In this configuration, we used two laptops. The first one is configured as an access point, working as an Ethernet bridge between the radio and the wired network, and the second one is configured as a regular client of the access point. A second wireless card in the client laptop allows sniffing of this regular connection between the client and the AP.
The access point laptop has the following configuration for its two PCMCIA cards:
[root@frog root]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=no
[root@frog root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:10:4B:60:CA:26
          inet addr:192.168.128.7  Bcast:192.168.128.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1389 (1.3 Kb)  TX bytes:650 (650.0 b)
          Interrupt:9 Base address:0x4800
Apr 21 16:28:41 frog cardmgr[631]: socket 0: BroMax Freeport 11Mbps WLAN Card
Apr 21 16:28:41 frog kernel: cs: memory probe 0xa0000000-0xa0ffffff: clean.
Apr 21 16:28:42 frog cardmgr[631]: executing: 'modprobe prism2 channel=10 iw_mode=3 essid=test ignore_cis_vcc=0'
Apr 21 16:28:42 frog kernel: prism2: prism2.c 0.0.0 2002-04-13 (SSH Communications Security Corp, Jouni Malinen)
Apr 21 16:28:42 frog kernel: prism2: (c) SSH Communications Security Corp <jkm@ssh.com>
Apr 21 16:28:42 frog kernel: prism2: index 0x01: Vcc 5.0, irq 3, io 0x0100-0x013f
Apr 21 16:28:42 frog kernel: prism2: Registered netdevice wlan0
Apr 21 16:28:42 frog kernel: wlan0: NIC: id=0x800c v1.0.0
Apr 21 16:28:42 frog kernel: wlan0: PRI: id=0x15 v1.0.5
Apr 21 16:28:42 frog kernel: wlan0: STA: id=0x1f v1.3.4
Apr 21 16:28:42 frog cardmgr[631]: executing: './network start wlan0'
Apr 21 16:28:43 frog /etc/hotplug/net.agent: invoke ifup wlan0

For the card to be discovered correctly, I had to add its identity to the /etc/pcmcia/prism2.conf configuration file.
card "BroMax Freeport 11Mbps WLAN Card"
  manfid 0x0274, 0x1612
  bind "prism2"

In this same configuration file, you can also force some module parameters. If you configure the module here, you can leave the /etc/pcmcia/wireless.opts file empty, as all the information required for HostAP is given when the module is loaded.
# Optional configuration parameters for prism2.o
module "prism2" opts "channel=10 iw_mode=3 essid=test ignore_cis_vcc=0"

In this example, you use channel 10, mode 3 (Master mode), and the ESSID test. Now check that the wireless card is operating in AP mode.
[root@frog root]# iwconfig wlan0
Warning : Device wlan0 has been compiled with version 12
of Wireless Extension, while we are using version 11.
Some things may be broken...

wlan0     IEEE 802.11-DS  ESSID:"test"
          Mode:Master  Frequency:2.457GHz  Access Point: 00:02:DD:30:3E:4B
          Bit Rate:2Mb/s   Tx-Power:2 dBm   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

We see here that the interface is called wlan0 and is reported as IEEE 802.11-DS in Master mode, which is another way of saying that we are in AP/Master mode. The frequency is derived directly from the channel we gave when loading the prism2.o module. No encryption is used yet.
[root@frog root]# lsmod
Module                  Size  Used by    Not tainted
prism2                 74528   1
3c59x                  26632   1
ds                      7136   2  [prism2]
yenta_socket           11456   2
pcmcia_core            39360   0  [prism2 ds yenta_socket]
autofs                 10852   1  (autoclean)
ext3                   63040   0  (unused)
jbd                    41016   0  [ext3]

The interesting modules here are 3c59x, which corresponds to the eth0 wired interface (its use count is 1 because the interface is currently up and running), and prism2, which corresponds to our wireless PCMCIA card. Its use count is 0 because the corresponding interface wlan0 is actually up too.
[root@frog root]# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:02:DD:30:3E:4B
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:7440 (7.2 Kb)
          Interrupt:3 Base address:0x100

The next step towards a working access point is to configure the Ethernet bridge between wlan0 and eth0.
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 wlan0
ifconfig eth0 0.0.0.0
ifconfig wlan0 0.0.0.0
ifconfig br0 192.168.100.200 up
[root@frog root]# ifconfig br0
br0       Link encap:Ethernet  HWaddr 00:02:DD:30:3E:4B
          inet addr:192.168.100.200  Bcast:192.168.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

You can now activate WEP encryption with an iwconfig invocation.
[root@frog root]# iwconfig wlan0 key 01:02:03:04:05
[root@frog root]# iwconfig wlan0
Warning : Device wlan0 has been compiled with version 12
of Wireless Extension, while we are using version 11.
Some things may be broken...

wlan0     IEEE 802.11-DS  ESSID:"test"
          Mode:Master  Frequency:2.457GHz  Access Point: 00:02:DD:30:3E:4B
          Bit Rate:2Mb/s   Tx-Power:6 dBm   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:0102-0304-05   Encryption mode:restricted
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

On the other laptop, I use the 3Com wireless card as a regular client of my Linux access point. This card uses the poldhu_cs driver, appears as a network interface called eth0, and is configurable via /etc/pcmcia/wireless.opts. The poldhu_cs driver supports WEP encryption and wireless extensions. In wireless.opts you have to configure a few parameters.
[root@bonobo poldhu]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=no

You should see your wireless interface with the correct AP, encryption settings, and ESSID.
[root@bonobo poldhu]# iwconfig eth0
eth0      IEEE 802.11b  ESSID:"test"
          Mode:Managed  Frequency:2.457GHz  Access Point: 00:02:DD:30:3E:4B
          Tx-Power=14 dBm
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:0102-0304-05   Encryption mode:open

Then, hopefully, the DHCP server will provide you with a valid IP address through the wireless AP.
[root@bonobo poldhu]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:04:76:A6:7E:76
          inet addr:192.168.128.10  Bcast:192.168.128.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4579 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3849 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:604336 (590.1 Kb)  TX bytes:251052 (245.1 Kb)
          Interrupt:4 Base address:0x180

The other Prism2.5 wireless card is now inserted in the second PCMCIA slot. This card is configured not to connect to the current network: be sure not to provide an ESSID or a WEP key in /etc/pcmcia/wlan-ng.opts.
[root@bonobo poldhu]# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:02:DD:30:3E:5B
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:4672 (4.5 Kb)
          Interrupt:5 Base address:0x280

Put the Prism2.5 card in promiscuous mode.
[root@bonobo poldhu]# wlanctl-ng wlan0 lnxreq_wlansniff channel=10 enable=true keepwepflags=false prismheader=true
message=lnxreq_wlansniff
  enable=true
  channel=10
  prismheader=true
  keepwepflags=false
  resultcode=success

You can now sniff radio packets. In this capture, most of the traffic is control frames (beacon frames), and the Ethernet frames are encapsulated into IEEE 802.11 frames. On the snapshot, you naturally have access to the WEP parameters, including the Initialization Vector. You can save these packets to process them later. The goal of WEP-cracking programs is to collect enough distinct weak values of these Initialization Vectors. Vendors have various workarounds to avoid generating these weak initialization vectors.
[root@frog root]# iwconfig wlan0 key 01:02:03:04:05 off
[root@frog root]# iwconfig wlan0
Warning : Device wlan0 has been compiled with version 12
of Wireless Extension, while we are using version 11.
Some things may be broken...

wlan0     IEEE 802.11-DS  ESSID:"test"
          Mode:Master  Frequency:2.457GHz  Access Point: 00:02:DD:30:3E:4B
          Bit Rate:2Mb/s   Tx-Power:6 dBm   Sensitivity=1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  invalid crypt:1  invalid misc:0

On the client laptop, remove the KEY entry from /etc/pcmcia/wireless.opts before restarting the pcmcia service. You should obtain an IP address too.
[root@bonobo poldhu]# iwconfig eth0
eth0      IEEE 802.11b  ESSID:"test"
          Mode:Managed  Frequency:2.457GHz  Access Point: 00:02:DD:30:3E:4B
          Tx-Power=14 dBm
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:off
[root@bonobo poldhu]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:04:76:A6:7E:76
          inet addr:192.168.128.10  Bcast:192.168.128.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:379882 errors:0 dropped:0 overruns:0 frame:0
          TX packets:379683 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:14473768 (13.8 Mb)  TX bytes:13674440 (13.0 Mb)
          Interrupt:5 Base address:0x280

Put the Prism2.5 card in promiscuous mode.
[root@bonobo poldhu]# ifconfig wlan0 up
[root@bonobo poldhu]# ifconfig wlan0
wlan0     Link encap:UNSPEC  HWaddr 00-02-DD-30-3E-5B-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2963 errors:0 dropped:0 overruns:0 frame:0
          TX packets:892 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:631204 (616.4 Kb)  TX bytes:46905 (45.8 Kb)
          Interrupt:4 Base address:0x180

You can now capture packets and examine them in clear text, as in this snapshot. I have highlighted a packet, an 802.11 frame without WEP encryption, where you can this time read an HTTP request in clear text. This clearly demonstrates how dangerous it can be to use unencrypted higher-level protocols, because this kind of sniffing is totally passive.
[root@bonobo WepCrack-0.0.10]# wlanctl-ng wlan0 lnxreq_wlansniff channel=10 enable=true keepwepflags=false prismheader=false
message=lnxreq_wlansniff
  enable=true
  channel=10
  prismheader=false
  keepwepflags=false
  resultcode=success
[root@bonobo WepCrack-0.0.10]# tcpdump -i wlan0 -c 4000 -w /tmp/capture.log
tcpdump: WARNING: wlan0: no IPv4 address assigned
tcpdump: listening on wlan0
4000 packets received by filter
0 packets dropped by kernel
[root@bonobo WepCrack-0.0.10]# ./prism-getIV.pl < /tmp/capture.log | head -10
IV: 169-206-15-
IV: 169-206-16-
IV: 169-206-17-
IV: 169-206-18-
IV: 169-206-19-
IV: 169-206-20-
IV: 140-9-66-
IV: 169-206-21-
IV: 232-53-254-

Using tcpdump to store the sniffed frames, you can now examine the IV distribution with a tool like prism-getIV.pl. The first IV of the above sequence also shows up in this snapshot with Ethereal, if you load the same /tmp/capture.log file. There are noticeable elements in this sequence:
/* Fluhrer, Mantin, and Shamir have reported weaknesses in the key
 * scheduling algorithm of RC4. At least IVs (KeyByte + 3, 0xff, N)
 * can be used to speedup attacks, so avoid using them. */
if ((local->wep_iv & 0xff00) == 0xff00) {
	u8 B = (local->wep_iv >> 16) & 0xff;
	if (B >= 3 && B < klen)
		local->wep_iv += 0x0100;
}
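The following C program is an added example, not code from this page or from the HostAP driver. It puts the two pieces above together from the defender's side: it classifies captured IVs, written in the B0-B1-B2 form that prism-getIV.pl prints, according to the Fluhrer-Mantin-Shamir condition (KeyByte + 3, 0xff, N) quoted in the driver comment, and it reproduces the counter-and-skip logic of the driver snippet as a user-space function so you can check that such a generator never emits a weak IV. It assumes a 40-bit WEP key (5 bytes, like the 01:02:03:04:05 key used here), so klen, which the snippet does not define, is taken to be the full RC4 key length of 3 IV bytes plus 5 key bytes; the sample IV list is constructed, with its first three entries copied from the capture above.

```c
/* weak_iv.c - FMS weak-IV audit and hostap-style IV counter (added example;
 * not from the page or the HostAP project). Assumption: 40-bit WEP key, so
 * the RC4 key is 3 IV bytes + 5 secret key bytes = 8 bytes (the snippet's
 * klen). Build: cc -std=c99 -Wall -o weak_iv weak_iv.c */
#include <stdint.h>
#include <stdio.h>

#define WEP_KEY_BYTES 5
#define RC4_KEY_LEN   (3 + WEP_KEY_BYTES)   /* assumed meaning of klen */

/* A WEP IV as the three bytes sent on the air, B0 B1 B2. prism-getIV.pl
 * prints them as "B0-B1-B2"; hostap keeps them in a 24-bit counter with
 * B0 in bits 16..23, B1 in bits 8..15 and B2 in bits 0..7. */
typedef struct {
    uint8_t b0, b1, b2;
} wep_iv;

static wep_iv counter_to_iv(uint32_t c)
{
    wep_iv iv = { (uint8_t)(c >> 16), (uint8_t)(c >> 8), (uint8_t)c };
    return iv;
}

/* FMS "resolved" IV: (A + 3, 0xff, N) leaks information about secret key
 * byte A. Returns A (0-based index into the WEP key) or -1 when the IV is
 * not of that form. This is the same condition the driver snippet tests:
 * middle byte 0xff and first byte B with 3 <= B < klen. */
int fms_weak_key_byte(wep_iv iv)
{
    if (iv.b1 != 0xff)
        return -1;
    if (iv.b0 < 3 || iv.b0 >= RC4_KEY_LEN)
        return -1;
    return iv.b0 - 3;
}

/* Next value of a hostap-style IV counter: increment, then, if the result
 * is a weak IV, add 0x0100 so the middle byte rolls from 0xff to 0x00
 * (carrying into B0). The whole (B, 0xff, *) row is therefore skipped. */
uint32_t next_iv_counter(uint32_t counter)
{
    counter = (counter + 1) & 0xffffff;
    if ((counter & 0xff00) == 0xff00) {
        uint8_t B = (counter >> 16) & 0xff;
        if (B >= 3 && B < RC4_KEY_LEN)
            counter += 0x0100;
    }
    return counter & 0xffffff;
}

/* Audit: how many IVs of a capture are FMS-weak. A non-zero count on a
 * network tells you the transmitting card does not apply the skip above. */
int count_weak_ivs(const wep_iv *ivs, int n)
{
    int weak = 0;
    for (int i = 0; i < n; i++)
        if (fms_weak_key_byte(ivs[i]) >= 0)
            weak++;
    return weak;
}

/* Drive the counter for `steps` values from `start` and count the weak IVs
 * it emits; for the generator above this must be zero even over a full
 * 2^24 cycle. */
int weak_ivs_emitted(uint32_t start, int steps)
{
    int weak = 0;
    uint32_t c = start;
    for (int i = 0; i < steps; i++) {
        c = next_iv_counter(c);
        if (fms_weak_key_byte(counter_to_iv(c)) >= 0)
            weak++;
    }
    return weak;
}

int main(void)
{
    /* Constructed sample: three IVs from the capture on this page, two
     * FMS-weak ones (key byte 0 and key byte 2), and one with B0 beyond
     * klen, which is not weak. */
    wep_iv sample[] = {
        {169, 206, 15}, {169, 206, 16}, {140, 9, 66},
        {3, 255, 7}, {5, 255, 200}, {9, 255, 1}
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    for (int i = 0; i < n; i++) {
        int kb = fms_weak_key_byte(sample[i]);
        printf("IV %d-%d-%d: %s\n", sample[i].b0, sample[i].b1, sample[i].b2,
               kb < 0 ? "ok" : "FMS-weak");
    }
    printf("%d of %d IVs are weak\n", count_weak_ivs(sample, n), n);
    printf("hostap-style counter emitted %d weak IVs over a full cycle\n",
           weak_ivs_emitted(0, 1 << 24));
    return 0;
}
```

Running the program shows the classifier flag only the two constructed weak IVs, and the full-cycle check reports zero weak IVs from the counter: under the 40-bit assumption the skip removes the five rows (B0 from 3 to 7) of 256 IVs each, 1280 of the 2^24 values, at the cost of nothing but a slightly shorter IV cycle. The same classifier, fed the output of prism-getIV.pl from your own capture, tells you whether the access point or the clients on your network still emit resolved IVs.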
$Id: wireless2.html,v 1.3 2003/10/19 20:33:27 bellet Exp $