Aircrack/Packet Injection Testing
From charlesreid1
Basic Injection Test
In order to confirm that packet injection works, you can use aireplay-ng in packet injection test mode (mode 9). The command looks like this:
$ aireplay-ng -9 -a AA:BB:CC:DD:EE wlan2mon
where -9 (or --test) selects packet injection test mode, -a AA:BB:CC:DD:EE is the MAC address of the target access point, and wlan2mon is the wireless device that has already been put into monitor mode with airmon-ng.
Here's what the output should look like:
$ aireplay-ng -9 -a AA:BB:CC:DD:EE wlan2mon
12:47:05 Waiting for beacon frame (BSSID: AA:BB:CC:DD:EE) on channel 7
12:47:05 Trying broadcast probe requests...
12:47:06 Injection is working!
12:47:07 Found 1 AP
12:47:07 Trying directed probe requests...
12:47:07 AA:BB:CC:DD:EE - channel: 7 - 'Walrus'
12:47:08 Ping (min/avg/max): 0.891ms/15.899ms/32.832ms Power: -21.72
12:47:08 29/30: 96%
Attack Tests
Now you can insert a second wireless card into the laptop (I used a second USB dongle of the same type/manufacturer/chipset).
Setup
Look for it in the list:
$ airmon-ng
In my case it was called wlan3. Now bring it online:
$ airmon-ng start wlan3
This will rename the device to wlan3mon. List wireless devices again:
$ airmon-ng
To quickly test the new wireless card on its own, run:
$ aireplay-ng -9 wlan3mon
Get Wireless Devices on Same Channel
Now get both cards listening on the same channel. Run a quick airodump-ng command for the new wireless card to ensure it's listening on the right channel:
$ airodump-ng --bssid AA:BB:CC:DD:EE -c 7 -w /tmp/junk wlan3mon
Kill it as soon as it has started. This switches the card to channel 7 (or whichever channel you chose) and makes sure both cards are on the same channel.
Run Attack Test
Now you can run the attack test:
$ aireplay-ng -9 -i wlan3mon wlan2mon
And the output:
$ aireplay-ng -9 -i wlan3mon wlan2mon
13:05:50 Trying broadcast probe requests...
13:05:50 Injection is working!
13:05:51 Found 3 APs
13:05:51 Trying directed probe requests...
13:05:51 AA:BB:CC:DD:EE - channel: 7 - 'Walrus'
13:05:52 Ping (min/avg/max): 1.273ms/20.986ms/33.943ms Power: -26.67
13:05:52 30/30: 100%
13:05:52 34:95:3B:84:5C:18 - channel: 7 - ''
13:05:53 Ping (min/avg/max): 5.004ms/28.884ms/64.336ms Power: -30.13
13:05:53 30/30: 100%
13:05:53 F7:71:85:13:6A:4B - channel: 7 - 'Dee'
13:05:54 Ping (min/avg/max): 1.262ms/8.353ms/31.431ms Power: -60.40
13:05:54 25/30: 83%
13:05:54 Trying card-to-card injection...
13:05:54 Attack -0: OK
13:05:54 Attack -1 (open): OK
13:05:54 Attack -1 (psk): OK
13:05:54 Attack -2/-3/-4/-6: OK
13:05:58 Attack -5/-7: Failed
From this site: "If you get a failure on attack 5, it may still work in the field if the injection MAC address matches the current card MAC address. With some drivers, it will fail if they are not the same."
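When qualifying several adapters for a lab, it helps to read a saved copy of this test output programmatically instead of by eye. The parser below is an added example, not code from the original page or from the aircrack-ng project; the function names, the 90% min_rate threshold and the sample MAC addresses are assumptions made for illustration.

```python
import re

# Patterns follow the aireplay-ng -9 output format shown on this page.
TS = r"^\d\d:\d\d:\d\d\s+"
AP_RE = re.compile(TS + r"(?P<bssid>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s+-\s+"
                   r"channel:\s*(?P<channel>\d+)\s+-\s+'(?P<essid>.*)'$")
RATE_RE = re.compile(TS + r"(?P<got>\d+)/(?P<sent>\d+):\s*\d+%$")
POWER_RE = re.compile(r"Power:\s*(?P<power>-?\d+(?:\.\d+)?)")
ATTACK_RE = re.compile(TS + r"Attack\s+(?P<name>.+?):\s*(?P<result>OK|Failed)$")

# Constructed sample (not captured from a real run); the MACs are made up.
SAMPLE = """\
13:05:50 Injection is working!
13:05:51 02:00:00:00:00:01 - channel: 7 - 'Walrus'
13:05:52 Ping (min/avg/max): 1.273ms/20.986ms/33.943ms Power: -26.67
13:05:52 30/30: 100%
13:05:53 02:00:00:00:00:02 - channel: 7 - ''
13:05:54 Ping (min/avg/max): 1.262ms/8.353ms/31.431ms Power: -60.40
13:05:54 25/30: 83%
13:05:54 Attack -1 (open): OK
13:05:58 Attack -5/-7: Failed
"""

def parse_injection_test(text):
    """Return injection status, per-AP reply rates and card-to-card results."""
    report = {"injection_working": False, "aps": [], "attacks": {}}
    current = None  # AP whose Ping/Power and reply-rate lines follow
    for line in (raw.strip() for raw in text.splitlines()):
        if "Injection is working!" in line:
            report["injection_working"] = True
        elif m := AP_RE.match(line):
            current = {"bssid": m["bssid"], "channel": int(m["channel"]),
                       "essid": m["essid"], "power": None, "rate": None}
            report["aps"].append(current)
        elif current and (m := POWER_RE.search(line)):
            current["power"] = float(m["power"])
        elif current and (m := RATE_RE.match(line)) and int(m["sent"]):
            current["rate"] = int(m["got"]) / int(m["sent"])
        elif m := ATTACK_RE.match(line):
            report["attacks"][m["name"]] = m["result"]
    return report

def problems(report, min_rate=0.9):  # min_rate is this example's threshold
    out = [] if report["injection_working"] else ["injection not confirmed"]
    for ap in report["aps"]:
        if ap["rate"] is None or ap["rate"] < min_rate:
            out.append(f"{ap['bssid']}: low or missing reply rate")
    out += [f"attack {n}: {r}" for n, r in report["attacks"].items() if r != "OK"]
    return out
```

A failed "-5/-7" entry shows up in the findings list, which is the case the quoted note above explains.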