Aircrack-ng forum

General Category => General help => Topic started by: Kali Hates Me on January 07, 2016, 10:04:13 pm

Title: Weird issue with Intel 3160 and packet injection
Post by: Kali Hates Me on January 07, 2016, 10:04:13 pm
Alright, so posting to the forums is my last, desperate chance to get aireplay-ng working.  Whenever I try to packet inject my dmesg fills with some funky stuff, which leads me to believe there is a firmware issue, but I have the correct firmware on the system (I think).  The following will take you through the steps I am using and what eventually happens at the end.

My system:
Code:
root@kali:~# uname -a
Linux kali 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux

Aircrack Version:
Code:
root@kali:~# aircrack-ng
  Aircrack-ng 1.2 rc3 - (C) 2006-2015 Thomas d'Otreppe

Wireless Card:
Code:
root@kali:~# lspci | grep Wireless
05:00.0 Network controller: Intel Corporation Wireless 3160 (rev 83)

** SIDE NOTE: lspci freezes my computer about 75% of the time.  I don't know if this is related, but I cannot find the cause  **Fixed - blacklisted nouveau

This card supports packet injection and most other things using the iwlwifi driver according to the wiki: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers

Clicking on that link will take you to this page: https://wireless.wiki.kernel.org/en/users/Drivers/iwlwifi showing that for the Intel-3160 on < 4.1 kernel I need the iwlwifi-3160-12.ucode firmware.  Alright, now let's see if we have that.

Code:
root@kali:~# ls /lib/firmware/ | grep iwlwifi-3160-12
iwlwifi-3160-12.ucode

Looks like it.  Now the iwlmvm module should be using this firmware (correct me if I'm wrong, this is all pretty new to me).  Getting modinfo of iwlmvm:

Code:
root@kali:~# modinfo iwlmvm
filename:       /lib/modules/4.0.0-kali1-amd64/kernel/drivers/net/wireless/iwlwifi/mvm/iwlmvm.ko
license:        GPL
author:         Copyright(c) 2003- 2014 Intel Corporation <ilw@linux.intel.com>
description:    The new Intel(R) wireless AGN driver for Linux
depends:        iwlwifi,mac80211,cfg80211
intree:         Y
vermagic:       4.0.0-kali1-amd64 SMP mod_unload modversions
parm:           init_dbg:set to true to debug an ASSERT in INIT fw (default: false (bool)
parm:           power_scheme:power management scheme: 1-active, 2-balanced, 3-low power, default: 2 (int)
parm:           tfd_q_hang_detect:TFD queues hang detection (default: true (bool)

modinfo of iwlwifi:
Code:
root@kali:~# modinfo iwlwifi
filename:       /lib/modules/4.0.0-kali1-amd64/kernel/drivers/net/wireless/iwlwifi/iwlwifi.ko
license:        GPL
author:         Copyright(c) 2003- 2014 Intel Corporation <ilw@linux.intel.com>
description:    Intel(R) Wireless WiFi driver for Linux
firmware:       iwlwifi-100-5.ucode
firmware:       iwlwifi-1000-5.ucode
firmware:       iwlwifi-135-6.ucode
firmware:       iwlwifi-105-6.ucode
firmware:       iwlwifi-2030-6.ucode
firmware:       iwlwifi-2000-6.ucode
firmware:       iwlwifi-5150-2.ucode
firmware:       iwlwifi-5000-5.ucode
firmware:       iwlwifi-6000g2b-6.ucode
firmware:       iwlwifi-6000g2a-5.ucode
firmware:       iwlwifi-6050-5.ucode
firmware:       iwlwifi-6000-4.ucode
firmware:       iwlwifi-7265D-10.ucode
firmware:       iwlwifi-7265-10.ucode
firmware:       iwlwifi-3165-10.ucode
firmware:       iwlwifi-3160-10.ucode
firmware:       iwlwifi-7260-10.ucode
firmware:       iwlwifi-8000-10.ucode
(lots of alia-pci)
depends:        cfg80211
intree:         Y
vermagic:       4.0.0-kali1-amd64 SMP mod_unload modversions
parm:           swcrypto:using crypto in software (default 0 [hardware]) (int)
parm:           11n_disable:disable 11n functionality, bitmap: 1: full, 2: disable agg TX, 4: disable agg RX, 8 enable agg TX (uint)
parm:           amsdu_size_8K:enable 8K amsdu size (default 0) (int)
parm:           fw_restart:restart firmware in case of error (default true) (bool)
parm:           antenna_coupling:specify antenna coupling in dB (default: 0 dB) (int)
parm:           nvm_file:NVM file name (charp)
parm:           d0i3_disable:disable d0i3 functionality (default: Y) (bool)
parm:           uapsd_disable:disable U-APSD functionality (default: Y) (bool)
parm:           bt_coex_active:enable wifi/bt co-exist (default: enable) (bool)
parm:           led_mode:0=system default, 1=On(RF On)/Off(RF Off), 2=blinking, 3=Off (default: 0) (int)
parm:           power_save:enable WiFi power management (default: disable) (bool)
parm:           power_level:default power save level (range from 1 - 5, default: 1) (int)
parm:           fw_monitor:firmware monitor - to debug FW (default: false - needs lots of memory) (bool)

Looks like it is not using iwlwifi-3160-12.ucode, but instead iwlwifi-3160-10.ucode.  Both are supported for aircrack, so to me this isn't a huge deal (maybe it is).

So to me, it looks like everything should work as intended.  Let me take you through the steps I use to get to the problem.

airmon-ng
Code:
root@kali:~# airmon-ng check kill

Killing these processes:

  PID Name
  884 wpa_supplicant
  885 dhclient

root@kali:~# airmon-ng start wlan0 4


PHY Interface Driver Chipset

phy0 wlan0 iwlwifi Intel Corporation Wireless 3160 (rev 83)

(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)


dmesg looks like everything is fine...
Code:
[ 1944.212939] wlan0: deauthenticating from a0:21:b7:ac:78:97 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 1944.225491] cfg80211: Calling CRDA to update world regulatory domain
[ 1944.227713] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 1944.241813] cfg80211: World regulatory domain updated:
[ 1944.241815] cfg80211:  DFS Master region: unset
[ 1944.241816] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 1944.241818] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 1944.241819] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 1944.241820] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 1944.241821] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (N/A)
[ 1944.241822] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2000 mBm), (0 s)
[ 1944.241823] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 1944.241824] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 1944.241825] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 1960.527471] iwlwifi 0000:05:00.0: L1 Disabled - LTR Enabled
[ 1960.527710] iwlwifi 0000:05:00.0: L1 Disabled - LTR Enabled

Now let's try the packet injection to see where stuff gets funky.

Code:
root@kali:~# aireplay-ng -9 -e Farkles wlan0mon
16:57:08  Waiting for beacon frame (ESSID: Farkles) on channel 4
Found BSSID "A0:21:B7:AC:78:97" to given ESSID "Farkles".
16:57:08  Trying broadcast probe requests...
16:57:09  No Answer...
16:57:09  Found 1 AP

16:57:09  Trying directed probe requests...
16:57:09  A0:21:B7:AC:78:97 - channel: 4 - 'Farkles'
16:57:15   0/30:   0%

It fails, even though the card supports packet injection.  Now to see what happened in dmesg.

Code:
[ 2093.678592] device wlan0mon entered promiscuous mode
[ 2103.755505] iwlwifi 0000:05:00.0: Queue 0 stuck for 10000 ms.
[ 2103.755517] iwlwifi 0000:05:00.0: Current SW read_ptr 0 write_ptr 93
[ 2103.755544] iwl data: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[ 2103.755559] iwlwifi 0000:05:00.0: FH TRBs(0) = 0x00000000
[ 2103.755574] iwlwifi 0000:05:00.0: FH TRBs(1) = 0x00000000
[ 2103.755588] iwlwifi 0000:05:00.0: FH TRBs(2) = 0x00000000
[ 2103.755603] iwlwifi 0000:05:00.0: FH TRBs(3) = 0x00000000
[ 2103.755617] iwlwifi 0000:05:00.0: FH TRBs(4) = 0x00000000
[ 2103.755631] iwlwifi 0000:05:00.0: FH TRBs(5) = 0x00000000
[ 2103.755646] iwlwifi 0000:05:00.0: FH TRBs(6) = 0x00000000
[ 2103.755660] iwlwifi 0000:05:00.0: FH TRBs(7) = 0x00709029
[ 2103.755719] iwlwifi 0000:05:00.0: Q 0 is active and mapped to fifo 3 ra_tid 0x0000 [0,93]
[ 2103.755776] iwlwifi 0000:05:00.0: Q 1 is active and mapped to fifo 2 ra_tid 0x0000 [0,0]
[ 2103.755834] iwlwifi 0000:05:00.0: Q 2 is active and mapped to fifo 1 ra_tid 0x0000 [0,30]
[ 2103.755891] iwlwifi 0000:05:00.0: Q 3 is active and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.755948] iwlwifi 0000:05:00.0: Q 4 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756005] iwlwifi 0000:05:00.0: Q 5 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756063] iwlwifi 0000:05:00.0: Q 6 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756120] iwlwifi 0000:05:00.0: Q 7 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756177] iwlwifi 0000:05:00.0: Q 8 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756235] iwlwifi 0000:05:00.0: Q 9 is active and mapped to fifo 7 ra_tid 0x0000 [42,42]
[ 2103.756292] iwlwifi 0000:05:00.0: Q 10 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756349] iwlwifi 0000:05:00.0: Q 11 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756407] iwlwifi 0000:05:00.0: Q 12 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756464] iwlwifi 0000:05:00.0: Q 13 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756522] iwlwifi 0000:05:00.0: Q 14 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756579] iwlwifi 0000:05:00.0: Q 15 is active and mapped to fifo 5 ra_tid 0x0000 [0,0]
[ 2103.756636] iwlwifi 0000:05:00.0: Q 16 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756694] iwlwifi 0000:05:00.0: Q 17 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756752] iwlwifi 0000:05:00.0: Q 18 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756809] iwlwifi 0000:05:00.0: Q 19 is inactive and mapped to fifo 0 ra_tid 0x0000 [0,0]
[ 2103.756870] iwlwifi 0000:05:00.0: Microcode SW error detected.  Restarting 0x2000000.
[ 2103.756873] iwlwifi 0000:05:00.0: CSR values:
[ 2103.756874] iwlwifi 0000:05:00.0: (2nd byte of CSR_INT_COALESCING is CSR_INT_PERIODIC_REG)
[ 2103.756879] iwlwifi 0000:05:00.0:        CSR_HW_IF_CONFIG_REG: 0X00c89204
[ 2103.756884] iwlwifi 0000:05:00.0:          CSR_INT_COALESCING: 0X80000040
[ 2103.756889] iwlwifi 0000:05:00.0:                     CSR_INT: 0X00000000
[ 2103.756897] iwlwifi 0000:05:00.0:                CSR_INT_MASK: 0X00000000
[ 2103.756901] iwlwifi 0000:05:00.0:           CSR_FH_INT_STATUS: 0X00000000
[ 2103.756906] iwlwifi 0000:05:00.0:                 CSR_GPIO_IN: 0X00000000
[ 2103.756910] iwlwifi 0000:05:00.0:                   CSR_RESET: 0X00000000
[ 2103.756915] iwlwifi 0000:05:00.0:                CSR_GP_CNTRL: 0X080403c5
[ 2103.756919] iwlwifi 0000:05:00.0:                  CSR_HW_REV: 0X00000164
[ 2103.756923] iwlwifi 0000:05:00.0:              CSR_EEPROM_REG: 0X00000000
[ 2103.756928] iwlwifi 0000:05:00.0:               CSR_EEPROM_GP: 0X80000000
[ 2103.756932] iwlwifi 0000:05:00.0:              CSR_OTP_GP_REG: 0X803a0000
[ 2103.756937] iwlwifi 0000:05:00.0:                 CSR_GIO_REG: 0X00080044
[ 2103.756941] iwlwifi 0000:05:00.0:            CSR_GP_UCODE_REG: 0X00000000
[ 2103.756955] iwlwifi 0000:05:00.0:           CSR_GP_DRIVER_REG: 0X00000000
[ 2103.756960] iwlwifi 0000:05:00.0:           CSR_UCODE_DRV_GP1: 0X00000000
[ 2103.756965] iwlwifi 0000:05:00.0:           CSR_UCODE_DRV_GP2: 0X00000000
[ 2103.756969] iwlwifi 0000:05:00.0:                 CSR_LED_REG: 0X00000060
[ 2103.756973] iwlwifi 0000:05:00.0:        CSR_DRAM_INT_TBL_REG: 0X880ca19a
[ 2103.756977] iwlwifi 0000:05:00.0:        CSR_GIO_CHICKEN_BITS: 0X27800200
[ 2103.756981] iwlwifi 0000:05:00.0:             CSR_ANA_PLL_CFG: 0Xd55555d5
[ 2103.756985] iwlwifi 0000:05:00.0:      CSR_MONITOR_STATUS_REG: 0X5bb7fff7
[ 2103.756989] iwlwifi 0000:05:00.0:           CSR_HW_REV_WA_REG: 0X0001001a
[ 2103.756994] iwlwifi 0000:05:00.0:        CSR_DBG_HPET_MEM_REG: 0Xffff0000
[ 2103.756995] iwlwifi 0000:05:00.0: FH register values:
[ 2103.757008] iwlwifi 0000:05:00.0:         FH_RSCSR_CHNL0_STTS_WPTR_REG: 0X41c0c000
[ 2103.757022] iwlwifi 0000:05:00.0:        FH_RSCSR_CHNL0_RBDCB_BASE_REG: 0X041c0c10
[ 2103.757036] iwlwifi 0000:05:00.0:                  FH_RSCSR_CHNL0_WPTR: 0X00000018
[ 2103.757050] iwlwifi 0000:05:00.0:         FH_MEM_RCSR_CHNL0_CONFIG_REG: 0X00801114
[ 2103.757064] iwlwifi 0000:05:00.0:          FH_MEM_RSSR_SHARED_CTRL_REG: 0X000000fc
[ 2103.757078] iwlwifi 0000:05:00.0:            FH_MEM_RSSR_RX_STATUS_REG: 0X03030000
[ 2103.757091] iwlwifi 0000:05:00.0:    FH_MEM_RSSR_RX_ENABLE_ERR_IRQ2DRV: 0X00000000
[ 2103.757105] iwlwifi 0000:05:00.0:                FH_TSSR_TX_STATUS_REG: 0X07ff0001
[ 2103.757118] iwlwifi 0000:05:00.0:                 FH_TSSR_TX_ERROR_REG: 0X00000000
[ 2103.757243] iwlwifi 0000:05:00.0: Start IWL Error Log Dump:
[ 2103.757244] iwlwifi 0000:05:00.0: Status: 0x00000000, count: 6
[ 2103.757245] iwlwifi 0000:05:00.0: Loaded firmware version: 25.17.12.0
[ 2103.757246] iwlwifi 0000:05:00.0: 0x00000084 | NMI_INTERRUPT_UNKNOWN       
[ 2103.757248] iwlwifi 0000:05:00.0: 0x00000230 | uPc
[ 2103.757248] iwlwifi 0000:05:00.0: 0x00000000 | branchlink1
[ 2103.757249] iwlwifi 0000:05:00.0: 0x00000B34 | branchlink2
[ 2103.757250] iwlwifi 0000:05:00.0: 0x00014AC4 | interruptlink1
[ 2103.757251] iwlwifi 0000:05:00.0: 0x000001CE | interruptlink2
[ 2103.757253] iwlwifi 0000:05:00.0: 0x00000000 | data1
[ 2103.757254] iwlwifi 0000:05:00.0: 0x00000080 | data2
[ 2103.757254] iwlwifi 0000:05:00.0: 0x07030000 | data3
[ 2103.757256] iwlwifi 0000:05:00.0: 0x00000000 | beacon time
[ 2103.757256] iwlwifi 0000:05:00.0: 0x0886E091 | tsf low
[ 2103.757257] iwlwifi 0000:05:00.0: 0x00000000 | tsf hi
[ 2103.757258] iwlwifi 0000:05:00.0: 0x00000000 | time gp1
[ 2103.757259] iwlwifi 0000:05:00.0: 0x0886E092 | time gp2
[ 2103.757260] iwlwifi 0000:05:00.0: 0x00000000 | time gp3
[ 2103.757261] iwlwifi 0000:05:00.0: 0x00041911 | uCode version
[ 2103.757262] iwlwifi 0000:05:00.0: 0x00000164 | hw version
[ 2103.757263] iwlwifi 0000:05:00.0: 0x00C89204 | board version
[ 2103.757264] iwlwifi 0000:05:00.0: 0x0929002C | hcmd
[ 2103.757265] iwlwifi 0000:05:00.0: 0x24022000 | isr0
[ 2103.757266] iwlwifi 0000:05:00.0: 0x00000000 | isr1
[ 2103.757267] iwlwifi 0000:05:00.0: 0x00000002 | isr2
[ 2103.757268] iwlwifi 0000:05:00.0: 0x0041FCC0 | isr3
[ 2103.757269] iwlwifi 0000:05:00.0: 0x00000000 | isr4
[ 2103.757270] iwlwifi 0000:05:00.0: 0x00000110 | isr_pref
[ 2103.757270] iwlwifi 0000:05:00.0: 0x00000000 | wait_event
[ 2103.757271] iwlwifi 0000:05:00.0: 0x00000850 | l2p_control
[ 2103.757272] iwlwifi 0000:05:00.0: 0x00010030 | l2p_duration
[ 2103.757274] iwlwifi 0000:05:00.0: 0x0000003F | l2p_mhvalid
[ 2103.757275] iwlwifi 0000:05:00.0: 0x00000000 | l2p_addr_match
[ 2103.757276] iwlwifi 0000:05:00.0: 0x00000005 | lmpm_pmg_sel
[ 2103.757277] iwlwifi 0000:05:00.0: 0x13041302 | timestamp
[ 2103.757278] iwlwifi 0000:05:00.0: 0x00341828 | flow_handler
[ 2103.757280] ieee80211 phy0: Hardware restart was requested
[ 2103.847768] iwlwifi 0000:05:00.0: L1 Disabled - LTR Enabled
[ 2103.848014] iwlwifi 0000:05:00.0: L1 Disabled - LTR Enabled


I don't know where to begin deciphering this, but to me it looks like something wrong in the firmware/driver even though everything should be correct as noted by previous points.  Or maybe I'm an idiot.  Any sort of assistance or points in the right direction would be awesome.  I'm not asking you to fix my computer (like a lot of 'help me' posts are) but just send me some links or shine insight on this issue!

Thanks for your time.
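
An added example (not part of the original post, and not Aircrack-ng or iwlwifi project code): a shell function that reduces a dmesg dump like the one above to the fields that matter when triaging this failure, namely the stuck TX queue, the queues still holding frames, the firmware version the device reports as loaded, and the firmware error id. The function names are hypothetical, and it assumes that the third field of the version string is the ucode API number and that the bracketed pair on each `Q` line is the read and write pointer.

```shell
# Added example: summarise an iwlwifi firmware crash from dmesg text on stdin.
# Excerpt of the dmesg output posted above (register dump lines left out).
sample_dmesg() {
cat <<'EOF'
[ 2093.678592] device wlan0mon entered promiscuous mode
[ 2103.755505] iwlwifi 0000:05:00.0: Queue 0 stuck for 10000 ms.
[ 2103.755719] iwlwifi 0000:05:00.0: Q 0 is active and mapped to fifo 3 ra_tid 0x0000 [0,93]
[ 2103.755776] iwlwifi 0000:05:00.0: Q 1 is active and mapped to fifo 2 ra_tid 0x0000 [0,0]
[ 2103.755834] iwlwifi 0000:05:00.0: Q 2 is active and mapped to fifo 1 ra_tid 0x0000 [0,30]
[ 2103.756235] iwlwifi 0000:05:00.0: Q 9 is active and mapped to fifo 7 ra_tid 0x0000 [42,42]
[ 2103.756870] iwlwifi 0000:05:00.0: Microcode SW error detected.  Restarting 0x2000000.
[ 2103.757245] iwlwifi 0000:05:00.0: Loaded firmware version: 25.17.12.0
[ 2103.757246] iwlwifi 0000:05:00.0: 0x00000084 | NMI_INTERRUPT_UNKNOWN
[ 2103.757248] iwlwifi 0000:05:00.0: 0x00000230 | uPc
[ 2103.757280] ieee80211 phy0: Hardware restart was requested
EOF
}

iwl_crash_summary() {
  awk '
    match($0, /Queue [0-9]+ stuck for [0-9]+ ms/) {
      split(substr($0, RSTART, RLENGTH), a, " "); stuck = a[2]; ms = a[5]
    }
    # Assumption: the bracketed pair is [read,write]; unequal = frames never sent.
    match($0, /Q [0-9]+ is active .*\[[0-9]+,[0-9]+\]/) {
      n = split(substr($0, RSTART, RLENGTH), a, " ")
      pair = a[n]; gsub(/[^0-9,]/, "", pair); split(pair, p, ",")
      if (p[1] != p[2]) pending = pending (pending ? ";" : "") "Q" a[2] "[" pair "]"
    }
    /Microcode SW error detected/ { crash = 1 }
    # Assumption: third version field = ucode API number (N in iwlwifi-3160-N.ucode).
    match($0, /Loaded firmware version: [0-9.]+/) {
      split(substr($0, RSTART, RLENGTH), a, " "); fw = a[4]
      split(fw, v, "."); api = v[3]
    }
    # First all-caps name in the error log dump is the firmware error id.
    err == "" && match($0, /[|] [A-Z0-9_]+ *$/) {
      err = substr($0, RSTART + 2, RLENGTH - 2); sub(/ +$/, "", err)
    }
    /Hardware restart was requested/ { restart = 1 }
    END {
      print "fw_crash="    (crash ? "yes" : "no")
      print "stuck_queue=" (stuck == "" ? "none" : stuck)
      print "stuck_ms="    (ms == "" ? "none" : ms)
      print "pending="     (pending == "" ? "none" : pending)
      print "fw_version="  (fw == "" ? "unknown" : fw)
      print "fw_api="      (api == "" ? "unknown" : api)
      print "fw_error="    (err == "" ? "none" : err)
      print "hw_restart="  (restart ? "yes" : "no")
    }'
}

sample_dmesg | iwl_crash_summary   # on a live system: dmesg | iwl_crash_summary
```
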
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: misterx on January 07, 2016, 11:43:16 pm
The driver for this chipset might be too recent to support monitor mode (or the firmware prevents it).

Other than maybe contacting linux-wireless (and checking on their wiki if that chipset supports injection first), you have done everything I would have suggested.
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: Kali Hates Me on January 07, 2016, 11:50:28 pm
Quote from: misterx
The driver for this chipset might be too recent to support monitor mode (or the firmware prevents it).

Other than maybe contacting linux-wireless (and checking on their wiki if that chipset supports injection first), you have done everything I would have suggested.

Appreciate the response misterx, I will definitely check out the wireless forums and IRC.  I'm really excited to experiment with your tool, it just sucks I'm hitting this wall so early on.
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: Trey on February 02, 2016, 06:26:51 pm
Hey
Can you tell me if you have fixed this issue please?
Thank you.
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: misterx on February 02, 2016, 09:56:05 pm
Trey, no we haven't fixed the issue (linux wireless might have) because it isn't in Aircrack-ng, it's in the driver.
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: Kali loves me not on March 23, 2016, 10:38:55 pm
I have the exact same problem with the exact same card. I hope this gets solved quickly.
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: JonnyRobot on April 03, 2016, 03:53:59 pm
I've been trying to get my 3160 working for some time now.  It never passes the injection test.  If your network card doesn't state "injection is working" when you run the injection test, then you need a different driver or card.  I've tried several drivers for my 3160 after scouring these forums, but was unable to get any of them working.  I recommend trying a different card.  A quick Google search can tell you how to test injection if you don't know how to do that, and also what cards are confirmed for supporting injection with this fantastic tool.

I hope that helps!
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: DanieleBianchin on November 01, 2016, 06:13:32 pm
Any update? I got the same problem.
Title: Re: Weird issue with Intel 3160 and packet injection
Post by: Jojo on March 02, 2018, 09:26:14 am
Same problem here, please help!