how_to_crack_wep_with_no_clients

Differences

This shows you the differences between two versions of the page.

how_to_crack_wep_with_no_clients [2009/06/01 18:23]
mister_x updated forum link
how_to_crack_wep_with_no_clients [2011/08/28 16:08] (current)
darkaudax Edited tutorial based on feedback.
Line 1: Line 1:
 ====== Tutorial: How to crack WEP with no wireless clients ====== ====== Tutorial: How to crack WEP with no wireless clients ======
-Version: 1.14 March 242008 \\+Version: 1.16 August 28201 \\
 By: darkAudax \\ By: darkAudax \\
 Video: [[http://​video.aircrack-ng.org/​noclient/​|http://​video.aircrack-ng.org/​noclient/​]] Video: [[http://​video.aircrack-ng.org/​noclient/​|http://​video.aircrack-ng.org/​noclient/​]]
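Review bot: the new version line in this hunk reads "August 28201", with the day and year run together and a digit dropped; given the revision timestamp 2011/08/28 shown for this comparison, it should read "Version: 1.16 August 28 2011 \\". The old line had the same run-together form ("March 242008"), so fixing it here avoids carrying the defect forward.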
Line 23: Line 23:
   *There are some data packets coming from the access point. ​ Beacons and other management frame packets are totally useless for our purposes in this tutorial. ​ A quick way to check is to run airodump-ng and see if there are any data packets counted for the access point. ​ Having said that, if you have data captured from the access point from another session, then this can be used.  This is an advanced topic and this tutorial does not provide detailed instructions for this case.   *There are some data packets coming from the access point. ​ Beacons and other management frame packets are totally useless for our purposes in this tutorial. ​ A quick way to check is to run airodump-ng and see if there are any data packets counted for the access point. ​ Having said that, if you have data captured from the access point from another session, then this can be used.  This is an advanced topic and this tutorial does not provide detailed instructions for this case.
   * The access point uses WEP "open authentication"​. ​ It will not work if "​shared key authentication"​ (SKA) is being used.  With SKA, the only way to be successful with no clients present is if you captured the PRGA xor data with a airodump-ng handshake or an aireplay-ng attack previously. ​ This is because you will need the PRGA xor file to do the fake authentication successfully.   * The access point uses WEP "open authentication"​. ​ It will not work if "​shared key authentication"​ (SKA) is being used.  With SKA, the only way to be successful with no clients present is if you captured the PRGA xor data with a airodump-ng handshake or an aireplay-ng attack previously. ​ This is because you will need the PRGA xor file to do the fake authentication successfully.
-  * You use the native MAC address of your wireless card for all the steps and do not change it.  Do NOT use any other MAC address as the source for transmiting ​packets. ​ Otherwise, some commands will not work correctly. ​ See the [[how_to_crack_wep_with_no_clients#​using_another_source_mac_address|Using Another Source MAC Address Section]] for instructions on dealing with using a different source MAC address.+  * You use the native MAC address of your wireless card for all the steps and do not change it.  Do NOT use any other MAC address as the source for transmitting ​packets. ​ Otherwise, some commands will not work correctly. ​ See the [[how_to_crack_wep_with_no_clients#​using_another_source_mac_address|Using Another Source MAC Address Section]] for instructions on dealing with using a different source MAC address.
   * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed.   * You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed.
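Review bot: the prerequisite "You are using v0.9 of aircrack-ng" is unchanged in this hunk while the document's version and date are bumped to 2011; confirm that v0.9 is still the version whose command options the rest of the tutorial assumes, or update the line. Separately, "with a airodump-ng handshake" in the shared key authentication bullet should read "with an airodump-ng handshake".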
  
Line 50: Line 50:
   *2 - Start the wireless interface in monitor mode on the specific AP channel   *2 - Start the wireless interface in monitor mode on the specific AP channel
   *3 - Use aireplay-ng to do a fake authentication with the access point   *3 - Use aireplay-ng to do a fake authentication with the access point
-  *4 - Use aireplay-ng chopchop or fragmenation ​attack to obtain PRGA+  *4 - Use aireplay-ng chopchop or fragmentation ​attack to obtain PRGA
   *5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step   *5 - Use packetforge-ng to create an arp packet using the PRGA obtain in the previous step
   *6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs   *6 - Start airodump-ng on AP channel with filter for bssid to collect the new unique IVs
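Review bot: step 5 in this hunk still reads "using the PRGA obtain in the previous step"; it should be "using the PRGA obtained in the previous step". Worth fixing alongside the "fragmentation" spelling correction in step 4 since the two lines are adjacent.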
Line 61: Line 61:
 To be honest, we will not be changing the wireless card MAC address. To be honest, we will not be changing the wireless card MAC address.
  
-This is a reminder to use your wireless card MAC address as the source MAC.  I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication"​ if you are replaying data from another session. ​ Detailed instructions can be found in the FAQ: [[http://​aircrack-ng.org/​doku.php?​id=faq&​DokuWiki=7bdcc4f1dd827e3aabb3bbf0a2f93c21#​how_do_i_change_my_card_s_mac_address|How do I change my card's MAC address ?]].+This is a reminder to use your wireless card MAC address as the source MAC.  I mention this explicitly as a reminder to use the actual MAC address from your card in "Step 3 - fake authentication"​ if you are replaying data from another session. ​ Detailed instructions can be found in the FAQ: [[faq#​how_do_i_change_my_card_s_mac_address|How do I change my card's MAC address ?]].
  
  
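Review bot: replacing the absolute FAQ URL with the internal [[faq#how_do_i_change_my_card_s_mac_address|...]] link is the right fix here: the old URL carried a DokuWiki=7bdcc4f1... query parameter, which looks like a per-session token rather than a stable page identifier, so the link would not have resolved reliably for other readers and such values should not be published in page content anyway. One nit: the link text "How do I change my card's MAC address ?" has a space before the question mark.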
Line 103: Line 103:
 In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. (Note: If you are using a driver other than madwifi, then the Access Point field will be either invisible or show something other than your card's MAC address. This is normal.) In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card.  So everything is good.   It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly. (Note: If you are using a driver other than madwifi, then the Access Point field will be either invisible or show something other than your card's MAC address. This is normal.)
  
-To match the frequency to the channel, check out: +To match the frequency to the channel, check out: http://www.cisco.com/en/US/​docs/​wireless/​technology/​channel/​deployment/​guide/Channel.html#​wp134132 ​.  This will give you the frequency for each channel.
-http://www.rflinx.com/help/calculations/#​2.4ghz_wifi_channels then select the "​Wifi ​Channel ​Selection and Channel Overlap"​ tab.  This will give you the frequency for each channel.+
  
 === Troubleshooting Tips === === Troubleshooting Tips ===
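Review bot: the new Cisco URL in this hunk is followed by a stray space before the full stop ("#wp134132 ."); drop the space so the URL and sentence end cleanly. Since the preceding paragraph already states the one mapping the reader needs (2.452 GHz is channel 9), consider also giving the general rule inline (2.4 GHz channels 1 to 13 sit at 2407 MHz plus 5 MHz times the channel number, which yields 2452 MHz for channel 9) so this step does not depend on an external page whose deep anchor may move.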
Line 135: Line 134:
   *-e teddy is the wireless network name   *-e teddy is the wireless network name
   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address   *-a 00:​14:​6C:​7E:​40:​80 is the access point MAC address
-  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC addresss+  *-h 00:​09:​5B:​EC:​EE:​F2 is our card MAC address
   *ath0 is the wireless interface name   *ath0 is the wireless interface name
  
Line 232: Line 231:
            Use this packet ? y            Use this packet ? y
  
-When a packet from the access point arrives, enter "​y"​ to proceed. ​ You may need to try a few to be successful.+When a packet from the access point arrives, enter "​y"​ to proceed. ​ You may need to try a few different packets from the AP to be successful.  These packets have ""​FromDS:​ 1".
  
-When successful, the system ​reponds:+When successful, the system ​responds:
  
    ​Saving chosen packet in replay_src-0203-180328.cap    ​Saving chosen packet in replay_src-0203-180328.cap
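Review bot: the sentence added in this hunk, 'These packets have ""FromDS: 1".', has a doubled opening quotation mark; it should read: These packets have "FromDS: 1". It would also help the reader to say where that flag is visible, namely in the packet summary aireplay-ng prints above the "Use this packet ?" prompt shown at the top of this hunk.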
Line 350: Line 349:
 === Helpful Tips === === Helpful Tips ===
  
-  *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsquently ​generate a packet. ​ The PRGA captured has to equal or greater then the packet length we want to generate. +  *Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently ​generate a packet. ​ The PRGA captured has to equal or greater then the packet length we want to generate. 
-  *At home, to generate some packets to force chopchop to start, ping a non-existant ​IP on your network using a wired client. ​ This forces an arp to be broadcast and this will show up in chopchop to be used.+  *At home, to generate some packets to force chopchop to start, ping a nonexistent ​IP on your network using a wired client. ​ This forces an arp to be broadcast and this will show up in chopchop to be used.
   *You can check the decrypted packet by running "​tcpdump -n -vvv -e -s0 -r replay_dec-0201-191706.cap"​. ​ In our example above:   *You can check the decrypted packet by running "​tcpdump -n -vvv -e -s0 -r replay_dec-0201-191706.cap"​. ​ In our example above:
    ​reading from file replay_dec-0201-191706.cap,​ link-type IEEE802_11 (802.11)    ​reading from file replay_dec-0201-191706.cap,​ link-type IEEE802_11 (802.11)
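Review bot: the first bullet in this hunk still has a grammar error the typo fix did not address: "The PRGA captured has to equal or greater then the packet length we want to generate" should read "The PRGA captured has to be equal to or greater than the packet length we want to generate." The same bullet also needs a comma before "otherwise": "Be sure the packet is 68 or more bytes, otherwise you may not have enough PRGA data".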
Line 368: Line 367:
 ==== Step 5 - Use packetforge-ng to create an arp packet ==== ==== Step 5 - Use packetforge-ng to create an arp packet ====
  
-In the previous step, we obtained PRGA.  It does not matter which attack generated the PRGA, both are equal. ​ This PRGA is stored in the files ending with "​xor"​. ​ We can then use this PRGA to generate a packet for injection. ​ We will be generating an arp packet for injection. ​ The objective is to have the access point rebroadcast the injected arp packet. ​ When it rebroacasts ​it, a new IV is obtained. ​ All these new IVs will ultimately be used to crack the WEP key.+In the previous step, we obtained PRGA.  It does not matter which attack generated the PRGA, both are equal. ​ This PRGA is stored in the files ending with "​xor"​. ​ We can then use this PRGA to generate a packet for injection. ​ We will be generating an arp packet for injection. ​ The objective is to have the access point rebroadcast the injected arp packet. ​ When it rebroadcasts ​it, a new IV is obtained. ​ All these new IVs will ultimately be used to crack the WEP key.
  
 But first, lets generate the arp packet for injection by entering: But first, lets generate the arp packet for injection by entering:
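Review bot: "lets generate" in the last line of this hunk should be "let's generate". In the paragraph above it, "both are equal" is vague; since the point being made is that the source of the PRGA does not matter, "either attack yields PRGA that can be used in the same way" says it more precisely.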
Line 380: Line 379:
   *-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)   *-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
   *-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)   *-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-  *-y fragment-0203-180343.xor is file to read the PRGA from+  *-y fragment-0203-180343.xor is file to read the PRGA from (NOTE: Change the file name to the actual file name out in step 4 above)
   *-w arp-request is name of file to write the arp packet to   *-w arp-request is name of file to write the arp packet to
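Review bot: the NOTE added to the -y bullet in this hunk is missing a word: "Change the file name to the actual file name out in step 4 above" should read "Change the file name to the actual file name written out in step 4 above". The bullet itself also reads better as "-y fragment-0203-180343.xor is the file to read the PRGA from".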
  
Line 451: Line 450:
         Use this packet ? y         Use this packet ? y
  
-Enter "​y"​ to use this packet. ​ The system responds by showing how many packets it is injecting and reminds you to start airodumump ​if it has not already been started:+Enter "​y"​ to use this packet. ​ The system responds by showing how many packets it is injecting and reminds you to start airodump-ng ​if it has not already been started:
  
    ​Saving chosen packet in replay_src-0204-104917.cap    ​Saving chosen packet in replay_src-0204-104917.cap
Line 554: Line 553:
 The base tutorial assumes you are using the native MAC address of your wireless device as the source MAC.  If this is not the case, then you need to change the process used.  Since this is an advanced topic, I will provide the general guidelines and not the specific detail. The base tutorial assumes you are using the native MAC address of your wireless device as the source MAC.  If this is not the case, then you need to change the process used.  Since this is an advanced topic, I will provide the general guidelines and not the specific detail.
  
-Preferably, you should change the native MAC address of your wireless device to the MAC you will be spoofing. ​ This could the MAC of a client already associated with the AP or one that you make up.  See [[http://​aircrack-ng.org/​doku.php?​id=faq#​how_do_i_change_my_card_s_mac_address|this FAQ entry]] regarding how to change the MAC address of your card.+Preferably, you should change the native MAC address of your wireless device to the MAC you will be spoofing. ​ This could the MAC of a client already associated with the AP or one that you make up.  See [[faq#​how_do_i_change_my_card_s_mac_address|this FAQ entry]] regarding how to change the MAC address of your card.
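Review bot: "This could the MAC of a client already associated with the AP" in this hunk is missing a verb and should read "This could be the MAC of a client already associated with the AP or one that you make up." The link change here mirrors the earlier hunk that replaced the absolute FAQ URL with the internal [[faq#...]] form, which keeps both references consistent.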
how_to_crack_wep_with_no_clients.1243873420.txt.gz · Last modified: 2009/06/01 18:23 by mister_x