Ettercap ARP poison - Alfa AWUS036H fail but Air Live Turbo-G el cheapo works?

[mythan]

Hi,

I've been looking through numerous sources to try and track down what the problem could be but I'm stumped. Using Backtrack 4 final and tried this on both USB and VMWare versions (VMware on workstation and USB thumbdrive on HP laptop).

I've tested ARP poisoning (MITM with Ettercap) with 4 wireless cards but can only get it to work on one.

Cards:

1) AWUS036H 500mW (tried both rtl8187 & r8187 modules) - No poisoning
2) AWUS036H 1000mW (tried both rtl8187 & r8187 modules) - No posoning
3) Internal HP laptop wifi (Intel 4965 according to airmon-ng) - No poisoning
4) USB Air Live Turbo-G (Ralink 2573 USB rt73usb) - Poisoning process succesful!

I've made the changes to ettercap.conf:

a) ec_uid and ec_gid is set to root (0)
b) Uncommented the two lines "redir_command_on = "iptables..." and "redir_command_off = "iptables..."

Using Wireshark I can see that requests are coming through even if it says the "No ARP poisoning at all" in ettercap, but it significantly hinders the connection between Target 1 and Target 2. Websites fail to load up and slow to a crawl. With the Air Live USB card it works like a charm, no slow downs or timeouts and logging into sites like GMAIL, Facebook etc all comes up with the typical certificate warning where I don't have any of that luck with the other 3 cards.

I've tested ARP injection with the AWUS036H cards and they both inject without any problems (aireplay-ng -9 <interface>). Quite easily cracked WEP and can use all 4 cards with WICD without any problems.

Why would my "better" cards be struggling? Anyone with an Alfa poisoning ARP succesfully? Any other information I can provide to clarify my setup?

Any help much appreciated!

[Snayler]

I tried this with a Alfa'36h 1000mw and the same happens to me. With my TP-Link WN422G everything works fine. I'll try to investigate further and I will post back once I get the results.

[mythan]

Hi Snayler,

Strange eh? If this is a wider issue I'm surprised it hasn't been mentioned earlier (unless somebody owns me with a link to a thread/URL where this has been discussed before).

I'd be very keen to find out what the result of your investigation is. I thought at some point it may have been the access point (Linksys WAG54GP2) but I get the same result on a Netgear WGR614 with the same cards.

Thanks for looking into this.

[MassAppeal]

Works for me with AWUS036H =P

[mythan]

Hi MassAppeal,

1) Did you make any changes (driver module?), application updates etc to your Backtrack 4 USB/VMWare distro?
2) What type of encryption does your AP use? I've tested it on WEP and WPA2.

Following is basically what I'd do:

a) ifconfig <int> down
b) macchanger -r <int>
c) wicd start
d) wicd-client, connect it up to access point, verify it's ok by pinging gateway, test gateway by browsing to random website.
e) startup ettercap GTK, unified sniffing, start sniffing, scan for hosts & set found gateway and client, activate ARP poisoning

Works fine with AirLive Turbo, fails with Alfa

It's like the Alfa has trouble forwarding the packets through causing timeouts between the two targets. As soon as I switch of ARP poisoning, *poof*, all back to normal between client and gateway.

You do any other steps or in a different order?

Thank you