Fake Authentication Attack

An Essential Technique in WEP Cracking

Introduction to WEP Cracking Challenges

In ethical hacking, cracking WEP (Wired Equivalent Privacy) encryption can be straightforward if you capture sufficient data. However, networks with low activity present a significant challenge - the data capture process becomes extremely slow, potentially requiring hours or even days before you have enough initialization vectors (IVs) to successfully crack the key.

Note: WEP is an outdated security protocol that has been largely replaced by WPA/WPA2/WPA3 due to its security vulnerabilities. This content is for educational purposes only.

The Problem: Slow Data Capture

When monitoring a network with low activity, the #Data column in airodump-ng stays at zero or increases very slowly. This indicates that initialization vectors (IVs) - which are critical for cracking WEP - are being generated at an extremely slow rate, because each data frame carries one IV.

Understanding Network Association

Before we can force an access point to generate new packets, we need to associate with the target network. Association is a critical concept in wireless networking that differs from connection:

[Diagram: Access Point (Target), Attacker's Device (Monitor Mode), Legitimate Client (Connected). The attacker's fake authentication yields association only; the legitimate client holds a full authenticated connection.]

Association vs. Connection

Association                                           Connection
Tells the network "I want to communicate with you"    Establishes a complete authenticated session
Similar to clicking on a network in your Wi-Fi list   Requires successful password authentication
Allows the AP to recognize your requests              Provides actual network access and connectivity
Does not require the encryption key                   Requires the correct encryption key

Important distinction: Association only tells the access point to accept communications from your device. It does not give you access to the network or internet connectivity.

Performing a Fake Authentication Attack

The fake authentication attack allows us to associate with a target network without knowing the encryption key. This is the first step in accelerating data capture for WEP cracking.

Step 1: Run airodump-ng to identify the target network

    airodump-ng mon0

Identify your target network and note its BSSID (MAC address) and channel.

Step 2: Start capturing data from the target network

    airodump-ng --bssid 00:11:22:33:44:55 --channel 6 --write arpreplay mon0

This captures data specifically from the target network and saves it to files with the prefix "arpreplay".

Step 3: Find your wireless adapter's MAC address

    ifconfig mon0

Look for the "unspec" field and convert the format (replacing dashes with colons).

Step 4: Execute the fake authentication attack

    aireplay-ng --fakeauth 0 -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0

Where:
    --fakeauth 0: perform the fake authentication once
    -a: the target AP's MAC address (BSSID)
    -h: your wireless adapter's MAC address

Command Breakdown

The fake authentication command uses aireplay-ng with several important parameters:

Parameter      Description
--fakeauth 0   Perform the fake authentication attack once (use a higher number or no number for continuous attempts)
-a [MAC]       The MAC address (BSSID) of the target access point
-h [MAC]       The MAC address of your wireless adapter
mon0           The wireless interface in monitor mode

Warning: This technique should only be performed on networks you own or have explicit permission to test. Unauthorized penetration testing is illegal and unethical.

Verifying Successful Association

After running the fake authentication command, you can confirm successful association by observing changes in airodump-ng's output:

Before association (airodump-ng output):

    BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    00:11:22:33:44:55  -67  76     2145        0    0   6  54e  WEP  WEP    -   Test AP

After successful association (airodump-ng output):

    BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
    00:11:22:33:44:55  -67  76     2198        0    0   6  54e  WEP  WEP   OPN  Test AP

    STATION            PWR   Rate    Lost    Frames  Probe
    AA:BB:CC:DD:EE:FF  -67   0 - 1      0        4

Key indicators of successful association (visible by comparing the two outputs above):

    - The AUTH column for the target BSSID changes from "-" to "OPN" (open system authentication).
    - Your adapter's MAC address (AA:BB:CC:DD:EE:FF) appears in the STATION list under the target AP.
    - The #Data counter is still 0: association alone produces no data frames, which is why the ARP replay step follows.
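From the monitoring side, the same two snapshots are what a wireless IDS would compare: a station that appears with only a handful of frames while the AP's #Data counter stays flat, and an AUTH column that flips from "-" to "OPN". The following Python is an added example (not from the original page or from the aircrack-ng project) that parses the airodump-ng text layout shown above; the two snapshots are constructed from those outputs, and the 10-frame threshold is an assumption.

```python
import re

# Constructed snapshots modelled on the page's before/after airodump-ng output.
BEFORE = """\
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:11:22:33:44:55  -67  76     2145        0    0   6  54e  WEP  WEP    -   Test AP
"""
AFTER = """\
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:11:22:33:44:55  -67  76     2198        0    0   6  54e  WEP  WEP   OPN  Test AP

STATION            PWR   Rate    Lost    Frames  Probe
AA:BB:CC:DD:EE:FF  -67   0 - 1      0        4
"""
MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
# AP rows: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AP_RE = re.compile(
    rf"^(?P<bssid>{MAC})\s+-?\d+\s+\d+\s+\d+\s+(?P<data>\d+)\s+\d+\s+\d+\s+\S+\s+"
    r"\S+\s+\S+\s+(?P<auth>\S+)\s+(?P<essid>.*)$")
# Station rows in the layout shown on the page: STATION PWR Rate Lost Frames Probe
STA_RE = re.compile(
    rf"^(?P<station>{MAC})\s+-?\d+\s+\d+\s*-\s*\d+\s+\d+\s+(?P<frames>\d+)\s*(?P<probe>.*)$")

def parse_airodump(text):
    """Return ({bssid: {data, auth, essid}}, {station: frames}) from one snapshot."""
    aps, stations = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := AP_RE.match(line):
            aps[m["bssid"].upper()] = {"data": int(m["data"]), "auth": m["auth"],
                                       "essid": m["essid"].strip()}
        elif m := STA_RE.match(line):
            stations[m["station"].upper()] = int(m["frames"])
    return aps, stations

def idle_new_stations(before, after, max_frames=10):
    """Stations new in the later snapshot that sent only a few frames while every
    AP's #Data counter stayed flat: the footprint of an association-only client."""
    aps_b, sta_b = parse_airodump(before)
    aps_a, sta_a = parse_airodump(after)
    data_flat = all(aps_a[b]["data"] == aps_b[b]["data"] for b in aps_a if b in aps_b)
    return sorted(s for s, f in sta_a.items()
                  if s not in sta_b and f <= max_frames and data_flat)

def auth_changes(before, after):
    """BSSIDs whose AUTH column changed between snapshots, e.g. '-' -> 'OPN'."""
    aps_b, _ = parse_airodump(before)
    aps_a, _ = parse_airodump(after)
    return {b: (aps_b[b]["auth"], aps_a[b]["auth"])
            for b in aps_a if b in aps_b and aps_b[b]["auth"] != aps_a[b]["auth"]}
```

Running both checks over the constructed snapshots flags the new station AA:BB:CC:DD:EE:FF and the AUTH change on 00:11:22:33:44:55, the same two signs the text lists.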

What Comes Next: ARP Replay Attack

After successfully associating with the target network, the next step in WEP cracking is to inject packets to force the network to generate new IVs. This is typically done using the ARP replay attack, which proceeds as follows:

[Diagram: Access Point, Attacker, Data Counter (IVs: 20,000+). After association: 1. ARP Request, 2. ARP Reply (New IV), 3. Collect IVs.]

Key Takeaways