This is a long story… but it is finally solved thanks to the developers of the BackTrack distribution! For a long time, I used a good old Orinoco PCMCIA card to play around with WiFi networks. But it died and I was looking for a brand new toy. After reviewing some discussion groups and asking for advices, I decided to buy a brand new card from Alpha Networks. They produce good devices and not very expansive. There was two cards in competition: The AWUS036N and AWUS036NH. The second one is the new model. It offers more signal and is 802.11n compatible. Unfortunately, like a lot of new devices, the card was not supported by the “old” release of BackTrack. More precisely, it was available as a standard card to connect to a wireless network but injection of packets was not possible.
During BlackHat 2010, a new version (R1) was released with the following changes:
- Kernel 2.6.34 – With fragmentation patches, etc.
- Updated tools, such as Maltego and SET.
- Improved driver support, broader range of wireless cards supported.
- Faster desktop experience due to kernel.
- Fluxbox environment added.
Yes! A new kernel and support for a broaden set of wireless cards! A few days after the conference, it was released to the public. Unfortunately, still no out-of-the-box support for the AWUS036NH card! I re-installed my BackTrack persistent USB-key using the wonderful tutorial provided by Kevin Riggins on infosecramblings.com. After more investigations and compilations, I’m finally able to use my card for monitoring and injection! Here are the steps I followed.
First, keep your BackTrack environment up to date:
# apt-get update && apt-get upgrade && apt-get install firmware-ralink
Mine was already ok. Then, compile and install the Linux wireless compatibility package. This one is provided on the BackTrack media but not installed (no idea why?). There is already a new version available on wireless.kernel.org (2010-07-24) but I did not tested it. Install the driver using the following commands:
# cd /usr/src/drivers/compat-wireless-2010-07-10 # ./scripts/driver-select rt2x00 # make # make install # make unload # modprobe rt2800usb
Normally, it should be fine but, in doubt, just reboot! Once done, connect your USB Wireless card and you should see something like this in /var/log/messages:
usbcore: registered new interface driver rt2800usb usb 1-1: new high speed USB device using ehci_hcd and address 4 rt2800usb 1-1: firmware: requesting rt2870.bin
Now, let’s test the interface in monitor mode:
# airmon-ng start wlan0 Interface Chipset Driver wlan0 RaLink RT2870/3070 rt2800usb - [phy0] (monitor mode enabled on mon0) # airdump-ng mon0
You will see the detected WiFi network and all the classic stuff (beacons, packets, etc). Now, let’s test the injection:
# airdump --test mon0 15:40:51 Trying broadcast probe requests... 15:40:51 Injection is working! 15:40:52 Found 1 AP 15:40:52 Trying directed probe requests... 15:40:52 xx:xx:xx:xx:xx:xx - channel: 11 - 'xxxxxxxxx' 15:40:53 Ping (min/avg/max): 0.203ms/2.512ms/4.130ms Power: 3.86 15:40:53 29/30: 96%
Looks good! But a new problem popped up:
# aireplay-ng -1 0 -e xxxxx -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx mon0 16:26:45 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel -1 16:26:45 mon0 is on channel -1, but the AP uses channel 11
# cd /usr/src/drivers/compat-wireless-2010-07-10/net/wireless # patch -p0 <chan.patch
And recompile the driver as already describe above. After reboot, try injection again:
# aireplay-ng -1 0 -e xxxxx -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx mon0 19:17:57 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11 19:17:57 Sending Authentication Request (Open System) [ACK] 19:17:57 Authentication successful 19:17:57 Sending Association Request [ACK] 19:17:57 Association successful :-) (AID: 1) #
Case closed! The installed driver worked for me. My WiFi adapter is a AWUS036NH (802.11b/g/n Long-Range Wireless USB Adapter) but the procedure should stay the same for others.
Happy wireless hacking…