Category Archives: WiFI

Setting a Mac into Monitor Mode

Due to overwhelming request I’m going to write a quick guide to setting your Mac into monitor mode for use with Cookie Cadger or Aircrack. In order to do this you will need an AirPort Extreme 802.11 card, the card that ships with any modern Mac. Depending on what version of OS X you have installed, the way to set it into monitor mode varies. I will be using Wireshark to set it into monitor mode. You can download it from http://wireshark.org.

Panther (or earlier)

In Mac OS X releases prior to 10.4.0 (Panther and earlier), neither monitor mode, nor seeing 802.11 headers when capturing data, nor capturing non-data frames are supported – although promiscuous mode is supported.

Tiger

In Mac OS X 10.4.x (Tiger) (at least in later updates), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device named en<n>, capture on a device named wlt<n> instead – for example, if your AirPort Extreme device is named en1, capture on wlt1. On PowerPC Macs, you will have to enable that device by changing the APMonitormode property in the /System/Library/Extensions/AppleAirport2.kext/Contents/Info.plist property list file to have the value “true” (<true/>) and rebooting; on Intel Macs, that device is enabled by default.

Leopard & Snow Leopard

In Mac OS X 10.5.x (Leopard) and 10.6.x (Snow Leopard), monitor mode is supported; 802.11 headers are provided, and non-data frames are captured, only in monitor mode. To capture in monitor mode on an AirPort Extreme device, select a “Link-layer header type” other than “Ethernet” from the Capture -> Options dialog box in Wireshark or by selecting a link-layer header type other than “EN10MB” with the “-y” flag in TShark or from the command line in Wireshark (the available link-layer types are printed if you use the “-L” flag).

Disassociating and Capturing

If you don’t already have Wireshark, go ahead and download and install it from http://wireshark.org. Once it is installed and started, select the capture option and fill out the dialog as follows:

  • Capture using interface “en1”, which will be the wireless interface on the Mac.
  • Select “Capture packets in monitor mode”, which is needed to allow Wireshark to capture all wireless frames on the network.
  • The channel being sniffed will be the channel the Mac was associated to when Wireshark was started. While it is possible to change the channel being sniffed, you must do this via the “airport” command in the Terminal application. I’ve included a guide on how to use this below.

If you plan on using the captured packets in Cookie Cadger you have the option to open the captured file for exploitation.

$ airport

It’s possible to capture in monitor mode on an AirPort Extreme while it’s associated, but this necessarily limits the captures to the channel in use. You can use the undocumented “airport” command to disassociate from a network, if necessary, and set the channel. As the command is not in the standard path, you might find it convenient to set up a link, as shown in http://osxdaily.com/2007/01/18/airport-the-little-known-command-line-wireless-utility/:

sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport

You will be prompted for your root password; enter it and hit return. Now you can use the simple command ‘airport’. You’ll probably find the -I and -S flags to be the most useful and informative, so type airport -I at the Terminal prompt, which will return something like this:

$ airport -I
commQuality: 75
rawQuality: 59
avgSignalLevel: -40
avgNoiseLevel: -97
linkStatus: ESS
portType: Client
lastTxRate: 11
maxRate: 11
lastAssocStatus: 1
BSSID: 00:06:5b:2a:37:10
SSID: OSXNetwork
Security: none
$

The output is detailed information on signal quality, noise, security, and other WiFi network attributes. The airport command is more powerful than just being able to list information on the current wireless network, though: you can also manually adjust many settings and troubleshoot. While there is no manual page for the airport command, attaching the -h flag to it will print a brief list of flags and explanations of their function.

So, just as a quick example of the usage of the airport command:

sudo airport -z #disassociates your card from the current network
sudo airport -c<channel> #sets the channel the card monitors on, e.g. sudo airport -c6
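The check-then-switch sequence above can be scripted. The following is an added example (not from the original post): it parses the key: value output of airport -I, decides whether a disassociate (-z) is needed before changing channel (-c), and runs the resulting commands through an injectable runner so the logic can be tested without a Mac. The sample output is constructed to mirror the listing above.

```python
import subprocess
from typing import Callable, Dict, List

# Constructed sample of `airport -I` output, mirroring the listing in the post.
SAMPLE_AIRPORT_INFO = """\
commQuality: 75
linkStatus: ESS
portType: Client
BSSID: 00:06:5b:2a:37:10
SSID: OSXNetwork
Security: none
"""

def parse_airport_info(text: str) -> Dict[str, str]:
    """Turn the 'key: value' lines printed by `airport -I` into a dict."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once so the BSSID keeps its colons
        info[key.strip()] = value.strip()
    return info

def is_associated(info: Dict[str, str]) -> bool:
    """linkStatus is 'ESS' while the card is joined to a network."""
    return info.get("linkStatus") == "ESS"

def capture_plan(info: Dict[str, str], channel: int) -> List[List[str]]:
    """Commands to run before a monitor-mode capture on a chosen channel:
    disassociate first if the card is still joined, then set the channel."""
    if not 1 <= channel <= 165:
        raise ValueError(f"invalid 802.11 channel: {channel}")
    plan: List[List[str]] = []
    if is_associated(info):
        plan.append(["sudo", "airport", "-z"])
    plan.append(["sudo", "airport", f"-c{channel}"])
    return plan

def run_plan(plan: List[List[str]], runner: Callable = subprocess.run) -> int:
    """Execute each command; `runner` is injectable so tests need no real airport binary."""
    for argv in plan:
        runner(argv, check=True)
    return len(plan)

if __name__ == "__main__":
    # Real use: replace the constructed sample with subprocess.check_output(["airport", "-I"]).
    run_plan(capture_plan(parse_airport_info(SAMPLE_AIRPORT_INFO), 6))
```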

If you have any questions or think I missed something feel free to tell me in the comments.

Narwhal’s Guide to Wardriving

War driving is the practice of driving, biking, or walking while carrying a device that collects and records data about, and the location of, wireless networks. Until a couple of days ago I had never considered war driving, but I decided to try it out. I’ll be writing a guide following my setup; here’s a list of the stuff I used.

  • Samsung Q310
  • Xubuntu or the distro of your choice
  • External WiFi adapter (this one is great)
  • A GPS unit
  • If you are using a car, some way to mount your laptop

Unless your laptop has a slot for an external WiFi card you will probably need to buy an external adapter. Most internal cards do not have the range or the ability to be set into monitor mode. Also, even if you can set your internal card into capture mode, an external antenna is a good investment.

Once you get all this stuff together, the first thing you need to do is install the software for wardriving. The wardriving software I use is Kismet; it’s Linux only, and generally considered one of the best. If you’re still reading this and insist on using Windows, Netstumbler is very good.

sudo apt-get install kismet

sudo gedit /etc/kismet/kismet.conf

Uncomment the line #suiduser=your_user_here and add your username that you use to login to Ubuntu.

suiduser=matt

You need to change the configuration depending on which WiFi card you are using.

If you are running an Alfa WiFi card, change

source=none,none,addme

to

source=rt8180,mon0,alfa

If you are running an Atheros AR5001X+ card, change

source=none,none,addme

to

source=madwifi_ag,wifi0,madwifi

If you are running the Intel 2100 driver, change

source=none,none,addme

to

source=ipw2200,eth1,wifi

Configuring GPS to Run on Startup (these options make Kismet connect to gpsd when it starts)

gps=true
gpstype=gpsd
gpshost=localhost:2947
gpsmodelock=false
gpsreconnect=true

Notes

If you don’t know your relevant network driver, view the Kismet Readme and scroll down to the section “12. Capture Sources”.

If you don’t know your interface name, use iwconfig to find your wireless interface.

Save and exit the file.
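The kismet.conf edits above (uncomment suiduser, swap the source line for your card, set the gpsd options) are easy to get subtly wrong by hand. This is an added example, not part of the original post or of Kismet itself: it applies those edits to the contents of a config file and refuses usernames that could smuggle extra lines into the file. The input excerpt is constructed.

```python
import re

# Capture-source lines from the guide, keyed by card: driver,interface,name.
SOURCES = {
    "alfa": "rt8180,mon0,alfa",
    "atheros": "madwifi_ag,wifi0,madwifi",
    "intel2100": "ipw2200,eth1,wifi",
}

# GPS settings from the guide; Kismet connects to gpsd on localhost:2947 at startup.
GPS_SETTINGS = {
    "gps": "true",
    "gpstype": "gpsd",
    "gpshost": "localhost:2947",
    "gpsmodelock": "false",
    "gpsreconnect": "true",
}

# Longer key names first so the alternation does not stop at the "gps" prefix.
GPS_KEY_RE = re.compile(r"#?\s*(gpstype|gpshost|gpsmodelock|gpsreconnect|gps)=")

def configure_kismet(conf: str, user: str, card: str) -> str:
    """Return kismet.conf text with suiduser, source and GPS lines set as in the guide."""
    if card not in SOURCES:
        raise ValueError(f"unknown card {card!r}; expected one of {sorted(SOURCES)}")
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", user):
        raise ValueError("username must be a plain Unix login name")
    out, seen = [], set()
    for line in conf.splitlines():
        stripped = line.strip()
        if re.match(r"#?\s*suiduser=", stripped):      # "#suiduser=your_user_here"
            out.append(f"suiduser={user}")
            continue
        if stripped == "source=none,none,addme":         # placeholder capture source
            out.append(f"source={SOURCES[card]}")
            continue
        m = GPS_KEY_RE.match(stripped)
        if m:                                             # overwrite an existing GPS key
            out.append(f"{m.group(1)}={GPS_SETTINGS[m.group(1)]}")
            seen.add(m.group(1))
            continue
        out.append(line)
    for key, value in GPS_SETTINGS.items():              # add GPS keys the file lacked
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"

# Constructed excerpt of a stock kismet.conf, used for the demonstration below.
SAMPLE_CONF = "# kismet.conf (constructed excerpt)\n#suiduser=your_user_here\nsource=none,none,addme\ngps=false\ngpshost=localhost:2947\n"
```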

Before starting kismet, you need to put your wireless adapter into monitor mode.

Run the Alfa WiFi card in monitor mode:

sudo airmon-ng check kill alfa && sudo airmon-ng start alfa

Run the Atheros AR5001X+ card in monitor mode:

sudo wlanconfig ath0 destroy

Finally, start Kismet from the terminal using the following command:

sudo kismet

Gpsdrive

In addition to using Kismet I also use Gpsdrive if I’m driving. But it doesn’t make much sense to have a live map if you’re biking, like I will be.

Car Mounts for Your Laptop

A car mount isn’t too hard to put together. The best one I found used an aluminum laptop cooler bolted to the center console in a van.

It’s a far cry from a Crown Vic mount, but it works.

He just used some webbing to attach the laptop to the mount. If you don’t want to modify your car I normally just set the laptop in the passenger seat and strap it in.

Hot Slot Wireless Cards

Another example from the same guy, who has added what’s called a “pigtail” to his card to extend the card’s range.

If you plan on buying a hot slot card I suggest adding a pigtail to it so you can get some real range out of it. I won’t be guiding you through this process, but WardrivingOnline has a pretty good guide to putting together a pigtail for your specific card.

Attaching a GPS to Kismet

Once you get Kismet up and running, in order to use a GPS to log the location of the networks you need to install gpsd.

sudo apt-get install gpsd

Start gpsd. You’ll need to give it as an argument a path to a serial or USB port with a GPS attached to it. Your test command should look something like this:

gpsd -D 5 -N -n /dev/ttyUSB0

  1. Once gpsd is running, telnet to port 2947. You should see a greeting line that’s a JSON object describing gpsd’s version. Now plug in your GPS (or AIS receiver, or RTCM2 receiver).
  2. Type ?WATCH={"enable":true,"json":true}; to start raw and watcher modes. You should see lines beginning with { that are JSON objects representing reports from your GPS; these are reports in the gpsd protocol.
  3. Start the xgps or cgps client. Calling it with no arguments should do the right thing. You should see a display panel with position/velocity/time information, and a satellite display. The displays won’t look very interesting until the GPS acquires satellite lock.
  4. Have patience. If you are cold-starting a new GPS, it may take 15–20 minutes after it gets a skyview for it to download an ephemeris and begin delivering fixes.
  5. A FAQ and troubleshooting instructions can be found at http://gpsd.berlios.de/faq.html
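The telnet session in steps 1 and 2 can be reproduced as a small gpsd client, which is handy for checking that position fixes are actually arriving before you set Kismet loose. This is an added example, not code from the post or from gpsd: it connects to port 2947, sends the WATCH command, skips the VERSION greeting, and yields (lat, lon, time) from TPV reports that carry a 2D or 3D fix (mode 2 or 3). The report lines used in the test are constructed.

```python
import json
import socket
from typing import Iterator, Optional, Tuple

GPSD_HOST, GPSD_PORT = "localhost", 2947
# The command from step 2 above; "json":true selects JSON reports.
WATCH_CMD = b'?WATCH={"enable":true,"json":true};\n'

def parse_report(line: str) -> Optional[dict]:
    """Parse one line from gpsd; JSON reports start with '{', anything else is ignored."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None

def fix_from_report(report: dict) -> Optional[Tuple[float, float, Optional[str]]]:
    """Return (lat, lon, time) for a TPV report with a 2D/3D fix, else None.
    TPV mode values: 0 unknown, 1 no fix, 2 2D fix, 3 3D fix."""
    if report.get("class") != "TPV" or report.get("mode", 0) < 2:
        return None
    if "lat" not in report or "lon" not in report:
        return None
    return (report["lat"], report["lon"], report.get("time"))

def watch_fixes(host: str = GPSD_HOST, port: int = GPSD_PORT, limit: int = 5) -> Iterator[tuple]:
    """Connect to gpsd, enable JSON watching, and yield up to `limit` position fixes."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(WATCH_CMD)
        stream = sock.makefile("r", encoding="utf-8")
        delivered = 0
        for line in stream:
            report = parse_report(line)
            if report is None or report.get("class") == "VERSION":
                continue  # non-JSON noise or the greeting from step 1
            fix = fix_from_report(report)
            if fix is not None:
                yield fix
                delivered += 1
                if delivered >= limit:
                    break

if __name__ == "__main__":
    for fix in watch_fixes():
        print("lat=%s lon=%s time=%s" % fix)
```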

Now all you have to do is go out and drive, bike, or even walk around with your laptop. Your laptop will automatically collect all the data from any wireless network it touches. I’ll be posting some pictures of my biking setup later on. If you have any questions, ask them in the comments and I’ll do my best to answer them.

Bitcoin Bounties On Cracking WPA2 Handshakes

If you have a couple of extra GPUs sitting around, Reddit user px403 has the perfect job for you. He/she has set up a site where you submit a WPA2 hash and put a bitcoin bounty on it; once someone has cracked it, your bounty goes to them and the site emails you the password. It seems like a great way to make a few bitcoins on the side, as well as a great way for pen testers without access to a large computer to crack their hashes quickly.

hashbounty.net

Here are a few links to learn how you can collect handshakes as well as crack them.

Collecting Handshakes

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Cracking Hand Shakes

http://hashcat.net/oclhashcat-plus/

https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Video guide to cracking WPA hashes

If you have a link you think would be helpful add it in the comments.