Thanks for all the replies. I have mentioned here before that two of the biggest broadband providers in Belgium install wireless APs with WEP encryption (if the customer is lucky enough to get encryption set up). I want to demonstrate to those people, with permission of course, the danger of running WEP. I want to be as prepared as possible and sharpen my skills in penetration testing at the same time. I am a newbie and want to use this project to get to some level of expertise. Thanks for y'all's patience and help.
I could ask the customer to switch on a wireless device to get some traffic running, but if possible I'd like to avoid that. In the particular case I mentioned earlier in this thread I'm 100% sure I have the correct key. I used aircrack-ng to get the key and hacked it several times. It came back with the same key every time. Also, I could connect to the AP without any problem. The trouble started when I discovered no DHCP to be present and the default IP ranges 192.168.*.* and 10.*.*.* (up to 10.32.*.* at least) were not in use when I ran an nmap ARP scan. I'll try using RARP and broadcast ping and see where I get. Worst case I'll have to capture some client traffic and get the IP info from that.

Bert

Robin Wood wrote:
> 2009/11/12 Bert Van Kets <[email protected]>:
>
>> Hi guys,
>>
>> I was wondering what methods or commands can be used to get past the
>> following situation:
>> You access a WiFi AP with WEP encryption, you get the key and can
>> connect but do not get an IP address. I assume this is due to the use of
>> fixed IPs only (no DHCP). How do you get past this? How do you get info
>> on the IP range? Do I need to nmap scan every possible internal IP range???
>> What if no clients are connected and MAC address filtering is switched
>> on on top of the lack of DHCP? I luckily do have a client MAC address,
>> but if I didn't have this it would be an extra hurdle.
>> My knowledge and experience have encountered a concrete wall. How do I
>> climb it?
>>
>
> If you have MAC address filtering and no traffic to get a MAC address
> from then I'd say you were out of luck.
>
> Once past filtering and you've managed to connect or just have the WEP key ...
>
> You can sniff and decrypt data and just pick out IP addresses with
> wireshark or tcpdump. Kismet will also tell you IP addresses or
> subnets if it can work them out.
>
> If there are no wireless clients then I'd still sniff traffic; there
> will probably be broadcast traffic leaking out which should give IP
> details away.
>
> If it does come down to scanning then go for the common IP ranges
> first. I doubt anyone would be using 10.241.0.0/16 for their subnet,
> more likely something like 192.168.0.0/24 or something in the low 10.
> range. Some research on the AP would also give you default IP ranges
> that you could try, for example Fons are usually on 192.168.10.0/24.
>
> Robin
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
