Simple check for proper injection


hobbes
04-28-2006, 04:14 AM
This thread was created as a companion to the Quick Guide to Breaking WEP (http://forums.remote-exploit.org/showthread.php?t=569) because it exceeded the character limit. Still, useful.

Checking for injection

If you are unsure if your card is injecting properly there is a simple test you can do. First you will need to bring your card into monitor mode (iwconfig DEV mode monitor where DEV is your wifi device. There may be additional steps involved in preparing your system for injection. Some cards do not support monitor mode, either.)

Then start wireshark (it's in the sniffers menu, or type "wireshark" into a console. It's worth noting that until recently this tool was called ethereal.) Click the button to show the capture options (second from the left, little wrench icon) and select your wifi device from the drop down menu. Check the box to update the list of packets in realtime and then start the capture. If you want to display only the deauth frames you are about to broadcast, enter the following into the display filter of wireshark (NOTE: Display filters and Capture filters are not the same thing. The display filter input box is labeled "Filter:" and is located just below the options button.)

Display filter for deauth packets in wireshark

wlan.fc.type_subtype == 12

Next, in a fresh konsole or xterm window, type: aireplay -0 10 -a 01:02:03:04:05:06 DEVICE . This command will broadcast 10 deauth frames to a nonexistent AP. If all goes well the deauth packets should show up in the wireshark capture frame.


As usual, I'm open to corrections and additions, PM me if you have any.

Links

Ethereal Wireless Filter List (http://www.remote-exploit.org/index.php/Release_Sep_02)

Original WEP Cracking Tutorial (http://forums.remote-exploit.org/showthread.php?t=569)

kimbell
04-28-2006, 11:20 PM
Nice job. That is useful for those who have problems with aireplay and are unsure of what they can do to investigate further.

Pyrator
04-28-2006, 11:56 PM
thanx for this!

Tossil
05-18-2006, 12:53 AM
after I enter

aireplay -0 -10 -a 00:00:00:00:00 ath0

I get

please specify a BSSID (-a).

Any clue what I must be doing wrong?

darthn
05-18-2006, 01:02 AM
after I enter

aireplay -0 -10 -a 00:00:00:00:00 ath0

I get

please specify a BSSID (-a).

Any clue what I must be doing wrong?

Enter it. Google essid, ssid, bssid.

bigugly
05-18-2006, 02:04 AM
after I enter

aireplay -0 -10 -a 00:00:00:00:00 ath0

I get

please specify a BSSID (-a).

Any clue what I must be doing wrong?

try aireplay -0 -10 -a 00:11:22:33:44:55 ath0

Tossil
05-18-2006, 05:46 AM
Enter it. Google essid, ssid, bssid.

Darthn, as you can see in my post I did enter a BSSID (OO:OO:OO:OO:OO:OO) as was said above. The error came after entering exactly what was said.

hobbes
05-18-2006, 06:10 AM
The MAC address must be six (6) hex characters long. As in 11:22:33:44:55:66.

bigugly
05-18-2006, 07:35 AM
the reason I posted the 00:11:22:33:44:55 was that I also had problems just using 0's but 00:11:22:33:44:55 worked fine

Tossil
05-18-2006, 08:18 AM
"Next, in a fresh konsole or xterm window, type: aireplay -0 10 -a 00:00:00:00:00:00 DEVICE . This command will broadcast 10 deauth frames to a nonexistent AP. If all goes well the deauth packets should show up in the ethereal capture frame."

As stated above, entering 00:00:00:00:00:00 gave me that error. So I entered 00:11:22:33:44:55 and did not get the error I had gotten before.

After doing that, nothing came up in Ethereal, so I assume my wireless card is not injecting anything. Oh fun.... At least I know one thing that's giving me problems now. Thanks for the help.

bigugly
06-06-2006, 10:57 AM
"Next, in a fresh konsole or xterm window, type: aireplay -0 10 -a 00:00:00:00:00:00 DEVICE . This command will broadcast 10 deauth frames to a nonexistent AP. If all goes well the deauth packets should show up in the ethereal capture frame."

As stated above, entering 00:00:00:00:00:00 gave me that error. So I entered 00:11:22:33:44:55 and did not get the error I had gotten before.

After doing that, nothing came up in Ethereal, so I assume my wireless card is not injecting anything. Oh fun.... At least I know one thing that's giving me problems now. Thanks for the help.

when capturing with ethereal try selecting ath0raw you should see the deauth packets then

Nav2k6
10-06-2006, 05:22 AM
when capturing with ethereal try selecting ath0raw you should see the deauth packets then

In ethereal i dont see an option to select ath0raw

Im using a DWL-G650 rev C3 F/W 4.11 Atheros Chipset

xz123
10-10-2006, 08:18 PM
If I do try this as described, I don't seem to sniff anything with ethereal.
If I disable the filter, I receive some packets. Are those still deauth-packets, or not?
I use a z-com 325HP+ in hostap-mode, wlanng doesn't work.

Pinni3
10-12-2006, 11:11 AM
I have tried to follow the guide to cracking WEP. It seems to work fine, but in aircrack it's not working, so I tried this guide, and the weird thing I get is a malformed packet. I quote ethereal: [Malformed Packet : Prism]
Is this correct? I just don't know.

Oh, I didn't understand why aircrack won't find the key. I got 1900000 IVs and the cap file was over 500 megs. The key was a 128 bit key. Maybe not the right post, but hey, just pasting it in.

sorry for the poor English

Greets Pinni3

xz123
10-12-2006, 07:33 PM
/edit
whoops, bullshit. sorry.

itsme
10-22-2006, 04:58 PM
I have tried to follow the guide to cracking WEP. It seems to work fine, but in aircrack it's not working, so I tried this guide, and the weird thing I get is a malformed packet. I quote ethereal: [Malformed Packet : Prism]
Is this correct? I just don't know.

Oh, I didn't understand why aircrack won't find the key. I got 1900000 IVs and the cap file was over 500 megs. The key was a 128 bit key. Maybe not the right post, but hey, just pasting it in.

sorry for the poor English

Greets Pinni3

I have the exact same problem as you have! But still no solution.:( I use a Senao 2511CD Ext2 card.
Can anybody help us out here?

itsme
10-24-2006, 01:50 PM
This is really amazing :confused:

I have a ralink card on my desktop that works great on backtrack II, including injection :D (verified this with ethereal)

So, i started daouid's airoscript and collected 1,8 million IV's, started up Aircrack on my AMD Athlon 3800+ X2 (dualcore) desktop, but after one hour of cracking....no key found :eek: I even indicated that it is a 128 bit wep key....:o

So tell me.... Is my AP just uncrackable or what?

kab3wm
10-27-2006, 04:20 AM
I have heard lots of people saying that injection works on the DWL-G122, but performing this test seems to indicate it does not inject. I'm getting the malformed error as well. I have tried two different DWL-G122's that I own. Both do the same thing.

Toolio
10-27-2006, 08:59 PM
uh, any advice on how to run this test with WireShark? Is it still even viable with BT 2? Thanks for any pointers.
Peace

itsme
10-27-2006, 10:27 PM
uh, any advice on how to run this test with WireShark? Is it still even viable with BT 2? Thanks for any pointers.
Peace

1) Put your card in monitor mode.

2) Start ethereal (or wireshark in BT 2) to listen on the card you want to test for injection, and add display filter wlan.fc.type_subtype == 12

3) Open xterm and start aireplay. aireplay-ng -0 10 -a 01:02:03:04:05:06 YOURCARD

Normally the deauth packets should show up in the ethereal capture frame. If not, your card is not injecting. If you have MALFORMED PACKETS then injection does not work properly.

Toolio
10-27-2006, 10:51 PM
Thanks for the quick response!
Those steps were EXACTLY what I tried, and no dice. However, having done quite a bit of web scouring, I have to say that I'm confused as to why my card (an Atheros 5005G cardbus) is not injecting, as it is supposed to, at least in theory. I read on MadWiFi's page that said app does not support G or superG mode enabled, so perhaps that could be an issue (and if it is, does anyone have any clue how one would go about DISabling that mode?) Or do I need to apply a patch to MadWiFi? To be honest, MadWiFi runs automatically when I start kismet or run airmon, and I wonder if there's a way to manually adjust which Mad driver its using?
Lot of blind postulating, sorry. If anyone else has had this problem, please help.
One last thing - if my card is not associating in BT, could that be a related issue? (it still works fine in windows)
Thanks in advance
Peace

xz123
10-29-2006, 12:50 AM
so.. if I try it and sniff with wlan0, I get malformed packets, if I sniff with wifi0 they're deauth-packets. (always injecting with wlan0, though). wifi0 and wlan0 are both my zcom 325hp+, for some reason with hostap I get those two adapters in iwconfig.
so is it working now?

(I tried to crack my own wlan recently, injected and dumped via wlan0, got 1000000+ ivs and couldn't crack it - might this be due to this issue? )

taipan
11-11-2006, 09:26 PM
i tried it with wireshark and captured the deauth packets, but when i analysed the packets i saw the Receiver as "Broadcast" is it normal?, i think that deauthenticating must be directed not broadcast. Receiver : AP MAC Transmitter: Client MAC it should be. Dont u agree?

taipan
11-11-2006, 09:29 PM
and there is another issue. in TCP/IP all the packets are routed from the localhost. Seeing the packets on local does not mean that u are sending these packets. I think it should be seen from another device.

hobbes
11-14-2006, 04:24 AM
i tried it with wireshark and captured the deauth packets, but when i analysed the packets i saw the Receiver as "Broadcast" is it normal?, i think that deauthenticating must be directed not broadcast...

It is normal. Because the aireplay-ng deauth command does not include a specific client mac it is classified as broadcast as any client on the AP can receive it. The deauth command can only come from the AP so aireplay-ng generates a packet coming from the target AP directed to either a client you specify or it just broadcasts it to all clients connected to that AP. Hope this answers your question.

taipan
11-14-2006, 07:27 AM
It is normal. Because the aireplay-ng deauth command does not include a specific client mac it is classified as broadcast as any client on the AP can receive it. The deauth command can only come from the AP so aireplay-ng generates a packet coming from the target AP directed to either a client you specify or it just broadcasts it to all clients connected to that AP. Hope this answers your question.


very useful information, thank you

packetmaestro
11-15-2006, 04:52 AM
FTI: I just wanted to say that my Intel Pro Wireless 2915ABG mini-pci on a dell 9300 does not do packet injection. Didn't pass the test.

bigcat99
11-21-2006, 07:06 AM
I've tried both of the instructions for the DWL-G122 B1, and when I run the "injection test" I only get malformed packets. I've got the DWL-G122 B1 and here's what I do...

1: after boot is done: modprobe rt2570
2: insert card
3: ifconfig rausb0 up
4: iwconfig rausb0 mode monitor
5: airmon-ng start rausb0 (just in case iwconfig didn't actually do it.)
6: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
7: launch wireshark (ethereal) and look for deauth packets.
8: be sad because there were no deauth packets but a lot of malformed packets.

it might be important to note: when i run airmon-ng start rausb0 it says monitor mode enabled but then says unable to find command force prism header.

pilotsnipes
11-21-2006, 11:05 AM
1: after boot is done: modprobe rt2570
2: insert card
3: ifconfig rausb0 up
4: iwconfig rausb0 mode monitor
5: airmon-ng start rausb0 (just in case iwconfig didn't actually do it.)
6: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
7: launch wireshark (ethereal) and look for deauth packets.
8: be sad because there were no deauth packets but a lot of malformed packets.


Do this:

1: after boot is done insert card
2: airmon-ng start (DO NOT PUT rausb0 here)
3: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
4: launch wireshark (ethereal) and look for deauth packets.


Continue as before.

bigcat99
11-21-2006, 05:02 PM
Do this:

1: after boot is done insert card
2: airmon-ng start (DO NOT PUT rausb0 here)
3: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
4: launch wireshark (ethereal) and look for deauth packets.


Continue as before.
Do I still modprobe rt2570 and ifconfig rausb0 up?

pilotsnipes
11-24-2006, 10:52 AM
No just do exactly what I said.

bigcat99
11-24-2006, 04:15 PM
No just do exactly what I said.

So,
1: after boot is done: modprobe rt2570
2: insert card
3: ifconfig rausb0 up
4: iwconfig rausb0 mode monitor
5: airmon-ng start rausb0 (just in case iwconfig didn't actually do it.)
6: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
7: launch wireshark (ethereal) and look for deauth packets.
8: be sad because there were no deauth packets but a lot of malformed packets.

is just:

1: after boot is done insert card
2: airmon-ng start (DO NOT PUT rausb0 here)
3: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
4: launch wireshark (ethereal) and look for deauth packets.

Doesn't work though. When I run airmon-ng start, it lists rausb0 but doesn't start the monitor mode. If I run iwconfig it still shows it as having mode managed and ifconfig doesn't list it unless I use the -a flag. If I do aireplay -0 10 -a 01:02:03:04:05:06 rausb0, I get an error write Failed: Network is Down.

So There has to be another step there somewhere. Would doing ifconfig rausb0 up before airmon-ng work? airmon-ng doesn't put the card into monitor mode unless I put rausb0 after start, but then I get the forced prism header error. I'm not quite sure what to do.:confused:

pilotsnipes
11-25-2006, 12:29 PM
Ok I took a look at it.

Looks like the quick fix is to run airodump-ng before you run the aireplay command.

I've made a video to prove this works. I have a dwl-g122 B1 too.

1: after boot is done insert card
2: airmon-ng start (DO NOT PUT rausb0 here)
2a: airodump-ng rausb0
3: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
4: launch wireshark (ethereal) and look for deauth packets.


I used airodump-ng -c 13 rausb0 in the video because that's where I knew to find my AP, on channel 13, you don't have to have that option in there.
LINK TO VIDEO (Rapidshare) (http://rapidshare.com/files/4757478/wephelp.avi)

bigcat99
11-25-2006, 05:58 PM
Ok I took a look at it.

Looks like the quick fix is to run airodump-ng before you run the aireplay command.

I've made a video to prove this works. I have a dwl-g122 B1 too.

1: after boot is done insert card
2: airmon-ng start (DO NOT PUT rausb0 here)
2a: airodump-ng rausb0
3: aireplay -0 10 -a 01:02:03:04:05:06 rausb0
4: launch wireshark (ethereal) and look for deauth packets.


I used airodump-ng -c 13 rausb0 in the video because that's where I knew to find my AP, on channel 13, you don't have to have that option in there.
LINK TO VIDEO (Rapidshare) (http://rapidshare.com/files/4757478/wephelp.avi)

I am in no way doubting you that it works, I'll give that airodump-ng a shot and see what happens. Thank you.

Edit: Also, I can't watch your movie. I'm on a mac and apparently the codec for techsmith doesn't exist on mac.

CRiSiS
11-25-2006, 10:35 PM
I am in no way doubting you that it works, I'll give that airodump-ng a shot and see what happens. Thank you.


Actually I'm having the same problem. Using the above procedure doesn't give me any packets; however, if I use the airoscript it does work. I see death packets.

My problem is that i don't receive any ARP replies :(

bigcat99
11-26-2006, 03:41 AM
I am in no way doubting you that it works, I'll give that airodump-ng a shot and see what happens. Thank you.

Edit: Also, I can't watch your movie. I'm on a mac and apparently the codec for techsmith doesn't exist on mac.

Ok, doing airodump-ng before hand does indeed put it into monitor mode from what I can tell, properly. When I try aireplay though, still doesn't work. and when I try to use airoscript, i still get malformed packets. I have no idea what is wrong. I download BT 1.0 Final from the site, the md5 matches, I applied your patches and am trying it in parallels on my mac. Parallels is the same thing as vmware so this should be working the same. I have my mac set to never touch the card and i wait until the virtual machine is booted to insert the card.

pilotsnipes
11-26-2006, 01:18 PM
Well that is strange, as the only difference between our systems is Mac/PC I can only deduce it's that.....

(Even though it shouldn't be)

pilotsnipes
11-26-2006, 01:20 PM
My problem is that i don't receive any ARP replies :(

Sometimes I have to wait nearly 5-10mins before the first ARP packet arrives and I can then re-inject.

ahouston
11-30-2006, 05:18 PM
Firstly a big thanks to pilotsnipes - really,really good guide on getting this card working on BT 1.0 :)

I've tried both the modified 1.0 Final CD (as per your guide) and the beta 2.0 CD - and I'm basically seeing [Malformed Packet: Prism] when I use Wireshark to look for deauth packets.

I'm using a DWL-G122 rev B1 (with firmware ver 2.03 according to the back) - and I've followed your mini-howto video above to ensure I'm not doing anything too stupid (I hope anyway..)

I've posted the video cap file from VMWare here - http://rapidshare.com/files/5469830/DWLG122_Inject.avi.html - hopefully a video speaks a thousand words..

I get the same thing when I run Ethereal under 1.0 final - it sounds like others have had this same problem with the DWL-G122, is it maybe a firmware related thing ??

bigcat99
11-30-2006, 06:37 PM
Firstly a big thanks to pilotsnipes - really,really good guide on getting this card working on BT 1.0 :)

I've tried both the modified 1.0 Final CD (as per your guide) and the beta 2.0 CD - and I'm basically seeing [Malformed Packet: Prism] when I use Wireshark to look for deauth packets.

I'm using a DWL-G122 rev B1 (with firmware ver 2.03 according to the back) - and I've followed your mini-howto video above to ensure I'm not doing anything too stupid (I hope anyway..)

I've posted the video cap file from VMWare here - http://rapidshare.com/files/5469830/DWLG122_Inject.avi.html - hopefully a video speaks a thousand words..

I get the same thing when I run Ethereal under 1.0 final - it sounds like others have had this same problem with the DWL-G122, is it maybe a firmware related thing ??

YAY finally someone is having the exact same problem I am. I feel bad for you but at the same time I'm elated because someone else feels my frustration. Mine is fw 2.02. However ignoring the injection test, I tried cracking a WEP AP and it worked. I'm pretty sure the injection works, however ethereal(wireshark) shows malformed packets. I think I figured out what the problem might be though... if you go to the page for the drivers from the airocrack-ng newbie guide the guy says the forceprism thing is solved with iwpriv but I'm not sure exactly what to do.

ahouston
11-30-2006, 06:44 PM
Firstly a big thanks to pilotsnipes - really,really good guide on getting this card working on BT 1.0 :)

I've tried both the modified 1.0 Final CD (as per your guide) and the beta 2.0 CD - and I'm basically seeing [Malformed Packet: Prism] when I use Wireshark to look for deauth packets.



OK - I think I've got it sorted on my own - booted into the Beta 2.0 CD, and in this order:

airmon-ng start
iwpriv rausb0 rfprismhdr 0
airodump-ng rausb0
aireplay-ng -0 100 -a 11:22:33:44:55:66 rausb0

Open Wireshark - and OMG there they are - deauth frames :)

Looking on the driver page - http://homepages.tu-darmstadt.de/~p_larbig/wlan/


Only difference is, that the official one is still doing automatic prism header switching, which is annoying, but can be disabled via an iwpriv command now.


Anyway, hope this helps someone cos its been driving me crazy all day.. I guess that the "rfprismhdr" is set to "1" by default when the driver starts, and that this is causing the hassle ?

bigcat99
11-30-2006, 07:44 PM
OK - I think I've got it sorted on my own - booted into the Beta 2.0 CD, and in this order:

airmon-ng start
iwpriv rausb0 rfprismhdr 0
airodump-ng rausb0
aireplay-ng -0 100 -a 11:22:33:44:55:66 rausb0

Open Wireshark - and OMG there they are - deauth frames :)

Looking on the driver page - http://homepages.tu-darmstadt.de/~p_larbig/wlan/



Anyway, hope this helps someone cos its been driving me crazy all day.. I guess that the "rfprismhdr" is set to "1" by default when the driver starts, and that this is causing the hassle ?

AHAH! i thought it was supposed to be a 1. :mad:

You've saved me and made my day. I thank you sir.

wootski
12-01-2006, 02:05 PM
Specs: BT2.0 / Netgear WAG511 & Ubiquiti SRC (same results)
I boot
I start Kismet
I type: "wlanconfig ath1 wlandev wifi0 wlanmode monitor"
I start wireshark on ath1
I type "aireplay-ng -0 10 -a 01:02:03:04:05:06 ath1"

This is my result:
CLICK HERE FOR IMAGE (http://members.optusnet.com.au/voss/what.jpg)
It says "prism monitoring header" but my card is atheros!?

I type: "wlan.fc.type_subtype == 12" in the filter of wireshark

All the packets now listed are Deauthentication ones, and the malformed ones are gone.

Is this correct?

pilotsnipes
12-01-2006, 07:21 PM
Anyway, hope this helps someone cos its been driving me crazy all day.. I guess that the "rfprismhdr" is set to "1" by default when the driver starts, and that this is causing the hassle ?



Well done.

You may be interested in this thread:

http://tinyshell.be/aircrackng/forum/index.php?topic=180.15

dopefish1337
03-08-2007, 02:44 PM
Hey ho party people!

Pls help me, can you pls check my result!?

http://img183.imageshack.us/img183/5039/snapshot1oj1.th.png (http://img183.imageshack.us/my.php?image=snapshot1oj1.png)

Here is a thread in which I have also posted it...
http://forums.remote-exploit.org/showthread.php?t=5739

Is my card injecting in the right way?

Thank you very much!!!

franky_402
03-10-2007, 09:24 PM
ok, i just got my wg511t in the mail today and when i run airmon-ng start ath0 it wont put it into monitor mode so i use airmon-ng start wifi0 and i get ath1 as monitor mode. So i am checking for the deauth packets and i use the dropdown list in wireshark and i do not get ath1 so i type it in manually and i use my airodump-ng script and wireshark shows up bad. so i used wifi0 and wireshark shows me all the deauth packets so when i am wardriving what do i use ath1 or wifi0???

hobbes
03-11-2007, 08:18 PM
franky_402: Did you bring the ath1 device up using ifconfig? There's also a handy guide on creating a monitor mode interface at the madwifi-ng wiki (http://madwifi.org/wiki/UserDocs/MonitorModeInterface). NOTE: use the second wlanconfig command as backtrack will automatically create an ath0 interface.

dopefish1337: Yes.

franky_402
03-12-2007, 06:30 AM
i thought i didnt have to do that. i run airmon-ng start wifi0 because if i use ath1 instead nothing goes into monitor mode, i get the vap cannot be put into monitor mode. when i run wifi0 it tells me that ath1 is now in monitor mode with wifi0 as the parent. Then another thing that happens when i try to crack wep: i always get a message !notice received a disassociation/deauth packet..is the source mac associated. wg511t btw

titan
03-12-2007, 12:39 PM
Thanks, this was really helpful!
Sadly, not good news for me but at least it made it clear that it's my device that's not injecting the right way and nothing else that make my attempts to crack my AP unsuccessful.

My device is a Netgear WG111 v2 USB dongle, using the rt8187 chipset/drivers.

Tried bringing the dongle into monitor mode both via airomon and iwconfig and everything seems good so far but when I check the packets in Wireshark they turn up as Malformed.
This is confusing, I was under the impression that this chipset should work just fine in BT2 Final.

*screenshot was supposed to go here but seems I can't post URLs yet*
The interesting parts from Wireshark's reporting seems to be these:

Packet length: 26 bytes
Protocols in frame: Prism
Malformed packet: Prism

Why do the packets turn up as Prism when I'm using rt8187?

Anyone? Would appreciate any help...
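
Added example, not part of any post in this thread: a small Python decoder showing what the display filter value 12 from the first post corresponds to in the frame control field, and why a bare deauth frame is exactly 26 bytes, which is too short to be read as a Prism-headed packet. The sample frame, its reason code 7 and the function names are constructed for illustration; that the capture interface declares a Prism link type while the injected frame carries no Prism header is an assumption consistent with the rfprismhdr fix posted earlier.

```python
import struct

# libpcap link-layer types a monitor-mode capture may declare
DLT_IEEE802_11 = 105        # bare 802.11 frame
DLT_PRISM_HEADER = 119      # 144-byte Prism monitoring header, then 802.11
DLT_IEEE802_11_RADIO = 127  # radiotap header, then 802.11
PRISM_HEADER_LEN = 144
MGMT_HEADER_LEN = 24        # frame control, duration, 3 addresses, sequence control
DEAUTH_TYPE_SUBTYPE = 12    # the value in the thread's display filter

# Constructed sample: broadcast deauth "from" 01:02:03:04:05:06, reason code 7
AP = bytes.fromhex("010203040506")
SAMPLE_DEAUTH = (b"\xc0\x00" + b"\x00\x00" + b"\xff" * 6 + AP + AP
                 + b"\x00\x00" + struct.pack("<H", 7))


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def strip_capture_header(linktype, pkt):
    """Return the 802.11 frame; ValueError if the declared header cannot fit."""
    if linktype == DLT_IEEE802_11:
        return pkt
    if linktype == DLT_PRISM_HEADER:
        if len(pkt) < PRISM_HEADER_LEN:
            raise ValueError(f"{len(pkt)} bytes cannot hold a Prism header")
        return pkt[PRISM_HEADER_LEN:]
    if linktype == DLT_IEEE802_11_RADIO:
        if len(pkt) < 8:
            raise ValueError("too short for radiotap")
        (rt_len,) = struct.unpack_from("<H", pkt, 2)  # it_len, little endian
        if not 8 <= rt_len <= len(pkt):
            raise ValueError("bad radiotap length")
        return pkt[rt_len:]
    raise ValueError(f"unsupported link type {linktype}")


def parse_80211(frame):
    if len(frame) < MGMT_HEADER_LEN:
        raise ValueError("too short for an 802.11 management header")
    ftype = (frame[0] >> 2) & 0x3      # 0 = management
    subtype = (frame[0] >> 4) & 0xF    # 12 = deauthentication
    info = {
        "type_subtype": (ftype << 4) | subtype,
        "receiver": mac(frame[4:10]),       # ff:ff:... means broadcast
        "transmitter": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
    }
    info["is_deauth"] = info["type_subtype"] == DEAUTH_TYPE_SUBTYPE
    if info["is_deauth"] and len(frame) >= MGMT_HEADER_LEN + 2:
        (info["reason"],) = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)
    return info


def classify(linktype, pkt):
    """Parse as declared; on a header mismatch retry as bare 802.11 and say so."""
    try:
        info = parse_80211(strip_capture_header(linktype, pkt))
        info["note"] = "ok"
    except ValueError as exc:
        info = parse_80211(pkt)
        info["note"] = f"header mismatch: {exc}"
    return info


if __name__ == "__main__":
    for dlt in (DLT_IEEE802_11, DLT_PRISM_HEADER):
        print(dlt, len(SAMPLE_DEAUTH), classify(dlt, SAMPLE_DEAUTH))
```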

Eristic
04-27-2007, 06:24 PM
hit for later reading.

kirbyfree
01-04-2008, 10:19 PM
i get a "No such BSSID available.
Please specify an ESSID (-e)"
why???

when i start it, it says:
"Waiting for becon frame (BSSID: 01:02:03:04:05:06) on channel 10"

asasantin
01-07-2008, 03:59 PM
What can I do when theres nothing showing up after doing the aireplay thing?

Do i just have to forget about it all, or is there still sth that i can do?

Xolamee
08-06-2008, 04:16 PM
I have the same problem as kirbyfree.


bt ~ # aireplay-ng -0 10 -a 01:02:03:04:05:06 wifi0
Waiting for beacon frame (BSSID: 01:02:03:04:05:06) on channel 13
No such BSSID available.
Please specify an ESSID (-e).


wifi0 is my device, this is what i get when i do an iwconfig

wifi0 unassociated ESSID: off/any
Mode:Monitor Channel=13 Bit Rate=1 Mb/s


I guess my question is, what are you supposed to see when you do an aireplay-ng command? As far as I know, this command sends death packets to a non-existent mac address, so the response it gives makes sense, but it doesn't seem like the command does anything, so I must have something wrong.

=Tron=
08-07-2008, 06:17 AM
As far as I know, this command sends death packets to a non-existent mac address, so the response it gives makes sense, but it doesn't seem like the command does anything, so I must have something wrong.

As no AP with the specified MAC address is found, aireplay-ng will not inject anything. Therefore it, as you say, does nothing. Use the MAC address of your own WEP encrypted AP instead and you should start to see some results.