In my study and review of wireless attacks, I have recently grown very frustrated because I simply could not get any of the basic WEP attacks working: ARP replay, Korek chop-chop, fragmentation, interactive packet replay. This is without even using any WEP shared key authentication, just open authentication! I had read of people having trouble with Korek chop-chop and fragmentation attacks, but everything else?
My initial thought was that I had a driver or hardware problem. My lab setup is the following:
- DLINK DIR-601 WAP with WEP open authentication
- OpenWRT WAP with WEP shared key authentication
- Alfa AWUS036NHA wireless card with AR9271 chipset (ath9k_htc driver in Kali)
- Panda PAU05 USB wireless card (RT5372 driver in Kali)
- Windows 10 Laptop with Kali Linux 2020.1 in a VM
- Ancient Windows 7 Laptop as a “client”
I returned to the basics, making sure I could “fake authenticate” with a WEP open authentication system. I captured traffic using Wireshark, making sure I was seeing the authentication and association message flow between the station and the AP. It all looked good so far. Next I added a de-authentication attack, and according to the Wireshark analysis, that was working too.
Next I started the ARP replay attack, and on careful inspection of airmon-ng, I noticed that whenever I started aireplay-ng with the ARP replay attack, I was losing all of my packets to errors. Odd… the counter for packet loss was quickly increasing and rolling over. I reproduced this several times, and feeling somewhat puzzled, I tried switching from the Alfa card to the PAU05 wireless card. No luck, same issue with packet loss. I tried unloading kernel modules, removing and reattaching the wireless cards, even rebooting, but the packet loss issue continued.
I slept on the problem for a night, trying my best not to throw all this equipment in the dumpster and move on. Both PentesterAcademy and WiFu use Backtrack Linux rather than Kali (though this is supposed to work on Kali too), so I decided to try Backtrack. I set up a VM with the Backtrack image provided with the WiFu course. Backtrack (2.6.38) has been superseded by Kali, and sure enough, it’s not possible to install third party packages because the links to the package repositories are down. I couldn’t install gvim, terminator, tmux, etc., but at least all of the core tools were there: aircrack-ng and Wireshark.
Still not sure what the problem was, I plugged in the PAU05 wireless card first, but Backtrack did not have the drivers for this device. FAIL. Feeling like defeat would be near, I plugged in the Alfa card… and it was recognized! Still feeling anxious, I proceeded to set up my APs and the Windows 7 client, and started working on the ARP replay attack.
And it worked! I successfully cracked the WEP key:
```
root@bt:~# aircrack-ng arp_replay_lab-01.cap
Opening arp_replay_lab-01.cap
Read 356979 packets.

   #  BSSID              ESSID                     Encryption

   1  B8:A3:86:4C:61:84  CACTUS                    WEP (38159 IVs)

Choosing first network as target.

Opening arp_replay_lab-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 38159 ivs.

                         KEY FOUND! [ DE:AD:BE:EF:00 ]
        Decrypted correctly: 100%
```
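To make the two numbers in that output concrete (the IV count and the "Decrypted correctly" percentage), here is an added Python example; it is not code from the post or from the aircrack-ng project. It implements WEP's framing around RC4 with the 40-bit key the post recovered, encrypts the same ARP request under a run of fresh IVs the way an ARP replay harvest produces them, and scores a candidate key by the fraction of frames whose CRC-32 ICV verifies, which is the check behind "Decrypted correctly: 100%". The ARP payload, the IP addresses and the IV sequence are constructed for the example; only the key and the BSSID are taken from the page.

```python
import struct
import zlib

# Key from the page's aircrack-ng output: a 40-bit WEP key, shown as DE:AD:BE:EF:00.
WEP_KEY = bytes.fromhex("deadbeef00")

# Constructed sample plaintext: an ARP request as it rides inside an 802.11 data
# frame (LLC/SNAP header, then the 28-byte ARP body). Sender MAC is the page's
# BSSID; both IP addresses are made up for the example.
ARP_REQUEST = bytes.fromhex(
    "aaaa030000000806"      # LLC/SNAP, EtherType 0x0806 (ARP)
    "0001080006040001"      # HTYPE=1, PTYPE=IPv4, HLEN=6, PLEN=4, OPER=request
    "b8a3864c6184c0a80101"  # sender MAC B8:A3:86:4C:61:84, sender IP 192.168.1.1
    "000000000000c0a80164"  # target MAC unknown, target IP 192.168.1.100
)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA) XORed over data; encrypt and decrypt are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV(3) | KeyID byte | RC4(IV||key, plaintext || CRC-32 ICV).

    The 3-byte IV travels in the clear, which is why a capture can count IVs
    without knowing the key, and why every replayed ARP yields a usable frame.
    """
    assert len(iv) == 3, "WEP IVs are 24 bits"
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, body: bytes):
    """Return (plaintext, icv_ok). icv_ok is the per-frame test behind 'Decrypted correctly'."""
    iv, ciphertext = body[:3], body[4:]
    pt_icv = rc4(iv + key, ciphertext)
    plaintext, icv = pt_icv[:-4], pt_icv[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == (zlib.crc32(plaintext) & 0xFFFFFFFF)
    return plaintext, icv_ok


def harvest(key: bytes, count: int) -> list:
    """Simulate an ARP replay capture: the same ARP request encrypted under `count`
    sequential IVs (the IV sequence is a constructed stand-in for what the AP emits)."""
    return [wep_encrypt(key, struct.pack("<I", n)[:3], ARP_REQUEST) for n in range(count)]


def unique_ivs(bodies: list) -> int:
    """The 'IVs' figure aircrack-ng prints: distinct 3-byte IVs seen for the BSSID."""
    return len({b[:3] for b in bodies})


def decrypted_correctly(key: bytes, bodies: list) -> float:
    """Percentage of frames whose ICV verifies under `key`; 100.0 for the right key,
    ~0.0 for a wrong one (a wrong key passes a CRC-32 check only by 2^-32 chance)."""
    ok = sum(1 for b in bodies if wep_decrypt(key, b)[1])
    return 100.0 * ok / len(bodies)


if __name__ == "__main__":
    frames = harvest(WEP_KEY, 50)
    print("IVs:", unique_ivs(frames))
    print("Decrypted correctly (real key):", decrypted_correctly(WEP_KEY, frames))
    print("Decrypted correctly (wrong key):", decrypted_correctly(bytes(5), frames))
```

The replay attack matters for the crack because the station's ARP request is a fixed plaintext: every time it is re-injected, the AP answers under a new IV, so the IV counter climbs while the attacker never has to know the key. Once PTW proposes a key, the ICV check above is what separates a correct guess from a wrong one.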
It felt great to finally see results that matched the WiFu lab manual.
So what went wrong? I seriously doubt it is the hardware since I could verify the packet loss issue with two different wireless cards using different chipsets. Is it an aircrack-ng issue? Is it a Kali issue? Well, for now I’m not going to worry about Kali and I will keep using Backtrack so I can focus on the material and wireless technology. Perhaps when I’ve finished all of the labs I’ll be able to troubleshoot some more with Kali.