ARP Request Replay Attack

Advanced WEP Network Exploitation Technique

Introduction to ARP Request Replay Attack

Once successfully associated with a target network, ethical hackers can leverage the ARP Request Replay Attack to rapidly collect the data needed to crack WEP encryption. This technique is particularly valuable when targeting idle networks with minimal traffic.

Key Concept: The ARP Request Replay technique injects packets into the network traffic, forcing the access point to generate new packets with new Initialization Vectors (IVs). This accelerates data collection, enabling WEP cracking in minutes rather than hours or days.

While multiple packet injection methods exist, the ARP request replay attack stands out as the most reliable approach, offering high success rates against most networks when you have a good signal and a capable wireless adapter.

How ARP Request Replay Works

ARP Request Replay Attack Workflow

The Address Resolution Protocol (ARP) is fundamental to how devices communicate on a local network. The attack works as follows:

  1. Wait for an ARP packet to be transmitted over the network
  2. Capture the ARP packet using your wireless adapter in monitor mode
  3. Retransmit (replay) the captured packet back into the network
  4. This forces the router to generate a new packet with a new IV
  5. Repeat the process to rapidly collect numerous IVs
  6. Once sufficient data is collected, run aircrack-ng to crack the WEP key

Each time an ARP packet is replayed, the access point must re-encrypt and retransmit it, producing a new packet with a new IV. Since WEP's primary vulnerability stems from IV reuse, collecting a large number of distinct IVs is the key to cracking the encryption.
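The mechanism above also gives a defender a clear signature: one station retransmitting a byte-identical WEP frame (same IV, same length) hundreds of times, and the access point answering with a burst of fresh IVs on an otherwise idle network. The following is an added detection example, not part of this page's material: it assumes a hypothetical WIDS feed of per-frame records (time, transmitter MAC, BSSID, WEP IV, frame length), and the sample records are constructed.

```python
from collections import defaultdict

# Constructed WIDS-style records, one per 802.11 data frame:
# (time_s, transmitter_mac, bssid, wep_iv, frame_len). Made-up values, not a real capture.
AP = "bb:bb:bb:bb:bb:01"
NORMAL = [(i * 0.5, "aa:aa:aa:aa:aa:01", AP, 0x100000 + i, 120) for i in range(6)]
# One station re-sending a byte-identical 68-byte frame (same IV) 40 times in 0.4 s ...
REPLAY = [(10.0 + i * 0.01, "cc:cc:cc:cc:cc:02", AP, 0x0ABCDE, 68) for i in range(40)]
# ... and the AP rebroadcasting each one, re-encrypted under a fresh IV.
AP_REPLIES = [(10.002 + i * 0.01, AP, AP, 0x200000 + i, 68) for i in range(40)]
ALL = sorted(NORMAL + REPLAY + AP_REPLIES)


def _peak_in_window(times, window_s):
    """Largest number of events falling inside any window_s-second span."""
    times = sorted(times)
    peak = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_replayed_frames(frames, window_s=1.0, threshold=10):
    """Map (transmitter, iv, length) -> total count for frames seen more than
    `threshold` times within `window_s`. Ordinary 802.11 retries repeat a frame a
    handful of times; an injector replays the same frame thousands of times."""
    by_key = defaultdict(list)
    for t, tx, _bssid, iv, length in frames:
        by_key[(tx, iv, length)].append(t)
    return {k: len(ts) for k, ts in by_key.items()
            if _peak_in_window(ts, window_s) > threshold}


def peak_iv_rate(frames, bssid, window_s=1.0):
    """Most distinct WEP IVs the AP itself emitted in any window_s-second span.
    A quiet WEP network suddenly minting hundreds of fresh IVs per second is the
    AP answering injected traffic, which corroborates the replay alert."""
    first_seen = {}
    for t, tx, _bssid, iv, _length in frames:
        if tx == bssid:
            first_seen[iv] = min(first_seen.get(iv, t), t)
    return _peak_in_window(first_seen.values(), window_s)


if __name__ == "__main__":
    print(find_replayed_frames(ALL))   # {('cc:cc:cc:cc:cc:02', 703710, 68): 40}
    print(peak_iv_rate(ALL, AP))       # 40
```

The replay signal alone is enough to alert; the IV-rate check is there so a single burst of legitimate retries does not trip the detector.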

Practical Implementation

Prerequisites

Step-by-Step Process

1. Monitor the Target Network

Run airodump-ng to capture packets from the target network:

    airodump-ng --bssid [TARGET_MAC] --channel [CHANNEL] --write arpreplay wlan0mon

2. Associate with the Network

Perform fake authentication to associate with the target network:

    aireplay-ng --fakeauth 0 -a [TARGET_MAC] -h [YOUR_MAC] wlan0mon

3. Launch ARP Replay Attack

Execute the ARP replay attack to inject packets:

    aireplay-ng --arpreplay -b [TARGET_MAC] -h [YOUR_MAC] wlan0mon

4. Crack the WEP Key

Once sufficient data is collected, crack the WEP key:

    aircrack-ng arpreplay-01.cap

Command Breakdown

aireplay-ng --arpreplay -b [TARGET_MAC] -h [YOUR_MAC] wlan0mon

  • --arpreplay: Specifies the ARP replay attack
  • -b [TARGET_MAC]: The MAC address of the target access point
  • -h [YOUR_MAC]: The MAC address of your wireless adapter
  • wlan0mon: Your wireless interface in monitor mode

Attack Effectiveness

The effectiveness of the ARP request replay attack varies based on several factors:

Data Collection Rate Comparison

Key Factors Affecting Success

Note: Even on idle networks with no active users, the ARP request replay attack can collect sufficient data to crack WEP encryption in minutes, demonstrating the fundamental insecurity of the WEP protocol.

Key Takeaways

Ethical Considerations

Remember that performing these techniques on networks without explicit permission is illegal in most jurisdictions. This information is provided for educational purposes only, to help network administrators understand the vulnerabilities in WEP encryption and why it should be replaced with more secure alternatives like WPA2 or WPA3.

Legal Warning: Always obtain proper authorization before performing security testing on any network. Unauthorized access to computer networks may result in severe civil and criminal penalties.