Posts: 69 | Thanked: 50 times | Joined on Mar 2012
#41
Great work, truly. I have been a pentester for years; I appreciate all the hard work.
 
Posts: 5 | Thanked: 8 times | Joined on Oct 2013
#42
So does this mean that your results can be replicated on any device with the wl12xx driver ?

If so, that is fantastic news. Macchanger is not a big problem at all.

Why do you still need David to help you since it seems it is 90% working ?

Last edited by bulanula; 2013-11-11 at 04:52.
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#43
Originally Posted by bulanula
So does this mean that your results can be replicated on any device with the wl12xx driver ?

If so, that is fantastic news. Macchanger is not a big problem at all.

Why do you still need David to help you since it seems it is 90% working ?
We asked David before I compiled my work. That simple.
Still, this is unstable and I have yet to find out exactly why.
It seems to work 100%, but for some reason wifi loses connection (the attacks can be continued by simply opening the network connection and letting the device start scanning).
I would like something more stable, but I still need to figure out what the problem is in losing connection.
I have seen this on an ordinary laptop also, and a simple second window (screen) performing a ping would make the connection stay alive.
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#44
This is now implemented in kernel power, big thanks to Hurrian for his work on creating a power kernel for Harmattan (please, all, contribute to the disaster in his area, make a donation to help the effort there - see post by Hurrian here http://talk.maemo.org/showpost.php?p...&postcount=173)
 

Guest | Posts: n/a | Thanked: 0 times | Joined on
#45
Got it! I will ask devs of power kernel to add these patches

We need two patches to kernel/net/wireless/chan.c and kernel/net/mac80211/tx.c

Code:
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index b01a6f6..09d979b 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -49,9 +49,12 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
 {
 	struct ieee80211_channel *chan;
 	int result;
+	struct wireless_dev *mon_dev = NULL;
 
-	if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR)
+	if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR) {
+		mon_dev = wdev;
 		wdev = NULL;
+	}
 
 	if (wdev) {
 		ASSERT_WDEV_LOCK(wdev);
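Review bot: the monitor wdev is now remembered in `mon_dev` after `wdev` is cleared, but the lock discipline is asymmetric: the non-monitor path immediately asserts `ASSERT_WDEV_LOCK(wdev)` while the monitor path never checks that its wdev is locked before it is later written through `mon_dev`. Either assert the lock for the monitor wdev as well or add a comment stating why monitor interfaces may safely be updated without it. A one-line comment above `struct wireless_dev *mon_dev = NULL;` saying what it holds (the monitor interface whose channel is being set) would also help a reader who only sees this hunk.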
@@ -76,5 +79,8 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
 	if (wdev)
 		wdev->channel = chan;
 
+	if (mon_dev)
+		mon_dev->channel = chan;
+
 	return 0;
 }
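Review bot: `mon_dev->channel = chan;` is written at the very end of the function, and the hunk does not show it sitting behind the same success check that guards `wdev->channel = chan;` (the earlier context declares `int result;` for the driver call), so please confirm that a failed channel change cannot leave a monitor interface recording a channel the hardware never switched to. Since `mon_dev` is only non-NULL when `wdev` was cleared, the two `if` blocks are mutually exclusive and read more clearly as `if (wdev) ... else if (mon_dev) ...`, with a short comment explaining why the monitor interface now needs to track its channel.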

Code:
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 0855cac..221bed6 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -677,11 +677,19 @@ int tid;
 
 	/*
 	 * Packet injection may want to control the sequence
-	 * number, if we have no matching interface then we
-	 * neither assign one ourselves nor ask the driver to.
+	 * number, so if an injected packet is found, skip
+	 * renumbering it. Also make the packet NO_ACK to avoid
+	 * excessive retries (ACKing and retrying should be
+	 * handled by the injecting application).
+	 * FIXME This may break hostapd and some other injectors.
+	 * This should be done using a radiotap flag.
 	 */
-	if (unlikely(info->control.vif->type == NL80211_IFTYPE_MONITOR))
+	if (unlikely((info->flags & IEEE80211_TX_CTL_INJECTED) &&
+	   !(tx->sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))) {
+		if (!ieee80211_has_morefrags(hdr->frame_control))
+			info->flags |= IEEE80211_TX_CTL_NO_ACK;
 		return TX_CONTINUE;
+	}
 
 	if (unlikely(ieee80211_is_ctl(hdr->frame_control)))
 		return TX_CONTINUE;
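Review bot: the new condition fires on any frame carrying IEEE80211_TX_CTL_INJECTED (unless the monitor interface has MONITOR_FLAG_COOK_FRAMES) and forces IEEE80211_TX_CTL_NO_ACK on it, and the comment's own FIXME concedes this may break hostapd and other injectors that depend on ACKs and retries; rather than merging a known regression, gate the NO_ACK behaviour on a per-frame radiotap TX flag as the FIXME itself suggests, so injectors that want acknowledgement keep it. Two smaller points: the continuation line `!(tx->sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES)))` should be aligned under the opening parenthesis of `unlikely(` per kernel coding style, and the old `vif->type == NL80211_IFTYPE_MONITOR` test is dropped entirely, so a frame sent on a monitor vif without the INJECTED flag now falls through to sequence-number assignment; confirm that change is intended and say so in the commit message.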
 

Posts: 69 | Thanked: 50 times | Joined on Mar 2012
#46
Incredible, great work

Originally Posted by nieldk
Got it! I will ask devs of power kernel to add these patches

We need two patches to kernel/net/wireless/chan.c and kernel/net/mac80211/tx.c

Code:
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index b01a6f6..09d979b 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -49,9 +49,12 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
 {
 	struct ieee80211_channel *chan;
 	int result;
+	struct wireless_dev *mon_dev = NULL;
 
-	if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR)
+	if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR) {
+		mon_dev = wdev;
 		wdev = NULL;
+	}
 
 	if (wdev) {
 		ASSERT_WDEV_LOCK(wdev);
@@ -76,5 +79,8 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
 	if (wdev)
 		wdev->channel = chan;
 
+	if (mon_dev)
+		mon_dev->channel = chan;
+
 	return 0;
 }

Code:
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 0855cac..221bed6 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -677,11 +677,19 @@ int tid;
 
 	/*
 	 * Packet injection may want to control the sequence
-	 * number, if we have no matching interface then we
-	 * neither assign one ourselves nor ask the driver to.
+	 * number, so if an injected packet is found, skip
+	 * renumbering it. Also make the packet NO_ACK to avoid
+	 * excessive retries (ACKing and retrying should be
+	 * handled by the injecting application).
+	 * FIXME This may break hostapd and some other injectors.
+	 * This should be done using a radiotap flag.
 	 */
-	if (unlikely(info->control.vif->type == NL80211_IFTYPE_MONITOR))
+	if (unlikely((info->flags & IEEE80211_TX_CTL_INJECTED) &&
+	   !(tx->sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES))) {
+		if (!ieee80211_has_morefrags(hdr->frame_control))
+			info->flags |= IEEE80211_TX_CTL_NO_ACK;
 		return TX_CONTINUE;
+	}
 
 	if (unlikely(ieee80211_is_ctl(hdr->frame_control)))
 		return TX_CONTINUE;

Last edited by plourde; 2013-11-18 at 19:48. Reason: typo :)
 
Posts: 335 | Thanked: 285 times | Joined on Sep 2012 @ Trento, Italy
#47
Hi,
I followed the steps in the first post and everything seems to work as expected, but when at the end I type aireplay-ng -9 mon0 the output is:

16:14:49 Trying broadcast probe request...
16:14:51 No answer...
16:14:49 Found 0 APs

but there are two APs, both in wpa-psk and wep
__________________
Petition to get bug fixing for N9:
http://www.change.org/en-GB/petition...g-for-nokia-n9
 
Posts: 2 | Thanked: 0 times | Joined on Nov 2013
#48
Originally Posted by Lucazz990
Hi,
I followed the steps in the first post and everything seems to work as expected, but when at the end I type aireplay-ng -9 mon0 the output is:

16:14:49 Trying broadcast probe request...
16:14:51 No answer...
16:14:49 Found 0 APs

but there are two APs, both in wpa-psk and wep
Same here. I have 3 APs (2 WPA-PSK and one open) and aireplay-ng -9 mon0 gives me 'Found 0 APs'. Also, airodump-ng mon0 captures only my own attempts from the N9 to connect to APs. Sorry for my English.
 
Guest | Posts: n/a | Thanked: 0 times | Joined on
#49
Like I said, this is unstable.
It needs more work (please follow the powerkernel thread).
For some reason this happens; I have yet to find out why.
You can make it more reliable by opening the network connection and letting the phone discover access points.
Also, try experimenting with macchanger to change the MAC address of mon0.
macchanger is on my openrepos (look in my signature).
 

Posts: 335 | Thanked: 285 times | Joined on Sep 2012 @ Trento, Italy
#50
Originally Posted by nieldk
Like I said, this is unstable.
It needs more work (please follow the powerkernel thread).
For some reason this happens; I have yet to find out why.
You can make it more reliable by opening the network connection and letting the phone discover access points.
Also, try experimenting with macchanger to change the MAC address of mon0.
macchanger is on my openrepos (look in my signature).
Hi Nieldk, thanks for your answer!
I don't understand one thing about the MAC address: do we change only the last digit just for convenience, or because it should be similar to the original one? For example, mine ends in 7F; is it OK if I change it to 8F? Thanks in advance.
__________________
Petition to get bug fixing for N9:
http://www.change.org/en-GB/petition...g-for-nokia-n9
 
