Friday, January 9, 2009

Making Packet Injection work on Ubuntu 8.10 (Intrepid Ibex) kernel 2.6.27 on Intel 4965 AG/AGN wireless card

I mainly followed the following link to make packet injection work on my new Intrepid Ibex (Ubuntu 8.10), kernel 2.6.27, with an Intel 4965 card in a Thinkpad T61.
http://tinyshell.be/aircrackng/forum/index.php?PHPSESSID=395694818ce8f33e9810767d30518a2d&action=printpage;topic=3954.0

Before we start, I suggest you read the complete document and all posts (the tinyshell link), so that by the time you finish reading you will have an idea of what to do and what not to do. I am not an expert at giving advice on Linux, so I will only mention the steps that worked for me. You may be required to apply your brains in some places, and some knowledge about patches etc. and why we apply them. Remember that I already screwed up my Gutsy Gibbon (Ubuntu 7.10) while upgrading the kernel, so be prepared for any such occurrences.
These things happen while learning. :) That's the real fun.

Previously, on Gutsy, I had kernel 2.6.22. As far as I have read, packet injection doesn't work properly (http://tinyshell.be/aircrackng/forum/index.php?topic=3954.0) on kernels below 2.6.25. I even had to install the driver for the Intel 4965 wireless card myself. That made my wireless work, but even after applying the relevant patches I couldn't make injection work. When I tried to update my kernel through apt-get it showed me some errors, and in the end the newer kernel never booted and my 2.6.22 was rendered almost useless.
I never debugged it, as I was more interested in making injection work somehow.
My next endeavour was downloading BackTrack 3 and installing it on a USB drive. But injection through aireplay-ng still didn't work. I also downloaded the latest Ubuntu 8.10 Intrepid Ibex, which has kernel 2.6.27.

The good part is that driver support for the Intel 4965 is included in this kernel. What I read on the Intel site is that driver support for this card (Intel iwl4965) is included in kernels higher than 2.6.24. (http://www.intellinuxwireless.org/?p=iwlwifi) So, no doubt, my wireless connection works fine with the default config.

But to make packet injection work, I read through the forum and learned that I need to download the latest compat-wireless driver.
OK, so I downloaded

http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2.6.tar.bz2

from here:

http://linuxwireless.org/en/users/Download


Besides this there is mention of separate injection patches for iwl4965 and mac80211, but I never needed them. :) (Thanks to alex88)

After downloading the compat driver to my root folder, I ran:

tar -jxf compat-wireless-2.6.tar.bz2
cd compat-wireless-2009-01-08/
make
make install

and then reboot!!

After that I set my wireless interface in monitor mode by
airmon-ng start wlan0

airmon-ng creates another interface, mon0, in monitor mode. (Not sure how and why, but there is no need to mess with wlan0 :), something that I realised late :/)
And you can try the packet injection test:

root@r00t3r:/home/hax0r# aireplay-ng -9 mon0
14:41:02 Trying broadcast probe requests...
14:41:02 Injection is working!
14:41:04 Found 0 APs
root@r00t3r:/home/hax0r#

Although it says "Injection is working!", this can be misleading: it showed me the same message when I ran it for the first time after patching on my Ubuntu 7.10 Gutsy.

So I went through the forum again and used the following commands to reload the driver modules. (I don't know why they installed compat again; I think once you have installed it correctly, reloading the modules should do the job.)
Go to the compat directory (where you extracted the compat driver) and issue the following commands:

make
make install
rmmod iwlagn
rmmod iwlcore
rmmod mac80211
rmmod cfg80211
modprobe iwlagn
modprobe mac80211
modprobe cfg80211

When I tried the injection test again it gave positive results:

root@r00t3r:/home/aditya# aireplay-ng -9 mon0
19:43:21 Trying broadcast probe requests...
19:43:21 Injection is working!
19:43:22 Found 1 AP

19:43:22 Trying directed probe requests...
19:43:22 xx:xx:xx:xx:xx:xx - channel: 1 - 'Gamtal@280'
19:43:24 Ping (min/avg/max): 9.500ms/40.762ms/70.648ms Power: 167.00
19:43:24 28/30: 93%
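
The two runs differ in a way that is easy to miss. The first one prints "Injection is working!" but finds 0 APs, so all it proves is that a broadcast probe request left the card; the second one gets answers to directed probes (28 of 30, 93%), which is the real confirmation that frames are going out and being heard. The script below is an added example, not part of the original post: it reduces saved aireplay-ng -9 output to a verdict and an exit status so the check can be scripted rather than eyeballed. The two sample outputs are copied from the runs above; the 30% minimum answer ratio is an assumed threshold, not an aircrack-ng rule.

```shell
#!/bin/sh
# Reduce "aireplay-ng -9" output to a pass/fail verdict.
# Added example; not part of the original post.

# Constructed samples: the two runs shown in the post
# (first: before the module reload, second: after it).
RUN_NO_AP='14:41:02 Trying broadcast probe requests...
14:41:02 Injection is working!
14:41:04 Found 0 APs'

RUN_GOOD="19:43:21 Trying broadcast probe requests...
19:43:21 Injection is working!
19:43:22 Found 1 AP

19:43:22 Trying directed probe requests...
19:43:22 xx:xx:xx:xx:xx:xx - channel: 1 - 'Gamtal@280'
19:43:24 Ping (min/avg/max): 9.500ms/40.762ms/70.648ms Power: 167.00
19:43:24 28/30: 93%"

# injection_verdict [MIN_PERCENT]
# Reads aireplay-ng -9 output on stdin. Exit status:
#   0 PASS          directed probes answered at or above MIN_PERCENT (assumed default 30)
#   1 FAIL          no "Injection is working!" line at all
#   2 INCONCLUSIVE  broadcast probe went out, but no AP answered a directed probe
#   3 WEAK          directed probes answered, but below MIN_PERCENT
injection_verdict() {
    awk -v min="${1:-30}" '
        /Injection is working!/ { working = 1 }
        /Found 0 APs/           { noaps = 1 }
        # Per-AP result line, e.g. "19:43:24 28/30: 93%"
        /^[0-9:]+ [0-9]+\/[0-9]+: [0-9]+%/ {
            sub("%", "", $3)
            if ($3 + 0 > best) best = $3 + 0
            directed = 1
        }
        END {
            if (!working)           { print "FAIL: broadcast probe was never injected"; exit 1 }
            if (noaps || !directed) { print "INCONCLUSIVE: injected, but no AP answered a directed probe"; exit 2 }
            if (best >= min)        { printf "PASS: best directed-probe answer ratio %d%% (>= %d%%)\n", best, min; exit 0 }
            printf "WEAK: best directed-probe answer ratio %d%% (< %d%%)\n", best, min; exit 3
        }'
}

# Run both samples through it; only the inconclusive one prints an exit status.
for run in "$RUN_NO_AP" "$RUN_GOOD"; do
    printf '%s\n' "$run" | injection_verdict || echo "  (exit status $?)"
done
```

On the live system this is `aireplay-ng -9 mon0 | tee inject.log | injection_verdict`; the exit status is what makes it usable from a script, and an INCONCLUSIVE result just means there was no AP in range to answer, not that injection is broken.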

As of now I have only tried the 'interactive frame selection' attack, option 2 of aireplay-ng, and it seemed to work normally. I didn't do the other tests, as I don't know the theory behind them. Will try them and let you know later. As of now I am more than elated that injection is somehow working on my machine. :)


Summary
**********
1. No injection patches required. (I haven't checked each and every attack, so this may change depending on the attack; earlier we used to install a specific patch for fakeauth.)
2. Download latest compat driver.
3. Install it using 'make' and 'make install'
4. reboot.

Guidelines
************
5. Make sure Ubuntu's Network Manager is not using your wireless card for wireless connections, or else putting the interface in monitor mode will give a 'device busy' error. To do this, right-click the Network Manager icon in your system tray and uncheck the 'Enable Wireless' option. If you don't see the icon you can start it with the 'nm-applet' command in a terminal. (As used to happen in Ubuntu 7.10, the icon goes away sometimes :/)

6. Make sure your card is switched on if your laptop has a hardware switch or key for it. (Yes, this can happen as well :))
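
Guideline 6 has a scriptable form. On kernels of this generation the rfkill subsystem exposes every radio kill switch under /sys/class/rfkill/rfkillN/ with a type file (wlan, bluetooth, ...) and a state file whose value is 0 for soft-blocked, 1 for unblocked and 2 for hard-blocked, the last being the hardware key. The script below is an added example and not part of the original post: it walks that tree and reports any wlan radio that is not unblocked, separating the hardware key (nothing to do but press it) from a software block (a driver, tool or desktop applet turned the radio off). The sysfs root is a parameter so the function can be exercised on a constructed tree; the sample tree and the switch names in it are made up.

```shell
#!/bin/sh
# Pre-flight check for guideline 6: is any wlan radio blocked by rfkill?
# Added example; not part of the original post. Assumes the 2.6.27-era
# sysfs ABI: /sys/class/rfkill/rfkillN/{name,type,state}, state 0/1/2.

# wlan_rfkill_status [SYSFS_ROOT]
# Prints one line per wlan kill switch: "<name> <verdict>".
# Exit status 0 if every wlan radio is unblocked, 1 if any is blocked,
# 2 if no wlan switch is registered (driver not loaded, or no rfkill support).
wlan_rfkill_status() {
    root="${1:-/sys}"
    found=0; blocked=0
    for sw in "$root"/class/rfkill/rfkill*; do
        [ -d "$sw" ] || continue                      # glob matched nothing
        [ "$(cat "$sw/type")" = "wlan" ] || continue  # skip bluetooth, wwan, ...
        found=1
        name=$(cat "$sw/name")
        case "$(cat "$sw/state")" in
            0) echo "$name SOFT-BLOCKED (turned off in software: driver, rfkill tool or desktop applet)"; blocked=1 ;;
            1) echo "$name unblocked" ;;
            2) echo "$name HARD-BLOCKED (hardware switch or Fn key is off)"; blocked=1 ;;
            *) echo "$name UNKNOWN state"; blocked=1 ;;
        esac
    done
    if [ "$found" -eq 0 ]; then echo "no wlan rfkill switch registered"; return 2; fi
    return "$blocked"
}

# Constructed sample tree: a hard-blocked wlan radio next to an unblocked bluetooth one.
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
mk_switch() { # root index name type state
    d="$1/class/rfkill/rfkill$2"; mkdir -p "$d"
    printf '%s\n' "$3" > "$d/name"; printf '%s\n' "$4" > "$d/type"; printf '%s\n' "$5" > "$d/state"
}
mk_switch "$FAKE_SYS" 0 phy0 wlan 2
mk_switch "$FAKE_SYS" 1 hci0 bluetooth 1

wlan_rfkill_status "$FAKE_SYS" || echo "  -> fix this before running airmon-ng (exit status $?)"
```

Called with no argument it reads the real /sys; a soft block is the one to look for when the hardware key is clearly on but the interface still will not come up.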

Hope this works for you.

BByes for nows. See you laters. :) MUha

Wednesday, January 7, 2009

Intel 4965 wifi driver Ubuntu wireless

Long Break
**************
So here we meet again, :) after almost 1 year. I had almost forgotten this technoshit during the preparation for CAT. The results will be out this weekend; my DI score was pathetic, so not many expectations :/. And now I think I am back.

Trying my hands at wireless hacking these days. I had an old Ubuntu 7.10 "Gutsy Gibbon", which got screwed up a few days back while updating the kernel, as packet injection is not supported with older kernels (2.6.22), especially in Ubuntu. You know what I feel: if you want to learn wireless hacking, try your hands at it asap, or else WEP will become obsolete in the coming days and stronger algorithms won't let you steal the fun. Anyway, I'm not a supporter of hacking, but I like learning new things, especially ones that give me a technical advantage and a feeling of technical prowess among my peers. OK, lots of shit here. Here is what happened in the last few days:

I have a Thinkpad T61 with an Intel iwl4965 wireless card running Ubuntu 7.10. From the aircrack forums I got the idea that making wireless hacking work on an Intel 4965 card on Ubuntu is still under development. In fact some guys said that it's impossible with a kernel lower than 2.6.25. Mine was 2.6.22 :/ so I tried an array of commands as mentioned in the posts. I am sorry I never saved the links, but you will ultimately reach there if you search Google for "intel 4965 wireless hacking ubuntu". OK, I must tell you that in the process I screwed up my Ubuntu 7.10, but I will still mention a few things that I learnt in the process.

How I made my wireless work on Ubuntu 7.10.

You may be facing some problems enabling wireless on your Ubuntu. First you need to understand what wireless card is in your laptop. (It's something for idiots like me; I never knew what card was inside :/)
What I learned from the aircrack site articles (I will try my best to provide the original links at the bottom) is that there are many manufacturers of wireless cards in the market, e.g. Netgear, Cisco etc.
A wireless card consists of two main parts:

1. The outer radio device
2. The internal chipset.

Most wireless card manufacturers don't disclose what internal chipset they are using. But we need to find it out if we want to install the right drivers.

If you don't know what card is in your laptop, try the command lspci in your terminal. It will list all the PCI devices in your laptop.
Try to find keywords like "wireless".
For example, this is the output on my laptop:

root@r00t3r:/# lspci
00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:01.0 PCI bridge: Intel Corporation Mobile PM965/GM965/GL960 PCI Express Root Port (rev 0c)
00:19.0 Ethernet controller: Intel Corporation 82566MM Gigabit Network Connection (rev 03)
00:1a.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 03)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 03)
00:1c.2 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 3 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 4 (rev 03)
00:1c.4 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 5 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev f3)
00:1f.0 ISA bridge: Intel Corporation 82801HBM (ICH8M-E) LPC Interface Controller (rev 03)
00:1f.2 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) SATA IDE Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 03)
01:00.0 VGA compatible controller: nVidia Corporation Quadro NVS 140M (rev a1)
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)
15:00.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev ba)
15:00.1 FireWire (IEEE 1394): Ricoh Co Ltd R5C832 IEEE 1394 Controller (rev 04)
root@r00t3r:/#


As you can see on the line for 03:00.0 (Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron]), that is the wireless chipset my card is using.
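
Finding that line by eye works once; the same identification can be scripted, and the two things a driver search actually needs are the PCI vendor:device ID pair and whether a kernel driver is already bound to the slot (on this 7.10 box nothing was, which is why ndiswrapper came into play below). The script that follows is an added example, not from the post: it picks the wireless slot out of lspci output, then reads the IDs and the bound driver from sysfs (/sys/bus/pci/devices/0000:SLOT/{vendor,device,driver}), which is the same information lspci -nn and, on newer pciutils, lspci -k print. The lspci sample is trimmed from the listing above; the sysfs tree is constructed, and 8086:4229 / 8086:1049 are the IDs these two Intel parts are commonly listed under, used here as sample values.

```shell
#!/bin/sh
# Identify the wireless NIC: PCI slot -> vendor:device IDs -> bound driver.
# Added example; not part of the original post.

# Constructed sample: three lines trimmed from the lspci listing above.
LSPCI_SAMPLE='00:19.0 Ethernet controller: Intel Corporation 82566MM Gigabit Network Connection (rev 03)
01:00.0 VGA compatible controller: nVidia Corporation Quadro NVS 140M (rev a1)
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)'

# wireless_slots: reads lspci output on stdin, prints the slot of every 802.11 NIC.
# lspci labels 802.11 cards "Network controller" (wired NICs are "Ethernet controller");
# the "Wireless" keyword also catches descriptions that say so explicitly.
wireless_slots() {
    awk '/^[0-9a-f]+:[0-9a-f]+\.[0-9a-f] Network controller:/ || /[Ww]ireless/ { print $1 }'
}

# pci_identify SYSFS_ROOT SLOT: prints "SLOT vendor:device driver=<module|none>".
pci_identify() {
    dev="$1/bus/pci/devices/0000:$2"
    [ -d "$dev" ] || { echo "no PCI device at $2" >&2; return 1; }
    vendor=$(sed 's/^0x//' "$dev/vendor")
    device=$(sed 's/^0x//' "$dev/device")
    if [ -L "$dev/driver" ]; then
        driver=$(basename "$(readlink "$dev/driver")")   # symlink into /sys/bus/pci/drivers/<name>
    else
        driver=none                                      # nothing bound: the ndiswrapper situation
    fi
    printf '%s %s:%s driver=%s\n' "$2" "$vendor" "$device" "$driver"
}

# Constructed sysfs tree (sample IDs: 8086:4229 for the 4965 AGN, 8086:1049 for the 82566MM).
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
mk_pci_dev() { # root slot vendor device [driver]
    d="$1/bus/pci/devices/0000:$2"; mkdir -p "$d"
    printf '0x%s\n' "$3" > "$d/vendor"; printf '0x%s\n' "$4" > "$d/device"
    if [ -n "$5" ]; then ln -s "$1/bus/pci/drivers/$5" "$d/driver"; fi
}
mk_pci_dev "$FAKE_SYS" 03:00.0 8086 4229 iwlagn
mk_pci_dev "$FAKE_SYS" 00:19.0 8086 1049

# Wireless slot(s) from the listing, each resolved against the (fake) sysfs tree.
printf '%s\n' "$LSPCI_SAMPLE" | wireless_slots | while read -r slot; do
    pci_identify "$FAKE_SYS" "$slot"
done
```

On a real machine the pipeline is `lspci | wireless_slots | while read -r s; do pci_identify /sys "$s"; done`; "driver=none" is the state in which the vendor:device pair has to be matched against a driver by hand, and "driver=iwlagn" (or iwl4965 on older kernels) is what the Intrepid setup in the previous post ends up with.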

Now we can Google this name and find out whether we can install the driver for this card. This guide helped me with the install:

http://ubuntuforums.org/showpost.php?p=2514602&postcount=8

http://ubuntuforums.org/showthread.php?t=471794

I installed ndiswrapper through apt-get.

root@r00t3r:/# apt-get install ndiswrapper-common

After that I downloaded the relevant Windows driver from the Intel site.
I don't really know how the Windows driver works for Linux using ndiswrapper.
Never researched it either.

http://downloadcenter.intel.com/Product_Filter.aspx?ProductID=2753&lang=eng

I downloaded the driver and issued the ndiswrapper commands as mentioned in the link, and after a reboot it started working (as far as I remember).

So I felt good when I made my wifi work. But my aim was to make it work for wireless hacking.


Brief Info on Wireless Tools


1. In order to see wireless networks, you need a tool like NetStumbler/Kismet/AirSnort.

NetStumbler is for Windows, AirSnort is obsolete, and I liked Kismet very much.

#apt-get install kismet

You may need to edit the kismet.conf file (generally in /etc/kismet) by changing the source parameter. This depends on your chipset.

Mine worked by changing it to:

source=wlanng,wlan0,kismet

And yes, run it with root privileges, or else change this line to your sudo user and uncomment it:

#suiduser=your_user_here

Now, kismet is a wonderful tool, so please have a look at the detailed tutorials available on google.

2. The other set of tools is for sniffing wireless packets and cracking them. Whatever I write assumes that you already understand how wifi works and why it is insecure. If you don't, then Google the basics of wifi, and in particular the weaknesses in WEP (initialisation vectors: what, why etc.). Otherwise you won't understand what the tools do.
Install the aircrack suite.

#apt-get install aircrack-ng

After installing this suite, you will find the following tools (list not complete):
airodump-ng : for capturing data packets
airmon-ng : for setting your wireless interface in monitor mode
aircrack-ng : for cracking the captured data and finding the keys
aireplay-ng : for injecting packets

Please note that I am a noob as well; I might be missing some important tool or the explanation may not be that good, but this is the idea I got after 1 week of play. :)