Hey Guys, I wrote about this on my blog after a few people asked me how I did it so thought I would share it here too.

Here is the blog article Packet Injection From VMWare with BT4

And this is the short, sweet, and easy of it:

I have a MacBook that I LOVE. To use it as a penetration testing platform I installed all kinds of software, but mostly just found myself using BackTrack. The only thing I hated was having to reboot to Backtrack to do packet injection, and a few other wireless tools. that is till I found this baby:


This is the Fonera by Fon. It is currently running for $29, but you can usually find some decent coupon codes, and you can also pair it up with a better antenna for better range.

So why on earth do you want this router, and how does this in any way correlate with packet injection? Well you have to start by flashing the ROM to put a different firmware on it. While not the easiest task in the world, pretty much all you have to do is follow directions. Here is the guide to put Legend firmware on the Fonera.

The Legend firmware comes with the Aircrack-ng suite of tools. Including a very special tool we will use called Airserv-ng. Best described by the guys that made it:

Airserv-ng is a wireless card server which allows multiple wireless application programs to independently use a wireless card via a client-server TCP network connection. All operating system and wireless card driver specific code is incorporated into the server. This eliminates the need for each wireless application to contain the complex wireless card and driver logic. It is also supports multiple operating systems.

This is allowing you to use the Fonera for it’s great wireless transceiver, and the host machine as the number cruncher. This allows a machine with no wireless connection, non-compatible, or virtual machine to use the Fonera as it was an internal card. Which works great for running BT4 in a VMWare session and injecting from there. Usage is given on the Airserv-ng page:

At this point you may use any of the aircrack-ng suite programs on the second system and specify “” instead of the network interface. is the IP address of the server system and 666 is the port number that the server is running on. Remember that 666 is the default port number.

On the second system, you would enter “airodump-ng” to start scaning all the networks. You may run aircrack-ng applications on as many other systems as you want by simply specifying “” as the network interface.

Now I know what some of you are saying, “This is great, but not a useful mobile application.” Don’t worry baby bird, I have you taken care of, you really think I would leave you hanging like that? That’s not my style. (Thanks DT)


This 4 AA battery pack from Radio Shack, with the “L” size adapter, and even the crappy over priced batteries will set you back less than $10. So now you have a complete mobile solution for doing what ever you would like with wifi.

Fonera Link

Legend Link

Airserv-ng Link