Like every other website on the planet, SmallNetBuilder uses cookies. Our cookies track login status, but we only allow admins to log in anyway, so those don't apply to you. Any other cookies you pick up during your visit come from advertisers, which we don't control.
If you continue to use the site, you agree to tolerate our use of cookies. Thank you!

Wi-Fi Router Charts

Click for Wi-Fi Router Charts

Mesh System Charts

Click for Wi-Fi Mesh System Charts

Packet replay via Aireplay

While a deauth attack generates traffic, it generally doesn't generate enough to effectively speed up our IV gathering process. It's also a pretty blunt instrument and severly interferes with normal WLAN operations. For more efficient traffic generation, we'll need to employ a different technique called a replay attack.

A replay attack simply captures a valid packet generated by a Target client, then spoofs the client that it captured the packet from and replays the packet over and over again more frequently than normal. Since the traffic looks like it is coming from a valid client, it doesn't interfere with normal network operations and goes about its IV-generating duties quietly.

So what we need is to capture a packet that is sure to be generated by the void11 deauth attack, stop the deauth attack, then start a replay attack using the captured packet. A perfect candidate for capture are Address Resolution Protocol (ARP) packets since they're small (68 Bytes long), have a fixed and easily recongnizable format, and are part of every reassociation attempt.

aireplay setup

Figure 11: aireplay setup
(click image to enlarge)

Let's start with a clean slate and reboot both Auditor-A and Auditor-B. Figure 12 shows the roles that Auditor-A and Auditor-B are playing. Notice that Auditor-A is running only aireplay and is just serving to stimulate traffic (and IVs) to shorten the time it takes to crack a WEP key. Also notice that Auditor-B is used for either running the deauth attack (via void11) or capturing traffic (via airodump) and running the actual crack against the captured data via aircrack which we'll get to shortly.

The full WEP-cracking monty

Figure 12: The full WEP-cracking monty

We'll first start aireplay. Go to Auditor-A, open a shell and type in these commands:

Commands to set up aireplay to listen for an ARP packet
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN

At first, nothing too exciting will happen. You should see aireplay reporting it has seen a certain number of packets, but little else since the packets haven't matched the filter we've set (68 Byte packet with a destination MAC address of FF:FF:FF:FF:FF:FF).

Support Us!

If you like what we do and want to thank us, just buy something on Amazon. We'll get a small commission on anything you buy. Thanks!

Don't Miss These

  • 1
  • 2