#1
08-11-2005, 04:39 PM
jstarNG
AP WEP Vulnerability when there are no associated clients

I'm looking at my Wireless AP using a laptop & kismet (from the auditor
collection) from across the street.

I can see encrypted/broadcast packets from the AP and although I have a
client connected, the signal's low enough that kismet doesn't show any
clients associated with the AP.

Using airodump to collect packets, the IVs come in rather slowly.
Because the laptop cannot see any clients, I was unable to find any good
ARP packets that can be used with aireplay to inject assoc requests.

Are there other packets that can be injected to generate a bunch of
traffic that don't require the FromDS = 0 and ToDS = 1?

Can I assume then that it would take a very long time for someone to
crack my WEP, or are there other tools that can be used to inject packets
into my network resulting in my AP responding with the tons of IVs necessary
to crack the key?

Simply... what's the likelihood that someone can inject packets and
crack my AP's WEP if there are no clients associated with it?

By my understanding they would just have to collect traffic for days and
days before they get enough IVs to crack it, instead of a few minutes if
they can use aireplay.

#2
08-11-2005, 05:37 PM
David Taylor
Re: AP WEP Vulnerability when there are no associated clients

> Are there other packets that can be injected to generate a bunch of
> traffic that don't require the FromDS = 0 and ToDS = 1?

Try using arpforge.

> Can I assume then that it would take a very long time for someone to
> crack my WEP, or are there other tools that can be used to inject packets
> into my network resulting in my AP responding with the tons of IVs necessary
> to crack the key?

See above, and if not, as soon as you start using your network, they just
deauth you, then capture the ARP upon reauth and then inject. 20 mins
later they're done and you're cracked.

> Simply... what's the likelihood that someone can inject packets and
> crack my AP's WEP if there are no clients associated with it?

But if you're not going to use it, just turn it off! :) I presume you
have an AP because you want to use it at some point?

> By my understanding they would just have to collect traffic for days and
> days before they get enough IVs to crack it, instead of a few minutes if
> they can use aireplay.

See above. Can you just switch to WPA and just move away from WEP?

David.

#3
08-11-2005, 06:23 PM
jstarNG
Re: AP WEP Vulnerability when there are no associated clients

David Taylor wrote:
>> Are there other packets that can be injected to generate a bunch of
>> traffic that don't require the FromDS = 0 and ToDS = 1?
>
> Try using arpforge.

Thanks, I'll read up on that.

>> Can I assume then that it would take a very long time for someone to
>> crack my WEP, or are there other tools that can be used to inject packets
>> into my network resulting in my AP responding with the tons of IVs necessary
>> to crack the key?
>
> See above, and if not, as soon as you start using your network, they just
> deauth you, then capture the ARP upon reauth and then inject. 20 mins
> later they're done and you're cracked.

Well, let's assume my computer is using the network, but the signal is
too weak to be detected from across the street. As in, only packets from
the AP are being detected. Without a MAC address or any information on
my client, how could they send a deauth packet, and then capture the
reauth if they did somehow guess the correct MAC address?

They can't, right?

>> Simply... what's the likelihood that someone can inject packets and
>> crack my AP's WEP if there are no clients associated with it?
>
> But if you're not going to use it, just turn it off! :) I presume you
> have an AP because you want to use it at some point?
>
>> By my understanding they would just have to collect traffic for days and
>> days before they get enough IVs to crack it, instead of a few minutes if
>> they can use aireplay.
>
> See above. Can you just switch to WPA and just move away from WEP?

It's not something I'm terribly concerned about. I -can- switch routers
to one that has WPA. The two questions were more hypothetical, for my own
understanding of the way things work.

Rephrasing: Apart from using arpforge as you mentioned above, what are
the requirements for cracking an AP's WEP if there are no clients
associated with it? As in, would they have to just sit and collect the
slowly incoming IVs (1pkt/~10sec) for days and days until they got lucky?

> David.

Thanks for your reply.
