Results 1 to 9 of 9

Thread: Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor

Threaded View

  1. #1
    Join Date
    Jun 2009

    Default Aircrack-ng: Fakeauth against WEP-SKA w/ PRGA .xor


    I have what I think is a simple question. I am in the middle of taking the OSWP course and have a question about authenticating against a WEP-encrypted network with SKA enabled. For reference:

    $ap = my AP's MAC
    $alfa = my MAC
    $pc = another laptop I have connected to my AP's MAC

    My goal is to fakeauth with my alfa card to my AP by using a PRGA .xor generated via a fragmentation attack. Yes I know there are other ways I can inject (e.g. spoof my other client's MAC as my own after deauthing the other client, etc and fakeauth as that source mac). I don't want to do that because in a real life scenario (i.e. a pentest) it could be noticed and a good attacker probably would try to avoid it. Anyway - that aside, I must be missing something stupid here:

    First I monitor my AP via airpdump-ng with:

    airodump-ng -c 6 --bssid $ap -w wepviaclient wlan0
    And see the output w/ no problem, my PC connected to it, etc. (I'm posting this from a different computer so I can't copy and paste the output right now and I don't think it's necessary for this cause I know it's correct).

    Then I fragment to generate the .xor file:

    aireplay-ng -5 -b $ap -h $alfa -l -k wlan0
    A .xor is generated.

    Then I attempt to fakeauth:

    aireplay-ng -1 0 -a $ap -h $alfa -y fragment-0629-233133.xor wlan0
    And I get:

    Sending Authentication Request (Shared Key) [ACK]
    Authentication 1/2 successful
    Sending encrypted challenge [ACK]
    Challenge failure
    Over, and over, and over.

    The one thing I don't quite understand are the -l and -k switches when generating the .xor (I assume this is just so the AP will pass the packet through but some clarification there might be the key). Any ideas what I'm doing wrong? I feel like it's something very simple that I'm missing. In the mean time, turning off SKA or generating ARPs as an auth'd client works fine to increase IVs and I have already cracked the key several times. I don't know if this is really relevant to the course or not but I really want to know why this doesn't work.

    Last edited by ThePistonDoctor; 06-30-2011 at 04:57 AM.
    cd ~
    cd ./fridge
    rm beer
    cd ../bedroom
    more beer

Similar Threads

  1. My BT3 hang when fakeauth
    By imported_gavin in forum OLD Newbie Area
    Replies: 2
    Last Post: 05-22-2008, 01:09 PM
  2. Prob with Fakeauth
    By damnation in forum OLD Newbie Area
    Replies: 6
    Last Post: 01-23-2008, 03:01 AM
  3. fakeauth a belkin
    By scully69 in forum OLD Wireless
    Replies: 2
    Last Post: 12-01-2007, 05:40 AM
  4. FakeAuth
    By merlin051 in forum OLD Newbie Area
    Replies: 4
    Last Post: 12-01-2007, 04:13 AM
  5. Changing MAC for Fakeauth
    By buggs187 in forum OLD BackTrack v2.0 Final
    Replies: 2
    Last Post: 03-11-2007, 08:00 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts