Thread: can't get airpwn injection working with BT4

  1. #1
    Just burned his ISO (Join Date: Aug 2010, Posts: 2)

    can't get airpwn injection working with BT4

    Help! I've spent 3 days trying to get airpwn injection working, with no luck. Airpwn starts without errors and sees plenty of traffic from the router to a 2nd laptop, but apparently doesn't want to inject any traffic. Using Wireshark, I see the traffic from the 2nd laptop to the router. Injection supposedly works according to aireplay-ng --test. I've tried plenty of "match" lines in the airpwn configuration file. Any help would be greatly appreciated!


    -------------
    My setup:
    • laptop 1: tried with both BT4 Final and BT4 R1 BlackHat Edition. Tried with both internal Intel 5100AGN and external AWUS036H.
    • laptop 2: Windows Vista
    • router: Linksys WRT160N (with no WEP/WPA/WPA2)



    I have tried many, many variations such as:
    • setting or not setting the channel (e.g. iwconfig wlan0 channel 1)
    • running or not running Wireshark
    • the order of some of the commands entered
    • supplying different drivers to airpwn with -d (iwlwifi, iwlagn, mac80211, iwl3945, iwl4965, ...)
    • overloading the airpwn config file with plenty of sections whose matches are pretty wide open (e.g. should match just about every HTTP request)
    • moving the laptops around to different physical locations
    • instead of the Intel 5100AGN, trying the external rtl8180 (with -d rtl8180 instead)
    • connecting and not connecting to the AP (e.g. with wicd)



    Here is a sequence of commands that I believed *should* work (but obviously don't):
    -reboot BT4
    -ifconfig wlan0 promisc
    -airmon-ng start wlan0
    Interface Chipset Driver
    wlan0 Intel 4965/5xxx iwlagn - [phy0]
    (monitor mode enabled on mon0)

    -airpwn -i mon0 -c myconf -d iwlwifi -vvv -l log.1 #I've tried -d iwlagn, -d mac80211, and many others too...
    -on laptop2: use firefox to fire off dozens of HTTP requests (e.g. a whole slew of pages)
    -no injection with airpwn


    -------------
    typical output:
    data packet len: 456, flags: 2 <-- DS
    data packet len: 448, flags: 2 <-- DS
    data packet len: 393, flags: 2 <-- DS
    data packet len: 432, flags: 2 <-- DS
    data packet len: 464, flags: 2 <-- DS
    data packet len: 393, flags: 2 <-- DS
    data packet len: 452, flags: 2 <-- DS
    data packet len: 446, flags: 2 <-- DS
    data packet len: 448, flags: 2 <-- DS
    data packet len: 188, flags: 2 <-- DS
    data packet len: 188, flags: 2 <-- DS
    data packet len: 188, flags: 2 <-- DS
    data packet len: 359, flags: 2 <-- DS
    data packet len: 350, flags: 2 <-- DS
    data packet len: 424, flags: 2 <-- DS
    data packet len: 414, flags: 2 <-- DS
    data packet len: 393, flags: 2 <-- DS
    data packet len: 452, flags: 2 <-- DS
    data packet len: 446, flags: 2 <-- DS
    data packet len: 448, flags: 2 <-- DS
    data packet len: 80, flags: 2 <-- DS


    -------------
    where myconf:

    Code:
    begin greet0_html
    match ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
    response test.html
    begin greet0b_html
    match ^GET [^ ?]*+\.(?i:jpg|jpeg|gif|png)
    response response_picture
    begin greet1_html
    match [a-zA-Z]
    option reset
    response response_index
    begin greet2_html
    match ^[a-zA-Z]
    option reset
    response response_index
    begin greet3_html
    match ^(GET|POST)
    option reset
    response response_index
    begin greet4_html
    match GET
    option reset
    response response_index
    begin greet5_html
    match POST
    option reset
    response response_index
    begin greet6_html
    match ^GET
    option reset
    response response_index
    begin greet7_html
    match ^POST
    option reset
    response response_index
    begin greet8_html
    match .*
    option reset
    response response_index
    begin star1_html
    match .*
    response response_index
    begin star2_html
    match /^GET/
    response response_index
    begin star3_html
    match m/GET/
    response response_index
    begin star4_html
    match ^.*
    response response_index
    begin star5_html
    match (.*)
    response response_index
    begin star6_html
    match ^(.*)
    response response_index
    begin star7_html
    match ^(.*)$
    response response_index
    begin star8_html
    match ^.*$
    response response_index
    begin star9_html
    match ^GET *
    response response_index
    begin star10_html
    match ^POST *
    response response_index
    begin star11_html
    match GET *
    response response_index
    begin star12_html
    match POST *
    response response_index
    begin star13_html
    match ^GET .*html
    response response_index
    begin star14_html
    match ^GET .*js
    response response_index

    ----------------------
    Here are more details:

    root@bt:~# dmesg | grep -i iwlagn
    iwlagn: Intel(R) Wireless WiFi Link AGN driver for Linux, in-tree:d
    iwlagn: Copyright(c) 2003-2010 Intel Corporation
    iwlagn 0000:04:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
    iwlagn 0000:04:00.0: setting latency timer to 64
    iwlagn 0000:04:00.0: Detected Intel Wireless WiFi Link 5100AGN REV=0x54
    iwlagn 0000:04:00.0: Tunable channels: 13 802.11bg, 24 802.11a channels
    iwlagn 0000:04:00.0: irq 29 for MSI/MSI-X
    iwlagn 0000:04:00.0: firmware: requesting iwlwifi-5000-2.ucode
    iwlagn 0000:04:00.0: loaded firmware version 8.24.2.12


    -------------------
    root@bt:~# iwconfig
    lo no wireless extensions.

    eth0 no wireless extensions.

    wlan0 IEEE 802.11abgn Mode:Managed Access Point: Not-Associated
    Tx-Power=15 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Encryption key:off
    Power Management:off

    mon0 IEEE 802.11abgn Mode:Monitor Tx-Power=15 dBm
    Retry long limit:7 RTS thr:off Fragment thr:off
    Power Management:off




    -------------------
    root@bt:~# ifconfig -a
    eth0 Link encap:Ethernet HWaddr 00:11:22:33:44:55
    BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:17

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    mon0 Link encap:UNSPEC HWaddr 00-11-22-33-44-56-00-00-00-00-00-00-00-00-00-00
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:333491 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:37992994 (37.9 MB) TX bytes:0 (0.0 B)

    wlan0 Link encap:Ethernet HWaddr 00:11:22:33:44:57
    BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


    Thanks for any pointers/help!!!

  2. #2
    Member (Join Date: Feb 2010, Posts: 69)

    Re: can't get airpwn injection working with BT4

    You probably have, but have you tried running gerix-wifi-cracker?
    Seems to work a little better sometimes.
    Good luck!

  3. #3
    Just burned his ISO (Join Date: Jun 2010, Posts: 9)

    Re: can't get airpwn injection working with BT4

    I would also like some advice on this issue. I have two cards/drivers: Alfa 050nh/036nh, rt2800usb/rtl8187. I have tried the airpwn that is included in BT4 Final and a 1.4 compiled version, and I can't seem to get it to inject.
    The injection test works and I get the same kind of output: "data packet len: 456, flags: 2 <-- DS"
    I even locked the card on the right channel, so packet loss shouldn't be the issue.

    So if someone has experience with this, please share.

    //zlate

  4. #4
    Junior Member (Join Date: Oct 2010, Posts: 45)

    Re: can't get airpwn injection working with BT4

    I am having the same problem, running airpwn from Ubuntu 10.10. Basically it says everything is working, but it isn't! Please let me know if you figure this out, I've tried everything!

  5. #5
    Junior Member (Join Date: Oct 2010, Posts: 45)

    Re: can't get airpwn injection working with BT4

    Quote Originally Posted by zlate:
    I would also like some advice on this issue. I have two cards/drivers: Alfa 050nh/036nh, rt2800usb/rtl8187. I have tried the airpwn that is included in BT4 Final and a 1.4 compiled version, and I can't seem to get it to inject.
    The injection test works and I get the same kind of output: "data packet len: 456, flags: 2 <-- DS"
    I even locked the card on the right channel, so packet loss shouldn't be the issue.

    So if someone has experience with this, please share.

    //zlate
    How'd you lock your card? Are you using a mon0 interface?

  6. #6
    Just burned his ISO (Join Date: Feb 2011, Posts: 1)

    Re: can't get airpwn injection working with BT4

    Hey, I am a real noob with airpwn and it seems not to work well.

    My wifi card is an Atheros 982X

    Interface Chipset Driver

    wlan0 Atheros ath9k - [phy0]
    mon0 Atheros ath9k - [phy0]

    (mon0 was created with the command sudo airmon-ng start wlan0, and it was tested successfully with aireplay-ng -9 mon0: injection is working)

    Then I started airpwn:
    sudo airpwn -c conf/greet_html -i mon0 -d ath9k -vvv
    (since the network is not encrypted, we don't need -F -k)

    The output:

    Parsing configuration file..
    Opening command socket..
    Opening monitor socket..
    Opening injection socket..
    LORCON - tx80211_setmode(...) is deprecated, please use tx80211_setfunctionalmode(...) instead
    Listening for packets...
    Channel changing thread starting..
    data packet len: 90, flags: 2 <-- DS
    data packet len: 108, flags: 2 <-- DS
    data packet len: 108, flags: 2 <-- DS
    data packet len: 256, flags: 2 <-- DS
    data packet len: 108, flags: 2 <-- DS

    I could not see any "matched configuration" message or anything like that. Nothing happened on the victim computer, my iPod.

    So what am I stuck on?
    I wonder whether I am using the ath9k driver with the -d parameter correctly, because I did not see it in airpwn's supported drivers. But on some website, someone got it working with ath5k. I've installed madwifi-ng but it did not work either.

    Someone help me. Thanks so much. I loved Linux at first sight =))

  7. #7
    Junior Member (Join Date: Oct 2010, Posts: 45)

    Re: can't get airpwn injection working with BT4

    Quote Originally Posted by Nazagul:
    You probably have, but have you tried running gerix-wifi-cracker?
    Seems to work a little better sometimes.
    Good luck!
    For airpwn-ing? I think you think we're talking about aircrack-ng. Airpwn is a different program..
