Hi guys
Not been able to keep up for a long time, but decided now was a good time to start re-familiarising myself with BT and tools (and linux ._.)
I have decided that a nice simple 40bit WEP Crack with no clients would be a nice way to refamiliarise myself with stuff. So I have setup a Cisco Aironet 1100 for this purpose.
Following Xploitz vid (nicely done btw) and I have everything down except the last part - for reference this is the order I have things running.
1. Started card in monitor mode (WG511T)
2. Started Airodump-ng, filtered to only show the right channel and ssid
3. Used Aireplay-ng to fake auth my laptop (successful)
4. Ran Aireplay -3 and within seconds I got a healthy number of ARP and hovering around 500pps. Airodump reflects this also.
5. Restarted Airodump to capture to a file
6. Started Aircrack to start working on the key (just set at 1234567890)
So it's been running for around 40 mins, and only 8 IVs. Tried re-authing and restarted -3, all the numbers look healthy, but no unique IVs.
Here's the catch - instead of just saying "Oh you need this command" or "gtfo and look it up", I would like the kind members to either explain why, or link me. I have been (and still am) looking but was hoping to speed the process up!
EDIT: Well I just re-read my post and it doesn't really portray what I am after... I am very interested in the packet-level theory, so if any of you feel the need to indulge me on what is going on at each stage, please feel free ^^ (or link; all I can find are guides like "Do this and do that, hey presto!")
EDIT2: Tried with a real client and cracked it in 46s... now I know it has to be something to do with fake auth, and not a command I missed etc.
lmao, that's a first. I appreciate your honesty.
As well as the tutorials here, the aircrack tutorials section is an awesome resource.
http://www.aircrack-ng.org/doku.php?id=tutorial
hehe...
Thanks.
Having too much information is just as frustrating at times as having too little...10 guides showing different ways, some outdated, etc etc....gets a bit daunting :P
All in good time.
Thanks again.
If you have no clients connected there are 2 other attacks which are designed for that. The -5 (frag) & -4 (chop)
Thanks, I'll look those up!
and the
-2 -F -c FF:FF:FF:FF:FF:FF -b APMAC -h CLIMAC -p0841
also works well but is a little longer
Watch your back, your packetz will belong to me soon... xD
BackTrack : Giving Machine Guns to Monkeys since 2006
Hmm, a little confused now I just tried it. I think it will become evident of my lack of understanding of these protocols >.<
At first I thought I would try the Fragmentation Attack, after reading about it on aircrack-ng.org.
So (following the guide on aircrack-ng.org):
1. Fired up airodump-ng, set channel and bssid
2. Fake Auth
3. Code: aireplay-ng -5 -b APMAC ath0
4. Selected "Yes" on first packet, got my .xor file
5. Code: packetforge-ng -0 -a APMAC -h CLIENTMAC -k RANDOMIP -l RANDOMIP2 -y fragment.xor -w arp-request
6. Code: airdecap-ng -w 1234567890 arp-request
7. Code: tcpdump -n -vvv -e -s0 -r arp-request-dec
Stop!
From Step 3 down, I'm not really sure what or why I am doing these things! Which is kind of pointless - if I don't understand an attack, it's no good.
I have read the correspondence on various links, guess I need to read some more. But some key questions I have about the process so far which have come to mind:
1. Is the Fragmentation attack and Interactive Packet Replay attack part of the same natural attack process, or are they completely separate? Just that part 8 of this process is using -2 (this is when I decided to stop to get some understanding)
2. In part 6, using airdecap-ng - it says to input the WEP key to decrypt the packet/fragment - isn't this a bit pointless if the exercise is to retrieve the key? Or is this for demonstration purposes (i.e. an extra step to show how it works)
Thanks for bearing with me ^^;
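The packet-level mechanics behind steps 3 to 7 above and behind question 2 (why the key is only needed for the airdecap-ng verification step) can be shown without any wireless hardware. The following is an added example, not code from this thread or from the aircrack-ng project: a toy model of WEP's RC4 encryption and of the fragmentation attack. Only the WEP body (IV, key-index byte, ciphertext and encrypted ICV) is modelled, the 802.11 MAC header and the fragment sequence numbers are left out, the "AP" is simulated in-process, and the 40-bit key 1234567890 is the one used in this thread. The attacker-side functions never touch the key: 8 keystream bytes come from XORing the known LLC/SNAP header against a captured frame, those 8 bytes are enough to encrypt 4-byte fragments with a valid ICV, and the AP's reassembled and re-encrypted relay gives back a long keystream for a fresh IV.

```python
# Added example (not code from the thread or from aircrack-ng): toy model of
# WEP and of the fragmentation attack. Simplifications: WEP body only (no
# 802.11 header), key index 0, simulated AP in the same process.
import os
import struct
import zlib

WEP_KEY = bytes.fromhex("1234567890")               # 40-bit key from the thread
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")    # known first 8 plaintext bytes of an ARP frame


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (KSA + PRGA); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC32 of the plaintext (keyless)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) || keyidx(1) || RC4_{IV||key}(plaintext || ICV)."""
    plain = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(plain, rc4(iv + key, len(plain)))


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    """What the AP (or airdecap-ng) does with the key: decrypt, check ICV."""
    iv, ct = body[:3], body[4:]
    plain = xor(ct, rc4(iv + key, len(ct)))
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("bad ICV")
    return data


# --- attacker side: no key used anywhere below ----------------------------

def recover_prga(body: bytes, known_plain: bytes) -> tuple[bytes, bytes]:
    """First step of aireplay-ng -5: XOR the known LLC/SNAP header against the
    ciphertext to get len(known_plain) keystream bytes for this frame's IV."""
    iv = body[:3]
    return iv, xor(body[4:4 + len(known_plain)], known_plain)


def forge_fragment(iv: bytes, prga: bytes, data4: bytes) -> bytes:
    """4 data bytes + 4-byte ICV fit exactly in the 8 known keystream bytes."""
    plain = data4 + icv(data4)
    return iv + b"\x00" + xor(plain, prga[:len(plain)])


def ap_relay(key: bytes, fragments: list[bytes]) -> bytes:
    """Simulated AP: reassembles valid fragments and re-encrypts the whole
    frame under a fresh IV to relay it (e.g. to the broadcast address)."""
    data = b"".join(wep_decrypt(key, f) for f in fragments)
    return wep_encrypt(key, os.urandom(3), data)


def fragmentation_attack(captured: bytes, chosen: bytes) -> tuple[bytes, bytes]:
    """Turn 8 known keystream bytes into len(chosen)+4 bytes for a new IV.
    `chosen` is attacker-picked plaintext, length a multiple of 4."""
    iv, prga8 = recover_prga(captured, LLC_SNAP_ARP)
    frags = [forge_fragment(iv, prga8, chosen[i:i + 4]) for i in range(0, len(chosen), 4)]
    relayed = ap_relay(WEP_KEY, frags)      # only the AP side knows the key
    new_iv = relayed[:3]
    # the attacker knows the relayed frame's entire plaintext: chosen || ICV
    return new_iv, xor(relayed[4:], chosen + icv(chosen))


def demo() -> tuple[int, bool]:
    """Capture one frame, run the attack, then forge an ARP-like frame with
    the recovered keystream and confirm the AP accepts it (what steps 5-7
    check with packetforge-ng and airdecap-ng)."""
    captured = wep_encrypt(WEP_KEY, b"\x01\x02\x03", LLC_SNAP_ARP + b"padding")
    new_iv, prga = fragmentation_attack(captured, bytes(range(64)))
    arp = LLC_SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)
    forged = new_iv + b"\x00" + xor(arp + icv(arp), prga)
    return len(prga), wep_decrypt(WEP_KEY, forged) == arp


if __name__ == "__main__":
    print(demo())
```

The point for question 2 is visible in the code layout: `recover_prga`, `forge_fragment` and `fragmentation_attack` never reference `WEP_KEY`; the key appears only in the simulated AP and in `wep_decrypt`, which plays the role airdecap-ng plays in step 6, a check with a key you already know that the forged frame is well-formed. The recovered keystream is the .xor file; it is tied to one IV, which is why the forged ARP must be sent with that IV, and why the later -2 replay of it (the step 8 you stopped at) is what actually generates the new IVs for aircrack-ng.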
Reading now, thanks for the linky
Hmm, read through the relevant sections, unfortunately he doesn't touch on frag attacks!