can't get airpwn injection working with BT4
Help! I've spent 3 days trying to get airpwn injection working, with no luck. Airpwn starts without errors and sees plenty of traffic from the router to a 2nd laptop, but apparently doesn't want to inject any traffic. Using Wireshark, I see the traffic from the 2nd laptop to the router. Injection supposedly works according to aireplay-ng --test. I've tried plenty of "match" lines in the airpwn configuration file. Any help would be greatly appreciated!
-------------
My setup:
- laptop 1: tried with both BT4 Final and BT4 R1 BlackHat Edition. Tried with both internal Intel 5100AGN and external AWUS036H.
- laptop 2: Windows Vista
- router: Linksys WRT160N (with no WEP/WPA/WPA2)
I have tried many many variations such as:
- setting or not setting the channel (e.g. iwconfig wlan0 channel 1)
- running or not running wireshark
- the order of some of the commands entered
- supplying different drivers to airpwn with -d (iwlwifi, iwlagn, mac80211, iwl3945, iwl4965, ...)
- overloading the airpwn config file with plenty of sections whose matches are pretty wide open (e.g. should match just about every HTTP request)
- moved laptops around to different physical locations
- instead of Intel 5100AGN, tried with external rtl8180 (and -d rtl8180 instead)
- connecting and not connecting to the AP (e.g. wicd)
Here is a sequence of commands that I believed *should* work (but obviously doesn't):
-reboot BT4
-ifconfig wlan0 promisc
-airmon-ng start wlan0
Interface Chipset Driver
wlan0 Intel 4965/5xxx iwlagn - [phy0]
(monitor mode enabled on mon0)
-airpwn -i mon0 -c myconf -d iwlwifi -vvv -l log.1 # I've tried -d iwlagn, -d mac80211, and many others too...
-on laptop2: use firefox to fire off dozens of HTTP requests (e.g. a whole slew of pages)
-no injection with airpwn
-------------
typical output:
data packet len: 456, flags: 2 <-- DS
data packet len: 448, flags: 2 <-- DS
data packet len: 393, flags: 2 <-- DS
data packet len: 432, flags: 2 <-- DS
data packet len: 464, flags: 2 <-- DS
data packet len: 393, flags: 2 <-- DS
data packet len: 452, flags: 2 <-- DS
data packet len: 446, flags: 2 <-- DS
data packet len: 448, flags: 2 <-- DS
data packet len: 188, flags: 2 <-- DS
data packet len: 188, flags: 2 <-- DS
data packet len: 188, flags: 2 <-- DS
data packet len: 359, flags: 2 <-- DS
data packet len: 350, flags: 2 <-- DS
data packet len: 424, flags: 2 <-- DS
data packet len: 414, flags: 2 <-- DS
data packet len: 393, flags: 2 <-- DS
data packet len: 452, flags: 2 <-- DS
data packet len: 446, flags: 2 <-- DS
data packet len: 448, flags: 2 <-- DS
data packet len: 80, flags: 2 <-- DS
-------------
where myconf:
Code:
begin greet0_html
match ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response test.html
begin greet0b_html
match ^GET [^ ?]*+\.(?i:jpg|jpeg|gif|png)
response response_picture
begin greet1_html
match [a-zA-Z]
option reset
response response_index
begin greet2_html
match ^[a-zA-Z]
option reset
response response_index
begin greet3_html
match ^(GET|POST)
option reset
response response_index
begin greet4_html
match GET
option reset
response response_index
begin greet5_html
match POST
option reset
response response_index
begin greet6_html
match ^GET
option reset
response response_index
begin greet7_html
match ^POST
option reset
response response_index
begin greet8_html
match .*
option reset
response response_index
begin star1_html
match .*
response response_index
begin star2_html
match /^GET/
response response_index
begin star3_html
match m/GET/
response response_index
begin star4_html
match ^.*
response response_index
begin star5_html
match (.*)
response response_index
begin star6_html
match ^(.*)
response response_index
begin star7_html
match ^(.*)$
response response_index
begin star8_html
match ^.*$
response response_index
begin star9_html
match ^GET *
response response_index
begin star10_html
match ^POST *
response response_index
begin star11_html
match GET *
response response_index
begin star12_html
match POST *
response response_index
begin star13_html
match ^GET .*html
response response_index
begin star14_html
match ^GET .*js
response response_index
----------------------
Here are more details:
root@bt:~# dmesg | grep -i iwlagn
iwlagn: Intel(R) Wireless WiFi Link AGN driver for Linux, in-tree:d
iwlagn: Copyright(c) 2003-2010 Intel Corporation
iwlagn 0000:04:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
iwlagn 0000:04:00.0: setting latency timer to 64
iwlagn 0000:04:00.0: Detected Intel Wireless WiFi Link 5100AGN REV=0x54
iwlagn 0000:04:00.0: Tunable channels: 13 802.11bg, 24 802.11a channels
iwlagn 0000:04:00.0: irq 29 for MSI/MSI-X
iwlagn 0000:04:00.0: firmware: requesting iwlwifi-5000-2.ucode
iwlagn 0000:04:00.0: loaded firmware version 8.24.2.12
-------------------
root@bt:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11abgn Mode:Managed Access Point: Not-Associated
Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
mon0 IEEE 802.11abgn Mode:Monitor Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
-------------------
root@bt:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:11:22:33:44:55
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
mon0 Link encap:UNSPEC HWaddr 00-11-22-33-44-56-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:333491 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37992994 (37.9 MB) TX bytes:0 (0.0 B)
wlan0 Link encap:Ethernet HWaddr 00:11:22:33:44:57
BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Thanks for any pointers/help!!!
Re: can't get airpwn injection working with BT4
You probably have, but have you tried running gerix-wifi-cracker?
It seems to work a little better sometimes.
Good luck!
Re: can't get airpwn injection working with BT4
I would also like some advice on this issue. I have two cards/drivers: Alfa 050NH/036NH, rt2800usb/rtl8187. I have tried the airpwn that is included in BT4 Final and a 1.4 compiled version and I can't seem to get it to inject.
The injection test works and I get the same kind of output: "data packet len: 456, flags: 2 <-- DS"
I even locked the card on the right channel so packet loss shouldn't be the issue.
So if someone has experience with this, please share.
//zlate
Re: can't get airpwn injection working with BT4
I am having the same problem, running airpwn from Ubuntu 10.10. Basically it says everything is working, but it isn't! Please let me know if you figure this out, I've tried everything!
Re: can't get airpwn injection working with BT4
Quote (originally posted by Nazagul):
You probably have, but have you tried running gerix-wifi-cracker?
It seems to work a little better sometimes.
Good luck!
For airpwn-ing? I think you think we're talking about aircrack-ng. Airpwn is a different program.
Re: can't get airpwn injection working with BT4
Quote (originally posted by zlate):
I would also like some advice on this issue. I have two cards/drivers: Alfa 050NH/036NH, rt2800usb/rtl8187. I have tried the airpwn that is included in BT4 Final and a 1.4 compiled version and I can't seem to get it to inject.
The injection test works and I get the same kind of output: "data packet len: 456, flags: 2 <-- DS"
I even locked the card on the right channel so packet loss shouldn't be the issue.
So if someone has experience with this, please share.
//zlate
How'd you lock your card? Are you using a mon0 interface?
Re: can't get airpwn injection working with BT4
Hey, I am a real noob with airpwn and it seemed not to work well.
My wifi card is Atheros 982X
Interface Chipset Driver
wlan0 Atheros ath9k - [phy0]
mon0 Atheros ath9k - [phy0]
(mon0 was created with the command: sudo airmon-ng start wlan0, and it was tested successfully with aireplay-ng -9 mon0 - injection is working)
then I started my airpwn:
sudo airpwn -c conf/greet_html -i mon0 -d ath9k -vvv
(since the network is not encrypted, we don't need -F -k)
The output:
Parsing configuration file..
Opening command socket..
Opening monitor socket..
Opening injection socket..
LORCON - tx80211_setmode(...) is deprecated, please use tx80211_setfunctionalmode(...) instead
Listening for packets...
Channel changing thread starting..
data packet len: 90, flags: 2 <-- DS
data packet len: 108, flags: 2 <-- DS
data packet len: 108, flags: 2 <-- DS
data packet len: 256, flags: 2 <-- DS
data packet len: 108, flags: 2 <-- DS
I could not see the matched configuration file or anything like that. Nothing happened on the victim computer, my iPod.
So what was I stuck on?
I wonder if I am using the ath9k driver with the -d parameter right, because I did not see it in the airpwn supported drivers? But on some website, someone got it working with ath5k. I've installed madwifi-ng but it did not work either.
Someone help me. Thanks so much. I loved Linux at first sight =))