Help! I've spent 3 days trying to get airpwn injection working, with no luck. Airpwn starts without errors and sees plenty of traffic from the router to a 2nd laptop, but apparently doesn't want to inject any traffic. Using wireshark, I see the traffic from the 2nd laptop to the router. Injection supposedly works according to aireplay-ng --test. I've tried plenty of "match" lines in the airpwn configuration file. Any help would be greatly appreciated!


-------------
My setup:
  • laptop 1: tried with both BT4 Final and BT4 R1 BlackHat Edition. Tried with both internal Intel 5100AGN and external AWUS036H.
  • laptop 2: Windows Vista
  • router: Linksys WRT160N (with no WEP/WPA/WPA2)



I have tried many many variations such as:
  • setting or not setting the channel (e.g. iwconfig wlan0 channel 1)
  • running or not running wireshark
  • the order of some of the commands entered
  • supplying different drivers to airpwn with -d (iwlwifi, iwlagn, mac80211, iwl3945, iwl4965, ...)
  • overloaded the airpwn config file with plenty of sections whose match lines are pretty wide open (e.g. should match just about every HTTP request)
  • moved laptops around to different physical locations
  • instead of Intel 5100AGN, tried with external rtl8180 (and -d rtl8180 instead)
  • connecting and not connecting to the AP (e.g. wicd)



Here is a sequence of commands that I believed *should* work (but obviously doesn't):
-reboot BT4
-ifconfig wlan0 promisc
-airmon-ng start wlan0
Interface Chipset Driver
wlan0 Intel 4965/5xxx iwlagn - [phy0]
(monitor mode enabled on mon0)

-airpwn -i mon0 -c myconf -d iwlwifi -vvv -l log.1 #I've tried -d iwlagn, -d mac80211, and many others too...
-on laptop2: use firefox to fire off dozens of HTTP requests (e.g. a whole slew of pages)
-no injection with airpwn


-------------
typical output:
data packet len: 456, flags: 2 <-- DS
data packet len: 448, flags: 2 <-- DS
data packet len: 393, flags: 2 <-- DS
data packet len: 432, flags: 2 <-- DS
data packet len: 464, flags: 2 <-- DS
data packet len: 393, flags: 2 <-- DS
data packet len: 452, flags: 2 <-- DS
data packet len: 446, flags: 2 <-- DS
data packet len: 448, flags: 2 <-- DS
data packet len: 188, flags: 2 <-- DS
data packet len: 188, flags: 2 <-- DS
data packet len: 188, flags: 2 <-- DS
data packet len: 359, flags: 2 <-- DS
data packet len: 350, flags: 2 <-- DS
data packet len: 424, flags: 2 <-- DS
data packet len: 414, flags: 2 <-- DS
data packet len: 393, flags: 2 <-- DS
data packet len: 452, flags: 2 <-- DS
data packet len: 446, flags: 2 <-- DS
data packet len: 448, flags: 2 <-- DS
data packet len: 80, flags: 2 <-- DS


-------------
where myconf:

begin greet0_html
match ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response test.html
begin greet0b_html
match ^GET [^ ?]*+\.(?i:jpg|jpeg|gif|png)
response response_picture
begin greet1_html
match [a-zA-Z]
option reset
response response_index
begin greet2_html
match ^[a-zA-Z]
option reset
response response_index
begin greet3_html
match ^(GET|POST)
option reset
response response_index
begin greet4_html
match GET
option reset
response response_index
begin greet5_html
match POST
option reset
response response_index
begin greet6_html
match ^GET
option reset
response response_index
begin greet7_html
match ^POST
option reset
response response_index
begin greet8_html
match .*
option reset
response response_index
begin star1_html
match .*
response response_index
begin star2_html
match /^GET/
response response_index
begin star3_html
match m/GET/
response response_index
begin star4_html
match ^.*
response response_index
begin star5_html
match (.*)
response response_index
begin star6_html
match ^(.*)
response response_index
begin star7_html
match ^(.*)$
response response_index
begin star8_html
match ^.*$
response response_index
begin star9_html
match ^GET *
response response_index
begin star10_html
match ^POST *
response response_index
begin star11_html
match GET *
response response_index
begin star12_html
match POST *
response response_index
begin star13_html
match ^GET .*html
response response_index
begin star14_html
match ^GET .*js
response response_index

----------------------
Here are more details:

root@bt:~# dmesg | grep -i iwlagn
iwlagn: Intel(R) Wireless WiFi Link AGN driver for Linux, in-tree:d
iwlagn: Copyright(c) 2003-2010 Intel Corporation
iwlagn 0000:04:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
iwlagn 0000:04:00.0: setting latency timer to 64
iwlagn 0000:04:00.0: Detected Intel Wireless WiFi Link 5100AGN REV=0x54
iwlagn 0000:04:00.0: Tunable channels: 13 802.11bg, 24 802.11a channels
iwlagn 0000:04:00.0: irq 29 for MSI/MSI-X
iwlagn 0000:04:00.0: firmware: requesting iwlwifi-5000-2.ucode
iwlagn 0000:04:00.0: loaded firmware version 8.24.2.12


-------------------
root@bt:~# iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11abgn Mode:Managed Access Point: Not-Associated
Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off

mon0 IEEE 802.11abgn Mode:Monitor Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off




-------------------
root@bt:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:11:22:33:44:55
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:17

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

mon0 Link encap:UNSPEC HWaddr 00-11-22-33-44-56-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:333491 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37992994 (37.9 MB) TX bytes:0 (0.0 B)

wlan0 Link encap:Ethernet HWaddr 00:11:22:33:44:57
BROADCAST PROMISC MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)


Thanks for any pointers/help!!!
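Added example, not code from the post above or from the airpwn project. It ties together two parts of the post: the "flags: 2 <-- DS" lines in the typical output, and the match lines in myconf. The 802.11 frame-control flags byte encodes direction (bit 0 ToDS, station to AP; bit 1 FromDS, AP to station), so a value of 2 is AP-to-client traffic; the client's HTTP request, which is the only thing a request-spoofing injector can match a response against, travels ToDS. The config parser below follows the begin/match/option/response layout of the quoted myconf, and the simulated injector matches only ToDS frames. Assumptions: the regex engine is Python's re rather than airpwn's PCRE (possessive quantifiers such as `[^ ?]*+` are accepted only from Python 3.11; earlier versions reject them, and the code reports that instead of matching), the hypothetical "delimited Perl regex" lint is mine, and airpwn's own internal frame handling and log wording are not reproduced. The config and frames are constructed for the demo, not captured.

```python
# Added example, not code from the original post or the airpwn project:
# 802.11 ToDS/FromDS flag decoding plus an airpwn-style "match" rule simulator.
import re
from dataclasses import dataclass, field

TO_DS = 0x01    # 802.11 frame-control flag: station -> AP (HTTP requests)
FROM_DS = 0x02  # 802.11 frame-control flag: AP -> station (HTTP replies)


def describe_flags(flags: int) -> str:
    """Name the distribution-system direction encoded in a flags byte."""
    bits = flags & (TO_DS | FROM_DS)
    return {
        0: "neither: IBSS or management traffic",
        TO_DS: "ToDS: station -> AP (client requests travel here)",
        FROM_DS: "FromDS: AP -> station (replies to the client)",
        TO_DS | FROM_DS: "WDS: both ToDS and FromDS set",
    }[bits]


@dataclass
class Rule:
    name: str
    pattern: str = ""
    response: str = ""
    options: list = field(default_factory=list)
    regex: object = None  # compiled pattern, or None if it failed to compile
    warnings: list = field(default_factory=list)


def parse_conf(text: str) -> list:
    """Parse begin/match/option/response blocks into Rule objects."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "begin":
            cur = Rule(name=value.strip())
            rules.append(cur)
        elif cur is None:
            raise ValueError(f"directive before any 'begin': {line!r}")
        elif key == "match":
            cur.pattern = value
            # Hypothetical lint: a bare regex is expected, so Perl-style /.../
            # or m/.../ delimiters become literal characters and never match.
            if re.fullmatch(r"m?/.*/[a-z]*", value):
                cur.warnings.append("looks like a delimited Perl regex")
            try:
                cur.regex = re.compile(value)
            except re.error as exc:
                cur.warnings.append(f"does not compile under re: {exc}")
        elif key == "option":
            cur.options.append(value.strip())
        elif key == "response":
            cur.response = value.strip()
    return rules


def matching_rules(rules: list, payload: str) -> list:
    """Names of every rule whose regex matches; rules that failed to compile skip."""
    return [r.name for r in rules if r.regex is not None and r.regex.search(payload)]


def simulate(rules: list, frames: list) -> dict:
    """Match only ToDS frames (client requests); count and skip FromDS frames."""
    summary = {"skipped_from_ds": 0, "hits": {}}
    for flags, payload in frames:
        if not flags & TO_DS:
            summary["skipped_from_ds"] += 1
            continue
        hit = matching_rules(rules, payload)
        if hit:
            summary["hits"][payload.split("\r\n", 1)[0]] = hit
    return summary


# Constructed config: one sound image rule, two that can never fire, a catch-all.
SAMPLE_CONF = """\
begin image_swap
match ^GET [^ ?]+\\.(?i:jpg|jpeg|gif|png)
response response_picture
begin possessive_img
match ^GET [^ ?]*+\\.(jpg|jpeg|gif|png)
response response_picture
begin perl_delims
match /^GET/
response response_index
begin catch_all
match .*
option reset
response response_index
"""

# Constructed frames: two client requests (ToDS) and two AP replies (FromDS).
SAMPLE_FRAMES = [
    (FROM_DS, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    (TO_DS, "GET /images/logo.png HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (TO_DS, "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (FROM_DS, "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n\x89PNG"),
]

if __name__ == "__main__":
    for r in parse_conf(SAMPLE_CONF):
        print(f"{r.name}: {r.pattern!r} warnings={r.warnings}")
    print(describe_flags(2), simulate(parse_conf(SAMPLE_CONF), SAMPLE_FRAMES))
```

Running it shows the catch-all `.*` and the image rule firing on the two requests, `/^GET/` never firing because the slash is literal, the possessive `[^ ?]*+\.` rule either rejected or never matching (it swallows the dot it then needs), and both FromDS frames skipped without any match attempt: a log consisting only of FromDS lines means no request payload ever reached the matcher, whatever the match lines say.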