(Aircrack)Yet another WEP cracking tool for Linux - Page 8

devine · 08-26-2004

Quote:

Originally Posted by sylvain

and what do you think of what I said earlier devine ?

It's a worthy suggestion. However, icmp echo-requests are typically not answered by windows machine, but linux machines do respond. So it will only work if there are one or more linux boxes on the local network.

post-edit: the above applies to broadcast echo-requests (like, ping 192.168.1.255)

topolb · 08-26-2004

Quote:

Originally Posted by devine

It's a worthy suggestion. However, icmp echo-requests are typically not answered by windows machine, but linux machines do respond. So it will only work if there are one or more linux boxes on the local network.

Not answered by windows machine? are you sure? Windows always answer icmp echo-request if it is directly sent to it and there is not any firewall blocking.

What windows are not used to answer is icmp echo-requests directed to broadcast.

As far as I know sylvain suggestion of spoofing icmp requests should work

devine · 08-26-2004

Quote:

Originally Posted by topolb

Not answered by windows machine? are you sure? Windows always answer icmp echo-request if it is directly sent to it and there is not any firewall blocking.

What windows are not used to answer is icmp echo-requests directed to broadcast.

Yep, that's what I was meaning.

topolb · 08-26-2004

Quote:

Originally Posted by devine

Yep, that's what I was meaning.

An UDP directed to broadcast on port 137 will make all windows boxes answer with their names }:-)

sylvain · 08-26-2004

Quote:

Originally Posted by topolb

An UDP directed to broadcast on port 137 will make all windows boxes answer with their names }:-)

so is this something you think you can implement independently from the type of cards we are using...

in fact I really think that we should find an attack which does not depend from the type of cards we are using (implementation aspect)

devine · 08-26-2004

Quote:

Originally Posted by sylvain

so is this something you think you can implement independently from the type of cards we are using...

in fact I really think that we should find an attack which does not depend from the type of cards we are using (implementation aspect)

Under Linux, you can't sniff with any wireless card - your driver must support the Monitor mode. Likewise, you can't send raw 802.11 frames with any wireless card, because the driver must support it too. So far, other people (airjack, airpwn) have only succeeded with Prism2-based cards. I got some feedback that it is not feasable with orinoco (Hermes) cards. It may be possible with Cisco, Prism54 or Atheros-based cards, but I don't have the hardware at hand to conduct the tests (donations welcomed

)

sylvain · 08-26-2004

Quote:

Originally Posted by devine

Under Linux, you can't sniff with any wireless card - your driver must support the Monitor mode. Likewise, you can't send raw 802.11 frames with any wireless card, because the driver must support it too. So far, other people (airjack, airpwn) have only succeeded with Prism2-based cards. I got some feedback that it is not feasable with orinoco (Hermes) cards. It may be possible with Cisco, Prism54 or Atheros-based cards, but I don't have the hardware at hand to conduct the tests (donations welcomed

)

hum I am sure to understand :
- for the monitor mode I agree
- but for sending raw 802.11 frames, why can't we use tools like Hping or any packet injector and to specify we want to use to send the raw frames...Indeed I am not sure Hping is able to create 802.11 frames...

devine · 08-26-2004

Quote:

Originally Posted by sylvain

for sending raw 802.11 frames, why can't we use tools like Hping or any packet injector

I'm not sure about other chipsets, but the Prism2 chipset in Monitor or Managed mode corrupts the 802.11 header if the SA differs from the card MAC, and also corrupts the BSSID. In Master mode however the chipset will accept any frame and sends it unmodified over the air (this is already explained in README.txt, by the way).

b0nk · 08-26-2004

DHCP requests are interesting to reinject ..
They are 368 bytes long.

sylvain · 08-26-2004

Quote:

Originally Posted by devine

I'm not sure about other chipsets, but the Prism2 chipset in Monitor or Managed mode corrupts the 802.11 header if the SA differs from the card MAC, and also corrupts the BSSID. In Master mode however the chipset will accept any frame and sends it unmodified over the air (this is already explained in README.txt, by the way).

So can't we imagine to make a tool which will reinject spoofed packets with the IP address of the AP as origin (broadcast ping) or spoofed packets with the IP of the clients as origin (dhcp requests, arp ...) in Master mode ?

KoreK · 08-26-2004

Quote:

Originally Posted by devine

I'm not sure about other chipsets, but the Prism2 chipset in Monitor or Managed mode corrupts the 802.11 header if the SA differs from the card MAC, and also corrupts the BSSID. In Master mode however the chipset will accept any frame and sends it unmodified over the air (this is already explained in README.txt, by the way).

Based on Abaddon's driver (and rma0251.pdf, google for it), it wasn't very difficult to patch wlan-ng to send raw 802.11 frame in monitor mode. I had a quick look at the hostap driver and the following patch (against 0.2.0) should put the chipset in a more receptive mood.

Code:

--- hostap_ioctl.c.orig 2004-08-26 13:52:07.000000000 +0100
+++ hostap_ioctl.c      2004-08-26 13:50:29.000000000 +0100
@@ -1043,7 +1043,7 @@
        hostap_monitor_set_type(local);
 
        if (hostap_set_word(dev, HFA384X_RID_CNFPORTTYPE,
-                           HFA384X_PORTTYPE_PSEUDO_IBSS)) {
+                           5)) {
                printk(KERN_DEBUG "Port type setting for monitor mode "
                       "failed\n");
                return -EOPNOTSUPP;
@@ -1067,6 +1067,14 @@
                return -EOPNOTSUPP;
        }
 
+       if (local->func->reset_port(dev) ||
+           local->func->cmd(dev, HFA384X_CMDCODE_TEST |
+                            (0x0a << 8),
+                            0, NULL, NULL)) {
+               printk(KERN_DEBUG "Tx Exception Suppression mode failed\n");
+               return -EOPNOTSUPP;
+       }
+
        return 0;
 }

Another nice thing in the prism2 chipset is promiscuous mode. You can associate with an AP (as long as it's opensystem), set the card in promiscuous mode and watch the encrypted traffic fly by.

devine · 08-26-2004

Quote:

Originally Posted by sylvain

So can't we imagine to make a tool which will reinject spoofed packets with the IP address of the AP as origin (broadcast ping) or spoofed packets with the IP of the clients as origin (dhcp requests, arp ...) in Master mode ?

There's no IP address in the 802.11 header, the IP header itself in located inside the encrypted payload.

Anyway, the basic ARP-request reinjection attack works reliably, I've used it several times with great success. I'm currently improving it with the help of b0nk so as to consider ICMP or UDP requests (like, DHCP discover packets).

sylvain · 08-26-2004

Quote:

Originally Posted by devine

There's no IP address in the 802.11 header, the IP header itself in located inside the encrypted payload.

Anyway, the basic ARP-request reinjection attack works reliably, I've used it several times with great success. I'm currently improving it with the help of b0nk so as to consider ICMP or UDP requests (like, DHCP discover packets).

the ARP-request reinjection attack works...if you have a Prism2 card...i think I will have to buy one..

sylvain · 08-26-2004

Quote:

Originally Posted by KoreK

Based on Abaddon's driver (and rma0251.pdf, google for it), it wasn't very difficult to patch wlan-ng to send raw 802.11 frame in monitor mode. I had a quick look at the hostap driver and the following patch (against 0.2.0) should put the chipset in a more receptive mood.

Code:

--- hostap_ioctl.c.orig 2004-08-26 13:52:07.000000000 +0100
+++ hostap_ioctl.c      2004-08-26 13:50:29.000000000 +0100
@@ -1043,7 +1043,7 @@
        hostap_monitor_set_type(local);
 
        if (hostap_set_word(dev, HFA384X_RID_CNFPORTTYPE,
-                           HFA384X_PORTTYPE_PSEUDO_IBSS)) {
+                           5)) {
                printk(KERN_DEBUG "Port type setting for monitor mode "
                       "failed\n");
                return -EOPNOTSUPP;
@@ -1067,6 +1067,14 @@
                return -EOPNOTSUPP;
        }
 
+       if (local->func->reset_port(dev) ||
+           local->func->cmd(dev, HFA384X_CMDCODE_TEST |
+                            (0x0a << 8),
+                            0, NULL, NULL)) {
+               printk(KERN_DEBUG "Tx Exception Suppression mode failed\n");
+               return -EOPNOTSUPP;
+       }
+
        return 0;
 }

Another nice thing in the prism2 chipset is promiscuous mode. You can associate with an AP (as long as it's opensystem), set the card in promiscuous mode and watch the encrypted traffic fly by.

did you already have a look at cisco drivers (included in the kernel airo.c , airo_cs.c ..) ?

KoreK · 08-26-2004

Quote:

Originally Posted by sylvain

did you already have a look at cisco drivers (included in the kernel airo.c , airo_cs.c ..) ?

From Abaddon's FAQ:

Quote:

Q: does it work with cisco cards?

A: no, there is little reason why it couldnt, the cards are very similar
in fact i have privately writen a version for the cisco, but i am under
NDA with aironet so i cant open any code up or discuss their cards
(which are very good cards btw)...

I did not look at the cisco driver. Maybe later.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

08-26-2004	#114 (permalink)
b0nk Registered Member Join Date: Aug 2004 Location: Paris, France Posts: 8	DHCP requests are interesting to reinject .. They are 368 bytes long.