
Thread: How to crack with broadcom4306

  1. #1
    Junior Member
    Join Date
    Oct 2007
    Posts
    68

    Default How to crack with broadcom4306

    I finally cracked my own WEP key with my Broadcom 4306, also known as the Linksys WMP54G. This card worked better than my rt61!

    The first thing you want to do is boot into bt2 and then update to the latest aircrack-ng 1.0 beta. After that we will use iwconfig to determine which interface the card is on; in my case it is eth1. We then use airmon-ng stop eth1; it should say chipset broadcom and the driver should be bcm43xx (monitor mode disabled). After you run that, run airmon-ng start eth1, which will then tell you that monitor mode is enabled for bcm43xx.

    Just to make sure it is working, type in aireplay-ng -9 <interface>. It should say broadcasting probe requests, and it will say either "Injection is working!" or the failure "No Answer". If it says no answer and that there are 0 APs found, run the command iwconfig eth1 channel 6 rate 1M (capital M), which will set the card to channel 6; if it still doesn't detect the AP, make sure that you are close enough to the AP for your card to transmit packets back to it.

    If you see the injection is working message, we then proceed to using airodump-ng. The command you want to run for that is airodump-ng -c 6 eth1. This captures the BSSID of the AP whose WEP key you want to crack. Press ctrl+c to break the operation, which will return you to the command line. Run aireplay-ng -1 0 -e <essid> -a <BSSID OF AP> -h <the source MAC of your wireless card, which you can find on the label on the bottom of the card> <interface>, so the whole line should look like this:
    aireplay-ng -1 0 -e linksys -a 00:11:22:33:44:55 -h 00:11:22:33:44:55 eth1
    If it says sending authentication request a couple of times, give it a few minutes to authenticate and associate.
    Then you may close this shell, open up another shell and type in airodump-ng -c 6 -w capture eth1
    This will write and capture.
    Then open up another shell and type in aireplay-ng -3 -b <AP MAC address> -h <your MAC address> eth1, and keep an eye on the packets coming in on airodump-ng.
    Once you have 40000 packets you can crack a 104-bit key by typing in aircrack-ng -z capture*.cap

  2. #2
    Junior Member
    Join Date
    Dec 2007
    Posts
    27

    Thumbs up

    Kudos..... this worked wonderfully on my Dell 1350 Mini-PCI card with BCM4306 chipset.

    Your step-by-step was perfect and I cracked my 128 WEP in 30 minutes... (because this is my first time I'd tried all this out to test my security so I was going slow).

    Running BT3 "as is" with no modifications whatsoever off my laptop hard drive, which is a dual boot with XP.

    Injection worked just like you said.

    Once this card got an ARP... couple minutes.... Aireplay would grab about 10,000 packets swiftly and then fault.... just pressed Up Arrow and <Enter> to restart and same thing... wait a couple minutes for ARP, then away it flies... took just over 40,000 to get what I wanted.

    The fault I get is:

    Write failed: Cannot allocate memoryests and 2661 ACKs), sent 3169 packets...(499 pps)
    wi_write (): Illegal seek

    The numbers varied and were:
    3169 packets
    16587 packets
    10974 packets

    ... and then Aircrack coughed up the WEP Key

    Very cool! Thanks a bunch for the help!!

  3. #3
    Just burned his ISO
    Join Date
    Dec 2007
    Posts
    17

    Default

    I have a bcm4813 on my laptop. I got the live CD BT3 and was able to crack my own WEP a couple of days ago. I just read your step by step and it's basically what I do, in precise detail. I wish I had run into it just after getting the live CD :P but I figure I learned more my own way by doing my own research. Good post!

    Quote Originally Posted by teachscuba:
    The fault I get is:

    Write failed: Cannot allocate memoryests and 2661 ACKs), sent 3169 packets...(499 pps)
    wi_write (): Illegal seek

    The reason you get write failed after some time is because your chip can't handle too many PPS; 499 is too fast for a Broadcom. What you can do is add "-x 30" to the command and it will cap the PPS to 30. You won't get that error anymore, but it will be slower.

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    27

    Default

    sagan,

    I was suspicious that that was the problem; however, I am so new to Linux that I was unsure... also about how to reset the speed.

    With your knowledgeable advice and an executive decision on my part, I used "-x 250" instead of your suggested "-x 30" and it worked fine.

    8 (EIGHT) minutes later, I had the WEP key which came out of 1 single file...

    Thanks to both you and psp for the expert advice in pointing the way to success!!!

    Happy Holidays!

    teach

  5. #5
    Just burned his ISO
    Join Date
    Nov 2007
    Posts
    10

    Default

    When I do this: run aireplay-ng -1 0 -e <essid> -a <BSSID OF AP>
    -h <the source mac of your wireless card which you can find on the bottom of the card as a label> <interface> so the whole line should look like this.

    It says sending authentication, but just hangs. Is there anything I am doing wrong? I have an Intel 4965 wireless card.

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    27

    Default

    aireplay-ng -1 0 -e linksys -a 00:11:22:33:44:55 -h 00:11:22:33:44:55 -x 30 eth1

    This is what sagan suggested to SLOW the writing packets to file down so that you don't overload your wireless adapter.

    As suggested, -x 30 is slooooow... I chose to start at the mid point of -x 250 and worked my way up to -x 400 and it worked fine with the -3 attack.

    Hope this helps; it sure did me!

    teach

  7. #7

    Default

    You are maybe not close enough to the AP. You have to have a strong signal, otherwise it will fail. The problem with the Broadcom card is that you don't really know the strength of the signal.

  8. #8
    Senior Member imported_spankdidly
    Join Date
    Feb 2006
    Posts
    1,031

    Default

    How many times are you going to post that????
