Topic: IPW2200 injection (Read 34949 times)
LatinSuD
Full Member
Posts: 149
You are free to become a slave
At the moment data packet injection is possible (the card must be associated to any AP when injecting). Both driver and aireplay need to be modified. I'm a little lost in kernel and driver internal bureaucracy, so I did it the dirty way:

* Linktype is kept ARPHDR_ETHER. Userspace apps inject 802.11 over 802.3.
* Then the driver removes the 802.3 header and leaves exactly the original 802.11 packet.
* We also must inject/remove 6 extra bytes because they are clobbered somewhere.
* Frame type must be 0x08 (data) or you'll get a firmware error.
* Some fields seem to be set by firmware and not modifiable (fragment count, etc). Or perhaps it's done by code I have not fully read.

I guess with a little more knowledge this could be done more cleanly, and with the proper firmware (perhaps ipw2200-ap?) we could work packet types.

UPDATE: PLEASE TRY NEWEST VERSION OF PATCH http://tinyshell.be/aircrackng/forum/index.php?topic=400.0
« Last Edit: August 09, 2006, 10:42:53 pm by LatinSuD »
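As an added illustration (not LatinSuD's patch and not aircrack-ng or ipw2200 code), a Python model of the framing the post describes: userspace prepends an Ethernet header plus 6 padding bytes to a raw 802.11 frame, and the driver side strips them and enforces the limits the post reports (only data frames, fragment fields owned by the firmware). The 14+6 byte layout, the zero ethertype and the sample frames are assumptions constructed for this example.

```python
import struct

ETH_HDR_LEN = 14   # dst(6) + src(6) + ethertype(2) of the 802.3 header
PAD_LEN = 6        # the "6 extra bytes" the post says get clobbered (assumed to be prepended)
FC_TYPE_DATA = 2   # frame-control type value for data frames (first byte 0x08 -> type 2)

# Constructed sample: a WEP-protected data frame, to-DS, three zeroed/placeholder addresses.
CONSTRUCTED_DATA_FRAME = (
    bytes([0x08, 0x41]) + b"\x00\x00"            # frame control (data, to-DS, protected), duration
    + b"\x00\x11\x22\x33\x44\x55"                # addr1 (BSSID placeholder)
    + b"\x66\x77\x88\x99\xaa\xbb"                # addr2 (source placeholder)
    + b"\x00\x11\x22\x33\x44\x55"                # addr3 (destination placeholder)
    + b"\x00\x00"                                # sequence control (set by firmware per the post)
    + b"\x01\x02\x03\x00" + b"payload"           # WEP IV + key id, then constructed body
)

def parse_frame_control(fc0, fc1):
    """Split the two 802.11 frame-control bytes into their fields."""
    return {
        "version": fc0 & 0x03,
        "type": (fc0 >> 2) & 0x03,
        "subtype": (fc0 >> 4) & 0x0F,
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "more_frag": bool(fc1 & 0x04),
        "retry": bool(fc1 & 0x08),
        "protected": bool(fc1 & 0x40),
    }

def wrap_for_ether_link(frame80211, dst=b"\x00" * 6, src=b"\x00" * 6):
    """Userspace side: carry an 802.11 frame inside an 802.3 frame plus padding."""
    eth = dst + src + struct.pack("!H", 0x0000)  # ethertype value is a placeholder assumption
    return eth + b"\x00" * PAD_LEN + frame80211

def unwrap_and_check(buf):
    """Driver side: strip the 802.3 header and padding, then apply the firmware limits."""
    if len(buf) < ETH_HDR_LEN + PAD_LEN + 24:
        raise ValueError("too short to hold an 802.11 data header")
    frame = buf[ETH_HDR_LEN + PAD_LEN:]
    fc = parse_frame_control(frame[0], frame[1])
    if fc["type"] != FC_TYPE_DATA:
        raise ValueError("firmware only accepts data frames (first byte 0x08)")
    if fc["more_frag"]:
        raise ValueError("fragment fields are set by the firmware, not by the caller")
    return frame, fc
```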
meeas
Newbie
Posts: 2
Great work. Happen to have the patches for the driver and aireplay, or possibly a quick howto? I'm doing two wireless pentests next week and would love to try it on my 2915 card.
« Last Edit: April 01, 2006, 11:48:09 pm by meeas »
LatinSuD
Full Member
Posts: 149
You are free to become a slave
I'm not having much spare time so I'll put here some dirty notes if you want to try: I use ipw2200-1.1.1 with the rtap interface patch as a base, and aircrack-ng-0.2.1.

rmmod ipw2200 ; insmod ./ipw2200.ko rtap_iface=1 ; sleep 1; ifconfig eth1 192.168.0.33 ; iwconfig eth1 essid somewepnetwork; iwconfig eth1 key 0001020304 ; ifconfig rtap0 up; sleep 1; iwconfig eth1 key off

I set a WEP key, associate to an AP, and then remove the WEP key. I also used to do this (in order to sniff with my 11b card):

iwconfig eth1 rate 11M

Only tested with attack 2.

http://latinsud.com/aircrack-ipw2200-inject.patch
http://latinsud.com/ipw2200-inject.patch

Disclaimer: patched versions of ipw2200 and aircrack-ng won't operate normally apart from this test. I don't recommend installing them.
meeas
Newbie
Posts: 2
That should be enough. Thanks. I'll let you know how it went by the end of the week.
LatinSuD
Full Member
Posts: 149
You are free to become a slave
The very clean way of making this would be using interface rtap0 for writing, but at the moment I don't know how to do it :-(
jinn
Newbie
Posts: 1
Any luck with this? Any progress? I would really love to see an easy-to-follow howto, if it's not too much to ask.
Cheers, Jinn
zoug
Newbie
Posts: 2
Very interested too in this thread... I'd love to inject with my Centrino. Let us know about any progress!
LatinSuD
Full Member
Posts: 149
You are free to become a slave
I have almost negative spare time, and my knowledge on kernel networking internals is very limited.
This is going to take a while.
layoyo
Jr. Member
Posts: 52
By now, with the new driver from http://ipw2200.sourceforge.net/ we can sniff while associated to an AP and surfing. Does someone know what must be done to inject raw packets with it? Because I think if we can send regular packets, raw ones could be feasible? Thx.
obo
Jr. Member
Posts: 65
Quoting layoyo: "By now, with the new driver from http://ipw2200.sourceforge.net/ we can sniff while associated to an AP and surfing. Does someone know what must be done to inject raw packets with it? Because I think if we can send regular packets, raw ones could be feasible? Thx."

I don't think this is up to the device driver as much as it is to the firmware. Also, if you're surfing on an AP, isn't it safe to assume you have the key already? What would be the point of injecting?
nx5
ÜberAdministrator
Jr. Member
Posts: 82
Guns don't kill people, Chuck Norris kills people.
I applied LatinSuD's patches and it worked =) Two things you should take into account: a) the association is not real and b) you need your driver to believe it's associated or the packets won't be injected. So you need someone else associated, because the association can't be faked either. A cleaner patch for the latest aircrack version would be nice, but I don't have much time either... maybe someday.
joeexample
Newbie
Posts: 12
I have ipw2200-1.1.2 - does one need to patch it even at this version to inject, and if so, how? Once patched, does "won't operate normally" mean that I won't be able to use my ipw2200 module for anything other than aircrack ever again? Or does it reset itself back to normal after a reboot?
LatinSuD
Full Member
Posts: 149
You are free to become a slave
The patched module doesn't work apart from injecting. If you do "make install" then you lose your original module (until you reinstall the original version). Hopefully you won't damage your card anyway.
joeexample
Newbie
Posts: 12
Hi LatinSuD,
Thanks for getting back to me so quickly. Now, I admit I'm a complete n00b, but is there any way to build the inject-only version as a completely separate module (say "ipw2200inject")?
ASPj
Global Moderator
Hero Member
Posts: 852
ASPj is GOD!
You can simply rename the module and copy it yourself to the /lib/modules location where the other module is.
After that you can switch between the modules by unloading the one and loading the other:

rmmod ipw2200
modprobe ipw2200inject

That's it!