I'm pretty new to all of this so it might be a little stupid question... but why do we need to wait to capture an arp packet from a client to the AP? Can't we just send a 'fake' arp request to the AP with the client's MAC address instead of ours?

Rexi

WEP CRACKING

Weak IVs: weak IVs are IVs which reveal information about the WEP key itself.

RC4 in its implementation in WEP has been found to have weak keys. Having a weak key means that there is more correlation between the key and the output than there should be for good security. Determining which packets were encrypted with weak keys is easy because the first three bytes of the key are taken from the IV that is sent unencrypted in each packet. This weakness can be exploited by a passive attack. All the attacker needs to do is be within a hundred feet or so of the AP.

Out of the 16 million IV values available, about 9000 are interesting to the most popular attack tool, meaning they indicate the presence of weak keys. The attacker captures "interesting packets", filtering for IVs that suggest weak keys. After the attacker gathers enough interesting packets, he analyzes them and only has to try a small number of keys to gain access to the network. Because all of the original IP packets start with a known value, it's easy to know when you have the right key. To determine a 104-bit WEP key, you have to capture between 2000 and 4000 interesting packets. On a fairly busy network that generates one million packets per day, a few hundred interesting packets might be captured. That would mean that a week or two of capturing would be required to determine the key.

Now let's come to your question:

why do we need to wait to capture an arp packet from a client to the AP? Can't we just send a 'fake' arp request to the AP with the client's MAC address instead of ours?

Yes, you are absolutely correct, you can do this; this is what aireplay-ng does to crack WEP when there is no client associated with the AP.

The steps are:

1. Set the wireless card MAC address
2. Start the wireless interface in monitor mode on the specific AP channel
3. Use aireplay-ng to do a fake authentication with the access point
4. Use aireplay-ng chopchop or fragmentation attack to obtain PRGA
5. Use packetforge-ng to create an ARP packet using the PRGA obtained in the previous step
6. Start airodump-ng on the AP channel with a filter for the BSSID to collect the new unique IVs
7. Inject the ARP packet created in step 5
8. Run aircrack-ng to crack the key using the IVs collected
Arjun sharma
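From the defender's side, the behaviour described in this answer is easy to spot: the IV travels in the clear in every WEP frame, and ARP replay injection produces a burst of equally sized encrypted frames with rapidly growing IV counts (and, once the 24-bit IV space wraps, IV reuse). The following is an added example, not code from the answer or from the aircrack-ng project: a small WIDS-style check that parses the IV and key-ID byte out of 802.11 data frames, reports BSSIDs still using WEP, and flags ARP-sized bursts. The frames are constructed in the helper at the bottom; the burst threshold is an assumed value, not one from the page.

```python
from collections import defaultdict

FC_PROTECTED = 0x40   # "Protected Frame" bit in the second frame-control byte
EXT_IV = 0x20         # ExtIV bit in the key-ID byte: set for TKIP/CCMP, clear for WEP
ARP_BODY_LEN = 36     # LLC/SNAP (8) + ARP (28): the frame size replay injection produces

def parse_wep_frame(frame: bytes):
    """Return (bssid, src, iv, body_len) for a WEP-protected data frame, else None."""
    if len(frame) < 24 + 4 + 4:           # 802.11 header + IV header + ICV at minimum
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & FC_PROTECTED:
        return None                       # not a data frame, or not encrypted at all
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    ds = fc1 & 0x3                        # ToDS | FromDS << 1 decides where the BSSID sits
    if ds == 3:
        return None                       # 4-address WDS frames: out of scope here
    bssid, src = {1: (a1, a2), 2: (a2, a3), 0: (a3, a2)}[ds]   # sta->AP, AP->sta, IBSS
    hdr = 26 if fc0 & 0x80 else 24        # QoS data subtypes carry a 2-byte QoS field
    iv, key_id = frame[hdr:hdr + 3], frame[hdr + 3]
    if key_id & EXT_IV:
        return None                       # TKIP/CCMP frame, not WEP
    return bssid, src, iv, len(frame) - hdr - 4 - 4   # strip IV header and ICV

def analyze(frames, burst_threshold=50):
    """Per-BSSID WEP statistics plus alerts for WEP use and ARP-replay-style bursts."""
    stats = defaultdict(lambda: {"frames": 0, "ivs": set(), "reused": 0, "arp_sized": 0})
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is None:
            continue
        bssid, _src, iv, body_len = parsed
        s = stats[bssid]
        s["frames"] += 1
        s["reused"] += int(iv in s["ivs"])      # same IV twice means keystream reuse
        s["ivs"].add(iv)
        s["arp_sized"] += int(body_len == ARP_BODY_LEN)
    alerts = []
    for bssid, s in stats.items():
        mac = ":".join(f"{b:02x}" for b in bssid)
        alerts.append(f"{mac}: WEP in use ({len(s['ivs'])} unique IVs, {s['reused']} reused)")
        if s["arp_sized"] >= burst_threshold:
            alerts.append(f"{mac}: {s['arp_sized']} ARP-sized WEP frames, likely replay injection")
    return dict(stats), alerts

def make_frame(bssid, src, iv, body_len=ARP_BODY_LEN):
    """Constructed sample: station->AP WEP data frame with a dummy zero body and ICV."""
    fc = bytes([0x08, FC_PROTECTED | 0x01])           # data frame, ToDS set, Protected set
    return fc + b"\x00\x00" + bssid + src + bssid + b"\x00\x00" + iv + b"\x00" + bytes(body_len) + bytes(4)
```

Feeding `analyze` sixty frames from `make_frame` with consecutive IVs yields one "WEP in use" line and one replay-injection alert for the BSSID.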