Topic: aireplay-ng does not get AP
alexeusgr2
Got the problem: I use Kubuntu 10.04 LTS, kernel 2.6.32-23-generic, card - Broadcom with 4315 (LP-PHY) chip, so I use the b43 driver. Getting a WEP protected AP: when I try to run aireplay-ng in ARP request replay mode it gives a "no such bssid" error. The injection test works, and if I try to associate with the AP before running airodump-ng, it's also OK. But after I try to run aireplay-ng -3 or airodump-ng, everything ends with the "no such bssid" error. When I try airmon-ng check it returns:
found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID   Name
4059  NetworkManager
4063  dhclient
4134  avahi-daemon
4135  avahi-daemon
4138  wpa_supplicant
and if I kill any of them they just restart.
I triple checked the ESSID & BSSID, and the channel too (I tried several APs on different channels).
Here is the tcpdump log:
~$ sudo tcpdump -n -e -s0 -vvv -i mon0
tcpdump: WARNING: mon0: no IPv4 address assigned
tcpdump: listening on mon0, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 65535 bytes
18:55:10.181808 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.263039 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.346452 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.419425 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.499433 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.578271 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.657765 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.737676 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.817394 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.900048 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
18:55:10.979432 1.0 Mb/s [0x0000000f] 0us BSSID:ff:ff:ff:ff:ff:ff DA:ff:ff:ff:ff:ff:ff SA:00:24:2c:7a:5f:f7 Probe Request () [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 Mbit]
which looks quite strange to me. airodump gives:
sudo airodump-ng -c 6 --bssid 00:13:49:F3:29:2F -w aaa mon0

 CH  6 ][ Elapsed: 0 s ][ 2010-07-20 19:03

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

Sometimes it sees someone on the net transmitting data.
What could be the problem, any ideas?
darkAudax
Those processes are almost for sure changing the channel, or you did not lock to a single channel that has the AP. You absolutely need to stop processes like NetworkManager and wpa_supplicant.
d.
alexeusgr2
Can't get it:
alex@alex-laptop:~$ sudo airmon-ng check

Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID   Name
2864  wpa_supplicant
3024  NetworkManager
3028  dhclient
3280  avahi-daemon
3281  avahi-daemon
alex@alex-laptop:~$ sudo kill -9 2864
alex@alex-laptop:~$ sudo kill -9 3024
alex@alex-laptop:~$ sudo kill -9 3028
kill: No such process
alex@alex-laptop:~$ sudo kill -9 3280
alex@alex-laptop:~$ sudo kill -9 3281
alex@alex-laptop:~$ sudo airmon-ng check

Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID   Name
3962  NetworkManager
3965  dhclient
3966  wpa_supplicant
4038  avahi-daemon
4039  avahi-daemon
And also:
alex@alex-laptop:~$ sudo airmon-ng start wlan0 6

Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them!

PID   Name
3962  NetworkManager
3965  dhclient
3966  wpa_supplicant
4038  avahi-daemon
4039  avahi-daemon

Interface   Chipset    Driver
wlan0       Broadcom   b43 - [phy0]
                       (monitor mode enabled on mon0)

alex@alex-laptop:~$ sudo aireplay-ng -9 -e aaa mon0
No source MAC (-h) specified. Using the device MAC
20:01:34 Waiting for beacon frame (ESSID: aaa) on channel 6
20:01:44 No such BSSID available. Please specify a BSSID (-a).
alex@alex-laptop:~$ iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
« Last Edit: July 20, 2010, 05:53:28 pm by alexeusgr2 »
darkAudax
The wiki airmon-ng page has instructions regarding problems killing processes. Please read and use it.
d.
alexeusgr2
The channel stays the same, it seems to me, am I not right?
alex@alex-laptop:~$ sudo aireplay-ng -9 -e aaa mon0
20:01:34 Waiting for beacon frame (ESSID: aaa) on channel 6
20:01:44 No such BSSID available. Please specify a BSSID (-a).
alex@alex-laptop:~$ iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
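The "does the channel stay the same" question can be checked mechanically rather than by eye. The following is an added shell helper, not code from this thread or from the aircrack-ng project; it assumes iwconfig output in the layout posted above and reports every monitor-mode interface whose tuned frequency does not correspond to the expected channel, which is how you would catch NetworkManager, wpa_supplicant or a channel-hopping tool having moved the radio.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): read an iwconfig dump on stdin,
# print the channel of every Mode:Monitor interface, and fail unless each one is
# on the expected channel.

# Map a 2.4 GHz centre frequency in GHz, as iwconfig prints it (e.g. 2.437), to
# its 802.11b/g channel: channels 1-13 sit 5 MHz apart from 2412 MHz, channel 14
# alone at 2484 MHz. Anything else prints "unknown".
freq_to_channel() {
  mhz=$(printf '%s\n' "$1" | awk '{ printf "%.0f", $1 * 1000 }')
  if [ "$mhz" -eq 2484 ]; then
    echo 14
  elif [ "$mhz" -ge 2412 ] && [ "$mhz" -le 2472 ] && [ $(( (mhz - 2412) % 5 )) -eq 0 ]; then
    echo $(( (mhz - 2412) / 5 + 1 ))
  else
    echo unknown
  fi
}

# Usage: check_monitor_channel EXPECTED_CHANNEL < iwconfig-output
# Prints "<iface> channel <n>" per monitor interface; returns 0 only if at least
# one monitor interface exists and all of them are on EXPECTED_CHANNEL.
check_monitor_channel() {
  want=$1 found=0 bad=0
  # iwconfig starts each interface block in column 0; awk emits "iface:GHz" for
  # the line carrying Mode:Monitor, which in this driver also carries Frequency.
  for pair in $(awk '
      /^[A-Za-z0-9]/ { iface = $1 }
      /Mode:Monitor/ && match($0, /Frequency:[0-9.]+/) {
        printf "%s:%s\n", iface, substr($0, RSTART + 10, RLENGTH - 10)
      }'); do
    found=1
    ch=$(freq_to_channel "${pair#*:}")
    printf '%s channel %s\n' "${pair%%:*}" "$ch"
    [ "$ch" = "$want" ] || bad=1
  done
  [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Constructed sample modelled on the iwconfig output posted in the thread.
SAMPLE_IWCONFIG='wlan0     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off'

# Stand-alone demo on the sample: prints "mon0 channel 6" and exits 0.
printf '%s\n' "$SAMPLE_IWCONFIG" | check_monitor_channel 6
```

On a live system, run `iwconfig 2>/dev/null | check_monitor_channel 6` in a loop while airodump-ng or aireplay-ng is running; a non-zero exit is the moment something retuned the card.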
alexeusgr2
I killed them all, something changed: the card is waiting for a frame, not giving the "no bssid" error. Maybe I need to go closer? Signal is around 70% strength.
Mister_X
So I guess the essid 'aaa' does not exist on channel 6. If it does, then use -D to disable automatic detection.
alexeusgr2
Still no progress. I stopped services & killed all the processes that could interfere. Now if I start aireplay-ng after airodump it just shows "Waiting for beacon frame".
Here is the iwlist output:
Cell 04 - Address: 00:13:49:F3:29:2F
          Channel:6
          Frequency:2.437 GHz (Channel 6)
          Quality=36/70  Signal level=-74 dBm
          Encryption key:on
          ESSID:"aaa"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 22 Mb/s
          Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                    36 Mb/s; 48 Mb/s; 54 Mb/s
          Mode:Master
          Extra:tsf=00000066c9d8e37c
          Extra: Last beacon: 900ms ago
          IE: Unknown: 000D7665747261746F7269612E7275
          IE: Unknown: 010582848B962C
          IE: Unknown: 030106
          IE: Unknown: 2A0103
          IE: Unknown: 32080C1218243048606C
"Last beacon: 900 ms ago" means that the AP sends beacon frames? And also, can this problem occur if there is no one communicating with the AP? If I start aireplay-ng BEFORE airodump, it seems OK, but it doesn't receive ARP requests.
And please don't tell me about a wrong bssid, essid, no AP on the channel, etc.; I checked this more than once, I may be stupid but not that much.
« Last Edit: July 24, 2010, 04:17:25 pm by alexeusgr2 »
Mister_X
Try -D to disable automatic detection.
alexeusgr2
sudo aireplay-ng -D -e aaa -1 0 -a 00:13:49:F3:29:2F mon0
No source MAC (-h) specified. Using the device MAC
18:45:27 Sending Authentication Request (Open System)
18:46:12 Sending Authentication Request (Open System)

Attack was unsuccessful. Possible reasons:

    * Perhaps MAC address filtering is enabled.
    * Check that the BSSID (-a option) is correct.
    * Try to change the number of packets (-o option).
    * The driver/card doesn't support injection.
    * This attack sometimes fails against some APs.
    * The card is not on the same channel as the AP.
    * You're too far from the AP. Get closer, or lower the transmit rate.

Then I tried again:
alex@alex-laptop:~$ sudo airmon-ng stop mon0

Interface   Chipset    Driver
wlan0       Broadcom   b43 - [phy0]
mon0        Broadcom   b43 - [phy0] (removed)

alex@alex-laptop:~$ sudo airmon-ng start wlan0 6

Interface   Chipset    Driver
wlan0       Broadcom   b43 - [phy0]
                       (monitor mode enabled on mon0)

alex@alex-laptop:~$ sudo aireplay-ng -D -e aaa -1 0 -a 00:13:49:F3:29:2F mon0
No source MAC (-h) specified. Using the device MAC
18:52:19 Sending Authentication Request (Open System) [ACK]
18:52:19 Authentication successful
18:52:19 Sending Association Request [ACK]
18:52:19 Association successful :-) (AID: 1)
alex@alex-laptop:~$
« Last Edit: July 24, 2010, 04:44:36 pm by alexeusgr2 »
Mister_X
I couldn't explain why without a capture file.
So, when you do it, before running aireplay-ng, use tcpdump to capture on mon0 to a file (tcpdump -i mon0 -s 65535 -n -w outputfile.pcap) and then post the capture that fails.
alexeusgr2
Here's the output, not sure it's correct.
Mister_X
The capture file is ok.
I noticed that there are no packets coming from the card when you send the authentication (btw, the access point name is not 'aaa'), only packets sent. Without these aireplay-ng cannot tell that the authentication (and then association) was accepted, and thus fake auth fails.
You can try the following:
- Make sure there's no process that will interfere with aireplay-ng, ... by running "airmon-ng check"
- Update to the latest version of compat-wireless (the versions with a date in them), maybe they will solve your problem.
Also note that the frequency reported in the radiotap header is 32 (in Wireshark) and that is strange since I see in the beacons that the AP is on channel 6.
alexeusgr2
I know about the names of the APs, there are 2 routers I try with. Also strange that everything's OK before I start anything that uses wireless (airodump, aireplay, network-manager, etc.). I run airmon-ng check always before anything else. OK, I'll try to update compat, it's the only solution left, yet I updated the kernel a week ago, and injection has worked here since 2.6.26.
alexeusgr2
So I installed compat-wireless-2010-07-23, it needed a little patching, because it had a problem with channel handling, as described here: http://trac.aircrack-ng.org/ticket/742
After the patch the problem seemed to have gone, but still the same situation with fake auth, ARP replay, etc. Actually I found out that as soon as I do any action with airodump, aireplay it stops working:
alex@alex-laptop:~$ sudo aireplay-ng -9 -e aaa mon0
21:12:13 Waiting for beacon frame (ESSID: aaa) on channel 6
Found BSSID "00:13:49:F3:29:2F" to given ESSID "aaa".
21:12:13 Trying broadcast probe requests...
21:12:13 Injection is working!
21:12:15 Found 1 AP

21:12:15 Trying directed probe requests...
21:12:15 00:13:49:F3:29:2F - channel: 6 - 'aaa'
21:12:17 Ping (min/avg/max): 1.242ms/32.993ms/52.569ms Power: -78.76
21:12:17 25/30: 83%

alex@alex-laptop:~$ sudo aireplay-ng -9 -e aaa mon0
21:12:19 Waiting for beacon frame (ESSID: aaa) on channel 6
21:12:29 No such BSSID available. Please specify a BSSID (-a).
alex@alex-laptop:~$
So maybe the aircrack suite changes the channel? On Karmic everything worked well, problems started when I upgraded to Lucid. So I want to try another config, BackTrack or SliTaz. Also I'm eager to know if someone experiences the same problems on the same config. I have a Dell Vostro 1320 with a 1392 wireless Dell minicard, chip 14e4:4315.