-=Xploitz=- VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial" - Page 11

tom73 · #**101** (**permalink**) 08-23-2007, 11:45 PM

Quote:

Originally Posted by -=Xploitz=-

Then if the -3 attack still doesn't work...look at my other vidoe tutorial....and remember not every ROUTER/Ap responds to the -3 attack right off the bat. Could take 1 second up to and over an hour.
[/URL]

I've tried everything as you said and also tried your Chopchop Attack Tutorial. Chopchop also doesn't even send any packets.

Here is what I noticed: I get a "your interface ath0 is channel hopping" message when doing the aireplay-ng -1 0 attack. I also noticed that after a while, I no longer see any AP showing up.

On a side note: what is one supposed to do when instead of the router's name, all I get is <length:10> or something? That only happens when I don't broadcast the SSID. Since I know my router's name, this isn't any problem, but how would one solve this in the real field?

thank you

pureh@te · #**102** (**permalink**) 08-23-2007, 11:51 PM

You are getting the length mess. because the essid is being stealthed in some way. Keep airodumping or deauth a connected client and that should do the trick.

You should lock your card on the specific channel "ifconfig -c 1 ath0"

And futher more there is another attack called the frag attack it is th -5 option in aireplay.

shamanvirtuel · #**103** (**permalink**) 08-24-2007, 01:00 AM

yep surely for decloak hidden essid there's is mdk2 on bt2

cd /pentest/wireless/mdk2-v31/

mdk2

p - Basic probing and ESSID Bruteforce mode
Probes AP and check for answer, useful for checking if SSID has
been correctly decloaked or if AP is in your adaptors sending range
Use -f and -t option to enable SSID Bruteforcing.
OPTIONS:
-e <ssid>
Tell mdk2 which SSID to probe for
-f <filename>
Read lines from file for bruteforcing hidden SSIDs
-t <bssid>
Set MAC adress of target AP
-s <pps>
Set speed (Default: unlimited, in Bruteforce mode: 300)
-b <character set>
Use full Bruteforce mode (recommended for short SSIDs only!)
Use this switch only to show its help screen.

and if it's your router , you must know the essid .....

BTW, if you need essid for auth, you can just remove the -e switch ....
i never use it now .....

tom73 · #**104** (**permalink**) 08-24-2007, 01:41 AM

the problem with channel jumping is solved now...I didn't close that survey window. Anyway, I'm getting the same messages like in the video up until this command:

Quote:

aireplay-ng -3 -b [AP] -h 00:11:22:33:44:55 ath0

it just sends packets forever but the ARP stays at 0.

I've also tried attack -4 and it just reads packets (several thousand) and that's it. According to the bt2 wiki, my wireless card supports all attack modes. I've got a Netgear WPN511 Range Max.

Any help would be greatly appreciated.

thank you

Brisch · #**105** (**permalink**) 08-24-2007, 12:30 PM

Quote:

Originally Posted by -=Xploitz=-

Your aireplay command line appears correct..but might want to add the -e <essid> in your aireplay command line. What is your card / chipset? If it the one that came with your laptop...chances are its a broadcom..and their sketchy at best. Your better off buying a widely supported card or USB. See the aircrack-ng main site for a good compatibility list. Also..are you using..

airmon-ng stop eth1
airmon-ng start eth1 6

Where 6 is the channel your ap is on??? And using the -c 6 and the --bssid <xx:xx:xx:xx:xx:xx> option in airodump-ng command line? The -c 6 means channel 6, and the --bssid will be --bssid <AP MAC address> This will help keep you from channel hopping and focusing on your AP.

BTW...your running the full
airodump -c 6 -w capture --bssid xx:xx:xx:xx:xx:xx eth1

BEFORE you run
aireplay-ng -1 0 -e Networksname -a apsMAC -h YOUR CARDSMAC eth1
right???

Hi,

ok thanks for your quick reply.

It took some time for myself.
I need to check the advices you gave me some time.

Thanks,

Brisch

-=Xploitz=- · #**106** (**permalink**) 08-24-2007, 03:18 PM

tom73...

just for shits and kicks..and maybe a little help..go ahead and add the -e <essid> option on your attacks..never know, it might just do the trick. Channel hopping is solved via..

airmon-ng stop <device>
airmon-ng start 6

where 6 is the channel of the AP is on

also airodump-ng -c 6 -w capture --bssid <APMAC> <device>

Hope this get you started.

tom73 · #**107** (**permalink**) 08-24-2007, 08:53 PM

Quote:

Originally Posted by -=Xploitz=-

just for shits and kicks..and maybe a little help..go ahead and add the -e <essid> option on your attacks..

I was always required to use that. But I still don't get the ARP requests.

In addition, I've also tried the following:

installed 0.9.1 release (latest stable), to eliminate the chance of messing up on the SQL module (it's not required in that release)
Always added the -e switch
uncloaked my router's SSID
skipped the fake mac address step and used my real one instead
re-authenticated my mac address several times (was always successful and was then listed as a client connected to my router)

Are you guys sure that my NetGear WPN511 is fully compatible?

Also, the funny thing is that I cannot connect to my WEP network from BT2.
I've tried all possible settings. It works fine in Windows though.

Is there a limitation on how many characters a SSID can have?
Underscores are supported, right?

I don't know what else to try. I just don't get the ARP requests to work.

Any help would be highly appreciated.
thank you