Hello guys,
Just got the card and it's super power, incredible really, my results got more than 10 times the power I previously had with a regular wifi pen. I'm gonna test some drivers for this.
Last edited by grikster; 12-06-2007 at 08:53 PM.

Having problems configuring Kismet with ALFA 500mw.
I have in kismet.conf:
version=2005.06.R1
suiduser=postgres
source=r8187,wlan0,ALFA
Can anyone help me with what I'm supposed to do next? I'm also having issues: I test injection and it works, I try wesside and it doesn't work:
Code:
bt kismet-2007-10-R1 # wesside-ng -i wlan0
[19:05:50] Using mac 00:11:22:33:44:55
[19:05:50] WARNING: Appending in wep.cap
[19:05:50] Looking for a victim...
[19:05:51] Found SSID(MM) BSS=(00:13:10:8A:DB:03) chan=11
[19:05:51] Authenticated
[19:05:51] Associated (ID=1)
[19:05:56] \
[19:05:56] Dying...
bt kismet-2007-10-R1 #
B:03 -h 00:11:22:33:44:55 wlan0
Code:
19:03:41 Waiting for beacon frame (BSSID: 00:13:10:8A:DB:03)
19:03:41 Sending Authentication Request [ACK]
19:03:41 Authentication successful
19:03:41 Sending Association Request [ACK]
19:03:41 Association successful :-)
My router has MAC address filtering, it's an SMC one. I'm lost on what to do. Thanks for reading this.

Oops.
Thanks merlin051, you are right. I was just going off the iwconfig output and misread it. Card won't respond to the iwconfig txpower command to change txpower, but I guess I am stuck at 5 (which is fine) till I figure out how to configure it properly! Wicked card! Cheers.
PS Pilotsnipes, thanks for the detailed howtos. Will they work for the latest svn branch aircrack-ng 1.0 beta1 r865? I was a bit scared to try them on a different version! Keep up the good work guys. Cheers.
Last edited by balding_parrot; 01-30-2008 at 04:48 AM.

Hi all... this is my 1st post in the forum so apologies if it's in the wrong place or sumfin... I'm a noob with forums too.
I'm having a problem, well, many problems trying to crack my 128 WEP router...but this is the most recent problem... I seem to have successfully got as far as running Aircrack but have hit a wall.
I'm running a raw BT2 Final CD, patched with "Update 01st/Oct/2007 - Included latest aircrack 0.9.1 (svn772) version (with new v5 alfa patch)" ...and this is the full list of commands I've run once logged in and after xconf/startx...I booted without the Alfa connected
cd rtl8187_linux_26.1010.0622.2006/
make
sh wlan0up (Error about device not being plugged in)
PLUG IN ALFA
sh wlan0up (receive error about file exists)
ifconfig wlan0 down
macchanger -m 00:11:22:33:44:55 wlan0
ifconfig wlan0 up
airmon-ng start wlan0 <it does go into monitor with no probs>
airodump-ng wlan0 and control-C when desired AP is found
airodump-ng -c 9 -w jason --bssid 00:XX:22:XX:44:XX wlan0 (Leave window open)
aireplay-ng -1 0 -e MYROUTER -a 00:XX:22:XX:44:XX -h 00:11:22:33:44:55 wlan0 (This associates OK)
aireplay-ng -3 -b 00:XX:22:XX:44:XX -h 00:11:22:33:44:55 wlan0
aircrack-ng -n 128 --bssid 00:XX:22:XX:44:XX jason-01.cap (or jason.cap, or any derivative I can think of...nothing works, this is my brick wall)
The problem is that I am looking at 623000 Data and 303 #/s in airodump. In aireplay it shows 1380000 Read, 675000 ARP requests, 696000 sent packets and 254 PPS ...then I thought I'd run Aircrack on the .cap file that Aireplay said it was saving the ARP requests in...so I run this command...
aireplay-ng -n 128 --bssid 00:XX:22:XX:44:XX replay_arp-0223-033338.cap
but it ALWAYS comes back saying...
Opening replay_arp-0223-033338.cap
Read 8 packets (only 8 every time!)
Not enuff IV's available...you need at least 250000 etc etc
It always only says 8 packets read, no matter how all the rest of the numbers are rolling, and they do roll fast.
All the above info was pasted together from "merlin051" and the Xploitz E-Z WEP video...plus 3 weeks of research, the purchase of a D-link GWL-G122 B1 2.02 (works like a total dream with nothing more than airoscript.sh)...a Senao NL2511CD EXT2 1.8.0 (no joy what-so-ever), an Alfa AWUS036S (no joy either).
Would somebody please come back with a "Yeah, you missed this simple command" type thing and bring back my happiness?
When cracking WEP with my D-Link, airoscript always has it constantly DeAuth-ing...but the Xploitz video shows none of this...why different cards are run in different ways I've no idea...I'm a total noob to linux and Backtrack so am really just pulling bits of commands from here and there and hoping something miraculously happens!!
By the way...on all my WEP 'hacks' my read packets have to be up around 3000-6000 before any ARP's are got...why doesn't it just start shooting up at the start like all the vids I see?
My alfa is USB'd to about 4 metres away from my router.
If the D-link just had an external antenna connector, it's totally the poster-child for WEP cracking.
Cheers for any help...

The file you want is jason-**.cap where ** changes each time you run airodump.
Look in your root directory and you will find out what it is called. You can also run it as aircrack-ng *.cap and it will open and use all of the cap files. Only had a quick look and that was the first thing that jumped out at me.
__________________
Any questions you have will get a good answer as long as you have followed the forum rules and show you have tried to help yourself. Your questions are clear and contain as much relevant info as possible, especially error messages, commands you have tried and the output from those commands.
remember: garbage in = garbage out
BackTrack needs your donations, no matter how small. Please contribute HERE

Cheers balding_parrot
That's what I thought the command was...my problem was that I'd been running aircrack in the wrong directory, and therefore hadn't selected the correct file...lolol ! Correct commands, wrong dir...tit !
I'm flying with my Alfa AWUS036H on both the modified BT2, and way better still with BT3b, the new aircrack does the job in about a third of the time...nice one you wizards you. I'll post exactly what I've done shortly so other noobs have totally idiot-proof instructions...or PM me in the meantime if nothing appears...
I also figured why my ARP's weren't rising...coz I wasn't generating anything on my other (client) machine, i.e. web browsing...BTW noobs...with my procedure below there does indeed need to be some kind of client PC attached to the AP...wired or wifi makes no difference...but it must be surfing the net in some way when you start the attack...WHICH LEADS ME TO MY NEXT AND PROBABLY FINAL HURDLE...(famous last words!)
CAN SOMEBODY HELP WITH THIS....?? (Not shouting, drawing emphasis!)
My final(!) problem is this...If I leave my house to test the full range of my AWUS036H then how can I get ARP's if I am not around to do some surfing on my attached client PC...coz at the mo my ARP's only start rolling when I do something on my client, a simple page refresh starts the ARP's.
With my D-link GWL-G122 I can run airoscript.sh (BTW, I haven't figured out how to use airo with my alfa's...any help?...it just won't run, or does not see any alfa attached, i.e. I don't get the 'choose adapter' first screen, just goes straight into the first load of 1 to 9 options????)...anyway, with airoscript (and D-Link) I do not need a client attached...just the router to be on, and airoscript gets the job done in minutes, all automatically...but with my alfa's and the set of commands in my previous post I absolutely must have an attached client and it must be doing something on the web...just a one page refresh is enuff to get the ARP's going...but I must physically do this on the client or no ARP's at all...maybe a few literally.
So can anybody (parrot?) tell me the modified commands to get the wep cracked without a client to rely on?...all I want is one laptop, the target router and that's it...oh, I do have 2 laptops so if I need to use one of those as a fake client what are the commands?...I'd rather only use the 1 laptop (that's all I need with the d-link) but I do have 2 if need be.
Thanks for anybody's and everybody's help in advance.
Oh, one last thing...my hat's off to all you programmers out there who sat down, figured out, and finally wrote all this... magicians the lot of ya !

Glad to have helped.
Try -=Xploitz=- tutorials on clientless and client WEP attacks in the tutorials and guides section, the answers to your questions are there.