Associate, nothing happens. The router doesn't send a single ARP.
After a while Airodump-ng shows me (STATION) disappear and I have to reauthenticate (which works well).. any ideas on how to generate the ARP? (This is a clientless attack btw) (and I can physically generate it by unplugging a wired machine from the switch and plugging it back in after a second or two, or simply doing a dhclient call from another Ubuntu machine, but I was wondering is there a way to do it without physical access? or is that not possible? - thanks guys - Trev.

[-=Xploitz=-]

Your trying what attack?? The -3 arp request? No, it doesn't work with every router or AP. Try the -5 fragmentation attack or the -4 korek chopchop attack.

[trevelyn]

I did, I've treid each one. When it is reading packets and finds one to send, it doesn't work. says "Got a Deauthentication Packet!" and I'm thinking, it's not vulnerable to the attacks when there's no valid WLAN clients.

[-=Xploitz=-]

Did you try the -o 1 and -q 10 options for picky access points when fake associating??

Code:

aireplay-ng -1 6000 -o 1 -q 10 -e NetworkNameHere -a APmacHere -h YOURcardsMAChere ath0

Where:

• 6000 - Reauthenticate very 6000 seconds. The long period also causes keep alive packets to be sent.
• -o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
• -q 10 - Send keep alive packets every 10 seconds.

Success looks like:
18:22:32 Sending Authentication Request
18:22:32 Authentication successful
18:22:32 Sending Association Request
18:22:32 Association successful :-)
18:22:42 Sending keep-alive packet
18:22:52 Sending keep-alive packet
# and so on.

[trevelyn]

i always use the "-o" and the "-q" arguments, but for those three routers it doesnt work, says "Got a Deauthentication Packet!" right after the successful association. (the Keep alive packets are denied)

[-=Xploitz=-]

Interesting dilemma you got there.

Is MAC filtering enabled on these select routers / AP's perhaps?
Wouldn't hurt to check just to make sure.

[trevelyn]

there was with one, but i turned it off. not on the other two though :S

maybe we could compile a list of non vulnerable routers?

edit: also i think the fake auth/ass doesn't go through when there's a filter

[-=Xploitz=-]

The only reason I suggested this is because you said this here>>>

"Got a Deauthentication Packet!" and I'm thinking, it's not vulnerable to the attacks when there's no valid WLAN clients.

[773451]

great tip. I figured out for myself that I need to reauthorize every once in a while (some APs even 30-60 seconds), and the keep alive technique, but I had no clue about the -o 1 switch. I'm trying that tonight on a weird AP I have that won't break for me.

773451

[-=Xploitz=-]

there was with one, but i turned it off. not on the other two though :S

maybe we could compile a list of non vulnerable routers?

I've played with a lot of AP's / Routers before, and I can honestly say that I have never not been able to "Crack Da WEP" on any one of them with either the -3,-4,or-5 attack.

I'm almost 100% positive its some setting somewhere in the router / AP, or some command line thats bungled up your attacks on these select routers.