Bugreports for the Aircrack suite, version 2.2betaX - Page 4

devine · 07-16-2005

Quote:

Originally Posted by grcore

beta7, prism2.5 card, 1.7.4 firmware

somethng is wrong with airodump in beta7, it does not see very many APs, and only captures a packet here and there. something is wrong. beta6 works great.

Ok. Were you using hostap or wlan-ng with beta6 ? When testing beta7, which driver were you using ?

grcore · 07-16-2005

Quote:

Originally Posted by devine

Ok. Were you using hostap or wlan-ng with beta6 ? When testing beta7, which driver were you using ?

hostap

devine · 07-17-2005

Quote:

Originally Posted by grcore

hostap

Ok. In fact this issue is irrelevant to the driver itself. I forgot to remove a piece of code I added when debugging some stuff:

Code:

<     ap_cur->nb_pkt++;
---
>     if( h80211[0] != 0x80 )
>         ap_cur->nb_pkt++;

(0x80 is the frame type of beacons)

This will be fixed in beta8, along with a new algorithm which should make WEP cracking more reliable when you got more than 1M IVs. The basic idea is that, sometimes the key isn't found even with lots and lots of IVs, because all keybytes but one have been found. So this algorithm assumes all votes are correct except for one keybyte, and then tries the 256 possibilities for each keybyte, starting from KB 12 to KB 0.

grcore · 07-19-2005

Not a bug per-se, but for the life of me I cannot get the hostap drivers to work with the 1.7.4 firmware. I am using 1.5.6, and it seems to work fine.

I had some problems getting hostap to work at all after reloading linux on my laptop, and for some reason now I have to issue 'iwpriv wlan0 reset 1' prior to running airodump, or i get no networks, patckets, zero, nada, nil.

I don't know if anyone else had this problem with hostap, but i thought I would mention it....

thanks cd

g

devine · 07-21-2005

Quote:

Originally Posted by grcore

Not a bug per-se, but for the life of me I cannot get the hostap drivers to work with the 1.7.4 firmware. I am using 1.5.6, and it seems to work fine.

I had some problems getting hostap to work at all after reloading linux on my laptop, and for some reason now I have to issue 'iwpriv wlan0 reset 1' prior to running airodump, or i get no networks, patckets, zero, nada, nil.

Thanks, I've added the iwpriv wlan0 reset command in airodump, and released beta8. Also mentioned firmware 1.5.6 in the README.

grcore · 07-21-2005

I noticed beta9 is out....

Using the HostAP drivers, the power level listed in airodump as -1 for all APs. If I run an earlier version (ie beta7) first, then the power level is reported fine in with beta9.

Other than that, no problems....(so far)

g

Dutch · 07-23-2005

Madwifi patch for reinjection can't be applied to the current cvs revision of the Madwifi driver, most probably due to the latter's changes to accomodate radiotap headers at a future date.

Hunks 1, 2, 6, 7, 9 & 10 fails.
Reject file follows :

Code:

***************
*** 1113,1119 ****
  	/*
  	 * Encapsulate the packet for transmission.
  	 */
- 	skb = ieee80211_encap(ic, skb, &ni);
  	if (skb == NULL) {
  		DPRINTF(sc, ATH_DEBUG_XMIT,
  			"%s: discard, encapsulation failure\n", __func__);
--- 1113,1120 ----
  	/*
  	 * Encapsulate the packet for transmission.
  	 */
+ 	if (ic->ic_opmode != IEEE80211_M_MONITOR)
+ 		skb = ieee80211_encap(ic, skb, &ni);
  	if (skb == NULL) {
  		DPRINTF(sc, ATH_DEBUG_XMIT,
  			"%s: discard, encapsulation failure\n", __func__);
***************
*** 2843,2849 ****
  	hdrlen = ieee80211_anyhdrsize(wh);
  	pktlen = skb->len;
  
- 	if (iswep) {
  		const struct ieee80211_cipher *cip;
  		struct ieee80211_key *k;
  
--- 2844,2850 ----
  	hdrlen = ieee80211_anyhdrsize(wh);
  	pktlen = skb->len;
  
+ 	if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) {
  		const struct ieee80211_cipher *cip;
  		struct ieee80211_key *k;
  
***************
*** 4309,4319 ****
  		break;
  	case IEEE80211_FC0_TYPE_DATA:
  		atype = HAL_PKT_TYPE_NORMAL;		/* default */
  		/*
  		 * Data frames; consult the rate control module.
  		 */
- 		ath_rate_findrate(sc, an, shortPreamble, skb->len,
- 			&rix, &try0, &txrate);
  		/*
  		 * Default all non-QoS traffic to the background queue.
  		 */
--- 4320,4333 ----
  		break;
  	case IEEE80211_FC0_TYPE_DATA:
  		atype = HAL_PKT_TYPE_NORMAL;		/* default */
+ 		rix = 0;			/* XXX lowest rate */
+ 		try0 = ATH_TXMAXTRY;
  		/*
  		 * Data frames; consult the rate control module.
  		 */
+ 		if (ic->ic_opmode != IEEE80211_M_MONITOR)
+ 			ath_rate_findrate(sc, an, shortPreamble, skb->len,
+ 				&rix, &try0, &txrate);
  		/*
  		 * Default all non-QoS traffic to the background queue.
  		 */
***************
*** 4324,4329 ****
  			txq = sc->sc_ac2q[WME_AC_BK];
  		break;
  	default:
  		printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
  			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
  		/* XXX statistic */
--- 4338,4348 ----
  			txq = sc->sc_ac2q[WME_AC_BK];
  		break;
  	default:
+         if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+ 		    atype = HAL_PKT_TYPE_NORMAL;		/* default */
+ 			txq = sc->sc_ac2q[skb->priority];
+             break;
+         }
  		printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
  			wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
  		/* XXX statistic */
***************
*** 4508,4514 ****
  		, pktlen		/* packet length */
  		, hdrlen		/* header length */
  		, atype			/* Atheros packet type */
- 		, MIN(ni->ni_txpower,60)/* txpower */
  		, txrate, try0		/* series 0 rate/tries */
  		, keyix			/* key cache index */
  		, sc->sc_txantenna	/* antenna mode */
--- 4533,4539 ----
  		, pktlen		/* packet length */
  		, hdrlen		/* header length */
  		, atype			/* Atheros packet type */
+ 		, 60                    /* txpower */
  		, txrate, try0		/* series 0 rate/tries */
  		, keyix			/* key cache index */
  		, sc->sc_txantenna	/* antenna mode */
***************
*** 4516,4521 ****
  		, ctsrate		/* rts/cts rate */
  		, ctsduration		/* rts/cts duration */
  	);
  	/*
  	 * Setup the multi-rate retry state only when we're
  	 * going to use it.  This assumes ath_hal_setuptxdesc
--- 4541,4547 ----
  		, ctsrate		/* rts/cts rate */
  		, ctsduration		/* rts/cts duration */
  	);
+ 
  	/*
  	 * Setup the multi-rate retry state only when we're
  	 * going to use it.  This assumes ath_hal_setuptxdesc

Dutch

devine · 07-23-2005

Quote:

Originally Posted by Dutch

Madwifi patch for reinjection can't be applied to the current cvs revision of the Madwifi driver, most probably due to the latter's changes to accomodate radiotap headers at a future date.

Thanks, I added a patch for the current CVS in beta10. However, the latest CVS is a bit unstable and sometimes crashes the kernel, so I recommend using 2005-05-25 instead. Also rewrote the whole documentation in HTML format.

grcore · 07-25-2005

using beta10, hostap 0.3.9, smc2532w-b card

I tried the -3 and -4 attacks on a belkin ap, and found that the -3 attack never see's any ARPs, and the -4 attack does not generate any IVs (after forging). Strangely enough the -2 attack works fine when you select a size 68 arp packet and replay it to death...

maybe I am doing something wrong, but even with the -2 attack running and collecting ivs, the -3 attack never see's any arps....

most of my tests previously just used the -1 alongside the -3 attack, and that seems to work fine on my linksys, but not my belkin....

I noticed also that when saving dumps with the .ivs (1) format, specifying the essid in arircrack does not work, only the bssid

g

devine · 07-25-2005

Quote:

Originally Posted by grcore

maybe I am doing something wrong, but even with the -2 attack running and collecting ivs, the -3 attack never see's any arps....

That's quite wierd. Could you connect a client to your belkin, generate an ARP request (for example by pinging an non-existent IP) and send me the resulting airodump capture with your smc ? And repeat the process with the linksys.

Thanks.

Quote:

Originally Posted by grcore

I noticed also that when saving dumps with the .ivs (1) format, specifying the essid in arircrack does not work, only the bssid

Yep, it was a bit cumbersome to implement. So I didn't implement it.

grcore · 07-25-2005

I went to do it all over again and it works fine. I took a look back at the command history, and found out why one pc was not picking it up. Wrong channel...now I have egg on my face...haha (thats what I get for using numbers as filenames).

Anyway, just a note on the documentation. For the Prism54 drivers you need to add "depmod -a" at the end of the instructions.

And in the instructions for the HostAP driver patching, -beta10/ is missing (but I suppose that will sort itself out when the final2.2 is released)

G

BTW: For those of you looking for compatible cards, justdeals.com has 2 of them on the cheap. An a/b/g Atheros card (NEC WarpStar) and a Prism54 (Netgear WG511) card, both for 19.95 ea shipped price (not sure about international shipping). The NEC card has an external antenna connector, but its a real oddball and I doubt you would find a plug anywhere.

grcore · 07-26-2005

this one is sortofa bug:

when using aireplay with the -2 option and specifying -f 1, it will wait until a ToDS=1 packet arrives, then if you choose to replay this packet and then stop the replay via ctrl-c, it will then continue snifffing but it looses the -f 1 option and will respond to any packet...

I know the -2 option is considered useless for capture/replay, but I have found instances where it is usefull.

g

devine · 07-26-2005

Quote:

Originally Posted by grcore

when using aireplay with the -2 option and specifying -f 1, it will wait until a ToDS=1 packet arrives, then if you choose to replay this packet and then stop the replay via ctrl-c, it will then continue snifffing but it looses the -f 1 option and will respond to any packet...

Thanks, I'll try to reproduce your bug. In other news, I released beta11 with the new madwifi patch for injection in mixed b/g mode. The current madwifi CVS crashes, so I recommend using 20050525 instead.

zerlan · 07-27-2005

This means you don't need to use :
#iwpriv ath0 mode 2 anymore?
To set the atheros card in b mode...

zer

devine · 07-27-2005

Quote:

Originally Posted by zerlan

This means you don't need to use :
#iwpriv ath0 mode 2 anymore? To set the atheros card in b mode...

Indeed, young zerlan.

07-25-2005	#54 (permalink)
grcore Member at large Join Date: Aug 2004 Posts: 121	using beta10, hostap 0.3.9, smc2532w-b card I tried the -3 and -4 attacks on a belkin ap, and found that the -3 attack never see's any ARPs, and the -4 attack does not generate any IVs (after forging). Strangely enough the -2 attack works fine when you select a size 68 arp packet and replay it to death... maybe I am doing something wrong, but even with the -2 attack running and collecting ivs, the -3 attack never see's any arps.... most of my tests previously just used the -1 alongside the -3 attack, and that seems to work fine on my linksys, but not my belkin.... I noticed also that when saving dumps with the .ivs (1) format, specifying the essid in arircrack does not work, only the bssid g Last edited by grcore : 07-25-2005 at 11:26 AM.

07-25-2005	#56 (permalink)
grcore Member at large Join Date: Aug 2004 Posts: 121	I went to do it all over again and it works fine. I took a look back at the command history, and found out why one pc was not picking it up. Wrong channel...now I have egg on my face...haha (thats what I get for using numbers as filenames). Anyway, just a note on the documentation. For the Prism54 drivers you need to add "depmod -a" at the end of the instructions. And in the instructions for the HostAP driver patching, -beta10/ is missing (but I suppose that will sort itself out when the final2.2 is released) G BTW: For those of you looking for compatible cards, justdeals.com has 2 of them on the cheap. An a/b/g Atheros card (NEC WarpStar) and a Prism54 (Netgear WG511) card, both for 19.95 ea shipped price (not sure about international shipping). The NEC card has an external antenna connector, but its a real oddball and I doubt you would find a plug anywhere. Last edited by grcore : 07-25-2005 at 05:51 PM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

07-19-2005	#49 (permalink)
grcore Member at large Join Date: Aug 2004 Posts: 121	Not a bug per-se, but for the life of me I cannot get the hostap drivers to work with the 1.7.4 firmware. I am using 1.5.6, and it seems to work fine. I had some problems getting hostap to work at all after reloading linux on my laptop, and for some reason now I have to issue 'iwpriv wlan0 reset 1' prior to running airodump, or i get no networks, patckets, zero, nada, nil. I don't know if anyone else had this problem with hostap, but i thought I would mention it.... thanks cd g

07-21-2005	#51 (permalink)
grcore Member at large Join Date: Aug 2004 Posts: 121	I noticed beta9 is out.... Using the HostAP drivers, the power level listed in airodump as -1 for all APs. If I run an earlier version (ie beta7) first, then the power level is reported fine in with beta9. Other than that, no problems....(so far) g

07-26-2005	#57 (permalink)
grcore Member at large Join Date: Aug 2004 Posts: 121	this one is sortofa bug: when using aireplay with the -2 option and specifying -f 1, it will wait until a ToDS=1 packet arrives, then if you choose to replay this packet and then stop the replay via ctrl-c, it will then continue snifffing but it looses the -f 1 option and will respond to any packet... I know the -2 option is considered useless for capture/replay, but I have found instances where it is usefull. g

07-27-2005	#59 (permalink)
zerlan Registered Member Join Date: Jan 2005 Posts: 4	This means you don't need to use : #iwpriv ath0 mode 2 anymore? To set the atheros card in b mode... zer