#78 (permalink)
Alien Paranoid Stumbler
Join Date: May 2003
Location: WI
Posts: 2,624
When installing the MADWIFI drivers and patch, I got this:

    make[1]: uudecode: Command not found

Fixed with:

    # yum install sharutils

__________________
"Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."

#79 (permalink)
dudecrush
Join Date: Jul 2005
Posts: 2
Attack 2
Sorry for being so ignorant, but I was wondering if it was possible that the README of the beta12 release was incorrect when referring to Attack 2: interactive packet replay. The line of code reads:

    aireplay -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0

but when I run it in the console, it comes back with:

    Please specify an attack mode.

Is correcting it to

    aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0

the correct fix?
__________________
There are only 10 types of people in the world: those who understand binary and those who don't.
Last edited by dudecrush : 07-30-2005 at 08:04 PM.

#80 (permalink)
dudecrush
Join Date: Jul 2005
Posts: 2
I just want to confirm what grcore said about running the -1 "fake authentication" attack on an AP running in G-only mode.
I get this message:

    Association denied (code 18)

When the AP is in B-only or mixed mode, the attack works fine.
__________________
There are only 10 types of people in the world: those who understand binary and those who don't.

#82 (permalink)
Registered Member
Join Date: Aug 2005
Posts: 3
When I launch aireplay with attack 3 I receive the following error.

    Make sure enhanced rtc device support is enabled in the kernel (module rtc, not genrtc) - also try 'echo 1024 >/proc/sys/dev/rtc/max-user-freq'.

(Obviously I tried 'echo 1024 >/proc/sys/dev/rtc/max-user-freq' but it makes no difference.)

It goes on to start capturing and then sending packets, but I am not seeing any increase in traffic being dumped from airodump (seems that packet injection is not working).

Here is some background info:

    linux:~ # uname -a
    Linux linux 2.6.8-24.16-default #2 Tue Aug 2 11:47:38 PDT 2005 i686 i686 i386 GNU/Linux

    linux:~ # lsmod |grep rtc
    rtc 8212 0

    linux:~ # modinfo ath_pci
    filename: /lib/modules/2.6.8-24.16-default/extra/ath_pci.ko
    parm: countrycode:Override default country code
    parm: outdoor:Enable/disable outdoor use
    parm: xchanmode:Enable/disable extended channel mode
    parm: ifname:Interface name prefix (default: ath)
    author: Errno Consulting, Sam Leffler
    description: Support for Atheros 802.11 wireless LAN cards.
    license: Dual BSD/GPL
    vermagic: 2.6.8-24.16-default 586 REGPARM gcc-3.3
    depends: ath_hal,wlan,ath_rate_onoe,wlan,ath_rate_sample
    alias: pci:v0000168Cd00000007sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000012sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000013sv*sd*bc*sc*i*
    alias: pci:v0000A727d00000013sv*sd*bc*sc*i*
    alias: pci:v000010B7d00000013sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00001014sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000015sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000016sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000017sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000018sv*sd*bc*sc*i*
    alias: pci:v0000168Cd00000019sv*sd*bc*sc*i*
    alias: pci:v0000168Cd0000001Asv*sd*bc*sc*i*

!!Below is a complete lsmod::

    linux:~ # lsmod
    Module Size Used by
    ath_pci 75548 0
    ath_rate_sample 15752 1 ath_pci
    wlan 133532 3 ath_pci,ath_rate_sample
    ath_hal 148432 3 ath_pci,ath_rate_sample
    rtc 8212 0
    rfcomm 35356 0
    l2cap 22916 3 rfcomm
    bluetooth 44932 2 rfcomm,l2cap
    af_packet 20872 2
    nvram 8328 0
    usbserial 26856 0
    parport_pc 37824 1
    lp 10536 0
    parport 37960 2 parport_pc,lp
    edd 10012 0
    cpufreq_userspace 5208 2
    speedstep_ich 5004 0
    speedstep_lib 4228 1 speedstep_ich
    freq_table 4228 1 speedstep_ich
    thermal 17800 0
    processor 25640 1 thermal
    fan 5380 0
    button 8464 0
    battery 11396 0
    ac 6276 0
    snd_pcm_oss 57896 0
    snd_mixer_oss 19200 1 snd_pcm_oss
    snd_intel8x0 31268 1
    snd_ac97_codec 69728 1 snd_intel8x0
    ipv6 237312 15
    snd_pcm 96776 3 snd_pcm_oss,snd_intel8x0,snd_ac97_codec
    snd_timer 24580 1 snd_pcm
    snd 60164 8 snd_pcm_oss,snd_mixer_oss,snd_intel8x0,snd_ac97_codec,snd_pcm,snd_timer
    soundcore 9056 1 snd
    snd_page_alloc 10120 2 snd_intel8x0,snd_pcm
    usbhid 40132 0
    joydev 9536 0
    sg 35744 0
    st 37404 0
    sd_mod 16912 0
    sr_mod 16292 0
    scsi_mod 111052 4 sg,st,sd_mod,sr_mod
    ide_cd 38048 0
    cdrom 36380 2 sr_mod,ide_cd
    ds 17796 2
    uhci_hcd 29584 0
    yenta_socket 19840 1
    pcmcia_core 66100 2 ds,yenta_socket
    intel_agp 21024 1
    agpgart 32168 2 intel_agp
    evdev 8960 0
    subfs 7552 1
    3c59x 37416 0
    dm_mod 54524 0
    usbcore 106724 5 usbserial,usbhid,uhci_hcd
    reiserfs 242000 1

    linux:~ # iwpriv ath0
    ath0 Available private ioctl :
    setoptie (8BE8) : set 256 byte & get 0
    getoptie (8BE9) : set 0 & get 256 byte
    setkey (8BE2) : set 60 byte & get 0
    delkey (8BE4) : set 7 byte & get 0
    setmlme (8BE6) : set 42 byte & get 0
    addmac (8BEA) : set 1 addr & get 0
    delmac (8BEC) : set 1 addr & get 0
    chanlist (8BEE) : set 32 byte & get 0
    setparam (8BE0) : set 2 int & get 0
    getparam (8BE1) : set 1 int & get 1 int
    turbo (0001) : set 1 int & get 0
    get_turbo (0001) : set 0 & get 1 int
    mode (0002) : set 1 int & get 0
    get_mode (0002) : set 0 & get 1 int
    authmode (0003) : set 1 int & get 0
    get_authmode (0003) : set 0 & get 1 int
    protmode (0004) : set 1 int & get 0
    get_protmode (0004) : set 0 & get 1 int
    mcastcipher (0005) : set 1 int & get 0
    get_mcastcipher (0005) : set 0 & get 1 int
    mcastkeylen (0006) : set 1 int & get 0
    get_mcastkeylen (0006) : set 0 & get 1 int
    ucastciphers (0007) : set 1 int & get 0
    get_uciphers (0007) : set 0 & get 1 int
    ucastcipher (0008) : set 1 int & get 0
    get_ucastcipher (0008) : set 0 & get 1 int
    ucastkeylen (0009) : set 1 int & get 0
    get_ucastkeylen (0009) : set 0 & get 1 int
    keymgtalgs (0015) : set 1 int & get 0
    get_keymgtalgs (0015) : set 0 & get 1 int
    rsncaps (0016) : set 1 int & get 0
    get_rsncaps (0016) : set 0 & get 1 int
    roaming (000C) : set 1 int & get 0
    get_roaming (000C) : set 0 & get 1 int
    privacy (000D) : set 1 int & get 0
    get_privacy (000D) : set 0 & get 1 int
    countermeasures (000E) : set 1 int & get 0
    get_countermeas (000E) : set 0 & get 1 int
    dropunencrypted (000F) : set 1 int & get 0
    get_dropunencry (000F) : set 0 & get 1 int
    wpa (000A) : set 1 int & get 0
    get_wpa (000A) : set 0 & get 1 int
    driver_caps (0010) : set 1 int & get 0
    get_driver_caps (0010) : set 0 & get 1 int
    maccmd (0011) : set 1 int & get 0
    wme (0012) : set 1 int & get 0
    get_wme (0012) : set 0 & get 1 int
    hide_ssid (0013) : set 1 int & get 0
    get_hide_ssid (0013) : set 0 & get 1 int
    ap_bridge (0014) : set 1 int & get 0
    get_ap_bridge (0014) : set 0 & get 1 int
    inact (0017) : set 1 int & get 0
    get_inact (0017) : set 0 & get 1 int
    inact_auth (0018) : set 1 int & get 0
    get_inact_auth (0018) : set 0 & get 1 int
    inact_init (0019) : set 1 int & get 0
    get_inact_init (0019) : set 0 & get 1 int
    ibss (001A) : set 1 int & get 0
    get_ibss (001A) : set 0 & get 1 int
    pureg (001B) : set 1 int & get 0
    get_pureg (001B) : set 0 & get 1 int
    reset (0063) : set 1 int & get 0

    linux:~ # dmesg
    PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
    ACPI: PCI interrupt 0000:03:00.0[A] -> GSI 11 (level, low) -> IRQ 11
    Build date: Jul 28 2005
    Debugging version (IEEE80211)
    ath0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
    ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
    ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
    ath0: turboA rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
    ath0: H/W encryption support: WEP AES AES_CCM TKIP
    ath0: mac 5.6 phy 4.1 5ghz radio 1.7 2ghz radio 2.3
    ath0: Use hw queue 1 for WME_AC_BE traffic
    ath0: Use hw queue 0 for WME_AC_BK traffic
    ath0: Use hw queue 2 for WME_AC_VI traffic
    ath0: Use hw queue 3 for WME_AC_VO traffic
    ath0: Use hw queue 8 for CAB traffic
    ath0: Use hw queue 9 for beacons
    Debugging version (ATH)
    ath0: Atheros 5212: mem=0x30800000, irq=11

From here I am stumped. I made sure genrtc was not loaded (modprobe -r genrtc) and reloaded rtc. I am also using patched madwifi drivers (confirmed above in modinfo). Now everything appears to be working except that I get an error message and don't see a significant increase in packet rate when using aireplay (arp attack). I can't find any references to anyone else having these problems. If anyone could help I would greatly appreciate it.
Thanks.
Shin

#83 (permalink)
Humourless EuroMod.
Join Date: Mar 2004
Location: City of Mermaids, Denmark
Posts: 6,813
Any particular reason you had to start a new thread, instead of posting in the EXISTING, Stickyfied for easy access, Aircrack suite Bugreporting thread ?
Merged.
Dutch
__________________
All your answers are belong to Google. SEARCH DAMMIT! Warning. Warning. Low C8H10N4O2 level detected. Operator halted....

#85 (permalink)
Humourless EuroMod.
Join Date: Mar 2004
Location: City of Mermaids, Denmark
Posts: 6,813
Quote:
Dutch
__________________
All your answers are belong to Google. SEARCH DAMMIT! Warning. Warning. Low C8H10N4O2 level detected. Operator halted....

#86 (permalink)
Registered Member
Join Date: Aug 2005
Posts: 3
I also noticed this in /var/log/messages

    Aug 2 14:20:47 linux kernel: ath0 (WE) : Buffer for request SIOCGIWPRIV too small (16<64)
    Aug 2 14:20:47 linux kernel: ath0 (WE) : Buffer for request SIOCGIWPRIV too small (32<64)
    Aug 2 14:20:48 linux kernel: device ath0 entered promiscuous mode
    Aug 2 14:20:48 linux kernel: ath0 (WE) : Buffer for request SIOCGIWPRIV too small (16<64)
    Aug 2 14:20:48 linux kernel: ath0 (WE) : Buffer for request SIOCGIWPRIV too small (32<64)
    Aug 2 14:20:50 linux kernel: device ath0 left promiscuous mode

Not sure if it is relevant or not.
Last edited by shinryux : 08-02-2005 at 02:32 PM.

#87 (permalink)
Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
As for attack -1 with G only access points: the current aireplay only sends B rates in the association request, so I'll add extended G rates in the next beta.
BTW, if anyone is experiencing kernel crashes with the current (beta12) 20050707 madwifi patch, please let me know! Thanks
Last edited by devine : 08-03-2005 at 01:22 AM.
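
The "Association denied (code 18)" result reported above is 802.11 status code 18, which an access point returns when the association request does not list every rate in its basic rate set. The C code below is an added example, not code from aireplay or from any poster in this thread; it models the AP-side check over the Supported Rates and Extended Supported Rates elements. The rate elements are constructed samples, and which rates a G-only AP flags as basic is an assumption (it varies by vendor).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IE_SUPP_RATES      1   /* Supported Rates element ID */
#define IE_EXT_SUPP_RATES  50  /* Extended Supported Rates element ID */
#define STATUS_BASIC_RATES 18  /* station lacks a rate in the BSSBasicRateSet */

/* Constructed samples (id, length, rates in 500 kbit/s units); 0x80 flags a basic rate. */
const uint8_t AP_G_ONLY[] = {1, 8, 0x8c, 0x12, 0x98, 0x24, 0xb0, 0x48, 0x60, 0x6c};
const uint8_t AP_MIXED[]  = {1, 8, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24};
const uint8_t STA_B[]     = {1, 4, 0x02, 0x04, 0x0b, 0x16};
const uint8_t STA_BG[]    = {1, 8, 0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24,
                             50, 4, 0x30, 0x48, 0x60, 0x6c};

/* Mark rates from both rate elements (only 0x80-flagged ones if basic_only); -1 if truncated. */
static int collect_rates(const uint8_t *ies, size_t len, int basic_only, uint8_t seen[128])
{
    for (size_t off = 0; off < len; off += 2 + (size_t)ies[off + 1]) {
        if (len - off < 2 || (size_t)ies[off + 1] > len - off - 2)
            return -1;
        if (ies[off] != IE_SUPP_RATES && ies[off] != IE_EXT_SUPP_RATES)
            continue;
        for (size_t i = 0; i < ies[off + 1]; i++) {
            uint8_t r = ies[off + 2 + i];
            if (!basic_only || (r & 0x80))
                seen[r & 0x7f] = 1;
        }
    }
    return 0;
}

/* AP-side decision: 0 = accepted, 18 = a basic rate is missing, -1 = malformed. */
int assoc_status(const uint8_t *ap, size_t ap_len, const uint8_t *sta, size_t sta_len)
{
    uint8_t basic[128] = {0}, have[128] = {0};
    if (collect_rates(ap, ap_len, 1, basic) || collect_rates(sta, sta_len, 0, have))
        return -1;
    for (int r = 0; r < 128; r++)
        if (basic[r] && !have[r])
            return STATUS_BASIC_RATES;
    return 0;
}

int main(void)
{
    printf("G-only AP, B-only request: status %d\n",
           assoc_status(AP_G_ONLY, sizeof AP_G_ONLY, STA_B, sizeof STA_B));
    return 0;
}
```

With these samples the B-only request is refused by the G-only AP and accepted by the mixed-mode one, which matches the behaviour reported in post #80.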

#88 (permalink)
Registered Member
Join Date: Apr 2003
Posts: 6
Quote:

#89 (permalink)
Registered Member
Join Date: Jul 2005
Posts: 15
I would like to ask about the Aircrack 2.2 Beta 12 and the final one. It's about cracking WEP: I found that you increased the fudge factor from 2 to 3 for 128-bit and from 2 to 6 for 64-bit, aimed at the success rate of the crack process. The default fudge factor shown in Aircrack 2.2 Final is 2. (When typing aircrack with no options.) That should be changed.
This fudge factor change seems to really slow down the whole cracking process. From my test, with the same packet I got the following result (using the default settings with the -n 128 option):

128-bit, 400,130 Unique Packets
- Aircrack 2.1 took more than 10 mins. So, I stopped.
- Aircrack 2.2 Beta 7 took only 7 seconds and succeeded
- Aircrack 2.2 Beta 12 and Final took 21.43 mins

I also tested it with 500k - 800k Unique packets. One of them already took 7 hours and I'm waiting for the result. The same packets with Aircrack 2.2 Beta 7 took only 18 seconds. I remember that I also tried to reduce the fudge factor once but the result seems to be slow anyway. I will test it again once I'm done with the above 7-hour process I'm waiting on right now. (Tested with fudge factor set to 2 but it took more than an hour anyway.)
Last edited by abx5 : 08-06-2005 at 02:53 AM.

#90 (permalink)
Registered Member
Join Date: Jul 2005
Posts: 15
I also just tested Aircrack 2.2 under Windows with the same packet I've been waiting 7 hours on. It took only 17 seconds to get the key under Windows. I'm wondering if there is any difference between the Linux and Windows versions. (I use Auditor installed on HDD.)
Thank you,