[Pauldotcom] AP without DHCP
Bert Van Kets
mailing at vankets.com
Thu Nov 12 15:05:45 UTC 2009
Thanks for all the replies.
I have mentioned here before that two of the biggest broadband providers
in Belgium install wireless APs with WEP encryption (if the customer is
lucky enough to get encryption set up). I want to demonstrate to those
people, with permission of course, the danger of running WEP. I want to
be as prepared as possible and sharpen my skills in penetration testing
at the same time. I am a newbie and want to use this project to get to
some level of expertise. Thanks for y'all's patience and help.
I could ask the customer to switch on a wireless device to get some
traffic running, but if possible I'd like to avoid that.
In the particular case I mentioned earlier in this thread I'm 100% sure
I have the correct key. I used aircrack-ng to get the key and hacked it
several times. It came back with the same key every time. Also I could
connect to the AP without any problem. The trouble started when I
discovered no dhcp to be present and the default IP ranges 192.168.*.*
and 10.*.*.* (up to 10.32.*.* at least) were not used when using an arp
I'll try using rarp and broadcast ping and see where I get. Worst case
I'll have to capture some client traffic and get the IP info from that.
Robin Wood wrote:
> 2009/11/12 Bert Van Kets <mailing at vankets.com>:
>> Hi guys,
>> I was wondering what methods or commands can be used to get past the
>> following situation:
>> You access a WiFi AP with WEP encryption, you get the key and can
>> connect but do not get an IP address. I assume this is due to the use of
>> fixed IPs only (no dhcp). How do you get past this? How do you get info
>> in the IP range? Do I need to nMap scan every possible internal IP range???
>> What if no clients are connected and Mac address filtering is switched
>> on, on top of the lack of dhcp? I luckily do have a client Mac address,
>> but if I didn't have this it would be an extra hurdle.
>> My knowledge and experience have encountered a concrete wall. How do I
>> climb it?
> If you have MAC address filtering and no traffic to get a MAC address
> from then I'd say you were out of luck.
> Once past filtering and you've managed to connect or just have the WEP key ...
> You can sniff and decrypt data and just pick out IP addresses with
> wireshark or tcpdump. Kismet will also tell you IP addresses or
> subnets if it can work them out.
> if there are no wireless clients then I'd still sniff traffic, there
> will probably be broadcast traffic leaking out which should give IP
> details away.
> If it does come down to scanning then go for the common IP ranges
> first, I doubt anyone would be using 10.241.0.0/16 for their subnet,
> more likely something like 192.168.0.0/24 or something in the low 10.
> range. Some research on the AP would also give you default IP ranges
> that you could try, for example Fons are usually on 192.168.10.0/24.
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com
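The passive approach Robin describes (sniff the decrypted WEP traffic and pull IP details out of ARP and broadcast frames rather than scanning ranges) as an added worked example; this is not code from the thread or from any tool mentioned in it. It assumes the 802.11 capture has already been turned into plain Ethernet frames in a pcap file (for instance by airdecap-ng with the recovered key); the pcap bytes, the aa:bb:cc:* MAC addresses and the 192.168.1.x hosts are constructed inline so the script runs offline. The "most-ARPed target is the gateway" rule and the /24 cap on the subnet guess are heuristics, not facts stated on the page.

```python
"""Passive IP-range discovery on a WEP network with no DHCP (added example).

Assumes a pcap of already-decrypted Ethernet frames (e.g. airdecap-ng output).
All sample frames below are constructed so the script runs without a capture.
"""
import ipaddress
import struct
from collections import Counter

ETH_ARP, ETH_IP, PCAP_MAGIC = 0x0806, 0x0800, 0xA1B2C3D4


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op=1):
    """Ethernet+ARP frame (op 1 = request, 2 = reply); used to build sample data."""
    dst = b"\xff" * 6 if op == 1 else _mac(target_mac)
    eth = dst + _mac(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op)
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)


def build_ipv4_bcast(src_mac, src_ip, dst_ip, payload=b"constructed-broadcast"):
    """Ethernet+IPv4/UDP broadcast frame; checksums left zero (we only parse it)."""
    eth = b"\xff" * 6 + _mac(src_mac) + struct.pack("!H", ETH_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     _ip(src_ip), _ip(dst_ip))
    udp = struct.pack("!HHHH", 137, 137, 8 + len(payload), 0)
    return eth + ip + udp + payload


def build_pcap(frames):
    """Minimal little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1258038345 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap_frames(data):
    """Yield frames from pcap bytes, handling either byte order of the header."""
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet; decrypt the 802.11 capture first")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def harvest(pcap_bytes):
    """Return (mac->ip, every IP seen, ARP-target counter) from ARP and IPv4 frames."""
    hosts, seen, targets = {}, set(), Counter()
    for f in iter_pcap_frames(pcap_bytes):
        if len(f) < 34:
            continue
        etype = struct.unpack("!H", f[12:14])[0]
        src_mac = ":".join(f"{b:02x}" for b in f[6:12])
        if etype == ETH_ARP and len(f) >= 42 and f[14:20] == struct.pack("!HHBB", 1, ETH_IP, 6, 4):
            sip, tip = str(ipaddress.IPv4Address(f[28:32])), str(ipaddress.IPv4Address(f[38:42]))
            if sip != "0.0.0.0":          # 0.0.0.0 sender = address probe, carries no host IP
                hosts[src_mac] = sip
                seen.add(sip)
            seen.add(tip)
            targets[tip] += 1             # clients ARP for their gateway more than anything else
        elif etype == ETH_IP and f[14] >> 4 == 4:
            sip, dip = str(ipaddress.IPv4Address(f[26:30])), str(ipaddress.IPv4Address(f[30:34]))
            hosts[src_mac] = sip
            seen.add(sip)
            if dip != "255.255.255.255":  # a directed broadcast like x.y.z.255 gives the mask away
                seen.add(dip)
    return hosts, seen, targets


def infer_subnet(seen, cap=24):
    """Longest prefix shared by all observed addresses, capped at /cap (heuristic):
    two hosts on .20 and .35 say nothing about the real mask, so do not guess a /30."""
    ints = sorted(int(ipaddress.IPv4Address(a)) for a in seen)
    prefix = 32
    while prefix and len({v >> (32 - prefix) for v in ints}) > 1:
        prefix -= 1
    prefix = min(prefix, cap)
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(ints[0])}/{prefix}", strict=False)


def guess_gateway(targets):
    """Heuristic: the most-requested ARP target is usually the default gateway."""
    return targets.most_common(1)[0][0] if targets else None


def pick_static_address(network, seen, gateway):
    """An address nobody used in the capture. A silent host may still own it,
    so arping it before bringing the interface up with that address."""
    for host in network.hosts():
        a = str(host)
        if a not in seen and a != gateway:
            return a
    return None


def sample_pcap():
    """Constructed capture: two clients ARPing the gateway, the gateway's reply,
    a zero-sender ARP probe, and a NetBIOS-style directed broadcast."""
    return build_pcap([
        build_arp("aa:bb:cc:00:00:01", "192.168.1.20", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp("aa:bb:cc:00:00:02", "192.168.1.35", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp("aa:bb:cc:00:00:ff", "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.20", op=2),
        build_arp("aa:bb:cc:00:00:03", "0.0.0.0", "00:00:00:00:00:00", "192.168.1.40"),
        build_ipv4_bcast("aa:bb:cc:00:00:04", "192.168.1.77", "192.168.1.255"),
    ])


def analyze(pcap_bytes):
    hosts, seen, targets = harvest(pcap_bytes)
    net, gw = infer_subnet(seen), guess_gateway(targets)
    return {"hosts": hosts, "subnet": str(net), "gateway": gw,
            "static_candidate": pick_static_address(net, seen, gw)}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    for key, value in analyze(data).items():
        print(f"{key}: {value}")
```

Run it with no arguments to see the constructed sample analysed, or pass the path of a decrypted pcap. Nothing is transmitted: the subnet, gateway candidate and a free address all come from frames the clients and AP sent on their own, which is why no DHCP and no scanning of 10.*.*.* are needed as long as at least one client is talking.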