Topic: IPW2200 Injection (v2) (Read 113606 times)
LatinSuD
Full Member
Posts: 149
You are free to become a slave
Now that I'm on holidays I found the time for enhancing the injection patch. Even I had trouble getting it to work. The new version still has limitations, but should be less problematic and still be compatible with normal operation. This time I make use of the sysfs interface for injecting data. The same firmware limitations apply:
- Card has to be associated to any AP (on the channel you want to inject) while injecting (you can inject to a different ap).
- Card has to be in managed mode (you can still sniff through rtap0).
- Only data frames can be sent (no auth/assoc/disassoc/deauth, etc).

* IPW2200
- Download ipw2200-1.1.3 or use in-kernel driver.
- Patch
- Compile
- insmod ipw2200.ko rtap_iface=1

* AIRCRACK-NG
- Get aircrack-ng 0.6.2 or higher.

Sample usage (more or less):
cd ipw2200-1.1.3-inject
insmod ipw2200.ko rtap_iface=1
ifconfig eth1 up
ifconfig rtap0 up
# Associate to the ap with any random key. In theory you could associate to any ap on the same channel as the victim.
iwconfig eth1 essid MYNETWORK
iwconfig eth1 key s:anykey
# We cannot perform attack 1, but if we are associated to the victim ap we can use our real mac
cd ../aircrack-ng-0.6-ipw2200
./aireplay-ng -2 -h 00:0E:35:42:AC:75 -c ff:ff:ff:ff:ff:ff -i rtap0 eth1
./aireplay-ng -3 -h 00:0E:35:42:AC:75 -i rtap0 eth1
./aireplay-ng -4 -h 00:0E:35:42:AC:75 -i rtap0 eth1
Using attack 2, close to the ap, with a small packet, i can generate about 400-500 ivs per second.
« Last Edit: April 27, 2008, 11:34:59 am by LatinSuD »
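A defender-side check for the replay pattern the post above produces, added here as an example and not part of the original thread: a replayed WEP frame repeats the same IV hundreds of times per second, and the AP that re-encrypts it emits fresh IVs at the 400-500/s rate quoted. The BSSID, the normal client MAC, the thresholds and the capture records are constructed; only the injecting client MAC is taken from the post.

```python
"""Spot WEP packet replay (the aireplay-ng -2/-3 pattern) in a capture summary.
Two signals: one source repeating a single IV at high rate, and the AP
producing distinct IVs at hundreds per second."""
from collections import Counter, defaultdict

# Constructed capture summary, not a real trace: (time_s, src, bssid, iv).
AP = "00:aa:bb:cc:dd:ee"          # hypothetical BSSID
LEGIT = "00:11:22:33:44:55"       # hypothetical normal client
INJ = "00:0E:35:42:AC:75"         # client MAC used in the post's aireplay example
SAMPLE = [(i * 0.05, LEGIT, AP, 0x100000 + i) for i in range(20)]       # normal: 20 fps, IV advances
SAMPLE += [(1.0 + i / 450.0, INJ, AP, 0x2a0001) for i in range(450)]    # replay: same frame, same IV
SAMPLE += [(1.0 + i / 450.0, AP, AP, 0x300000 + i) for i in range(450)] # AP relays it with new IVs

def iv_reuse_bursts(records, rate=100):
    """Sources that sent one IV more than `rate` times within a single second.
    A real WEP client advances its IV every frame, so this is the replay signature.
    Returns [(second, src, iv, count)] sorted by second and source."""
    per_src = defaultdict(Counter)
    for t, src, _bssid, iv in records:
        per_src[(int(t), src)][iv] += 1
    alerts = []
    for (sec, src), ivs in sorted(per_src.items()):
        iv, count = ivs.most_common(1)[0]
        if count > rate:
            alerts.append((sec, src, iv, count))
    return alerts

def ap_iv_rate(records):
    """Distinct IVs per second emitted by each AP (frames whose src == bssid).
    Hundreds per second with no matching rise in real client traffic means the
    AP is being used as an IV generator. Returns {(second, ap): n}."""
    seen = defaultdict(set)
    for t, src, bssid, iv in records:
        if src == bssid:
            seen[(int(t), src)].add(iv)
    return {k: len(v) for k, v in seen.items()}

if __name__ == "__main__":
    for sec, src, iv, n in iv_reuse_bursts(SAMPLE):
        print(f"t={sec}s {src} repeated IV {iv:#08x} {n} times")
    for (sec, ap), n in sorted(ap_iv_rate(SAMPLE).items()):
        print(f"t={sec}s AP {ap} produced {n} fresh IVs")
```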
ASPj
Global Moderator
Hero Member
Posts: 852
ASPj is GOD!
Nice!!
I am just playing around with the first version. It's not very useful, as far as injection is very slow and only data frames could be injected. But nonetheless: GREAT WORK!
I discovered a strange thing: Sometimes after enabling the injection mode, my ipw2200 turns crazy and is somehow JAMMING the whole channel, I was unable to receive or send A SINGLE FRAME. I almost thought, my other card was broken, but then I switched the RFKill switch and there were the packets again.
LatinSuD
Full Member
Posts: 149
You are free to become a slave
I used to experience that jamming problem while using the old version of the patch. The new version still works fine for me. I'm not saying there are no bugs, but on my system it works for now.
About speed, you may try getting closer to the AP. Tuning the "iwconfig retry" parameter may help, though I have noticed no difference.
blue
Newbie
Posts: 2
I've noticed the same "jamming" problem. I also noticed all the clients losing connection until I shut down my interface. I will try the new version and let you know if I get the same thing.
blue
Newbie
Posts: 2
This is odd, I tried the new patches and now I get this:
#airodump-ng -c 6 -w capinj --ivs rtap0
ioctl(SIOCSIWMODE) failed: Operation not supported
Error setting monitor mode on rtap0
I was able to use rtap0 to capture packets before but now it doesn't work. I can, however, use eth1 to do this.
nx5
ÜberAdministrator
Jr. Member
Posts: 82
Guns don't kill people, Chuck Norris kills people.
I don't remember if I mentioned it the first time I tried injecting with IPW2200 with the old patches, but I also had the jamming problem. It made the AP jump channels, it was kind of fun. I could make it jump to another channel after the jamming. It can be useful in case someone has their AP in a commonly used channel (like 1 or 3) and there are more APs in that channel interfering, to make them jump to an "empty" channel.
/dev/nihil
Guest
Same here with rtap0.
LatinSuD
Full Member
Posts: 149
You are free to become a slave
You can consider the rtap issue a driver/aircrack-ng bug. The rtap0 device does not implement wireless extensions at all, so no mode or channel change is allowed. With airodump (old version) it works.
Note that if you want to inject you cannot directly choose the channel. This is because the card is in managed mode, and will remain on the channel of the AP it connected to.
If you don't want to inject it's better to use the eth1 interface in monitor mode.
vincent
Guest
Hello,
Thanks for your topic. Could you explain to me what you mean by "patch" and "compile"? I would like to use my Centrino wifi card in injection mode but I don't understand how to use your files.
Thanks a lot
« Last Edit: August 05, 2006, 01:37:53 pm by ASPj »
/dev/nihil
Guest
Answered off forum - via email, since it's a basic question.
/dev/nihil
Guest
Hello again, LatinSuD. Here's my report:
I've only tested attack #2, and for some reason I haven't been able to inject with these new patches. I'm able to carry out attack #2 with unZIP patches on this same network, but yours doesn't work for me. The target network is one of those Imagenio WLAN_XX with default password and a Zyxel 660 router. BTW, I do know it's crackable with one single IV, but it's the only network I can reach at this moment.
And you are right, old versions of airodump (tested ng 0.21) are able to use the rtap0 iface.
Thanks.
LatinSuD
Full Member
Posts: 149
You are free to become a slave
What are unZIP patches?
Don't forget to patch aircrack-ng and use the --ipwsys flag. Anyway shit happens, my patches have only been tested on my laptop before release.
Status of IPW2200-ap:
+ Allows attack 0
* Allows attack 1, but it immediately triggers a firmware error.
- Does not implement the rtap0 interface
- Is not as stable as ipw2200-1.1.3
« Last Edit: August 07, 2006, 12:47:21 pm by LatinSuD »
li
Guest
I use the 2.6.17 kernel from Debian sid with the appropriate kernel headers. I compiled and installed the newest ieee80211-1.1.14 and then compiled the patched ipw2200-1.1.3. While compiling I got these warnings:
hermes:~/wireless/ipw2200-1.1.3# make
mkdir -p /root/wireless/ipw2200-1.1.3/tmp/.tmp_versions
cp /lib/modules/2.6.17-1-686/net/ieee80211/.tmp_versions/*.mod /root/wireless/ipw2200-1.1.3/tmp/.tmp_versions
make -C /lib/modules/2.6.17-1-686/build M=/root/wireless/ipw2200-1.1.3 MODVERDIR=/root/wireless/ipw2200-1.1.3/tmp/.tmp_versions modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.17-1-686'
  CC [M]  /root/wireless/ipw2200-1.1.3/ipw2200.o
/root/wireless/ipw2200-1.1.3/ipw2200.c:2015: warning: 'dev_attr_inject' defined but not used
  Building modules, stage 2.
  MODPOST
WARNING: "free_ieee80211" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "alloc_ieee80211" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_wx_get_encode" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_wx_set_encode" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_wx_get_scan" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_wx_get_encodeext" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_wx_set_encodeext" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_rx_mgt" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_rx" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "escape_essid" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
WARNING: "ieee80211_txb_free" [/root/wireless/ipw2200-1.1.3/ipw2200.ko] undefined!
  CC      /root/wireless/ipw2200-1.1.3/ipw2200.mod.o
  LD [M]  /root/wireless/ipw2200-1.1.3/ipw2200.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.17-1-686'
Nevertheless I tried to load the module:
hermes:~/wireless/ipw2200-1.1.3# insmod ipw2200.ko rtap_iface=1
insmod: error inserting 'ipw2200.ko': -1 Unknown symbol in module
dmesg gives me this:
ieee80211_crypt: registered algorithm 'NULL'
ieee80211: 802.11 data/management/control stack, 1.1.14
ieee80211: Copyright (C) 2004-2005 Intel Corporation <jketreno@linux.intel.com>
ipw2200: Unknown parameter `rtap_iface'
Loading the module without rtap_iface=1 works fine, but then:
aireplay-ng --ipwsys -2 eth1
ERROR: Cannot open sysfs file (/sys/class/net/eth1/device/inject)
Do you have an idea what the problem could be?
LatinSuD
Full Member
Posts: 149
You are free to become a slave
Quote:
nevertheless i tried to load the module:
hermes:~/wireless/ipw2200-1.1.3# insmod ipw2200.ko rtap_iface=1
insmod: error inserting 'ipw2200.ko': -1 Unknown symbol in module

So ipw2200 is not loaded, so perhaps you had an old version already. Check dmesg to see what the missing-symbol error message is...