PaulDotCom mailing list archives

packet injection on ipw2200bg


From: mailing at vankets.com (Bert Van Kets)
Date: Fri, 04 Sep 2009 23:26:10 +0200

Hi all,

I would like to use the built-in network card of my Dell Latitude D510
(Intel IPW2200BG) to demonstrate the (in)security of WEP. The two major
internet providers in Belgium install wireless routers using WEP
encryption. A perfect situation for an IT consultant like me to set up
security properly afterwards. Of course I will have to be able to
demonstrate how easy it is to crack WEP. I would like to do this without
added hardware like PCMCIA cards or USB dongles and *without any
connected clients*.
I have managed to crack my own WEP key using aircrack-ng by creating
traffic using a second computer. That required moving about 600MB of
data over the wireless. Not an ideal situation for demo purposes. Hence
the requirement for packet injection.
I'm using Backtrack 3 for this. AFAIK this live CD contains the patched
kernel module.
Here's what I do:
- airodump-ng eth1 (to get the channel and possibly the ESSID of the AP)
- rmmod ipw2200
- modprobe ipw2200 rtap_iface=1 channel=<AP-channel>
- ifconfig eth1 essid <essid>
- ifconfig eth1 key s:fakekey
- ifconfig eth1 mode managed
- ifconfig eth1 up
- ifconfig rtap0 up
- airodump-ng -c <AP-channel> -w dump -bssid <AP-Mac> -ivs eth1

In new window
- aireplay-ng --arpreplay -b <AP-Mac> -h <Mac> -i rtap0 eth1

As I do not manage to capture any arp packages I can not replay them and
can not get any IVs so running aircrack-ng has not been in order yet. :-(

What am I missing? What are the requirements for the IPW2200 card to be
able to use arpreplay attacks?
I can not successfully run "iwconfig eth1 ap <AP-Mac>". I always get
errors saying that the AP parameter does not accept a Mac address even
though the manual says the command is correct. Do I need to configure an
AP? How???

Thanks for any help.

Bert

