Hirte Attack

03 Feb

Hirte is a type of attack that aims to crack the WEP key of wireless networks that are not reachable but the client device (laptop, mobile, etc.) is in the area of the attacker. This can be achieved because the WEP key and the configuration details are still stored in the wireless device.

The only requirement for this attack is to setup a fake access point with the same SSID of the WEP network. When the client device will try to connect automatically then ARP packets will be sent from the fake access point (attacker machine) to the device and the other way around which they will contain part of the keystream.

Breakdown of the Hirte Attack

  1. Setup a fake WEP AP and waits for a client to connect
  2. Upon connection of a client waits for auto-configuration IP address
  3. Client sends an ARP packet
  4. Obtain the ARP packet and converts it into an ARP request for the same client
  5. Client replies
  6. Collect these packets
  7. Crack the WEP key

Deployment of Hirte Attack

The first step is to create the WEP access point with the use of the tool airbase-ng. The -c variable defines the channel, the -W sets the encryption bit, mon0 is the interface and the -N enables the Hirte attack mode.

Creation of Fake Access Point

Creation of Fake Access Point

The next step is to configure airodump-ng to capture packets and to write those in a file called Hirte.

Initiate Packet Capturing

Initiate Packet Capturing

As we can see the fake access point appears on the list of the available wireless networks.

Rogue Wireless Network

Rogue Wireless Network

The same network will appear and on the victim device.

Victim - Fake Wireless Network Available

Victim – Fake Wireless Network Available

The victim device will connect automatically on the Wireless Pentest Lab as it is a network that it was connected previously when the genuine Wireless Pentest Lab was in range. The Hirte attack will start and ARP packets will be sent as the device will try to obtain an IP address. However this will not be possible as there is no DHCP server running but the collection of IVs will start.

Hirte Attack Running

Hirte Attack Running

The final step is to start the aircrack-ng in order to crack the WEP key from the packets that have been captured on the file called Hirte.

Read the packets

Read the packets

As we can see from the image below the WEP key has been cracked for a wireless network that it was not even in the range of the attacker.

WEP Key Found

WEP Key Found


As we saw with the Hirte attack someone is able to crack the WEP wireless key from a network just by exploiting a roaming client and without attacking the access point at all. This happened because the wireless configuration including the WEP key was stored on the device and client had the option to connect automatically to this wireless network when it was found in range. In a summary this attack uses the following principles:

  • It is a fragmentation attack
  • Targets isolated clients
  • Collects ARP packets that contain the WEP key

Posted by on February 3, 2015 in Wireless


Tags: , , , , , , ,

3 responses to “Hirte Attack

  1. Samina Ali

    February 17, 2015 at 6:00 pm

    i am getting invalid WEP length ?? Why ??


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: