how_to_crack_wep_with_no_clients
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
how_to_crack_wep_with_no_clients [2008/07/12 16:28] – missing '-' mister_x | how_to_crack_wep_with_no_clients [2018/03/11 20:15] (current) – [Introduction] Removed link to trac mister_x | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Tutorial: How to crack WEP with no wireless clients ====== | ====== Tutorial: How to crack WEP with no wireless clients ====== | ||
- | Version: 1.14 March 24, 2008 \\ | + | Version: 1.16 August 28, 201 \\ |
By: darkAudax \\ | By: darkAudax \\ | ||
Video: [[http:// | Video: [[http:// | ||
===== Introduction ===== | ===== Introduction ===== | ||
- | There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side. Although this topic has been discussed many times over in the [[http:// | + | There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side. Although this topic has been discussed many times over in the [[http:// |
If there ARP requests being broadcast from the wire side, then the standard [[fake authentication]] combined with [[arp-request_reinjection|ARP request replay technique]] may be used. | If there ARP requests being broadcast from the wire side, then the standard [[fake authentication]] combined with [[arp-request_reinjection|ARP request replay technique]] may be used. | ||
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. | ||
- | |||
- | I would like to acknowledge and thank the [[http:// | ||
Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. | ||
Line 23: | Line 21: | ||
*There are some data packets coming from the access point. | *There are some data packets coming from the access point. | ||
* The access point uses WEP "open authentication" | * The access point uses WEP "open authentication" | ||
- | * You use the native MAC address of your wireless card for all the steps and do not change it. Do NOT use any other MAC address as the source for transmiting | + | * You use the native MAC address of your wireless card for all the steps and do not change it. Do NOT use any other MAC address as the source for transmitting |
* You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed. | * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed. | ||
Line 50: | Line 48: | ||
*2 - Start the wireless interface in monitor mode on the specific AP channel | *2 - Start the wireless interface in monitor mode on the specific AP channel | ||
*3 - Use aireplay-ng to do a fake authentication with the access point | *3 - Use aireplay-ng to do a fake authentication with the access point | ||
- | *4 - Use aireplay-ng chopchop or fragmenation | + | *4 - Use aireplay-ng chopchop or fragmentation |
*5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step | *5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step | ||
*6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs | *6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs | ||
Line 61: | Line 59: | ||
To be honest, we will not be changing the wireless card MAC address. | To be honest, we will not be changing the wireless card MAC address. | ||
- | This is a reminder to use your wireless card MAC address as the source MAC. I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication" | + | This is a reminder to use your wireless card MAC address as the source MAC. I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication" |
==== Step 2 - Start the wireless interface in monitor mode on AP channel ==== | ==== Step 2 - Start the wireless interface in monitor mode on AP channel ==== | ||
Line 69: | Line 68: | ||
| | ||
- | Note: In this command we use " | + | Note: In this command we use " |
The system will respond: | The system will respond: | ||
Line 100: | Line 99: | ||
Tx excessive retries: | Tx excessive retries: | ||
- | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. | + | In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. |
- | To match the frequency to the channel, check out: | + | To match the frequency to the channel, check out: http://www.cisco.com/en/US/ |
- | http://www.rflinx.com/help/calculations/# | + | |
=== Troubleshooting Tips === | === Troubleshooting Tips === | ||
- | *If another interface started other then ath0 then stop all of them first by using " | + | *If another interface started other than ath0 then stop all of them first by using " |
+ | *On mac80211-based drivers, airmon-ng will respond with something like this: | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | For such interfaces, use the interface name after " | ||
==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== | ||
Line 127: | Line 132: | ||
*-e teddy is the wireless network name | *-e teddy is the wireless network name | ||
*-a 00: | *-a 00: | ||
- | *-h 00: | + | *-h 00: |
*ath0 is the wireless interface name | *ath0 is the wireless interface name | ||
Line 224: | Line 229: | ||
Use this packet ? y | Use this packet ? y | ||
- | When a packet from the access point arrives, enter " | + | When a packet from the access point arrives, enter " |
- | When successful, the system | + | When successful, the system |
| | ||
Line 342: | Line 347: | ||
=== Helpful Tips === | === Helpful Tips === | ||
- | *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsquently | + | *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently |
- | *At home, to generate some packets to force chopchop to start, ping a non-existant | + | *At home, to generate some packets to force chopchop to start, ping a nonexistent |
*You can check the decrypted packet by running " | *You can check the decrypted packet by running " | ||
| | ||
Line 360: | Line 365: | ||
==== Step 5 - Use packetforge-ng to create an arp packet ==== | ==== Step 5 - Use packetforge-ng to create an arp packet ==== | ||
- | In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. | + | In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. |
But first, lets generate the arp packet for injection by entering: | But first, lets generate the arp packet for injection by entering: | ||
Line 372: | Line 377: | ||
*-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255) | *-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255) | ||
*-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255) | *-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255) | ||
- | *-y fragment-0203-180343.xor is file to read the PRGA from | + | *-y fragment-0203-180343.xor is file to read the PRGA from (NOTE: Change the file name to the actual file name out in step 4 above) |
*-w arp-request is name of file to write the arp packet to | *-w arp-request is name of file to write the arp packet to | ||
Line 443: | Line 448: | ||
Use this packet ? y | Use this packet ? y | ||
- | Enter " | + | Enter " |
| | ||
Line 546: | Line 551: | ||
The base tutorial assumes you are using the native MAC address of your wireless device as the source MAC. If this is not the case, then you need to change the process used. Since this is an advanced topic, I will provide the general guidelines and not the specific detail. | The base tutorial assumes you are using the native MAC address of your wireless device as the source MAC. If this is not the case, then you need to change the process used. Since this is an advanced topic, I will provide the general guidelines and not the specific detail. | ||
- | Preferably, you should change the native MAC address of your wireless device to the MAC you will be spoofing. | + | Preferably, you should change the native MAC address of your wireless device to the MAC you will be spoofing. |
how_to_crack_wep_with_no_clients.1215872900.txt.gz · Last modified: 2008/07/12 16:28 by mister_x