Sunday, January 13, 2008

Using aireplay attack 1

The simplest scenario is the one where these attacks, 1 and 0, work together. There are situations where attack 1 will not work (for example, when MAC filtering is on), but it works most of the time, and it is very quick.


Currently, if you're following along, you should have 2 Konsoles open and running airodump and aireplay attack 3. If not, go back and follow the directions in the past 2 posts.


If yes, the fun is almost here. Open another Konsole shell, and at the prompt


Type : aireplay-ng -1 0 -e 07B402920894 rausb0


As always, you must replace -e .... with your own target ESSID and substitute rausb0 with your own network interface name. Most of what you just typed should already be familiar. If not, go back and read the past few posts. The new parts are these:


-1 - This is the number of the attack we're using. It is a fake authentication attack, which gets us authenticated with the AP so that we can deauthenticate, as you'll soon see.


0 - This is the delay between retries, used when the authentication does not succeed on the first try (which can happen for a variety of reasons).


The rest is old stuff.


You must have fairly good signal power showing in airodump for this to work. With my rausb0 I need over 40 showing in the power column. Your experience may differ greatly. If all goes well, when you press Enter you should see something like:


12:41:58 Sending authentication request (Open System)
12:41:58 Authentication successful
12:41:58 Sending Association Request
12:41:58 Association successful :-)

What just happened is that you became associated with the AP, meaning that if you lose association, the AP will send out a call to get you back. This is what will usually trigger the ARP request. If you take a look at your Konsole running attack 3, it may already have started injecting. More often than not, though, you'll have to wait for the next step.

There can be many reasons why you won't be able to associate with the AP, meaning this attack failed. First of all, the AP may have MAC filtering on, which can sometimes be circumvented. We'll get to that at a later time. Or you may not be close enough to the AP to associate. It can also be that the encryption is WPA, not WEP, so you cannot use this method to inject. If all went as described above, you are ready to read on.
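Seen from the access point's side, the "Authentication successful / Association successful" exchange above is a station that joins the network and then either sends no data at all or keeps re-associating to stay accepted. The script below is an added example for this post, not part of the aircrack-ng suite or of the original text: it parses a constructed, made-up event log (the AUTH/ASSOC/DATA line format is an assumption for the example, not hostapd or airodump output) and flags stations that fit that pattern.

```python
"""Flag stations whose 802.11 management activity looks like fake
authentication: they authenticate and associate with the AP but never send
data, or they re-associate far more often than a real client would.

Added example; not aircrack-ng code. The log format is constructed for the
example and is not the output of any real tool.
"""
import re
from collections import defaultdict

# Constructed sample: one line per management or data event seen by the AP.
# Fields: <time> <event> <station-mac>. MACs are made up.
SAMPLE_LOG = """\
12:41:58 AUTH  00:11:22:33:44:55
12:41:58 ASSOC 00:11:22:33:44:55
12:42:01 DATA  00:11:22:33:44:55
12:42:02 DATA  00:11:22:33:44:55
12:41:58 AUTH  0a:0b:0c:0d:0e:0f
12:41:58 ASSOC 0a:0b:0c:0d:0e:0f
12:43:10 AUTH  0a:0b:0c:0d:0e:0f
12:43:10 ASSOC 0a:0b:0c:0d:0e:0f
12:44:22 AUTH  0a:0b:0c:0d:0e:0f
12:44:22 ASSOC 0a:0b:0c:0d:0e:0f
12:45:00 AUTH  de:ad:be:ef:00:01
12:45:00 ASSOC de:ad:be:ef:00:01
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(AUTH|ASSOC|DATA)\s+([0-9a-f:]{17})$")


def parse_events(text):
    """Return a list of (time, event, mac) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def find_suspicious_stations(events, reassoc_threshold=3):
    """Return {mac: [reasons]} for stations matching the fake-auth pattern.

    - "silent": associated at least once but sent no data frames at all.
      A station that only faked authentication has nothing to say.
    - "reassoc": associated `reassoc_threshold` or more times, the pattern
      of an injector that re-associates to stay accepted by the AP.
    """
    assoc = defaultdict(int)
    data = defaultdict(int)
    for _time, event, mac in events:
        if event == "ASSOC":
            assoc[mac] += 1
        elif event == "DATA":
            data[mac] += 1

    flagged = {}
    for mac, count in assoc.items():
        reasons = []
        if data[mac] == 0:
            reasons.append("silent")
        if count >= reassoc_threshold:
            reasons.append("reassoc")
        if reasons:
            flagged[mac] = reasons
    return flagged


if __name__ == "__main__":
    for mac, reasons in find_suspicious_stations(parse_events(SAMPLE_LOG)).items():
        print(mac, ", ".join(reasons))
```

In the sample, 00:11:22:33:44:55 behaves like a normal client and is not flagged, 0a:0b:0c:0d:0e:0f trips both rules, and de:ad:be:ef:00:01 is flagged only as "silent". That last case is the caveat: a real client that has just associated and not yet sent data looks the same, so in practice the "silent" rule needs a grace period before it raises an alert. The "reassoc" rule is the more reliable of the two, and neither is needed once the network is moved off WEP, which is the actual fix the post alludes to when it says WPA stops this method.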
