AP without DHCP

[dninja at gmail.com (Robin Wood)]

2009/11/12 Bert Van Kets <mailing at vankets.com>:
> Thanks for all the replies.
>
> I have mentioned here before that two if the biggest broadband providers
> in Belgium install wireless APs with WEP encryption (if the customer is
> lucky enough to get encryption set up). I want to demonstrate to those
> people, with permission of course, the danger of running WEP. I want to
> be as prepared as possible and sharpen my skills in penetration testing
> at the same time. I am a newbie and want to use this project to get to
> some level of expertise. Thanks for y'all's patience and help.


If most APs get shipped out with default settings and you are trying
to prove that those default settings are weak then as well as having
default (or predictable) WEP keys the devices you are testing will all
have default (or predictable) IP rages.

Robin

> I could ask the customer to switch on a wireless device to get some
> traffic running, but if possible I'd like to avoid that.
> In the particular case I mentioned earlier in this thread I'm 100% sure
> I have the correct key. I used aircrack-ng to get the key and hacked it
> several times. It came back with the same key every time. Also I could
> connect to the AP without any problem. The trouble started when I
> discovered no dhcp to be present and the default IP ranges 192.168.*.*
> and 10.*.*.* (op to 10.32.*.* at least) were not used when using an arp
> nmap scan.
> I'll try using rarp and broadcast ping and see where I get. Wost case
> I'll have to do capture some client traffic and get the IP info from that.
>
> Bert
>
>
> Robin Wood wrote:
> > 2009/11/12 Bert Van Kets <mailing at vankets.com>:
> >
> > > Hi guys,
> > >
> > > I was wondering what methods or commands can be used to get past the
> > > following situation:
> > > You access a WiFi AP with WEP encryption, you get the key and can
> > > connect but do not get an IP address. I assume this is due to the use of
> > > fixed IPs only (no dhcp). How do you get past this? How do you get info
> > > in the IP range? Do I need to nMap scan every possible internal IP range???
> > > What if no clients are connected and Mac address filtering is switched
> > > on on top of the lack of dhcp? I luckily do have a client Mac address,
> > > but if I didn't have this it would be an extra hurdle.
> > > My knowledge and experience have encountered a concrete wall. How do I
> > > climb it?
> >
> > If you have MAC address filtering and no traffic to get a MAC address
> > from then I'd say you were out of luck.
> >
> > Once past filtering and you've managed to connect or just have the WEP key ...
> >
> > You can sniff and decrypt data and just pick out IP addresses with
> > wireshark or tcpdump. Kismet will also tell you IP addresses or
> > subnets if it can work them out.
> >
> > if there are no wireless clients then I'd still sniff traffic, there
> > will probably be broadcast traffic leaking out which should give IP
> > details away.
> >
> > If it does come down to scanning then go for the common IP ranges
> > first, I doubt anyone would be using 10.241.0.0/16 for their subnet,
> > more likely something like 192.168.0.0/24 or something in the low 10.
> > range. Some research on the AP would also give you default IP ranges
> > that you could try, for example Fons are usually on 192.168.10.0/24.
> >
> > Robin
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com