
I was reading a tutorial about how to hack a WEP network that has no other clients connected to the AP. It says that fake authentication must be used, and it appears to work, but I don't understand how the fake authentication works without there being another client on the network that can be deauthenticated and made to reauthenticate, so that the hacker can sniff this handshake and determine the PRGA, and then authenticate themselves using the same IV and RC4 stream discovered from sniffing that exchange.

It seems that they authenticate without ever knowing the RC4 stream. This is implied by the fact that they later have to determine it by waiting for a packet on the network to get the 8-byte LLC header to use in the ARP packetforge. (I still don't know how they authenticate without the RC4 stream (it is not OSA), and how there is a packet on the network to be received and fragment-attacked if there are no clients on the network.)

schroeder
Lewis Kelsey
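The part of the question that is purely a protocol property, namely that a sniffed Shared Key Authentication exchange gives away the RC4 keystream ("PRGA") for that IV, can be shown with a small simulation. The following is an added example written for this page; it is not code from the question, the tutorial it mentions, or any WEP tool. The RC4, ICV and frame-body construction follow the WEP specification, while the key, IV and challenge values are constructed for the demonstration. It does not send any frames; it models the AP's verification check and a passive observer's view of the exchange.

```python
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA) XORed over data; WEP uses exactly this."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: RC4 keyed with IV||secret over plaintext||ICV (IV sent in clear)."""
    return rc4(iv + secret_key, plaintext + icv(plaintext))


def ap_accepts(secret_key: bytes, iv: bytes, challenge: bytes, response: bytes) -> bool:
    """The AP's check on Shared Key Authentication frame 3: the station's encrypted
    reply must equal the AP's own encryption of the challenge under that IV."""
    return wep_encrypt(secret_key, iv, challenge) == response


def keystream_from_handshake(challenge: bytes, response: bytes) -> bytes:
    """A passive observer sees the challenge (frame 2, cleartext) and the response
    (frame 3, ciphertext). XORing them yields the RC4 keystream for that IV
    without ever learning the WEP key: this is the weakness of shared-key auth."""
    known_plaintext = challenge + icv(challenge)
    return bytes(c ^ p for c, p in zip(response, known_plaintext))


def response_from_keystream(keystream: bytes, challenge: bytes) -> bytes:
    """Any later challenge of the same length under the same IV can be answered
    from the keystream alone; the secret key never enters the computation."""
    plaintext = challenge + icv(challenge)
    return bytes(k ^ p for k, p in zip(keystream, plaintext))


def demo() -> dict:
    secret_key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    iv = bytes.fromhex("112233")              # constructed 24-bit IV
    challenge = bytes(range(128))             # constructed 128-byte challenge

    # Legitimate handshake: the real client encrypts the AP's challenge.
    response = wep_encrypt(secret_key, iv, challenge)
    legit_ok = ap_accepts(secret_key, iv, challenge, response)

    # The observer recovers 132 bytes of keystream (128 challenge + 4 ICV).
    keystream = keystream_from_handshake(challenge, response)
    keystream_correct = keystream == rc4(iv + secret_key, bytes(132))

    # A second handshake with a fresh challenge but the same IV is accepted by
    # the AP using only that keystream; the key was never recovered.
    challenge2 = bytes(255 - b for b in range(128))
    response2 = response_from_keystream(keystream, challenge2)
    keyless_ok = ap_accepts(secret_key, iv, challenge2, response2)

    return {"legit_ok": legit_ok,
            "keystream_correct": keystream_correct,
            "keyless_ok": keyless_ok}


if __name__ == "__main__":
    print(demo())
```

The point for a defender is that `ap_accepts` returns `True` in the keyless case because WEP never binds the IV to one use: whoever holds 132 bytes of keystream for an IV can pass the authentication check that IV protects. Shared Key Authentication therefore leaks more than Open System Authentication does, which is why it was discouraged even before the rest of WEP was broken; the only real mitigation is to retire WEP in favour of WPA2 or WPA3.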

0 Answers