Page 1 of 3
Results 1 to 10 of 22

Thread: ARP Request + de-authentication

  1. #1
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    16

    ARP Request + de-authentication

    Hi guys!

    We are 3 friends, playing around with our routers and trying to study wireless! We read quite a pile of documents about how it works: the keystream, XOR, cipher text, RC4, fragmentation, etc., etc.
    Then we started to play with BackTrack 3 something like 3 weeks ago, so I assume we know the basics a bit.

    We decided to try to break our WEP keys step by step. We started with a basic 64-bit WEP key and with associated clients. Each of us succeeded in getting the others' keys, yeah!
    Then we decided to try without clients, and that's where I've got trouble.

    I'll try to explain globally the problem I have.
    One of my friends lives in the next building across the street. The signal power is about 25 in airodump. For this friend, I succeeded in getting the key. I started airodump on channel 6 (his channel), and wrote the complete packets. Then I did a fake association, which succeeded. Then I started aireplay with the fragment method. I got the keystream quite quickly, created the ARP request, and sent it back. Data came really fast. I got 20 000 IVs in less than 2 minutes, ran aircrack with PTW, and got the key! Perfect.
    Then I tried with my other friend, who lives just next door. The power of the signal in airodump is around 55. I did EXACTLY the same thing, but I have trouble when sending back the ARP request. First, it takes a long time to get this ARP request; I have to read a lot of packets. Then, when I have it, it's hard to get the keystream. Usually it fails, telling me that there is no answer from the AP, or that it needs more ACK packets. I don't know what is wrong there. I succeeded once in getting the keystream, then I XORed and got the ARP request. I sent it back to the AP, and then I started getting some deauth answers! So only one ARP is sent, the IVs are not increasing, and I get several deauth requests. After having read around, I'm suspecting a bad association, but I'm using the same MAC address for the association and the injection. The only solution I see is a MAC filter, but my friend keeps telling me no. Do you have any idea what the problem could be?

    Thanks in advance!

    Guillaume

  2. #2
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    13


    Now this may sound noobish, but if you are at no fault, then maybe your card burnt out?

    I have read about it happening on certain chipsets with injection.

  3. #3
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    7


    Have you tried slowing down the card rate: "iwconfig [interface] rate 1M" (or 2M)?
    You can even do an injection test using "aireplay-ng -9 -B -e ESSID [interface]" and see what works best.

  4. #4
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    12


    I'm by no means an expert at cracking WEP. However, it would be a lot easier to diagnose your problem if you supplied us with the commands you used, your friend's router info (Brand, model, etc.), and the wireless card you're using.

    My suggestion would be to try a chop chop attack because they seem to have a higher success rate than a fragmentation attack. It also might be because your friend's router is picky. I found a great tutorial that explains everything: Search "aircrack no clients tutorial" in Google... It's the first result. Hope I helped!

  5. #5
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    16


    Quote Originally Posted by Oligarchy View Post
    Now this may sound noobish, but if you are at no fault, then maybe your card burnt out?

    I have read about it happening on certain chipsets with injection.
    Sorry, I'm not a native English speaker. What do you mean by burnt out? Dead?
    If that's the case, I don't think so, as I can still work with the AP of my other friend.

    Quote Originally Posted by SilentException View Post
    Have you tried slowing down the card rate: "iwconfig [interface] rate 1M" (or 2M)?
    You can even do an injection test using "aireplay-ng -9 -B -e ESSID [interface]" and see what works best.
    I haven't tried! I forgot this. I tried to inject fewer packets per second, and actually I saw a difference. If I send too many, I get a deauth message. If I send fewer, I don't get the deauth message, but the data doesn't increase.
    I'll try the -9 to check whether there is a problem and I'll give you the result, thanks!

    Quote Originally Posted by The Bandit View Post
    I'm by no means an expert at cracking WEP. However, it would be a lot easier to diagnose your problem if you supplied us with the commands you used, your friend's router info (Brand, model, etc.), and the wireless card you're using.
    Yeah, I didn't because I was not at home, but I'll try to write them all down when I'm at home.
    But actually, it's the basic stuff that you can find in any tutorial.
    About the routers, I know that they have the same one, a Linksys, but I cannot remember the model. I'll ask, thanks!

    Quote Originally Posted by The Bandit View Post
    My suggestion would be to try a chop chop attack because they seem to have a higher success rate than a fragmentation attack. It also might be because your friend's router is picky. I found a great tutorial that explains everything: Search "aircrack no clients tutorial" in Google... It's the first result. Hope I helped!
    I tried the chopchop attack also, but without success. I've got a message telling me that it failed because of too many deauth answers.
    Thanks for the tutorial, but I actually printed it already a long time ago and I'm using it
    Everything is fine until I send packets. My fake authentication is working well, and as soon as I send packets, I receive deauth answers.

    If MAC filtering was active, I wouldn't be able to use aireplay-ng --fakeauth, right? That's where I'm getting lost. It seems that I can associate correctly, but when I send packets, I'm being disassociated.

    I'm wondering if my friend is not trying to drive me mad with a MAC filtering

    Anyway, I'll give you the commands and the results soon.
    Thanks a lot for your help, very interesting.

    edit: Just to be precise. As I've been working on that for about 1 week now (my friend is quite happy about that), I think I'm getting more and more clues. So, actually, what is going wrong is: my fake auth works (from the aireplay message and checked with tcpdump), but once I send packets, I receive deauth answers. That's what the main problem is.

  6. #6
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    16


    Quote Originally Posted by SilentException View Post
    have you tried slowing down the card rate "iwconfig [interface] rate 1M (or 2M)?
    you can even do injection test using aireplay-ng -9 -B -e ESSID [interface] and see what works best
    Hey!
    I've tried the injection test. It worked well on one of my friends' APs (PWR 25), the one where I succeeded in getting the key, but it doesn't work on my other friend's (PWR 55)! I went to ask him yesterday about the MAC filtering; he told me that it's not activated. To check, we got the MAC address of one of his clients, I changed mine to that one, and I fake authenticated with it. It works. But when I start injection, nothing happens except receiving deauth messages!

    Very strange, right?

    I'll write the commands I use soon.

    Thanks for your help anyway!

  7. #7
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    16


    Hi there!

    I tried again yesterday, same results. Success with one friend, failure with the other one. I used the same commands; I write them below:

    First, I changed the MAC address of my card and activated monitor mode:

    Code:
    ifconfig ath0 down
    ifconfig wifi0 down
    macchanger -m MYMACADDR ath0
    macchanger -m MYMACADDR wifi0
    ifconfig ath0 up
    ifconfig wifi0 up
    airmon-ng stop ath0
    airmon-ng start wifi0
    I fix the channel and the AP and write the capture file with airodump-ng:

    Code:
    airodump-ng -c 11 --bssid APMACADDR -w out ath0
    Then, I do a fake authentication:

    Code:
    aireplay-ng --fakeauth 30 -q 10 -a APMACADDR -h MYMACADDR ath0
    Up to here, it works well!

    Then, I start the arpreplay, fragment, or chopchop attack:

    Code:
    aireplay-ng --arpreplay -b APMACADDR -h MYMACADDR ath0
    or

    Code:
    aireplay-ng --fragment -b APMACADDR -h MYMACADDR ath0
    or

    Code:
    aireplay-ng --chopchop -b APMACADDR -h MYMACADDR ath0
    So, here, with one friend it's working, and then I do the packetforge-ng with the file created. But with the other friend, the fragment fails as well as the chopchop, and the arpreplay just sends back 1 ARP which actually doesn't create any IVs.
    During the arpreplay and chopchop, I get messages telling me that I received deauth answers.

    So, I don't know what's wrong!
    I tried also the --interactive attack but without success.

    Any idea?
    If you need more information, just tell me which ones

    Thanks!
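The "deauth answers" reported above carry an 802.11 reason code, and reading that code is the quickest way to tell what the access point thinks is wrong (for example, reason 7 means the AP saw a data frame from a station it does not consider associated, reason 6 that it does not consider the station authenticated). The following Python is an added illustration and not code from anyone in this thread: it decodes the fixed header of deauthentication and disassociation frames, tallies them per sender, destination and reason, and can be fed raw frames read from a capture. The frame bytes below are constructed for the example; the AP BSSID is a placeholder, and the client MAC reuses the placeholder value that appears later in this thread.

```python
import struct
from collections import Counter

# Subset of IEEE 802.11 reason codes carried in deauthentication / disassociation frames
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Station is leaving (or has left) the BSS",
    6: "Class 2 frame received from non-authenticated station",
    7: "Class 3 frame received from non-associated station",
    8: "Station is leaving the BSS (disassociation)",
}

DEAUTH, DISASSOC = 12, 10  # management-frame subtypes


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Decode the fixed header of one 802.11 frame.

    Returns a dict for deauthentication / disassociation frames and None for
    anything else (data frames, beacons, ...), so a capture can be filtered.
    """
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3      # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    (seq_ctl,) = struct.unpack("<H", frame[22:24])
    (reason,) = struct.unpack("<H", frame[24:26])   # first (and only fixed) body field
    return {
        "kind": "deauth" if subtype == DEAUTH else "disassoc",
        "dst": mac_str(addr1),
        "src": mac_str(addr2),
        "bssid": mac_str(addr3),
        "seq": seq_ctl >> 4,                        # 12-bit sequence number
        "reason": reason,
        "reason_text": REASON_CODES.get(reason, "reserved/unknown"),
    }


def tally(frames):
    """Count deauth/disassoc frames per (src, dst, kind, reason)."""
    counts = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None:
            counts[(parsed["src"], parsed["dst"], parsed["kind"], parsed["reason"])] += 1
    return counts


# --- constructed sample capture (not real traffic) --------------------------
def build_mgmt(subtype, dst, src, bssid, seq, reason):
    """Build a minimal management frame for the sample (constructed helper)."""
    fc = bytes([(subtype << 4), 0x00])          # type 0, given subtype, no flags
    duration = b"\x3a\x01"
    seq_ctl = struct.pack("<H", (seq & 0xFFF) << 4)
    return fc + duration + dst + src + bssid + seq_ctl + struct.pack("<H", reason)

AP = bytes.fromhex("020000000001")     # placeholder AP BSSID (locally administered)
STA = bytes.fromhex("001122334455")    # placeholder client MAC

SAMPLE = [
    build_mgmt(DEAUTH, STA, AP, AP, 10, 7),
    build_mgmt(DEAUTH, STA, AP, AP, 11, 7),
    # a data frame (type 2) from the client, which parse_frame() must ignore
    bytes([0x08, 0x01]) + b"\x00\x00" + AP + STA + AP + b"\xa0\x00" + b"\x00" * 8,
    build_mgmt(DEAUTH, STA, AP, AP, 12, 7),
    build_mgmt(DISASSOC, STA, AP, AP, 13, 8),
]

if __name__ == "__main__":
    for (src, dst, kind, reason), n in sorted(tally(SAMPLE).items()):
        print(f"{n:3d} x {kind:8s} {src} -> {dst}  reason {reason}: {REASON_CODES.get(reason, '?')}")
```

Running it against a real capture means replacing SAMPLE with the frame payloads of a pcap (radiotap header stripped); a burst of reason-7 deauthentications aimed at one client is the signature of a station whose association the AP no longer accepts.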

  8. #8
    Member
    Join Date
    Mar 2007
    Posts
    204


    OK, I can knock a couple of commands off that first one for you, try this:

    Code:
    airmon-ng  stop ath0
    ifconfig wifi0 down
    macchanger -m 00:11:22:33:44:55 wifi0
    airmon-ng start wifi0
    that takes your 8 lines to 4.

    Question: when you do your fakeauth do you get the cheeky smile? ;-)

    because the de-auth packets look to me like your fakeauth isn't true.

    what brand/model is your friend's AP?

    See my link below for a clientless WEP128 video; pay careful attention just in case you're making a slight mistake.
    http://merlin051.blip.tv

  9. #9
    hhmatt (Very good friend of the forum)
    Join Date
    Jan 2010
    Posts
    660


    Try this to authenticate instead.

    Code:
    aireplay-ng -1 6000 -o 1 -q 10 -e <essid> -a <ap mac> -h <yourmac> ath0
    Then learn what each of those commands do by typing:

    Code:
    aireplay-ng --help

  10. #10
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    16


    Quote Originally Posted by merlin051 View Post
    OK, I can knock a couple of commands off that first one for you, try this:

    Code:
    airmon-ng  stop ath0
    ifconfig wifi0 down
    macchanger -m 00:11:22:33:44:55 wifi0
    airmon-ng start wifi0
    that takes your 8 lines to 4.
    Yeah, thanks.
    I knew that something faster was possible, but I knew at least with my typing that it worked correctly. Thanks for the tip.

    Quote Originally Posted by merlin051 View Post
    Question: when you do your fakeauth do you get the cheeky smile? ;-)

    because the de-auth packets look to me like your fakeauth isn't true.
    Yep, the fakeauth works well, I've got the ;-)

    Quote Originally Posted by merlin051 View Post
    what brand/model is your friend's AP?
    Both of them have the Linksys WRT54G.

    Quote Originally Posted by merlin051 View Post
    See my link below for a clientless WEP128 video; pay careful attention just in case you're making a slight mistake.
    ...
    OK, I've watched a lot already, but I'll have a look to see if I missed something.


    Quote Originally Posted by hhmatt81 View Post
    Try this to authenticate instead.

    Code:
    aireplay-ng -1 6000 -o 1 -q 10 -e <essid> -a <ap mac> -h <yourmac> ath0
    Then learn what each of those commands do by typing:

    Code:
    aireplay-ng --help
    Thanks for the command, but I've used it already without success.
    Actually, I followed many different tutorials, and particularly the one of aircrack-ng where your command is listed.

    I definitely think that it's not a problem about the commands or anything else, but more about a problem of hardware, or protection from the AP's side.

    Oh, one thing I noticed, that can explain a lot actually.
    In airodump-ng, for the friend whose key I succeeded in getting, the power is 25 but the Receive Quality (RXQ) is 100; for the other one the power is 55 but the RXQ is around 3.
    Sorry that I didn't notice that before.
    I think that's why I've got trouble, but we don't know why the RXQ is so bad?!
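The RXQ column of airodump-ng is the percentage of a sender's management and data frames actually received over the last 10 seconds, worked out from gaps in the 12-bit 802.11 sequence numbers, so it measures frame loss rather than signal strength, which is why PWR 55 with RXQ 3 is worse for injection than PWR 25 with RXQ 100. The Python below is an added example, not code from this thread or from the aircrack-ng project: it estimates a receive-quality figure from captured sequence numbers with a deliberately simplified model (the full span between the first and last sequence number is assumed transmitted; airodump-ng's windowing is not reproduced), handles the wrap at 4096, and pairs the result with the PWR value. The two observation sets and the thresholds in classify() are constructed to mirror the two APs described above.

```python
SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits wide


def rxq_estimate(seqs):
    """Receive-quality estimate (percent) from the sequence numbers of frames
    captured from ONE sender, in arrival order.

    Simplified model (an assumption, not airodump-ng's exact algorithm): every
    sequence number between the first and last one seen was transmitted, so the
    share we captured approximates how much of the sender's traffic reaches the
    card. Wrap-around at 4096 is handled; duplicates (retransmissions) count once.
    """
    if not seqs:
        return 0.0
    if len(seqs) == 1:
        return 100.0
    expected = ((seqs[-1] - seqs[0]) % SEQ_MODULUS) + 1
    received = len(set(seqs))
    return round(100.0 * received / expected, 1)


def classify(pwr, rxq):
    """Turn the two airodump-ng columns into a one-line diagnosis.

    The PWR threshold is an arbitrary constructed value; the meaning and scale
    of PWR differ between drivers, so adjust it for the card in use.
    """
    if rxq >= 80:
        return "good link"
    if pwr >= 40 and rxq < 10:
        return "strong signal but most frames lost (interference, or AP traffic not reaching this card)"
    return "weak or lossy link"


# Constructed observations shaped like the two APs in this thread:
# name -> (PWR as shown by airodump-ng, sequence numbers of the frames captured)
OBSERVED = {
    "AP_ACROSS_STREET": (25, list(range(100, 200))),   # every frame in the span seen
    "AP_NEXT_DOOR":     (55, [500, 533, 566, 599]),    # only 4 of 100 frames seen
}


def report(observed):
    """Return name -> (pwr, rxq_estimate, diagnosis) for each observed sender."""
    out = {}
    for name, (pwr, seqs) in observed.items():
        rxq = rxq_estimate(seqs)
        out[name] = (pwr, rxq, classify(pwr, rxq))
    return out


if __name__ == "__main__":
    for name, (pwr, rxq, verdict) in report(OBSERVED).items():
        print(f"{name:18s} PWR {pwr:3d}  RXQ {rxq:5.1f}%  {verdict}")
```

A low RXQ with a high PWR, as seen with the next-door AP, means the card hears the AP loudly but misses most of its frames, so replies to injected packets are lost as well; checking the channel for a neighbouring network, moving the card, or lowering the rate as suggested earlier in the thread are the usual first steps.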
