
Wep Crack Issue


joeypesci


Messing about in my lab with my Linksys WAP54G set to WEP 128bit.

I've loaded Backtrack 4 in a VM with my Alfa sat right next to the Linksys.

I do the following once I've got the BSSID etc and done airodump-ng:

aireplay-ng -1 30 -h 00:11:22:33:44:55 -a 00:02:6F:33:BC:BE mon0

Then

aireplay-ng -3 -h 00:11:22:33:44:55 -b 00:02:6F:33:BC:BE mon0

I get this issue

[Screenshot attachment: 13052010025750.png]

Now I forgot to take the screen shot before so I've just started it again to get it.

It authenticates with the AP just fine as you can see. This gets kept alive every 30 secs (did that because it seemed to kick up the data counter really quick, I could be imagining it having that effect).

Then with the -3 attack as you can see in the picture it appears to go up and up but no data is ever created for capturing. It appears to take ages, sometimes I have to wait till it gets to something like 20k packets or more before data starts running through it.

Is this a signal issue or something else?


aireplay-ng -3, that's the deauth, right? Can't remember the menu of options, but doing a deauth when no one is associated with the router won't help your situation. If that's the case, you need to be able to inject packets (if your card can) or generate fake IVs. There's an option in there somewhere for it. Also, you can try forging an ARP packet; at some point, like every 5 or 15 minutes, the router will do an ARP to refresh its table. You just need to be able to capture an ARP, then replay that packet, or use packetforge-ng to send the same ARP multiple times, which will cause the IVs to climb VERY rapidly and get you enough data to crack the WEP key.

Try aireplay-ng -5 -e routerName interfaceName (replace the corresponding values with your setup, don't use the actual text routerName and interfaceName) and capture an ARP to save for use in packetforge-ng, then replay it to the device using packetforge-ng:

packetforge-ng -0 -n 5 -a macofrouter -h yournicmac -k gatewayaddressofrouter -l anyvalidiprange -y fragment.xorfile -w arp interfaceName

Now we have a file called arp with all our packet data in it, so we can feed it to the AP and watch our IVs skyrocket. In about 3 minutes, you should have all the IVs you need to crack the AP's WEP.

We have to send the "arp" packet we created, so run aireplay-ng again and feed it to our AP.

aireplay-ng -r arp -3 -e essidofrouter interfaceName (where arp is the name of our forged packet!)

Edited by digip
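Seen from the monitoring side, the two techniques discussed in this thread (deauth bursts and replaying one captured ARP request to pump IVs) leave distinctive traces: a deauth flood, and a single client MAC re-sending data frames with the same WEP IV at a rate no real station produces. The detector below is an added example, not code from the thread; the frame records it runs over are constructed (the MACs are the ones quoted above, the IVs and timing are made up), and the field layout, thresholds and window size are assumptions, not any tool's real export format.

```python
from collections import defaultdict

# Constructed sample of 802.11 frame metadata in the shape a wireless sensor
# might export: (seconds, kind, source MAC, BSSID, WEP IV as hex or None).
CLIENT = "00:11:22:33:44:55"   # injecting client MAC quoted in the thread
AP = "00:02:6F:33:BC:BE"       # BSSID quoted in the thread
LEGIT = "00:aa:bb:cc:dd:01"    # constructed: a normal associated station

def constructed_capture():
    frames = []
    # Legitimate station: data frames whose IVs rotate on every frame.
    frames += [(0.5 * i, "data", LEGIT, AP, f"{0x100000 + i:06x}") for i in range(40)]
    # Deauth burst (aireplay-ng -0 style) carrying the AP's own address.
    frames += [(5.0 + 0.01 * i, "deauth", AP, AP, None) for i in range(30)]
    # ARP replay (aireplay-ng -3 style): the same captured frame, so the same
    # IV, re-sent hundreds of times per second from one client MAC.
    frames += [(6.0 + 0.005 * i, "data", CLIENT, AP, "3a1b2c") for i in range(300)]
    return sorted(frames, key=lambda f: f[0])

def detect(frames, window=1.0, deauth_limit=10, replay_limit=20):
    """Return findings: ('deauth_flood', src, n) or ('iv_replay', src, iv, n).

    Each finding is raised once, the first time a source exceeds the limit
    inside a sliding window. Repeated IVs from one source at this rate mark
    a replayed ciphertext frame, since a live station never reuses an IV
    that often.
    """
    findings, flagged = [], set()
    deauths = defaultdict(list)   # src -> timestamps of recent deauth frames
    ivs = defaultdict(list)       # (src, iv) -> timestamps of recent data frames
    for ts, kind, src, bssid, iv in frames:
        if kind == "deauth":
            bucket, key, limit = deauths[src], ("deauth_flood", src), deauth_limit
        elif kind == "data" and iv is not None:
            bucket, key, limit = ivs[(src, iv)], ("iv_replay", src, iv), replay_limit
        else:
            continue
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # drop frames outside the window
            bucket.pop(0)
        if len(bucket) >= limit and key not in flagged:
            flagged.add(key)
            findings.append(key + (len(bucket),))
    return findings

if __name__ == "__main__":
    for finding in detect(constructed_capture()):
        print(finding)
```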

No I believe the -3 is the ARP request relay attack. -0 is the deauth.

Thanks for the reply though.
