how_to_crack_wep_with_no_clients
Differences
This shows you the differences between two versions of the page.
how_to_crack_wep_with_no_clients [2007/04/27 18:54] – updated to reflect v.8 darkaudax | how_to_crack_wep_with_no_clients [2010/11/21 09:19] – typos sleek | ||
Line 1: | Line 1: | ||
- | ====== Tutorial: How to crack WEP with no clients ====== | + | ====== Tutorial: How to crack WEP with no wireless |
- | Version: 1.07 April 27, 2007 \\ | + | Version: 1.15 September 26, 2009 \\ |
By: darkAudax \\ | By: darkAudax \\ | ||
Video: [[http:// | Video: [[http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | There are many times when a wireless network has no clients associated with it. This tutorial describes how to crack the WEP key when there are no clients. | + | There are many times when a wireless network has no wireless |
+ | |||
+ | If there ARP requests being broadcast from the wire side, then the standard [[fake authentication]] combined with [[arp-request_reinjection|ARP request replay technique]] may be used. | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | I would like to acknowledge and thank the [[http:// | + | I would like to acknowledge and thank the [[http:// |
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
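Review bot: the new Introduction sentence "If there ARP requests being broadcast from the wire side, then the standard fake authentication combined with ARP request replay technique may be used" is missing a verb; it should read "If there are ARP requests being broadcast from the wire side, ...".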
Line 17: | Line 19: | ||
First, this solution assumes: | First, this solution assumes: | ||
- | * You are using drivers patched for injection. | + | * You are using drivers patched for injection. |
- | * You are physically close enough to send and receive access point packets. | + | * You are physically close enough to send and receive access point packets. |
*There are some data packets coming from the access point. | *There are some data packets coming from the access point. | ||
- | * The access point uses WEP "open authentication" | + | * The access point uses WEP "open authentication" |
- | * You are using v0.8 of aircrack-ng. If you use a different version then some of the command options may have to be changed. | + | * You use the native MAC address of your wireless card for all the steps and do not change it. Do NOT use any other MAC address as the source for transmitting packets. |
+ | * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed. | ||
Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change " | ||
- | |||
- | In the examples, the option " | ||
Line 49: | Line 50: | ||
*2 - Start the wireless interface in monitor mode on the specific AP channel | *2 - Start the wireless interface in monitor mode on the specific AP channel | ||
*3 - Use aireplay-ng to do a fake authentication with the access point | *3 - Use aireplay-ng to do a fake authentication with the access point | ||
- | *4 - Use aireplay-ng chopchop or fragmenation | + | *4 - Use aireplay-ng chopchop or fragmentation |
*5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step | *5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step | ||
*6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs | *6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs | ||
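Review bot: step 5 of the overview list still reads "using the PRGA obtain in the previous step" on both sides; the typo fix applied to step 4 ("fragmentation") should be extended to this line so it reads "using the PRGA obtained in the previous step".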
Line 60: | Line 61: | ||
To be honest, we will not be changing the wireless card MAC address. | To be honest, we will not be changing the wireless card MAC address. | ||
- | This is a reminder to use your wireless card MAC address as the source MAC. I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication" | + | This is a reminder to use your wireless card MAC address as the source MAC. I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication" |
==== Step 2 - Start the wireless interface in monitor mode on AP channel ==== | ==== Step 2 - Start the wireless interface in monitor mode on AP channel ==== | ||
Line 66: | Line 68: | ||
Enter the following command to start the wireless card on channel 9 in monitor mode: | Enter the following command to start the wireless card on channel 9 in monitor mode: | ||
- | airmon-ng start wifi0 9 | + | airmon-ng start wifi0 9 |
- | Note: In this command we use " | + | Note: In this command we use " |
The system will respond: | The system will respond: | ||
Line 78: | Line 80: | ||
You will notice that " | You will notice that " | ||
- | |||
- | Then enter " | ||
To confirm the interface is properly setup, enter " | To confirm the interface is properly setup, enter " | ||
Line 101: | Line 101: | ||
Tx excessive retries: | Tx excessive retries: | ||
- | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | + | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. |
- | To match the frequency to the channel, check out: | + | To match the frequency to the channel, check out: http://www.cisco.com/en/US/ |
- | http://www.rflinx.com/help/calculations/# | + | |
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | *If another interface started other then ath0 then you can use that one or use "airomon-ng stop athX" where X is each interface you want to stop. | + | *If another interface started other than ath0 then stop all of them first by using "airmon-ng stop athX" where X is each interface you want to stop. |
+ | *On mac80211-based drivers, airmon-ng will respond with something like this: | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | For such interfaces, use the interface name after " | ||
==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | ||
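Review bot: the new mac80211 tip ends with "use the interface name after ..." but every later command on the page (fake authentication, chopchop, fragmentation, airodump-ng, aireplay-ng -2) still hardcodes "ath0"; add a sentence telling the reader to substitute the interface name airmon-ng reports for "ath0" in all of those commands, otherwise the tip is easy to miss once the reader has moved on to Step 3.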
Line 122: | Line 127: | ||
To associate with an access point, use fake authentication: | To associate with an access point, use fake authentication: | ||
- | aireplay-ng -1 0 -e teddy -a 00: | + | aireplay-ng -1 0 -e teddy -a 00: |
Where: | Where: | ||
Line 129: | Line 134: | ||
*-e teddy is the wireless network name | *-e teddy is the wireless network name | ||
*-a 00: | *-a 00: | ||
- | *-h 00: | + | *-h 00: |
*ath0 is the wireless interface name | *ath0 is the wireless interface name | ||
Line 173: | Line 178: | ||
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | *Some access points are configure | + | *Some access points are configured |
*If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. | *If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. | ||
| | ||
- | Run: "tcpdump -n -e -s0 -vvv -i ath0" | + | Run: |
+ | tcpdump -n -e -s0 -vvv -i ath0 | ||
Here is a typical tcpdump error message you are looking for: | Here is a typical tcpdump error message you are looking for: | ||
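Review bot: the tip "If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets" is left ungrammatical on both sides; alongside the "configure" to "configured" fix, rewrite it as "If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets."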
Line 185: | Line 190: | ||
Notice that the access point (00: | Notice that the access point (00: | ||
- | If you want to select only the DeAuth packets with tcpdump then you can use: " | + | If you want to select only the DeAuth packets with tcpdump then you can use: " |
- | + | ||
- | + | ||
==== Step 4 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA ==== | ==== Step 4 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA ==== | ||
- | The objective of the [[korek_chopchop|chopchop]] and [[fragmentation]] attacks is to obtain a PRGA (pseudo random | + | The objective of the [[korek_chopchop|chopchop]] and [[fragmentation]] attacks is to obtain a PRGA (pseudo random |
- | Either chopchop or fragmentation attacks can be to obtain the PRGA bit file. The result is the same so use whichever one works for you. The pros and cons of each attack are described on the [[aircrack-ng]] page. | + | Either chopchop or fragmentation attacks can be to obtain the PRGA bit file. The result is the same so use whichever one works for you. The pros and cons of each attack are described on the [[aircrack-ng]] page. |
- | We will cover the fragmentation | + | We will cover the fragmentation |
- | aireplay-ng -5 -b 00: | + | aireplay-ng -5 -b 00: |
Where: | Where: | ||
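Review bot: the Step 4 heading "==== Step 4 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA ====" is unchanged and still misspells "fragmentation", even though the same typo was corrected in the step overview list earlier in this revision; the heading should be fixed too. In the same hunk, "Either chopchop or fragmentation attacks can be to obtain the PRGA bit file" is missing "used" ("can be used to obtain").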
Line 231: | Line 233: | ||
When a packet from the access point arrives, enter " | When a packet from the access point arrives, enter " | ||
- | When successful, the system | + | When successful, the system |
| | ||
Line 251: | Line 253: | ||
If the fragmentation attack was not successful, you can then try the chopchop technique next. Run: | If the fragmentation attack was not successful, you can then try the chopchop technique next. Run: | ||
- | aireplay-ng -4 -h 00: | + | aireplay-ng -4 -h 00: |
Where: | Where: | ||
Line 347: | Line 349: | ||
=== Helpful Tips === | === Helpful Tips === | ||
- | *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsquently | + | *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently |
- | *At home, to generate some packets to force chopchop to start, ping a non-existant | + | *At home, to generate some packets to force chopchop to start, ping a nonexistent |
- | *You can check decrypted packet by running " | + | *You can check the decrypted packet by running " |
| | ||
19: | 19: | ||
Line 360: | Line 362: | ||
* The chopchop attack will not be successful on some access points. If this happens, move onto the fragmentation attack. | * The chopchop attack will not be successful on some access points. If this happens, move onto the fragmentation attack. | ||
* Make sure you are properly associated. To check this, follow the tcpdump instructions in step 2. | * Make sure you are properly associated. To check this, follow the tcpdump instructions in step 2. | ||
+ | |||
==== Step 5 - Use packetforge-ng to create an arp packet ==== | ==== Step 5 - Use packetforge-ng to create an arp packet ==== | ||
- | In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. | + | In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. |
But first, lets generate the arp packet for injection by entering: | But first, lets generate the arp packet for injection by entering: | ||
- | packetforge-ng -0 -a 00: | + | packetforge-ng -0 -a 00: |
Where: | Where: | ||
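Review bot: the unchanged tip "Make sure you are properly associated. To check this, follow the tcpdump instructions in step 2" points at the wrong step; the tcpdump instructions ("tcpdump -n -e -s0 -vvv -i ath0") live under the Troubleshooting Tips of Step 3 (fake authentication), so the reference should say Step 3. Minor: "lets generate the arp packet" should be "let's".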
Line 375: | Line 378: | ||
*-h 00: | *-h 00: | ||
*-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255) | *-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255) | ||
- | *-l 255.255.255.255.255 is the source IP (most APs respond to 255.255.255.255) | + | *-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255) |
*-y fragment-0203-180343.xor is file to read the PRGA from | *-y fragment-0203-180343.xor is file to read the PRGA from | ||
*-w arp-request is name of file to write the arp packet to | *-w arp-request is name of file to write the arp packet to | ||
Line 387: | Line 390: | ||
*After creating the packet, use tcpdump to review it from a sanity point of view. See below. | *After creating the packet, use tcpdump to review it from a sanity point of view. See below. | ||
- | tcpdump -n -vvv -e -s0 -r arp-request | + | tcpdump -n -vvv -e -s0 -r arp-request |
- | + | ||
| | ||
| | ||
Line 394: | Line 397: | ||
Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct. | Since you are testing against your own AP (you are, right?), then decrypt the packet and ensure it is correct. | ||
- | Decrypt the packet: airdecap-ng -e teddy -w <put your WEP key here> arp-request | + | Decrypt the packet: |
- | View the decrypted packet: tcpdump -n -r arp-request-dec | + | |
+ | airdecap-ng -e teddy -w <put your WEP key here> arp-request | ||
+ | |||
+ | View the decrypted packet: | ||
+ | |||
+ | tcpdump -n -r arp-request-dec | ||
It should be something like: | It should be something like: | ||
| | ||
Line 406: | Line 415: | ||
Open another console session to capture the generated IVs. Then enter: | Open another console session to capture the generated IVs. Then enter: | ||
- | airodump-ng -c 9 --bssid 00: | + | airodump-ng -c 9 --bssid 00: |
Where: | Where: | ||
*-c 9 is the channel for the wireless network | *-c 9 is the channel for the wireless network | ||
- | *- -bssid 00: | + | *-'''' |
- | *- -ivs specfifies that you only want to capture the IVs. This keeps the file as small as possible. | + | *-w capture is file name prefix for the file which will contain the captured packets. |
- | *-w capture is file name prefix for the file which will contain the IVs. | + | |
*ath0 is the interface name. | *ath0 is the interface name. | ||
- | + | ==== Step 7 - Inject the arp packet ==== | |
- | ==== Step 7 - | + | |
Using the console session where you generated the arp packet, enter: | Using the console session where you generated the arp packet, enter: | ||
- | aireplay-ng -2 -r arp-request ath0 | + | aireplay-ng -2 -r arp-request ath0 |
Where: | Where: | ||
Line 443: | Line 450: | ||
Use this packet ? y | Use this packet ? y | ||
- | Enter " | + | Enter " |
| | ||
Line 466: | Line 473: | ||
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | *If the BSSID data packets are not increasing make sure you are still associated with the access point. | + | *If the BSSID data packets are not increasing, make sure you are still associated with the access point. |
Line 473: | Line 480: | ||
Start another console session and enter: | Start another console session and enter: | ||
- | aircrack-ng | + | aircrack-ng -b 00: |
Where: | Where: | ||
- | **.ivs selects all files ending in "ivs". | + | *capture*.cap selects all dump files starting with " |
*-b 00: | *-b 00: | ||
- | You can run this while generating packets. | + | You can run this while generating packets. |
Troubleshooting Tips: | Troubleshooting Tips: | ||
*Sometimes you need to try various techniques to crack the WEP key. Try " | *Sometimes you need to try various techniques to crack the WEP key. Try " | ||
+ | |||
===== Alternate Solution ===== | ===== Alternate Solution ===== | ||
Line 500: | Line 508: | ||
*-2 means use interactive frame selection | *-2 means use interactive frame selection | ||
*-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | *-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client. | ||
- | *c FF: | + | *-c FF: |
*-b 00: | *-b 00: | ||
*-h 00: | *-h 00: | ||
Line 540: | Line 548: | ||
Where " -r capture-01.cap" | Where " -r capture-01.cap" | ||
+ | |||
+ | ===== Using Another Source MAC Address ===== | ||
+ | |||
+ | The base tutorial assumes you are using the native MAC address of your wireless device as the source MAC. If this is not the case, then you need to change the process used. Since this is an advanced topic, I will provide the general guidelines and not the specific detail. | ||
+ | |||
+ | Preferably, you should change the native MAC address of your wireless device to the MAC you will be spoofing. |
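Review bot: this new "Using Another Source MAC Address" section is the only place that covers readers who are not using the card's native MAC, yet the new assumption bullet at the top ("You use the native MAC address of your wireless card for all the steps ... Do NOT use any other MAC address as the source") does not link here; add a cross-reference from that bullet so readers know the exception is handled, and the section itself says only that it gives "the general guidelines and not the specific detail", so it should at least name which of the numbered steps are affected.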
how_to_crack_wep_with_no_clients.txt · Last modified: 2018/03/11 20:15 by mister_x