linux-wlan-ng, smc2532w-b, rfmon and wep question

captgoodnight · 05-31-2004, 08:06 PM

Quick question, someone must know this one.

I'm trying to sniff/crack (useing rfmon mode) my home wep 128 wifi network (3 machines). My pcmcia card (smc2532w-b, linux-wlan-ng) goes rfmon with no probs, it seems, but all I'm able to pickup is AP broadcasts. Is this right? Or should I be seeing wep portected packets aswell (from other machines to AP)? (useing ethereal, tcp-dump, kismet, airsnort...)

When I'm associated with the AP, wep included, going into promisc and sniffing works as I expected. It's just rfmon and wep128 protected AP and clients I'm confued about.

I've asked this question at numerious places. It seems to go unanswered. Please, if you know this, help. I'm at that last stopping block to success.

Thanks in advance.

cg

level · 05-31-2004, 09:16 PM

Both kismet and airsnort should be able to pick up any wireless traffic, whether AP broadcasts or encrypted data packets. It sounds like you're not generating any encrypted packets or your not in monitor mode. From what I've read it's not easy to get your card to work with kismet or airsnort. Can you give more detail as to what you have done so far.

Also, if you have a relatively new AP, it will probably be filtering the weak keys, making cracking with airsnort very difficult and time consuming.

captgoodnight · 05-31-2004, 11:30 PM

Straight up! THANK YOU FOR RESPONDING! I have been searching and searching. Okay,

Command used WITHOUT kismet or airsnort as front end.
wlanctl-ng wlan0 lnxreq_wlansniff channel=6 enable=true
or
wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=6 prismheader=true stripfcs=true
or
wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=6 prismheader=true
or
wlanctl-ng wlan0 lnxreq_wlansniff enable=true channel=6 stripfcs=true

Then with (most recent pcap and ethereal) ethereal sniffing.
only AP broadcasts - which makes me think I'm getting it into rfmon.? But maybe not completely?
In common promisc/association I catch traffic but not AP bdcasts, the contrast makes me think it's in rfmon?.

airsnort and kismet both give the same results when called as themselves (without wlanctl-ng commands).

AP = dlink 614+ latest firmware, wep 128 hex 11 mbs as all other machines
2nd machine's wifi pci card = MDK 9.2, d-link 520+, acx100 module=latest release
sniffing machine = dell 2650, MDK 9.2, pcmcia smc2532w-b module=Linux-wlan-ng-0.2.1pre21

Now with this new info about what to expect in sniffing, I'm now thinking it's the AP or that my smc starts up associated to begin with, then I put it into rfmon. I would like to see what the results would be if I could just load up the module, ifconfig it and then enter rfmon. But the pcmcia-cs loads up the modules and also the config scripts; which work fine, so I want to keep those running...I tried to pull the configs out of the scheme, only to find the card not being recognised by

ifconfig wlan0 up (even though seen with ifconfig -a)
and simple iwconfig commands (I know about the lack of extensions with wlan-ng)

What would be the wlanctl-ng commands to pull out of association but not into rfmon? After pcmcia-cs has done it's common job.

The idea of the AP riding the weak IVs is interesting. This could be my next test step maybe.

lol

Thoughts?

Bests all,
cg

level · 06-01-2004, 08:53 AM

In your last post you say kismet and airsnort are giving you the same results. Does kismet log any encrypted data packets, and does airsnort log any weak keys? Or are you just picking up AP broadcasts as with ethereal.

I'm not sure about the acx100 driver, but I believe your AP with the latest firmware and your SMC2532 card are filtering weak keys, which will not let you completely crack your WEP key. Check the airsnort website forums for more info.

http://sourceforge.net/forum/?group_id=33358

captgoodnight · 06-01-2004, 11:37 PM

>In your last post you say kismet and airsnort are giving you the same results. Does kismet log any encrypted data >packets, and does airsnort log any weak keys? Or are you just picking up AP broadcasts as with ethereal.

Nothing, just AP broadcasts as with ethereal.

>I'm not sure about the acx100 driver, but I believe your AP with the latest firmware and your SMC2532 card are >filtering weak keys, which will not let you completely crack your WEP key.

Leaning this way too.

I got my bearings now, thanks level

Bests all,
cg

I'll close this thread with my findings.

captgoodnight · 06-05-2004, 10:47 PM

Bought a antenna. Now I'm reaching out and touching someone

I'm seeing tcp and udp packets now from
other's traffic. Learned: Test in different environments.

I have yet to find a wep environment other than my own, so the whole wep/packet delima is still in the air.
Eventually...I'll know this too.

UPDATE: I'm into the wep world now. Picking up all packets (YEAH! I did it!). It seems, that for the latest
linux-wlan-ng, I have to use a new command syntax to enter rfmon (kismet does it automaticaly, so I know not what it is, yet...

, also had to choose my source in kismet.conf as source=wlanng_avs,wlan0,smcsource; useing wlanng_avs and not wlanng did it. I just wish avs would mention the new syntax in the readme! I've pulled lumps of hair out over this one! But hot-damn, what I've learned!

yeeehahahaboooahahahaha!

Word to the wise, use G 256wep! Since buying the antenna and sniffing all, I've picked up all sorts of info, from smtp to ftp (I don't move on the info though, I'm white hat). It's crazy what info people hand out in pure ignorance! Geez.

Thanks,
cg

thread closed