Madwifi, Kismet & Aircrack Installation & Patching Guide


TheGreatVirus
03-05-2006, 03:40 AM
Madwifi, Kismet & Aireplay - Installation & Patching Guide.
By: TheGreatVirus / TiSnetworks (http://tisnetworks.org)
Other Resources From: duxzero (http://forums.remote-exploit.org/member.php?u=323) (Original Madwifi Guide), kimbell (http://forums.remote-exploit.org/member.php?u=51) (Aireplay Patch)


Note 1: This installation is based on Backtrack (backtrack-beta-05022006) and uses the following fixes (splash-fix.mo, orinoco-fix.mo & nessus-fix.mo). You will also need a live connection to the internet.

Note 2: This should give you working Injection with Atheros Cards. I have tested it with the following cards: WG511T, UBIQUITI SRC 300mW 802.11b/g 100mW 802.11a Cardbus PCMCIA

---------------------------------------------------------------------------------------------

Download and Install Subversion: http://subversion.tigris.org/

Direct Link - http://subversion.tigris.org/downloads/subversion-1.3.0.tar.gz

Save it to your /root directory or anywhere else you want to do the work in.

Extract it with:

tar xvf subversion-1.3.0.tar.gz

CD Into the Directory:

cd subversion-1.3.0

Configure it:

./configure

Make and Install it:

make && make install

---------------------------------------------------------------------------------------------

Install the Madwifi Drivers

Use Subversion to Download Source:

svn checkout http://svn.madwifi.org/trunk madwifi-ng

CD Into the Directory:

cd madwifi-ng

Remove Old Modules:

rmmod -w ath_pci.ko

Note: If you get an error with this, just ignore it.

Make and Install It:

make && make install

Note: During the install it will ask what to do with the old modules. I just remove them, but you may back them up if you wish.

IMPORTANT: REBOOT YOUR LAPTOP!

---------------------------------------------------------------------------------------------

Install Kismet from Development Source

Use Subversion to Download Source:

svn co http://svn.kismetwireless.net/code/trunk kismet-devel

CD Into the Directory:

cd kismet-devel

Configure Without SUID:

./configure --disable-setuid

Make and Install:

make && make forceinstall

It is suggested you edit the following configs before you start Kismet:

/usr/local/etc/kismet.conf
/usr/local/etc/kismet_ui.conf

WARNING: Kismet no longer needs to be used with the "-c" option. As of a current CVS update, Kismet supports creating a VAP in Monitor mode automatically. You now have no choice but to edit the source in kismet.conf, but once you have done so Kismet is as easy to start as simply running kismet at the console.

Editing kismet.conf (UPDATED): The configs are straightforward and your source should be something like the following: madwifing_g,wifi0,Madwifing_g

Note 1: You may notice the Kismet UI has changed. To restore it to the way it was when you first installed Backtrack, simply edit /usr/local/etc/kismet_ui.conf and find & replace the following:

# What columns do we display? Comma separated. Read the documentation for what
# columns are valid.
columns=decay,name,clients,type,wep,channel,maxrate,signalbar,noise,packets,flags,ip,size,dupeiv,weak
# What columns do we display for clients? Comma separated.
clientcolumns=decay,type,mac,manuf,data,crypt,size,ip,signal,quality,noise

^ WARNING: Not sure why "weak" is coming out as "wea k" up in the quote above. Be sure to correct it if you copy/paste.

---------------------------------------------------------------------------------------------

Patching Aireplay (Aircrack)

Download Aircrack Source Direct Link: http://freshmeat.net/redir/aircrack/52141/url_tgz/aircrack-2.4.tgz

Download Aireplay Patch: See Attached

Extract It With:

tar xvf aircrack-2.4.tgz

Extract the Patch into:

/aircrack-2.4/linux

Note: This directory will be where you extracted it. =P

CD Into the Directory:

cd aircrack-2.4/linux

Note: The patch below reads v2.41; just ignore it, aircrack 2.4 is correct.

Patch Aireplay:

patch -Np1 -i aircrack-2.41-madwifing.patch

Note: When it asks what to patch type: aireplay.c

CD Up a Directory:

cd ..

Make and Install:

make && make install

---------------------------------------------------------------------------------------------

Placing the Madwifi Card in Monitor Mode:

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

Note 1: Creates a Virtual Device that is in Monitor Mode for your Atheros-based card. Please note that ath0, which should be in Managed Mode by default, should not be in use while using the Virtual Device in Monitor Mode (ath1).

Note 2: You should now have the following devices: ath0 & ath1, and only ath1 should be UP.

Stopping Monitor Mode:

wlanconfig ath1 destroy

---------------------------------------------------------------------------------------------

If you followed this guide correctly you should now have a working Atheros card! If you have any questions, feel free to ask.

Appended Notes: airmon.sh will not work for the Atheros cards by default; there is a patched version of airmon.sh offered by the aircrack-ng (http://freshmeat.net/projects/aircrack-ng/?branch_id=63481&release_id=222928) release.

-TGV

hobbes
03-05-2006, 03:45 AM
This is awsomes!

dohc3si
03-05-2006, 05:59 AM
I was going to do something very similar to this. Glad you beat me to it. :) haha... good work... everything looks accurate.

Structure7
03-05-2006, 07:08 AM
Oh momma... can't wait to give this a go. Thanks! :)


......... thanks so much! Your guide is a great one... worked like a dream!

Structure7
03-06-2006, 07:56 AM
To add to this, I didn't see where the Aireplay patch was:

Download Aireplay Patch: See Attached

I found it in another forum (although I suppose it is here somewhere, too) and attached it.


Thanks again for the great writeup!

TheGreatVirus
03-06-2006, 11:21 AM
lol, I had just fixed that. Thanks. Hope this guide worked out for you. =)

padou
03-06-2006, 12:45 PM
Dear TheGreatVirus,

First, thanks a lot for your tutorial.

As I do not have internet access yet from my BackTrack install, would you know where I can download the "Kismet package" (via my Windows XP/Firefox) referred to in your command line:

svn co http://svn.kismetwireless.net/code/trunk kismet-devel

Thanks in advance for your help.

Rgds // Laurent

an0jv7
03-06-2006, 10:54 PM
TheGreatVirus, thanks for the rundown on this - question about the card NG511T though. Is that a Netgear WG511T or something else? I tried asking Google but no luck. Was wanting to get the WG511T if it's the one you used.

thanks!

TheGreatVirus
03-07-2006, 08:52 PM
Sorry guys I made a few mistakes with those model numbers. I corrected them. It was supposed to be the WG511T.

Also I attached the Patch As Well. :)

hyperlitemofo
03-08-2006, 02:57 AM
How do we know if we need this patch? I'm a bit of a newb.
Kismet works with my card, so does airodump, but when I use aireplay to deauth and replay I can get it to, like, scan and everything but it never seems to find packets or deauth people. Do I need this patch? Thanks a lot.

TheGreatVirus
03-08-2006, 04:03 AM
First off what kind of card are you using?

hyperlitemofo
03-08-2006, 04:08 AM
I am using a Dlink DWL-G630 card, thanks for helping

Structure7
03-08-2006, 05:02 AM
^^^ I'm having the same prob with my dlink ag530 (atheros). I'm not done fooling around with it though.

xbxbxc
03-08-2006, 08:19 AM
My computer freezes when I get to rmmod -w ath_pci.ko of the Madwifi driver installation. All I can do to unfreeze is reboot. I've tried this several times with the same result each time. Any ideas? How long does it usually take before it completes this command?

I tried skipping that step as it just continuously keeps freezing my sheeiittt! So I went and typed make && make install but... It just popped a nice little error.

make: Makefile: Input/output error
make: stat:Makefile: Input/output error
make: *** No rule to make target 'Makefile'. Stop.

andsmith79
03-08-2006, 09:55 AM
I completed the installation, but still nothing. When I open Kismet or Airodump I see no access points listed. I have an Orinoco/Proxim b/g gold card (8470-FC). I created the install disc using "MySlax Creator" so that I could add the three mods as requested in the guide. I downloaded the Beta-05022006 ISO. Any ideas why there are no access points in Kismet or Airodump?? There are a lot of access points around me... closest is about 3 feet away :)

Thanks in advance! :)

Axlemar
03-08-2006, 09:56 AM
I also tried the guide and it froze at the same part as the above poster. When I skipped that step and removed the old modules when given an option, I still can't packet inject with my WG511T. Does anybody have a WG511T that they can use packet injection with? I installed the patch for aireplay and followed all the directions, but I still can't get it to work.

kirmet
03-08-2006, 10:13 AM
Hmm, I _think_ that it works. I can do some injection but I'm stuck at a rate of about 2k packets/40s -> 50 packets/s. This is the highest rate I can get. Although it's not that bad, it still takes ~5h to get my 800k data.
Note: This is with the aircrack patch but _without_ the madwifi-ng-r1454-20060222 driver version, for I couldn't get svn to work with a proxy.

greez

xbxbxc
03-08-2006, 10:36 AM
Glad to see I'm not the only one with the problems stated above. TheGreatVirus should be on the way to bail us out.

Axlemar
03-08-2006, 10:59 AM
As soon as I install the newest madwifi, all of my connections change to ethernet and if I use the "wlanconfig ath1 create wlandev wifi0 wlanmode monitor" then ath1 is stated as 802.11 but doesn't see any traffic.

I have tried just using the newest aireplay with the patch, but I still can't use injection, only see traffic. I have successfully cracked the WEP key of my home access point, but I would like to be able to repeat it without it taking forever. Since I am obviously missing something, because the WG511T is listed as working at the beginning of this thread for this fix, please include any detail that you think is obvious that you might have left out.

BTW, rmmod -w ath_pci.ko causes my computer to freeze, but I am using the WG511T PCMCIA card so I guess it makes sense for it to freeze (pci?). Is there a different driver I am supposed to remove? Thanks.

kirmet
03-08-2006, 11:47 AM
Tried the driver version madwifi-ng-r1467-20060308.tar.tar (with WG511T).
With this driver airodump doesn't show any AP/station at all =(

Katch
03-08-2006, 03:19 PM
Just like to say I followed these instructions to the letter on a hard disk install of back|track. Everything went fine and I was able to crack my router's WEP key in 12 minutes and under 200k IV frames.

The PCMCIA card I used was a Netgear WG511T.

Good work.

Axlemar
03-08-2006, 06:41 PM
Your machine doesn't lock up with rmmod -w ath_pci.ko?

xbxbxc
03-08-2006, 08:35 PM
Well mine sure does.

kc5deb
03-08-2006, 10:15 PM
Just an FYI. I was able to successfully update the madwifi drivers, patch aircrack and update kismet on my toshiba M2. While it ran great, it doesn't have a serial port for running gpsd, so, I tried it on a toshiba 8200. No workie at all. Same ubiquiti card, and everything shows it goes into monitor mode, but, it doesn't pick up anything on the 8200. Possibly a conflict with the older pcmcia controller?

Axlemar
03-08-2006, 11:20 PM
LOL, I am an idiot. I didn't eject the card before running rmmod -w ath_pci.ko and that was what was causing my system to lock. I should be able to get it working now. Thanks.

HTSPilot
03-08-2006, 11:31 PM
I have a hard drive install of Backtrack with the splash-fix.mo

I ran by the tutorial for WEP cracking, seeing as the last time I was doing this was with ASC and it confused me why airodump wasn't listing IVs. Needed the tut to say Data = IVs. Anyways, using the WG511T, I can't deauth my second computer. The commands for deauth and arp are both executed and I get some verbose output back, but the client never disconnects.

So here I am wondering if I need this fix. I'd go blindly doing it but I'm confused.

What's all this virtual card and ath1 stuff? And how will this affect normal WEP cracking?

I don't feel like screwing up my install again, so post first and get the answers I figure are better.

Pilot

MaNiaC
03-08-2006, 11:44 PM
The installation went well, but when I try and use Kismet after putting my WG511T into monitor mode I don't see anything; no APs are picked up or anything. Anyone else have this problem? Any help would be appreciated.


all the best,

MaNiaC.

kc5deb
03-08-2006, 11:54 PM
Someone with more smarts than me might could answer this.

I have switched back to the laptop that I KNOW for a fact worked a few days ago, installed backtrack, installed the madwifi drivers, and now it doesn't work.

Is it possible that some changes were made to the madwifi driver source within the last few days that broke the ath cards?

I can reboot to the live cd, and it goes into monitor mode fine, and I can see AP's, dump packets with airodump (no injection, of course).

But, now, it doesn't seem to be a problem with my other laptop. It seems to be a driver issue. Especially since others are having problems with their cards doing the same thing as mine.

Thoughts?

Axlemar
03-09-2006, 12:06 AM
My problem sounds similar to kc5deb's problem. I follow the instructions EXACTLY with no errors and can't get airodump to see anything; even if I make the virtual device and try to use it, it starts and never sees anything. I can get internet access through ath0 by using iwconfig to log into my wireless access point, but if I try to start airodump with ath0 it gives me an error that arp is set to 1 (ethernet) and to ifconfig ath0 up; iwconfig ath0 mode monitor channel #, but if I try the iwconfig command I just get an error message. ifconfig sees ath0 as ethernet (is that right?) while iwconfig sees it as 802.11. PLEASE HELP.

kimbell
03-09-2006, 12:24 AM
iwconfig ath0 mode monitor channel #

The madwifi-ng project uses different syntax/commands. You must first destroy the original interface with wlanconfig ath0 destroy, then wlanconfig ath0 create wlandev wifi0 wlanmode monitor, and finally ifconfig ath0 up. Look at http://madwifi.org/wiki/UserDocs for complete command examples.

HTSPilot
03-09-2006, 01:01 AM
Yea, I'm at that same problem. In simpler English, what did you just say?

kimbell
03-09-2006, 01:04 AM
Yea, I'm at that same problem. In simpler English, what did you just say?

Read the USER DOCS.

kimbell
03-09-2006, 01:29 AM
These patches here may be useful to get madwifi-ng working correctly. http://tinyshell.be/aircrackng/download/patches.tar.gz

andsmith79
03-09-2006, 03:01 AM
If I just get a Senao NL-2511CD PLUS EXT2 can I skip all the patching stuff? Is this Senao card good for packet injection?? I just bought the card on eBay.

Axlemar
03-09-2006, 04:42 AM
Ok, following the documentation on madwifi, I create "wlanconfig ath0 create wlandev wifi0 wlanmode sta", then if I use modprobe wlan_scan_sta and "wlanconfig ath0 list scan" I get a list of all the access points that I can see normally. Also, when it is in managed mode the device is listed as ethernet in ifconfig, so I can't use airodump because it complains about it being listed as ethernet. If I create the device using "wlanconfig ath0 create wlandev wifi0 wlanmode monitor" then the device is listed as 802.11 in ifconfig and I can use airodump, but I see no traffic and "wlanconfig ath0 list scan" no longer lists anything.

So what am I missing? I followed the patching and program updates without error, I reboot, I create the interface in sta and get traffic, I recreate the device in monitor mode and get no traffic (bringing the interface down, destroying it, creating it, and bringing it back up again).

kc5deb
03-09-2006, 06:03 AM
Just checked on madwifi's site, and they just re-updated their codebase 2 hours ago, and supposedly it was to fix monitor mode.

http://madwifi.org/browser/trunk/ath

I'm guessing they did make a change in the code between the other day when I was using the madwifi_ng source and today, when all of a sudden it didn't work. I'm going to bed, and trying it again in the morning, and I'll post the results.

xbxbxc
03-09-2006, 07:17 AM
Can anyone tell me if it is necessary to install the splash fix and the other things listed at the top of the guide for it to work, because my computer is still hanging??? Then giving me those errors again.

Axlemar
03-09-2006, 07:34 AM
Remove your card when you try to remove the module.

I can FINALLY confirm that it is working (though slower than I expected, but that might be because of my distance from the AP). madwifi-ng just got updated a few hours ago to fix monitor mode (my monitor mode was making ifconfig see ethernet encap and now it doesn't). Thanks for everyone's help and I will try to help others.

TheGreatVirus
03-09-2006, 08:41 AM
I spent a little time talking to people with reports about issues with the Madwifing drivers and yes, kc5deb, there was some kind of issue with the Madwifi drivers. I suggest that those of you having the issue with not being able to find any APs in Kismet etc. either reinstall the Madwifi drivers or reinstall Back|Track and start over. I had people test this guide before it was posted and it did work at the time of testing. If anything is not working at the present time it's due to possible changes in the source for the applications and drivers or hardware issues.

I'm doing my best to stay on top of the questions you guys have, but if you would like to speak to me directly you can reach me on the remote-exploit IRC channel.

xbxbxc
03-09-2006, 09:33 AM
I'll try removing the card when I remove the modules. Thanks for the suggestion Axlemar. I'll reply once I try it.

PacoBell
03-09-2006, 10:24 AM
Man, what a difference a couple lines of code (http://madwifi.org/changeset/1468) makes, eh?

kc5deb
03-09-2006, 03:22 PM
*UPDATE*

I just svn'd the newest code for madwifi-ng this morning, and lo and behold, monitor mode is working again!

HTSPilot
03-09-2006, 03:45 PM
I svn'ed it last night but didn't try it. I'll check it out now.

xne23s
03-09-2006, 03:48 PM
Hi, I also followed the documentation and it's working. I have an Orinoco 8470-WD card. One question: my effective injection rate is about 3000 packets per minute; how about your injection speed?

guymi
03-09-2006, 03:58 PM
I run
wlanconfig ath1 create wlandev wifi0 wlanmode monitor
then
airodump ath1 out 0
then
airodump ath1 out 9 1
9 is the AP channel
It works.
When I try
aireplay -1 0 -e testwep -a 00:04:ED:0E:17:97 -h 0:1:2:3:4:5 ath1
it replies:
17:55:37 Sending Authentication Request
17:55:39 Sending Authentication Request
17:55:41 Sending Authentication Request
17:55:43 Sending Authentication Request
17:55:45 Sending Authentication Request
17:55:47 Sending Authentication Request
17:55:49 Sending Authentication Request

Attack was unsuccessful. Possible reasons:

* Perhaps MAC address filtering is enabled.
* Check that the BSSID (-a option) is correct.
* The driver hasn't been patched for injection.
* This attack sometimes fails against some APs.
* The card is not on the same channel as the AP.
* Injection is not supported AT ALL on HermesI,
Centrino, ndiswrapper and a few others chipsets.
* You're too far from the AP. Get closer, or lower
the transmit rate (iwconfig <iface> rate 1M).

What am I doing wrong?

TheGreatVirus
03-09-2006, 04:22 PM
:D I'm glad you guys got it figured out. Sorry for the confusion.


guymi: That attack is not always successful. I'm not sure if you actually read the output there, but as you can see it's basically telling you what's wrong.

HTSPilot
03-09-2006, 04:35 PM
I'm averaging 3600 data packets per minute after aireplay attacks.

In about 40 minutes, I've acquired 147000 data packets

TheGreatVirus
03-09-2006, 04:45 PM
Sounds about normal. That's around what I get as well.


Also if you guys could please post the info on the card you were able to get "WORKING" with the Madwifing Drivers. Make sure it works in Monitor mode and has working injection before you post.

guymi
03-09-2006, 05:00 PM
guymi: That attack is not always successful, Im not sure if you actually read the output there but as you can see it's basically telling you whats wrong.

I am reading, but can't understand why.
I am about 3 meters from the AP. It has a WEP key of 64-bit length.
The driver is patched.
Any idea?

TheGreatVirus
03-09-2006, 05:06 PM
To tell you the truth I have had the same issues myself; it just sometimes does not work on specific types of APs etc. Try something else.

HTSPilot
03-09-2006, 05:22 PM
Inspiron 6000, 1 gig of RAM, 30GB 5400rpm drive, Netgear WG511T (version 2 I think? :confused: )

With the steps you gave, and the new madwifi patch of last night, it works. Been going at it for about an hour and 20 minutes now, got 292000 data packets, trying to crack my 128-bit WEP. I was too lazy to re-configure it to 64-bit. Back with ASC, I was able to crack my 64-bit WEP in about 20 minutes with 40000 IVs or so. Never tried 128-bit, but it's saying a mil+ data packets. Pity CPU usage is 100%, else I'd play a game while this was happening.

I'll try doing some traffic on the client computer. Maybe play CS or something.

Just to confirm my aircrack command line correct:

aircrack -a 1 -n 128 -b APMAC CAPTURE_FILE (for some reason it's not a .cap file but a .ivs file)

I seem to remember that with Auditor the command was something like -f 2 (or 3) fudge factor or something like that, -q 3 or something. I don't recall having to put in the APMAC at all :confused:

Pilot

TheGreatVirus
03-09-2006, 05:29 PM
Please read this Guide to WEP Cracking (http://forums.remote-exploit.org/showthread.php?t=569).

HTSPilot
03-09-2006, 05:39 PM
Been there done that.

Mentions the whole -n thing. But that doesn't tell me if the command is valid or not.

TheGreatVirus
03-09-2006, 05:48 PM
What?! Your command looks correct man, but what the hell is this -n thing? If you are referring to the "-n 128" in your command there then yes, it's correct. Also note that if you do not know what the encryption is on the WLAN you may omit the "-n" from the aircrack command. Also, .ivs is what airodump produces when you use the airodump command as follows:

airodump <DEVICE> <DUMP_FILENAME> <CHANNEL> 1

The number one in red there tells airodump to dump only ivs.

HTSPilot
03-09-2006, 05:58 PM
The command I'm questioning is the aircrack command, not the airodump one, silly :P

Also, I realise now the output is .ivs. But everywhere I've read it's always said .cap.

Axlemar
03-09-2006, 06:39 PM
You told airodump to capture only IV packets, so it wrote the file with .ivs. It will still accomplish the same thing, but with a smaller file size.

For aircrack I usually just run aircrack -a 1 -b APMAC FILE and it will usually work, if not I can tweak it with the available commands (which can be found in the prog or documentation).

HTSPilot
03-09-2006, 07:26 PM
Didn't know that on the ivs cap thing. Cheers.

[edit] 1mil data packets now. about 3 hours.

Sonicvana
03-09-2006, 09:03 PM
I have had problems with rmmod -w ath_pci.ko causing my system to freeze; people have stated removing the card is the answer. Well, I have a PCI card (WG311T), erm, what should I do?

HTSPilot
03-09-2006, 09:06 PM
I don't think I had the card in at the time. But it's a safe bet removing it would fix it.

kc5deb
03-09-2006, 11:12 PM
Been busy today, so, haven't had much time to play.

Just to update, the latest madwifi-ng drivers are working, and are injecting.

I only have an AP hooked with only 1 client associated, and with no internet connection, so, it's going pretty slow, but, it is working.

padou
03-09-2006, 11:20 PM
kc5deb or Axlemar,

Could you please tell me which revision of madwifi-ng really works with the WG511T.

I have tried madwifi-ng-r1467-20060308.tar.gz and followed exactly what is mentioned in the madwifi doc, and in monitor mode nothing appears in airodump (same issue as Axlemar).

Could you please tell which rev of madwifi you use, as I suspect the problem is there (please note that I do not use svn but download the gz file from http://snapshots.madwifi.org/madwifi-ng/).

Thanks //padou

an0jv7
03-09-2006, 11:30 PM
Just popping in to post that I have successful results of WG511T injection with TheGreatVirus' How-To. I did this yesterday and someone mentioned that madwifi updated something; maybe that has something to do with it? I haven't been able to let it run long enough to get enough data for a successful crack, but will post that soon. Thanks TheGreatVirus
ez

TheGreatVirus
03-09-2006, 11:34 PM
HTSPilot: I was not being silly; if you read my reply with care, take notice of my confirmation on your command as well as my explanation for the .cap not existing.

HTSPilot
03-09-2006, 11:37 PM
I was able to crack my 128-bit WEP with a WG511T. Although strangely enough, I started running Aircrack when I got about 950000 IVs and let it run until I got well over 2 million. For 3 hours and 40 minutes. I never got the key. I killed aircrack and started it up again and it got the key in 28 seconds :S Why is that? By the looks of it, aircrack updates its list of IVs dynamically.

I'll definitely run some more tests, as well as take this out onto the field.

Eventually, I'll have to mod the card and add, probably a blade-type antenna.

[edit] Oh, sorry mate. Misread I guess.

[edit2] http://img.photobucket.com/albums/v637/WildCard832/crack.jpg

TheGreatVirus
03-10-2006, 12:27 AM
Sometimes you just get lucky. =)

Also, with that first one you did, I don't think it should have taken that much data. I usually kill off 128-bit keys in 30 min with around 200k IVs.

You may want to rerun your test again or find a new AP to experiment with.

HTSPilot
03-10-2006, 12:31 AM
200K IVs? Dang. I know back in ASC I could crack a 64-bit WEP with 40K IVs, but I always thought 128-bit WEP was more like 500K to 1mil IVs. I'll re-run the test now.

On that note, once I've deauthed the client and sent in the ARP attack, once the IVs start flooding in, can I kill the ARP attack? I left it running until a few minutes before the end, and even after killing it, I still got the same rate of IVs coming in.

I'm just asking because until I killed the ARP attack, I couldn't use my built-in wireless to connect to the AP.

TheGreatVirus
03-10-2006, 12:55 AM
Which is normal; if you read my guide, it has a note about using managed mode and monitor mode at the same time. =)

HTSPilot
03-10-2006, 01:25 AM
Even so on two interfaces? I'm using ath1 for the aireplay -3 attack and airodump capture. I'm not using eth0 at all.

[edit] started up aircrack at 220K IVs after capturing for an hour. 8 minutes in, no results yet.

Axlemar
03-10-2006, 01:54 AM
Padou: I am not sure what the version is (I think it was 14x8 or something, but I am not sure, I will check later when I am home).

I think you need to keep the arp attack going or you will stop injecting packets.

Also, when running in monitor mode with a vap, don't use both interfaces at the same time for the same card (if you use create wlandev athx instead of overriding the default ath interface).

I have a question. When trying to get ARPs from an AP, I can use attack 1 and successfully associate to an access point, but sometimes I won't get any ARPs at all (even after 30 minutes), but then sometimes I will go to an access point and get an ARP within 15 minutes or so (even though ARPs should only take like 30 seconds or less).

Even when you can send packets to an AP, do ARPs need exceptional signal quality or something (do you need to be really close to receive them)? When I am really close to an AP I usually get ARPs pretty fast. Anybody else notice this? Thanks.

HTSPilot
03-10-2006, 02:03 AM
Yea, I found out. I killed the ARP and shortly after, the IVs slowed back down.

Now, the interface thing. ath1 is the madwifi clone or whatever for my Netgear WG511T PCMCIA. eth0 is the Intel PRO/Wireless 2200BG chipset.

On your last question, I recall when I was using ASC, (the aireplay attack was different) I needed a rather strong signal to use the attack and capture IVs. Me needs to get a blade antenna on my card.

TheGreatVirus
03-10-2006, 02:05 AM
Or a new card...

HTSPilot
03-10-2006, 02:07 AM
True. But modding seems so much more fun, and cheaper. Provided I don't break anything or need much, in terms of additional tools.

[edit] This is what my WG511T looks like once it's been stripped.
http://photobucket.com/albums/v637/WildCard832/?action=view&current=IM001252.jpg
I did this a while back out of curiosity.

Axlemar
03-10-2006, 02:17 AM
I thought the WG511T is still supposed to be a pretty good card, and I don't think they have improved upon it all that much have they?

BTW, are you going to follow a guide to mod it (if so where so I can get a feel for it) or are you modding it from your own knowledge?

HTSPilot
03-10-2006, 02:49 AM
A little bit of both columns. I will use this (http://www.reality-computers.co.uk/wg511.htm) as a guide but I don't want a little antenna that sticks on the card. I'm thinking I'll go with something a little bigger.

560K IVs, running aircrack for an hour and nothing yet. You sure you could do this in 30 mins with 200K IVs, GreatVirus?

[edit] Stopped aircrack and started it up again at 570K IVs. I'll see how it goes.

Axlemar
03-10-2006, 02:58 AM
That guide is not for the WG511T though. Does the WG511T have the same test port? I can find mods for the WG511, but not the WG511T (they are different chipsets if I remember correctly).

HTSPilot
03-10-2006, 03:36 AM
Yea, WG511 is Prism2 and WG511T is Atheros.

And look at one of my above posts for a link to a pic of the WG511T when I took it apart a while back. Same Hirose connection.

TheGreatVirus
03-10-2006, 08:27 AM
See for yourself:

http://img8.picsplace.to/img8/10/snapshot5.png

17:47 seconds, with cracking started exactly at the start of IV capture.

Axlemar
03-10-2006, 08:41 AM
Are attacks without clients very unlikely to succeed? I was able to associate with an ap and then arp attack it through the association without any other clients, but I haven't been able to repeat the same thing against any other AP. What attack method do you usually go with? Do you use attack 2 and pick a frame or do you arp repeat or what? (note: still a noob who has tried to rtfm, please let me know if I am off. Also, I have only had success twice, just looking for opinions and info).

TheGreatVirus
03-10-2006, 10:17 AM
Don't feel bad; it seems that it is not uncommon for that attack to fail on some APs. Not every AP will let you use it and of course you have to take into consideration the range factors etc. I usually tend to avoid APs without clients, but if you really have to gain access to the AP you had better be ready for a really long task.

HTSPilot
03-10-2006, 02:08 PM
Dang, that's impressive GreatVirus. I tried mine again last night, and started aircrack once I got around 200K IVs. It didn't crack it. Stopped it and started it a few times and it didn't crack it. Finally, 3 hours after starting it, with nearly 1mil IVs, I started aircrack and went to bed; it was midnight. Aircrack cracked the key in one hour and 38 minutes.

Mind you, my key is a bit more complex than what yours is. I don't have :30:30:30:30 at the end of it. Maybe the repetition in your key could be the cause?

TheGreatVirus
03-10-2006, 04:22 PM
I'm not sure but I have cracked more complex 128 bit keys in 20-40 Min. :D

HTSPilot
03-10-2006, 04:25 PM
Dang. I'll try and find another access point.

hobbes
03-11-2006, 12:57 AM
Cracking time can be reduced considerably by providing more information to aircrack such as the key index, length, and both the AP and client MAC addresses. Read through the options and really fill it out.

Axlemar
03-11-2006, 01:19 AM
Ok, it was working fine for a while, but now I am having problems getting it to inject again. Please tell me what is wrong in my procedure (as if I just followed the guide on installing and patching everything):

Boot laptop
wlanconfig ath1 create wlandev wifi0 wlanmode monitor
airodump ath1 (channel) (iv flag) <It sees the traffic
New term (aireplay -3 -b APMAC -h CLIENTMAC ath1)
New term if no arps (aireplay -0 10 -a APMAC -c CLIENTMAC ath1)

Do I need to manually load a module or something, because modprobe ath_pci didn't cause any change. I also have another wireless card that is prism2 in the same laptop and if I run:

airmon.sh start wlan0 channel
aireplay -3 -b APMAC -h CLIENTMAC wlan0

It injects packets and the IV raises quickly. What am I doing wrong?

TheGreatVirus
03-11-2006, 01:29 AM
I run
wlanconfig ath1 create wlandev wifi0 wlanmode monitor
then
airodump ath1 out 0
then
airodump ath1 out 9 1
9 is the AP channel
it works.
When I try
aireplay -1 0 -e testwep -a 00:04:ED:0E:17:97 -h 0:1:2:3:4:5 ath1
it replies:
17:55:37 Sending Authentication Request
17:55:39 Sending Authentication Request
17:55:41 Sending Authentication Request
17:55:43 Sending Authentication Request
17:55:45 Sending Authentication Request
17:55:47 Sending Authentication Request
17:55:49 Sending Authentication Request

Attack was unsuccessful. Possible reasons:

* Perhaps MAC address filtering is enabled.
* Check that the BSSID (-a option) is correct.
* The driver hasn't been patched for injection.
* This attack sometimes fails against some APs.
* The card is not on the same channel as the AP.
* Injection is not supported AT ALL on HermesI,
Centrino, ndiswrapper and a few others chipsets.
* You're too far from the AP. Get closer, or lower
the transmit rate (iwconfig <iface> rate 1M).

What am I doing wrong?


After some careful tests I found a simple solution to your problem.

After bringing up your Atheros card in Monitor Mode please do the following:

ifconfig ath1 down
iwconfig ath1 channel X
ifconfig ath1 up

Note: Replace X with the Channel of the AP you are Attempting to Authenticate With.

HTSPilot
03-11-2006, 02:12 AM
You don't have to shut the card down normally though. Or is this a special case just for him?

Axlemar
03-11-2006, 02:53 AM
So people who have used the patch guide, you just start up the interface in monitor mode and everything works right? You don't run any specific scripts or manually load any modules or anything? I just need to make sure that my previously posted procedure is correct so I can check for other problems because everything but packet injection is working.

HTSPilot
03-11-2006, 03:13 AM
You start the new virtual interface, ath1.

On that note, in about 2 hours, I cracked my 128-bit WEP key with 680K IVs and a fudge factor of 4. Took 3:33mins. :) Getting faster every time.

Axlemar
03-11-2006, 03:32 AM
start it with a script or start it as in wlanconfig ath1 create wlandev wifi0 wlanmode monitor?

HTSPilot
03-11-2006, 03:50 AM
you need to create ath1 and use it. So run wlanconfig command first.

padou
03-11-2006, 11:50 AM
TheGreatVirus,

Thanks for your step-by-step guide.

I followed it exactly except I did not get kismet and madwifing via subversion but downloaded directly from

respectively http://www.kismetwireless.net/download.shtml (Kismet-2005-08-R1) and http://snapshots.madwifi.org/madwifi-ng/ (madwifi-ng-r1468-20060310.tar.gz).

Everything worked fine until I tried to use kismet (note that I did not change kismet config and used the below command instead, as you mentioned).

Here below is what I get when starting kismet:

root@slax:/usr/src# kismet -c madwifing_g,ath1,Madwifing_g -p 2501
Server options: -c madwifing_g,ath1,Madwifing_g -p 2501
Client options: none
Starting server...
Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
FATAL: Unknown capture source type 'madwifing_g' in source 'madwifing_g,ath1,Madwifing_g'
Waiting for server to start before starting UI...
root@slax:/usr/src#

Would you have any idea what the problem is?

Hope you or someone else can help ...

Padou

padou
03-11-2006, 12:08 PM
TheGreatVirus,

I have checked the change log and found the latest kismet version is Jan 09 2006.

As a consequence the file I downloaded is out of date.

I am investigating for an up to date file download.

Sorry :o

Padou

guymi
03-11-2006, 04:58 PM
After some careful tests I found a simple solution to your problem.

After bringing up your Atheros card in Monitor Mode please do the following:

ifconfig ath1 down
iwconfig ath1 channel X
ifconfig ath1 up

Note: Replace X with the Channel of the AP you are Attempting to Authenticate With.
This just caused my computer to hang after the unsuccessful attack - one time only..
The other time - it was still unsuccessful..

HTSPilot
03-11-2006, 05:01 PM
Ok Guy, let's start from scratch. You patched madwifi, kismet, and aircrack just as TheGreatVirus's tutorial said to, right?

guymi
03-11-2006, 05:14 PM
Yes, patched all of those.
Wait.. tried a different AP - my regular one instead of my old one.
It works on 3com wireless but not on the Billion AP..
Shit!!! I wasted hours on it!
Now I get injection but just 3k a minute.
Is that normal?

HTSPilot
03-11-2006, 05:19 PM
3000 IVs a minute is normal. As the traffic on the access point goes up, so will the IVs.

guymi
03-11-2006, 05:20 PM
thanks guys!
So what can we do to crack an AP that won't reply to this attack?

HTSPilot
03-11-2006, 05:22 PM
What do you mean?

guymi
03-11-2006, 05:25 PM
There are access points you cannot run this attack against because they won't associate you. So is there another way to crack WEP?

HTSPilot
03-11-2006, 05:34 PM
Give this a read:
http://files.mlbel.de/devine/network/aircrack.html#q110
I'd read the full thing, however the information you seek is at the very bottom.

guymi
03-11-2006, 05:45 PM
great link.
thanks again :-)

Axlemar
03-11-2006, 09:12 PM
I don't know much about it or if it would be possible, but couldn't somebody make a module of the newest madwifi-ng drivers and patch the iso with it? That would fix a lot of problems for me. Without the new driver, even getting the interface up and connected to my network through dhcpcd is difficult.

edit: From what I have read it would seem possible. I will try to get one working so people who don't want to run an install don't have to wait for the next release. Let me know if I am wrong.

TheGreatVirus
03-11-2006, 10:14 PM
After finishing my tests I found that cracking a 128 Bit WEP Key via Fake Authentication seems to take a significantly larger amount of IVs to crack the WEP Key. I cracked a 128 Bit WEP Key in 2 Hours and 52 Minutes, a significantly longer amount of time than my previous cracks. Also note I have tested this attack type on three APs with similar results.

PacoBell
03-11-2006, 11:23 PM
Did you remember to set a periodic reassociation delay as per the aircrack readme?

P.S. Has anyone seen this new aircrack-ng thing?

HTSPilot
03-12-2006, 05:02 AM
I've looked at the different aireplay attacks, but so far I've only tried the deauth/ARP (-0,-3) attacks. Back in the ASC days though, I think it was the -2 attack, where you would listen for the ARP? packet, or something of 68bytes in size.

PacoBell
03-12-2006, 07:09 AM
+ Attack 2: interactive packet replay

This attack allows you to choose a given packet for replaying; it
sometimes gives more effective results than attack 3 (automatic ARP
reinjection).
[...]
You can also use attack 2 to manually replay WEP-encrypted ARP request
packets, which size is either 68 or 86 bytes (depending on the
operating system)

That's about the gist of it.
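
The deauthentication bursts (attack -0) and the 68/86-byte ARP-request replay (attack -3) discussed in this thread have a recognisable shape on the air, which is what a wireless IDS looks for. The following is an added example for the defender's side, not code from the thread or from the aircrack suite: the frame records, the detect_* function names and the window/threshold values are my own constructed choices, and the frame metadata is made up to stand in for what a monitor-mode capture would yield.

```python
"""Flag deauth bursts and ARP-request replay from per-frame 802.11
metadata. Added example; all sample data below is constructed."""
from collections import defaultdict

BROADCAST = "FF:FF:FF:FF:FF:FF"

# Each record: (time_s, kind, src, dst, length). 'kind' is a short label
# for the frame subtype. Constructed sample: a burst of 10 deauths at one
# client, two ordinary data frames, and 120 identical 68-byte broadcast
# data frames from one station (the replayed ARP request).
SAMPLE_FRAMES = (
    [(0.1 * i, "deauth", "00:11:22:33:44:55", "AA:BB:CC:DD:EE:01", 26)
     for i in range(10)]
    + [(0.5, "data", "AA:BB:CC:DD:EE:01", "00:11:22:33:44:55", 200)]
    + [(5.0 + 0.02 * i, "data", "AA:BB:CC:DD:EE:02", BROADCAST, 68)
       for i in range(120)]
    + [(6.0, "data", "AA:BB:CC:DD:EE:01", "00:11:22:33:44:55", 1500)]
)


def _bursts(times, window_s, threshold):
    """True if some sliding window of window_s seconds holds at least
    threshold events. times need not be sorted."""
    times = sorted(times)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window_s:
            left += 1
        if right - left + 1 >= threshold:
            return True
    return False


def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """Deauthentication frames are rare in normal operation; a burst from
    one BSSID to one client is the aireplay -0 pattern.
    Returns {(src, dst): total deauth count} for each flagged pair."""
    by_pair = defaultdict(list)
    for t, kind, src, dst, _length in frames:
        if kind == "deauth":
            by_pair[(src, dst)].append(t)
    return {pair: len(ts) for pair, ts in by_pair.items()
            if _bursts(ts, window_s, threshold)}


def detect_arp_replay(frames, sizes=(68, 86), window_s=5.0, threshold=50):
    """A station replaying one captured WEP ARP request emits many
    identical-size (68 or 86 byte) broadcast data frames in a short time.
    Returns {src: count} for each flagged station."""
    by_src = defaultdict(list)
    for t, kind, src, dst, length in frames:
        if kind == "data" and dst == BROADCAST and length in sizes:
            by_src[src].append(t)
    return {src: len(ts) for src, ts in by_src.items()
            if _bursts(ts, window_s, threshold)}


if __name__ == "__main__":
    print("deauth bursts:", detect_deauth_flood(SAMPLE_FRAMES))
    print("ARP replay:", detect_arp_replay(SAMPLE_FRAMES))
```

The thresholds are deliberately loose; on a real capture you would tune them to the network's baseline and feed the functions from the frame parser of your choice rather than from the constructed tuples above.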

Structure7
03-12-2006, 07:19 AM
I just wanted to chime in to say I got the D-Link AG530 (PCI) working with the latest madwifi stuff.

MaNiaC
03-13-2006, 12:33 AM
I'm using a WG511T and I managed to get 2 million IVs from my router, but aircrack has been running for 5 hours with a fudge factor of 4 and I've still not got the key, which is annoying since I usually crack 128bit WEP with about 500k. I used aireplay auth and deauth attacks and read what TheGreatVirus wrote above about auth attacks requiring more IVs.

Anyone else had this happen?

Maybe I'll try giving aircrack half the WEP key. I'll keep you posted.

HTSPilot
03-13-2006, 04:39 AM
Kill aircrack and fire it up again. If not, your capture file might be fubar.

Samhayne
03-13-2006, 01:45 PM
I don't know much about it or if it would be possible, but couldn't somebody make a module of the newest madwifi-ng drivers and patch the iso with it? That would fix a lot of problems for me. Without the new driver, even getting the interface up and connected to my network through dhcpcd is difficult.

edit: From what I have read it would seem possible. I will try to get one working so people who don't want to run an install don't have to wait for the next release. Let me know if I am wrong.

marvelous idea! :)

jtierno
03-14-2006, 12:55 PM
I finally got Injection to work but my kismet doesn't work: "fail to retrieve list of ioctls 7argument list to long". I downloaded the latest version of kismet and edited kismet.conf. Any help would be appreciated. Thanks

PacoBell
03-14-2006, 10:18 PM
Sounds like you have some kind of syntax problem in your kismet.conf. You sure there isn't a typo somewhere? It's too bad this forum doesn't support the [codebox] tag, otherwise you could just copy your kismet.conf here relatively unobtrusively.

TheGreatVirus
03-15-2006, 04:41 AM
In your kismet.conf be sure that the device is set as follows:

madwifing_g,ath1,Madwifing_g

If this fails attempt to pass the argument via the console.

Note: See my guide.

l1carter
03-16-2006, 02:14 PM
All,

I did the patch last night and all went great:

I now have a working Atheros card but the old airmon.sh doesn't like the new card. I use the commands they have to create an ath1 interface and skip the airmon.sh, so that's cool too. (Atheros Card is: Linksys A+G WPC55AG ver 1.2, if that matters)

My issue now is that when using Troppix I can use aireplay to generate about 1k/sec of ARP replies. However with Backtrack (now that it works) it only generates about 100/sec ARP replies. It doesn't matter if I use the -x option or not.

I have also noticed a few issues where if I start aireplay / stop / start / stop several times in one session it just stops working. To get it injecting again, I have to destroy the ath1 interface and recreate it. (this part I don't mind as I have a script to take care of that real quick).

Has anyone applied this fix and seen the same slow packet injection results? Were you able to fix it? What did you do? What rate of injection are you getting now?

Thanks all for this great OS & Fix

TheGreatVirus
03-16-2006, 08:22 PM
lol, bugs are to be expected my friend. Just take care in the use of your card and don't try to make it work too hard. =P

airmon.sh - I'm not sure if you noticed but this is not in my guide for a reason. It doesn't work anymore.

As for the slow injection, it's common with the current build of the drivers / aireplay patch. That may be fixed at a later time.

guwapingsLANCERusa
03-17-2006, 02:24 PM
Sorry to ask this, I'm just a noob trying to get my things around. I don't like asking a question if it has been asked before but I just can't find it.
* Do I only do this if I can't use my card? The thing is that I can see my card thru ath0, and if I try iwconfig it does show it. But I can't do this command: aireplay -i ath0. It keeps throwing me the manual of aireplay. By the way my card is an orinoco gold 8460-wd.
* Is it possible to do this if you are using the live-cd? If you can, how can you save all the settings; would the use of a USB help?

thanks for any help that I can get and also THIS DISTRO IS BEST EVER I HAVE EVER USED.

PacoBell
03-17-2006, 05:06 PM
but I can't do this command: aireplay -i ath0. It keeps throwing me the manual of aireplay.

That command by itself will do nothing if you don't specify some more parameters, primarily which attack you're trying to launch. I strongly suggest reading through the documentation once again to familiarize yourself with the various options. And if you feel like doing it via trial and error, aireplay will apparently let you do that as well, as long as you specify which attack you want. It should prompt you for any further missing switches. HTH.

guwapingsLANCERusa
03-17-2006, 06:07 PM
Well, I just followed the tutorial video for cracking WEP....
I tried to inject packets to an AP; that's why I'm also asking about this MADWIFI tutorial, whether I have to do this even though I can see my ath0 as a wlan card, and how to save settings if I am using a live-cd.

PacoBell
03-17-2006, 06:53 PM
I tried to inject packets to an AP; that's why I'm also asking about this MADWIFI tutorial, whether I have to do this even though I can see my ath0 as a wlan card, and how to save settings if I am using a live-cd.

Well, I couldn't get my Atheros card to inject properly without switching to the madwifi-ng drivers. That's what really matters, in my experience, not necessarily the name of your virtual device. AFAIK, the aircrack suite doesn't rely on conf files or anything like that, so there's really nothing to save apart from your IVs, GPS, etc. files. Those can probably just go on a USB flash drive, if you've got one handy.

...or you could just wipe whatever HDD you have and install BackTrack to that. I know I'm not missing my Windows XP now ;)

guwapingsLANCERusa
03-17-2006, 07:15 PM
I don't know if I can just remove Windows on my comp. I go to school and with the classes I'm taking I'm required to use them... I really hate it when they require you to learn just Microsoft products like Office...

PacoBell
03-18-2006, 12:34 AM
I don't know if I can just remove Windows on my comp. I go to school and with the classes I'm taking I'm required to use them... I really hate it when they require you to learn just Microsoft products like Office...

I guess you could go the route of dual-booting. Either that or VMWare. Yeah, Office apps blow g0at.

kawauso
03-18-2006, 03:54 AM
All I can say is thank you so much for this guide. Thanks to this baby I've finally got my Netgear WPN511 card working properly in Back|track. So far so good; now if I can just get my Orinoco classic gold card to work properly I'll be set. That card's always given me nothing but trouble under linux. About the only distro I ever got that thing working flawlessly in was Redhat 9.1 and Fedora Core 1.

Anyways again thank you for writing this, saved me a ton of time and frustration.

l1carter
03-18-2006, 09:31 PM
All, I have installed this patch and injection is working to deauth my client associated hosts and break non-broadcast SSIDs etc.

The issue I am running into is that when aireplay -3 is being used (to inject found ARP packets) once I find an arp packet I only inject at a rate of about 100 arps per second. Using the -x option changes nothing. If I use same laptop/pcmcia card with troppix I can use the -x 1024 and inject about 1k arps per second....

Anyone else out there run into this same problem?

Also, I think this patch is different than the troppix patch because after using this patch I cant use commands like airmon.sh start ath0 or iwconfig ath0 mode monitor. Both don't work. I have to use the commands he used in this how-to to put the card into monitor mode.

Thoughts?

Thanks

TheGreatVirus
03-19-2006, 08:51 PM
Sadly the slow injection thing is quite common. Until the drivers/aircrack etc fully support Atheros chipsets you have no choice but to wait and see what happens.

buzzyng
03-21-2006, 07:18 PM
I followed the guide and it appears I have the same results as before, no injection. My card (proxim 8470-WD) now shows up as ath1 in monitor mode [ath0 is mode managed but down]. I run the aireplay -0 {...} and then immediately run aireplay -3 {...} After 20k packets, no ARP req. I have 1 computer connected to a linksys AP and located right beside it. Am I doing something wrong or is there something I can check that would point me in the right direction.. thanks

ignote
03-21-2006, 07:41 PM
Try it this way.

1. Start airodump to capture traffic.
airodump ath1 <filename>
2. Start aireplay in another window to inject packets.
aireplay -3 -i ath1 -b <BSSID> -h <CLIENTMAC> -m 68 -n 68 -d ff:ff:ff:ff:ff:ff ath1
3. Start aireplay in yet another window to deauthenticate the client.
aireplay -0 4 -a <BSSID> -c <CLIENTMAC> ath1

Repeat the command in step 3 until the aireplay in step 2 takes off. I have not tested it a lot, but sometimes you have to repeat step 3 several times before it starts working.

buzzyng
03-21-2006, 08:22 PM
Well, I decided to update the firmware just because the AP was really old. Just finished and retried and now it works. Not sure why that would make a difference.

IVs @ 2k/min. At that rate, it's going to take hours to capture enough. I'm going to go ahead and try with the 40000 I've got so far and see if that works.

kirmet
03-22-2006, 11:24 AM
hi there,

Did the kismet installation and have the following probs.

I followed the tut. and did:

./configure --disable-setuid
make && make forceinstall

modified the kismet.conf like ->
source=madwifi_ag,ath0,madwifi_ag

card is in monitor mode.

Now when I start kismet (or kismet_server, that is) I get the following message:

root@slax:~# kismet
Server options: none
Client options: none
Starting server...
Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (Madwifi_AG): Enabling monitor mode for madwifi_ag source interface ath0 channel 1...
FATAL: Failed to retrieve list of private ioctls 7:Argument list too long
Waiting for server to start before starting UI...

any idea?

greez
puppy-dog-eyes-kirmet

PacoBell
03-22-2006, 12:29 PM
So you're saying you wlanconfig'd ath0 as monitor mode? Because TGV's guide sets ath1 as monitor and in the kismet.conf as well. Not that ath1 has to be in monitor mode, but that's what you're supposed to do if you're following the tutorial to the letter. In any case, just make sure that your kismet.conf is consistent with your virtual device settings.

P.S. Isn't the name of the driver supposed to be madwifi_ng?

TheGreatVirus
03-23-2006, 03:07 AM
madwifing_g

PacoBell
03-23-2006, 10:12 AM
Whoops, that's what I get trying to remember it off the cuff :p

kirmet
03-23-2006, 12:43 PM
Ok my bad ...
Didn't see that the madwifing devel version is only available with svn.

blade2
03-27-2006, 07:54 AM
I get the following error when I run airmon

ath0            Unknown         Unknown (MONITOR MODE NOT SUPPORTED)

kirmet
03-27-2006, 08:49 AM
Use the driver specific commands:
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

blade2
03-27-2006, 11:39 AM
I tried that, still the same error

kirmet
03-27-2006, 01:12 PM
I remember I had the same output. It happened when I started the live-cd with the wlan adapter plugged in. If you use the bt live-cd try to boot without your wlan adapter plugged in.

If you have a hd install, find out if you have all modules loaded.
Check with lsmod ... you should at least have
ath_pci
ath_hal
wlan
ath_sample_rate
- somewhere in the list.
Normally they should load when you load ath_pci with modprobe.
I don't know if unloaded modules would produce this kind of failure but you never know =P

That's all I can think of atm.

And btw. what wlan adapter do you use?

greez

kirmet
03-27-2006, 07:02 PM
Hi there, I tried to use svn for the kismet update but all I got is the following message:

root@slax:~# svn co http://svn.kismetwireless.net/code/trunk kismet-devel
svn: REPORT request failed on '/code/!svn/vcc/default'
svn: REPORT of '/code/!svn/vcc/default': 400 Bad Request (http://svn.kismetwireless.net)

can anyone help here please?
greez kirmet

TheGreatVirus
03-28-2006, 06:15 AM
hmmm, it could possibly be on their end and not yours. :confused:

blade2
03-28-2006, 06:46 AM
The card I'm using is 8470-WD; all the modules are there

deepthoughts
03-28-2006, 07:21 PM
airmon doesn't work after running the patch...I don't know why it doesn't but not to worry. You can still crack wep keys without using airmon...

kimbell
03-28-2006, 09:40 PM
airmon doesn't work after running the patch...I don't know why it doesn't but not to worry. You can still crack wep keys without using airmon...
I am not sure if this is relevant, but aircrack-ng has patched airmon.sh to enable monitor mode through the script.

et666
03-30-2006, 01:15 PM
I'm using an Atheros card in a Fujitsu Siemens Amilo A1650G and did everything in this tut without any errors. I activate my WLAN using acer_acpi.
Before doing the 'update' I could start kismet without any problems.
But now I first get a warning saying that ath1 appears to not accept the Madwifi-NG controls, and that it will attempt to configure it as a standard Madwifi-old interface.
Then there comes this message:
FATAL: 'get mode' does not return integer parameters.

And I'm getting back to the normal shell.
No Kismet :(
Anybody got an idea what I can try to do to fix this?

krnlpatch
03-30-2006, 05:49 PM
Unfortunately, I can only use the livecd option for using BT and cannot perform an install on the HD. Has anyone successfully incorporated this patch into the image?

I understand the modules can be incorporated into the .iso following the instructions in the FAQ section. I'm just not sure how to incorporate all the steps into the image file without a module. Is there documentation anywhere that would allow me to incorporate the patch?

Any help will be appreciated. Thanks.

-------
BT rules

krnlpatch
03-30-2006, 09:41 PM
Nevermind. I think I've figured it out. I'll add the patch and do some testing tonight.

william516
03-30-2006, 10:39 PM
Lol, you may have figured it out but I'm not so sure I have. I have the same problem as you. I'm using the LIVE CD version and CAN NOT install to the harddrive at all. So could you walk me through step by step the procedure for incorporating this into a new ISO file or anything that will allow me to run this as a NEW live CD without the need for install to the hard drive.

Thanks hope to hear from you soon and I hope that you got it to work

Bill

worel
03-31-2006, 12:58 PM
Hi There!

Got the same problem as et666!

Before installing the new madwifi drivers and the other stuff (as described above), kismet got no problem to start!

Now, I get the same error as et666. The only difference is that I start my device with modprobe ath_pci.

"But now I first get a warning saying that ath1 appears to not accept the Madwifi-NG controls, and that it will attempt to configure it as a standard Madwifi-old interface.
Then there comes this message:
FATAL: 'get mode' does not return integer parameters."

The same with me... Airodump and aireplay both start normally, but I haven't figured out yet whether the packet injection works or not.

krnlpatch
03-31-2006, 02:57 PM
Folks,

Even though I patched the livecd with the modules I created for madwifi-ng and aircrack-2.4, I am still unsuccessful at using the livecd with the atheros chipset to inject ARP packets.

Following is what I did:
- I downloaded the latest aircrack from freshmeat, unpacked it, applied the madwifi patch to it, and then tar'ed it again. Now I had a file with the .tgz extension.
- I then downloaded the madwifi-ng drivers from http://snapshots.madwifi.org/madwifi-ng/ - The one that I got was madwifi-ng-r1486-20060329.tar.gz.
- I used the MySlax Modulator to convert the two into .mo's.
- Fired up the MySlax Creator and appended the two new modules onto the BT beta iso.
- The iso compiled nicely and I burned it onto a cd-rw.
- Took it for a test. I ran airmon.sh and it listed the Atheros based device (it's an internal wifi card on a T42, based on Atheros 5212 I believe).
- Tried running 'wlanconfig ath1 create wlandev wifi0 wlanmode monitor', but it came back with an error saying it can't find wlanconfig.

This is where I think I screwed up. Anyway, I went ahead and tried it again, but this time around, I left out the madwifi-ng module and installed the one from http://slax.linux-live.org/modules.php?category=drivers&id=870&name=madwifi+dated+03-19-2006. I went through the exact same steps again. After patching the iso, I took it for a test drive.
- When I ran airmon.sh, it showed me ath0, but said monitor mode on the card is not supported.
- I tried the wlanconfig, and I was able to create the virtual ath1 device. I was also able to run airodump and aireplay.
- Airodump was capturing packets.
- The aireplay -1 attack said it successfully sent the fake ARP packet. But when I try running aireplay in attack mode 2 or 3, I'm not able to inject any packets, or at least it doesn't appear so to me. Especially with mode 3, I see it capturing a whole bunch of packets, but no ARP packets. With mode 2, it gives me options to inject the packets of my choosing, but after trying a number of them, I still couldn't see the DATA/IVs increasing.

This leads me to believe that somewhere something went wrong. Any thoughts?

---------
BT rules

TheGreatVirus
03-31-2006, 11:10 PM
After updating my Madwifing Drivers and Kismet last night I found that there are now slight differences in their installations, so I will be making an update to the guide to get it up to date so there is not so much confusion going on. I'm sorry that this is needed but that's just the way things go, things change. =)

armedpilot
03-31-2006, 11:50 PM
I just wanted to point out that airmon.sh is a script (I think the .sh gives that away), and that what it's really saying is that the section of the script that looks for madwifi ("iwpriv $iface 2>/dev/null | grep inact_auth") is not finding it. Try doing an iwpriv athX and see why it doesn't find it. Change the airmon.sh script. Or do an "iwconfig athX mode monitor" manually.

-When I ran airmon.sh, it shows me ath0, but said monitor mode on the card is not supported.

deepthoughts
04-01-2006, 07:33 AM
yes, you are right...I can't believe I didn't realize that...lol. I feel like such a dope. :(

crouso
04-01-2006, 10:06 AM
hello,

Did everything as described here and all works fine. thnx.
Now I want the atheros-upgrade burned back on a live-cd but can't find a tut :confused:

thnx

sENtoRiO
04-01-2006, 05:04 PM
Hi there! When I try to install kismet I always get an error, whatever I do!
g++ -Ilibpcap-0.9.1-kis -O2 -Wall -DVERSION_MAJOR=\"2005\" -DVERSION_MINOR=\"08\" -DVERSION_TINY=\"R1\" -DTIMESTAMP=\"`cat TIMESTAMP`\" -g -O2 -g -O2 -c kismet_server.cc -o kismet_server.o
make[1]: Entering directory `/mnt/hda3/subversion-1.3.0/kismet-devel/libpcap-0.9.1-kis'
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap-linux.c
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./fad-getad.c
sed -e 's/.*/static const char pcap_version_string[] = "libpcap version &";/' ./VERSION > version.h
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./pcap.c
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./inet.c
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./stub_filter.c
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./nametoaddr.c
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./etherent.c
gcc -O2 -I. -DHAVE_CONFIG_H -D_U_="__attribute__((unused))" -c ./savefile.c
rm -f bpf_filter.c
ln -s ./bpf/net/bpf_filter.c bpf_filter.c
ln: creating symbolic link `bpf_filter.c' to `./bpf/net/bpf_filter.c': Operation not permitted
make[1]: *** [bpf_filter.c] Error 1
make[1]: Leaving directory `/mnt/hda3/subversion-1.3.0/kismet-devel/libpcap-0.9.1-kis'
make: *** [libpcap-0.9.1-kis/libpcap.a] Error 2


what is it and how to fix it?

s4ur0n
04-02-2006, 05:42 PM
Hi all,

Went through the tutorial; it was working until I went back up to the command to start kismet after you've put the card in monitor mode. I got this:

Server options: -c madwifing_g,ath1,Madwifing_g -p 2501
Client options: none
Starting server...
Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (Madwifing_g): Enabling monitor mode for madwifing_g source interface ath1 channel 6...
WARNING: ath1 appears to not accept the Madwifi-NG controls. Will attempt to configure it as a standard Madwifi-old interface.
FATAL: 'get_mode' does not return integer parameters.
Waiting for server to start before starting UI...
Then it returned me to the prompt.

Anyone know where I went wrong? Do I need BackTrack? I might have missed something, I came straight to the tutorial page. I'm using Slackware 10.2

EDIT: I just noticed the capture sources part of the kismet.conf. I'm using a WG511T, what do I put in there? I read the readme but still not sure, please excuse my n00bness.

Any help greatly appreciated

TheGreatVirus
04-02-2006, 09:15 PM
Please read This: http://forums.remote-exploit.org/showthread.php?t=1003


Kismet changed on the CVS and "-c" will no longer work for you. Please read my reply to the thread above. I'll attempt to append it into my guide asap.

sENtoRiO
04-05-2006, 07:04 PM
could someone please answer my question?

jax-n
04-05-2006, 07:19 PM
Hi guys, do you also have problems with IV/min? It seems that the new madwifi-ng has problems with injection; I'm only getting 3000 IV/min with aireplay, which is quite slow.

Anybody got an answer on how to increase injection? Or is the only way to speed up aireplay to use the madwifi-old drivers?

PacoBell
04-05-2006, 08:01 PM
Anybody got an answer on how to increase injection?

I believe TGV answered (http://forums.remote-exploit.org/showpost.php?p=3562&postcount=124) this question in this very same thread.

TheGreatVirus
04-06-2006, 09:08 AM
Updated Guide: I made a small update to the guide to solve the issue that people have been PMing me about, related to kismet just closing upon running it. The new Kismet creates virtual adapters for the Atheros Device, which at its root level is called wlan0, and the fix is simple: just edit your kismet.conf and edit the source so that it contains the following: madwifing_g,wlan0,Madwifing_g

Structure7
04-08-2006, 11:14 AM
I'm following the updated guide exactly and get:

root@slax:~# wlanconfig ath1 create wlandev wifi0 wlanmode monitor
ath1
root@slax:~# kismet
Server options: none
Client options: none
Starting server...
Waiting for server to start before starting UI...
Suid priv-dropping disabled. This may not be secure.
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (Madwifing_g): Enabling monitor mode for madwifing_g source interface wlan0 channel 6...
WARNING: wlan0 appears to not accept the Madwifi-NG controls. Will attempt to configure it as a standard Madwifi-old interface. If you are using madwifi-ng, be sure to set the source interface to the wifiX control interface, NOT athX
FATAL: GetIFFlags: interface wlan0: No such device

The original guide worked for me just fine! :( I was sure to edit the kismet.conf with wlan0 instead of ath1.

suprahero
04-08-2006, 11:17 AM
you want to use wifi0

Structure7
04-08-2006, 10:29 PM
I'll give that a shot.

Also, it seems that the hotlink to freshmeat.net for aircrack is broken. Looks like aircrack has a 0.3 release as of March 28 or something. I imagine this will call for another guide update. :D

(Man... this thread isn't a sticky yet?! :eek: )

TheGreatVirus
04-09-2006, 12:03 AM
I'm following the updated guide exactly and get:

The original guide worked for me just fine! :( I was sure to edit the kismet.conf with wlan0 instead of ath1.

If you followed the guide simply run "kismet" and it should create the VAP for you and start scanning. Kismet no longer needs for you to create a device in monitor mode. Kismet will do it on its own just as long as the kismet.conf has been updated with the correct source.

madwifing_g,wifi0,Madwifing_g

Also I'm very sorry about the guide issues, shit keeps changing on me. Haha =) Hope that helps bro.
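
The capture-source line is where most of the Kismet failures in this thread come from: ath1 from the original guide, then wlan0, then wifi0, with Kismet's own warning above saying that a madwifi-ng source must name the wifiX control interface rather than an athX VAP. The following is an added example, not Kismet's code or the guide author's: a small parser for kismet.conf source= lines plus a check that applies exactly that rule. SAMPLE_CONF is a constructed file containing the variants posted in this thread, and the function names are my own.

```python
"""Parse kismet.conf 'source=' lines and flag madwifi-ng sources that do
not point at the wifiX control interface. Added example; the sample
config below is constructed from the variants seen in this thread."""
import re

# Constructed sample config with the interface names people tried here.
SAMPLE_CONF = """\
# capture sources (constructed sample)
source=madwifing_g,ath1,Madwifing_g
source=madwifing_g,wlan0,Madwifing_g
source=madwifing_g,wifi0,Madwifing_g
source=madwifi_ag,ath0,madwifi_ag
"""

# madwifi-ng's control interface is wifi0, wifi1, ...; VAPs are athX.
CONTROL_IFACE = re.compile(r"^wifi\d+$")


def parse_sources(conf_text):
    """Return [(type, interface, name)] for every uncommented source= line.
    Other directives are skipped; a source= line without exactly three
    non-empty comma-separated fields raises ValueError."""
    sources = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "source":
            continue
        parts = [p.strip() for p in value.split(",")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"malformed source line: {raw!r}")
        sources.append(tuple(parts))
    return sources


def check_madwifi_ng_sources(conf_text):
    """Return one warning string per madwifing_* source whose interface is
    not a wifiX control interface. An empty list means the config follows
    the rule Kismet's warning states."""
    warnings = []
    for src_type, iface, name in parse_sources(conf_text):
        if src_type.startswith("madwifing") and not CONTROL_IFACE.match(iface):
            warnings.append(
                f"source {name}: type {src_type} needs the wifiX control "
                f"interface, got {iface!r} (Kismet creates the VAP itself)")
    return warnings


if __name__ == "__main__":
    for warning in check_madwifi_ng_sources(SAMPLE_CONF):
        print("WARNING:", warning)
```

Run against a real kismet.conf by reading the file into check_madwifi_ng_sources; the check is deliberately limited to the madwifing_* rule the thread establishes and says nothing about other driver types.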

deepthoughts
04-09-2006, 03:36 AM
I've got aircrack-ng 0.3 to work fine with the rest of this tutorial. There is a patch provided with aircrack-ng 0.3 for the madwifi-ng drivers, so not to worry. The instructions are on the website.

TheGreatVirus
04-09-2006, 08:34 PM
I'm not sure if I said this already but the main reason I'm not adding it into my tutorial is because aircrack-ng is not anywhere near stable nor a final release, so as you can see, why add something when it will be outdated in less than a few weeks.

n3Cre0
04-09-2006, 09:19 PM
Hi

Great guide TGV since ppl say it works for them.

Unfortunately I'm unable to make a hard disk installation of BackTrack so I have to help myself with modules and stuff.

I went to this page
http://slax.linux-live.org/modules.php
and found this in drivers
http://slax.linux-live.org/modules.php?category=drivers&id=870&name=madwifi+dated+03-19-2006

Who has posted this (says used on backtrack)?
Has anyone tried this?
Does this fix injection for you?

Thnx

n3Cre0
04-11-2006, 06:15 PM
Nvm I just downloaded Troppix and that worked out all right.

I hope these things will get fixed soon.

TheGreatVirus
04-12-2006, 06:13 AM
I imagine the next version of Backtrack will be exactly what you're looking for. =)

n3Cre0
04-12-2006, 04:30 PM
Yeah, I'd rather use 1 distro instead of 2 ;)

Anyways, maybe this isn't the thread to ask, but I successfully recovered the WEP key of one network. Now I tried on another network - WEP 54g - the same where no clients were connected.

I used the fake authentication attack and set up my ARP attack. After one whole hour I finally got one ARP. Then it finally started sending packets, but there wasn't an increase of data when I looked at airodump. Which is strange since I was in range of the AP (beacons were going up) + my card was 'authenticated' with the AP using the 'aireplay -1 XX' attack.

Is it possible that sometimes the 'aireplay -3' attack doesn't work? Btw 'aireplay -2' also didn't make the dataflow increase.

kimbell
04-12-2006, 10:26 PM
Is it possible that sometimes the 'aireplay -3' attack doesn't work? Btw 'aireplay -2' also didn't make the dataflow increase.

Yes, if mac-filtering is in use.

n3Cre0
04-13-2006, 11:46 AM
But if MAC filtering is enabled then I wouldn't be able to authenticate with the AP (aireplay -1), which I was at that moment.

UniBond
04-17-2006, 05:43 PM
HELP!

I got as far as

IMPORTANT: REBOOT YOUR LAPTOP!

And when I did, I am now unable to connect to my wireless AP. I am using WEP.
I am using the command:
iwconfig ath0 mode managed key 0000000000
dhcpcd ath0

And that is not returning me an IP address.....HELP

I have a NETGEAR WG511T card and I also have BACKTRACK installed on my harddrive.

TheGreatVirus
04-17-2006, 10:30 PM
Try using the wireless config tool within X. It's not as complicated and will probably fix the issues you're having. Also make sure to manually run the command to pull an IP from the dhcp.

dhcpcd ath0

UniBond
04-18-2006, 05:02 PM
Sorted. Ta very much, I owe you a pint.

mhermann
04-18-2006, 05:50 PM
I can confirm that the WG511T (AR5212) is working excellently for injecting packets with aireplay and anything else. The only thing is: I tried that with SuSE 9.3 and not with BackTrack, because there it never worked. Although on SuSE 9.3 some rules are to be taken into account.

Therefore I post here my installation manual for the WG511T on SuSE 9.3 anyway:


Update your system via Yast. If a kernel-update is available make sure you update the kernel and reboot your system.
Install the "sharutils" and "kernel-source"-RPMs via Yast and reboot your system.
Update your system again via Yast --> Online-Updates to ensure that the kernel-source corresponds to your kernel and reboot the system.
Switch off an already existing atheros interface:
ifconfig ath0 down
Unload all old atheros modules:
rmmod wlan_wep ath_rate_sample ath_rate_onoe ath_pci wlan ath_hal 2>/dev/null
Delete all old atheros modules:
find /lib/modules -name 'ath*' -exec rm -v {} \; 2>/dev/null
find /lib/modules -name 'wlan*' -exec rm -v {} \; 2>/dev/null
Change to an installation directory of your choice (e.g. /usr/src/):
cd /usr/src/
Download the necessary sources:
wget http://www.tuto-fr.com/tutoriaux/crack-wep/fichiers/wlan/linux/atheros/madwifi-cvs-20051025.tgz
wget http://www.tuto-fr.com/tutoriaux/crack-wep/fichiers/wlan/linux/patches/madwifi-cvs-20051025.patch
Extract the sources and patch them:
tar -xvzf madwifi-cvs-20051025.tgz
cd madwifi-cvs-20051025
patch -Np1 -i ../madwifi-cvs-20051025.patch
Check your kernel-version:
uname -r
Compile the sources and install them. Substitute [VERSION] for the string you get via the "uname -r" command (e.g. if you get "2.6.11.4-21.11-default" by "uname -r" you enter "make KERNELRELEASE=2.6.11.4-21.11-default" respectively "make install KERNELRELEASE=2.6.11.4-21.11-default"):
make KERNELRELEASE=[VERSION]
make install KERNELRELEASE=[VERSION]
Reboot your system and then load the new module with the following command:
modprobe ath_pci

TheGreatVirus
04-18-2006, 10:54 PM
Sorted. ta very much, i o you a pint.

:D


mhermann - Good Job

d3coy
04-26-2006, 09:24 PM
HELP!

I got as far as

IMPORTANT: REBOOT YOUR LAPTOP!

And when I did, I am now unable to connect to my wireless AP. I am using WEP.
I am using the command:
iwconfig ath0 mode managed key 0000000000
dhcpcd ath0

And that is not returning me an IP address.....HELP

I have a NETGEAR WG511T card and I also have BACKTRACK installed on my harddrive.

You missed a part:

iwconfig ath0 essid (SSID) mode managed key 0000000000
dhcpcd ath0

jubegnx
04-27-2006, 06:08 PM
Can someone help me? I followed that whole guide and patched everything. The monitor mode works and airodump shows traffic, but when I do the aireplay -3 the ARP stays at 0 for hours. Is this because there is no traffic or what? Or is it because I didn't install this properly? Everything else is working apart from the ARP thing (WG511T card).

mhermann
04-29-2006, 02:09 PM
Maybe there is no traffic on the access point...???

Have you done...
airmon.sh start ath0 [CHANNEL]
airodump ath0 [PREFIX] [CHANNEL]
iwconfig ath0 rate 5.5M
aireplay -1 0 -e [ESSID] -a [BSSID] -h 00:11:22:33:44:55 ath0
aireplay -3 -b [BSSID] -h 00:11:22:33:44:55 ath0
aircrack [PREFIX].cap

jubegnx
04-30-2006, 12:06 AM
The airmon.sh doesn't work anymore after the patching; it's wlanconfig ath1 create wlandev wifi0 wlanmode monitor
but I never set the speed, I'm gonna try that.

TheGreatVirus
04-30-2006, 04:07 AM
I say wait till the next version of Backtrack comes out. This guide will no longer be needed after.

saratis
04-30-2006, 04:27 PM
Anyone been able to create an iso with this patch?? I really don't want to use dual boot, cuz it will most likely screw up my windows install.

I've got the WG511T which obviously doesn't work in BT3, so when will the next version be released?

I wanted to try troppix 1.2, but that's gone cuz of legal problems..

Does anyone know another distro that works with the WG511T?

Pyrator
05-01-2006, 11:21 PM
Has anyone else besides me tried to do this with the live cd (make modules and put them in the live cd)? It worked (no errors etc..) but I still have no injection...

top_cat78
05-07-2006, 10:51 AM
Same here. Tried BT beta 3, and Auditor (auditor-200605-02-no-ipw2100.iso, auditor-150405-04). All don't work with my WG511T.

bigugly
05-10-2006, 04:13 PM
Well the card works fine for me and the script on TGV's site is great.
The cards have different revisions, which can be checked in Windows using the Netgear drivers.
Only downside is injection is a little slow compared to a Prism card.

FloppyNostrils
05-10-2006, 06:41 PM
Thanks for the great guide. I have some observations about cracking my net which used WPA-PSK.

On the original boot cd with my WG511T:
Injection and deauthing are not working (just like you said).
Sniffing WPA-PSK handshakes and cracking with cowpatty / aircrack works fine. (I am deauthing with another card, a PrismGT.)

On my HD install with the patches:
Injecting deauths my other laptop every time. Only 1 deauth packet is necessary. Firing 20 in one volley bluescreens it (NICE!!)
Sniffing the WPA-PSK handshakes seems to work but does not work at all. It can make a nice .cap file but aircrack cannot crack the password. It tries all the words in my list and even though I have the right word in the list it fails every time. If I feed this .cap file to cowpatty, it bitches straight away about "incomplete TKIP four-way exchange". Strange that aircrack does not give a similar message and bail out. If I open this .cap file in Ethereal, I can find the EAPOL packets but it says [malformed packet] on all the packets.

If I open one of my .caps captured while using just the boot cd (no patches), everything is cool, Ethereal shows the EAPOL packets and nothing with [malformed], and the EAPOL packets are labelled with key, start, key...

I have to conclude that the packets captured using the mad-wifi patch are really corrupted.

Here is my method:
wlanconfig ath1 create wlandev wifi0 wlanmode monitor(just HD install)
airodump ath1 output 11 0 (happy collecting packets locked on 11)
aireplay -0 1 -a 00:09:5B:DC:B5:D4 -c 00:13:CE:5F:6F:7E ath1 (deauths my other laptop, cannot ping anymore for 30 seconds)
cowpatty -f list.txt -r output-03.cap -s CHRISNET << or >>
aircrack -a 2 -b 00:09:5B:DC:B5:D4 -w list.txt output-03.cap

It works fine on the boot cd every time(ath0)
It captures corrupt packets on HD install with patches(ath1)

Any ideas guys? Am I right or does anybody have the same experiences.
(EDIT - WTF those smileys doing there)

(sorry about the many edits - another observation: to use Kismet with the virtual ath1 card, you must start it from the command line, the K-Menu way of starting gives some nice errors and bails)


(EDIT: solved my own question, the airodump-ng in the aircrack-ng mentioned in the guide does not malform packets when it sniffs them - ./airodump-ng -w output cap -c 11 ath1. Now I've got two cards, WG511 (PrismGT) and WG511T (Atheros), that can crack and deauth anything WOOT!! Now if I could just actually get one of those cards to authenticate to my WPA-PSK AP like the built-in ipw can I would be really happy. On a totally unrelated note the WG511 is more powerful and more sensitive than the WG511T)

waqapak
05-10-2006, 07:11 PM
thanks for guide, working on it right now!

michelinok
05-11-2006, 04:21 PM
Everything went fine until patching aireplay...

>Download Aircrack Source Direct Link: >http://freshmeat.net/redir/aircrack/...rcrack-2.4.tgz

The source doesn't exist anymore.. there's a new version... "aircrack-ng" (what should I do??)

>Download Aireplay Patch: See Attached
>Extract It With:
>tar xvf aircrack-2.4.tgz
>Extract the Patch into:
>/aircrack-2.4/linux

I've extracted the other (-ng) source, and the "linux" folder doesn't exist :eek:

I don't know what to do :confused: and I'm a total newbie... can someone help me?

waqapak
05-12-2006, 02:26 AM
I went through all of the steps except editing the kismet.conf

The configs are straightforward and your source should be something like the following: madwifing_g,wifi0,Madwifing_g

I couldn't find where to change the code ... So I just pushed on and did everything else.

Also in the guide for updating the kismet_ui.conf file I thought this looked odd columns=.... maxrat e .... (there's a space there! is it supposed to be there?)

So after all these steps my Senao NMP 8602+ a/b/g 400mw (5006x atheros chipset) isn't working!

When I type iwconfig ath0, here's what I get:

ath0 IEEE 802.11b ESSID:""
Mode:Managed Channel:0 Access Point: 00:00:00:00:00:00
Bit Rate:0kb/s Tx-Power:0 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality:0/94 Signal level:-95 dBm Noise level:-95 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

michelinok
05-12-2006, 10:21 AM
I think someone (I'm a total newbie, and my card isn't working at all) should make a clean post on how to make the WG511T work with BT.
A step by step would be great.

Noebas
05-12-2006, 03:22 PM
I followed the guide and it's working on my Philips card with Atheros chip.
Got stuck at installing the new driver but with this it was fixed.

find /lib/modules/ -name 'ath*' -exec rm -v {} \; 2>/dev/null
find /lib/modules/ -name 'wlan*' -exec rm -v {} \; 2>/dev/null

At work I cracked a Linksys wrg54g with 900k IVs and 18 sec in aircrack.
Injecting ran just over 3 hours.

Thnkz for the great info on this forum.

youngc29
05-16-2006, 04:15 PM
Can someone confirm that aircrack and the correct patch can be gotten from here?

http://www.aircrack-ng.org/doku.php

as the link in the tut is dead!

TGV, it is a great write up, but can someone clear this up as I'm struggling a little with it and I don't want to mess up my nice dual boot hdd install again. Everything worked before trying it apart from injection, which is why we are doing this... sorry, I'm getting tired now, been reading all night!

FloppyNostrils
05-16-2006, 04:49 PM
http://packetstormsecurity.nl/wireless/aircrack-2.4.tgz
First hit in google. I had that broken link problem too.

I had a problem with sniffing.(not glue). see my post on page 19 of this thread.

michelinok
05-16-2006, 05:11 PM
http://packetstormsecurity.nl/wireless/aircrack-2.4.tgz
First hit in google. I had that broken link problem too.

I had a problem with sniffing.(not glue). see my post on page 19 of this thread.

I've already tried... doesn't work anyway :mad:

bigugly
05-17-2006, 07:28 AM
Just so as you know I have used the aircrack-ng download to update aircrack and you don't need to patch it.

michelinok
05-17-2006, 09:07 AM
Just so as you know I have used the aircrack-ng download to update aircrack and you don't need to patch it.

So you mean that i can do these steps?

1) remove the old madwifi drivers
2) download and install the new "madwifi-ng-r1552-20060515" (no patching!)
3) download and install the new "aircrack-ng-0.5" (no patching)

And everything should work? (using, of course the new command "aireplay-ng").

bigugly
05-17-2006, 02:19 PM
Did for me. Follow The Great Virus's guide, ignore the patch thing as it's meant for aircrack 2.4, and everything works okay. Plus you still have the use of the other aircrack tools.

michelinok
05-17-2006, 06:11 PM
Did for me. Follow The Great Virus's guide, ignore the patch thing as it's meant for aircrack 2.4, and everything works okay. Plus you still have the use of the other aircrack tools.

I've just tried with the latest madwifi-ng and aircrack-ng, but I still get "malformed packets" and no injection (I can see the malformed packets with Ethereal).

TheGreatVirus
05-17-2006, 07:50 PM
*yawn* Old stuff guys..... I'm a bit too busy to update a guide that will be outdated probably before I even finish it....


Edit: I have an idea! Just tell me what to add or remove... >.>

michelinok
05-17-2006, 08:15 PM
*yawn* Old stuff guys..... I'm a bit too busy to update a guide that will be outdated probably before I even finish it....


Edit: I have an idea! Just tell me what to add or remove... >.>

Hey TGV... you've done a great job with your tutorial, put a hand on your heart and think of those (like me) that aren't able to "inject".
I don't ask you to write a tutorial, but just tell us what to do and we'll find a way to do what you suggest.

Thanks

Michele

TheGreatVirus
05-18-2006, 12:05 AM
Well, summarize your problems for me so I don't have to go picking around and I'll see what I can do. You have to remember I have not needed to install ANYTHING since I wrote the damn tutorial. :D So things change, but I'm willing to assist you by reinstalling it and checking out the changes. Just don't expect it to be hasty as I now work from 10 am - 6 am every day except Sunday plus I run my own website (http://www.tisnetworks.org/).

michelinok
05-18-2006, 07:39 AM
Well, summarize your problems for me so I don't have to go picking around and I'll see what I can do. You have to remember I have not needed to install ANYTHING since I wrote the damn tutorial. :D So things change, but I'm willing to assist you by reinstalling it and checking out the changes. Just don't expect it to be hasty as I now work from 10 am - 6 am every day except Sunday plus I run my own website (http://www.tisnetworks.org/).

The problem is quite simple... my WG511T can't inject (malformed packets).
What I've tried:

1) Things you said in your big tutorial

2) Updated drivers (madwifi-ng) and installed aircrack-ng (without patching; people say it is not necessary, anyway I'm not able to patch without instructions and without knowing which files are needed).

The situation is quite simple

Tossil
05-19-2006, 05:09 PM
First off I wanted to thank you for the time you put into making this guide, I can't say enough how much it helped me migrate from my old Auditor to BackTrack. Coming from someone who knows just enough linux to be dangerous, guides like these teach me more than any linux book I've attempted to read. It's something about seeing things happen in front of your eyes, you might want to call it feedback, that you don't get while reading a book.

I wanted to give you some hardware feedback so you can add it to the list of wireless cards this guide helps fix. I first did this fix with a Netgear WG311T Rev. A2 and then later with a Ubiquiti Networks SuperRange2 802.11b/g 400mW High Power Atheros Wireless mini-pci card with mini-pci to PCI adapter. Both work!

Now as for making this easier for people who are still learning. I wanted to also give some feedback dealing with areas that people like myself can and have gotten mixed up.

-----------------------------------------------------------------
It is suggested you edit the following configs before you start Kismet:

/usr/local/etc/kismet.conf
/usr/local/etc/kismet_ui.conf
----------------------------------------------------------------

I know we upgraded Kismet and it seems that the default settings that Backtrack installed are wiped during the upgrade. So editing kismet.conf and kismet_ui.conf is now necessary. The first thing I had to do was to create a new user, I know I know... If you do a HD install you really should make a new user and leave root alone. So anyway, I made a new user and changed the password of root. Inside kismet.conf I set suiduser=(new user) to reflect the new user I created using "adduser (userid)", and I changed the root password by typing "passwd" at the bash prompt while logged in as root.

I'm still troubleshooting Kismet as I'm still having some problems. Something to do with 'get_mode' but fear not, Google is my friend.

Again, thank you for the time and I hope at least some of my feedback helps out, at least a little.

Sincerely,

Tossil

:EDIT:

So after doing some research, I edited the kismet.conf and changed it to "source=madwifing_g,wifi0,madwifing_g"; this is after changing

# User to setid to (should be your normal user)
suiduser=(Username)

From the bash prompt I type kismet and this is my output.

root@slax:~# kismet
Server options: none
Client options: none
Starting server...
Waiting for server to start before starting UI...
Will drop privs to (My Username)
No specific sources given to be enabled, all will be enabled.
Enabling channel hopping.
Enabling channel splitting.
Source 0 (madwifing_g): Enabling monitor mode for madwifing_g source interface wifi0 channel 6...
NOTICE: Created Madwifi-NG VAP kis
WARNING: wifi0 appears to be using Madwifi-NG. Some versions of the Madwifi-NG drivers have problems in monitor mode, especially if non-monitor VAPs are active. If you experience problems, be sure to try the latest versions of Madwifi-NG and remove other VAPs
Source 0 (madwifing_g): Opening madwifing_g source interface kis...
Spawned channelc control process 32055
Dropped privs to (My Username)
Allowing clients to fetch WEP keys.
Logging networks to Kismet-May-19-2006-1.network
Logging networks in CSV format to Kismet-May-19-2006-1.csv
Logging networks in XML format to Kismet-May-19-2006-1.xml
Logging cryptographically weak packets to Kismet-May-19-2006-1.weak
Logging cisco product information to Kismet-May-19-2006-1.cisco
Logging gps coordinates to Kismet-May-19-2006-1.gps
Logging data to Kismet-May-19-2006-1.dump
Writing data files to disk every 300 seconds.
Mangling encrypted and fuzzy data packets.
Tracking probe responses and associating probe networks.
Reading AP manufacturer data and defaults from /usr/local/etc/ap_manuf
Reading client manufacturer data and defaults from /usr/local/etc/client_manuf
Using network-classifier based data encryption detection
FATAL: Dump file error: Unable to open dump file Kismet-May-19-2006-1.dump (Permission denied)
Sending termination request to channel control child 32055...
Waiting for channel control child 32055 to exit...
Kismet exiting.
root@slax:~#

It seems FATAL: Dump file error: Unable to open dump file Kismet-May-19-2006-1.dump (Permission denied) is what's causing me trouble.

I can't seem to find where to fix this. I would assume that whatever directory I am in is the directory kismet is going to write its .dump file in. I've tried this in root and also in a directory I made on the desktop called temp. Both with the same error.

Does anyone know where I am going wrong?

P.S. I never figured out anything to change in kismet_ui.conf
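Both of the kismet.conf problems in this thread (a madwifi-ng source pointing at wlan0/ath1 instead of the wifi0 control interface, and the "Permission denied" on the .dump file after Kismet drops to the suiduser while running from /root) can be caught before Kismet is started. The checker below is an added example, not Kismet's own code and not from any poster; the sample config text and the user name kismetuser are constructed, and it also handles the old madwifi_* source type so the athX/wifiX rule is shown for both driver generations.

```python
"""Pre-flight check for a 2006-era kismet.conf (added example, not Kismet's own code).
Catches the two problems seen in this thread: a madwifing_* source that names athX/wlanX
instead of the wifiX control interface, and a log directory the suiduser cannot write to
once Kismet drops privileges (the "Permission denied" on the .dump file)."""
import os
import pwd
import re
import stat

# Constructed sample in kismet.conf syntax; not copied from any poster's file.
SAMPLE_CONF = """\
# User to setid to (should be your normal user)
suiduser=kismetuser
# source=sourcetype,interface,name[,initialchannel]
source=madwifing_g,wlan0,Madwifing_g
source=madwifing_g,wifi0,Madwifing_g
source=madwifi_g,ath0,OldDriver
"""

SOURCE_RE = re.compile(r"^\s*source\s*=\s*(.+?)\s*$")
SUID_RE = re.compile(r"^\s*suiduser\s*=\s*(\S+)\s*$")


def parse_conf(text):
    """Return (suiduser or None, list of source field lists), skipping comments."""
    suiduser, sources = None, []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SUID_RE.match(line)
        if m:
            suiduser = m.group(1)
            continue
        m = SOURCE_RE.match(line)
        if m:
            sources.append([f.strip() for f in m.group(1).split(",")])
    return suiduser, sources


def check_source(fields):
    """Return problems with one source= line as strings (empty list if it looks OK)."""
    if len(fields) < 3:
        return ["source needs sourcetype,interface,name: %r" % ",".join(fields)]
    stype, iface = fields[0], fields[1]
    if stype.startswith("madwifing_"):
        # madwifi-ng: Kismet builds its own monitor VAP from the wifiX control device;
        # naming athX/wlanX here is what produces the "not accept Madwifi-NG controls" warning.
        if not re.fullmatch(r"wifi\d+", iface):
            return ["%s source must use the wifiX control interface, not %s" % (stype, iface)]
    elif stype.startswith("madwifi_"):
        # old madwifi: the athX device itself is switched into monitor mode.
        if not re.fullmatch(r"ath\d+", iface):
            return ["%s source expects an athX interface, not %s" % (stype, iface)]
    return []


def dir_writable_by(path, uid, gid):
    """True if the mode bits of `path` let uid/gid write there (primary group only).
    Mode bits rather than os.access() so this can answer for another user; ACLs ignored."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def resolve_user(name):
    """Map a user name to (uid, gid) via the passwd database, or None if it is missing."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    return pw.pw_uid, pw.pw_gid


def check_conf(text, log_dir, resolver=resolve_user):
    """Run every check; return the list of problems (empty list means ready to run)."""
    suiduser, sources = parse_conf(text)
    problems = [] if sources else ["no source= line defined"]
    for fields in sources:
        problems.extend(check_source(fields))
    if suiduser is None:
        problems.append("suiduser is not set; Kismet would keep root privileges")
        return problems
    ids = resolver(suiduser)
    if ids is None:
        problems.append("suiduser %s does not exist; create it with adduser first" % suiduser)
    elif not dir_writable_by(log_dir, *ids):
        problems.append("log dir %s is not writable by %s; Kismet will die with "
                        "'Permission denied' on its .dump file after dropping privs" % (log_dir, suiduser))
    return problems


if __name__ == "__main__":
    # Kismet writes its logs to the current directory unless logtemplate says otherwise.
    for p in check_conf(SAMPLE_CONF, os.getcwd()):
        print("PROBLEM:", p)
```

Run it from the directory you intend to start Kismet in; an empty result means the source line and the log directory are consistent with the suiduser.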

baalpeteor
06-03-2006, 03:49 AM
Can anyone explain how to get injection working on the new final backtrack 1.0 release?

I have a Belkin wireless G desktop (PCI) with Atheros chipset. When I go (without using the guide) to do anything, it works (haven't had time to try aireplay deauth on a person, as it doesn't work on APs, but it worked for my mom's PC and kept showing it disconnecting and reconnecting).

The problem is of course reinjection. When I do an ARP or just capture packets to replay (aireplay-ng of course), it says it is, but the IV count in airodump-ng doesn't increase. Now if I run a second aireplay and make it look for packets to reinject, it'll find that packet that it's supposed to be sending out (aka if I keep saying no to use that packet, it'll infinitely keep showing it as it's being replayed, but it's not increasing IVs!)

I also know I got the right packet because it was:
FromDs= 0
ToDS=1
BSSID = mac of the wap
Src mac = Target pc mac
dist mac = FF:FF:FF:FF:FF:FF

which is the setting it should be to get a working packet to reinject.

Does anyone know what's wrong? Seems everything would be patched and working in the final release... I tried your guide but it went bad at:

"Remove Old Modules:

rmmod -w ath_pci.ko

Note: If you get an error with this just ignore it.

Make and Install It:

make && make install
"

When I did make && make install, it gave an error about it can't find kernel or something.

The kismet updated and works though. I downloaded the old aircrack and patched, but the problem there is when I do "wlanconfig ath1 create wlandev wifi0 wlanmode monitor" it says (ALWAYS): wlanconfig: ioctl: No such device



*Edit*
The error I get with the make && make install of madwifi-ng is:
slax madwifi-ng # make && make install
/bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc:95: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.

And if I try this I get this:
slax madwifi-ng # make KERNELPATH=/lib/modules/2.6.15.6/kernel/
Makefile.inc:119: *** KERNELCONF: /lib/modules/2.6.15.6/kernel//.config does not exist.. Stop.


Also if I make && make install the tools folder to use wlanconfig, I get this:
slax tools # wlanconfig ath0 create wlandev wifi0
wlanconfig: ioctl: No such device


I know SOMEONE out there can help so please do :P

s4ur0n
06-14-2006, 05:27 PM
Sorry for the very noob questions, but at the start of the guide it says get madwifi via svn then reboot; if I'm using backtrack won't that get rid of madwifi?

When doing make && make install in the madwifi-ng dir i get: /bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc:95: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.
I'm using backtrack final with a Netgear WG511T.

Any help greatly appreciated.

PacoBell
06-14-2006, 09:11 PM
Sorry for the very noob questions, but at the start of the guide it says get madwifi via svn then reboot, if im using backtrack wont that get rid of madwifi?

Methinks the assumption was that you'd already installed backtrack to the HDD. Then rebooting wouldn't be an issue. HTH.

s4ur0n
07-06-2006, 09:56 PM
Hi all, when typing "make && make install" in the madwifi-ng folder I get: /bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc:89: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.

I had a look on the forum but I can't seem to find where the kernelpath is, or how to set it for madwifi-ng.

Any help greatly appreciated.

markds
07-06-2006, 10:52 PM
Hi all, when typing "make && make install" in the madwifi-ng folder I get: /bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc:89: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.

I had a look on the forum but I can't seem to find where the kernelpath is, or how to set it for madwifi-ng.

Any help greatly appreciated.
It's searching for the kernel source, which the authors removed to save space on the CD. You can download it as a module from here:

http://www.remote-exploit.org/kernel.mo

Then do :

uselivemod kernel.mo

to insert it into your system (I hope you have B|T installed to the hdd)

Then you can try and compile the madwifi-ng drivers again. Question I'd like to ask is why are you recompiling the madwifi-ng drivers again? They are already installed with the latest version of BackTrack and patched for injection. Unless you're still using the Beta version.

s4ur0n
07-07-2006, 04:12 PM
When I tried "uselivemod kernel.mo" I got an error saying it couldn't find something about the kernel (does the .mo need to be in a certain place?), but I thought, seeing as markds says I don't need to recompile madwifi-ng as it's already installed and patched for injection, I'd just move on to installing an up to date kismet as this guide shows.
After compiling kismet and running it I got a fatal error saying the capture source is invalid, so I edited the kismet.conf, tried eth0 in there but it said this wasn't a valid capture source either. eth0 is what my Netgear WG511T comes up as in BT. What do I put in there?

Any help greatly appreciated.

michelinok
07-07-2006, 04:17 PM
When I tried "uselivemod kernel.mo" I got an error saying it couldn't find something about the kernel (does the .mo need to be in a certain place?), but I thought, seeing as markds says I don't need to recompile madwifi-ng as it's already installed and patched for injection, I'd just move on to installing an up to date kismet as this guide shows.
After compiling kismet and running it I got a fatal error saying the capture source is invalid, so I edited the kismet.conf, tried eth0 in there but it said this wasn't a valid capture source either. eth0 is what my Netgear WG511T comes up as in BT. What do I put in there?

Any help greatly appreciated.

In kismet.conf, as source, try one of these AND LET US KNOW WHICH ONE WORKS:

wifi0
ath0
kismet

Please,let us know...

s4ur0n
07-07-2006, 05:57 PM
wifi0, ath0 and kismet give me errors eg. "FATAL: Illegal card source line 'ath0'"

markds
07-08-2006, 11:29 PM
wifi0, ath0 and kismet give me errors eg. "FATAL: Illegal card source line 'ath0'"
Do 2 things and tell us what you see :

ifconfig -a

and

iwconfig

s4ur0n
07-09-2006, 07:36 AM
"ifconfig -a" gives me:
ath0 Link encap:Ethernet HWaddr 00:09:5B:98:E7:E8
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:200
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:10 Memory:e11a0000-e11b0000

eth0 Link encap:Ethernet HWaddr 00:40:D0:42:47:30
inet addr:192.168.1.64 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::240:d0ff:fe42:4730/64 Scope:Link
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:950 errors:0 dropped:0 overruns:0 frame:0
TX packets:973 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:605127 (590.9 Kb) TX bytes:136918 (133.7 Kb)
Interrupt:11 Base address:0xe400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

sit0 Link encap:UNSPEC HWaddr 00-00-00-00-31-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

and "iwconfig":
lo no wireless extensions.

ath0 IEEE 802.11 ESSID:""
Mode:Managed Frequency:2.412 GHz Access Point: 00:00:00:00:00:00
Bit Rate:0 kb/s Tx-Power:20 dBm Sensitivity=0/3
Retry:off RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=0/94 Signal level=-95 dBm Noise level=-95 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

eth0 no wireless extensions.

sit0 no wireless extensions.

markds
07-09-2006, 08:53 AM
Well your card is definitely ath0 as shown. I don't quite understand why kismet says that unless you didn't edit the file correctly. Maybe you want to post the lines of the conf you edited for us to take a look at.

s4ur0n
07-09-2006, 12:35 PM
The only part of kismet.conf I edited is:

# Sources are defined as:
# source=sourcetype,interface,name[,initialchannel]
# Source types and required drivers are listed in the README under the
# CAPTURE SOURCES section.
# The initial channel is optional, if hopping is not enabled it can be used
# to set the channel the interface listens on.
# YOU MUST CHANGE THIS TO BE THE SOURCE YOU WANT TO USE
source=ath0

Is there something else that needs to be edited?

EDIT: Im using "source=madwifing_g,ath0,madwifing_g", that seems to work.

s4ur0n
07-09-2006, 02:29 PM
When I try "wlanconfig ath1 create wlandev wifi0 wlanmode monitor" after patching aircrack I get:
-bash: wlanconfig: command not found
Any ideas?

markds
07-10-2006, 01:40 AM
When I try "wlanconfig ath1 create wlandev wifi0 wlanmode monitor" after patching aircrack I get:
-bash: wlanconfig: command not found
Any ideas?

I think you mean to do :

iwconfig ath0 mode monitor

s4ur0n
07-10-2006, 11:03 AM
Thanks for the help. I think the reason "wlanconfig" wasn't working is because the kernel.mo wasn't installed. I downloaded it again and "uselivemod kernel.mo" worked this time. Then wlanconfig worked.

joobs
07-21-2006, 02:46 AM
When I get to make && make install, or just run make, or just run make install I get the following...
/bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc: 89: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.

any ideas?

markds
07-21-2006, 02:57 AM
When I get to make && make install, or just run make, or just run make install I get the following...
/bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc: 89: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.

any ideas?

http://forums.remote-exploit.org/showthread.php?p=10854&highlight=kernel.mo#post10854

joobs
07-21-2006, 03:27 AM
Awesome... I am downloading now.
I appreciate it.

FhMoTa
07-21-2006, 11:38 AM
Is this still worth doing with the current release of B|T ?

markds
07-21-2006, 02:29 PM
Is this still worth doing with the current release of B|T ?
I don't understand the question - why isn't it worth doing?

FhMoTa
07-21-2006, 02:58 PM
What I meant was: is this still necessary, given the date and the mention of it being used on a beta version of B|T? Are these tweaks/updated files now part of the current release, or is this still a good idea?

From your response I assume it is a good idea to still do these updates.

DaveTheAve
07-21-2006, 03:14 PM
Well, the way I see it FhMoTa, it's always good to keep your software updated. The software that comes with BackTrack was the latest when they made it. However, a week may have gone by and someone could have let out a newer version.

markds
07-22-2006, 12:09 AM
What I meant was: is this still necessary, given the date and the mention of it being used on a beta version of B|T? Are these tweaks/updated files now part of the current release, or is this still a good idea?

From your response I assume it is a good idea to still do these updates.
Updates are always good (except every now and then when some old codger at Symantec releases half-baked virus defs that screw up the PC). Updates stabilize software MOST (note I didn't say all) of the time and sometimes give you new 'toys' to play with. Always update - it's a good practice.

grogorama68
07-28-2006, 01:55 PM
EDIT: found the answer to my question.. deleted previous post. thanks

Darksider
08-13-2006, 07:14 PM
Since I installed the kernel.mo thing I can't boot my BackTrack anymore with GRUB :s.
I use a tri-boot laptop system with WinXP, Auditor and BackTrack.
My bootloader is GRUB and before I installed the kernel it was all working.

Heeeeelp :( :confused:

fido__
08-22-2006, 08:29 PM
Firstly thanks a million to The Great Virus for help thus far....

But now the problem.

I followed the instructions and have done a lot of other reading/googling/etc. and can't get my wifi card to work under Linux at all! (it works under Windows though... Woopee <- excuse sarcasm)

It's a DWL-G650 ver C3 with F/W 4.30

I've read tons about how other people's cards are working but I must be doing something wrong with mine! I'm running BackTrack ( :-) ). I start up with the card in and cannot see any networks at all. The LEDs come on in similar fashion to Windows operation but I can't see a thing... (2 APs within a few meters)

Kismet starts, creates a virtual kis device in monitor mode but doesn't see anything. Destroy other virtual devices, create, up, down, tweak..... and nothing. No errors. I'm running Kismet on a different machine perfectly. Modded the sources line in kismet.conf.

Even if i enter all AP's details (wep, ssid, IP address set manually, etc ) still can't see anything!!!

Don't know if this helps but can't ping anything, not even 127.0.0.1!!!!

Help!!!! Please.
Can anybody tell me where to start, I really want to get this right



Update.....
I think the problem is an absence of an IP protocol or infrastructure but I don't know how to confirm this......

Help please, i've been looking around but still can't find anything

kokot
08-28-2006, 11:25 AM
Hello,
I am a Linux lamaz and I tried WHAX, Auditor and now BackTrack because I want to learn to crack WEP... but in Auditor I always get this message when I want to switch the card into monitor mode:

iwconfig ath0 mode monitor
Error for wireless request "Set Mode" (8B06) :
SET failed on device ath0 ; Invalid argument.

I have a wifi PCI Eusso 2454, it's the same as the DLink G520 or... with Atheros chip :} 5212

This discouraged me for 1 year {?} until you released B|T. I installed it on HDD and tried to crack WEP according to some tutorials on the net or Flash animations.

The first problem I saw was that airodump doesn't start. In the tutorials airodump always starts and collects packets... but for me it returns :help: where the options etc. were written.
But iwconfig ath0 mode monitor gives 8B06 like above.
Next I tried aireplay; some packets were received but aireplay DOESN'T SEND packets to the destination radio {my wireless router WA2204} - 0.

So I read this thread, downloaded the madwifi drivers via svn, downloaded kernel.mo {problem with Makefile.inc, see post no. 21 in this thread} and successfully installed them. Downloaded aircrack 2.4 and patched it.
I did wlanconfig ath1 create wlandev wifi0 wlanmode monitor and wlanconfig ath1 destroy too.

Now:
slax aircrack-2.4 # airodump ath0 tocrack
ioctl(SIOCSIWMODE) failed: Invalid argument

ARP linktype is set to 1 (Ethernet) - expected ARPHRD_IEEE80211
or ARPHRD_IEEE80211_PRISM instead. Make sure RFMON is enabled:
run 'ifconfig ath0 up; iwconfig ath0 mode Monitor channel <#>'

slax aircrack-2.4 # ifconfig ath0 up
slax aircrack-2.4 # iwconfig ath0 mode Monitor channel 1
Error for wireless request "Set Mode" (8B06) :
SET failed on device ath0 ; Invalid argument.

I tried changing the iface to wifi0, ath1, ath2, wlan, wlan0 but still the same problem, 8B06, like in the older Auditor, WHAX...
If I don't switch the card to monitor mode I can't crack WEP because I'm not listening to packets...

What should I do?
Does the original BackTrack installer have patched madwifi? If yes, why doesn't airodump start {still the options menu} and why won't it replay packets?
Now I want to reinstall BackTrack with the original settings, but what next?
Thanks

kaitandev
10-01-2006, 06:39 PM
slax madwifi-ng # make && make install
/bin/sh: line 0: cd: /lib/modules/2.6.15.6/build: No such file or directory
Makefile.inc:85: *** /lib/modules/2.6.15.6/build is missing, please set KERNELPATH. Stop.


Obviously a n00b here..... any help? :)
Edit: looks like I must set it manually: make KERNELPATH=/path/to/kernel/source
Problem solved, page 21 :)

n3Cre0
10-01-2006, 07:31 PM
Isn't the injection fixed in B|T v1 Final?

It was for me...

airsurfer
11-15-2006, 12:24 PM
Downloaded, compiled and installed Subversion, downloaded madwifi-ng with Subversion, and gave it a make && make install.

First make fails with:

Makefile.inc:91: *** KERNELCONF: /lib/modules/2.6.15.6/build/.config does not exist. stop.

lebyathan
11-17-2006, 01:01 PM
Hey guys...
exactly the same error at the same step on a live cd.
" Makefile.inc:91: *** KERNELCONF: /lib/modules/2.6.15.6/build/.config does not exist. stop."

I will install backtrack on my laptop (full install) to give it a try.

lebyathan
11-17-2006, 02:14 PM
Hey,

Well....
Installed BackTrack v2.0 on my laptop (installation method: real).
I am using the Super Range CardBus 300mW a/b/g PCMCIA card.
The card works perfectly!!!
Right now I am testing it in my lab.
The distro is ready to fire up......
Well done to everyone!!

I did not try to install anything else........... just out of the box!!

Again... well done... to everyone!

ablaz3r
11-23-2006, 04:43 AM
Hi,

I tried to compile the latest development version of Kismet, following the instructions given, but when I type "make" I get:

g++ -I/usr/local/include -O2 -Wall -DVERSION_MAJOR=\"2006\" -DVERSION_MINOR=\"04\" -DVERSION_TINY=\"R1\" -DTIMESTAMP=\"`cat TIMESTAMP`\" -g -O2 -g -O2 -Wall -W -pthread -c iwcontrol.cc -o iwcontrol.o
iwcontrol.cc: In function `int Iwconfig_Set_Channel(const char*, int, char*)':
iwcontrol.cc:522: error: 'struct iw_freq' has no member named 'flags'
iwcontrol.cc:522: error: `IW_FREQ_FIXED' was not declared in this scope
iwcontrol.cc:522: warning: unused variable 'IW_FREQ_FIXED'
make: *** [iwcontrol.o] Error 1


I tried to compile the same version of Kismet on my Debian box and it compiles successfully...

Does anyone have the same problem?

Thanks

Zi0n_
11-25-2006, 11:36 PM
That seems to be a problem with Kismet, or to be more precise, an incompatibility with gcc 3.4.6.
The latest svn revision that works is 1888. So please
cd into your dir with the kismet-devel source and run:
svn -r 1888 update
make clean
./configure --prefix=/usr --sysconfdir=/etc
make dep && make && make install

Or you can use checkinstall to create a Slackware package for easy management of future updates.
I will try to contact the Kismet guys about this issue.

Zi0n_
11-25-2006, 11:37 PM
ablaz3r, please let me know which version of GCC your Debian box has, the one that actually compiled the latest kismet-devel.

Zi0n_
11-26-2006, 02:29 AM
OK, you just need to make sure you have an up-to-date /usr/include/linux/wireless.h, which is part of the Linux kernel source. So you could do this:
cd /usr/src
wget http://kernel.org/pub/linux/kernel/v2.6/linux-`uname -r`.tar.bz2
tar xjvf linux-`uname -r`.tar.bz2
cd linux-`uname -r`
cp -avx ./include/* /usr/include/

and after that build your latest Kismet.
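
Two of the build failures in this thread are really environment checks that can be made before running make: the Makefile.inc stops quoted above (the /lib/modules/2.6.15.6/build directory missing, or its .config missing) and the kismet-devel compile error on IW_FREQ_FIXED, which Zi0n_ traced to old kernel headers. The POSIX shell script below is an added example, not something posted in the thread or shipped with madwifi or Kismet. It checks a kernel build tree and a wireless.h the way those builds will, and its demo runs against a constructed fixture (made-up WIRELESS_EXT numbers) so it can be tried on any machine; point the two functions at the real paths to check a box.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the two build
# failures reported above (madwifi's "please set KERNELPATH" / "KERNELCONF ...
# does not exist" and the kismet-devel error on IW_FREQ_FIXED / iw_freq.flags).
# All paths are arguments, so the same functions can be pointed at the live
# system or at the constructed fixture used in the demo at the bottom.

# check_kernel_build_tree /lib/modules/$(uname -r)
# Looks for what madwifi's Makefile.inc needs: a build/ directory (normally a
# symlink to the configured kernel source) and a .config inside it.
# Exit status: 0 = both present, 1 = build/ missing (the KERNELPATH error),
# 2 = .config missing (the KERNELCONF error).
check_kernel_build_tree() {
    kp="$1/build"
    if [ ! -d "$kp" ]; then
        echo "missing: $kp -> make would stop with 'please set KERNELPATH'" >&2
        return 1
    fi
    if [ ! -f "$kp/.config" ]; then
        echo "missing: $kp/.config -> make would stop with 'KERNELCONF ... does not exist'" >&2
        return 2
    fi
    echo "ok: $kp is a configured kernel tree"
    return 0
}

# check_wireless_header /usr/include/linux/wireless.h
# The kismet-devel compile above died on IW_FREQ_FIXED, a symbol the installed
# header did not define; this reports the WIRELESS_EXT version the header
# declares and whether that symbol is present.
# Exit status: 0 = symbol present, 1 = header unreadable, 2 = header too old.
check_wireless_header() {
    hdr="$1"
    if [ ! -r "$hdr" ]; then
        echo "missing: $hdr (install or copy the kernel's include/linux/ tree)" >&2
        return 1
    fi
    we=$(sed -n 's/^#define[[:space:]]*WIRELESS_EXT[[:space:]]*\([0-9]*\).*/\1/p' "$hdr" | head -n 1)
    if grep -q 'IW_FREQ_FIXED' "$hdr"; then
        echo "ok: $hdr declares WIRELESS_EXT ${we:-?} and defines IW_FREQ_FIXED"
        return 0
    fi
    echo "too old: $hdr declares WIRELESS_EXT ${we:-?} but lacks IW_FREQ_FIXED" >&2
    return 2
}

# Constructed fixture standing in for /lib/modules/<version> and wireless.h
# (the WIRELESS_EXT numbers below are made up for the demo). Prints its root.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/good/build" "$fx/noconf/build" "$fx/nobuild"
    : > "$fx/good/build/.config"
    printf '#define WIRELESS_EXT 16\n' > "$fx/old_wireless.h"
    printf '#define WIRELESS_EXT 20\n#define IW_FREQ_FIXED 0x01\n' > "$fx/new_wireless.h"
    echo "$fx"
}

# Demo against the fixture; to check a real box run e.g.
#   check_kernel_build_tree "/lib/modules/$(uname -r)"
#   check_wireless_header /usr/include/linux/wireless.h
fx=$(make_fixture)
for d in good nobuild noconf; do
    check_kernel_build_tree "$fx/$d" || echo "  -> status $?"
done
for h in new_wireless.h old_wireless.h absent.h; do
    check_wireless_header "$fx/$h" || echo "  -> status $?"
done
rm -rf "$fx"
```

The exit statuses are distinct on purpose: a wrapper around the madwifi build can tell "no kernel tree at all, install kernel.mo or pass KERNELPATH" apart from "tree present but never configured", and the header check separates "no headers installed" from "headers older than what kismet-devel expects".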

ablaz3r
11-26-2006, 05:29 AM
Thank you Zi0n! It worked ;)

PS. My Debian box was running gcc 4.1.2 20060901.

Zi0n_
11-26-2006, 09:34 PM
Did you settle for r1888, or did you update your /usr/include/linux/wireless.h and compile the latest r1893?
BTW, I was wrong about it being an incompatibility problem between GCC and kismet-devel. The real problem was that we had old kernel headers installed