Hi guys!
We are 3 friends, playing around with our routers and trying to study wireless! We read quite a pile of documents about how it works: the keystream, XOR, ciphertext, RC4, fragmentation, etc., etc...
Then we started to play with BackTrack 3 about 3 weeks ago, so I assume we know the basics a bit.
We decided to try to break our WEP keys step by step. We started with a basic 64-bit WEP key and with associated clients. Each of us succeeded in getting the keys of the others, yeah!
Then we decided to try without clients, and that's where I've got troubles.
I'll try to explain globally the problem I have.
One of my friends lives in the next building across the street. The signal power is about 25 in airodump. For this friend, I succeeded in getting the key. I started airodump on channel 6 (his channel), and wrote the complete packets. Then I did a fake association, which succeeded. Then I started aireplay with the fragment method. I got the keystream quite quickly, created the ARP request, and sent it back. Data came really fast. I got 20 000 IVs in less than 2 minutes, ran aircrack with PTW, and got the key! Perfect.
Then I tried with my other friend, who lives just next door. The power of the signal in airodump is around 55. I did EXACTLY the same thing, but I have trouble when sending back the ARP request. First, it takes a long time to get this ARP request. I have to read a lot of packets. Then, when I have it, it's hard to get the keystream. Usually it fails, telling me that there is no answer from the AP, or that it needs more ACK packets. I don't know what is wrong there. I succeeded once in getting the keystream, then I XORed and got the ARP request. I sent it back to the AP, and then I started having some deauth answers! So only one ARP is sent, the IVs are not increasing, and I get several deauth requests. After having read around, I'm suspecting a bad association, but I'm using the same MAC address for the association and the injection. The only solution I see is a MAC filter, but my friend keeps on telling me no. Do you have any idea of what could be the problem?
Thanks in advance!
Guillaume
Now this may sound noobish but if you are at no fault.
Then maybe your card burnt out?
I have read about it happening on certain chipsets with injection.
Have you tried slowing down the card rate with "iwconfig [interface] rate 1M (or 2M)"?
You can even do an injection test using aireplay-ng -9 -B -e ESSID [interface] and see what works best!
I'm by no means an expert at cracking WEP. However, it would be a lot easier to diagnose your problem if you supplied us with the commands you used, your friend's router info (Brand, model, etc.), and the wireless card you're using.
My suggestion would be to try a chop chop attack because they seem to have a higher success rate than a fragmentation attack. It also might be because your friend's router is picky. I found a great tutorial that explains everything: Search "aircrack no clients tutorial" in Google... It's the first result. Hope I helped!
Sorry, I'm not a native English speaker. What do you mean by burnt out? Dead?
If that's the case, I don't think so, as I can still work with the AP of my other friend.
I haven't tried! I forgot this. I tried to inject fewer packets per second, and actually I saw a difference. If I send too many, I get a deauth message. If I send fewer, I don't get the deauth message, but the data doesn't increase.
I'll try the -9 to check whether there is a problem and I'll give you the result, thanks!
Yeah, I didn't because I was not at home, but I'll try to write them all down when I'm at home.
But actually, it's the basic stuff that you can find in any tutorial.
About the routers I know that they have the same, a linksys, but cannot remember the model. I'll ask, thanks!
I tried the chopchop attack also, but without success. I've got a message telling me that it failed because of too many deauth answers.
Thanks for the tutorial, but I actually printed it a long time ago already and I'm using it.
Everything is fine until I send packets. My fake authentication is working well, and as soon as I send packets, I receive deauth answers.
If MAC filtering was active, I wouldn't be able to use aireplay-ng --fakeauth, right? That's where I'm getting lost. It seems that I can associate correctly, but when I send packets, I'm being disassociated.
I'm wondering if my friend is not trying to drive me mad with MAC filtering.
Anyway, I'll give you the commands and the results soon.
Thanks a lot for your help, very interesting.
edit: Just to be precise. As I've been working on that for about 1 week now (my friend is quite happy about that!), I think I'm getting more and more clues. So, actually, what is going wrong is: my fake auth works (from the aireplay message and checked with tcpdump), but once I send packets, I receive deauth answers. That's what the main problem is.
Hey!
I've tried the injection test. It worked well on one of my friends' APs (PWR 25), the one whose key I succeeded in getting, but it doesn't work on my other friend's one (PWR 55)! I went to ask him yesterday about the MAC filtering; he told me that it's not activated. To check, we got the MAC address of one of his clients, I changed mine to this one, and I fake authenticated with it. It works. But when I start injection, nothing happens except receiving deauth messages!
Very strange, right?
I'll write the commands I use soon.
Thanks for your help anyway!
Hi there!
I tried again yesterday, same results. Success with one friend, failure with the other one. I used the same commands; I write them below:
First, I changed the MAC address of my card and activated monitor mode:
Code:
ifconfig ath0 down
ifconfig wifi0 down
macchanger -m MYMACADDR ath0
macchanger -m MYMACADDR ath0
ifconfig ath0 up
ifconfig wifi0 up
airmon-ng stop ath0
airmon-ng start wifi0
I fix the channel and the AP and write the capture file with airodump-ng:
Code:
airodump-ng -c 11 --bssid APMACADDR -w out ath0
Then, I do a fake authentication:
Code:
aireplay-ng --fakeauth 30 -q 10 -a APMACADDR -h MYMACADDR ath0
Until here, it works well!
Then, I start the arpreplay, fragment, or chopchop attack:
Code:
aireplay-ng --arpreplay -b APMACADDR -h MYMACADDR ath0
or
aireplay-ng --fragment -b APMACADDR -h MYMACADDR ath0
or
aireplay-ng --chopchop -b APMACADDR -h MYMACADDR ath0
So, here, on one friend it's working, and then I do the packetforge-ng with the file created. But with the other friend, the fragment fails as well as the chopchop, and the arpreplay just sends back 1 ARP which actually doesn't create any IVs.
During the arpreplay and chopchop, I get messages telling me that I received deauth answers.
So, I don't know what's wrong!
I tried also the --interactive attack but without success.
Any idea?
If you need more information, just tell me which.
Thanks!
ok, i can knock a couple of comands off that first one for you, try this:
Code:
airmon-ng stop ath0
ifconfig wifi0 down
macchanger -m 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
that takes your 8 lines to 4.
Question: when you do your fakeauth do you get the cheeky smile? ;-)
because the de-auth packets look to me like your fakeauth isn't true.
what brand/model is your friend's AP?
See my link below for a clientless WEP128 video, pay careful attention just in case you're making a slight mistake.
http://merlin051.blip.tv
Try this to authenticate instead.
Code:
aireplay-ng -1 6000 -o 1 -q 10 -e <essid> -a <ap mac> -h <yourmac> ath0
Then learn what each of those commands do by typing:
Code:
aireplay-ng --help
Yeah, thanks.
I knew that something faster was possible, but at least I knew that with my typing it worked correctly. Thanks for the tip.
Yep, the fakeauth works well, I get the ;-)
Both of them have the Linksys WRT54G.
Ok, I watched it a lot already, but I'll have a look to see if I missed something.
Thanks for the command, but I've used it already without success.
Actually, I followed many different tutorials, and particularly the aircrack-ng one where your command is listed.
I definitely think that it's not a problem with the commands or anything else, but more a problem of hardware, or protection from the AP's side.
Oh, one thing I noticed, that can explain a lot actually.
In airodump-ng, for the friend whose key I succeeded in getting, the power is 25 but the Received Quality (RXQ) is 100; for the other one the power is 55 but the RXQ is around 3!
Sorry that I didn't notice that before.
I think that's why I've got troubles, but we don't know why the RXQ is so bad?!