Aircrack on Fonera With Legend Firmware
The DD-WRT firmware for the Fonera does not support packet injection because it lacks the properly patched MadWifi driver. I’ve tried to make injection work with the DD-WRT firmware, but to no avail: as soon as injection begins, the router immediately freezes up. I am not going to go into the process of flashing open source firmware; you can find guides for that at FoneraHacks.com.
A quick rundown of what was done:
* Mount network share for capture files (Fonera does not have enough memory to store capture files)
* Create wireless interface “ath1” in monitor mode
* Start airodump to get quick snapshot
* Restart airodump with the “--bssid” option to cut down on file size and “-w” to specify the write location
* Start aireplay in fake authentication mode
* Once attack has completed, start aireplay in replay mode
* Collect 35,000 - 60,000 packets (for 128-bit WEP)
* Use aircrack-ptw to decrypt the key
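From the defender's side, the replay step above has a distinctive signature: one station retransmitting the same short encrypted data frame hundreds of times per second. The following detector is an added example, not code from the original post; it runs over a constructed list of frame metadata (timestamp, BSSID, source MAC, frame length) that in practice would be pulled from a monitor-mode capture.

```python
# Added example (not from the original post): flag the traffic pattern of an
# ARP replay injection by looking for bursts of identically sized data frames
# from a single station against one BSSID.
from collections import defaultdict

# Constructed sample data: (timestamp_s, bssid, source_mac, frame_len).
# Station ...:01 replays a 68-byte frame 500 times in one second (injection);
# station ...:02 is an ordinary client sending frames of varying size.
SAMPLE_FRAMES = (
    [(0.002 * i, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", 68) for i in range(500)]
    + [(0.3 * i, "00:11:22:33:44:55", "aa:bb:cc:dd:ee:02", 1500 - (i % 7) * 40)
       for i in range(20)]
)


def find_replay_bursts(frames, window_s=1.0, min_frames=100):
    """Return (bssid, src, frame_len, peak_count) for every station that sends
    at least min_frames frames of exactly the same length within any sliding
    window of window_s seconds. Normal clients vary their frame sizes and rates,
    so they do not reach the threshold."""
    buckets = defaultdict(list)
    for ts, bssid, src, length in frames:
        buckets[(bssid, src, length)].append(ts)

    alerts = []
    for key, times in buckets.items():
        times.sort()
        left = 0
        peak = 0
        # Sliding window: advance `left` until the window spans <= window_s.
        for right, t in enumerate(times):
            while t - times[left] > window_s:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_frames:
            alerts.append((*key, peak))
    return alerts


if __name__ == "__main__":
    for bssid, src, length, count in find_replay_bursts(SAMPLE_FRAMES):
        print(f"possible replay injection: bssid={bssid} src={src} "
              f"len={length} peak={count} frames/window")
```

Tune `min_frames` to the capture environment; a threshold of a few hundred same-size frames per second is far above what a single browsing client produces.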
That was awesome… can’t wait to get my hands on my new Fonera+ with directional antenna.
Alex Hortin
26 Jan 08 at 1:26 am
Is it possible for you to do another article on flashing the router? I’m having trouble flashing mine.
bob smtih
30 Jan 08 at 8:03 pm
What problems are you having? To tell you the truth, it isn’t that high on my priority list, but I may in the future. The reason for that is, many people have already created very comprehensive tutorials on the process. Here are the two websites I found to be the best and most thorough:
To flash to DD-WRT
http://www.dd-wrt.com/wiki/index.php/LaFonera_Software_Flashing
To flash to Legend
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=16412&postdays=0&postorder=asc&start=0
prochobo
30 Jan 08 at 9:11 pm
That’s interesting. I’m suddenly famous. Now I feel obligated to update my firmware.
Trouble flashing? email me: kmeltyblood@gmail.com
meltyblood
3 Feb 08 at 10:19 am
Well, it would be great if you could update Legend. I know there are at least a few loyals running your firmware. I love the web interface, but it’d be awesome if it was finished.
prochobo
3 Feb 08 at 5:10 pm
I can’t wait to get my new Foneras… if you could post a video of an MDK3 attack, that would make waiting a little easier, haha.
Alex Hortin
5 Feb 08 at 2:45 am
I was going to, but I ran into some issues. The DoS and fake AP generator worked fine; however, the client deauthentication attack didn’t go too well. In my environment with 2 wireless clients, MDK3 couldn’t disconnect either of them. I haven’t found many MDK3 users to help me out with that either.
I also tried setting MDK3 to perform the “b a d” (DoS, AP gen., and deauth) on startup of the Fonera, but the beacon flood attack just “quit” about 2 minutes after startup and the deauth didn’t really work against my network.
prochobo
5 Feb 08 at 5:07 pm
Yeah, so denial of service works? Does it just flood the router so it won’t pass any traffic? The AP generator is cool; it’s part of this video I found:
http://youtube.com/watch?v=Bq7mWBtNhjs
He uses aireplay for the deauth attack.
I assume you are trying to use the startup with your battery pack mod for mobile fun at Starbucks or something similar. I should be getting mine soon and am excited to experiment with all these utilities. It’s good news that melty seems to want to keep his firmware updated, since it seems to be the best for this kind of activity, haha.
Alex Hortin
5 Feb 08 at 9:36 pm
[...] It runs on a modified linux distro some of you probably have heard of called OpenWrt….it also has an atheros chipset *cough* aircrack *cough* [...]
10 invites to join Fon...and get a really cheap linux wireless router | MobileMoko - Guides and News for the OpenMoko
6 Feb 08 at 8:12 am
[...] that’s what I’ve been up to lately. Many people seemed interested in the aircrack video I had posted here a few weeks ago so I figured I’d make another website dedicated just for [...]
Fonerahacks.com is Online at Is You Geeked Up? | Blog for the Geeks | isyougeekedup.com
15 Feb 08 at 12:18 am
Hello,
I have successfully flashed my fonera to Meltyblood’s Legend Pre-4.5 and have tried following your video tutorial here without success on two separate (and different branded) WEP enabled routers.
The only thing I did to the Fonera after flashing to Pre-4.5 is change the default password, nothing else. Here is a rundown of the commands I enter. I’ve replaced actual values with placeholders (the square brackets and text) to confirm with you guys that it’s at least the right *type* of data I should be putting there…
1) wlanconfig ath1 create wlandev wifi0 wlanmode monitor
2) mount.cifs [network share path] /mnt/shared -o username=[username]
3) airodump-ng ath1 (just to check the target AP is ‘visible’ to the fonera)
4) airodump-ng -c 1 --bssid [target AP mac] -w /mnt/shared/capture ath1
5) aireplay-ng -1 0 -e [target AP essid] -a [target AP mac] -h [fonera mac] ath1
6) aireplay-ng -3 -b [target AP mac] -h [fonera mac] ath1
The association was successful at step 5, but it’s at step 6 where I am having problems. The read and sent packets both go up at the same rate, but the data value in the airodump-ng capture terminal window stays at the same slow rate it did before I pressed enter on step 6. It does not shoot up to the kind of speeds I’m seeing in your video. I decided to leave it for an hour and came back to find read and sent were both in the two hundred thousand range, whereas data had only reached 300; yes, just three hundred, no thousands or millions.
If it helps, PWR and RXQ for the AP in question are at (a seemingly healthy) 25 and 100 respectively.
Was I supposed to configure some other settings in Legend after flashing it before I tried this WEP cracking?
Is it because there is supposed to be another user associated to the target AP doing their usual surfing that would help in this cracking process? It’s only me on there trying to hack my own router when I try ^_^
I’m even running BT3 in a VM just like in the video!
Thanks in advance for any help given.
-Greg
Greg
27 Feb 08 at 9:21 pm
Greg,
Since you actually are sending packets in step 6, you should be receiving ARP requests as well. Correct me if I’m wrong. Your procedure is correct also. Some routers are not susceptible to this kind of attack, so you may want to try the attack against another router if you could.
Having another user browsing the web would only speed up the process of receiving ARP requests, which then speeds up the injection process. It is not necessary to have that though and you’ve proved it because you were getting ARP requests (I’m assuming).
You don’t have to configure any additional settings to do the attack either. If the method in the video doesn’t work for you, try the steps in this thread:
http://fonerahacks.com/forums/viewtopic.php?t=24
Scroll about halfway down; the post was made by “orange”. You’ll see an alternate way of injecting packets.
prochobo
27 Feb 08 at 9:45 pm
[...] to keep invaders out. However, it has become increasingly easier to crack WEP encrypted networks (see the video here) and cracking WPA/WPA2 networks is difficult, but feasible. These methods help keep external [...]
Securing Wireless Networks Internally at Is You Geeked Up? | Blog for the Geeks | isyougeekedup.com
14 Mar 08 at 5:36 pm