Howdy all,

I'm trying my hand at WEP cracking again after trying it a couple of years ago. Back then, I didn't do any aireplay stuff, so it was just airodump, wait a few weeks, and then run aircrack.

I'm now experimenting with aireplay/injection, with zero results to show for it. So, I've got some questions which are along the lines of "Injection isn't working. Why not?", but I'm hoping that I've managed to do a little more homework and that I'm providing a bit more detail about the issues that I'm having, in the hopes that it will help future readers know whether they're having the same problem that I'm having.

To help pay back the community here in exchange for help with this long post, I'm putting together a little script that should make it a lot easier to use the aircrack tools (it's not as fancy as airoscript, but it will work without xterm). It looks through the .txt file that airodump-ng creates and generates a list of all of the aireplay-ng command lines necessary for all of the APs and clients found, sorted in order of most recent activity (so you don't try to deauth a client that was last seen 6 hours ago). This way, you don't have to keep jotting down BSSIDs and ESSIDs and typing them into other command windows. You just copy/paste a whole line into another command window and you're off and running.

However, I'm still learning how to actually use these tools, so I'm not sure that I'm putting the correct MACs/BSSIDs in for the right parameters. I was hoping you guys could help me out.

First off, setting the mode of the card. Some of the WEP cracking HOWTOs I've come across first tell you to put your nic into monitor mode with a host of commands... iwconfig this, iwpriv that, set the channel, etc, etc, etc. All I did was just use airmon-ng and, after that, iwconfig shows the nic as being in "Mode: Monitor" and airodump-ng collects lots of packets, sees lots of APs and clients. HOWEVER... none of the aireplay-ng stuff is giving the results I see in the tutorial.

QUESTION: Is it enough to just use airmon-ng to turn on monitor mode on my card? If I get "Mode: Monitor" in iwconfig, is that enough, or is there something more that I have to do?

Next, regarding the various aireplay-ng attacks....

A --fragment attack gives:
Saving chosen packet in replay_src-0414-172606.cap
Data packet found!
Sending fragmented packet
No answer, repeating...
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating...
Sending fragmented packet
No answer, repeating...

A --fakeauth attack gives:
17:28:50 Sending Authentication Request
17:28:53 Sending Authentication Request
17:28:56 Sending Authentication Request

A --arpreplay attack claims to find some ARP packets and claims to be sending them back out, but I never see any increase in the number of IVs/sec.

A --deauth attack gives:
17:31:33 Sending DeAuth to station -- STMAC: [00:11:22:33:44:55]
17:31:34 Sending DeAuth to station -- STMAC: [00:11:22:33:44:55]
17:31:36 Sending DeAuth to station -- STMAC: [00:11:22:33:44:55]

These results are from my RT2500 card, but I get the same thing with both of my Atheros cards. Also, this is using the same card that I'm using for airodump. I don't know if this means that my cards are just not really doing the injection or if they are doing the injection and I'm just hitting up against APs that are immune to it or something.

QUESTION: If my card/driver doesn't support aireplay injection, am I guaranteed to get some warning or error from aireplay, or, instead, will aireplay just act like it's doing what it's supposed to (like in the above examples) and then nothing ever happens?

As the various injection attacks come into vogue, I imagine that the AP manufacturers might actually be immunizing their APs (as much as they can, anyway) against such attacks aimed at increasing IVs.

QUESTION: Is that a realistic concern? Has anybody noticed newer APs being less susceptible to aireplay? Or is any failure to generate more IVs almost always due to injection problems on the card?

Next, which MAC addresses to use. With the various aireplay attacks, you usually have to supply two MAC addresses. One is the BSSID of the target AP. The second, however, seems to sometimes be the MAC of a client and sometimes is the MAC of the interface you're using for the attack.

QUESTION: For once and for all, which attacks (deauth, fragment, fakeauth, chopchop, arpreplay) require the MAC of an associated client, which require your MAC, and which, if any, require, allow, or recommend you use a fake one? For the ones which require an associated client, how "fresh" does the client need to be (how recently seen?).

Next, capturing/injecting on the same card. In my recent dealings with airodump, I've noticed that I can now capture from all channels at once. A couple of years ago, I had to set the channel, explicitly. So, I'm wondering what else has changed since then. Back then, you also had to use separate cards to capture and to inject.

QUESTIONS: Is it now possible to capture and inject with the same card? Or does it depend upon the card? If it depends upon the card, which ones let you do everything with just one? If you do have a card that lets you do everything with one, is there still some advantage to using separate cards?

Lastly, I'm considering buying some more wifi adaptors to use with my laptop or carputer. For that reason, they need to either be USB or PCMCIA. Secondly, I've served my time in the past fetching kernel patches or latest CVS drivers and then rebuilding either the kernel or the drivers and hassling with compiler errors, etc. Those days are over. I only want a card that supports everything airodump and aireplay can throw at it, and can do it with the existing drivers in the standard mainline Linux kernel 2.6.18 or higher that comes with Debian/Ubuntu... or, failing that, with the kernel on the BT2 disc. Lastly, it's gotta have a RP-SMX or MMCX (or similar) antenna connector (preferably RP-SMX) because all of my antennas have that on the other end. I've read a bunch of the compatibility stuff at and the "What card should I buy?" sticky thread here, but I'm having a hard time cross-referencing that data to finding something on eBay that I know is going to spell the end of my problems. Any suggestions? By that, I don't mean "Something with an Atheros chip". I'm looking for a specific model number that I can plug-n-play, attach an antenna, airodump with channel-hopping, aireplay, etc. Ideas?

Looking at a few items currently on eBay, does anybody have any experience with items #110113390647, 290103277486 (the Alfa USB-Key type), 290104727259 (the Alfa pack-of-cigarettes-sized 500mW one)?

Millions of thanks in advance...
- Joe
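The post describes a helper that reads the file airodump-ng writes and ranks what it saw by most recent activity. The same parsing is just as useful on the other side of the fence: a wireless audit wants to know which access points in range still run WEP or no encryption, whether they are still alive, and how many stations are associated to them (the population whose traffic is exposed). The script below is an added example written for this page, not Joe's script and not part of aircrack-ng. It assumes the CSV layout airodump-ng produces (an access-point table, a blank line, then a station table, fields padded with spaces, the "Probed ESSIDs" column itself comma-separated), and the embedded dump is constructed sample data with made-up MAC addresses, not a real capture.

```python
"""Audit an airodump-ng CSV dump for WEP and open access points (added example)."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample, laid out like the CSV airodump-ng writes (assumed layout:
# access-point table, blank line, station table; every MAC here is made up).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:AA, 2007-04-14 11:02:10, 2007-04-14 17:31:40,  6,  54, WEP, WEP, OPN, -45,  812, 1303,   0.  0.  0.  0,   7, example,
00:11:22:33:44:BB, 2007-04-14 11:05:31, 2007-04-14 17:31:38, 11,  54, WPA2, CCMP, PSK, -60,  790,    0,   0.  0.  0.  0,   8, corpnet1,
00:11:22:33:44:CC, 2007-04-14 11:40:00, 2007-04-14 11:52:12,  1,  11, WEP, WEP, OPN, -80,   30,    2,   0.  0.  0.  0,   5, oldap,
00:11:22:33:44:DD, 2007-04-14 12:00:00, 2007-04-14 17:30:59,  3,  54, OPN, , , -70,  400,    0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2007-04-14 17:20:00, 2007-04-14 17:31:36, -50, 2200, 00:11:22:33:44:AA, example
00:11:22:33:44:56, 2007-04-14 12:10:00, 2007-04-14 12:12:00, -75,   40, 00:11:22:33:44:AA,
00:11:22:33:44:57, 2007-04-14 16:00:00, 2007-04-14 17:31:00, -55,  900, 00:11:22:33:44:BB, corpnet1
00:11:22:33:44:58, 2007-04-14 16:30:00, 2007-04-14 17:29:00, -65,   10, (not associated), example,guest
"""

WEAK_PRIVACY = {"WEP", "OPN"}  # schemes that expose traffic to anyone in range


def _ts(field):
    return datetime.strptime(field.strip(), "%Y-%m-%d %H:%M:%S")


def _rows(block):
    # airodump-ng pads fields with spaces; skipinitialspace drops that padding
    return csv.reader(io.StringIO(block), skipinitialspace=True)


def parse_airodump_csv(text):
    """Split the dump into its two tables and return (aps_by_bssid, stations)."""
    ap_block, _, sta_block = text.replace("\r\n", "\n").strip().partition("\n\n")
    aps = {}
    for row in _rows(ap_block):
        if len(row) < 14 or row[0] == "BSSID":
            continue  # header or malformed line
        aps[row[0]] = {
            "bssid": row[0], "last_seen": _ts(row[2]), "channel": int(row[3]),
            "privacy": row[5].strip(), "ivs": int(row[10]), "essid": row[13].strip(),
        }
    stations = []
    for row in _rows(sta_block):
        if len(row) < 6 or row[0] == "Station MAC":
            continue
        stations.append({
            "mac": row[0], "last_seen": _ts(row[2]), "bssid": row[5].strip(),
            # the probed-ESSID column is itself comma separated, so it spills
            # into extra fields; gather them back into one list
            "probed": [p.strip() for p in row[6:] if p.strip()],
        })
    return aps, stations


def weak_networks(aps, stations, now, stale_after=timedelta(minutes=30)):
    """List WEP/open APs, most recently active first, with the number of
    stations seen associated to each: that is the exposed user population."""
    by_ap = {}
    for s in stations:
        by_ap.setdefault(s["bssid"], []).append(s)
    report = []
    for ap in aps.values():
        if ap["privacy"] not in WEAK_PRIVACY:
            continue
        clients = by_ap.get(ap["bssid"], [])
        report.append({
            "bssid": ap["bssid"], "essid": ap["essid"], "privacy": ap["privacy"],
            "channel": ap["channel"], "last_seen": ap["last_seen"],
            # an AP not heard within the window may already be gone: flag, don't drop
            "stale": now - ap["last_seen"] > stale_after,
            "clients": len(clients),
            "active_clients": sum(1 for c in clients if now - c["last_seen"] <= stale_after),
        })
    report.sort(key=lambda r: r["last_seen"], reverse=True)
    return report


def audit(text, now, stale_minutes=30):
    """Wrapper taking `now` as a timestamp string in airodump's own format."""
    aps, stations = parse_airodump_csv(text)
    return weak_networks(aps, stations, _ts(now), timedelta(minutes=stale_minutes))


def format_report(report):
    lines = []
    for r in report:
        state = "STALE " if r["stale"] else "ACTIVE"
        lines.append(f"{state} {r['privacy']:<4} ch{r['channel']:>2} {r['bssid']} "
                     f"{r['essid']!r:<12} last={r['last_seen']:%H:%M:%S} "
                     f"clients={r['clients']} active={r['active_clients']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_CSV, "2007-04-14 17:32:00")))
```

On a real run the input is the `<prefix>-01.csv` that `airodump-ng -w <prefix>` writes alongside the capture, and `now` would be the time the dump was taken. The "stale" flag matters for the same reason the post sorts by recency: an AP or client last heard hours ago is not evidence of current exposure, so the report keeps it but marks it separately from networks that are live right now.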