Intel Wifi Link 1000 BGN not working with injection in BT5

[r0gue]

So I've looked all over for a solution to this, and I can't seem to find one. I'm trying to get injection to work on my wireless card, which is an Intel Wifi Link 1000. What I don't get, is I also tried installing Backtrack 4-r1 and 4-r2, and on BOTH those releases, the card was fully supported with packet injection. Does anyone know what I could do to get whatever drivers were used for those releases to be used in this one?

[chuckles87]

I am also having problems with getting airmon-ng to run in BT5 with my Intel WiFi Link 1000 card. The card model number is 112bnhmw and im still trying to figure out a chipset, i believe its centrino.

The wireless networking works awesome. I am able to connect to WEP/WPA networks and surf out of the box however i would like to learn about security side of networking in preparation for taking classes toward CEH.

Here are the commands that i have run and their output:

Code:

root@bt:~/Desktop# lspci | grep WiFi

0d:00.0 Network controller: Intel Corporation WiFi Link 1000 Series

root@bt:~/Desktop# ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr 8c:a9:82:76:ea:52  
          inet addr:192.168.1.108  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8ea9:82ff:fe76:ea52/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:20335 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15563 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14519443 (14.5 MB)  TX bytes:2107441 (2.1 MB)

root@bt:~/Desktop# iwconfig wlan0

wlan0     IEEE 802.11bgn  ESSID:"home network"  
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:21:29:6B:68:86   
          Bit Rate=1 Mb/s   Tx-Power=14 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:D260-D68D-2C1B-2B30-E367-5987-5F
          Power Management:off
          Link Quality=50/70  Signal level=-60 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:26   Missed beacon:0

root@bt:~/Desktop# lsmod | grep iw

Module                  Size  Used by

iwlagn                201091  0 
iwlcore                72890  1 iwlagn
mac80211              277247  2 iwlagn,iwlcore
cfg80211              166113  3 iwlagn,iwlcore,mac80211

After running those i ran

Code:

airmon-ng check

and it said i had to kill some proccesses so i ran

Code:

airmon-ng check kill

and it killed the processes however wicd was still running so i couldnt kill the last DHCP process.

i proceded to run:

Code:

root@bt:~# /etc/init.d/wicd stop
 * Stopping Network connection manager 
wicd                                                                [ OK ] 

root@bt:~# ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr 8c:a9:82:76:ea:52  
          inet addr:192.168.1.108  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8ea9:82ff:fe76:ea52/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:20862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15996 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:14905989 (14.9 MB)  TX bytes:2172564 (2.1 MB)

root@bt:~# ifconfig wlan0 down

root@bt:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11bgn  ESSID:off/any  
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated   
          Tx-Power=14 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:D260-D68D-2C1B-2B30-E367-5987-5F
          Power Management:off
          
root@bt:~# airmon-ng check


Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
5095    wpa_supplicant
9311    dhclient
Process with PID 5095 (wpa_supplicant) is running on interface wlan0
Process with PID 9311 (dhclient) is running on interface wlan0

root@bt:~# airmon-ng check kill


Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
5095    wpa_supplicant
9311    dhclient
Process with PID 5095 (wpa_supplicant) is running on interface wlan0
Process with PID 9311 (dhclient) is running on interface wlan0
Killing all those processes...

After all of that i ran

Code:

root@bt:~# airmon-ng check

and it returned without error.

I ran

Code:

root@bt:~# airmon-ng start wlan0


Interface       Chipset         Driver

it has not returned or printed anything else in the past 10 minutes.

I read that BT4 had support for Intel WiFi Link 1000 after adding the iwlwifi-1000-3.ucode firmware and were able to inject and use airmon-ng.

I have tried using compat wireless but i am unsure of what version to download so i downloaded the one that corresponded to

Code:

root@bt:/lib/firmware# uname -rso
Linux 2.6.38 GNU/Linux

I assume it has something to do with the driver not being able to work in monitor mode. Next I am going to lookin into how the driver is set up in BT4 and see what differences I see between BT4 and BT5 and see if i can work something out.


After all of that, I'm wondering if anyone has any direction they think I should go? I'm willing to read and research any think you think i need to know to figure out how to get this up and working then i will post a full how-to in the BT5 How-To section for other users.

Thank you in advance for any help or insight you are able to provide me.

Also, if i have posted this in the wrong place or need to add any other system info or command output, let me know.

_D

[Movitec]

I'm having the same issue.

My wireless card is: iwlagn 0000:03:00.0: Detected Intel(R) Centrino(R) Wireless-N 1000 BGN, REV=0x6C

I didn't fix it yet, but it appears to me that the root cause of this problem is in the airmon-ng script.
This script contains a function to detect the chipset (which looks at first glance only cosmetic and not used for any real purpose).
Source of the script: http://trac.aircrack-ng.org/browser/...ipts/airmon-ng

See line 350:

Code:

DETECTED_STR="`dmesg | grep iwlagn | grep Detected | tail -n 1 `"

Followed by while-loop line 356-360:

Code:

while [ $FOUND = "0" ]
do
                      FOUND=`echo "$DETECTED_STR" | cut -d' ' -f $LINK_POS | grep Link | wc -l`
                      LINK_POS=$(($LINK_POS+1))
done

This loop searches for the word "Link" in "iwlagn 0000:03:00.0: Detected Intel(R) Centrino(R) Wireless-N 1000 BGN, REV=0x6C" in such a way it ends up in an endless loop.

This script needs fixing...

Hope this helps.

[Movitec]

Here's my proposed fix for this issue for the airmon-ng version included in BT5. Not sure if it works in all cases, but it does for me.

Code:

337c337,338
< 		while [ $FOUND = "0" ]
---
> 		#while [ $FOUND = "0" ]
> 		while [ $FOUND = "0" ] && [ x$LINK_POS != "x20" ]
343c344,347
< 		TEMP_CHIPSET=`echo "$DETECTED_STR" | cut -d' ' -f $LINK_POS`
---
> 		if [ x$LINK_POS != "x20" ]
> 		then
> 		
> 			TEMP_CHIPSET=`echo "$DETECTED_STR" | cut -d' ' -f $LINK_POS`
345,361c349,371
< 		case "x${TEMP_CHIPSET}" in
< 	#               x5100AGN)
< 	#                       CHIPSET="Intel $TEMP_CHIPSET"
< 	#                       ;;
< 			x5300)
< 				TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $(($LINK_POS+1)) | awk -F, '{ print $1 }' `
< 				CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
< 				;;
< 			x1000)
< 				TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $[$LINK_POS+2]`
< 				CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
< 				;;
< 			*)
< 				CHIPSET="Intel $TEMP_CHIPSET"
< 				;;
< 		esac
<         fi
---
> 			case "x${TEMP_CHIPSET}" in
> 		#               x5100AGN)
> 		#                       CHIPSET="Intel $TEMP_CHIPSET"
> 		#                       ;;
> 				x5300)
> 					TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $(($LINK_POS+1)) | awk -F, '{ print $1 }' `
> 					CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
> 					;;
> 				x1000)
> 					TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $[$LINK_POS+2]`
> 					CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
> 					;;
> 				*)
> 					CHIPSET="Intel $TEMP_CHIPSET"
> 					;;
> 			esac
> 
>        		else
> 			TEMP_TYPE=`echo "$DETECTED_STR" | grep -o -P '(?<=[\040,]{1})[0-9]{4}(?=[\040,]{1})'`
> 			TEMP_CHIPSET=`echo "$DETECTED_STR" | grep -o -P '(?<=[\040,]{1})[aAbBgGnN]{3}(?=[\040,]{1})'`
> 			CHIPSET="Intel "${TEMP_CHIPSET}${TEMP_TYPE}
> 		fi
> 	fi

You can apply this with patch I guess...

[Vaporx07]

Here's my proposed fix for this issue for the airmon-ng version included in BT5. Not sure if it works in all cases, but it does for me.

Code:

337c337,338
< 		while [ $FOUND = "0" ]
---
> 		#while [ $FOUND = "0" ]
> 		while [ $FOUND = "0" ] && [ x$LINK_POS != "x20" ]
343c344,347
< 		TEMP_CHIPSET=`echo "$DETECTED_STR" | cut -d' ' -f $LINK_POS`
---
> 		if [ x$LINK_POS != "x20" ]
> 		then
> 		
> 			TEMP_CHIPSET=`echo "$DETECTED_STR" | cut -d' ' -f $LINK_POS`
345,361c349,371
< 		case "x${TEMP_CHIPSET}" in
< 	#               x5100AGN)
< 	#                       CHIPSET="Intel $TEMP_CHIPSET"
< 	#                       ;;
< 			x5300)
< 				TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $(($LINK_POS+1)) | awk -F, '{ print $1 }' `
< 				CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
< 				;;
< 			x1000)
< 				TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $[$LINK_POS+2]`
< 				CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
< 				;;
< 			*)
< 				CHIPSET="Intel $TEMP_CHIPSET"
< 				;;
< 		esac
<         fi
---
> 			case "x${TEMP_CHIPSET}" in
> 		#               x5100AGN)
> 		#                       CHIPSET="Intel $TEMP_CHIPSET"
> 		#                       ;;
> 				x5300)
> 					TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $(($LINK_POS+1)) | awk -F, '{ print $1 }' `
> 					CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
> 					;;
> 				x1000)
> 					TYPE_TEMP=`echo "$DETECTED_STR" | cut -d' ' -f $[$LINK_POS+2]`
> 					CHIPSET="Intel ${TEMP_CHIPSET}${TYPE_TEMP}"
> 					;;
> 				*)
> 					CHIPSET="Intel $TEMP_CHIPSET"
> 					;;
> 			esac
> 
>        		else
> 			TEMP_TYPE=`echo "$DETECTED_STR" | grep -o -P '(?<=[\040,]{1})[0-9]{4}(?=[\040,]{1})'`
> 			TEMP_CHIPSET=`echo "$DETECTED_STR" | grep -o -P '(?<=[\040,]{1})[aAbBgGnN]{3}(?=[\040,]{1})'`
> 			CHIPSET="Intel "${TEMP_CHIPSET}${TEMP_TYPE}
> 		fi
> 	fi

You can apply this with patch I guess...

This is the output of a differential from two files...

The lines beginning with < shows the original airmon-ng script... the > shows the lines from the modified file...

Numbers like 343c344,347 mean... on the line 343, there was a change from 344-347

You have to edit your airmon-ng script to reflect the changes. Always backup the original first before hand.



This worked for me.

Thanks Movitec!

[MrBucket22]

You have to edit your airmon-ng script to reflect the changes.


Thanks Movitec!

I am extremely new to Backtrack and Linux. I have the Intel WiFi link 1000 BGN network adapter. airmon-ng doesn't seem to recognize it as we all know. I read the above post but being so new to this, I don't know how to execute it. Can someone break it down to noob-language please? I have searched everywhere and can't figure this out. I would hate to have to purchase a different network adapter if I didn't have to. I would be very much appreciative! Thank you for your time and effort! -MrBucket

[samato]

Here are the EXACT steps I used in BackTrack 5 in order to work around the script error. Thanks, by the way for writing the patch as it was most helpful.

1.) Download the .patch file here (http://trac.aircrack-ng.org/ticket/934)
2.) Place the .patch file in this directory: /pentest/wireless/aircrack-ng/scripts/
3.) Open a terminal window and do the following commands:

Code:

cd /
cd pentest/wireless/aircrack-ng/scripts
patch -u airmon-ng airmon-ng.patch
make install

Now you can use airmon perfectly, or at least SHOULD be able to. Hope this helps somebody out there.
Regards,
samato

[Movitec]

I've opened a bugticket for this on aircrack-ng.org: http://trac.aircrack-ng.org/ticket/934