When cracking a WEP protected WiFi network an attacker may conduct an ARP Request Replay attack against the affected network. There are cases where it is not likely to succeed, such as when there are no clients authenticated to the AP. Traditionally an ARP Request Replay attack replays requests from other authenticated clients to increase the number of generated IVs. Without an authenticated client, these IVs cannot be generated in the standard way.
In this video, I demonstrate how to authenticate to a client-less WEP protected network and, using various aircrack-ng tools, break the WEP encryption key.
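The reason the number of captured IVs matters is the cipher itself: WEP builds each per-frame RC4 key as a 24-bit IV followed by the static secret, so the IV is the only thing that changes between frames, and any two frames that share an IV share a keystream. The following is an added example written for this post (not the author's code and not part of the aircrack-ng suite) that models just that property with a textbook RC4 and a simplified WEP encrypt (the CRC-32 ICV that real WEP appends is omitted, and the key, IV and plaintexts are constructed values). It shows why a single known plaintext under an IV yields the keystream for that IV, and why 2^24 IVs is a small space at realistic frame rates:

```python
"""Illustrative WEP/RC4 model (added example; constructed values, no 802.11 framing)."""

IV_LEN = 3   # WEP prepends a 24-bit IV to every frame
KEY_LEN = 5  # 40-bit secret; 104-bit WEP uses a 13-byte secret


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the generated keystream (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP frame body: IV in the clear, then RC4(IV || secret) over the payload.
    Real WEP also appends a CRC-32 ICV before encryption; omitted here (assumption)."""
    assert len(iv) == IV_LEN and len(secret) == KEY_LEN
    return iv + rc4(iv + secret, plaintext)


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Knowing the plaintext of one frame reveals the keystream for that frame's IV."""
    return xor_bytes(frame[IV_LEN:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame carrying the same IV is decrypted by the same keystream."""
    return xor_bytes(frame[IV_LEN:], keystream)


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under one IV: XOR of the ciphertexts equals XOR of the plaintexts."""
    assert frame_a[:IV_LEN] == frame_b[:IV_LEN], "frames must share an IV"
    return xor_bytes(frame_a[IV_LEN:], frame_b[IV_LEN:])


def iv_space_seconds(frames_per_second: float) -> float:
    """Seconds until the whole 24-bit IV space has been used once at a given frame rate."""
    return 2 ** 24 / frames_per_second


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")   # constructed 40-bit key
    iv = bytes.fromhex("000001")           # constructed IV
    p1 = b"ARP-request-ish-plaintext-#1"
    p2 = b"second frame, same IV, 28 ch"
    f1, f2 = wep_encrypt(secret, iv, p1), wep_encrypt(secret, iv, p2)
    ks = recover_keystream(f1, p1)
    print("frame 2 recovered via keystream of frame 1:", decrypt_with_keystream(f2, ks))
    print("IV space exhausted in %.1f hours at 500 frames/s" % (iv_space_seconds(500) / 3600))
```

The takeaway for a defender is that no key length fixes this: the IV is per-frame state, not secret, and the cipher's security collapses as soon as it repeats, which is why WEP should be replaced rather than re-keyed.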
I was using BackTrack 4 R1 in this video but the default driver doesn’t work too well with my AWUS036H USB WiFi card, so I removed the new drivers and loaded the older BackTrack 3 drivers.
The next step I took was to enable monitor mode on my wireless card using airmon-ng and start airodump-ng on channel 6 to see what networks were around.
After I identified the target network, I started up screen and ran airodump-ng again on channel 6 and began to output the captured data to a file called ‘linksys.’
I then attempted to perform a fake authentication attack with the target network using aireplay-ng and started listening for data packets from the client-less network. WiFi routers regularly send out broadcast ARP requests every few minutes to check for client connectivity. This makes it possible to obtain a PRGA (keystream) sample for the network, which would allow me to create my own packets for later injection.
Once obtained, I used packetforge-ng to create a generic ARP Request packet using the broadcast address 255.255.255.255, as most wireless Access Points respond to these and would hopefully produce new IVs for the target network.
Using the newly crafted packet, I used aireplay-ng again to inject this packet, which caused the Access Point to produce new IVs.
Once enough IVs were captured I used aircrack-ng to work out the hex WEP key for the network.
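Each step of the walkthrough above leaves a footprint on the air that a wireless IDS can key on: the fake authentication produces a burst of authentication frames from one station, and the injection step resends the very same encrypted frame (same length, same IV) hundreds of times a second, whereas a legitimate client never repeats an IV on purpose. The following is an added example written for this post, not the author's code and not part of any aircrack-ng or WIDS product; it runs two such heuristics over a constructed list of frame summaries (timestamp, transmitter address, frame type, length, IV) of the kind a monitor-mode capture parser would hand you. The thresholds, MAC addresses and IVs are assumptions chosen for the sample:

```python
"""Two WIDS-style heuristics for the WEP client-less attack footprint (added example)."""
from collections import defaultdict

LEGIT = "00:11:22:33:44:55"   # constructed: a normal client
ROGUE = "02:aa:bb:cc:dd:ee"   # constructed: the injecting station


def max_in_window(times, window):
    """Largest number of events inside any interval of `window` seconds (two-pointer sweep)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_replayed_iv(frames, window=1.0, threshold=20):
    """Flag a transmitter that resends one WEP IV many times in a short window.
    Genuine traffic changes the IV per frame; a replayed frame repeats it exactly."""
    buckets = defaultdict(list)
    for f in frames:
        if f["type"] == "data" and f["iv"] is not None:
            buckets[(f["src"], f["iv"])].append(f["t"])
    alerts = []
    for (src, iv), times in buckets.items():
        n = max_in_window(times, window)
        if n >= threshold:
            alerts.append({"src": src, "iv": iv, "count": n})
    return sorted(alerts, key=lambda a: -a["count"])


def detect_auth_flood(frames, window=1.0, threshold=10):
    """Flag a station sending an unusual number of authentication frames in a window."""
    buckets = defaultdict(list)
    for f in frames:
        if f["type"] == "auth":
            buckets[f["src"]].append(f["t"])
    alerts = []
    for src, times in buckets.items():
        n = max_in_window(times, window)
        if n >= threshold:
            alerts.append({"src": src, "count": n})
    return sorted(alerts, key=lambda a: -a["count"])


def build_sample():
    """Constructed capture summary: one steady client plus one station doing fake auth
    followed by a replay burst. Not a real capture."""
    frames = []
    for i in range(50):  # legitimate client: a data frame every 0.2 s, fresh IV each time
        frames.append({"t": i * 0.2, "src": LEGIT, "type": "data",
                       "len": 120 + (i % 7), "iv": f"{0x100 + i:06x}"})
    for i in range(40):  # 40 authentication frames inside 0.4 s
        frames.append({"t": 1.0 + i * 0.01, "src": ROGUE, "type": "auth",
                       "len": 30, "iv": None})
    for i in range(60):  # the same 68-byte frame, same IV, replayed 60 times in 0.6 s
        frames.append({"t": 2.0 + i * 0.01, "src": ROGUE, "type": "data",
                       "len": 68, "iv": "0a0b0c"})
    return frames


if __name__ == "__main__":
    sample = build_sample()
    print("replayed IVs:", detect_replayed_iv(sample))
    print("auth floods: ", detect_auth_flood(sample))
```

Both checks are cheap enough to run on a live monitor-mode feed; the repeated-IV rule is the more specific of the two, since an IV that recurs from one transmitter within a second has no legitimate explanation under WEP, while authentication bursts also occur with flapping clients and need a higher threshold or corroboration.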