10 – WEP – Open Authentication – ARP Replay

OK, we have covered a lot of WEP, but there is still a lot that has not been covered, so from time to time I will dive back into the land of WEP and look at a different attack, partly to keep things interesting and partly to try a different attack vector.

As the title suggests we are going to run an ARP replay. This involves capturing an ARP request from the air and using aireplay-ng to inject it back into the network over and over. Each injected copy provokes new encrypted traffic: the access point relays the request, and the target host answers it, and every one of those frames is encrypted under a fresh IV. The attack is therefore very fast, because a lot of data is generated in a short time and the large number of IVs obtained speeds up the cracking process. ARP requests can be picked out from all other traffic even though the payload is encrypted: the ARP packet has a fixed size, so the encrypted frame always has the same length, and a request is addressed to the broadcast MAC, which sits in the clear in the 802.11 header.

Like we did every other time, and as you are well used to by now, we need to configure the access point in the same way as before in order to run this attack.

(Screenshot 1 - Configure access point)

Put your card into monitor mode.

(Screenshot 2 - Enable monitor mode)

Start airodump-ng with your filters set to those of your access point, writing to a file for cracking in a minute:

“--bssid” for setting your access point MAC address
“-c” for your channel, in this case 6
“-w” for writing to a file called WEP_ARP
“mon0” is the interface of our wireless card

(Screenshot 3 - airodump-ng filters)

The output in airodump-ng then looks like the following; notice how the data count is low at this point.

(Screenshot 4 - airodump-ng output start)

In a separate terminal we need to set our aireplay-ng filters:

“-3” is the option for ARP replay
“-b” is for the access point MAC address
“-h” is the client MAC address we are spoofing, or not spoofing as the case may be, as it works either way. The one thing the access point does care about is that the source is an associated station, so it will silently drop injected frames from an unassociated MAC; using the MAC of a client that is already associated (or your own MAC after a fake authentication) is the safe choice.
“mon0” is the interface of the wireless card

(Screenshot 5 - aireplay-ng filters set)

Once it is running it looks like the following.

(Screenshot 6 - aireplay-ng arp replay running)

Looking at the output in airodump-ng now you should see the data and frames have risen a great deal.

(Screenshot 7 - airodump-ng data growing)

You can safely start up aircrack-ng now and try to crack the key.

(Screenshot 8 - starting aircrack-ng)

Success looks like the following; notice how the time taken was 00:00:01 due to the number of IVs captured from the ARP replay.

(Screenshot 9 - aircrack-ng success)

Lesson learned:

Don’t use WEP. Don’t even think about using WEP, as it is easily defeated and is just not worth the risk of a breach. Aireplay-ng can be used to speed up the cracking process by replaying ARP requests into the network; the network answers each replayed request with newly encrypted frames, which greatly increases the number of data packets (and therefore unique IVs) that can be captured over the air. It is then a trivial matter for aircrack-ng to exploit the cryptographic weakness in those packets and recover the key.
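The mechanism described in the introduction and summarised in the lesson above, as an added example (this is not code from the original post, nor from the aircrack-ng project): it builds WEP-encrypted ARP requests the way an associated client would, applies the size-and-broadcast heuristic that lets aireplay-ng recognise them without decrypting anything, simulates an access point relaying each injected copy under its own next IV, and counts the unique IVs that result. The 40-bit key, the MAC addresses, the IP addresses and the AP's IV counter are all constructed for the demo, the frame size of 68 bytes assumes a non-QoS 802.11 header and no FCS, and the access-point behaviour is a simplification (real aireplay-ng also accepts a couple of other frame sizes).

```python
"""WEP ARP-request fingerprinting and IV harvesting over constructed 802.11 frames (added example)."""
import struct
import zlib

BROADCAST = b"\xff" * 6
LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"   # LLC/SNAP header, EtherType 0x0806 (ARP)
ARP_BODY_LEN = 28                                     # Ethernet/IPv4 ARP packet
HDR_LEN = 24                                          # 802.11 data header without QoS (assumption)
# 24 header + 4 IV/keyidx + 8 LLC/SNAP + 28 ARP + 4 ICV = 68 bytes: the size the heuristic looks for
WEP_ARP_FRAME_LEN = HDR_LEN + 4 + len(LLC_SNAP_ARP) + ARP_BODY_LEN + 4

WEP_KEY = bytes.fromhex("0123456789")     # constructed 40-bit shared key
AP_MAC = bytes.fromhex("001122334455")    # constructed BSSID
STA_MAC = bytes.fromhex("66778899aabb")   # constructed associated client


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; WEP keys it with IV || shared key for every single frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, opcode=1 (request), target MAC zeroed."""
    return (struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + sender_ip + b"\x00" * 6 + target_ip)


def wep_frame(key: bytes, iv: bytes, addr1: bytes, addr2: bytes, addr3: bytes,
              payload: bytes, from_ds: bool) -> bytes:
    """One WEP data frame: header | IV(3) keyidx(1) | RC4(payload || CRC32 ICV)."""
    flags = 0x40 | (0x02 if from_ds else 0x01)   # Protected bit plus FromDS or ToDS
    hdr = bytes([0x08, flags, 0, 0]) + addr1 + addr2 + addr3 + b"\x00\x00"
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    return hdr + iv + b"\x00" + rc4(iv + key, payload + icv)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Recover the payload with the shared key and verify the ICV (what the AP does on receipt)."""
    iv = frame[HDR_LEN:HDR_LEN + 3]
    plain = rc4(iv + key, frame[HDR_LEN + 4:])
    payload, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(payload) & 0xFFFFFFFF:
        raise ValueError("ICV mismatch")
    return payload


def looks_like_wep_arp_request(frame: bytes) -> bool:
    """aireplay-ng -3 style heuristic: a WEP data frame of ARP size sent to broadcast.

    Nothing is decrypted: the destination address is in the clear in the 802.11
    header, and an encrypted ARP request always has the same length.
    """
    if len(frame) != WEP_ARP_FRAME_LEN:
        return False
    if frame[0] & 0x0C != 0x08:        # frame type must be data
        return False
    if not frame[1] & 0x40:            # Protected Frame bit (WEP) must be set
        return False
    to_ds = frame[1] & 0x01
    dst = frame[16:22] if to_ds else frame[4:10]   # DA is addr3 when ToDS is set, else addr1
    return dst == BROADCAST


def iv_of(frame: bytes) -> bytes:
    """The 24-bit IV sits in the clear right after the 802.11 header."""
    return frame[HDR_LEN:HDR_LEN + 3]


def client_sends_arp(iv: bytes) -> bytes:
    """What we capture from the air: the client asking for the gateway's MAC (constructed IPs)."""
    payload = LLC_SNAP_ARP + arp_request(STA_MAC, bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]))
    return wep_frame(WEP_KEY, iv, AP_MAC, STA_MAC, BROADCAST, payload, from_ds=False)


def ap_rebroadcast(frame: bytes, next_iv: bytes) -> bytes:
    """Simplified AP behaviour: decrypt the injected copy, relay it re-encrypted under its own next IV."""
    payload = wep_decrypt(WEP_KEY, frame)
    bssid, sa, da = frame[4:10], frame[10:16], frame[16:22]
    return wep_frame(WEP_KEY, next_iv, da, bssid, sa, payload, from_ds=True)


def harvest_ivs(frames) -> set:
    """Unique IVs among frames matching the ARP heuristic; this is what feeds aircrack-ng."""
    return {iv_of(f) for f in frames if looks_like_wep_arp_request(f)}


def simulate_arp_replay(captured: bytes, replays: int, ap_iv_start: int = 0x100000) -> tuple:
    """Inject the same captured request `replays` times and collect what comes back.

    Returns (unique IVs from the injected copies alone, unique IVs once the AP's
    relayed copies are included). Replaying an identical frame adds no new IV by
    itself; every bit of growth comes from the AP re-encrypting each copy afresh.
    """
    injected = [captured] * replays
    relayed = [ap_rebroadcast(captured, (ap_iv_start + i).to_bytes(3, "little"))
               for i in range(replays)]
    return harvest_ivs(injected), harvest_ivs(injected + relayed)


if __name__ == "__main__":
    req = client_sends_arp(b"\x00\x00\x01")
    only_injected, with_relay = simulate_arp_replay(req, replays=500)
    print(f"unique IVs from replaying the same frame: {len(only_injected)}")
    print(f"unique IVs once the AP relays each copy:  {len(with_relay)}")
```

Two things in the output are worth noticing. First, `looks_like_wep_arp_request` never touches the key; length plus the broadcast destination is enough, which is why aireplay-ng can pick ARP requests out of a capture it cannot read. Second, the IV count only grows because of the relayed frames: the injected copies are byte-for-byte identical, so the attack's speed comes entirely from making the access point do the encrypting for you, one fresh 24-bit IV at a time.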
