Caffe-Latte

Last updated 2 years ago

Caffe-Latte

This attack is called Caffe-Latte because of the time that it gets to break the password.

This attack doesn't attack the access point directly as other attacks, in this attack we will be attacking clients connected to it.

The idea behind the attack is that in WEP encryption the user has to authenticate while the Access Point does NOT.

This lack of mutual authentication means that a malicious attacker can impersonate an AP by copying ESSID (name) and BSSID (MAC address; necessary or not depending on the client configuration) and get to pair with the client to "do things".

Theory

An attacker creates a Wi-Fi access point (AP) with an ESSID exactly the same (the BSSID can also be copied if desired) as the one stored on a victim PC. This network will have WEP security but with a different key than the client (since it is NOT known). Although the attacker and the victim have different encryption keys, WEP encryption makes it possible to go as far as the client's association with the access point.
The client authentication process is done through the proposal of a challenge (fourth arrow; from attacker to client) which is nothing more than a cipher text with the shared key. The client will respond to the challenge (fifth arrow) and the FALSE Access Point will say that it is valid (although it is a lie) by sending an "Authentication Success" (sixth arrow).

Once the association is established, the client will try to obtain an IP via DHCP (but the Fake access point will not have DHCP) and after a timeout the client's OS will automatically assign a static IP corresponding to the APIPA range (169.254.0.1 to 169.254.255.255.254 with mask 255.255.0.0). The client will send free ARPs informing of the static IP that has been self-assigned to avoid network problems as shown in the following image.

The next and last step will be performed by the fake AP. From the free ARP the fake AP will introduce in the network ARP requests from any IP with destination IP the client's IP. The client will respond to the ARP packets that are arriving and in a short time we will have enough traffic to be able to crack the WEP password.

Execution

Start with filtering the wifi network and saving the packet to a file.

airodump-ng -c 7 -w capturecaffelatte wlan0mon

2nd step is create a fake access point with the same mac address as the access point and same name (ESSID).

airbase-ng -c 7 -a <BSSID> -e 'CaffeLatte' -L -W 1 -x 100 wlan0mon

Doing these two commands we will be capturing the packets (ARP request/response) that will allow us to crack the WEP key.
Remeber wait a minimum of 5 minutes running this attack.

 aircrack-ng -e captureCaffeLatte.cap

Once you wait the 5 minutes, use aircrack-ng to crack the WEP key.

PreviousWEP NextWPA/WPA2 - PSK

Last updated 2 years ago

This attack is called Caffe-Latte because of the time that it gets to break the password.

This attack doesn't attack the access point directly as other attacks, in this attack we will be attacking clients connected to it.

The idea behind the attack is that in WEP encryption the user has to authenticate while the Access Point does NOT.

Theory

An attacker creates a Wi-Fi access point (AP) with an ESSID exactly the same (the BSSID can also be copied if desired) as the one stored on a victim PC. This network will have WEP security but with a different key than the client (since it is NOT known). Although the attacker and the victim have different encryption keys, WEP encryption makes it possible to go as far as the client's association with the access point.
The client authentication process is done through the proposal of a challenge (fourth arrow; from attacker to client) which is nothing more than a cipher text with the shared key. The client will respond to the challenge (fifth arrow) and the FALSE Access Point will say that it is valid (although it is a lie) by sending an "Authentication Success" (sixth arrow).

Once the association is established, the client will try to obtain an IP via DHCP (but the Fake access point will not have DHCP) and after a timeout the client's OS will automatically assign a static IP corresponding to the APIPA range (169.254.0.1 to 169.254.255.255.254 with mask 255.255.0.0). The client will send free ARPs informing of the static IP that has been self-assigned to avoid network problems as shown in the following image.

The next and last step will be performed by the fake AP. From the free ARP the fake AP will introduce in the network ARP requests from any IP with destination IP the client's IP. The client will respond to the ARP packets that are arriving and in a short time we will have enough traffic to be able to crack the WEP password.

Execution

Start with filtering the wifi network and saving the packet to a file.

airodump-ng -c 7 -w capturecaffelatte wlan0mon

2nd step is create a fake access point with the same mac address as the access point and same name (ESSID).

airbase-ng -c 7 -a <BSSID> -e 'CaffeLatte' -L -W 1 -x 100 wlan0mon

Doing these two commands we will be capturing the packets (ARP request/response) that will allow us to crack the WEP key.
Remeber wait a minimum of 5 minutes running this attack.

 aircrack-ng -e captureCaffeLatte.cap

Once you wait the 5 minutes, use aircrack-ng to crack the WEP key.