Ubiquiti SR71e and Aircrack-NG
Posted by Trevelyn on Tuesday Mar 16, 2010 Under Computer Security, Hacking / Phreaking, WiFi

Well, the card came today: the SR71e from Ubiquiti with the Atheros AR9280 chip.

Sadly, the WeakNet Linux kernel is too old and ath9k will not inject. In fact, as soon as you inject the first packet, the kernel panics, causing the whole system to lock up and the Lock keys to blink. I remember reading somewhere that certain kernels actually blocked packet injection; this could very well be the case. I plan on using the bleeding edge next time I release a WNLA anyway! But the card still sniffs fine and goes into monitor mode, and managed mode works fine as well.
The BT4 final disk works with injection though! They used a newer kernel than I did. Here are some shots of the SR71e in action. It was all done within closed boundaries. The aireplay-ng command to fake associate and authenticate was blazing fast. I was deauthenticated though; adding the appropriate flags to aireplay-ng, like -q 10, would have fixed that, but I just kept bashing away until I got it. I was so close to the router that it really didn’t matter.
Here is a fake authentication with the router. This would have failed instantly if packet injection were not possible with ath9k and this device.

Here are three different Atheros-based cards. The first on the far left is the AR5BXB6 internal mini PCI Express card. The middle card is the SR71e. The card on the far right is the SMC Networks SMCWCB-G2 PCMCIA card. The biggest difference so far is the client lists!

Since the WEP key I chose is completely numeric, I didn’t need that many IVs; I simply daydreamed a bit too long!

Well, after walking home while creating a WardriveSQL DB entry, the first thing I did was set up a router in my temporary apartment and crack WEP with it. The clients list is one that the other two cards never see! This is very good for applications like Catchme-NG, where client lists are the payload and wireless sensitivity counts!

Specifications
Here is the output from lspci -vvv for it:
0c:00.0 Network controller: Atheros Communications Inc. AR928X Wireless Network Adapter (PCI-Express) (rev 01)
    Subsystem: Device 0777:4e05
    Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
    Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort-
    Interrupt: pin A routed to IRQ 17
    Region 0: Memory at ecef0000 (64-bit, non-prefetchable) [size=64K]
    Capabilities: [40] Power Management version 2
        Flags: PMEClk- DSI- D1+ D2- AuxCurrent=375mA PME(D0+,D1+,D2-,D3hot+,D3cold-)
        Status: D0 PME-Enable- DSel=0 DScale=0 PME-
    Capabilities: [50] Message Signalled Interrupts: Mask- 64bit- Queue=0/0 Enable-
        Address: 00000000 Data: 0000
    Capabilities: [60] Express (v1) Legacy Endpoint, MSI 00
        DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s <512ns, L1 <64us
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE- FLReset-
        DevCtl: Report errors: Correctable- Non-Fatal- Fatal- Unsupported-
            RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop-
            MaxPayload 128 bytes, MaxReadReq 512 bytes
        DevSta: CorrErr- UncorrErr- FatalErr- UnsuppReq- AuxPwr- TransPend-
        LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM unknown, Latency L0 <512ns, L1 <64us
            ClockPM- Suprise- LLActRep- BwNot-
        LnkCtl: ASPM L1 Enabled; RCB 128 bytes Disabled- Retrain- CommClk+
            ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
        LnkSta: Speed 2.5GT/s, Width x1, TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
    Capabilities: [90] MSI-X: Enable- Mask- TabSize=1
        Vector table: BAR=0 offset=00000000
        PBA: BAR=0 offset=00000000
    Capabilities: [100] Advanced Error Reporting >
    Capabilities: [140] Virtual Channel >
    Capabilities: [160] Device Serial Number 00-00-00-00-00-00-00-00
    Kernel driver in use: ath9k
    Kernel modules: ath9k

Verdict
ath9k needs a newer kernel to inject. Aircrack-ng’s website claims “Starting with 2.6.29.4+ and 2.6.28.10+” but WNLAv3 is 2.6.28.14! Even so, it’s an amazing card for the price: $59 USD. I would highly recommend it over any other Mini PCI Express card I have ever owned.












