I pulled this from the scapy list some time ago. Never tried it but it may be what you're looking for.
Type: Posts; User: level; Keyword(s):
Originally posted by Xiphos
Nice find. Here's the full link to make it easier:
http://www.irongeek.com/i.php?page=security/networkprinterhacking
I didn't look that closely at your code. I just assumed you had already done the arp poisoning and were looking for a way to route the packets to their correct destination after you had received them.
I've never used it but you may want to look into using scapy's routing table. This will let you route packets differently than your system.
conf.route
I see what you're saying now. I never tried metasploit in vmware until now.
What I think has to be done is to make the top three lines of the new module similar to the existing browser modules. I...
You need to reread post number 3 where he clearly states he is using the zd1211rw driver. And he is also using BT3. He doesn't need to update to BT4b to do a deauthentication and capture the wpa...
Deauthentication works in BT2 and BT3 even with the older zd1211 chipset.
He is using the zd1211rw driver not the madwifi driver.
Looks like you may be too far away. Here's a link that explains what the number of ACKs indicate:
...
I don't know what you mean by 'strange', but it seems you have a bad module. The easiest way would be to download it from the website.
...
It works fine for me without 'exploit'. Did you download the module from the website?
I mean use the command without 'exploit'
./msfcli /windows/browser/ms09_002_memory_corruption SRVPORT=80 URIPATH=test PAYLOAD=windows/shell/bind_tcp LPORT=4444
Drop the exploit in your msfcli command.
Have you had any success running that exploit against Vista?
This may clarify things a little:
http://forums.remote-exploit.org/showthread.php?p=121140
It appears your card is equipped with a Ralink RT2587
As secure_it stated it is not an atheros card, it is a TI card and uses the acx100 driver.
Maybe this post may give you some ideas.
http://forums.remote-exploit.org/showthread.php?t=16546
If you're using the rt73 driver included with BT3, try setting the rate to 1M
Originally quoted by =Tron=
That ticket applies to the serialmonkey rt73 driver with kernel 2.6.25.15.
The airodump-ng output shows he is on channel 0.
Have you got this to work? I've tried SMB to SMB and HTTP to SMB with no luck.
For arp spoofing you can also use
arpcachepoison(target_IP, victim_IP, interval=5)
I don't use the hostap driver but according to the BT wiki the patched hostap driver is on BT3.
Check this to see if your card is listed:
...
http://www.win.tue.nl/hashclash/rogue-ca/
I never had that problem, perhaps you have the kernel and ettercap forwarding packets.
When you start up ettercap it will stop the kernel from forwarding packets, which will prevent you from packet forwarding between the at0 and eth0 interface.
I was asking because I've done it without the -p option and it works fine.
Is the -p option really needed?