joeypesci Posted May 13, 2010

Messing about in my lab with my Linksys WAP54G set to WEP 128-bit. I've loaded BackTrack 4 in a VM with my Alfa sat right next to the Linksys. I do the following once I've got the BSSID etc. and done airodump-ng:

aireplay-ng -1 30 -h 00:11:22:33:44:55 -a 00:02:6F:33:BC:BE mon0

Then

aireplay-ng -3 -h 00:11:22:33:44:55 -b 00:02:6F:33:BC:BE mon0

I get this issue. Now I forgot to take the screenshot before, so I've just started it again to get it. It authenticates with the AP just fine as you can see. This gets kept alive every 30 secs (did that because it seemed to kick up the data counter really quick; I could be imagining it having that effect). Then with the -3 attack, as you can see in the picture, it appears to go up and up but no data is ever created for capturing. It appears to take ages; sometimes I have to wait till it gets to something like 20k packets or more before data starts running through it. Is this a signal issue or something else?
Inked Posted May 13, 2010

I would be interested to see an answer about this as well. When I do packet injection it also seems to take a LOT of packets before the IVs start climbing.
digip Posted May 13, 2010 (edited)

aireplay-ng -3, that's the deauth, right? Can't remember the menu of options, but doing a deauth when no one is associated with the router won't help your situation. If that's the case, you need to be able to inject packets (if your card can) or generate fake IVs. There's an option in there somewhere for it. Also, you can try forging an ARP packet; at some point, like every 5 or 15 minutes, the router will do an ARP to refresh its table. Just need to be able to capture an ARP, then replay that packet, or use packetforge-ng to send the same ARP multiple times, which will cause the IVs to climb VERY rapidly and get you enough data to crack the WEP key.

Try

aireplay-ng -5 -e routerName interfaceName

(replace the corresponding with your setup, don't use the actual text routerName and interfaceName) and capture an ARP to save for use in packetforge-ng, then replay it to the device using packetforge-ng:

packetforge-ng -0 -n 5 -a macofrouter -h yournicmac -k gatewayaddressofrouter -l anyvalidiprange -y fragment.xorfile -w arp interfaceName

Now we have a file called arp with all our packet data in it so we can feed it to the AP and watch our IVs skyrocket. In about 3 minutes, you should have all the IVs you need to crack the AP's WEP. We have to send the "arp" packet we created, so run aireplay-ng again and feed it to our AP.

aireplay-ng -r arp -3 -e essidofrouter interfaceName

(where arp is the name of our forged packet!)

Edited May 13, 2010 by digip
joeypesci Posted May 13, 2010 (Author)

> aireplay-ng -3, that's the deauth, right? Can't remember the menu of options, but doing a deauth when no one is associated with the router won't help your situation. If that's the case, you need to be able to inject packets (if your card can) or generate fake IVs. There's an option in there somewhere for it. Also, you can try forging an ARP packet; at some point, like every 5 or 15 minutes, the router will do an ARP to refresh its table. Just need to be able to capture an ARP, then replay that packet, or use packetforge-ng to send the same ARP multiple times, which will cause the IVs to climb VERY rapidly and get you enough data to crack the WEP key.
>
> Try
>
> aireplay-ng -5 -e routerName interfaceName
>
> (replace the corresponding with your setup, don't use the actual text routerName and interfaceName) and capture an ARP to save for use in packetforge-ng, then replay it to the device using packetforge-ng:
>
> packetforge-ng -0 -n 5 -a macofrouter -h yournicmac -k gatewayaddressofrouter -l anyvalidiprange -y fragment.xorfile -w arp interfaceName
>
> Now we have a file called arp with all our packet data in it so we can feed it to the AP and watch our IVs skyrocket. In about 3 minutes, you should have all the IVs you need to crack the AP's WEP. We have to send the "arp" packet we created, so run aireplay-ng again and feed it to our AP.
>
> aireplay-ng -r arp -3 -e essidofrouter interfaceName
>
> (where arp is the name of our forged packet!)

No, I believe the -3 is the ARP request replay attack. -0 is the deauth. Thanks for the reply though.
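The thread's exchange about the -3 attack describes what the traffic looks like from the attacker's console (the packet counter climbing, then the IVs). The script below is an added example, not code from this thread or from the aircrack-ng project, that looks at the same traffic from the defender's side: a replayed ARP request is a fixed-size encrypted frame sent hundreds of times a second from one transmitter, and the AP answering each copy with a fresh 24-bit WEP IV is exactly what makes the IV count in airodump-ng jump. Both of those are easy to spot in a monitor-mode capture. The frames are constructed sample records with a simplified field layout; the BSSID and the injector's station MAC are the ones from the thread, the client MAC aa:bb:cc:dd:ee:01 and all thresholds are assumptions.

```python
"""Added example (not from the thread): flag ARP-replay injection against a
WEP access point from captured 802.11 data frames. Two signals are used:
a burst of same-length frames from one transmitter, and the AP emitting
far more distinct WEP IVs per second than normal client traffic produces."""

from collections import defaultdict
from dataclasses import dataclass

AP = "00:02:6F:33:BC:BE"         # access point BSSID from the thread
INJECTOR = "00:11:22:33:44:55"   # fake station MAC used in the thread
CLIENT = "aa:bb:cc:dd:ee:01"     # constructed: a legitimate associated client


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp, seconds
    src: str       # transmitter address
    bssid: str     # BSSID the frame belongs to
    length: int    # frame body length in bytes
    iv: int        # 24-bit WEP IV taken from the frame header


def find_replay_bursts(frames, window=1.0, threshold=200):
    """Return {(src, bssid, length): peak count} for every transmitter that sends
    more than `threshold` frames of one fixed length within any `window` seconds.
    A replayed ARP request never changes size, so the replay collapses onto a
    single key that repeats hundreds of times per second; real clients don't."""
    times = defaultdict(list)
    for f in frames:
        times[(f.src, f.bssid, f.length)].append(f.ts)
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi in range(len(ts)):          # sliding window over sorted timestamps
            while ts[hi] - ts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts


def ap_iv_rate(frames, bssid, threshold=100):
    """Count distinct IVs the AP itself transmits per one-second bucket and
    return {second: count} for the seconds above `threshold`. Each reply to a
    replayed ARP carries a fresh IV, so injection shows up as the AP chewing
    through its 2^24 IV space at a rate idle LAN traffic never reaches."""
    per_second = defaultdict(set)
    for f in frames:
        if f.src == bssid:
            per_second[int(f.ts)].add(f.iv)
    return {sec: len(ivs) for sec, ivs in per_second.items() if len(ivs) > threshold}


def build_sample():
    """Constructed capture: ten seconds of light client/AP chatter, plus a
    half-second ARP replay flood starting at t=5.0 and the AP's replies to it."""
    frames = []
    for i in range(50):                        # benign: one exchange every 0.2 s
        t = i / 5
        size = 100 + (i % 7) * 10              # varying payload sizes
        frames.append(Frame(t, CLIENT, AP, size, iv=i))
        frames.append(Frame(t + 0.01, AP, AP, size, iv=500 + i))
    for j in range(500):                       # flood: 500 identical frames in 0.5 s
        t = 5.0 + j / 1000
        frames.append(Frame(t, INJECTOR, AP, 68, iv=7))                 # replayed, same IV
        frames.append(Frame(t + 0.0002, AP, AP, 68, iv=10_000 + j))     # fresh IV per reply
    return sorted(frames, key=lambda f: f.ts)


SAMPLE = build_sample()

if __name__ == "__main__":
    print("replay bursts:", find_replay_bursts(SAMPLE))
    print("AP IV-rate alerts:", ap_iv_rate(SAMPLE, AP))
```

On the constructed sample both checks fire for second 5 only: the injector and the AP each show a 500-frame same-length burst, and the AP emits 505 distinct IVs in that second against 5 in every other second. In a real deployment the Frame records would be filled from a monitor-mode capture (for instance the Dot11 and Dot11WEP layers scapy exposes), and the thresholds tuned to the network; this is the same pattern a wireless IDS alarms on. The durable fix is not tuning the detector but retiring WEP, since WPA2/WPA3 frames carry per-frame replay counters that make a replayed ARP get dropped rather than answered.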
joeypesci Posted May 14, 2010 (Author)

Stuck up a YouTube vid of me doing it: http://www.youtube.com/watch?v=ROGjDcUdsLg

And you can see there it took 17 mins just to crack WEP. Set to 64-bit and my ALFA was sat next to the Linksys I was cracking. But it wasn't until it hit about 20k packets that IVs appeared to start racking up.