NetStumbler.org Forums

#1  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Problems with Void11 (From Auditor CD)

I'm using an Orinoco Gold Card and I'm testing out Auditor on a WEP encrypted network. Following this tutorial - http://www.tomsnetworking.com/Sectio...e120-page4.php I have been able to use airodump to capture packets and IVs, but the process is going very slowly (it would take a few days to complete), so I'm trying the deauthentication process to speed things up. The commands given in that tutorial are the following:

switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

Since I am using an Atheros card, I have had to replace all "wlan0"s with "ath0"s. Everything works until the 5th line:
"iwpriv wlan0 hostapd 1"
However, I get the error:
"Invalid command: hostpad"

When I do a "man iwpriv" or "iwpriv --help" there is nothing about hostapd being a command. Just wondering if this was a mistake in that tutorial or if I'm doing something wrong. Thanks
#2  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
First let's make sure you are authorized to access this network AND that you are authorized to crack the WEP, i.e., it's your network or you are the network admin and have such responsibility.

Second, you'll need to make sure your madwifi driver is patched. I have the same card you are referring to.

Third, instead of using void11, since you're already using airodump (and presumably aircrack), why not just use aireplay? You can deauth with attack 0 and fake auth with attack 1.

Finally, using attacks 2 or 3 (or both), you should be able to generate several hundred thousand IVs in 10-15 minutes.
__________________
:00475160 0E A6 AE A0 19 E3 A3 46 .......F
:00475168 0D 65 17 0C 53 70 6F 6F .e..Spoo
:00475170 6E 66 65 65 64 65 72 2E nfeeder.
:00475178 45 78 74 72 61 6F 72 64 Extraord
:00475180 69 6E 61 69 72 65 5D 3B inaire];
:00475188 8B 9E 92 5A FF 5D A6 F0 ...Z.]..

Last edited by theprez98 : 02-13-2006 at 10:54 AM.
#3  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Yes, it's my home network. I've been reading about WEP cracking, so I'm trying to test whether my network is really as vulnerable as all of these articles state. I have not patched any drivers, but as I said, the card is working and I can get packets. As for aireplay, doesn't it just look for ARP packets? I would first need to initiate a deauth so that an ARP packet will be generated. Isn't that what Void11 does? Also, will I be able to run this at the same time as running airodump? Will there be anything wrong with having 2 programs trying to access the wireless card? Again, this is my first time ever trying this and I have very limited knowledge in networking. I'm just trying to gain a basic understanding of how WEP cracking works and, later, how I can defend myself against intrusion. Thanks.

Edit: Also, I may have access to a second laptop, but I am trying to do this as much as I can on a single laptop if it is possible.

Last edited by Fr0zt : 02-13-2006 at 11:59 AM.
#4  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
Quote:
Originally Posted by Fr0zt
As for aireplay, doesn't it just look for ARP packets? I would first need to initiate a deauth so that an ARP packet will be generated. Isn't that what Void11 does?
Aireplay attack 0 is the deauth attack which also generates an ARP packet.

Quote:
Originally Posted by Fr0zt
Also, will I be able to run this at the same time as running airodump, will there be anything wrong with having 2 programs trying to access the wireless card?
No problems. You can run airodump to capture packets and aireplay attacks 2 or 3 at the same time.

Quote:
Originally Posted by Fr0zt
Edit: Also, I may have access to a second laptop, but I am trying to do this as much as I can on a single laptop if it is possible.
Assuming your madwifi driver is properly patched, you can do all of the above with one laptop. In fact, you can also inject packets in Managed Mode (see aircrack documentation) with this card.
__________________
:00475160 0E A6 AE A0 19 E3 A3 46 .......F
:00475168 0D 65 17 0C 53 70 6F 6F .e..Spoo
:00475170 6E 66 65 65 64 65 72 2E nfeeder.
:00475178 45 78 74 72 61 6F 72 64 Extraord
:00475180 69 6E 61 69 72 65 5D 3B inaire];
:00475188 8B 9E 92 5A FF 5D A6 F0 ...Z.]..
theprez98 is offline  
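The deauth attack theprez98 refers to (aireplay attack 0) works by forging deauthentication frames that claim to come from the access point, which is also what makes it easy to spot from the defender's side: a real AP almost never emits a burst of deauth or disassociation frames. The following is an added example, not code from this thread, from Auditor, or from the aircrack/void11 projects. It is a small sliding-window detector of the kind a wireless IDS runs over monitor-mode captures. The MgmtFrame record layout, the threshold and window values, and the sample frames are all assumptions constructed for the example; the two MAC addresses are the AP and client from the aircrack documentation excerpt quoted later in this thread.

```python
"""Sliding-window detector for 802.11 deauthentication / disassociation floods.

Added example (not code from the thread, Auditor, aircrack or void11). Input is a
list of constructed management-frame records; a real deployment would fill
MgmtFrame from a monitor-mode capture instead. Threshold and window are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management frame subtypes (frame type 0)
BEACON = 0x08
DISASSOC = 0x0A
DEAUTH = 0x0C

BCAST = "FF:FF:FF:FF:FF:FF"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float        # capture timestamp in seconds
    subtype: int     # management subtype
    src: str         # transmitter address (addr2); forgeable, so only a "claimed" source
    dst: str         # receiver address (addr1)
    bssid: str       # addr3 in management frames
    reason: int = 0  # reason code carried by deauth/disassoc frames


class DeauthFloodDetector:
    """Raise one alert per (claimed source, BSSID) pair that emits at least
    `threshold` deauth/disassoc frames within any `window` seconds."""

    def __init__(self, threshold: int = 5, window: float = 2.0):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)  # key -> deque of (ts, dst)
        self._alerted = set()

    def observe(self, frame: MgmtFrame):
        if frame.subtype not in (DEAUTH, DISASSOC):
            return None
        key = (frame.src, frame.bssid)
        q = self._recent[key]
        q.append((frame.ts, frame.dst))
        # drop entries that have fallen out of the window
        while q and frame.ts - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return {
                "src": frame.src,
                "bssid": frame.bssid,
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": frame.ts,
                # a broadcast deauth knocks every client off the AP at once
                "broadcast": any(dst == BCAST for _, dst in q),
            }
        return None


def scan(frames, threshold: int = 5, window: float = 2.0):
    """Run the detector over an iterable of frames and return the alerts raised."""
    det = DeauthFloodDetector(threshold, window)
    alerts = []
    for f in frames:
        alert = det.observe(f)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic. The two MAC addresses are the AP and client used
# in the aircrack documentation excerpt quoted in this thread.
AP = "00:13:10:30:24:9C"
CLIENT = "00:09:5B:EB:C5:2B"

SAMPLE_FRAMES = [
    MgmtFrame(0.00, BEACON, AP, BCAST, AP),
    MgmtFrame(0.10, BEACON, AP, BCAST, AP),
    # one legitimate deauth: the client announces it is leaving (reason 3)
    MgmtFrame(0.50, DEAUTH, CLIENT, AP, AP, reason=3),
    MgmtFrame(0.60, BEACON, AP, BCAST, AP),
] + [
    # a burst of forged deauths claiming to come from the AP, alternating between
    # the broadcast address and the client, 50 ms apart (reason 7 is typical)
    MgmtFrame(1.00 + 0.05 * i, DEAUTH, AP, BCAST if i % 2 == 0 else CLIENT, AP, reason=7)
    for i in range(8)
]

if __name__ == "__main__":
    for a in scan(SAMPLE_FRAMES):
        print(f"deauth flood: {a['count']} frames from {a['src']} "
              f"between t={a['first_seen']:.2f}s and t={a['last_seen']:.2f}s "
              f"(broadcast={a['broadcast']})")
```

The detector keys on the claimed source address only to group the burst, not to trust it: because deauth frames are unauthenticated in plain WEP/WPA networks, the address tells you which AP is being impersonated, not who sent the frames. The single legitimate deauth from the client never reaches the threshold, while the forged burst trips the alert on its fifth frame. Protected management frames (802.11w) are the mitigation that makes forged deauths fail rather than merely detectable.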
#5  02-13-2006
Chris
Bad as Can
 
Join Date: Jul 2002
Posts: 1,141
The first time that I used Auditor was when I was researching for the Pen Testers Open Source Toolkit book, and I have to be honest, I found ALL of the WLAN attack tools included on the CD to be VERY buggy. I had used most of them before on versions I had compiled myself and in every instance was able to figure out how to make them work, but in almost every case they did NOT work the way they were supposed to without tweaking.
__________________
perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
#6  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Alright, how can I tell if my madwifi driver has been patched? Also, does anyone know where I can find documentation on how to use the different aireplay attacks? Or is the syntax easy, and does someone just want to copy and paste it here? Also, for aircrack I have been using a pen drive to get the .cap files off the laptop and to my desktop (AMD Opteron dual core 2.75GHz) and have been trying to crack them from there. Does increasing the fudge factor in aircrack play a significant role in determining whether the key can be cracked? E.g., how much more likely is it to crack a key with 50,000 IVs with a fudge factor of 13 than with a fudge factor of 2? (13 takes just under 20 mins, 2 takes 2 seconds.) Thanks for all the input. Great having people around who know what they're talking about.
#7  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
Apparently, I'm in a spoonfeeding mood today.

1) If you didn't personally patch your madwifi driver, chances are it is NOT patched. I'm no expert on patching so I'll pass that one to someone else.

2) The aireplay attacks are spelled out in the aircrack documentation (see here). I'll say it nicely before someone else does, in this case, RTFM! The last section of the documentation talks about the 5 aireplay attacks.

3) In terms of cracking WEP, I generally ignore the fudge factor feature (and maybe that is to my detriment). It is generally thought that ~500,000 IVs is sufficient to crack. I've done it with ~200,000, but I have also had to go past 1,000,000 in some cases.
__________________
:00475160 0E A6 AE A0 19 E3 A3 46 .......F
:00475168 0D 65 17 0C 53 70 6F 6F .e..Spoo
:00475170 6E 66 65 65 64 65 72 2E nfeeder.
:00475178 45 78 74 72 61 6F 72 64 Extraord
:00475180 69 6E 61 69 72 65 5D 3B inaire];
:00475188 8B 9E 92 5A FF 5D A6 F0 ...Z.]..

Last edited by theprez98 : 02-13-2006 at 07:53 PM.
#8  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Alright, thank you. Also, do you have a link to the manual/documentation for patching the madwifi driver and explaining what it does? Thanks for the spoonfeeding

Edit: wait, same guide that you linked to for the madwifi drivers. Let me rephrase that question then... What is the purpose of patching the madwifi driver, what does it help with, and is it needed for just the aireplay attacks and airodump? Thanks again, you guys have been a great help

Last edited by Fr0zt : 02-13-2006 at 07:57 PM.
#9  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
Quote:
Originally Posted by Fr0zt
Alright, thank you, also do you have a link to the manual/documentation for patching the madwifi driver and explaining what it does? Thanks for the spoonfeeding
Don't get used to spoonfeeding. We generally don't do it here because we expect people to do the research on their own and come here only when their options are exhausted. Occasionally I find people such as myself who are genuinely interested in something and just need the nudge in the right direction, and that is why I'll step in.

As for patching the madwifi driver, I have the procedure somewhere, I just need to find it, and then figure it out.
#10  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Alright, guess I'll just have to exploit it when you guys are in the mood... slowly bringing my reputation down... lol. Ya, I'm just reading that guide you linked to, will try the deauthentication soon...

Edit: alright, found the following syntax:

airmon.sh start wlan0
airodump wlan0 out 6 (switch to another console)
aireplay -0 10 -a 00:13:10:30:24:9C wlan0
aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

I guess I'll have to change out the wlan0's for ath0's, but I'm confused about the different MAC addresses. I think I can assume that the WAP's address is 00:13:10:30:24:9C and the internal computer's address is 00:09:5B:EB:C5:2B, just basing this on the fact that the target computer's MAC address isn't usually unaccompanied by the WAP's MAC. Also, found a problem in the WEP Cracking Part 2 article. It says to use /dev/uba1 for mounting the USB stick, but it should be /dev/sda1... Thanks again

Edit: also, I think I remember this from the airodump syntax, the "6" means channel 6? So I should change that number to the channel that the target AP is on?

Last edited by Fr0zt : 02-13-2006 at 08:17 PM.
#11  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
If you type "aireplay" with nothing else, you'll get the short help screen, which will tell you what each option (a, b, h, etc.) means. From the aircrack docs:
Quote:
In the following examples, 00:13:10:30:24:9C is the MAC address of the access point (on channel 6), and 00:09:5B:EB:C5:2B is the MAC address of a wireless client.
Then you can make sense of the examples they use. And yes, the 6 in the example above is the channel number.

Quote:
airmon.sh start ath0
airodump ath0 yourcapturefilename channel#
etc...

Last edited by theprez98 : 02-13-2006 at 08:30 PM.
#12  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Another comment, I'm using Auditor, this doesn't come with pre-patched madwifi drivers does it?
#13  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
I don't believe so. I have Auditor installed to my HD so I use it all the time. With the standard madwifi driver in Auditor, aireplay locks up my card and laptop. With the patched driver, it works fine. If I could only remember which kernel to boot from (thanks, Dutch!).
#14  02-13-2006
Fr0zt
Registered Member
 
Join Date: Nov 2004
Posts: 9
Alright... and can I test right now whether my driver works right now? What are the symptoms if the driver isn't working correctly?
#15  02-13-2006
theprez98
SpoonfeederExtraordinaire
 
Join Date: Jan 2005
Location: Maryland
Posts: 3,618
Well, you could try running aireplay attacks 0 or 1. Without the patched driver, they lock up my laptop (Dell Inspiron 4100). However, assuming you have different hardware, it may or may not do the same thing. I guess it's even possible they may work; that is a little bit beyond my expertise. Also, there is nothing "wrong" with the madwifi driver that would make it work or not work. It's just a matter of capability, and what one driver can or cannot do vs. another.