Another AirCrack Guide for IPW2200 Driver (Intel PRO/Wireless 2200BG)

Shamelessly copied from some forum for my own personal notes.


Here’s a quick guide for anyone trying to get injection working on an ipw2200 with BackTrack 2. This is intended for first-time aircrack-ng users, so it will only detail the most basic procedure. You can find more complicated guides with troubleshooting for some of the more complicated access points in other threads.

I will be demonstrating a simple WEP crack using ARP request replay. Please also read the newbie guide first so that you generally know what you are doing.

** This tutorial is for open authenticated networks only. Shared key authentication is more complicated. **

By the way: if you are very new to linux, selecting text in the terminal window (with the mouse) will automatically copy it, and clicking both mouse buttons at the same time will paste. You can stop any aircrack programs with ctrl+c. To see the history of the terminal window, you can scroll with shift+pageUp/pageDown.

BackTrack 2 supports ipw2200 injection out of the box, but there are some limitations. Injection is slightly more complex when using the ipw2200 as opposed to other cards – you have to use different interfaces to inject and monitor. You can only use the following aireplay-ng attacks with the ipw2200:
2 (--interactive)
3 (--arpreplay)
4 (--chopchop)

You will need the following information first. You can find the access point details by running “iwlist eth1 scan” after you log into BackTrack:
Access point bssid
Access point channel


0. (optional) The aircrack-ng team has done such a great job lately that there have been 2 releases since BackTrack 2. So the first thing that you should do is update aircrack-ng to v0.9. You should start BackTrack connected to a LAN so that you can download the updates.
tar -zxvf aircrack-ng-0.9.tar.gz
cd aircrack-ng-0.9
make install

1. Enable the rtap0 interface.
rmmod ipw2200
modprobe ipw2200 rtap_iface=1

2. Make a ‘dummy’ connection to the access point. You don’t need to know the key at this stage – we just make up a fake one (“fakekey”). This step is required because of a limitation in the ipw2200 driver. ipw2200 must be in managed mode and connected to an access point before it will work with aireplay-ng.
iwconfig eth1 ap <access point bssid>
iwconfig eth1 key s:fakekey
iwconfig eth1 mode managed

3. Bring up the interfaces:
ifconfig eth1 up
ifconfig rtap0 up

3a. Optional: at this point, you can type “iwconfig” to see if the dummy connection from step 2 has worked. The connection details will be listed beside the “eth1” interface.

4. Run airodump-ng to capture packets from your access point to dumpfile*.cap. You should always specify a channel with airodump, because otherwise it will try to scan through all channels, and that will break your injection attack.
airodump-ng --channel <Access Point channel> --bssid <Access Point bssid> -w dumpfile rtap0

4a. After a few seconds in airodump-ng, you should notice that there are clients connected to the access point (they will be listed under “STATION”). Take note of the MAC address of one of the clients. You will use it in the next step.

5. Open another terminal window. Run an ARP replay attack. Note the commands at the end of the line (“-i rtap0 eth1”) which tell aireplay-ng to listen on rtap0 and inject on eth1. After some time, an ARP packet will come through and the #/s figure in the airodump-ng window will increase. If the RXQ (receive quality %) column is >90 then you should be getting #/s of 200 or higher, but more importantly, it should be much higher than what it was before.
aireplay-ng --arpreplay -b <Access Point bssid> -h <client MAC addr. from step 4a> -i rtap0 eth1

6. Wait a few minutes until the #Data reaches 100 000 (if you updated in step 0), or 1 000 000 (if you did not update in step 0). This should be more than enough, but we leave the attack running just in case.

7. Open another terminal window and run aircrack-ng.

  • If you did not update aircrack-ng in step 0, you will need 1 000 000 IVs, and will have to run aircrack-ng without -z:
    aircrack-ng -b <Access Point bssid> dumpfile*.cap
  • If you did update in step 0, you can use the PTW attack (-z option). Aircrack should say that it is processing approx. 100 000 IVs. If this number is low (less than 1000), there is some problem with your injection attack. Aircrack will then display “Key Found”. You should know what to do after that.
    aircrack-ng -z -b <Access Point bssid> dumpfile*.cap

You should now have the key.
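
Seen from the network owner's side, the replay in step 5 stands out: one station sends the same encrypted frame (same WEP IV, same length) at the rate the guide quotes (200 frames/s or more). The detector below is an added example, not part of the original post; the record layout, the thresholds and the sample frames are assumptions made up for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds; the post only says injection should give about 200 frames/s.
RATE_THRESHOLD = 100    # data frames per second from a single station
REPEAT_FRACTION = 0.9   # share of a window's frames reusing one (IV, length) pair


def find_replay_suspects(frames, window=1.0):
    """frames: iterable of (timestamp_s, bssid, station_mac, wep_iv_hex, length),
    e.g. exported by a monitor-mode sensor (hypothetical record layout).
    Returns sorted (bssid, station_mac) pairs whose traffic looks like ARP replay."""
    buckets = defaultdict(list)
    for ts, bssid, sta, iv, length in frames:
        buckets[(bssid, sta, int(ts // window))].append((iv, length))

    suspects = set()
    for (bssid, sta, _), items in buckets.items():
        if len(items) / window < RATE_THRESHOLD:
            continue  # too slow to be an injection flood
        # A replayed frame is retransmitted verbatim, so IV and length repeat.
        _, top_count = Counter(items).most_common(1)[0]
        if top_count / len(items) >= REPEAT_FRACTION:
            suspects.add((bssid, sta))
    return sorted(suspects)


def constructed_sample():
    """Constructed frames: a quiet client, a busy client and a replaying station."""
    ap = "02:00:00:00:00:01"
    frames = []
    for i in range(40):    # quiet client: 40 frames/s, fresh IVs, mixed sizes
        frames.append((10.0 + i / 40, ap, "02:00:00:00:00:aa",
                       f"{i:06x}", 90 + (i % 7) * 40))
    for i in range(150):   # busy client: fast, but every IV is new
        frames.append((10.0 + i / 150, ap, "02:00:00:00:00:cc",
                       f"{0x100000 + i:06x}", 1500))
    for i in range(250):   # replaying station: one frame repeated 250 times
        frames.append((10.0 + i / 250, ap, "02:00:00:00:00:bb", "a1b2c3", 68))
    return frames


if __name__ == "__main__":
    for bssid, sta in find_replay_suspects(constructed_sample()):
        print(f"possible ARP replay against {bssid} from {sta}")
```

The busy client is not flagged even though it exceeds the rate threshold, because none of its IVs repeat; rate alone would produce false positives on a loaded network.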



3 Responses to “Another AirCrack Guide for IPW2200 Driver (Intel PRO/Wireless 2200BG)”

  1. A great post, very useful and informative.

    But I am stuck at step 4 while running airodump

    root@bt:~# airodump-ng -c 11 --bssid 00:XX:57:XX:XX:7D -w hack3r rtap0
    SIOCGIWMODE: Operation not supported

  2. Martin Coombs Says:

    Hi, I’m very new to Linux and Aircrack. I’ve been playing with Aircrack for a few months now and have some familiarity with the programs. I can capture 4-way handshakes and run Aircrack on those. Your tutorial on how to use Linux to set up rtap0 and eth1 on an ipw2200 is the first one I have been able to understand. So, thanks for that.

    I have just upgraded to Aircrack-ng 1.2 beta3 and am trying to properly patch my Intel 2915ABG wireless card so I can explore WPS attacks. I have installed ieee80211-1.2.18 and have found both the ipw2200-1.2.1 and ipw2200-1.2.2 card drivers but (1) I cannot find an ipw2200-1.2.1-inject.patch that works with my 1.2.1 driver and (2) cannot find an ipw2200-1.2.2-inject.patch anywhere! I have spent at least 2 days looking for these.

    I am running kali-linux 3.18.0 kali3-686-pae.

    Can you point me somewhere where I can find a card driver and patch pair that will be compatible with my card? As I am sure you are aware, the Aircrack Linux Newbie Guide for patching ipw2200 drivers talks about ver 1.2.1 but all the external links in the guide are broken and the latest version available at is version 1.1.14.
