A fragmentation attack obtains the pseudorandom generation algorithm (PRGA) of network packets used in WEP. The PRGA can be used to craft encrypted packets that you can inject into the access point. These injected packets can speed up the process of cracking the WEP password, as otherwise it might take awhile to receive enough packets to get the repeated IV.
In a fragmentation attack, you extract part of the key material from at least one packet and use this to send an ARP request to the AP. If successful, the AP responds with more of the key material in the packet that is echoed back to you. You repeat this process many times until around 1500 bytes of the PRGA is captured, at which point you can then use a packet crafting tool to begin the injection process.
The following is an example of using the aircrack-ng tool suite (specifically, aireplay-ng) to perform a fragmentation attack:
aireplay-ng -5 -b <AP MAC address> -h <source MAC address> wlan0The -5 flag indicates that aireplay-ng will perform a fragmentation attack. Once you input this command, you must select the packet to use in the attack. The tool then begins the attack by sending a fragmented packet, receiving part of the key material from the AP, then repeating the process until it gets 1500 bytes of the PRGA. The key material is then saved to a file.
Next, you're ready to craft a packet using a tool like packetforge-ng:
packetforge-ng -0 -a <AP MAC address> -h <source MAC address> -y <saved PRGA file> -w <crafted packet output>This tells the tool to craft an ARP packet using the PRGA material you recovered, then save the crafted packet to a file. You can then inject your crafted packet into the AP like so:
aireplay-ng -r <crafted packet output> wlan0This will send the crafted packet over and over, and if successful, you'll be able to obtain a large amount of IVs that you can put toward cracking the WEP key.
aircrack-ngggreer