Also, have you looked at your captures with tcpdump??
Another way to identify a failed fake authentication is to run tcpdump and look at the packets. Start another session while you are injecting and…
Run:
Code:
tcpdump -n -e -s0 -vvv -i ath0
Here is a typical tcpdump error message you are looking for:
Code:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0f:b5:46:11:19) you are not associated. Meaning, the AP will not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: “tcpdump -n -e -s0 -vvv -i ath0 | grep DeAuth”. You may need to tweak the phrase “DeAuth” to pick out the exact packets you want.
Also use Wireshark to take a look at what's going on.
Examples of successful authentications
When troubleshooting failed fake authentications, it can be helpful to do a packet capture and compare it to successful ones. As well, simply reviewing these packet captures with Wireshark can be very educational.
Here are packet captures of the two types of authentication - open and shared key:





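As an alternative to the grep filter mentioned above, here is an added example (not part of the original post) that parses tcpdump text output and counts deauthentication frames sent by an access point, grouped by station and reason. The field layout is assumed from the single sample line in the post; the other sample lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Layout assumed from the post's sample: BSSID:<mac> DA:<mac> SA:<mac> DeAuthentication: <reason>
DEAUTH_RE = re.compile(
    rf"BSSID:(?P<bssid>{MAC})\s+DA:(?P<da>{MAC})\s+SA:(?P<sa>{MAC})\s+"
    r"DeAuthentication:\s*(?P<reason>.+?)\s*$",
    re.IGNORECASE,
)

def parse_deauth(line):
    """Return the fields of a DeAuthentication line, or None for any other line."""
    m = DEAUTH_RE.search(line)
    if not m:
        return None
    frame = {k: (v if k == "reason" else v.lower()) for k, v in m.groupdict().items()}
    # The AP is the sender when the source address equals the BSSID.
    frame["from_ap"] = frame["sa"] == frame["bssid"]
    return frame

def summarize(lines):
    """Count AP-originated deauth frames per (bssid, station, reason)."""
    counts = Counter()
    for line in lines:
        frame = parse_deauth(line)
        if frame and frame["from_ap"]:
            counts[(frame["bssid"], frame["da"], frame["reason"])] += 1
    return counts

REASON = "Class 3 frame received from nonassociated station"
SAMPLE = [
    # First line is the one quoted in the post; the rest are constructed.
    f"11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:46:11:19 SA:00:14:6c:7e:40:80 DeAuthentication: {REASON}",
    f"11:04:35.112233 314us BSSID:00:14:6C:7E:40:80 DA:00:0F:B5:46:11:19 SA:00:14:6C:7E:40:80 DeAuthentication: {REASON}\n",
    "11:04:35.200000 314us BSSID:00:14:6c:7e:40:80 DA:ff:ff:ff:ff:ff:ff SA:00:14:6c:7e:40:80 Beacon (constructed)",
    "11:04:36.000000 314us BSSID:00:14:6c:7e:40:80 DA:00:14:6c:7e:40:80 SA:00:0f:b5:46:11:19 DeAuthentication: constructed station-sent frame",
]

if __name__ == "__main__":
    # Pipe live output in (tcpdump -l ... | python3 this_file.py) or run on the sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for (bssid, station, reason), n in summarize(source).items():
        print(f"{n:4d}  AP {bssid} -> station {station}: {reason}")
```

A rising count for your own MAC address with the "Class 3" reason means the AP still does not consider the card associated.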