Topic: Aireplay freezes when injecting (Read 12817 times)
Leopard1
Guest
Just to note, I have read the wiki and the forums and although it seems like this problem has been addressed, I have not seen any post or solution which addresses my situation.

First, I am using Ubuntu "Ultimate Edition" which is essentially Ubuntu Gutsy with a lot of pre-installed programs. Second, I am using a HP 5188-3296 802.11g PCI card which uses an AR5006X chipset which can be found here: http://3btech.net/hp51wi80pcic.html Third, I installed the latest madwifi-ng drivers both manually and with airdriver-ng with the same result. Fourth, I am using the latest svn revision. Fifth, no compile errors with either the driver or the aircrack suite.

Now for the description of the problem. Essentially, everything works perfectly up until injection. I have used aircrack before quite successfully, and because this is an atheros chipset, I didn't expect any problems, but here is what happens:

Standard commands:

First window:
airmon-ng stop ath0
airmon-ng start wifi0
airodump-ng --bssid 00:11:22:33:44:55 -c11 -w capture ath0
(works no problems)

Second window (authentication):
aireplay-ng -1 6000 -q5 -o1 -a 00:11:22:33:44:55 -h 01:12:23:34:45:56 ath0
(association successful, and persists)

Third window (fragmentation attack):
aireplay-ng -5 -b 00:11:22:33:44:55 -h 01:12:23:34:45:56 ath0
(attack successful, writes data to fragment-0123-12345.xor)
packetforge-ng -0 -a 00:11:22:33:44:55 -h 01:12:23:34:45:56 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0123-12345.xor -w arp-request.cap

Now for the problem: all of this is successful, but when I go to inject the packet now made with packetforge, I get this (actual capture of output):

root@Omega:~# aireplay-ng -2 -r arp-request1.cap ath0
open(/dev/rtc) failed: Device or resource busy
No source MAC (-h) specified. Using the device MAC (00:C0:A8:C1:6B:59)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:04:E2:46:8A:47 Dest. MAC = FF:FF:FF:FF:FF:FF Source MAC = 00:C0:A8:C1:6B:59
0x0000: 0841 0201 0004 e246 8a47 00c0 a8c1 6b59 .A.....F.G....kY
0x0010: ffff ffff ffff 8001 d03f b800 035a 333b .........?...Z3;
0x0020: 322c 145b 2204 9953 d33f 9932 bbb3 2b8b 2,.["..S.?.2..+.
0x0030: 7f9a 94f3 ba05 5f6c bf02 4209 2ff2 832d ....._l..B./..-
0x0040: 92ef 34e0 ..4.
Use this packet ? y
Saving chosen packet in replay_src-0127-213226.cap
You should also start airodump-ng to capture replies.

And it freezes. In fact, any attack when it comes to the full injection rate (-3) (-2) will freeze it. Now, I read in the wiki that "open(/dev/rtc) failed: Device or resource busy" is given when there is more than one instance of aireplay-ng running, but I have done these attacks before in the same sequence, and I have never seen this on BT2 or BT3. In fact, I can use BT3 with this card and it works fine. Moreover, I get "open(/dev/rtc) failed: Device or resource busy" even when I just test injection with aireplay-ng. I looked around for a solution, but I have found nothing that sounds useful; most of the other problems relating to "open(/dev/rtc) failed: Device or resource busy" are dealing with audio and sound applications. I tried reinstalling the drivers. I suspect it may have something to do with udev, but am not sure how to investigate it. Any help is appreciated.
darkAudax
Which version of the madwifi-ng drivers are you using? Make sure it is r2834. Older versions can cause the system to freeze.
As well, "open(/dev/rtc) failed: Device or resource busy" can be caused by having multiple instances of aireplay-ng injecting at the same time. Do "ps aux" and look for multiple instances.
d.
« Last Edit: January 29, 2008, 05:04:38 am by darkAudax »
Leopard1
Guest
Thanks for the reply. Maybe I wasn't clear in my first post.

First, I was using the latest madwifi-ng drivers. I tested this both by doing it manually with the tutorial found here: http://www.aircrack-ng.org/doku.php?id=madwifi-ng and by using airdriver-ng, same result. Since the tutorial uses r2834, that is the one I'm using. Again, there were no compile errors.

Second, the only thing that freezes is the window that is injecting; as I said in my original post, everything else works up to the point of continuous injection. That window freezes, the rest of the system is fine.

Regarding the "Device or resource busy": this happens when there are NO other instances of aireplay-ng running. I tested this: I rebooted, opened up a console, and tried the injection test. While the injection test will be successful, it still says the same thing, and this is the only instance of aireplay running. "ps aux" doesn't show any other instances running. I am at a loss.
darkAudax
Leopard1,
I checked with hirte (one of the developers), here is his response:
<hirte> regarding the thread: i saw that, there is another process, not aireplay, using the rtc device
<hirte> and there is a bug in aireplay-ng which just stalls the tool in case rtc is not available
<hirte> so a "lsof | grep rtc" should show the process
<hirte> another thing that could have happened is that he uses a different rtc driver
<hirte> which doesn't work the same way the old driver used to work
d.
Leopard1
Guest
Thank you for your research. A few things.

First, I executed the command "lsof | grep rtc" and there was no output.

Second, now I am getting something quite odd that I never experienced before using atheros cards. The adapter has been renamed to: ath0_rename. Here is the output:

root@Omega:~# lsof | grep rtc
root@Omega:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
vmnet1 no wireless extensions.
vmnet8 no wireless extensions.
wifi0 no wireless extensions.
ath0_rename IEEE 802.11b ESSID:"" Nickname:""
Mode:Managed Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:0 dBm Sensitivity=1/1
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/70 Signal level=-256 dBm Noise level=-256 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
root@Omega:~# airmon-ng stop ath0_rename
Interface Chipset Driver
wifi0 Atheros madwifi-ng
ath0_rename Atheros madwifi-ng VAP (parent: wifi0) (VAP destroyed)
root@Omega:~# airmon-ng start wifi0
Interface Chipset Driver
wifi0 Atheros madwifi-ng
Error for wireless request "Set Frequency" (8B04) : SET failed on device ath0 ; No such device.
ath0: ERROR while getting interface flags: No such device
ath0_rename Atheros madwifi-ng VAP (parent: wifi0)
root@Omega:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
vmnet1 no wireless extensions.
vmnet8 no wireless extensions.
wifi0 no wireless extensions.
ath0_rename IEEE 802.11b ESSID:"" Nickname:""
Mode:Monitor Channel:0 Access Point: Not-Associated
Bit Rate:0 kb/s Tx-Power:16 dBm Sensitivity=1/1
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/70 Signal level=-98 dBm Noise level=-98 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
root@Omega:~#

I am stuck, any help is appreciated.
darkAudax
Leopard1,
You have the strangest set of symptoms. Of course, that does not help you!
The rename comes from udev problems. It is best to search the internet for solutions.
Make sure you have blacklisted the ath5k.ko module.
Beyond that, I have no idea.
d.
Leopard1
Guest
OK, I just wanted to report back with some news, and to help anyone else that may be having the same problems.
Initially, darkaudax you were correct about the rename problem. Udev had to be modified to fix that.
In addition, hirte was correct about other processes using rtc stalling aireplay.
While lsof | grep rtc didn't show what processes were using rtc, lsmod | grep rtc did show me which modules were utilizing rtc.
These modules turned out to be:
snd_rtctimer snd_timer
I'm assuming that these have to do with the sound processes. I blacklisted these modules; however, I have yet to notice any difference in sound output. The good news is that aireplay-ng injects without problems now. So if anyone is having any freezing problems with aireplay-ng due to conflicts with rtc processes, this is one way to solve them.
Also, hirte mentioned that this rtc problem was a "bug" in aireplay. Does that mean it will be fixed in the future, or did he mean that more loosely?
darkAudax
Leopard1,
Thanks for the feedback, I am sure it will be helpful to other people. I have added it to the wiki.
d.
Hirte
If rtc is not found/cannot be used, aireplay tries to compensate for that by using usleep() together with gettimeofday() to have some sort of timer. However, the "bug" is that gettimeofday together with usleep sometimes just stalls the process; I never investigated that. So it's possible to fix, I'd just need to reproduce it.
polarbear
Newbie

Posts: 3
Try to use macchanger to change your card to the MAC address you are inserting after the -h.
I had the same problem, but after making sure the -h xxx and my card matched, voila... no more problems!
ebolla
Newbie

Posts: 3
I get lockups as well with the latest ipwraw drivers. Ubuntu Gutsy here as well.
Kind of annoying, but very noticeable if I have something with sound playing, as it even freezes that and disables all keyboard input.
FoGGx
Newbie

Posts: 4
Experienced that too on Ubuntu Feisty. Yet the above commands didn't reveal any other modules. My experiences with aireplay kinda fit in this thread. I run 3 terminals using:
- airodump-ng
- aireplay-ng -fakeauth
- aireplay-ng -packet replay
Now while doing this I get random "stops" while replaying packets. Once aireplay would run up to 100.000 sent packets for example, take a break (well, the output), continue; the other times it stops at 300 sent packets and slowly continues. Also experiencing that CTRL-C doesn't work then for a time. Also the MAC address of my wifi adapter looks strange, but seems to work in aireplay:
wlan0 Protokoll:UNSPEC Hardware Adresse 00-0D-F0-10-52-DD-00-00-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1500 Metric:1
RX packets:456496 errors:14 dropped:0 overruns:0 frame:0
TX packets:40117 errors:27826 dropped:0 overruns:0 carrier:0
locust
Newbie

Posts: 3
Hi guys, I have the same problem as leopard1. When I use aireplay-ng with the -2 or -3 option, aireplay-ng freezes. Here is the output of the lsmod | grep rtc command:
[root@nazgul ~]# lsmod | grep rtc
rtc_cmos 7584 0
rtc_core 15496 1 rtc_cmos
rtc_lib 2944 1 rtc_core
If I blacklist these modules the system doesn't work well. I'm using aircrack-ng beta2 with madwifi-ng-r2756 patched for the ar5007 chipset and for injection on ArchLinux 2.6.24. Bye
darkAudax
locust,
Try using a current svn version of madwifi-ng. Some old versions were known to lock up systems when used with the aircrack-ng suite.
d.
locust
Newbie

Posts: 3
Thanks for the reply, but I have two questions: do I need to patch the svn madwifi driver if I want it to work with the ar5007 chipset? Do I also need to patch it for injection? Thank you.
EDIT: the latest snapshot doesn't work with my chipset; I used this http://snapshots.madwifi.org/special/madwifi-nr-r3366+ar5007.tar.gz and the injection works (I did the test with aireplay-ng -9) but aireplay freezes again!
« Last Edit: March 10, 2008, 07:02:25 pm by locust »