NetStumbler.org Forums

02-06-2006, #1
zony
Registered Member
Join Date: Feb 2006
Posts: 11

aireplay pretty slow...

Hello.

Let me explain my setup first: my router is a Linksys WRT54GS using a 128bit WEP key that I want to crack. My notebook (approximately 1 meter away from the router) has a built-in Intel PRO/Wireless 2200 card (Centrino) and an MSI CB54G2 PCMCIA card (Ralink chipset). For the MSI card I am using the latest CVS drivers. I've started airodump on the Intel card and aireplay on the MSI card:

Code:
aireplay -3 -b <MAC of router> -h <MAC of an associated client> ra0
This actually works, but the IV count seems to increase a bit too slowly compared to what I read elsewhere - I only get about 300 IVs per minute. I also played with aireplay's '-x' switch, but that didn't speed things up. Any idea why this is so slow and what I could do about it?

Thanks.
02-06-2006, #2
theprez98
SpoonfeederExtraordinaire
Join Date: Jan 2005
Location: Maryland
Posts: 3,619
Quote: Originally Posted by zony (post #1 above, quoted in full)
Did you start with attack 3 first? You need either the MAC address of an associated client or a fake MAC from attack 1 before attack 3 will do anything for you.
__________________
:00475160 0E A6 AE A0 19 E3 A3 46 .......F
:00475168 0D 65 17 0C 53 70 6F 6F .e..Spoo
:00475170 6E 66 65 65 64 65 72 2E nfeeder.
:00475178 45 78 74 72 61 6F 72 64 Extraord
:00475180 69 6E 61 69 72 65 5D 3B inaire];
:00475188 8B 9E 92 5A FF 5D A6 F0 ...Z.]..
02-06-2006, #3
zony
Registered Member
Join Date: Feb 2006
Posts: 11
Quote:
Originally Posted by theprez98
Did you start with attack 3 first? You need either the MAC address of an associated client or a fake MAC from attack 1 before attack 3 will do anything for you.
Thanks for your reply. The first thing I did was start airodump in order to get the MAC of an associated client. Then I started aireplay with this MAC as the source MAC. The fact that the IV count is still increasing, although the previously associated client is offline now, makes me assume that aireplay is working correctly - it's just a bit slow. Which IV rates do you get?
02-06-2006, #4
theprez98
SpoonfeederExtraordinaire
Join Date: Jan 2005
Location: Maryland
Posts: 3,619
Quote:
Originally Posted by zony
Thanks for your reply. The first thing I did was start airodump in order to get the MAC of an associated client. Then I started aireplay with this MAC as the source MAC. The fact that the IV count is still increasing, although the previously associated client is offline now, makes me assume that aireplay is working correctly - it's just a bit slow. Which IV rates do you get?
To use attack 3, first you need to generate an ARP request. Attack 0 (deauth) will do this while Attack 1 (fake auth) does not. Attack 3 will then re-inject the ARP request. Using an atheros card, I've been able to capture roughly 100,000/min. Given ~500,000 to crack 128-bit WEP, you should be able to do this in about 5 min.
02-06-2006, #5
renderman
Drunken Stumbler
Join Date: Jun 2002
Location: Anywhere but Utah
Posts: 1,803
The real trick is to try getting the necessary IVs with no associated clients or no traffic on a client.
02-06-2006, #6
Barry
Managing the iTards.
Join Date: Dec 2002
Location: Ohio
Posts: 5,383
Quote:
Originally Posted by renderman
The real trick is to try getting the necessary IVs with no associated clients or no traffic on a client.

Yea, but you just have to look at a wrt and it rolls over and pisses itself.
__________________
Atheism is a non-prophet organization.
02-07-2006, #7
zony
Registered Member
Join Date: Feb 2006
Posts: 11
Quote:
Originally Posted by theprez98
To use attack 3, first you need to generate an ARP request. Attack 0 (deauth) will do this while Attack 1 (fake auth) does not. Attack 3 will then re-inject the ARP request. Using an atheros card, I've been able to capture roughly 100,000/min. Given ~500,000 to crack 128-bit WEP, you should be able to do this in about 5 min.
Ehm, as I already wrote, I am receiving ARP requests and aireplay is also sending packets, it's just too slow! I let the computer run overnight and the number of IVs has reached 415,000 - in nearly 24 hours. Using attack 0 before attack 3 doesn't change anything...

How can I speed things up? Thanks.
02-07-2006, #8
theprez98
SpoonfeederExtraordinaire
Join Date: Jan 2005
Location: Maryland
Posts: 3,619
Quote: Originally Posted by zony (post #7 above, quoted in full)
Actually, if you read back, you didn't write anything about ARP requests, that's why I mentioned it.

Without doing any sort of packet re-injection, you should be able to collect several hundred thousand IVs (or more) in a 24 hour period, assuming the network is in use. If someone is downloading large files (CD images, for example), you could conceivably get this many IVs in several hours. All this again, without using any packet reinjection.

I would guess that whatever packet you are reinjecting is simply not working.
02-07-2006, #9
renderman
Drunken Stumbler
Join Date: Jun 2002
Location: Anywhere but Utah
Posts: 1,803
Are you actually injecting packets?

Does the rate of packet capture increase when you fire up aireplay? Double check you've patched everything you need to patch for injection.
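The two things raised in posts #4 and #9 - how fast fresh IVs are really arriving, and whether the replay is producing new IVs or just frames - can be measured from a capture instead of eyeballing airodump's counter. The following is an added example, not code from this thread or from the aircrack suite: it parses a classic pcap with link type 105 (raw 802.11) or 127 (radiotap), pulls the 3-byte IV out of every protected data frame, and reports unique IVs per minute, protected frames per minute and the time still needed to reach the 500,000-IV figure quoted above. The capture it runs on is built in memory; the MAC addresses and timing in it are made up for the test.

```python
# Measure the rate of fresh WEP IVs in an 802.11 capture.
# Added example: not from the forum thread or from aircrack.
import struct

DLT_IEEE802_11 = 105         # raw 802.11 frames
DLT_IEEE802_11_RADIO = 127   # radiotap header in front of each frame
TARGET_IVS = 500_000         # the 128-bit WEP figure quoted in the thread


def parse_pcap(data):
    """Return (linktype, [(timestamp_s, frame_bytes), ...]) from classic pcap bytes."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((ts_sec + ts_usec / 1e6, data[off:off + incl_len]))
        off += incl_len
    return linktype, records


def wep_iv(frame, linktype):
    """Return the 3-byte IV of a protected 802.11 data frame, or None."""
    if linktype == DLT_IEEE802_11_RADIO:
        if len(frame) < 4:
            return None
        rt_len = struct.unpack_from("<H", frame, 2)[0]   # radiotap length field
        dot11 = frame[rt_len:]
    elif linktype == DLT_IEEE802_11:
        dot11 = frame
    else:
        raise ValueError("unsupported link type %d" % linktype)
    if len(dot11) < 24:
        return None
    fc, flags = dot11[0], dot11[1]
    if ((fc >> 2) & 0x3) != 2 or not (flags & 0x40):   # type 2 = data, 0x40 = Protected Frame
        return None
    hdr = 24
    if (flags & 0x03) == 0x03:    # To-DS and From-DS both set: four-address header
        hdr += 6
    if (fc >> 4) & 0x08:          # QoS data subtypes add a 2-byte QoS control field
        hdr += 2
    if len(dot11) < hdr + 4:      # IV(3) + key index(1) must be present
        return None
    return bytes(dot11[hdr:hdr + 3])


def iv_stats(pcap_bytes, target=TARGET_IVS):
    """Count frames, protected data frames and unique IVs; derive per-minute rates."""
    linktype, records = parse_pcap(pcap_bytes)
    ivs, wep_frames, first, last = set(), 0, None, None
    for ts, frame in records:
        iv = wep_iv(frame, linktype)
        if iv is None:
            continue
        wep_frames += 1
        ivs.add(iv)
        first = ts if first is None else first
        last = ts
    span = (last - first) if wep_frames and last > first else 0.0
    per_min = (len(ivs) * 60 / span) if span else 0.0
    remaining = max(target - len(ivs), 0)
    return {
        "frames": len(records), "wep_frames": wep_frames, "unique_ivs": len(ivs),
        "span_s": span, "ivs_per_min": per_min,
        "wep_frames_per_min": (wep_frames * 60 / span) if span else 0.0,
        "eta_min": (remaining / per_min) if per_min else float("inf"),
    }


def build_sample_pcap(n_frames, interval_ms, iv_repeat_every=0, beacons=False, radiotap=True):
    """Constructed capture for testing: n_frames WEP data frames, one every interval_ms.
    iv_repeat_every=k makes every k-th frame reuse the previous IV (a replayed frame);
    beacons=True interleaves unprotected management frames that must be ignored.
    The addresses are made up."""
    linktype = DLT_IEEE802_11_RADIO if radiotap else DLT_IEEE802_11
    rt_hdr = struct.pack("<BBHI", 0, 0, 8, 0) if radiotap else b""   # minimal radiotap header
    bssid, client = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    bcast = b"\xff" * 6
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype))

    def record(t_us, frame):
        out.extend(struct.pack("<IIII", t_us // 1_000_000, t_us % 1_000_000, len(frame), len(frame)))
        out.extend(frame)

    iv_counter = 0
    for i in range(n_frames):
        t_us = 1_000_000_000_000 + i * interval_ms * 1000
        if beacons:   # FC 0x80 = management/beacon, flags 0x00 = not protected
            record(t_us, rt_hdr + bytes([0x80, 0x00, 0, 0]) + bcast + bssid + bssid + b"\x00" * 14)
        if not (iv_repeat_every and i % iv_repeat_every == iv_repeat_every - 1):
            iv_counter += 1
        # FC 0x08 = data frame; flags 0x41 = To-DS + Protected Frame
        dot11 = bytes([0x08, 0x41, 0, 0]) + bssid + client + bcast + b"\x00\x00"
        body = iv_counter.to_bytes(3, "little") + b"\x00" + b"\x00" * 40   # IV, key idx, ciphertext
        record(t_us, rt_hdr + dot11 + body)
    return bytes(out)
```

Run `iv_stats` over the bytes of a real capture file to get the same numbers for a live run. A high `wep_frames_per_min` together with a low `ivs_per_min` means the replayed ARP is going out but the AP is not answering with fresh traffic; a low value for both means the card is not injecting at any useful speed, which is the distinction the thread is circling around. At the 300 IVs/min reported in post #1 the function's `eta_min` for 500,000 IVs comes out at a little under 28 hours, which matches the "415,000 in nearly 24 hours" in post #7.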
02-07-2006, #10
zony
Registered Member
Join Date: Feb 2006
Posts: 11
Thanks for your replies.

Quote:
Originally Posted by theprez98
Actually, if you read back, you didn't write anything about ARP requests, that's why I mentioned it.
You are right, sorry. Must have missed it...

Quote:
Originally Posted by theprez98
Without doing any sort of packet re-injection, you should be able to collect several hundred thousand IVs (or more) in a 24 hour period, assuming the network is in use. If someone is downloading large files (CD images, for example), you could conceivably get this many IVs in several hours. All this again, without using any packet reinjection.
The network was not in use by any "legal" client during this period so the only traffic was the one generated from aireplay. Yesterday I only connected a client to gather ARP requests and disconnected it after aireplay started sending packets. Seems like it is sending too few packets per second...

Quote:
Originally Posted by renderman
Are you actually injecting packets?
I think I do as there is no other network traffic and the IV count is still increasing (430K now).

Quote:
Originally Posted by renderman
Does the rate of packet capture increase when you fire up aireplay?
Yes, but only about 300 IVs per minute.

Quote:
Originally Posted by renderman
Double check you've patched everything you need to patch for injection.
What do I have to patch? I just used the rt2500 nightly CVS tarball as 100h.org is down. What patches do I have to apply and where do I get them?
02-07-2006, #11
renderman
Drunken Stumbler
Join Date: Jun 2002
Location: Anywhere but Utah
Posts: 1,803
Quote: Originally Posted by zony (post #10 above, quoted in full)
If you actually RTFM the readme for Aircrack you'll see that depending on which drivers you're using (madwifi, hostap, etc.) you need to patch them. Looking at the matrix of support you see:

Quote:
Ralink | NO | YES (rt2500 / rt2570 driver) | YES (driver patching required)
Crack open the readme and look at the section: How do I patch the driver for injection with aireplay ?

Google will provide copies of the files you need
02-07-2006, #12
zony
Registered Member
Join Date: Feb 2006
Posts: 11
Quote:
Originally Posted by renderman
If you actually RTFM the readme for Aircrack you'll see that depending on which drivers you're using (madwifi, hostap, etc.) you need to patch them.
Well, actually I did RTFM. Look at the section covering the "patching" for Ralink chipsets:

Code:
Installing the rt2500 driver (Ralink b/g PCI/CardBus)

ifconfig ra0 down
rmmod rt2500

cd /usr/src
wget http://100h.org/wlan/linux/ralink/rt2500-cvs-20051112.tgz
tar -xvzf rt2500-cvs-20051112.tgz
cd rt2500-cvs-20051112
cd Module
make && make install
modprobe rt2500

Make sure to load the driver with modprobe (not insmod) and to put
the card in Monitor mode before bringing the interface up.
It's just installing the CVS driver, no patching mentioned. But anyway, packet injection seems to work - otherwise, would the IV count keep increasing without a single client connected? At least it stops increasing after killing the aireplay process...

And I say it again - it is a speed issue, not a "I cannot get aireplay working at all" one. Hints still welcome.
02-07-2006, #13
renderman
Drunken Stumbler
Join Date: Jun 2002
Location: Anywhere but Utah
Posts: 1,803
Quote: Originally Posted by zony (post #12 above, quoted in full)
Ah, my bad. Still, given that the above matrix said that a driver patch was required, it's probably best to re-compile it as the instructions say.

Also, have you tried any other wireless cards/drivers with aireplay? Not having a Ralink card handy, I can't test its replay speed. It may be that the Ralink chipset can't do it very fast.
02-08-2006, #14
zony
Registered Member
Join Date: Feb 2006
Posts: 11
Quote:
Originally Posted by renderman
Ah, my bad. Still, given that the above matrix said that a driver patch was required, it's probably best to re-compile it as the instructions say.
Don't think recompiling the driver would help at all because the CVS driver was the first Ralink driver that touched my disk. And of course I compiled it from the sources as mentioned in the docs.

Quote:
Originally Posted by renderman
Also, have you tried any other wireless cards/drivers with aireplay?
Unfortunately not. Well, at least no card with an aireplay-compatible chipset (only Intel, Zydas and Atmel chipsets).

Quote:
Originally Posted by renderman
It may be that the Ralink chipset can't do it very fast.
Hm, I thought about the same thing. But consider this: if this Ralink-based card wasn't suited well for aireplay would they mention it as a suggested card in the documentation? Maybe the Linksys WRT54GS (with Sveasoft Talisman Basic V1.1 firmware) has some sort of protection? Will try a Linksys WAP54G access point and a D-Link DI-614+ router at the weekend when I'm at home...
02-08-2006, #15
wrzwaldo
I amuse you?
Join Date: Dec 2003
Posts: 9,127
Quote:
Originally Posted by zony
Hm, I thought about the same thing. But consider this: if this Ralink-based card wasn't suited well for aireplay would they mention it as a suggested card in the documentation? Maybe the Linksys WRT54GS (with Sveasoft Talisman Basic V1.1 firmware) has some sort of protection? Will try a Linksys WAP54G access point and a D-Link DI-614+ router at the weekend when I'm at home...

What is the FCC ID of your card? I'd like to see if there are any weird revisions.