How, when there are no clients?
hongman
03-13-2006, 03:19 PM
Hi all
Ok, so now I'm ok with cracking most WEP wlans with clients.
My next step - learn how to do it if there are NO clients.
I know Aireplay can associate with the AP, but this doesn't generate any ARP packets.
So how would one approach this?
Thanks
Hong
hongman
03-20-2006, 04:59 PM
Still stuck on this one!
yeehawjared
03-29-2006, 02:32 PM
sometimes there really are clients on a network but you can't see them. I don't know your scenario, but sending a mass deauth causes some clients to come out of the woodwork. This happens all the time with really quiet networks.
keep your eye on airodump while it's running to see if any clients are exposed after a mass deauth.
hongman
03-29-2006, 02:39 PM
Cool, thanks for that info.
What is the correct command for mass deauth using Aireplay?
slice
03-29-2006, 10:09 PM
Just do attack 0 without the -c option.
hongman
03-30-2006, 08:11 AM
Ok, so you can maybe get some 'quiet' clients to appear by doing a mass deauth.
What about if there are truly no clients? Is it possible then?
hobbes
03-30-2006, 09:42 AM
Use the fake-auth attack to put a client on the network, then de-auth it and grab the SYN packet.
hongman
03-30-2006, 12:42 PM
Is SYN the same as ARP?
Digger
03-31-2006, 06:45 AM
Watch this video, it works like a charm.
Tested it and approved.
http://hardware-place.com/download.php?view.42
hobbes
03-31-2006, 07:03 AM
That's awesome, man, thanks for doing that.
hongman
03-31-2006, 02:27 PM
Thanks!!!
Looks like an interesting site as well!
G-Stress
03-31-2006, 06:49 PM
Yes, very good video, thanks:)
TheGreatVirus
04-01-2006, 01:40 AM
Hehe, nice video and yes nice site as well. Thank you =)
kakazza
04-05-2006, 10:03 PM
Video seems to be 404, yes I registered.
Can anyone fix it or upload it somewhere else like rapidshare?
padou
04-09-2006, 02:19 PM
The video file is no more available on this site.
Any way to have it back up?
:o
XzifT
04-10-2006, 01:07 AM
Start aireplay with:
aireplay -1 30 -e essid -a apmac -h clientmac wifidevice
This will periodically try to reassociate with the AP every thirty seconds. I've had much better luck using a real MAC address associated with the AP as opposed to 00:11:22:33:44:55 or whatever else you care to use.
next start the normal deauth attack with:
aireplay -3 -e essid -b apmac -h client -x 512 wifidevice
you can use -x whatever you like and you can also use
aireplay -0 4 -a apmac -c clientmac wifidevice
to try to generate some ARP requests... realize though that this will generally force you to restart the aireplay -1 command. With some persistence this attack is pretty easy to perform, and I've actually found that using the interactive packet replay (-2) is sometimes easier. Your best bet is to really read the aircrack documentation, in all seriousness :)
padou
04-11-2006, 09:29 PM
Many thanks XzifT.
I will try and advise if successful...
:cool:
n3Cre0
04-17-2006, 07:30 PM
Does this work for anyone?
I tried this method on three different APs already.
I never got any success.
I do the fake authentication and then the faked client shows up (however under 'Probed' the network where I associated it with doesn't appear).
Then I run the aireplay -3 attack. After like 15 minutes I get my first requests and it starts sending. However the dataflow doesn't increment...
So I don't get the data up... So no use for WEP cracking.
Then I associate a real client with my AP and I get ARP requests (pretty fast), and then when I send the packets the dataflow does increase.
So I don't know if you guys got any success, and maybe you know why my faked client hasn't got the network it is associated with under 'Probed' in airodump?
Thnx
n3Cre0
04-25-2006, 06:24 PM
C'mon ppl someone must have tried this...
G-Stress
05-08-2006, 07:17 AM
Yea I tried once so far and with one of those damn 2WIRE's. I'm sooo determined to break into one of those, I know most of them are SBC Yahoo DSL. Anyone ever successfully broken into one? They come by default with 64-bit WEP encryption so that helps us out a little bit, we know it's WEP 64-bit. They also have no external antennas.
Anyway I attempted this same attack and was not even successful at associating my wifidevice. The only thing I can see stopping me from associating successfully is MAC filtering, but I'm not sure.
waqapak
05-18-2006, 04:42 PM
Do we really need an ESSID to make this work? I'm trying to crack the wireless network I setup myself and I don't have another laptop to associate it with (this is my only guy). I also turned my ssid broadcast off to make it harder for myself (sure I could just turn it back on, but what's the fun in that?). Do you always get an ESSID if you leave Kismet on long enough?
Lasqar
05-18-2006, 08:29 PM
Yeah, you have to have another client connected to be able to pick up and generate traffic. Or else how would you pick up the key if there is no key in use?
trueblu8
05-27-2006, 01:59 AM
Yea I tried once so far and with one of those damn 2WIRE's. I'm sooo determined to break into one of those, I know most of them are SBC Yahoo DSL. Anyone ever successfully broken into one? They come by default with 64-bit WEP encryption so that helps us out a little bit, we know it's WEP 64-bit. They also have no external antennas.
Anyway I attempted this same attack and was not even successful at associating my wifidevice. The only thing I can see stopping me from associating successfully is MAC filtering, but I'm not sure.
Hmmm, yes those damn 2wire's, hahahaha! I've got the same problem g-stress. Anybody have any luck with these?
G-Stress
05-27-2006, 01:51 PM
Once I get my lappy fixed I will get into one of these 2WIRE's it's just a matter of time.
xbxbxc
06-05-2006, 11:48 PM
I was getting an error code 13 while sending fake authentication requests at my buddy's house. Something about this router doesn't support open system authentication. Must be MAC filtering.
baalpeteor
06-07-2006, 03:57 AM
Yea I tried once so far and with one of those damn 2WIRE's. I'm sooo determined to break into one of those, I know most of them are SBC Yahoo DSL. Anyone ever successfully broken into one? They come by default with 64-bit WEP encryption so that helps us out a little bit, we know it's WEP 64-bit. They also have no external antennas.
Anyway I attempted this same attack and was not even successful at associating my wifidevice. The only thing I can see stopping me from associating successfully is MAC filtering, but I'm not sure.
Not to fear. MAC filtering is the easiest thing to bypass, I say. Once you know a MAC that you can use (albeit a client, or maybe the AP MAC will suffice?).
once you have it just type into any empty konsole:
macchanger --mac=XX:XX:XX:XX:XX:XX interfacehere
If you get an error it's probably because you need to down your card first.
hope that helps ^.^
trueblu8
06-07-2006, 06:34 AM
Not to fear. MAC filtering is the easiest thing to bypass, I say. Once you know a MAC that you can use (albeit a client, or maybe the AP MAC will suffice?).
once you have it just type into any empty konsole:
macchanger --mac=XX:XX:XX:XX:XX:XX interfacehere
If you get an error it's probably because you need to down your card first.
hope that helps ^.^
Hmmm, cool. Have you gotten this to work on a 2wire router without knowing the client MAC, by any chance?
croft
09-01-2006, 07:04 PM
Watch this video, it works like a charm.
Tested it and approved.
http://hardware-place.com/download.php?view.42
This video link doesn't work anymore. Does anybody have the instructions from the site for cracking WEP without a client?
thx,
C
croft
09-12-2006, 10:33 PM
I'm using Final version with d-link usb g122.
damocles
06-21-2007, 08:20 PM
Vid is gone, who can re upload it?
c00lcarlos
06-22-2007, 12:48 AM
Thank you for your posts.
Did anyone save the video from the hardware-place.com site?
Or maybe someone has a mirror page?
thank you.
Greetings
shamanvirtuel
06-22-2007, 12:57 AM
Well.... there are plenty of videos on the milw0rm and aircrack-ng sites.... and in many places..... or
I will spoonfeed newbies again.
If you want the complete commands... do the search yourself... lazy boys....
1. Sniff APs; write down ESSID and BSSID.
2. Fakeauth with the AP with a reauth every 10 sec (the --fakeauth 10 option).
3. You can now do a chopchop or a fragmentation attack.
4. If it succeeds you will get a keystream in xor format.
5. Forge an ARP packet from the previous xor file with packetforge.
6. Replay this packet.
IVs should start flying...
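The two techniques discussed in this thread (the broadcast deauth from aireplay -0 without -c, and the ARP replay from aireplay -3 or a packetforge-built frame) both leave a distinctive footprint in a monitor-mode capture: a burst of deauthentication frames against one BSSID, and a station re-sending the very same encrypted frame (identical WEP IV and length) hundreds of times, which a real WEP sender never does because it picks a fresh IV per frame. The following detector is an added example, not code from the thread or from the aircrack-ng project; the `Frame` record and the sample capture are constructed here (a real deployment would fill the records from a parsed pcap), and the thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical summary of one parsed 802.11 frame. Field names are this
# example's own; a real tool would populate them from a monitor-mode capture.
@dataclass
class Frame:
    ts: float                 # capture timestamp in seconds
    kind: str                 # "deauth", "auth" or "data"
    src: str                  # transmitter MAC address
    bssid: str                # BSSID the frame belongs to
    iv: Optional[int] = None  # 24-bit WEP IV for data frames, else None
    length: int = 0           # frame length in bytes

# Constructed MAC addresses used only by the sample capture below.
AP_MAC = "00:14:6c:7e:40:80"
CLIENT_MAC = "00:0f:b5:ab:cb:9d"
INJECTOR_MAC = "00:11:22:33:44:55"  # the placeholder MAC mentioned upthread


def _max_in_window(timestamps: List[float], window: float) -> int:
    """Largest number of timestamps that fall inside any sliding window of
    `window` seconds (two-pointer sweep over the sorted list)."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(ts):
        while t - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_deauth_flood(frames: List[Frame], window: float = 10.0,
                        threshold: int = 20) -> Dict[str, int]:
    """Return {bssid: peak_count} for BSSIDs that see at least `threshold`
    deauthentication frames inside any `window`-second interval. A mass
    deauth (aireplay -0 with no -c) trips this; a handful of genuine
    deauths from roaming clients does not."""
    per_bssid: Dict[str, List[float]] = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            per_bssid[f.bssid].append(f.ts)
    flagged = {}
    for bssid, ts in per_bssid.items():
        peak = _max_in_window(ts, window)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged


ReplayKey = Tuple[str, str, int, int]  # (src, bssid, iv, length)

def detect_wep_replay(frames: List[Frame], window: float = 5.0,
                      threshold: int = 50) -> Dict[ReplayKey, int]:
    """Return {(src, bssid, iv, length): peak_count} for stations that
    re-send a data frame with an identical WEP IV and length at least
    `threshold` times within `window` seconds. ARP replay re-injects one
    captured (or forged) frame verbatim, so its IV never changes; a normal
    WEP sender uses a new IV on every frame, so each key is seen once."""
    per_key: Dict[ReplayKey, List[float]] = defaultdict(list)
    for f in frames:
        if f.kind == "data" and f.iv is not None:
            per_key[(f.src, f.bssid, f.iv, f.length)].append(f.ts)
    flagged = {}
    for key, ts in per_key.items():
        peak = _max_in_window(ts, window)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def build_sample() -> List[Frame]:
    """Constructed capture: 30 s of benign client traffic, then a 40-frame
    deauth burst, then the same 68-byte ARP-sized frame replayed 200 times."""
    frames: List[Frame] = []
    for i in range(30):                       # benign: fresh IV each frame
        frames.append(Frame(ts=float(i), kind="data", src=CLIENT_MAC,
                            bssid=AP_MAC, iv=0x100000 + i, length=120))
    for i in range(40):                       # 40 deauths in 2 seconds
        frames.append(Frame(ts=10.0 + i * 0.05, kind="deauth",
                            src=AP_MAC, bssid=AP_MAC))
    for i in range(200):                      # one frame replayed 200 times in 2 s
        frames.append(Frame(ts=20.0 + i * 0.01, kind="data", src=INJECTOR_MAC,
                            bssid=AP_MAC, iv=0xABCDEF, length=68))
    return frames


if __name__ == "__main__":
    capture = build_sample()
    print("deauth floods:", detect_deauth_flood(capture))
    print("WEP replays:", detect_wep_replay(capture))
```

The replay check keys on the 24-bit IV that sits in the clear at the start of every WEP data frame, so it needs no knowledge of the key; the deauth check needs nothing but management-frame counts. Both are window-based rather than total counts, so a slow trickle over a day does not accumulate into a false alert.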
pureh@te
06-22-2007, 03:57 PM
How hard is it to go to the BackTrack wiki? There is already a bookmark that comes with your BT Firefox browser. There is an excellent movie by muts on WEP/no-client cracking. I've recently found out from my peers though that all that is not even necessary. All you have to do is use the aireplay -3 option and be patient. Thanx to Xploitz.
-=Xploitz=-
06-22-2007, 05:07 PM
I've recently found out from my peers though that all that is not even necessary. All you have to do is use the aireplay -3 option and be patient. Thanx to Xploitz.
Peer?? Me a freaking peer?? So thats all I am to you huh? :p
And yes, patience is the key... and patience is the essence of growth, says Confucius. It can take anywhere from 2 seconds to 30 minutes, depending how lucky you are with your timing on the -3 attack.
pureh@te
06-22-2007, 05:22 PM
Peer?? Me a freaking peer?? So thats all I am to you huh? :p
And yes, patience is the key... and patience is the essence of growth, says Confucius. It can take anywhere from 2 seconds to 30 minutes, depending how lucky you are with your timing on the -3 attack.
I thought peer sounded grown up and official. Oh wait, I'm already grown up, but I forgot official :D
c00lcarlos
06-22-2007, 05:24 PM
Sorry for my question.
I checked all the tutorials but it never works for me... now I know I have to wait more time :) I always cancelled after 10-15 min, thought it was easier.
Thank you for your help
greetings
-=Xploitz=-
06-22-2007, 05:29 PM
I thought peer sounded grown up and official. Oh wait, I'm already grown up, but I forgot official :D
The words "Mentor" and "Confidant" come to mind.:D
Sorry for my question.
I checked all the tutorials but it never works for me... now I know I have to wait more time :) I always cancelled after 10-15 min, thought it was easier.
Thank you for your help
greetings
No apologies necessary. We're here to help. Now you know, and knowing is half the battle. GO JOE! http://i32.photobucket.com/albums/d25/Pirate1976/Half20the20Battle20Mousepad.jpg
-=Xploitz=-
06-22-2007, 05:43 PM
how about "super double first homeboy"
LOL... I remember that... ok, ok... We had our fun, let's quit flooding this thread. Sorry super prez and Admins. :o
AmphybiouS
07-07-2007, 02:42 AM
I cannot see the video. Can you paste the new link pls?
pureh@te
07-07-2007, 02:50 AM
I cannot see the video. Can you paste the new link pls?
If you can't navigate your way to the BackTrack wiki, I'm afraid you have the wrong distro and maybe you are out of your league.