Fake authentication
Description
The fake authentication attack lets you perform both types of WEP authentication (Open System and Shared Key) and then associate with the access
point (AP). It is only useful when another aireplay-ng attack needs an associated source MAC address and no client is currently associated. Note
that fake authentication does NOT generate any ARP packets by itself; it only gets your MAC address accepted by the AP. Fake authentication cannot
be used to authenticate or associate with WPA/WPA2 access points.
Usage
Where:
6000 - Reauthenticate every 6000 seconds. The long period also causes keep-alive packets to be sent.
-o 1 - Send only one set of packets at a time. The default is multiple, which confuses some APs.
-q 10 - Send keep-alive packets every 10 seconds.
Usage Examples
The lack of association with the access point is the single biggest reason why injection fails.
Here is an example of shared key authentication. It assumes you already have a PRGA xor file (passed to aireplay-ng with -y). See the How to do shared
key fake authentication tutorial for more details.
Where:
1 de 4 22/10/2010 21:38
fake_authentication [Aircrack-ng] http://www.aircrack-ng.org/doku.php?id=fake_authentication
If you receive the messages above, you are good to go forward with the standard injection techniques.
Usage Tips
Detailed instructions on changing the card MAC address can be found in the FAQ: How do I change my card's MAC address ?.
Troubleshooting Tip: A normal MAC address looks like this: 00:09:5B:EC:EE:F2. It is composed of six octets. The first half (00:09:5B) of each MAC
address is known as the Organizationally Unique Identifier (OUI). Simply put, it identifies the card manufacturer. The second half (EC:EE:F2) is known
as the extension identifier and is unique to each network card within that OUI. Many access points ignore frames from MAC addresses with invalid OUIs,
so make sure you use a valid OUI when you make up a MAC address; otherwise your packets may be silently dropped by the access point. The current list
of OUIs may be found here [http://standards.ieee.org/regauth/oui/oui.txt].
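The check above is easy to script before you start injecting. The following is an added example, not code from the aircrack-ng wiki or project: it validates a hand-picked source MAC (well-formed, unicast, OUI present in a small constructed OUI list that stands in for the IEEE oui.txt file) and then prints the aireplay-ng -1 command line with the reauthentication and keep-alive parameters described on this page. The ESSID "example-essid" and the interface name are placeholders; the MAC addresses are the ones used on this page.

```shell
#!/bin/sh
# Added example (not part of the aircrack-ng wiki): sanity-check a made-up
# source MAC before handing it to "aireplay-ng -1 ... -h MAC".
# KNOWN_OUIS is a constructed sample of OUI prefixes; in practice use the
# IEEE oui.txt list linked on the page. 00:09:5B is the OUI of the example
# MAC on the page, 00:14:6C and 00:0F:B5 appear in the page's tcpdump line.
KNOWN_OUIS="00:09:5B 00:14:6C 00:0F:B5"

# is_valid_mac MAC -> exit 0 if MAC is six colon-separated hex octets.
is_valid_mac() {
    h='[0-9A-Fa-f]'
    case "$1" in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;;
        *) return 1 ;;
    esac
}

# oui_of MAC -> prints the upper-cased first three octets (the OUI).
oui_of() {
    printf '%s\n' "$1" | tr 'a-f' 'A-F' | cut -d: -f1-3
}

# is_unicast MAC -> exit 0 unless the I/G bit (lowest bit of the first octet)
# is set. An AP never accepts a multicast/broadcast source address.
is_unicast() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# has_known_oui MAC -> exit 0 if the OUI appears in KNOWN_OUIS.
has_known_oui() {
    oui=$(oui_of "$1")
    case " $KNOWN_OUIS " in
        *" $oui "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_source_mac MAC -> prints "ok" or the reason the AP may reject it;
# the exit status mirrors the verdict.
check_source_mac() {
    mac="$1"
    if ! is_valid_mac "$mac"; then echo "malformed: $mac"; return 1; fi
    if ! is_unicast "$mac"; then echo "not unicast: $mac"; return 1; fi
    if ! has_known_oui "$mac"; then
        echo "unknown OUI $(oui_of "$mac"): AP may ignore it"; return 1
    fi
    echo ok
}

# fakeauth_cmd ESSID BSSID SRCMAC IFACE -> prints the aireplay-ng -1 command
# using the page's parameters: reauthenticate every 6000 s, one packet set
# at a time (-o 1), keep-alive every 10 s (-q 10). The ESSID is quoted so
# spaces and special characters survive, as the page recommends.
fakeauth_cmd() {
    essid="$1"; bssid="$2"; src="$3"; iface="$4"
    check_source_mac "$src" >/dev/null || return 1
    printf "aireplay-ng -1 6000 -o 1 -q 10 -e '%s' -a %s -h %s %s\n" \
        "$essid" "$bssid" "$src" "$iface"
}

# Stand-alone run: one good address, one with an unknown OUI, then the
# command that would be issued (printed, not executed).
check_source_mac 00:09:5B:EC:EE:F2
check_source_mac 12:34:56:78:9A:BC || true
fakeauth_cmd example-essid 00:14:6C:7E:40:80 00:09:5B:EC:EE:F2 ath0 || true
```

Paste the printed command into your shell once the check says ok; the script deliberately never runs aireplay-ng itself.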
sysctl -w dev.ath0.rawdev=1
ifconfig ath0raw up
airodump-ng ath0raw out 6
Then you can run attack 3 or 4 (aireplay-ng will automatically replace ath0 with ath0raw below):
Here are packet captures of the two types of authentication - open and shared key:
wep.open.system.authentication.cap [http://download.aircrack-ng.org/wiki-files/other/wep.open.system.authentication.cap]
wep.shared.key.authentication.cap [http://download.aircrack-ng.org/wiki-files/other/wep.shared.key.authentication.cap]
Usage Troubleshooting
Notice the “Got a deauthentication packet” and the continuous retries above. Do not proceed with other attacks until you have the fake authentication
running correctly.
Another way to identify a failed fake authentication is to run tcpdump and look at the packets. Start another session while you are injecting and…
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0f:b5:46:11:19) you are not associated. Meaning, the AP will not process or
accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: “tcpdump -n -e -s0 -vvv -i ath0 | grep DeAuth”. The bare word “DeAuth”
also matches deauthentication frames aimed at other stations, so on a busy channel add your own MAC address (and the AP's BSSID) to the filter to pick
out exactly the packets you want.
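The following is an added example, not from the aircrack-ng wiki: it filters tcpdump's 802.11 text output for deauthentication frames sent by the target AP to your injection MAC, rather than grepping for the bare word. The sample lines are constructed for this example and modelled on the single tcpdump line shown on the page (same AP and station MACs; the other timestamps, the beacon and the second BSSID 00:11:22:33:44:55 are made up).

```shell
#!/bin/sh
# Added example (not part of the aircrack-ng wiki): detect "you are not
# associated" deauthentication frames in tcpdump output. Live usage:
#   tcpdump -n -e -s0 -vvv -i ath0 | deauths_from 00:14:6c:7e:40:80 00:0f:b5:46:11:19
# (the tcpdump flags are the ones given on the page).

# Constructed sample of tcpdump -e output; line 2 is the one from the page.
SAMPLE='11:04:33.101000 314us BSSID:00:14:6c:7e:40:80 DA:ff:ff:ff:ff:ff:ff SA:00:14:6c:7e:40:80 Beacon (example) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 6, PRIVACY
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.361200 314us BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:46:11:19 Authentication (Open System)-1: Successful
11:04:35.360900 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
11:04:36.000000 314us BSSID:00:11:22:33:44:55 DA:00:0f:b5:46:11:19 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station'

# lower MAC -> prints MAC in lower case, as tcpdump prints addresses.
lower() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# deauths_from AP_MAC OUR_MAC (stdin: tcpdump lines) -> prints only the
# DeAuthentication frames with SA = AP and DA = our injection MAC.
# index() is used instead of a regex so the colons need no escaping.
deauths_from() {
    ap=$(lower "$1"); me=$(lower "$2")
    awk -v ap="SA:$ap" -v me="DA:$me" \
        'index($0, ap) && index($0, me) && /DeAuthentication/'
}

# count_deauths AP_MAC OUR_MAC (stdin) -> prints the number of such frames.
count_deauths() {
    deauths_from "$1" "$2" | awk 'END { print NR }'
}

# deauth_reasons (stdin: deauth lines) -> prints the reason text only.
deauth_reasons() {
    sed -n 's/.*DeAuthentication: //p'
}

# assess_association AP_MAC OUR_MAC (stdin) -> one-line verdict. Any
# deauth from the AP to us means the AP is dropping our injected frames,
# so the fake authentication must be fixed before other attacks.
assess_association() {
    n=$(count_deauths "$1" "$2")
    if [ "$n" -gt 0 ]; then
        echo "NOT associated: $n deauthentication frame(s) from $(lower "$1") to $(lower "$2")"
        return 1
    fi
    echo "no deauthentication frames from $(lower "$1") to $(lower "$2") seen"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | assess_association 00:14:6C:7E:40:80 00:0F:B5:46:11:19 || true
printf '%s\n' "$SAMPLE" | deauths_from 00:14:6c:7e:40:80 00:0f:b5:46:11:19 | deauth_reasons | sort -u
```

The verdict deliberately ignores deauthentication frames from other BSSIDs and frames addressed to other stations, which a plain grep for “DeAuth” would count.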
The wireless card is set to a channel which is different from the AP's. Solution: Use iwconfig and confirm the card is set to the same channel as the
AP.
The card is scanning channels. Solution: Start airodump-ng with the ”-c” or ”–channel” parameter and set it to the same channel as the AP.
The ESSID is wrong. Solution: Enter the correct value. If it contains spaces or special characters then enclose it in quotes. For the complete
details, see this FAQ entry.
The BSSID is wrong. Solution: Enter the correct value.
You are too far away from the AP and are not receiving any beacons. Solution: You can use tcpdump and/or airodump-ng to confirm you are in
fact receiving beacons for the AP. If not, move closer.
You are not receiving beacons for the AP. Solution: Use “tcpdump -n -vvv -e -s0 -i <interface name>” to confirm you are receiving beacons.
Assuming you have dealt with the potential problems above, it could be the drivers, or you have not put the card into monitor mode.
For all of the above, running airodump-ng and reading the related text file should provide all the information you require to identify and correct the
problem.
Answer: You need to be patient. When a client associates with the AP, airodump-ng will obtain and display the ESSID. If you are impatient then
deauthenticate a client to get the ESSID immediately.
You cannot use fake authentication with a WPA/WPA2 Access Point. It may only be used with WEP Access Points.
The most likely reason for this error message is that the ESSID specified with ”-e” does not EXACTLY match the real ESSID. Capitalization, spaces,
special characters and so on must match exactly. See this FAQ entry for instructions on how to handle unusual ESSIDs.
You are physically close enough to the access point. You can confirm that you can communicate with the specific AP by following these
instructions.
Make sure you are using a real MAC address (see discussion above)
The wireless card driver is properly patched and installed. Use the injection test to confirm your card can inject.
The card is configured on the same channel as the AP. Use “iwconfig” to confirm.
The BSSID and ESSID (-a / -e options) are correct.
If Prism2, make sure the firmware was updated.