The collection of tools is amazing and I don’t even need to go on blabbering about it. Its the distro of choice for security professionals. The multitude of scripts are simply vast each grouped neatly in the appropriate categories for radio analyzing, os fingerprinting, forensics etc etc (heck, I don’t even remember all of them).

I booted into BT2 using the live CD. I prefer the live CD in this case as I don’t exactly wanna mess around with my wireless settings by creating and destroying multiple VAPs. Got down straight to work, fired up airodump-ng. Found a couple of clients connected to the AP near me. Deauth-ed them with aireplay-ng. To make sure it was working, called over a friend to my room, tested the deauth on his laptop and it was working!

Ok, catch up with your breath. This is how I did it:

Created a VAP ath1 in monitor mode
wlanconfig ath1 create wlandev wifi0 wlanmode monitor
I wont even explain how to start up airodump-ng. Its as easy as 1-2-3.

Deauth the clients using the MAC addresses found with aireplay-ng.
aireplay-ng -0 30 -c client MAC address -a access point MAC address ath1
Here -0 means deauth and 30 is the number of deauth requests to be sent.

At this stage, you can easily spoof the MAC address and capture the packets intended to be received by the now disconnected client. Maybe get around MAC based authentication too if that is the first layer of security in a network.
Finally, don’t forget to check out the documentation and tutorials at aircrack-ng.org

Edit your /etc/rc.local file and add the following lines before exit 0

modprobe ath_pci
(sleep 10 && /sbin/iwpriv ath0 mode 3) &


Actually it uses the iwpriv mode X command to lock the card to a specific mode, where
X=0, for a/b/g
1, for a
2, for b
3, for g
You add this to /etc/rc.local to make the change permanent, so that these settings are loaded every time you boot into ubuntu.

Source

Gotta try out wicd as a replacement for network manager too.

Agreed that traffic shapers are very much needed for maintaining the QoS of the network, but the University authorities have simply pulled off a cheap trick by misusing the powers of these tools.

In my next post, I’ll be posting some iperf results as evidence to my claims.

For my Thinkpad R60, these were the lines I needed to enter in /etc/sysctl.conf

dev.wifi0.ledpin=1
dev.wifi0.softled=1

If any experts are reading this, is it a flaw in the IOS RADIUS itself or something is wrong with its implementation on our network?

I have an atheros chipset wireless card on my lappy, and the madwifi-ng drivers for Edgy don’t include the madwifi-tools package. So had to download and install it from debian’s testing branch. This package includes the wlanconfig tool. Without this, the aircrack-ng suite is as good as defunct.

Now comes the real part. Firing up the suite. First of all, you need to put your card into ‘monitor mode’ . Under this mode, you will be able to monitor all the traffic in your wireless network. Somewhat like the promiscuous mode.

Now, when you enter the following command, you will get something like the following output:

# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:"Tata Indicom Wi-Fi"
Mode:Managed  Frequency:2.462 GHz  Access Point: 00:17:5A:B7:B8:20
Bit Rate:11 Mb/s   Tx-Power:8 dBm   Sensitivity=0/3
Retry:off   RTS thr:off   Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=19/94  Signal level=-76 dBm  Noise level=-95 dBm
Rx invalid nwid:28018  Rx invalid crypt:0  Rx invalid frag:0
Tx excessive retries:0  Invalid misc:0   Missed beacon:0

sit0      no wireless extensions.

Now lets be clear about something. The interface wifi0 is actually the base device, indicative of the network card you are using. Suppose you have two cards supported by the madwifi driver. Then these two will show up as wifi0 and wifi1. Now for each base device, you can use wlanconfig to create VAPs (Virtual Access Points) running under different modes. Now going back to the output above, if you want to use ath0 for monitoring purposes, which is already under use, use airmon-ng to first stop the VAP.

#airmon-ng stop ath0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Now if you want to use another VAP like say ath1, use wlanconfig to create it in station mode and then stop it by issuing the above command.

# wlanconfig ath1 create wlandev wifi0 wlanmode sta

Now, after stopping the device you need to put the card in monitor mode

#airmon-ng start wifi0

Interface       Chipset         Driver

wifi0           Atheros         madwifi-ng
ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

Now comes the role of airodump-ng for sniffing out networks. Start it

#airodump-ng ath0

So, airodump-ng now starts hopping channels and lists all the access points it can receive beacons from. You will see an output like this:

Next comes the part of zeroing in one certain AP and capturing data packets from it, writing all of it to disk and use it for cracking the WEP key.

To be contd in the 2nd part (‘coz this gets updated as soon as I myself learn it!)

Recommended readings:
1. The MadWifi wiki page
2. The aircrack-ng documentation
3. And ofcourse the man pages!

If you are stuck at any point or screw something up, just visit the #madwifi channel on freenode network. The guys there are ever willing to help you out!