WEP Attack (OPEN) - Clients connected

1. Fake authentication attack (MAC association)

In a possible attack scenario the AP uses MAC address filtering. We first need to obtain the MAC address of a valid client, wait until that client is no longer on the network, and then impersonate it by performing a fake authentication attack that associates our attacking machine with the target access point.

More importantly: this step may be required against targets that use MAC whitelisting, where the AP only accepts connections from specifically whitelisted MAC addresses. In that case we need to observe in monitor mode for a client that is associated with the AP (lower part of the airodump-ng output) and wait for it to disconnect before impersonating its MAC address.

As usual, begin all attacks by putting your adapter in monitor mode; mine is on wlan0

airmon-ng check kill
airmon-ng start wlan0

# save capture file to disk - cracking it later (let it run)
airodump-ng -c 3 --essid <SSID NAME> -w wepfile1 mon0

# perform fake authentication attack - on new terminal
# Authenticate my MAC address to the access point (else traffic may be rejected)
#
# -1 fake auth attack
# 0 association timing in seconds
aireplay-ng -1 0 -e <AP_ESSID> -a <AP_MAC> -h <MY_MAC> mon0

# you should see this success
# 22:42:26  Sending Authentication Request (Open System) [ACK]
# 22:42:26  Authentication successful
# 22:42:26  Sending Association Request [ACK]
# 22:42:26  Association successful :-) (AID: 1)

You will see that your attacking interface's MAC address is added (lower part of your airodump-ng screen), showing that it is now associated with the target AP.

Info: Wireshark will show that there are 4 packets in this sequence of exchange (protocol 802.11).

  • we send an "Open System" authentication request (Authentication Algorithm field) to the AP

  • the AP responds with status code successful

  • we send an association request containing "SSID parameter set: AP_ESSID_NAME"

  • the AP responds with status code successful

2. Collect IV data using ARP replay attack

Using the interactive aireplay-ng attack we choose a specific captured packet to replay against the target network in order to provoke a response (e.g. replaying an ARP request makes the client answer with an ARP reply). Each response carries a fresh IV, so this generates enough IVs for us to crack the WEP key.

Info: When a packet is captured, we can choose to use that packet to replay against the target to collect more IVs (the more IVs collected, the easier the WEP key is to crack). You will see the #Data column in your airodump-ng window increasing rapidly; if it does not, try other packets. About 40,000 data frames collected should be enough to crack the WEP key.
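A defender-side check for this step, added here as an example (it is not part of these notes or of the aircrack-ng suite): a legitimate WEP station advances its IV on every frame, so the same IV arriving many times from one source in a short window is the signature of the replay injection described above. The frame log format below is a constructed simplification, not airodump-ng output.

```python
from collections import defaultdict

# Constructed frame log (hypothetical format, not airodump-ng output):
#   <time_s> <src_mac> <bssid> <type> [<wep_iv_hex>]
# Legitimate traffic: a station authenticates, associates, then sends data
# frames whose 24-bit WEP IV advances on every frame (one harmless retry).
LEGIT = [
    "0.00 aa:bb:cc:00:00:01 00:11:22:33:44:55 auth",
    "0.01 aa:bb:cc:00:00:01 00:11:22:33:44:55 assoc",
    "0.10 aa:bb:cc:00:00:01 00:11:22:33:44:55 data 1a2b3c",
    "0.11 aa:bb:cc:00:00:01 00:11:22:33:44:55 data 1a2b3c",  # retransmit
    "0.20 aa:bb:cc:00:00:01 00:11:22:33:44:55 data 1a2b3d",
    "0.30 aa:bb:cc:00:00:01 00:11:22:33:44:55 data 1a2b3e",
]
# Replay injection: the same captured ARP frame (same IV) re-sent 30 times
# in 0.3 s from the spoofed station address.
REPLAY = [f"{1.0 + i * 0.01:.2f} aa:bb:cc:00:00:01 00:11:22:33:44:55 data 4f4f4f"
          for i in range(30)]
SAMPLE_LOG = LEGIT + REPLAY


def parse_frame(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    frame = {"time": float(parts[0]), "src": parts[1].lower(),
             "bssid": parts[2].lower(), "type": parts[3]}
    frame["iv"] = parts[4].lower() if len(parts) > 4 else None
    return frame


def detect_iv_replay(lines, threshold=10, window=1.0):
    """Return (src, bssid, iv, count) for each (station, IV) pair that appears
    at least `threshold` times within any `window`-second span.  A real WEP
    sender changes its IV per frame, so a burst of one IV is replay injection."""
    times = defaultdict(list)
    for frame in map(parse_frame, lines):
        if frame and frame["type"] == "data" and frame["iv"]:
            times[(frame["src"], frame["bssid"], frame["iv"])].append(frame["time"])
    hits = []
    for key, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((*key, best))
    return hits


if __name__ == "__main__":
    for src, bssid, iv, n in detect_iv_replay(SAMPLE_LOG):
        print(f"replay suspected: {src} -> {bssid} IV {iv} repeated {n}x")
```

The single retransmitted frame in the legitimate traffic stays below the threshold, so only the injected burst is reported.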

3. Cracking WEP

Now that we have enough IV collected (in the written cap file) we can easily crack it using
