
Thread: Need to add additional control switches to generate IVS for my file??

  1. #1
    Junior Member
    Join Date
    Apr 2010

    Need to add additional control switches to generate IVS for my file??

    I know I just joined but I have been reading here for quite some time. I was trying to work through this on my own, but I need a steer because I am stuck. For the past week I have been reading until my eyes bleed and have attempted to go through every guide I can find on the subject trying to learn and get better.

    My background is that I am an old DOS guy that has lived in the Windows world for the past decade or so. I am planning on installing BT4 and linux on a 10 Gig partition of my hard drive. Before I do that I wanted to make certain that my hardware and specifically my chipset (Atheros AR5007eg named ath9k by airmon-ng) is compatible with BT4.

    To verify hardware compatibility; I downloaded the BT4 final iso and burned it to a bootable USB. BT4 fires up and "drives" very well. It has neat splash screens and seems amazingly organized and thought out. Now it is time to take my computer and BT4 for a test drive. To simplify the learning curve I installed an old WEP router to my network and am currently using that router to post to this forum. The router is working perfectly fine on my network. Using the simplicity of WEP as a starting point, here is the progress I have made to date:

    A. BT4 seems very slick and responsive, booting well and never misses a beat that I can see.

    B. Using basic aircrack-ng components my chipset responds quickly and displays all the correct responses --- mostly.

    1. airmon starts, stops, and responds exactly as all the guides indicate it should when I compare the guide displays to what I actually see. iwconfig displays exactly as the guides show too.

    2. injection test ---- perfect -- using aireplay I show a 30/30 100% on my AP, which is the old WEP router I installed.

    3. airodump launches well and by scanning my AP's channel, I see all the AP's on that channel, bssid, stations, etc...

    4. aireplay -- I am able to establish a quick and strong ASSOCIATION/fake authentication with my router. For the purposes of learning I use a laptop that is NOT already associated with the router itself. Anyway, the display shows successful and matches those printed on the guides I find.

    5. Once the monitor is running properly and on my channel (mon0), the chip shows it's injecting 100% (30/30) to/with my AP, I have established a solid fake authentication, and with airodump launched and monitoring for IV's, then I start another aireplay to make ARP requests as described in all the guides. Here is where something goes not as planned. This is where I am having problems. I have tried this tons of times and usually I don't get any ARP requests. Sometimes I will get a packet to start generating IVS and aireplay establishes the .xor or .cap files, but then they never amount to tons of IVS being generated.

    In addition, I have tried using the simple GUI type scripts included in BT4 with the same results (Gerix, etc...). I have manually attempted fragmentation, chop/chop, caffe latte, packetforge, etc... and they all have the same result. My computer/athero sees the AP, injecting and authenticating all along the way. But even though everything is rock solid up to making ARP requests I cannot get the IV's to take off. I have tried a hundred times and gone through every guide I can find.

    Since the generic do-it-for-you scripts (Gerix and others here) have the exact same results, I am sort of concluding that I need to use additional non-generic restriction/control commands to custom tailor how my hardware handshakes with the AP.

    Is there someone here that would be willing to step UP and give me a steer? Is there a script/program already on BT4 that I can run, which will provide information/analysis as to why my IV's will not spike/generate via ARP stimulation? I have a hunch that either slowing down, speeding up, varying packet length/structure might allow me to get the job done. I don't have a clue how to use such commands but I will read and study if given directions and links. I am just stuck here and need a hand to work through this. Anyone please??????

    Last: I noticed that aircrack 1.1 was just released. Any chance that using 1.1 on BT4 would help me on this issue? For the record, how can I install 1.1 on my USB flash using a windows OS to do so? Is that possible?

    I am reaching out here and hoping for a lifeline. Thanks in advance.

  2. #2
    Join Date
    Jan 2010

    Re: Need to add additional control switches to generate IVS for my file??

    Try having another client connected to the AP and generate some traffic or de-authenticate the client. Also post the actual steps you use (command line syntax).

    Here's a good read also: i_am_injecting_but_the_ivs_don_t_increase [Aircrack-ng]

    Good luck

  3. #3
    Junior Member
    Join Date
    Apr 2010



    Thanks for the quick and helpful response.

    I read through the first part of that link/thread a few days ago. But - I stopped short of the point where I actually used the replay options discussed further down in the guide. Aireplay created the replay.cap files but I never did specifically instruct aireplay to continually utilize that one good specific packet.

    I am going to try the two -r replay procedures that are mentioned for use AFTER successfully capturing a packet. I have captured a successful packet many times already but didn't know how to tell aireplay to continually use that one good packet to stimulate IVs generation. Hopefully this will allow my IV's to build quickly.

    I also downloaded the P0841 guide and will try that IF the aireplay -r approach doesn't work.

    As a note reminder: What about placing the new aircrack 1.1 on BT4? Can that be done on my bootable USB via a Windows OS install?

    Wow, still fighting this thing.

    OK so I am bringing some feedback in hopes that someone can give me a steer. Just kind of reminding you that I still get perfect reports on injection and association, as well as my mon0 being on the correct channel, and all appears fine up to this point. So, let's proceed and I'll give you what I see on this end. Once all is associated, injecting, monitoring, etc.....

    I am trying to run a fragmentation attack to create the fragment-XXX.xor needed to run packetforge and get the ARP packet for injection. It appears to run fine. As a reference here is the command line for my frag attack along with the steps I am taking:

    1. aireplay-ng -5 -b (AP MAC) -h (card MAC here) mon0

    2. A packet is generated and I select Y to use the packet. Sometimes I may need to select Y 2 or 3 times until it sees "Got RELAYED packet". Once it gets RELAYED packet it will create the fragment-XXX.xor file, which I then use in packetforge to attempt to create the needed ARP packet.

    3. command line: packetforge-ng -0 -a (AP-MAC) -h (card MAC) -k -l -y frag-XXX.xor -w arp-request

    4. system responds "Wrote packet to: arp-rquesst"

    5. I make sure airodump is running to capture IV's

    6. I attempt to inject the arp-request packet via the following command line, and IN the same console as where the ARP packet was generated (as per the guide instructions).

    7. aireplay-ng -2 -r arp-request mon0

    8. Does NOT inject.

    Analysis using tcpdump command line: tcpdump -n -vvv -e -s0 -r arp-request

    To me the generated ARP packet appears invalid as per the report shown below:

    Output is the same as the guide demonstrates up to the DA portion of the dump. The guide shows an expectation of this:

    DA: Broadcast Data IV: 8f Pad 0 Key II

    however I see this;

    DA: ff:ff:ff:ff:ff:ff Data IV: 14552 Pad 0 Key ID 0

    One additional observation that I noticed while doing the frag attack: When I selected Y for yes and received "RELAYED packet" I noticed that I never saw the "That's our ARP packet!" line as it was generating the .xor for packetforge. I am using BT4 ISO on usb and I don't know if that line was removed from the aircrack software compared to the version referenced in the guides I am using. Don't know but thought it might be pertinent to trying to examine what my issue is here.

    I am really beating myself up here and have been for some time now. I am starting to wonder if I have a hardware issue on this laptop card. From reading around it seems like the ath9k card is easy to use and especially on an old Linksys WEP router you would think this would be a walk in the park.

    Anyone have something to help me out here?
    Last edited by Archangel-Amael; 05-01-2010 at 06:40 PM.
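    The DA / Data IV / Pad / Key ID fields the poster compares against the guide are decoded from the 802.11 data-frame header followed by the 4-byte WEP IV header. As an added, defender-oriented illustration (not code from this thread, from the guide, or from the aircrack-ng project), the Python below decodes those fields the same way tcpdump does (24-bit IV, 6-bit pad, 2-bit key ID from one little-endian word) and then audits a capture for the two things the owner of a WEP network should be watching for: IV reuse, which is the keystream reuse WEP's 24-bit IV makes unavoidable, and one transmitter emitting a high-volume burst of same-length encrypted frames, which is how the ARP-replay stimulation discussed in this thread looks on the wire. All MAC addresses and frames are constructed for the example; the frame bodies are opaque placeholder bytes, not real ciphertext.

```python
"""Decode 802.11 + WEP IV header fields (as tcpdump prints them) and audit a
capture for IV reuse and replay bursts.  Example code, not from the thread."""
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _unmac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def build_wep_data_frame(addr1, addr2, addr3, iv, key_id=0, to_ds=True, payload_len=40):
    """Constructed 3-address 802.11 data frame carrying a WEP IV header.
    Frame Control: type=data (0x08 in byte 0), Protected bit (0x40) plus
    ToDS (0x01) or FromDS (0x02) in byte 1.  The payload is placeholder bytes
    standing in for LLC/SNAP + encrypted ARP + ICV (40 bytes -> 68-byte frame)."""
    fc = 0x0008 | 0x4000 | (0x0100 if to_ds else 0x0200)
    hdr = (struct.pack("<HH", fc, 0) + _unmac(addr1) + _unmac(addr2)
           + _unmac(addr3) + struct.pack("<H", 0))
    iv_word = (iv & 0xFFFFFF) | ((key_id & 0x3) << 30)      # pad bits left 0
    return hdr + struct.pack("<I", iv_word) + bytes(payload_len)


def parse_wep_frame(frame):
    """Return DA, TA, BSSID, IV, pad and key ID of a WEP-protected data frame,
    or None for anything else.  IV decoding mirrors tcpdump's print-802_11.c:
    one little-endian 32-bit word, IV = low 24 bits, pad = bits 24-29,
    key ID = bits 30-31."""
    if len(frame) < 28:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 2 or not fc & 0x4000:  # not data, or Protected bit clear
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    iv_off = 24
    if to_ds and from_ds:            # 4-address (WDS) frame: Addr4 precedes the IV
        iv_off, da, bssid = 30, a3, None
    elif to_ds:                      # station -> AP: Addr1=BSSID, Addr3=DA
        da, bssid = a3, a1
    elif from_ds:                    # AP -> station: Addr1=DA, Addr2=BSSID
        da, bssid = a1, a2
    else:                            # ad hoc: Addr1=DA, Addr3=BSSID
        da, bssid = a1, a3
    if len(frame) < iv_off + 4:
        return None
    iv_word, = struct.unpack_from("<I", frame, iv_off)
    return {
        "da": _mac(da), "ta": _mac(a2), "bssid": _mac(bssid) if bssid else None,
        "iv": iv_word & 0xFFFFFF, "pad": (iv_word >> 24) & 0x3F,
        "key_id": (iv_word >> 30) & 0x3, "length": len(frame),
    }


def audit(frames, burst_threshold=20):
    """Flag (bssid, key_id, iv) triples seen more than once, and transmitters
    that sent at least burst_threshold WEP frames of one identical length."""
    iv_seen, size_per_ta, reused = Counter(), Counter(), set()
    for raw in frames:
        f = parse_wep_frame(raw)
        if f is None:
            continue
        key = (f["bssid"], f["key_id"], f["iv"])
        iv_seen[key] += 1
        if iv_seen[key] > 1:
            reused.add(key)
        size_per_ta[(f["ta"], f["length"])] += 1
    bursts = sorted((ta, ln, n) for (ta, ln), n in size_per_ta.items() if n >= burst_threshold)
    return {"iv_reuse": sorted(reused), "replay_bursts": bursts}


# Constructed sample capture: one legitimate station, one station replaying a
# single captured frame 30 times, and the AP relaying 30 broadcast replies.
AP, LEGIT, INJECTOR = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"


def sample_capture():
    frames = [build_wep_data_frame(AP, LEGIT, "00:11:22:33:44:99", iv=0x100 + i,
                                   payload_len=60 + 7 * i) for i in range(5)]
    frames += [build_wep_data_frame(AP, INJECTOR, BROADCAST, iv=14552)] * 30
    frames += [build_wep_data_frame(BROADCAST, AP, INJECTOR, iv=0x10000 + i, to_ds=False)
               for i in range(30)]
    return frames


if __name__ == "__main__":
    print(parse_wep_frame(sample_capture()[5]))
    print(audit(sample_capture()))
```

    On the constructed capture the audit reports one reused IV (the replayed frame, 14552 being the IV value from the poster's own tcpdump line) and two 68-byte bursts, one from the replaying station and one from the AP relaying it. On a real capture you would feed it the raw 802.11 frames from a monitor-mode pcap; a burst from the AP with fresh IVs and no reuse is the normal relay behaviour, while the replayed-IV burst is the injection itself.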

  4. #4
    Junior Member
    Join Date
    Apr 2010

    Re: Need to add additional control switches to generate IVS for my file??

    Researching a bit more.

    I logged into HP's website and did some additional research on this laptop. Turns out the onboard chipset (according to HP) is an atheros AR5009 and not the AR5007 that I thought I had. I am using an HP dv7-1130us for this project.

    I am wondering if BT4 USB shows ath9k as the wlan0/mon0 for both of these chipsets.

    This is really frustrating that I have spent so much time trying to examine the workings of an AR5007 card, when in fact I don't even have that wireless card on the computer.

    Let this be a lesson to new members here. Take a few minutes and accurately determine what you are up against before losing a ton of time going down the wrong path.

    The above being mentioned, I am starting to feel like maybe the AR5009 drivers are not fully operational on the BT4 final burned to a USB (non-persistent). I have looked at the included Gerix tool and others along with trying many combinations of aircrack commands manually.

    I am still reading a lot but PLEASE help me if you know the answer to this question:

    If the BT4 final iso is burned to a USB ---- are all the drivers needed for the AR5009 there? I just can't imagine what else would result in what I am seeing other than maybe lacking driver support. The Gerix tool appears well thought out and attacking an old Linksys WEP router that I totally control should be sooooooooo easy.

    Anybody here running an AR5009 atheros using BT4 on a USB (non-persistent)??

    Other than read read read and keep learning what should I do to help conquer this?
