Has anyone used Airpwn yet? It's in the backtrack radio folder in the start menu but I can't find the folder so I can change the config? It's not in the pentest directory...
The problem is there isn't any documentation... all the videos, all the tutorials don't show where this conf/greet file is or how to make things work, just the switches to use. I'm a bit lost to be honest. I understand how it works, I just can't find the files :P
I've tried searching, but it just lags too much
Last edited by MassAppeal; 01-20-2010 at 11:15 AM.
Did you try here, because it tells me how the configuration file works.
I know, I've read that page 3 times. It still doesn't tell me where this config file is, or do I just simply make my own html page?
On BT3 there were some pre-made templates to use with airpwn. There is a site that has some cool ones, brico-wifi: airpwn download and how to
A book has some info: Security Power Tools, in chapter 8. http://oreilly.com/catalog/9780596009632
It's an old tool so google is your best friend. Lots of things out there. But essentially here is what it breaks down to.
You have a Filter, and a response to a filter. Both of which are a file. In the config file, it is really the packet filter and has a "response" line which links to another file of whatever type to respond to the filter with.
The version 1.4 in BT4 final works well on an open network
with an alfa awus036h
But something is wrong with WEP key mode
with -F :
airpwn -c conf/bsod_html -d rtl8187 -i mon0 -vvv -k 8f:7d:b2:a8:b6:58:1d:8d:4c:a6:8e:c0:96 -F
WEP encrypted packet found.
WEP decryption failed..
....unsuccessful !!! nothing injected
without -F :
airpwn -c conf/bsod_html -d rtl8187 -i mon0 -vvv -k 8f:7d:b2:a8:b6:58:1d:8d:4c:a6:8e:c0:96
WEP encrypted packet found.
WEP decryption succesful.
Matched pattern for conf 'bsod_html'
wrote 390 bytes to the wire(less)
[17:39:57] injecting data for conf 'bsod_html'
...successful !!! But it injects only me (the attacker); on the network my 2nd laptop (the victim) is not injected and surfs fine
thanks for your help
Last edited by testairpwn; 01-22-2010 at 01:46 AM.
sorry, 2 of the same post
Last edited by testairpwn; 01-22-2010 at 01:37 AM.
Well, the way it works is... the airpwn device has to be able to respond faster than the actual access point. So it should be closer to the actual access point in order to respond to the unknowing client faster than the real access point they want.
-F Assume no FCS headers at the end of the 802.11 frames. Some drivers append these and others don’t. If WEP decryption is failing when you’re positive you have the correct key, try using/not using -F.
So using -F is dependent on your drivers.
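Added example, not from this thread or from airpwn itself: because airpwn only wins a race against the real access point, a capture on the victim's side ends up holding two different responses for the same request, the forged one first and the genuine one shortly after. The Python below (a constructed packet log with my own field names, not real airpwn output) flags that conflict while ignoring ordinary retransmissions, which carry identical bytes.

```python
# Added example (not from the thread): flag race-style injection in a packet log.
# A (flow, seq, ack) slot should carry one payload; a second, different payload in
# the same slot means two senders answered the same request. Identical repeats are
# normal retransmissions and are ignored. Segment fields are assumed names.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float       # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: bytes


def find_conflicting_responses(segments):
    """Return one alert per payload that conflicts with an earlier payload in the
    same (flow, seq, ack) slot; a repeat of an already-seen payload is skipped."""
    seen = defaultdict(dict)  # slot -> {payload: first Segment carrying it}
    alerts = []
    for s in sorted(segments, key=lambda x: x.ts):
        slot = (s.src, s.sport, s.dst, s.dport, s.seq, s.ack)
        variants = seen[slot]
        if s.payload in variants:
            continue  # same bytes again: plain retransmission
        if variants:
            first = min(variants.values(), key=lambda x: x.ts)
            alerts.append({
                "flow": f"{s.src}:{s.sport}->{s.dst}:{s.dport}",
                "seq": s.seq,
                "gap_ms": round((s.ts - first.ts) * 1000, 1),
                "first_len": len(first.payload),
                "second_len": len(s.payload),
            })
        variants[s.payload] = s
    return alerts


# Constructed sample: one GET, a forged reply 4 ms later, the genuine reply at 84 ms,
# and a harmless retransmission of the genuine reply. Addresses are documentation ranges.
SAMPLE = [
    Segment(0.000, "192.168.1.10", 40001, "203.0.113.5", 80, 500, 0, b"GET / HTTP/1.1\r\n\r\n"),
    Segment(0.004, "203.0.113.5", 80, "192.168.1.10", 40001, 0, 518, b"HTTP/1.1 200 OK\r\n\r\n<html>spoofed</html>"),
    Segment(0.084, "203.0.113.5", 80, "192.168.1.10", 40001, 0, 518, b"HTTP/1.1 200 OK\r\n\r\n<html>genuine</html>"),
    Segment(0.300, "203.0.113.5", 80, "192.168.1.10", 40001, 0, 518, b"HTTP/1.1 200 OK\r\n\r\n<html>genuine</html>"),
]

if __name__ == "__main__":
    for alert in find_conflicting_responses(SAMPLE):
        print(alert)
```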
Today I tried to play with airpwn, but without luck. I own an Alfa AWUS036H (rtl8187), so the hardware requirements are checked.
The first thing I noticed was the package version in Backtrack4 final, it says 1.0. Am I wrong? Is this just a joke of the package manager?
Next step I disabled the encryption on my router and fired up airpwn. Now I realized that the standard config files are not included in bt4f, so I downloaded airpwn 1.4 and placed them on the desktop. (edited the conf file so that the location of the html was right) I hope the style of the conf file hasn't changed since 1.0?
airpwn -c /root/greet_html -d rtl8187 -i wlan0 -vvv
-> Parsing configuration file..
-> Opening command socket..
-> Opening monitor socket..
-> Opening injection socket..
-> Listing for packets...
-> Channel changing thread starting..
-> data packet len: 234, flags: 66 <-- DS
The two laptops are right next to each other and the router is in another room.
I tried this also with airmon-ng start wlan0 and used in the airpwn command line -i mon0, but nothing changed. I could surf the web on the target laptop normally.
I noticed that I could write pretty much anything after -d without producing an error? (I tried -d rtl8081 as well, without luck)
Thx for help!
Last edited by seeknet; 02-20-2010 at 05:13 PM.