Steve8x Posted September 19, 2008

Ok, so my friend has an HP TouchSmart PC which came pre-installed with Vista... The wifi card works on Vista; however, for tools like aircrack-ng I haven't found a way to get them to work on Vista... So I looked in the device manager to see what kind of device he has... It is not EXTERNAL, it does not plug into a USB port, it is internal, in the machine... It comes up as "HP 802.11abg wireless LAN", which doesn't really tell me much... How am I supposed to figure out what chip he has from that? However, I have found that it is made by "Atheros Communications Inc." I've read all over that Atheros chipsets work nicely with aircrack-ng and similar tools... When booting the backtrack 3 live CD, though, the device does not show up at all when doing an "iwconfig" or "ifconfig", and the wifi assistant says no compatible wifi devices found and closes!! Here's an image taken:

Why is the driver named "athrusb.sys" if it is not a USB device? I'm at a loss as to what I need to do to get this working. Should I try ndiswrapper with the Windows driver? Or try to install a madwifi driver? I've heard great things about Atheros chipsets, but I can't seem to figure out what MODEL NUMBER the chip is? All I know is it's Atheros... Here's info that I took from the device manager:

HP Touch Smart
HP 802.11abg wireless LAN
USB\VID_0ACE&PID_B215&REV_4810
USB\VID_0ACE&PID_B215
athrusb
{4d36e972-e325-11ce-bfc1-08002be10318}
{4d36e972-e325-11ce-bfc1-08002be10318}\0008
Atheros Communications Inc.
Port_#0002.Hub_#0004
\Device\USBPDO-11
00000084
CM_DEVCAP_REMOVABLE CM_DEVCAP_SURPRISEREMOVALOK
{9d7debbc-c85d-11d1-9eb4-006008c3a19a}
USB\VID_0ACE&PID_B215\6&37E6974E&0&2
USB\VID_0424&PID_2507\5&b61b967&0&8
oem31.inf:Atheros.NTX86:ATHR_DEV_B215.ndi:2.0.0.140:usb\vid_0ace&pid_b215
5/3/2007
2.0.0.140
oem31.inf
ATHR_DEV_B215.ndi
.NTx86
NetCfgx.dll,NetClassInstaller

How can I get the wifi working!! It seems I'd be able to use the tools if I could only get the damn light to blink! lol, and the device be recognized as something like wlan0. Thanks for your help.
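The device-manager dump above carries the one identifier that actually pins down the hardware: the USB vendor and product ID inside the instance path. As an added example (not code from the thread or from any project named in it), the shell functions below pull that pair out of a Windows instance ID and look it up in a usb.ids-format table; the table embedded here is a constructed three-line excerpt, and the names usb_id_from_instance and usbids_lookup are my own.

```shell
#!/bin/sh
# Added example (not from the thread): turn a Windows device-manager instance
# ID such as "USB\VID_0ACE&PID_B215&REV_4810" into the lowercase vendor:product
# key that lsusb, usb.ids and Linux driver device tables use, then look it up.

# Print "vvvv:pppp" for an instance ID; return 1 if it carries no VID_/PID_
# pair (a PCI instance ID, for example, uses VEN_/DEV_ fields instead).
usb_id_from_instance() {
    inst="$1"
    vid=$(printf '%s' "$inst" | sed -n 's/.*VID_\([0-9A-Fa-f]\{4\}\).*/\1/p')
    pid=$(printf '%s' "$inst" | sed -n 's/.*PID_\([0-9A-Fa-f]\{4\}\).*/\1/p')
    [ -n "$vid" ] && [ -n "$pid" ] || return 1
    printf '%s:%s\n' "$vid" "$pid" | tr '[:upper:]' '[:lower:]'
}

# Constructed excerpt in usb.ids layout: vendor lines "vvvv  Name", product
# lines tab-indented "pppp  Name". The real file (usually under
# /usr/share/hwdata or /usr/share/misc) has thousands of entries.
USB_IDS_EXCERPT=$(printf '0ace  ZyDAS\n\t1211  ZD1211 802.11g\n0424  Standard Microsystems Corp.\n')

# Print "Vendor / Product" for a vvvv:pppp key. A vendor without the exact
# product gets a placeholder (the usual case for OEM-rebadged dongles, where
# the driver's own device table is the next place to look); an unknown
# vendor prints a message and returns 1.
usbids_lookup() {
    vid=${1%%:*}
    pid=${1#*:}
    printf '%s\n' "$USB_IDS_EXCERPT" | awk -v vid="$vid" -v pid="$pid" '
        NF == 0 || /^#/ { next }
        substr($0, 1, 1) != "\t" {          # vendor line
            invendor = ($1 == vid)
            if (invendor) vendor = substr($0, 7)
            next
        }
        invendor && $1 == pid { product = substr($0, 8) }
        END {
            if (vendor == "") { print "vendor " vid " not listed"; exit 1 }
            if (product == "") product = "(product " pid " not listed)"
            print vendor " / " product
        }'
}
```

On a Linux live CD the same key is what lsusb prints, so it is the value to match against the HCL or a driver's device table; vendor ID 0ace belongs to ZyDAS, which Atheros acquired, which is why the Windows driver carries Atheros branding (a fact not stated in the thread).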
digip Posted September 19, 2008

It's an Atheros USB device. Check the Linux HCL for compatibility. You need the model or chipset designation, as not all Atheros chips are going to have the correct drivers for it. Example: the PCI card version may work, but the USB version of the same card might not. http://wiki.remote-exploit.org/index.php/HCL:Wireless Madwifi if you want to use aircrack, otherwise ndiswrapper for just normal wireless use.
Steve8x (author) Posted September 19, 2008

Well, thanks for that link... So if I can't figure out the model number or get it to work, I suppose I'll just have to buy a wifi card that works... USB wifi devices, I've read from fate in the other thread, can work with the right one! So now I just have to decide which one to get! See, currently he has his network secured with WEP, and I want to show him just how weak WEP is as opposed to something like WPA (he doesn't really believe me that I can crack it). Problem is I can't seem to get it going! I know if I could have a device which the drivers worked for, and which is capable of going into monitor mode, I could crack his network for him! Which card is recommended? One that I can plug into a desktop PC through USB (preferably), load up backtrack, and it will detect it right out of the box? Or with a simple driver make and make install... but I think it would be better if the drivers were already on the disc, as then I wouldn't have to do the install every time since it is a live CD... I don't want to modify his system, so I have to use a live CD of some sort. I was thinking backtrack 3 since that's geared toward this kind of thing...

On a side note: on his Vista, the myspacejuke app does not work! It for some reason fails to connect to a server, then crashes. I'm thinking it's the second, because only 1 box pops up, whereas if you disabled your internet two would come up (the xClient class gives a socket error messagebox if the connection failed). I had to use "Remote Execute Server" to launch a VNC server so I could show him that the app does in fact work on my PC. ;)
digip Posted September 19, 2008

If using BT3, see the HCL list and just buy one listed that has working drivers + can do packet injection. You will then be able to use the wireless USB dongle with BT3 while under VMware, whereas normally VMware can't see any wireless cards that are built in to the host. VMware only shares Ethernet connections from the host, but cannot control the Ethernet and wireless adapters natively to do monitor mode. It can however do it with USB wireless cards, as they show up as a normal, independent device under VMware. They work separate from the host system, so BT3 will be able to put the card into monitor mode and have full control over the device. I use mine with BT3 under VMware and it works flawlessly.

BT3 also makes it silly easy to crack WEP. With my laptop my built-in card has all the full functions to crack and inject, so using the tool Spoonwep to crack an AP takes less than 5 minutes under optimal conditions. Especially if there is a lot of traffic, like if someone is downloading a file or running a bittorrent. WPA is a bit harder, but I was able to crack WPA in about 12 hours or so, mainly due to the fact that you are brute forcing it through a wordlist, and it takes a god awful amount of time to find out if you even have the password in the list. If it's not in the list, well, be ready to spend 48 hours or more just to find that out (depending on the size of your wordlist). I remember someone saying they have rainbow tables for WPA now, so it probably won't be long before it becomes like WEP and people move beyond it as a security protocol for wireless. I personally do not think any wireless can be made secure given the way the process works today. Someone will always be able to intercept the packets over the air and figure out how to get in.

Offtopic: with your myspace program, have you run wireshark and seen what the packets look like in comparison to XP? I think Vista does something different with the TCP stack and sockets and it may be that it filters it differently than XP does. Or the card under Vista does not work the same as it does under XP.
Steve8x (author) Posted September 19, 2008

Ok, I went through just about every USB device on the list (which is said to work well with packet injection + monitor mode, and ignored the others). I've been trying to find one on that list that I can purchase in a store so I can get it quick, without having to wait for it by mail... I found the Hawking on Best Buy's site; however, they may not have it in the store, so I think I should call around, and it says it's backordered lol. Probably people are buying it for the same reason I want it... BUT is that the right model? On the 'list' it's listed as: Hawking HWUG1, which it says:

* Driver: rt73
* Chipset: ralink
* Injection and monitor mode work fine, just have to "ifconfig rausb0 up" and it works

Sounds good to me... but on the Best Buy site it says the model is: HWUG1A. The A at the end shouldn't matter, right? It's still the same chipset? I just want to get the right one, ya know!
digip Posted September 19, 2008

> BUT is that the right model?

Be careful here when going to buy one. I have two Linksys cards. One is a WUSB54GSC and the other is a WUSB54GC. The one with the S is a Broadcom chipset (using Speed Booster), the other a Ralink chipset. The Ralink one works with Linux, the other does not, as they have no drivers for it. So while they look the same, they may be different, even if only 1 letter is off. My cards look identical on the box and everything is the same except that one letter, so make sure you check the box itself for the correct info. Best bet is to go to the store to buy a card, and do not order one online, as if there is a mix up, chances are you can't return it once you open it to find out.
Steve8x (author) Posted September 19, 2008

> Be careful here when going to buy one. I have two Linksys cards. One is a WUSB54GSC and the other is a WUSB54GC. The one with the S is a Broadcom chipset (using Speed Booster), the other a Ralink chipset. The Ralink one works with Linux, the other does not, as they have no drivers for it. So while they look the same, they may be different, even if only 1 letter is off. My cards look identical on the box and everything is the same except that one letter, so make sure you check the box itself for the correct info. Best bet is to go to the store to buy a card, and do not order one online, as if there is a mix up, chances are you can't return it once you open it to find out.

OK, the store I went to had both HWUG1's && HWUG1A's. On the packages the HWUG1A's said they were for Mac, and the HWUG1's said for Windows... So naturally I went with the HWUG1 since it's the exact model that is on the list with everything working! And I have some good news! When I booted backtrack 3, after doing an "ifconfig rausb0 up" the light started blinking and it worked and found my network and I was able to connect! ;) I was also able to put it into monitor mode successfully and will be doing a test run cracking my own network, which I will set up with WEP... So I'll let you know my results! But it definitely looks good! :)

Side note: I hadn't thought of that, but yes, I will run wireshark on the myspacejuke next time I go over to his house to crack his wifi ;)
digip Posted September 19, 2008

rausb0 is the same one I use for my Linksys. Few things. If you notice bad connections or low power output, try the following set of commands. For mine I do the following commands in a terminal window:

rmmod rt73
modprobe rt73
ifconfig rausb0 up promisc
iwconfig rausb0 mode monitor rate 1m
iwpriv rausb0 rfmontx 1
iwpriv rausb0 forceprism 1

From there your card should be on and you can then run airodump, aircrack, wireshark, etc. If your card stops responding, just shut down the card:

ifconfig rausb0 down

then redo the above commands again, starting with the rmmod, etc. This gave me much better results and I could see more connected devices vs leaving the card to be configured by other programs. Also, the card I have does not do the fragmentation attacks (which you really don't need to crack WEP), and I think yours uses the same drivers, so not sure if that means you can't do the fragmentation attack with your card or if your hardware might be able to, but all other things seem to work great with my USB card.
Steve8x (author) Posted September 20, 2008

> rausb0 is the same one I use for my Linksys. Few things. If you notice bad connections or low power output, try the following set of commands. For mine I do the following commands in a terminal window:
>
> rmmod rt73
> modprobe rt73
> ifconfig rausb0 up promisc
> iwconfig rausb0 mode monitor rate 1m
> iwpriv rausb0 rfmontx 1
> iwpriv rausb0 forceprism 1
>
> From there your card should be on and you can then run airodump, aircrack, wireshark, etc. If your card stops responding, just shut down the card:
>
> ifconfig rausb0 down
>
> then redo the above commands again, starting with the rmmod, etc. This gave me much better results and I could see more connected devices vs leaving the card to be configured by other programs. Also, the card I have does not do the fragmentation attacks (which you really don't need to crack WEP), and I think yours uses the same drivers, so not sure if that means you can't do the fragmentation attack with your card or if your hardware might be able to, but all other things seem to work great with my USB card.

I never have low power output.... Ok, I thought I had this, but I can't even seem to crack my own WEP LOL! With or without your commands does not help... I'm writing this from backtrack 3 right now. I used

airmon-ng stop rausb0
ifconfig rausb0 down
ifconfig rausb0 up promisc

so that I could connect to my network using the key (the passphrase doesn't seem to work, so I had to use the actual key) to post this. Even though I know the key, I just want to see the aircrack program get it! I seem to get stuck at the packet injection part! It says it's sending packets (about 500 packets per second) but the data value does not go UP!! ?? As you can see, 75000+ packets were sent without the data going up a single 1!!! I've waited even longer than this and started aircrack on the log file, and it stopped and said it will try again when 5000 IV's are reached, but it will never get there since the data doesn't increase! Here are the steps I take:

1: disable everything to start fresh
airmon-ng stop rausb0
ifconfig rausb0 down

2: change mac address
macchanger --mac 00:XX:XX:XX:XX:XX rausb0
(been using 00:11:22:33:44:55, but also tried other random ones)

3: enter your commands (or not)

4: airmon-ng start rausb0 // start the device in monitor mode, it only takes 1 second until it shows this:

5: airodump-ng rausb0
After this I know my monitor mode is working because I see all the access points around my area, and clients connected to them (if any; for my router there isn't). I notice the wifi card is browsing through every channel repeatedly trying to find every wifi device it can... I write down my router's BSSID and copy it so I can paste it the several times you need to. I remember the channel it's on, in my case 6. Then I've tried either closing that konsole window, or just leaving it open before continuing to the next step... -c is channel, -w is filename (which is saved into your home folder; I make this different every time I try)

6: airodump-ng -c 6 -w crackmynetwork --bssid [shift insert router bssid here] rausb0
After that it shows similar to step 5 but with only my router... and it also saves the 'data' to the file specified, I believe (so that aircrack-ng can use it later). Then I do:

7: aireplay-ng -1 0 -a [routerbssid] -h [fakedmacaddress] rausb0
That I'm not exactly sure what it does, but it somehow associates with the router... Most of the time it works right away with no problems, but sometimes it takes a few tries... After I see association successful I move to the next step. This is the part where the packet injection begins (I think). Since I don't have any other computers connected to the network at this time, I have to do a clientless crack:

8: aireplay -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [routerbssid] -h [fakedmacaddress] rausb0
Now this step sometimes takes a long time, or it sometimes happens right away, but sometime between then I'll receive a packet and it'll ask me if I want to use it! I always hit 'y' then enter. Should I be hitting 'n' for some?? How can I tell which ones? Then what happens is it says sending packets and it seems fast (like 500pps), but yet the data in the other konsole window (called from airodump) does not seem to increase! What am I doing wrong? Finally:

9: aircrack-ng [filename]-01.cap (in this case it was crackmynetwork-01.cap)
It tries what seems like many keys, but then it stops and waits until 5000, but 5000 will never be reached unless I wait 5000 years!! since the data only increases naturally. It doesn't seem like the packet injection is working? How can I get this to work? Oh, and if it matters, I set my network as 64bit open access WEP.
digip Posted September 20, 2008

Using aircrack, you need to just capture enough IV's. If the IV count isn't going up, you have something configured wrong or you are not capturing them in monitor mode. You can try a deauth to the target PC and see it reassociate itself, then see if the IV count starts to pick up. It takes a while using Aircrack. I use spoonwep with my laptop and it only takes about 5 minutes, but the rt73 card works better with aircrack than spoonwep, since we can't do the fragmentation attacks.

edit: Also, is it using TKIP-PSK? PSK is the key to cracking it, as this is the IV's being sent back and forth (Pre Shared Key). - Forget I said that, I was thinking WPA for a second there.. continue...

Try this:

ifconfig rausb0 down
rmmod rt73
modprobe rt73
ifconfig rausb0 up promisc
iwconfig rausb0 mode monitor rate 1M (<-- forgot to tell you, capital M, sorry)
iwpriv rausb0 rfmontx 1
iwpriv rausb0 forceprism 1

Now, the card is set to monitor mode, so you should be able to see any packets flying about, even if they are encrypted (you just won't be able to see what the packet actually contains, since it is encrypted, but you should be able to capture them at this point). Now on to the aircrack suite. First, what channel is your target on? You will need to set aircrack to stay on that channel! Otherwise it roams, and shit gets harder to work with. Once you know the target's channel, set a dump of the packets:

airodump-ng -w dump rausb0 -c X (where X is the channel you want to monitor!)

Now you want to send a deauth to the client on the access point, so you need their mac address. Airodump will show you on the screen AP's on top, then users connected to any at the bottom of the screen. BSSID is the router, Station is the user connected to the router. Look for a user who is on the BSSID you want to crack. Then run aireplay-ng to deauth the user.

edit: ex:
aireplay-ng --deauth 3 -a xx:xx:xx:xx:xx:xx rausb0 (where xx:xx:xx:xx:xx:xx is the user's BSSID mac address)

This will disconnect the user. Might take a few tries, but once they reconnect, you should see the IV's go up in numbers. It helps when, say, a user has a LOT of traffic on the AP, so if you want, download a large file while trying to crack your router. Make sure there is a lot of traffic going back and forth. You need a minimum of 20,000 IV's. Ideally, about 25-30,000. Not data packets, but IV's!! 5,000 or less and your chances are none to what the hell were you thinking, I already told you you needed at least 20,000 IV's!! j/k

After you get the number of IV's, run aircrack-ng against the dump file and search for the mac address of the user you deauthed and wep. So, if that doesn't work, I am not sure what is going on. This is going from memory, as I haven't logged on to BT in a few weeks, but I think this is what you need to try first. Cracking WEP with this USB key takes longer than, say, one that can use the fragmentation attack. With spoonwep, I'd say you need a better card to do it any quicker. I'll have to go load BT and give it a shot and see if I got it right, as I can't remember all these damn commands all the time. There isn't enough room in there for jello, let alone aircrack commands.

edit: For a while I was telling you what to do for WPA, and confusing IVs with getting the PSK under WPA. See, I have too much shit in my head. To associate with the AP (WEP now) you want to use method 1 under aireplay.

aireplay-ng -1 3 -a xxxxxxxx rausb0 (where xxxxxxxx is the mac address of the AP in question)

This increases the traffic on the AP and sends fake auth attempts and sets the AP AUTH to OPN. Then do a -6 to request more IV's:

aireplay-ng -6 -b xxxxxxxx rausb0 (where xxxxxxxx is the mac address of the AP in question)

Using the USB dongle takes a while with Aircrack. On my laptop, I use the built-in Broadcom and it works with spoonwep to crack it in about 5 minutes. Not sure how long it will take under the USB key, as I use the lappy for WEP and the USB (on my desktop) for WPA (which took me somewhere around 12 hours or so).
Steve8x (author) Posted September 20, 2008

Ok, I'm moving right along! :) I managed to crack my own network's 64bit key with aircrack-ng with a little over 10,000 IV's (comes up as data in the airodump konsole window). I was sure glad to see that! However, the way I got to that point sucked and took me a long time! Remember I DO NOT have any clients connected to my network while I'm doing this. So I'm counting on forcing the IV's to increase by sending packets to the router... My friend's network probably won't have any clients either, so I must do it this way... Everything is fine and dandy until I get to this step:

aireplay -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [routerbssid] -h [fakedmacaddress] rausb0

Here's what happens: it says reading packets... and after some time, could be almost immediately, or it could take a while, it will say "use this packet?" You either hit 'y' or 'n'. I've always just hit y though... Ok, now here's where the trouble happens. Sometimes it says sending packets and the number continually increases, yet the data/IV's in the airodump window do not go up... Other times, like this time where I actually cracked my 64bit key, the data/IV's DO INCREASE, but the packets sending freezes (what I mean by that is it stops on a number between 500-800 and just hangs...). Why is it doing that? However much the data increased, about 300, it stops increasing when the window where I sent that aireplay-ng command hangs... The way I cracked my network, though, is every time the thing hangs I close the window and open a new one, then do the same command again:

aireplay -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [routerbssid] -h [fakedmacaddress] rausb0

Again it will say reading packets and I'll have to wait for it, then hit 'y' enter, and it will then send more packets, the data will increase, and then both will stop again once it says sent (between 500-800). It's really frustrating; why does it stop? It should continue sending those packets... It sucks to have to keep closing the window, opening a new one, doing that command again, waiting for it to say use this packet, hit y enter, then when it stops sending packets and freezes/hangs, repeat the process all over again!!! It should just keep sending the packets, then all I'd have to do is leave an aircrack-ng window up and wait until enough data is received until the key is cracked! Have you ever had this issue? What did you do about it?
digip Posted September 20, 2008

I just wrote a shell script that sends 5 deauths, sleeps for 5, then sends 5 deauths, sleeps for 5, etc, etc. It loops until I kill it. Problem is you have to be patient with a card that can't do fragmentation. The injection part doesn't seem to work all the time either, like you found out. That is why I set the rate to 1M, as it seems to work more consistently for me at a slower speed. You could also try the latest rt73 enhanced drivers, or older drivers, as people have had mixed results: http://homepages.tu-darmstadt.de/~p_larbig/wlan/ Scroll down to "RaLink RT73 USB Enhanced Driver"; it says they now support the fragmentation attack, so I may try and install it and then run it through spoonwep again to see if I get any IV's quicker.

> Originally Posted by shamanvirtuel
> if you want injection:
> ifconfig rausb0 up
> iwconfig rausb0 mode monitor channel XX rate 1M
> iwpriv rausb0 forceprism 1 (enable prism headers for pwr output)
> iwpriv rausb0 rfmontx (enable injection)
> all attacks work well except fragmentation
> if u want fragmentation, just install aspj's rewritten driver
> I've used these cards for months with no problem........
> http://forums.remote-exploit.org/showthrea...5707&page=3

If you want injection to work properly, I think you have to lower your rate and turn on the forceprism 1 feature. This is why I always do things in that order, like I was posting in the above threads. People have said installing the 1.1 drivers allowed them to do packet injection much easier, but 2.0 drivers allowed fragmentation, and not sure about later drivers, but they seem to have different features as well.
digip Posted September 20, 2008

Ok, I tried something completely different. Get everything set up like above, but after airmon is running, send an aireplay fragment (it seems to be working with the rt73 drivers under BT3):

aireplay-ng -5 -e routername rausb0

When it comes up for the packet answer y or n, hit n for the first one, then for the next one hit y. Saves the packet for use with packetforge-ng as somefile.xor. Ok, now we want to construct a packet from this saved xor file. Before we do this, we need to think about our target. I happen to know the target is a Linksys router and valid IP addresses on the router, so not sure if using spoofed IP's will work, but I used legit ones for my packet test. You can probably use anything though, but I haven't verified this yet. Using the following command we are going to create an arp request/reply packet:

packetforge-ng -0 -n 5 -a macofrouter -h yournicmac -k gatewayaddressofrouter -l anyvalidiprange -y fragment.xorfile -w arp rausb0

Now we have a file called arp with all our packet data in it, so we can feed it to the AP and watch our IV's skyrocket. In about 3 minutes, you should have all the IV's you need to crack the AP's WEP. We have to send the "arp" packet we created, so run aireplay-ng again and feed it to our AP.

aireplay-ng -r arp -3 -e essidofrouter rausb0 (where arp is the name of our forged packet!)

Now your IV's (data) will start climbing and you should be able to crack it in just under 5 minutes! http://www.twistedpairrecords.com/digip/wep-cracked.jpg
Steve8x (author) Posted September 22, 2008

Here's an update! The new drivers sounded like a great idea! And yep, the new drivers are all I needed to get my device working as it should! With backtrack 3 though, I was unable to install the new drivers... I believe the live CD is missing the necessary files to build the driver. I have Ubuntu installed on my PC, so I figured I would try installing the newest version (since newer is usually better) of the driver and the aircrack-ng suite on it... I had to blacklist the old drivers that came with Ubuntu though, or else they would load instead... I'm really liking the newest driver as I've had great success with both the interactive packet replay attack

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [routerbssid] -h [fakedmacaddress] [deviceinterface]

NOTE: you have to be associated with the access point for it to work (that was one of my problems before, when the packets would be sent/injected but the IV's wouldn't increase since I wasn't associated with the router). Now I use

aireplay-ng -1 6000 -o 1 -q 10 -a [routerbssid] -h [fakedmacaddress] [deviceinterface]

so -1 means fake auth (only works for WEP OPEN AUTH; if it's pre-shared key you have to capture the preshared key first by deauthing a client)
6000 means wait 6000 seconds before sending another auth request
-o 1 means only send one packet at a time
-q 10 means every 10 seconds send a keep alive

And I leave that window open so that I stay associated with the access point... I also have used the arp request re-injection successfully! But I have skipped your step "aireplay-ng -5 -e routername rausb0"; instead I just use (after being associated with the AP first)

aireplay-ng -3 -b [routerbssid] -h [fakedmac] [deviceinterface]

then I deauth a client, which generates an arp request, then the IV's skyrocket as said; I get about 200 IV's a second... And I successfully reached well over a million IV's before I started getting deauths from my access point! (I did this just to see how many IVs I could collect before getting deauthed :) It's way more than needed though for a 64bit key.) Using these two attacks I was able to crack a 64bit key in about 10,000 - 20,000 IVs and a 128bit key with about 50,000 - 100,000 IVs! I'm still looking for a good word list to give WPA cracking a try! ;)

This was cracking a 64bit key:
Here's an image taken shortly before I started getting deauth'd after 1,000,000 IVs were reached using the arp request reinjection attack (without the packetforge-ng step):
Here's where I got deauth packets and the IVs stopped increasing (it was way more than needed anyway ;)):
Here's cracking a 128bit key running aircrack-ng while maintaining association with the AP and doing an interactive packet replay attack to increase the IVs!

OK, so I'm glad this is working for me as I want it to now... but here's my new question... How can I make a backtrack 3 CD which contains the new driver from serial monkey (version 3.0.1 I believe is the latest) and remove the old driver which doesn't work well with packet injection for me! Since I can't carry Ubuntu around with me... I need ideally a backtrack 3 CD which has the drivers on it! I know it's possible since the creators of BT3 put drivers on there... So how can this be done? What can I change in the ISO to make it have the newer driver? I really like the backtrack 3 CD as it's a VERY fast live CD!!!!! The fastest live CD I've ever used! Usually live CD's are slow since everything is running off of the CD. Files I believe are stored in memory since you can't save things back to the CD... so once you restart, whatever files you had in memory are deleted unless you backed them up onto some hard disk or partition... So how can it be done?

So as a final note: anyone experiencing injection problems (with an rt73 chipset) like I've outlined in my above posts, just use the new driver and everything will work as it should :)
Steve8x Posted September 22, 2008 Author Share Posted September 22, 2008 EDIT: Okay I thought I figured it out yet there's still something wrong! Ok I figured out that BT3 works by modules! ".lzm" files which contain folder and file structures that will be loaded into the filesystem structure... I discovered that the wifi device drivers that are bundled with BT3 are stored in the lib.lzm file so using backtrack3 copying the lib.lzm to some folder then doing mkdir extractedfiles lzm2dir lib.lzm extractedfiles extracts the files into the "extractedfiles" folder now inside the newly created extracted files folder contains the lib file structure, inside the folder "lib" are two important folders "firmware" and "modules" inside the firmware folder contains the firmware for all the wifi drivers packaged with BT3 inside the modules folder is a folder called "2.6.21.5" im guessing its the kernel verison? within that folder is a directory called extra inside extra contains the actual driver files (".ko" files) which come with BT3 so I though by deleting the rt73.ko from there and deleting the rt73.bin from the firmware directory then copying the new driver in place of the old rt73.ko, and the new(if its new) firmware in place of the old rt73.bin and save the ISO file, once I burn it, It will have the new drivers which work for me ;) instead of the old drivers which packet injection fails!!!! I really thought it was gonna work but to my astonishment when I booted the CD under ifconfig and iwconfig nothing came up! and trying to do modeprobe rt73(to force the driver to load) causes this error: Why doesn't it understand the new driver?? Please help me get it right! I don't want to waste a bunch of CD's trying to figure this out!! use lzm2dir to extract an lzm file and use dir2lzm to re-compress it after making your changes! save the new ISO and burn it! What am I doing wrong? does it have something to do with the kernel version? 
digip Posted September 22, 2008

I don't know, as I get them working with no problem under BT3. I just send a fragment, wait for the packet, construct my ARP forged from the packet, send them the ARP packet, and watch the IVs skyrocket. As for wordlist, here is one I use often, a 12meg file that is pretty decent with WPA brute force attacks, but can take A LONG TIME. http://www.twistedpairrecords.com/digip/wordlist.txt Someone said you can make a rainbow table from it and it cracks them faster, but I don't know how to do that or make BT3 read from a rainbow table for this to work. You could however break the text file into multiple files, each with unique parts of the list, and then run the attack against each separate wordlist at the same time and get done much quicker.
Steve8x Posted September 23, 2008 Author

Well, maybe even though our cards have the same chipset, the drivers work differently because we have different cards. I've tried numerous times; the drivers that come with BT3 do not work well with my device. I was thinking my device was defective or something, but trying the new drivers proved that there is not anything wrong with it at all! It's just that the new drivers fixed an issue with the old ones of the injection hanging (I call it that). That's why new drivers come out after all, right? New drivers/software usually improve on the old version!! ;)

That website is down!! twistedpairrecords.com. Could you please upload it somewhere else maybe? Sounds like a good word list to me if it will keep going for hours. I'd have to use an already made wordlist (I wouldn't want to make my own, TOO MANY WORDS! lol). Do you really think WPA will become easy to crack like WEP? I read somewhere that I can't find now on the aircrack website that it can't be cracked easily like that, and pre-computed tables (rainbow tables) can't be made because of the way they hash the IVs together with the correlating bytes (if I remembered correctly). Well anyway, thanks for the wordlist (once the site goes back up or you post it somewhere else), and I'm still trying to figure out the BT3 modifying thing ;)
digip Posted September 23, 2008

My site (Twistedpairrecords.com) is up and working fine for me. Maybe you're blocking it or your ISP's DNS doesn't have it? I can get to it just fine though. Try using OpenDNS to get to it and see what happens, or dreamhost could have been doing something at the time you tried to access it, but the site is working.
Steve8x Posted September 23, 2008 Author

As it turns out your website was just down last time I tried it. It is working fine now, so thanx for the word list!

I have solved my problem 100%! ;) I now have a backtrack3 Live CD which has the newer driver version 3.0.1! Now I can use packet injection with BT3 with no problems!

I solved the problem by getting the kernel sources for backtrack (contained in kernel.lzm) found here: http://www.offensive-security.com/kernel.lzm

While you've got backtrack 3 running, you extract the kernel.lzm file into your root folder /. cd to where your kernel.lzm is at, and do

    lzm2dir kernel.lzm /

The / tells it to extract the files to the root folder. Once that is done you can now compile drivers/other software!

Now put the latest (or desired) driver for your wifi device into a folder somewhere. cd into the folder and extract the archive; it will look something like this depending on the type of archive it comes in:

    tar -xjf rt73-k2wrlz-3.0.1.tar.bz2

Now cd into the Module folder within the new folder created:

    cd rt73-k2wrlz-3.0.1/Module

Build the driver using 'make', then install the driver using 'make install'. (Note: before installing the new driver MAKE CERTAIN that the old one is no longer loaded by doing "ifconfig [deviceinterface] down" and "modprobe -r [drivername]".) For example, before doing make and make install I did this first:

    ifconfig rausb0 down
    modprobe -r rt73

Now install the new driver! ;)

    make
    make install

It should build successfully without any errors, and then install successfully! If the old driver was not loaded when you did 'make install', it has been overwritten by the new one, and as soon as you bring the device up, you will be working with the new driver instead of the old one!
Now the way I put the new driver on the CD is, I took the "lib.lzm" from the BT3 ISO and extracted the "lib" file structure into a folder called xtract:

    lzm2dir lib.lzm xtract

The reason for this is that you need a folder which will hold the "lib" folder... when we turn the directory "xtract" back into the "lib.lzm" file it will not contain the folder "xtract". Once you've got it extracted into whatever you called your folder, then it's time to overwrite the old driver with the new one. Here's what I did for mine: overwrite rt73.ko from "lib/modules/2.6.21.5/extra/rt73.ko" with the new driver! Then place the firmware "rt73.bin" in lib/firmware/rt73.bin. With the new files in place it's time to re-create the "lib.lzm" file! First rename the original "lib.lzm" to something else so we don't overwrite it...

    dir2lzm xtract lib.lzm

Now you can re-create the ISO using the new "lib.lzm" that you've created! Once burned or put onto a USB drive you'll have the new driver! And everything will work great! ;) It goes in the "BT3/base" directory of the ISO image. There is a make_iso.sh + make_iso.bat so it can be made on linux or windows pretty easily! I'm not going to post the whole ISO because it's too huge! But for anyone that has the RT73 chipset, here's the "lib.lzm" file ready to go: http://rapidshare.com/files/147852111/lib.lzm.html

I'd also like to add that the wireless assistant is no longer problematic (it sometimes used to crash before with the old driver); now it works great! So if you have an RT73 device, I recommend getting the newest driver for it!! So there ya have it! A way to put new drivers for devices directly on the backtrack CD without having to wait until backtrack 4 comes out ;)
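An added example, not code from the thread: a POSIX shell script that stages a rebuilt .ko and its firmware into an extracted lib.lzm tree the way the two posts above describe, but refuses the copy when the tree has no module directory for the kernel version given (the mismatch behind the earlier modprobe failure). The function names, the mktemp-built sample tree and the optional modinfo vermagic check are assumptions; lzm2dir and dir2lzm are only referenced in comments since they exist on the live CD, not in general.

```shell
#!/bin/sh
# Added example (not from the thread). Stage a rebuilt driver into an
# extracted BT3 lib.lzm tree, using the layout the post describes:
#   <tree>/lib/modules/<kver>/extra/<mod>.ko and <tree>/lib/firmware/<mod>.bin
# Function names and the constructed sample tree are assumptions.
set -eu

# Path of a module inside an extracted tree for a given kernel version.
module_path() {             # $1=tree $2=kver $3=module name
    printf '%s/lib/modules/%s/extra/%s.ko\n' "$1" "$2" "$3"
}

# Copy the new .ko and .bin over the old ones. Returns 1 instead of copying
# when the tree has no such module for that kernel version: that means the
# wrong extraction directory or a kernel the live CD will not load it under.
stage_driver() {            # $1=tree $2=kver $3=module $4=new.ko $5=new.bin
    ko=$(module_path "$1" "$2" "$3")
    fw="$1/lib/firmware/$3.bin"
    [ -f "$ko" ] || { echo "no $3.ko for kernel $2 under $1" >&2; return 1; }
    [ -d "$1/lib/firmware" ] || { echo "no firmware dir under $1" >&2; return 1; }
    cp "$4" "$ko" && cp "$5" "$fw"
}

# Optional, real system only (assumed available there): confirm the rebuilt
# module was compiled for the live CD's kernel before repacking.
check_vermagic() {          # $1=file.ko $2=kver
    modinfo -F vermagic "$1" | grep -q "^$2 "
}

# Constructed demo tree so the script runs anywhere. On BT3 the surrounding
# steps are:  lzm2dir lib.lzm xtract   ...   dir2lzm xtract lib.lzm
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/xtract/lib/modules/2.6.21.5/extra" "$t/xtract/lib/firmware"
    echo old > "$t/xtract/lib/modules/2.6.21.5/extra/rt73.ko"
    echo old > "$t/xtract/lib/firmware/rt73.bin"
    echo new > "$t/rt73.ko"
    echo new > "$t/rt73.bin"
    stage_driver "$t/xtract" 2.6.21.5 rt73 "$t/rt73.ko" "$t/rt73.bin"
    cat "$t/xtract/lib/modules/2.6.21.5/extra/rt73.ko"      # prints "new"
    # A kernel version with no module directory is refused, not silently
    # written somewhere the CD will never look.
    if stage_driver "$t/xtract" 2.6.99 rt73 "$t/rt73.ko" "$t/rt73.bin" 2>/dev/null; then
        echo "should have been refused" >&2; rm -rf "$t"; return 1
    fi
    rm -rf "$t"
}
demo
```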
digip Posted September 24, 2008

I have BT3 installed on both my pc and a usb key, so when I installed the drivers, I think they just worked, as I have not been having the difficulties you were having.
Steve8x Posted September 25, 2008 Author

Last night I took my USB thumbdrive, which was the same as the CD I made with the new drivers, + my USB wifi device over to my friend's house! I cracked his WEP in less than 3 minutes! Actually more like 2 minutes, but I didn't take the picture immediately as I was talking to him. He was amazed that I was able to crack it so fast! It really showed him how weak WEP is ;) Here's my souvenir:

Also I verified that I can capture the WPA handshake by testing on my own network: I chose a password that I knew was on that word list you gave me (also the same one as Darren and Wess chose in episode 3x06) so that it would be able to crack it!

I'm starting to understand more about the rainbow tables for WPA. It won't make it crack the password immediately or even make sure it's cracked; it will however allow more passwords to be tested in a second. I was running aircrack-ng for over an hour before it finally got to the s words and it found the passphrase! I could really hear my computer working hard at it too! You could literally hear the processor crunching those numbers ;) My machine tests about 155 keys a second, which is slow because of all the processing it has to do! So we need to figure out how to get time memory trade off in place with those WPA pre-computed tables!

"Each passphrase is hashed 4096 times with SHA-1 and 256 bits of the output is the resulting hash. This is then compared to the hash generated in the initial key exchange. A lot of computing power is required for this."

That quote was taken from a site I found where the people actually made WPA rainbow tables! Here is the link: http://www.renderlab.net/projects/WPA-tables/ For the 7GB tables though the link seems to be not working, and the 33GIG tables, not sure how I would carry those around with me lol! I think there is a way to get aircrack to use them along with your wordlist so you can test more keys a second!
In that guy's test with his laptop, which normally can check 12 keys/sec, with the tables he achieved 18,000 keys/sec!!! A 149900% increase!!! That's a tremendous increase! If that carried over for me at 155 keys/sec, I would be able to test 232,345 keys / second! :) What took me an hour and thirty two minutes to crack my passphrase could have been done in 3.5 seconds! I'll do some more reading in trying to get this to work; let me know if you figure out anything.
digip Posted September 25, 2008

Well, I break the list up into multiple files and then run the crack against multiple word lists. Still takes forever, but it works a bit faster. I just wish I could assign all 4 cores to VMware, as right now it only lets me assign two, and not sure how BT3 is using those cores efficiently through the aircrack suite. I don't even know if aircrack is able to use multiple cores at the same time, but I think it probably isn't since it takes so long. Maybe someone can write a program to do the crack on windows and speed it up with multiple cores. Just save the handshake file from bt3 to windows and then crack it natively on windows using all 4 of my cpu cores + all my ram (in x64). Probably would finish a lot faster than me doing it in a VM.