BackTrack4-R1 + AWUS036NH = Win!

This is a long story… but it is finally solved thanks to the developers of the BackTrack distribution! For a long time, I used a good old Orinoco PCMCIA card to play around with WiFi networks. But it died and I was looking for a brand new toy. After reviewing some discussion groups and asking for advice, I decided to buy a brand new card from Alfa Network. They produce good devices that are not very expensive. There were two cards in competition: the AWUS036N and the AWUS036NH. The second one is the newer model: it offers more output power and is 802.11n compatible. Unfortunately, like a lot of new devices, the card was not supported by the “old” release of BackTrack. More precisely, it worked as a standard card to connect to a wireless network, but packet injection was not possible.

During BlackHat 2010, a new version (R1) was released with the following changes:

  • Kernel 2.6.34 – With fragmentation patches, etc.
  • Updated tools, such as Maltego and SET.
  • Improved driver support, broader range of wireless cards supported.
  • Faster desktop experience due to kernel.
  • Fluxbox environment added.

Yes! A new kernel and support for a broader set of wireless cards! A few days after the conference, it was released to the public. Unfortunately, still no out-of-the-box support for the AWUS036NH card! I re-installed my BackTrack persistent USB key using the wonderful tutorial provided by Kevin Riggins on infosecramblings.com. After more investigation and compilation, I’m finally able to use my card for monitoring and injection! Here are the steps I followed.

First, keep your BackTrack environment up to date:

  # apt-get update && apt-get upgrade && apt-get install firmware-ralink

Mine was already up to date. Then compile and install the Linux wireless compatibility package (compat-wireless). It is shipped on the BackTrack media but not installed (no idea why). A newer version (2010-07-24) is already available on wireless.kernel.org, but I did not test it. Build and install the driver with the following commands:

  # cd /usr/src/drivers/compat-wireless-2010-07-10
  # ./scripts/driver-select rt2x00
  # make
  # make install
  # make unload
  # modprobe rt2800usb

Normally, it should be fine but, if in doubt, just reboot. Once done, connect your USB wireless card and you should see something like this in /var/log/messages:

  usbcore: registered new interface driver rt2800usb
  usb 1-1: new high speed USB device using ehci_hcd and address 4
  rt2800usb 1-1: firmware: requesting rt2870.bin

Now, let’s test the interface in monitor mode:

  # airmon-ng start wlan0

  Interface  Chipset             Driver
  wlan0      RaLink RT2870/3070  rt2800usb - [phy0]
                                 (monitor mode enabled on mon0)

  # airodump-ng mon0

You will see the detected WiFi networks and all the classic stuff (beacons, packets, etc). Now, let’s test injection:

  # aireplay-ng --test mon0
  15:40:51  Trying broadcast probe requests...
  15:40:51  Injection is working!
  15:40:52  Found 1 AP

  15:40:52  Trying directed probe requests...
  15:40:52  xx:xx:xx:xx:xx:xx - channel: 11 - 'xxxxxxxxx'
  15:40:53  Ping (min/avg/max): 0.203ms/2.512ms/4.130ms Power: 3.86
  15:40:53  29/30:  96%

Looks good! But a new problem popped up:

  # aireplay-ng -1 0 -e xxxxx -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx mon0
  16:26:45  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel -1
  16:26:45  mon0 is on channel -1, but the AP uses channel 11

Once again, some reading of online material revealed that this is a known problem: the monitor interface reports channel -1, so aireplay-ng refuses to proceed even though the card is actually tuned. To fix it, apply the following patch (credits go to DomInat3):

  # cd /usr/src/drivers/compat-wireless-2010-07-10/net/wireless
  # patch -p0 <chan.patch

Then recompile the driver as described above. After a reboot, try injection again:

  # aireplay-ng -1 0 -e xxxxx -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx mon0
  19:17:57  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
  19:17:57  Sending Authentication Request (Open System) [ACK]
  19:17:57  Authentication successful
  19:17:57  Sending Association Request [ACK]
  19:17:57  Association successful :-) (AID: 1)
  #

Case closed! The rebuilt driver worked for me. My WiFi adapter is an AWUS036NH (802.11b/g/n Long-Range Wireless USB Adapter), but the procedure should be the same for other cards handled by the rt2800usb driver.
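Because the rebuild has to be done twice (once plain, once after chan.patch) and the only visible symptom of the bug is a line in aireplay-ng’s output, here is a small checker script that wraps the steps above. It is an added example, not code from the original post or from the BackTrack project: it assumes the compat-wireless tree is under /usr/src/drivers as on the BackTrack media, that chan.patch has been copied into its net/wireless directory, and that the mon0 MAC can be read from /sys/class/net to use as the -h address. The sample outputs embedded in it are constructed to mirror the output shown on this page, so the parsing logic can be exercised without the adapter.

```sh
#!/bin/sh
# Added example, not code from the original post: wraps the rebuild steps
# above in checks that fail at the stage that broke. Assumptions: the
# compat-wireless tree lives under /usr/src/drivers as on the BackTrack
# media, chan.patch has been copied into its net/wireless directory, and
# the mon0 MAC can be read from /sys/class/net. Sample outputs below are
# constructed to mirror the output shown on the page.
SRC=/usr/src/drivers/compat-wireless-2010-07-10

# Rebuild rt2x00 from compat-wireless. With "patch" as $1, apply chan.patch
# first (the second run after the "channel -1" error); -N skips a patch
# that is already applied. Needs root.
rebuild_driver() {
    [ -d "$SRC" ] || { echo "missing $SRC"; return 1; }
    if [ "$1" = patch ]; then
        ( cd "$SRC/net/wireless" && patch -p0 -N < chan.patch ) || return 1
    fi
    ( cd "$SRC" && ./scripts/driver-select rt2x00 && make && make install \
        && make unload ) || return 1
    modprobe rt2800usb
}

# Module loaded and the RT2870 firmware blob from firmware-ralink present?
driver_ready() {
    grep -q '^rt2800usb ' /proc/modules 2>/dev/null \
        || { echo "rt2800usb not loaded (modprobe rt2800usb)"; return 1; }
    [ -f /lib/firmware/rt2870.bin ] \
        || { echo "rt2870.bin missing (apt-get install firmware-ralink)"; return 1; }
}

# aireplay-ng --test output ($1): injection reported working and at least
# $2 percent (default 80) of the directed probes answered.
injection_ok() {
    printf '%s\n' "$1" | grep -q 'Injection is working!' || return 1
    pct=$(printf '%s\n' "$1" | sed -n \
        's/.*[0-9][0-9]*\/[0-9][0-9]*:[[:space:]]*\([0-9][0-9]*\)%.*/\1/p' | head -n 1)
    [ -n "$pct" ] && [ "$pct" -ge "${2:-80}" ]
}

# The known failure mode: aireplay-ng refuses because mon0 reports channel -1.
channel_mismatch() { printf '%s\n' "$1" | grep -q 'is on channel -1'; }

# Channel the AP was seen on in that error message (empty when absent).
ap_channel() {
    printf '%s\n' "$1" | sed -n 's/.*but the AP uses channel \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Fake authentication (aireplay-ng -1) got through to association.
assoc_ok() { printf '%s\n' "$1" | grep -q 'Association successful'; }

# Constructed samples (BSSID and ESSID masked, as on the page).
SAMPLE_TEST_OK='15:40:51  Trying broadcast probe requests...
15:40:51  Injection is working!
15:40:52  Found 1 AP
15:40:52  Trying directed probe requests...
15:40:52  xx:xx:xx:xx:xx:xx - channel: 11 - xxxxxxxxx
15:40:53  Ping (min/avg/max): 0.203ms/2.512ms/4.130ms Power: 3.86
15:40:53  29/30:  96%'
SAMPLE_AUTH_FAIL='16:26:45  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel -1
16:26:45  mon0 is on channel -1, but the AP uses channel 11'
SAMPLE_AUTH_OK='19:17:57  Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
19:17:57  Sending Authentication Request (Open System) [ACK]
19:17:57  Authentication successful
19:17:57  Sending Association Request [ACK]
19:17:57  Association successful :-) (AID: 1)'

# Usage: ./wifi-check.sh rebuild [patch]      rebuild the driver, then verify it
#        ./wifi-check.sh mon0 [BSSID ESSID]   live injection (and fake auth) test
#        ./wifi-check.sh                      run the parsers on the samples
if [ "$1" = rebuild ]; then
    rebuild_driver "$2" && driver_ready
    exit $?
elif [ $# -ge 1 ] && command -v aireplay-ng >/dev/null 2>&1; then
    driver_ready || exit 1
    out=$(aireplay-ng --test "$1" 2>&1)
    injection_ok "$out" || { echo "injection test failed on $1"; printf '%s\n' "$out"; exit 2; }
    echo "injection OK on $1"
    if [ $# -ge 3 ]; then
        out=$(aireplay-ng -1 0 -e "$3" -a "$2" -h "$(cat "/sys/class/net/$1/address")" "$1" 2>&1)
        if channel_mismatch "$out"; then
            echo "channel -1 bug (AP on channel $(ap_channel "$out")): run '$0 rebuild patch', reboot, retry"
            exit 3
        fi
        assoc_ok "$out" && echo "fake auth OK" || { printf '%s\n' "$out"; exit 4; }
    fi
else
    injection_ok "$SAMPLE_TEST_OK" && echo "sample --test: injection OK (>= 80% answered)"
    channel_mismatch "$SAMPLE_AUTH_FAIL" \
        && echo "sample fake auth: channel -1 bug, AP on channel $(ap_channel "$SAMPLE_AUTH_FAIL")"
    assoc_ok "$SAMPLE_AUTH_OK" && echo "sample fake auth after patch: associated"
fi
```

Run it with no arguments to see the parsers work on the samples; run it as root with `mon0` (plus BSSID and ESSID of your own AP) for the live test. The 80% threshold on answered probes is my own choice for a usable link; the page’s 29/30 passes it, and the “channel -1” line is treated as a distinct failure so it does not get reported as a generic injection problem.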

Happy wireless hacking…

35 comments

  1. You can simply use the tool airodump-ng
    airodump-ng --channel 5 wlan0mon

  2. Sometimes it is difficult to manage airodump-ng output files. i mean once i generate those csv and xml files then after i start looking into it so for large amount of data i can’t figure it out. so is there any tools or services available for analysis and visualization ?
    i have used this website and it is quite good, here i have shared my sample data have a look and also share any other sources if anyone knows. – http://bit.ly/1Nbfgm6

  3. Hi, I have the Alpha AWUS036NH working fine with Backtrack 4 R2 & 5 (KDE & GNOME versions); injection works too. I haven’t had any of the issues mentioned above. This is how I get mine to work:

    I use Oracle as my VM Software
    BackTrack 4 R2 from their website
    Install BackTrack 4 R2
    Once loaded, click “install sh” on VM Desktop
    Follow steps to install to HDD
    Close VM
    Go Into settings of VM to select boot device, Select HDD.
    Start BT4 R2
    Login, User = root, Password = toor, then type startx
    Connect Adapter(Alpha AWUS036NH)
    Open console
    Type,
    airmon-ng (this tells you the name of your card, mine is wlan0)
    airmon-ng stop wlan0 (wlan0 could be ath0,eth0, etc etc)
    ifconfig wlan0 up (this is the problem solver, up not down)
    airmon-ng start wlan0 (starts monitor mode, wlan0 is now busy)
    airodump-ng mon0 (notice now i use mon0 not wlan0)

    FROM HERE ON IN ONLY USE mon0 FOR YOUR ATTACKS, NOT wlan0 AS IT WILL BE BUSY,

    E-MAIL ME IF YOU’RE STILL STUCK

    MrCraigX@msn.com

  4. I wound up doing a live installation of backtrack on a USB drive. The problem is exclusively on the virtual environments only. You can get a decent Kingston 16gb datatraveller2 on amazon for $20 for backtrack 5 R1.

  5. very helpful!!! two things. every step worked well except the injection test. i’m on BT4 R2, with awus036nh, macbook osx10.6.7, virtualbox, and under airdump (which should be airodump-ng, as i gather), it says --test is not an option. Reading the comments, i’m led to believe that it should be airplay -test mon0 (which in turn should REALLY be aireplay-ng --test mon0). At this point it responds with “trying broadcast probe requests…” but returns no APs. Oh, well, back to troubleshoot more…

    second, as a relative n00b, i thought it would be helpful to go into further detail with installing the compat-wireless.tar file. I had to go to a 2nd tut to get this to work, and isn’t it always a pain to need 2 tuts to get one thing done!?! anyhow, once you download the .tar, you must run “tar -xf ‘file name'” to unpackage it before you can cd to the folder. maybe obvious, but i got stuck here.

    all in all, great tut, i’m glad iwconfig isn’t just staring blankly at me anymore, thanks!!!

    ps i think it bears repeating that proper syntax is SUPER important in creating tutorials. a lot of people understand the spirit of what they are doing, but if the instructions contain errors, they become immediately stuck!! I know this is hard as commands are often related to distro/kernel version and/or user hardware, but clarity is worth its weight!!! thx

  6. thanks a bunch dude. i went out and got that wireless alfa card without doing any research and had nothing but trouble trying to get it working, but thanks to your post its all working perfect now. nice one

  7. I have tried the instructions step by step, restarting and all… Also applying the patch first and then installing… also the newest drivers mentioned above… but none of them seem to work…
    I keep on having the problem of channel -1… I don’t know what I’m doing wrong…
    I’m using BT4-R1, the VMware Workstation version.
    And I have an Alfa AWUS036NH.
    Can someone help me?

  8. When I try to run wepbuster it says “can’t associate aireplay-ng died” like it won’t inject.
    anyone having same problem?

  9. Hi, nice tutorial. Got everything working so far. But I wanted to know if you are also having problems with authentication and WEP. I’m using a 036NH Alfa too.

  10. Hi, can anyone please explain to a n00b how I apply the patch.

    How to download it?
    Where to put it?
    How to install it?

  11. I got an Alfa AWUS036NEH (chipset RT3070) and it worked directly with stock BT 4 R1 (both flavors: live DVD and VMware image), no need to patch or other stuff…

  12. Hi, my version of BT4 R1 doesn’t have the patch file; does anyone have a copy they can supply?

  13. hey there… after following the steps everything works fine, but when I restart my laptop my wireless connection is not working and I have to do it all over again!!! any ideas that can help me to solve my problem???

    modprobe b43
    FATAL: Error inserting b43 (/lib/modules/2.6.32-24-generic/updates/drivers/net/wireless/b43/b43.ko): Unknown symbol in module, or unknown parameter (see dmesg)

  14. @Tristan

    I did exactly what you said to recompile the card and now it’s working – no problem with the channels at all.

    astabada

  15. thank you for this, but it needs some fixes; some commands are wrong….
    # airdump-ng mon0 needs to be airodump-ng mon0
    # airdump --test mon0 needs to be airplay --test mon0

    most of it worked for me; when I test with airplay --test it tells me injection is working, but when I try I get the thing “mon0 is on channel -1, but the AP uses channel 11”, and then I install the patch. I don’t know if I recompiled it the way it should be:
    # cd /usr/src/drivers/compat-wireless-2010-07-10
    # ./scripts/driver-select rt2x00
    # make
    # make install
    # make unload
    # modprobe rt2800usb
    but it’s the same problem with the channel
    H E L P 🙂

  16. thanks for your manual.
    I think this is the solution for me; I’m at the point “mon0 is on channel -1, but the AP uses channel 11” so I’m trying to use the patch but don’t understand how to recompile it. Is it just reboot after download and run the “patch -p0 <chan.patch”, or do I need to do those steps “# cd /usr/src/drivers/compat-wireless-2010-07-10
    # ./scripts/driver-select rt2x00
    # make
    # make install
    # make unload
    # modprobe rt2800usb"

    thank u in advance
    Tristan sun

  17. I find that everything works perfectly if I don’t have the ralink device plugged in when I boot.

  18. Incidentally, although I have done an apt-get upgrade, etc., there is no airdump, nor can I get airdump --test mon0 to work. And if I try it with airodump-ng, --test does not work.

  19. Curiouser and curiouser… I made all of the above changes and for one shining moment, I was picking up APs that I had never seen before! Then I rebooted and am back to airodump-ng not showing a single device. I decided to go through all of the steps again and still nothing. I am using the AWUS036NH as well, and can’t get a single peep off of this.

    cfg80211: Calling CRDA to update world regulatory domain
    cfg80211: World regulatory domain updated:
    (start_freq – end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz – 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (2457000 KHz – 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    (2474000 KHz – 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
    (5170000 KHz – 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    (5735000 KHz – 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
    phy0: Selected rate control algorithm ‘minstrel’
    Registered led device: rt2800usb-phy0::radio
    Registered led device: rt2800usb-phy0::assoc
    Registered led device: rt2800usb-phy0::quality
    usbcore: registered new interface driver rt2800usb
    rt2800usb 1-1:1.0: firmware: requesting rt2870.bin
    device mon0 entered promiscuous mode

    Is there any trick I am missing?

  20. Hi, I followed your instructions and downloaded the driver, then rebooted, and then I did an injection test and it all went like a dream. Thanks for your great instructions.

  21. When you say I need to recompile the drivers, can you explain more?
    Should I do rmmod rt2800usb? Should I run make install only or make too?

    Thanks in advance
    astabada
