how_to_crack_wep_with_no_clients

how_to_crack_wep_with_no_clients [2007/11/27 23:43] – Too many 255 (5 instead of 4) in IP address mister_x
how_to_crack_wep_with_no_clients [2018/03/11 20:15] (current) – [Introduction] Removed link to trac mister_x
Line 1: Line 1:
 ====== Tutorial: How to crack WEP with no wireless clients ====== ====== Tutorial: How to crack WEP with no wireless clients ======
-Version: 1.12 November 112007 \\+Version: 1.16 August 28201 \\
 By: darkAudax \\ By: darkAudax \\
 Video: [[http://video.aircrack-ng.org/noclient/|http://video.aircrack-ng.org/noclient/]] Video: [[http://video.aircrack-ng.org/noclient/|http://video.aircrack-ng.org/noclient/]]
- 
- 
  
 ===== Introduction ===== ===== Introduction =====
-There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side.  This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side.  Although this topic has been discussed many times over in the [[http://forum.tinyshell.be/|Forum]], this tutorial is intended to address the topic in more detail and provide working examples.+There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side.  This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side.  Although this topic has been discussed many times over in the [[http://forum.aircrack-ng.org|Forum]], this tutorial is intended to address the topic in more detail and provide working examples.
  
-If there ARP requests being broadcast from the wire side, then the standard [[fake_authentication|fake authentication]] combined with [[arp-request_reinjection|ARP request replay technique]] may be used.+If there ARP requests being broadcast from the wire side, then the standard [[fake authentication]] combined with [[arp-request_reinjection|ARP request replay technique]] may be used.
  
 It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it. It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
- 
-I would like to acknowledge and thank the [[http://trac.aircrack-ng.org/wiki/Team|Aircrack-ng team]] for producing such a great robust tool.  
  
 Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
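Review bot: the new version line "Version: 1.16 August 28201" has lost a digit from the year (the old line "November 112007" already ran day and year together), so write the date out with spaces and a full four-digit year. Unchanged context in this hunk still reads "If there ARP requests being broadcast from the wire side" and needs "are" after "there".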
Line 25: Line 21:
   *There are some data packets coming from the access point.  Beacons and other management frame packets are totally useless for our purposes in this tutorial.  A quick way to check is to run airodump-ng and see if there are any data packets counted for the access point.  Having said that, if you have data captured from the access point from another session, then this can be used.  This is an advanced topic and this tutorial does not provide detailed instructions for this case.   *There are some data packets coming from the access point.  Beacons and other management frame packets are totally useless for our purposes in this tutorial.  A quick way to check is to run airodump-ng and see if there are any data packets counted for the access point.  Having said that, if you have data captured from the access point from another session, then this can be used.  This is an advanced topic and this tutorial does not provide detailed instructions for this case.
   * The access point uses WEP "open authentication" It will not work if "shared key authentication" (SKA) is being used.  With SKA, the only way to be successful with no clients present is if you captured the PRGA xor data with a airodump-ng handshake or an aireplay-ng attack previously.  This is because you will need the PRGA xor file to do the fake authentication successfully.   * The access point uses WEP "open authentication" It will not work if "shared key authentication" (SKA) is being used.  With SKA, the only way to be successful with no clients present is if you captured the PRGA xor data with a airodump-ng handshake or an aireplay-ng attack previously.  This is because you will need the PRGA xor file to do the fake authentication successfully.
 +  * You use the native MAC address of your wireless card for all the steps and do not change it.  Do NOT use any other MAC address as the source for transmitting packets.  Otherwise, some commands will not work correctly.  See the [[how_to_crack_wep_with_no_clients#using_another_source_mac_address|Using Another Source MAC Address Section]] for instructions on dealing with using a different source MAC address.
   * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed.   * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed.
  
 Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card. Ensure all of the above assumptions are true, otherwise the advice that follows will not work.  In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.
- 
-In the examples, the option "double dash bssid" is shown as "- -bssid" Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs". 
  
  
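Review bot: the assumption bullet still says "You are using v0.9 of aircrack-ng", while the Step 8 hunk of this same revision drops the "-z" PTW option and its explanation; either raise the version assumption to the release the revised commands were checked against, or keep a note that older versions need "-z". The new bullet about keeping the card's native MAC correctly cross-links the Using Another Source MAC Address section added at the end of the page, and removing the "- -bssid" explanation is fine only because the later hunks switch to the "-''''-bssid" escape. Minor: "uses WEP "open authentication" It will not work" is missing a full stop after the closing quote.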
Line 53: Line 48:
   *2 - Start the wireless interface in monitor mode on the specific AP channel   *2 - Start the wireless interface in monitor mode on the specific AP channel
   *3 - Use aireplay-ng to do a fake authentication with the access point   *3 - Use aireplay-ng to do a fake authentication with the access point
-  *4 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA+  *4 - Use aireplay-ng chopchop or fragmentation attack to obtain PRGA
   *5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step   *5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step
   *6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs   *6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs
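Review bot: the "fragmenation" spelling fix in overview step 4 is not carried to the Step 4 heading later in the page, which still reads "chopchop or fragmenation attack" on both sides of the diff; step 5 in this same list also still reads "using the PRGA obtain in the previous step" and needs "obtained".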
Line 64: Line 59:
 To be honest, we will not be changing the wireless card MAC address. To be honest, we will not be changing the wireless card MAC address.
  
-This is a reminder to use your wireless card MAC address as the source MAC.  I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication" if you are replaying data from another session.  Detailed instructions can be found in the FAQ: [[http://aircrack-ng.org/doku.php?id=faq&DokuWiki=7bdcc4f1dd827e3aabb3bbf0a2f93c21#how_do_i_change_my_card_s_mac_address|How do I change my card's MAC address ?]].+This is a reminder to use your wireless card MAC address as the source MAC.  I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication" if you are replaying data from another session.  Detailed instructions can be found in the FAQ: [[faq#how_do_i_change_my_card_s_mac_address|How do I change my card's MAC address ?]]. 
  
 ==== Step 2 - Start the wireless interface in monitor mode on AP channel ==== ==== Step 2 - Start the wireless interface in monitor mode on AP channel ====
Line 72: Line 68:
    airmon-ng start wifi0 9    airmon-ng start wifi0 9
  
-Note: In this command we use "wifi0" instead of our wireless interface of "ath0" This is because the madwifi-ng drivers are being used.+Note: In this command we use "wifi0" instead of our wireless interface of "ath0" This is because the madwifi-ng drivers are being used. For other drivers, use the actual interface name.
  
 The system will respond: The system will respond:
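Review bot: "For other drivers, use the actual interface name" should say that this refers to the argument given to "airmon-ng start", because the mac80211 tip added further down tells the reader to use the reported monitor interface ("mon0") rather than the card's actual interface for every later command; as written the two sentences read as contradictory.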
Line 103: Line 99:
              Tx excessive retries: Invalid misc:  Missed beacon:0              Tx excessive retries: Invalid misc:  Missed beacon:0
  
-In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.+In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. (Note: If you are using a driver other than madwifi, then the Access Point field will be either invisible or show something other than your card's MAC address. This is normal.)
  
-To match the frequency to the channel, check out: +To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 .  This will give you the frequency for each channel.
-http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select the "Wifi Channel Selection and Channel Overlap" tab.  This will give you the frequency for each channel.+
  
 === Troubleshooting Tips === === Troubleshooting Tips ===
  
-  *If another interface started other then ath0 then stop all of them first by using "airmon-ng stop athX" where X is each interface you want to stop.+  *If another interface started other than ath0 then stop all of them first by using "airmon-ng stop athX" where X is each interface you want to stop. 
 +  *On mac80211-based drivers, airmon-ng will respond with something like this:
  
 +   Interface       Chipset         Driver
 +   
 +   wlan0           Broadcom 43xx   b43 - [phy0]
 +                                   (monitor mode enabled on mon0)
 +
 +For such interfaces, use the interface name after "monitor mode enabled on" (here "mon0") for further commands, rather than your card's actual interface.
  
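Review bot: the new mac80211 tip says to use "mon0" for further commands, but the verification paragraph above it still tells the reader to confirm that "ath0 is in monitor mode" and that the Access Point field shows the card MAC; the added parenthetical covers the Access Point field but not the interface name, so add that on mac80211 the interface to check with iwconfig is the reported monitor interface. Minor: the replaced Cisco URL is followed by " ." with a stray space before the full stop.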
 ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ==== ==== Step 3 - Use aireplay-ng to do a fake authentication with the access point ====
Line 130: Line 132:
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:14:6C:7E:40:80 is the access point MAC address   *-a 00:14:6C:7E:40:80 is the access point MAC address
-  *-h 00:09:5B:EC:EE:F2 is our card MAC addresss+  *-h 00:09:5B:EC:EE:F2 is our card MAC address
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
  
Line 187: Line 189:
  
 If you want to select only the DeAuth packets with tcpdump then you can use: "tcpdump -n -e -s0 -vvv -i ath0 | grep -i DeAuth" You may need to tweak the phrase "DeAuth" to pick out the exact packets you want. If you want to select only the DeAuth packets with tcpdump then you can use: "tcpdump -n -e -s0 -vvv -i ath0 | grep -i DeAuth" You may need to tweak the phrase "DeAuth" to pick out the exact packets you want.
- 
- 
- 
  
 ==== Step 4 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA ==== ==== Step 4 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA ====
  
-The objective of the [[korek_chopchop|chopchop]] and [[fragmentation]] attacks is to obtain a PRGA (pseudo random genration algorithm) bit file.   This PRGA is not the WEP key and cannot be used to decrypt packets.  However, it can be used to create new packets for injection.  The creation of new packets will be covered later in the tutorial.+The objective of the [[korek_chopchop|chopchop]] and [[fragmentation]] attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.
  
-Either chopchop or fragmentation attacks can be to obtain the PRGA bit file.  The result is the same so use whichever one works for you.  The pros and cons of each attack are described on the [[aircrack-ng]] page.+Either chopchop or fragmentation attacks can be to obtain the PRGA bit file. The result is the same so use whichever one works for you.  The pros and cons of each attack are described on the [[aircrack-ng]] page.
  
-We will cover the fragmentation techninque first.  Start anther console session and run:+We will cover the fragmentation technique first.  Start another console session and run:
  
    aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0    aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
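Review bot: the Step 4 heading still reads "fragmenation attack" on both sides while the overview list was corrected to "fragmentation" in this revision, and "Either chopchop or fragmentation attacks can be to obtain the PRGA bit file" is still missing "used". The reworded first paragraph now says "PRGA (pseudo random generation algorithm) file" while the next paragraph keeps "PRGA bit file"; use one term.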
Line 230: Line 229:
            Use this packet ? y            Use this packet ? y
  
-When a packet from the access point arrives, enter "y" to proceed.  You may need to try a few to be successful.+When a packet from the access point arrives, enter "y" to proceed.  You may need to try a few different packets from the AP to be successful.  These packets have ""FromDS: 1".
  
-When successful, the system reponds:+When successful, the system responds:
  
    Saving chosen packet in replay_src-0203-180328.cap    Saving chosen packet in replay_src-0203-180328.cap
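Review bot: the added sentence has a doubled opening quote, ""FromDS: 1"., which should be "FromDS: 1". The sentence itself is a useful addition because it tells the reader how to recognise a packet sent by the AP in the aireplay-ng prompt rather than trying packets at random.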
Line 348: Line 347:
 === Helpful Tips === === Helpful Tips ===
  
-  *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsquently generate a packet.  The PRGA captured has to equal or greater then the packet length we want to generate. +  *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently generate a packet.  The PRGA captured has to equal or greater then the packet length we want to generate. 
-  *At home, to generate some packets to force chopchop to start, ping a non-existant IP on your network using a wired client.  This forces an arp to be broadcast and this will show up in chopchop to be used.+  *At home, to generate some packets to force chopchop to start, ping a nonexistent IP on your network using a wired client.  This forces an arp to be broadcast and this will show up in chopchop to be used.
   *You can check the decrypted packet by running "tcpdump -n -vvv -e -s0 -r replay_dec-0201-191706.cap" In our example above:   *You can check the decrypted packet by running "tcpdump -n -vvv -e -s0 -r replay_dec-0201-191706.cap" In our example above:
    reading from file replay_dec-0201-191706.cap, link-type IEEE802_11 (802.11)    reading from file replay_dec-0201-191706.cap, link-type IEEE802_11 (802.11)
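Review bot: after the "subsequently" fix the first bullet still reads "has to equal or greater then the packet length"; it needs "has to be equal to or greater than the length of the packet we want to generate". The "nonexistent" correction in the second bullet is fine.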
Line 366: Line 365:
 ==== Step 5 - Use packetforge-ng to create an arp packet ==== ==== Step 5 - Use packetforge-ng to create an arp packet ====
  
-In the previous step, we obtained PRGA.  It does not matter which attack generated the PRGA, both are equal.  This PRGA is stored in the files ending with "xor" We can then use this PRGA to generate a packet for injection.  We will be generating an arp packet for injection.  The objective is to have the access point rebroadcast the injected arp packet.  When it rebroacasts it, a new IV is obtained.  All these new IVs will ultimately be used to crack the WEP key.+In the previous step, we obtained PRGA.  It does not matter which attack generated the PRGA, both are equal.  This PRGA is stored in the files ending with "xor" We can then use this PRGA to generate a packet for injection.  We will be generating an arp packet for injection.  The objective is to have the access point rebroadcast the injected arp packet.  When it rebroadcasts it, a new IV is obtained.  All these new IVs will ultimately be used to crack the WEP key.
  
 But first, lets generate the arp packet for injection by entering: But first, lets generate the arp packet for injection by entering:
Line 378: Line 377:
   *-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)   *-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
   *-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)   *-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-  *-y fragment-0203-180343.xor is file to read the PRGA from+  *-y fragment-0203-180343.xor is file to read the PRGA from (NOTE: Change the file name to the actual file name out in step 4 above)
   *-w arp-request is name of file to write the arp packet to   *-w arp-request is name of file to write the arp packet to
  
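Review bot: the note added to the "-y" bullet reads "the actual file name out in step 4 above", which is missing a word ("output in" or "produced in"). Since the Step 5 introduction already says the PRGA is stored in files ending with "xor", the note could simply say "the xor file produced by whichever attack you ran in step 4", which also covers the chopchop case where the file is not named fragment-*.xor.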
Line 418: Line 417:
 Where: Where:
   *-c 9 is the channel for the wireless network   *-c 9 is the channel for the wireless network
-  *- -bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic+  *-''''-bssid 00:14:6C:7E:40:80 is the access point MAC address.  This eliminate extraneous traffic. 
-  *- -ivs specfifies that you only want to capture the IVs.  This keeps the file as small as possible.  Don't use this option when using "aircrack-ng -z"+  *-w capture is file name prefix for the file which will contain the captured packets.
-  *-w capture is file name prefix for the file which will contain the IVs.+
   *ath0 is the interface name.   *ath0 is the interface name.
  
- +==== Step 7 - Inject the arp packet ====
-==== Step 7 -   Inject the arp packet ====+
  
 Using the console session where you generated the arp packet, enter: Using the console session where you generated the arp packet, enter:
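Review bot: "This eliminate extraneous traffic." needs "eliminates". Removing the "-''''-ivs" bullet here is consistent with the Step 8 reminder not to use the option, and updating "-w capture" to say the file contains the captured packets rather than only IVs is the right follow-through; the "-''''-bssid" form is the DokuWiki escape that stops the double dash rendering as a dash, and it replaces the "- -bssid" explanation removed from the assumptions hunk.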
Line 451: Line 448:
         Use this packet ? y         Use this packet ? y
  
-Enter "y" to use this packet.  The system responds by showing how many packets it is injecting and reminds you to start airodumump if it has not already been started:+Enter "y" to use this packet.  The system responds by showing how many packets it is injecting and reminds you to start airodump-ng if it has not already been started:
  
    Saving chosen packet in replay_src-0204-104917.cap    Saving chosen packet in replay_src-0204-104917.cap
Line 481: Line 478:
 Start another console session and enter: Start another console session and enter:
  
-   aircrack-ng -z -b 00:14:6C:7E:40:80 capture*.cap +   aircrack-ng -b 00:14:6C:7E:40:80 capture*.cap 
  
 Where: Where:
-  *-z means to use the PTW WEP-cracking method. 
   *capture*.cap selects all dump files starting with "capture" and ending in "cap".   *capture*.cap selects all dump files starting with "capture" and ending in "cap".
   *-b 00:14:6C:7E:40:80 selects the one access point we are interested in   *-b 00:14:6C:7E:40:80 selects the one access point we are interested in
  
-You can run this while generating packets.  In a short time, the WEP key will be calculated and presented. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.  As a reminder, the PTW method only works successfully with arp request/reply packets. Since this tutorial covers injection arp request packets, you can properly use this method. The other requirement is that you capture the full packet with airodump-ng. Meaning, do not use the “- -ivs” option.   +You can run this while generating packets.  In a short time, the WEP key will be calculated and presented. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets.  As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the “-''''-ivs” option.  
- +
-If you don't use the "-z" option, then the FMS/Korek method is applied.  You will then need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128bit keys.   These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.+
  
 Troubleshooting Tips: Troubleshooting Tips:
  
   *Sometimes you need to try various techniques to crack the WEP key.  Try "-n" to set various key lengths.  Use "-f" and try various fudge factors.  Use "-k" and try disabling various korek methods.   *Sometimes you need to try various techniques to crack the WEP key.  Try "-n" to set various key lengths.  Use "-f" and try various fudge factors.  Use "-k" and try disabling various korek methods.
 +
  
 ===== Alternate Solution ===== ===== Alternate Solution =====
  
 There is a neat trick which simplifies cracking WEP with no clients.  Essentially it takes any packet broadcast by the access point and converts it to a broadcast packet such that the access point generates a new IV. There is a neat trick which simplifies cracking WEP with no clients.  Essentially it takes any packet broadcast by the access point and converts it to a broadcast packet such that the access point generates a new IV.
- 
-It is important to understand that if you use this trick, then you can't use the "-z" PTW method option when crack the WEP key.  This is because the PTW method requires arp request/reply packets and this trick does not generate them. 
  
 OK, at this point you are asking why didn't you show me this technique right at the start?  The reason is that this technique rebroadcasts whatever size packet you receive.  So if you receive a 1000 byte packet you then rebroadcast 1000 bytes.  This potentially slows down the packets per second rate considerably.  However, on the good news side, it is simple and easy to use.  You might also get lucky and receive a very small packet for rebroadcasting.  In this case, the performance is comparable to the solution described above. OK, at this point you are asking why didn't you show me this technique right at the start?  The reason is that this technique rebroadcasts whatever size packet you receive.  So if you receive a 1000 byte packet you then rebroadcast 1000 bytes.  This potentially slows down the packets per second rate considerably.  However, on the good news side, it is simple and easy to use.  You might also get lucky and receive a very small packet for rebroadcasting.  In this case, the performance is comparable to the solution described above.
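Review bot: with the "-z" bullet and the FMS/Korek paragraph removed, the Step 8 text still says "Using the PTW method" without saying how PTW is selected; state that it is the default in the aircrack-ng version this revision targets, otherwise the reader cannot reconcile this with the "v0.9" assumption earlier in the page. The sentence "As a reminder, the requirement is that you capture the full packet with airodump-ng" lost its first half in the rewrite and now reads oddly. In the Alternate Solution, deleting the "-z" paragraph also deletes the only statement that PTW needs arp request/reply packets, which this trick does not produce; keep that caveat, reworded for the default method, so the reader understands why cracking may need far more IVs with the alternate technique.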
Line 513: Line 506:
   *-2 means use interactive frame selection   *-2 means use interactive frame selection
   *-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.   *-p 0841 sets the Frame Control Field such that the packet looks like it is being sent from a wireless client.
-  *c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast. This is required to cause the AP to replay the packet and thus getting the new IV.+  *-c FF:FF:FF:FF:FF:FF sets the destination MAC address to be a broadcast. This is required to cause the AP to replay the packet and thus getting the new IV.
   *-b 00:14:6C:7E:40:80 is the access point MAC address   *-b 00:14:6C:7E:40:80 is the access point MAC address
   *-h 00:09:5B:EC:EE:F2 is the MAC address of our card and must match the MAC used in the fake authentication   *-h 00:09:5B:EC:EE:F2 is the MAC address of our card and must match the MAC used in the fake authentication
Line 553: Line 546:
 Where " -r capture-01.cap" is data from a previous capture. Where " -r capture-01.cap" is data from a previous capture.
  
 +
 +===== Using Another Source MAC Address =====
 +
 +The base tutorial assumes you are using the native MAC address of your wireless device as the source MAC.  If this is not the case, then you need to change the process used.  Since this is an advanced topic, I will provide the general guidelines and not the specific detail.
 +
 +Preferably, you should change the native MAC address of your wireless device to the MAC you will be spoofing.  This could the MAC of a client already associated with the AP or one that you make up.  See [[faq#how_do_i_change_my_card_s_mac_address|this FAQ entry]] regarding how to change the MAC address of your card.
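Review bot: "This could the MAC of a client already associated with the AP" is missing "be". The new section ends after the FAQ link, so the "general guidelines" its opening paragraph promises are not in the visible lines; if the rest exists in the revision, the comparison view is truncated here.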
how_to_crack_wep_with_no_clients.txt · Last modified: 2018/03/11 20:15 by mister_x