backtrack 4 WEP injection


soddarkangel

I sat at home on Saturday and set up a router to crack the WEP on my wifi router, a Linksys WRT310N, and none of the injections were working. I eventually was able to get enough IVs to get the hex, but it took 6 hours of sniffing and setting 2 machines to continually ping invalid IP addresses. I tried every type of injection aireplay-ng had, changed my card's MAC addy to simulate another machine and everything. Nothing seemed to make the IVs go up any faster. I'm using a Centrino-based laptop, so Intel wifi, which is supported, and I was right next to the AP. I was wondering if I'm missing some fundamental part of this. I went through tons of video and blog tutorials trying to make the injection work, but it just never seemed to work.

It should be possible in a few minutes and a few thousand packets (I've done it in 5k but realistically it needs 10k+).

Were you channel hopping on the card doing the sniffing? That is a common mistake I've found, you only pick up a fraction of the packets that way.

You shouldn't have to change the mac address.

The attack you need is --arpreplay, what did aireplay say when you ran it?

Were you sniffing and injecting on the same machine? You weren't pinging and injecting on the same machine were you?

I was using just the channel of the wifi router. I was not pinging from the machine I was on; I used 2 other machines. I let the -3 (ARP replay) run the whole time, but it never seemed to make a difference at all. I also had an interactive replay going. But I was using airmon-ng and aireplay-ng on the same machine. All of the tutorials showed it that way so I figured that should be fine. It really did take a tad over 6 hours to collect the packets =(

Sounds like you were doing it right but missed something.

Did aireplay show that it was injecting packets? When it does it gives you a count of how many packets it has sent. Maybe you were just unlucky and didn't generate an ARP request for it to replay. Try it again and once it is running try pinging various random IPs on your subnet to see if that helps.

Unfortunately I did all of that, and the ARP injection attack found plenty of ARPs and ACKs, but the IVs were only increasing from the random pings on my monitoring, not from the injection. I just tested to make sure my card could inject again, and it said "Injection is working", 30/30 on the router.

There are plenty of tutorials on the topic. Maybe you were missing a step or your card is not supported for some of the injection tactics.

Take a look here: http://www.offensive-security.com/videos/b...ss-attacks.html

It's pretty funny actually... I've been through an insane number of videos and tutorials. In fact I've tested injection on the card and it's worked perfectly according to aireplay-ng against my AP... it seems really crazy to me.

This is the truth of WEP cracking. The industry makes it out to be the easiest thing in the world; in reality it can actually be quite tricky at times, especially if you've got something slightly wrong in your setup.

Can you send a screenshot of aireplay in action? Are you using the -h parameter with aireplay? You need that to make sure the source MAC address is set correctly.

Actually, after spending some time in IRC with the Remote-Exploit guys and scouring their forums for several days, I've come to find that BT4 pre-final and the Intel 3945ABG (laptop cards in some Centrinos) still have a few issues with injection. You can dig up the deprecated ipwraw driver, wait until they fix it, or just get something different. I took Darren's advice and ordered an Alfa external.

What Wifi card are you using?

Did you try and test the Injection Percentage? `aireplay-ng -9 interface`

That should tell you injection is working and a percentage of how well it was able to inject. Also, what attack are you running? I have the best luck with Packet Fragmentation; I believe that's option 5.

I usually setup airodump on the AP

airodump-ng -c 11 --bssid 00:11:22:33:44:55 -w /tmp/owned interface

then fake auth on the router

aireplay-ng -1 30 -a {MAC of AP} interface

then:

aireplay-ng -5 -b {MAC of AP} interface

after it finds a packet and writes the fragmentation to your drive, run packetforge-ng to create a packet to replay back to the AP.

packetforge-ng -0 -a {MAC of AP} -h {MAC OF YOUR CARD} -k 255.255.255.255 -l 255.255.255.255 -y {the fragmentation file that was created; it should end with .xor} -w packet

`-w is writing the packet to replay back to the AP`

then using aireplay again to replay "packet" to the AP.

aireplay-ng -2 -x 150 -r packet interface

after gathering some IVs, run aircrack for some good ol' fun

aircrack-ng capturefile

*remember only test your own AP*
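The thread's recurring question is how to tell whether injection is actually doing anything: aireplay-ng's "packets sent" counter only proves the card transmitted, while what aircrack-ng needs is the count of distinct IVs the AP emits in reply. The same property is what a wireless IDS keys on from the other side: a replayed frame is byte-for-byte identical, so one station emitting the same (IV, ciphertext) dozens of times is an unmistakable replay signature, whereas legitimate WEP traffic changes IV on every frame. The following Python script is an added example, not code from this thread or from the aircrack-ng project. It parses raw 802.11 data frames (24-byte header, optional QoS field, 4-byte WEP IV/key-ID), counts unique IVs per BSSID and flags repeated (sender, IV) pairs. The capture it analyses is constructed inline: the AP address is the placeholder BSSID from the airodump-ng command above, the station MACs are made up, and the ICV is left as zeros since it is not checked here.

```python
import struct
from collections import Counter, defaultdict

# Constructed MAC addresses for the sample capture (the AP address is the
# placeholder BSSID used in the airodump-ng command above; the rest are made up).
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("00aabbccdd01")
DST_MAC = bytes.fromhex("00aabbccdd02")
BCAST = b"\xff" * 6


def parse_wep_frame(frame):
    """Return (bssid, transmitter, iv, key_id) for a WEP-protected 802.11 data
    frame, or None for anything else (management/control frames, unprotected
    data, null-data subtypes and 4-address WDS frames are skipped)."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 2 or subtype & 0x4:      # only data frames that carry a payload
        return None
    if not fc1 & 0x40:                   # Protected Frame bit clear: no IV present
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    if to_ds and from_ds:
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = addr1 if to_ds else (addr2 if from_ds else addr3)
    hdr_len = 26 if subtype & 0x8 else 24  # QoS data adds a 2-byte QoS control field
    if len(frame) < hdr_len + 4:
        return None
    iv = int.from_bytes(frame[hdr_len:hdr_len + 3], "big")
    key_id = frame[hdr_len + 3] >> 6
    return bssid, addr2, iv, key_id


def analyse(frames):
    """Count unique IVs per BSSID and how often each (bssid, sender, iv) repeats."""
    unique_ivs = defaultdict(set)
    repeats = Counter()
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is None:
            continue
        bssid, sender, iv, _ = parsed
        unique_ivs[bssid].add(iv)
        repeats[(bssid, sender, iv)] += 1
    return unique_ivs, repeats


def replay_suspects(repeats, threshold=10):
    """A real station changes IV every frame; many copies of one (sender, iv)
    pair is the signature of a replayed frame."""
    return {key: n for key, n in repeats.items() if n >= threshold}


def build_frame(to_ds, from_ds, addr1, addr2, addr3, seq, iv, body=b"\x00" * 36):
    """Construct a minimal WEP data frame (ICV left as zeros; not checked here)."""
    fc0 = 0x08                                        # type 2 (data), subtype 0
    fc1 = 0x40 | (0x02 if from_ds else 0) | (0x01 if to_ds else 0)
    header = (struct.pack("<BBH", fc0, fc1, 0) + addr1 + addr2 + addr3
              + struct.pack("<H", seq << 4))
    return header + iv.to_bytes(3, "big") + b"\x00" + body + b"\x00\x00\x00\x00"


def sample_capture():
    """Constructed capture: normal traffic, one station frame repeated 40 times,
    and the AP's 40 responses, each carrying a fresh IV."""
    frames = [build_frame(1, 0, AP_MAC, STA_MAC, DST_MAC, i, 0x100000 + i) for i in range(5)]
    frames += [build_frame(0, 1, STA_MAC, AP_MAC, DST_MAC, i, 0x200000 + i) for i in range(5)]
    frames += [build_frame(1, 0, AP_MAC, STA_MAC, BCAST, 7, 0x300007)] * 40
    frames += [build_frame(0, 1, BCAST, AP_MAC, STA_MAC, 100 + i, 0x400000 + i) for i in range(40)]
    frames.append(b"\x80\x00" + b"\x00" * 30)        # beacon: ignored by the parser
    return frames


if __name__ == "__main__":
    ivs, repeats = analyse(sample_capture())
    for bssid, seen in ivs.items():
        print(bssid.hex(":"), "unique IVs:", len(seen))
    for (bssid, sender, iv), n in replay_suspects(repeats).items():
        print("replay suspect:", sender.hex(":"), "IV %06x seen %d times" % (iv, n))
```

On the constructed capture the station transmits 45 protected frames but contributes only 6 distinct IVs; the other 40 come from the AP answering the repeated frame. That is the number to watch in airodump-ng's #Data column: if the injector's counter climbs while the AP's unique IVs do not, the AP is not answering (the driver problem and the per-second rate limit discussed later in this thread both show up this way). On the monitoring side, the single (sender, IV) pair seen 40 times is the event a WIDS rule should alert on.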

yep, did it all the way you're saying except the -x 150 on the -2 aireplay-ng. I've tried all sorts of different attacks on my wifi router. The -9 injection test comes out working, and the injection thinks it's working but it's not seeming to really do anything. It looks like it's a common problem with the ipw3945 driver on the 3945abg chipset. I found it all over the remote exploit forums. I've also been living in the remote exploit IRC. I'm looking for an ipwraw download now, even though I get my alfa on Friday.

Let me know how it goes. The `-x 150` is how many packets you inject every second. I found that most APs work the best with injecting 150 a second. Now that being said, I have an Orinoco AP2000 that will only let me inject 20 a second before it deauths me and will not let me fake auth.

I never got de-auth from the server unless I sent it to myself via aireplay-ng.

I have found that there must be some setting in the router to stop replying to the injected packets. Never got around to figuring it out, but the occasional WEP AP wasn't crackable unless you just collected packets. Not too sure what the setting would be; it may even be a factory-set setting.

Yeah, like I was saying, my Orinoco AP2000 AP will only let me inject 15 packets a second. Anything more than that, it just rejects the traffic from my laptop. I would try and lower the injection rate. Let's say you used the fragment attack. Then to replay the packet you forged using packetforge, you use "aireplay-ng -2 -x 150 -r packet [interface]".

-x lets you say how many packets a second you inject.

I would try and lower the number until you find how much you can inject before your AP stops allowing you to inject.
