how_to_crack_wep_via_a_wireless_client

how_to_crack_wep_via_a_wireless_client [2007/07/12 23:50] – cosmetic changes mister_x
how_to_crack_wep_via_a_wireless_client [2008/04/22 16:15] – Proper workaround for the double-dash wikitext problem, enhance compat info of fragmentation attack, and emphasize that "ath0" is a variable (to stop newbies with WL cards @ "wlan0" from typing "ath0"). netrolller3d
Line 1: Line 1:
 ====== Tutorial:  How to crack WEP via a wireless client ? ====== ====== Tutorial:  How to crack WEP via a wireless client ? ======
-Version: 1.15 June 9, 2007 \\+Version: 1.16 August 25, 2007 \\
 By: darkAudax \\ By: darkAudax \\
 \\ \\
 File linked to this tutorial: [[http://download.aircrack-ng.org/wiki-files/other/arpcapture-01.cap|arpcapture-01.cap]] File linked to this tutorial: [[http://download.aircrack-ng.org/wiki-files/other/arpcapture-01.cap|arpcapture-01.cap]]
 +
  
 ===== Introduction ===== ===== Introduction =====
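
Review bot: the version line is bumped to 1.16 / August 25, 2007, yet this revision is dated 2008/04/22 and adds tutorial content (the "Wireless interface used: ath0" line, the chipset compatibility items), so the version and date no longer identify the text the reader is looking at; bump "Version:" and its date in the same edit that changes tutorial content.
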
Line 17: Line 18:
   * You are within range of a client but not the access point itself   * You are within range of a client but not the access point itself
  
-I would like to acknowledge and thank the aircrack-ng team for producing such a great robust tool.  And also acknowledge the many other people who came up with the ideas and techniques described in this tutorial.  I certainly don't take credit for the techniques in this tutorial.  My role was simply to pull them together in one place and describe them in detail.+I would like to acknowledge and thank the [[http://trac.aircrack-ng.org/wiki/Team|Aircrack-ng Team]] for producing such a great robust tool.  And also acknowledge the many other people who came up with the ideas and techniques described in this tutorial.  I certainly don't take credit for the techniques in this tutorial.  My role was simply to pull them together in one place and describe them in detail.
  
 Please send me any constructive feedback, positive or negative. Please send me any constructive feedback, positive or negative.
  
 ===== Solution ===== ===== Solution =====
 +
  
 ====Assumptions used in this tutorial==== ====Assumptions used in this tutorial====
Line 30: Line 32:
   * You are physically close enough to the client to send packets to them and receive packets from them.   * You are physically close enough to the client to send packets to them and receive packets from them.
   * You have Wireshark installed and working.  Plus you have a basic understanding of how to use it.   * You have Wireshark installed and working.  Plus you have a basic understanding of how to use it.
-  * You are using the aircrack-ng stable version of 0.9.  This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses+  * You are using the aircrack-ng stable version of 0.9 or the development version of 1.0.  This is very important since there is a bug in 0.6.2 aireplay-ng which switches -k and -l IP addresses.
- +
-In the examples, the option "double dash bssid" is shown as "- -bssid" Remember to remove the space between the two dashes when using it in real life.  This also applies to  "- -ivs", "- -arpreplay", "- -deauth", "- -channel", "- -arp" and "- -fakeauth".+
  
 ====Equipment used==== ====Equipment used====
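
Review bot: removing the "- -bssid" explanation paragraph is right now that the wikitext uses the -''''- workaround, but the reworded assumption admits "the development version of 1.0" while everything else in the tutorial (the 0.6.2 -k/-l caveat in this same line, "aircrack-ng -z" for PTW in the Line 138 hunk) is written against 0.9; state which options were actually verified on the 1.0 branch, or keep 0.9 as the only tested version.
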
Line 48: Line 48:
 Operating System: Linux \\ Operating System: Linux \\
 MAC address: does not matter MAC address: does not matter
 +Wireless interface used: ath0
  
 ===Ethernet wired Workstation=== ===Ethernet wired Workstation===
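
Review bot: "Wireless interface used: ath0" still reads as a fixed value, whereas the stated purpose of this revision is to stop readers whose driver names the card wlan0 from typing ath0; add one sentence here such as "Substitute the name your driver gives the interface (e.g. wlan0) wherever ath0 appears below."
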
Line 138: Line 139:
   airodump-ng --channel 9 --bssid 00:14:6C:7E:40:80 -w aprcapture ath0   airodump-ng --channel 9 --bssid 00:14:6C:7E:40:80 -w aprcapture ath0
  
-Be sure NOT to use the "- -ivs" option since you will later use the PTW method to crack the WEP key. This is "aircrack-ng -z". The PTW requires the full packet and only works on arp request/reply packets.+Be sure NOT to use the "-''''-ivs" option since you will later use the PTW method to crack the WEP key. This is "aircrack-ng -z". The PTW requires the full packet and only works on arp request/reply packets.
    
 Now use interactive replay in a second separate session: Now use interactive replay in a second separate session:
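
Review bot: "-''''-ivs" renders as --ivs only because the empty '''' monospace span defeats DokuWiki's dash conversion; it shows up literally in raw views and plain-text exports, so either add a short note on the trick or use DokuWiki's self-explanatory escaping (%%--ivs%% or <nowiki>--ivs</nowiki>). While here, "arp request/reply" should read "ARP request/reply".
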
Line 149: Line 150:
 ===Scenario Two - Interactively pulling packets from live communication=== ===Scenario Two - Interactively pulling packets from live communication===
  
-In this scenario we are going do the capture and injection in real time.+In this scenario we are going do the capture and injection in real time.  The objective is to select an arp request for a wireless client going to the client.  Then we reinject it to cause the wireless client to generate new unique IVs.
  
 First, start capturing packets going to/from the access point in question.  To reduce the clutter, use a BSSID filter for the particular Access Point you are targeting and the specific channel.  In our example: First, start capturing packets going to/from the access point in question.  To reduce the clutter, use a BSSID filter for the particular Access Point you are targeting and the specific channel.  In our example:
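
Review bot: the unchanged opening sentence still reads "we are going do the capture" (missing "to"); fix it while touching this line. The added objective sentence is repeated word for word in the Line 190 hunk; state it once, at the point where the reader selects the packet, and keep at most a one-line reminder here.
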
Line 190: Line 191:
   Use this packet ?   Use this packet ?
  
-Remember, you may need to try a few packets to get it work. The ARP must be for a wireless client. Once you are successfully injecting packets, start aircrack-ng to determine the WEP key.+Remember, the objective is to select an arp request for a wireless client going to the client.  Since you don't know the contents of the packets you are selecting, you may need to try a few packets to get it to work. The ARP request must be for a wireless client. Once you are successfully injecting packets, start aircrack-ng to determine the WEP key.
  
 === Scenario Three - Creating a packet from a chopchop replay attack === === Scenario Three - Creating a packet from a chopchop replay attack ===
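
Review bot: the new sentence mixes "arp request" and "ARP request" two sentences apart; use the acronym form throughout. It also restates the objective sentence added in the Line 149 hunk; if both copies stay, make the wording identical so readers do not look for a difference that is not there.
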
Line 353: Line 354:
   * Atheros chipsets:  The MAC address of the card MUST be the same as source MAC address of the packets you are generating.  Use your favourite method to change the MAC of your card.   * Atheros chipsets:  The MAC address of the card MUST be the same as source MAC address of the packets you are generating.  Use your favourite method to change the MAC of your card.
   * It sometimes does not work smoothly with ralink.   * It sometimes does not work smoothly with ralink.
 +  * It supports Broadcom chipsets only with the b43/b43legacy drivers, not bcm43xx.
 +  * Mac80211-based drivers (b43, rt2x00, etc) currently require a patch for the mac80211 stack.
   * Keep an eye on the forms for more compatibility information.   * Keep an eye on the forms for more compatibility information.
  
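Review bot: "Mac80211-based drivers ... currently require a patch for the mac80211 stack" names no patch and carries no date, so a later reader cannot tell whether it still applies; link the patch or the forum thread and say which kernel/driver version needed it. The b43 driver is listed both as supported and as needing the mac80211 patch, so say explicitly that both items apply to it. Also, "forms" in the unchanged last item should read "forums".
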
how_to_crack_wep_via_a_wireless_client.txt · Last modified: 2018/03/11 20:17 by mister_x