Wlanconfig - The Madwifi-ng User's Best Friend! -by- trevelyn

/* disclaimer: I will not be held responsible for your actions.
 * The information within this document is for knowledge.
 * Anything that was illegal in any other document probably
 * still is. Audit your OWN phone systems only.
 * Here it is, completely from memory:
 */

Does WPA mean "wireless Pennsylvania?"

Summer 2008 *we* rule the city.

Atheros based WLAN cards can be used with either the-horrible-excuse-for-a-driver NDISWRAPPER, or Madwifi-ng. http://madwifi-ng.org

Madwifi-ng will give you, the user in the driver seat, full control of your card. NDISWRAPPER, on the other hand, is controlled by the same backseat driver that controls your grandmother's Windows machine.

Today, I am going to talk about a few instances in which you would utilize the Madwifi-ng driver to your advantage. Firstly, you will need an Atheros based card, and the driver successfully installed on your system. Here's what it looks like when you issue an "iwconfig":

code---------------------------------------------------------------------------o
trevelyn@Celeritas:~$ iwconfig
lo        no wireless extensions.

wifi0     no wireless extensions.

eth0      no wireless extensions.

ath1      IEEE 802.11g  ESSID:"nintendo"  Nickname:""
          Mode:Managed  Frequency:2.452 GHz  Access Point: 00:0F:B3:A1:A6:8C
          Bit Rate:1 Mb/s   Tx-Power:14 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=71/70  Signal level=-25 dBm  Noise level=-96 dBm
          Rx invalid nwid:76108  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

trevelyn@Celeritas:~$
code---------------------------------------------------------------------------o

This shows my Atheros based card as "ath1" (which I have created myself with wlanconfig) running at 2.452 GHz (channel 9) and in "Managed" mode.

When I installed this driver on my MacBook, the card was listed as ath0 (still is after each reboot) and would not allow me to set monitor mode with iwconfig:

code---------------------------------------------------------------------------o
trevelyn@Celeritas:/$ iwconfig ath0 mode monitor
Error for wireless request "Set Mode" (8B06) :
    SET failed on device ath0 ; Operation not permitted.
trevelyn@Celeritas:/$
code---------------------------------------------------------------------------o

I am not 100% sure why this card acts like this and I was personally quite disappointed. But then I read up on my card in forums and other text files, and I have about 2 years or so of experience now with Linux+802.11 configurations. The first time I saw wlanconfig used was when I was watching a video tutorial made by Muts, here: on how to hack WEP with a fragmentation method. From there, I became more and more familiar with the application.

To put the card into monitor mode I first have to destroy the "pseudo" card, or "wireless extension." Here in iwconfig's dump, you can see I have two devices listed for wireless: ath0, and wifi0.

code---------------------------------------------------------------------------o
trevelyn@Celeritas:/$ iwconfig
lo        no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:"Weak-Net2"  Nickname:""
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:14 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=0/70  Signal level=-96 dBm  Noise level=-96 dBm
          Rx invalid nwid:11500  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

eth0      no wireless extensions.

trevelyn@Celeritas:/$
code---------------------------------------------------------------------------o

"wifi0" is my actual card, and athX is the "extension," or pseudo device. You can destroy the pseudo device with wlanconfig like so:

code---------------------------------------------------------------------------o
root@Celeritas:/# wlanconfig ath0 destroy
root@Celeritas:/# iwconfig
lo        no wireless extensions.

wifi0     no wireless extensions.

eth0      no wireless extensions.

root@Celeritas:/#
code---------------------------------------------------------------------------o

Now, as you can see, the device is no longer listed under iwconfig. Next we need to create a new "pseudo" device with wlanconfig that IS in monitor mode by default:

code---------------------------------------------------------------------------o
root@Celeritas:/# wlanconfig ath create wlandev wifi0 wlanmode monitor
ath0
root@Celeritas:/# iwconfig
lo        no wireless extensions.

wifi0     no wireless extensions.

eth0      no wireless extensions.

ath9      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Monitor  Channel:0  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:14 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/70  Signal level=-96 dBm  Noise level=-96 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

root@Celeritas:/#
code---------------------------------------------------------------------------o

Now there's a card in monitor mode!
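Here is a small sh helper that wraps the destroy/create dance above (and the same trick is what gets you back to managed mode later on). It is an added example, not code from the original text or from the madwifi project: the function names are mine, the parent device is assumed to be wifi0, and it takes wlanconfig at its word that it prints the name of the VAP it just created, as it does in the transcripts.

```shell
#!/bin/sh
# Switch a Madwifi-ng pseudo device (VAP) between monitor and managed mode
# the way the transcripts above do it: destroy, then re-create.
# Added example, not from the original article or the madwifi project.
# Assumptions: the real card is wifi0, and wlanconfig prints the name of
# the VAP it just created on stdout, as it does in the transcripts.
#
# "iwconfig athX mode ..." is refused on a live VAP ("Operation not
# permitted" / "Invalid argument" above), so the working path is to tear
# the old athX down and build a fresh one.  The driver does NOT promise
# the new VAP gets the old name (ath0 -> ath9 -> ath1 above), so always
# use the name it hands back rather than the one you destroyed.
set -u

# madwifi_find_vaps: print the names of the existing athX pseudo devices,
# one per line, by reading the header line iwconfig prints per interface.
madwifi_find_vaps() {
    iwconfig 2>/dev/null | while read -r name rest; do
        case "$name" in
            ath[0-9]*)
                case "$rest" in
                    "IEEE 802.11"*) echo "$name" ;;
                esac ;;
        esac
    done
}

# madwifi_set_mode <parent> <monitor|managed> [old_vap]
# Prints the new VAP name; returns 2 on a bad mode, 1 if the driver fails.
madwifi_set_mode() {
    parent=$1
    mode=$2
    old_vap=${3:-}
    case "$mode" in
        monitor|managed|sta) ;;   # "sta" is madwifi's own name for managed
        *) echo "madwifi_set_mode: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # Tear down the old pseudo device first, if the caller named one.
    if [ -n "$old_vap" ]; then
        wlanconfig "$old_vap" destroy || return 1
    fi
    # Create the replacement and capture the interface name wlanconfig reports.
    new_vap=$(wlanconfig ath create wlandev "$parent" wlanmode "$mode") || return 1
    [ -n "$new_vap" ] || return 1
    echo "$new_vap"
}
# Typical use: old=$(madwifi_find_vaps | head -n 1); mon=$(madwifi_set_mode wifi0 monitor "$old")
```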
You can now set the frequency to that of your AP (or lab victim AP), or simply run "airodump ath9" to do a non-frequency-specific scan (a.k.a. channel hopping).

Now say we want to attach to the AP after scanning. We have to destroy the "pseudo" device, or you will see this when trying to set it back with iwconfig:

code---------------------------------------------------------------------------o
root@Celeritas:/# iwconfig ath9 mode managed
Error for wireless request "Set Mode" (8B06) :
    SET failed on device ath9 ; Invalid argument.
root@Celeritas:/#
code---------------------------------------------------------------------------o

Destroy it with "wlanconfig athX destroy". Then create a new device in "managed" mode instead of Monitor with "wlanconfig ath create wlandev wifi0 wlanmode Managed", and you should see something like this:

code---------------------------------------------------------------------------o
root@Celeritas:/# wlanconfig ath create wlandev wifi0 wlanmode Managed
ath0
root@Celeritas:/# iwconfig
lo        no wireless extensions.

wifi0     no wireless extensions.

eth0      no wireless extensions.

ath1      IEEE 802.11g  ESSID:""  Nickname:""
          Mode:Managed  Frequency:2.427 GHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:14 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=0/70  Signal level=-96 dBm  Noise level=-96 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

root@Celeritas:/#
code---------------------------------------------------------------------------o

Now ath1 is ready to be set up for your AP.

code---------------------------------------------------------------------------o
root@Celeritas:/# iwconfig ath1 essid nintendo key DEADDEAD1337DEAD1337DEAD69 channel 9
root@Celeritas:/#
root@Celeritas:/# iwconfig
lo        no wireless extensions.

wifi0     no wireless extensions.

eth0      no wireless extensions.

ath1      IEEE 802.11g  ESSID:"nintendo"  Nickname:""
          Mode:Managed  Frequency:2.452 GHz  Access Point: 00:0F:B3:A1:A6:8C
          Bit Rate:54 Mb/s   Tx-Power:14 dBm   Sensitivity=1/1
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:DEAD-DEAD-1337-DEAD-1337-DEAD-69   Security mode:restricted
          Power Management:off
          Link Quality=80/70  Signal level=-16 dBm  Noise level=-96 dBm
          Rx invalid nwid:2905  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

root@Celeritas:/#
code---------------------------------------------------------------------------o

You see? No errors there! Now that this configuration has been set up, we need to get an IP from the router. Then test the inet connection by pinging a well known website:

code---------------------------------------------------------------------------o
root@Celeritas:/# dhclient ath1
Internet Systems Consortium DHCP Client V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

wifi0: unknown hardware address type 801
wifi0: unknown hardware address type 801
Listening on LPF/ath1/06:17:f2:ef:6d:7c
Sending on   LPF/ath1/06:17:f2:ef:6d:7c
Sending on   Socket/fallback
DHCPREQUEST on ath1 to 255.255.255.255 port 67
DHCPACK from 192.168.1.1
bound to 192.168.1.68 -- renewal in 33940 seconds.
root@Celeritas:/#
code---------------------------------------------------------------------------o

Note: If you are having trouble getting the card back into "Managed" mode after setting it up as "Monitor" (e.g. dhclient gives no IP):

1. Make sure you input the right settings with iwconfig: check the WEP key, the channel (must be the same as the AP's), and the ESSID. The ESSID (extended service set identifier; some people don't know this) IS case sensitive! Also, if you have a special character or space in the ESSID, try using quotes.

2. Sometimes I have found that I need to run "reboot" to set everything back to its initial state before continuing. This is rare, but, sadly, (sh)it happens!

3. If you find that you have been disassociated from the router (out of nowhere you can't even ping google.com), change a small setting, like resetting the channel with "iwconfig athX channel X", replacing the X's with your specifics. Then run dhclient again. This does the trick. Note: you can set the rate too. Also, if it keeps acting up you should consider changing to a newer version of the madwifi-ng driver.

trevelyn from Weak-Net Labs/2Dial*Phreak = kp101st[at]gmail[dot]com