Skip to main content

How To Crack WEP - Part 2: Performing the Crack

Packet replay via Aireplay - more

Now go to the Target client computer and open its wireless utility so that you can monitor its connection status. Then go to Auditor-B and start a void11 deauth attack by following the previous instructions. Once you’ve started void11, you should see the Target client lose contact with the Target AP. You should also see see the packet rate reported by aireplay increase at a faster rate.

At some point, aireplay will display a captured packet and ask if you want to replay it (Figure 13).

Figure 13: aireplay bags a packet
(click image to enlarge)

You want a packet that matches the following criteria (also illustrated in Figure 13):

FromDS - 0

Type n (for no) if the packet does not match these criteria and aireplay will resume capture. When aireplay successfully finds a packet matching the above criteria, answer y (for yes) to the replay question and aireplay will switch from capture to replay mode and start the replay attack. Immediately go back to Auditor-B and stop the void11 deauth attack.

Tips:

- The capture of a packet via a deauth attack can be the trickiest part of the WEP cracking process. While the deauth attack generates traffic, it generally doesn’t generate very much because of the time it takes for a client to realize that it has lost connection with its AP and then more time for the re-association process to complete.

- Capture can be further complicated by the fact that the timing of these processes is different among client drivers (and operating systems). void11 can easily overwhelm a client with deauth packets so that it doesn’t even have time to complete a re-association and generate the packets we’ll be looking to capture.

- Sometimes you may luck out with the first packet captured. But other times you may have to wait for multiple captures.

- If aireplay doesn’t produce a captured packet within a few thousand packets, void11 could be overwhelming the AP and client and not giving them any time any time to complete a reassociation. Try stopping void11 manually (control-C) and then restarting it. You can also try adding the -d parameter to the void11 command line (the delay value is in microseconds) and experimenting with different values to allow time for a successful reassociation. Be aware that some wireless clients lock up when subjected to a deauth attack and may need to be rebooted to recover!

- You may have difficulty capturing ARP packets via a deauth attack if the Target client is idle. This is unlikely to happen with a real Target WLAN, but could be a problem with your practice Target WLAN. If aireplay is not flagging packets for you to approve, you may need to go to your Target client and run a continuous ping or start a download before you start the deauth attack.

- As a final tip, if you absolutely cannot get void11 to work, you can test if aireplay is really working by cheating a little bit. Keep aireplay running on AUDITOR-A and turn off void11 on AUDITOR-B. Go to the TARGET computer and manually disconnect from the wireless network. You can do this through either the wireless connection properties or by simply turning the computer off. Now reconnect the computer or turn the computer back on. Within thirty seconds, aireplay on AUDITOR-A should see an ARP packet sent by the TARGET computer as it reconnects to the WLAN and requests an IP address.