AP WEP Vulnerability when there are no associated clients



I'm looking at my Wireless AP using a laptop & kismet (from the auditor
collection) from across the street.

I can see encrypted/broadcast packets from the AP and although I have a
client connected, the signal's low enough that Kismet doesn't show any
clients associated with the AP.

Using airodump to collect packets, the IVs come in rather slowly.
Because the laptop cannot see any clients, I was unable to find any good
ARP packets that can be used with aireplay to inject assoc requests.

Are there other packets that can be injected to generate a bunch of
traffic that don't require FromDS = 0 and ToDS = 1?

Can I assume then that it would take a very long time for someone to
crack my WEP, or are there other tools that can be used to inject packets
into my network resulting in my AP responding with the tons of IVs necessary
to crack the key?

Simply... what's the likelihood that someone can inject packets and
crack my AP's WEP if there are no clients associated with it?

By my understanding they would just have to collect traffic for days and
days before they get enough IVs to crack it, instead of a few minutes if
they can use aireplay.

Re: AP WEP Vulnerability when there are no associated clients



Try using arpforge
 

See above and if not, as soon as you start using your network, they just
deauth you, then capture the ARP upon reauth and then inject.  20 mins
later they're done and you're cracked.
 

But if you're not going to use it, just turn it off! :)  I presume you
have an AP because you want to use it at some point?


See above.  Can you just switch to WPA and just move away from WEP?

David.
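As an added example (not from any poster in this thread), a small Python parser that decodes the 802.11 frame-control bits the thread refers to (ToDS/FromDS, the Protected flag) and counts deauthentication frames per BSSID, which is the signature a defender would watch for when the "deauth, then capture the reauth" sequence David describes is run against a WEP network. The MAC addresses, the flood threshold and the sample frames are all constructed for the example.

```python
import struct
from collections import Counter
TYPE_NAMES = {0: "mgmt", 1: "ctrl", 2: "data"}
DEAUTH_SUBTYPE = 12            # management subtype 0xC
DEAUTH_FLOOD_THRESHOLD = 5     # constructed threshold; tune to your own baseline

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(frame):
    """Decode the 802.11 header fields relevant to WEP replay and deauth detection."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    a1, a2, a3 = mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22])
    # Which address is the BSSID depends on the DS bits (IEEE 802.11 address table).
    if ftype == 2 and to_ds and not from_ds:
        bssid, src = a1, a2        # client -> AP: the direction ARP replay relies on
    elif ftype == 2 and from_ds and not to_ds:
        bssid, src = a2, a3        # AP -> client: all the OP could see from the street
    else:
        bssid, src = a3, a2        # management frames and ad-hoc data
    info = {"type": TYPE_NAMES.get(ftype, "reserved"), "subtype": subtype,
            "to_ds": to_ds, "from_ds": from_ds, "protected": protected,
            "bssid": bssid, "src": src, "receiver": a1}
    if ftype == 0 and subtype == DEAUTH_SUBTYPE:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info

def deauth_counts(frames):
    """Deauthentication frames per BSSID; a burst well above baseline is the attack signature."""
    counts = Counter()
    for p in map(parse_frame, frames):
        if p["type"] == "mgmt" and p["subtype"] == DEAUTH_SUBTYPE:
            counts[p["bssid"]] += 1
    return counts

def flagged_bssids(frames, threshold=DEAUTH_FLOOD_THRESHOLD):
    return sorted(b for b, n in deauth_counts(frames).items() if n >= threshold)

def build(fc0, fc1, a1, a2, a3, body=b""):
    # Constructed sample frame: frame control, duration, addr1-3, sequence control, body.
    return bytes([fc0, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body

AP, CLIENT, BCAST = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"), b"\xff" * 6
SAMPLE = [build(0x80, 0x00, BCAST, AP, AP)]                     # beacon
SAMPLE += [build(0x08, 0x42, CLIENT, AP, AP)] * 3                # WEP data, AP -> client
SAMPLE += [build(0x08, 0x41, AP, CLIENT, BCAST)]                 # WEP data, client -> AP
SAMPLE += [build(0xC0, 0x00, CLIENT, AP, AP, b"\x07\x00")] * 6   # deauth burst, reason 7
```

Running `flagged_bssids(SAMPLE)` on the constructed capture flags the AP's BSSID because of the six-frame deauth burst, while the beacon and the WEP-protected data frames in both directions are classified but not counted.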

Re: AP WEP Vulnerability when there are no associated clients


David Taylor wrote:

Thanks, I'll read up on that.


Well, let's assume my computer is using the network, but the signal is
too weak to be detected from across the street. As in, only packets from
the AP are being detected. Without a MAC address or any information on
my client, how could they send a deauth packet? And then capture the
reauth if they did somehow guess the correct MAC address?

They can't right?


It's not something I'm terribly concerned about. I -can- switch routers
to one that has WPA. The two questions were more hypothetical, for my own
understanding of the way things work.

Rephrasing: apart from using arpforge as you mentioned above, what are
the requirements for cracking an AP's WEP if there are no clients
associated with it? As in, would they have to just sit and collect the
slowly incoming IVs (1 pkt/~10 sec) for days and days until they got lucky?


Thanks for your reply.
