Tutorial: How to crack WEP with no wireless clients
Version: 1.15, September 26, 2009
By: darkAudax
Video: http://video.aircrack-ng.org/noclient/
There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side. Although this topic has been discussed many times over in the Forum [http://forum.aircrack-ng.org], this tutorial is intended to address the topic in more detail and provide working examples. If there are ARP requests being broadcast from the wired side, then the standard fake authentication combined with ARP request replay technique may be used.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team [http://trac.aircrack-ng.org/wiki/Team] for producing such a great, robust tool. Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.
First, this solution assumes:

- You are using drivers patched for injection. Use the injection test to confirm your card can inject prior to proceeding.
- You are physically close enough to send and receive access point packets. Remember that just because you can receive packets from the access point does not mean you will be able to transmit packets to the AP. The wireless card strength is typically less than the AP strength, so you have to be physically close enough for your transmitted packets to reach and be received by the AP. You should confirm that you can communicate with the specific AP by following these instructions.
- There are some data packets coming from the access point. Beacons and other management frame packets are totally useless for our purposes in this tutorial. A quick way to check is to run airodump-ng and see if there are any data packets counted for the access point. Having said that, if you have data captured from the access point from another session, then this can be used. This is an advanced topic and this tutorial does not provide detailed instructions for this case.
- The access point uses WEP "open authentication". It will not work if "shared key authentication" (SKA) is being used. With SKA, the only way to be successful with no clients present is if you captured the PRGA xor data with an airodump-ng handshake or an aireplay-ng attack previously. This is because you will need the PRGA xor file to do the fake authentication successfully.
- You use the native MAC address of your wireless card for all the steps and do not change it. Do NOT use any other MAC address as the source for transmitting packets. Otherwise, some commands will not work correctly. See the Using Another Source MAC Address section for instructions on dealing with using a different source MAC address.
- You are using v0.9 of aircrack-ng. If you use a different version then some of the command options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change "ath0" to the interface name which is specific to your wireless card.

Equipment used
In this tutorial, here is what was used:

- MAC address of PC running aircrack-ng suite: 00:09:5B:EC:EE:F2
- BSSID (MAC address of access point): 00:14:6C:7E:40:80
- ESSID (Wireless network name): teddy
- Access point channel: 9
- Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the...