hostap driver broken under kernels 2.6.20 and above #288

Closed
aircrack-ng opened this issue Mar 10, 2018 · 12 comments

@aircrack-ng (Owner) commented Mar 10, 2018

Reported by darkAudax on 8 Aug 2007 22:01 UTC

Monitor mode capture works correctly by itself. Meaning if a second card is used to inject and the hostap device is used simply for capturing the traffic, it works correctly.

It also works correctly for fake authentication.

However if the card is used to both inject and capture, then the capture fails.

The above is for kernel 2.6.20.

On higher kernels, nothing works correctly.

@aircrack-ng aircrack-ng added this to the 1.0 milestone Mar 10, 2018

@aircrack-ng commented Mar 10, 2018

Comment by darkAudax on 8 Aug 2007 22:01 UTC

Here is the detailed documentation of the steps I took to confirm that the hostap driver is not working correctly.
The basic problem is that if you inject and capture on the same card with the hostap driver, the captured packets are all corrupted.

I have tested on 2.6.18, 2.6.20 and 2.6.21 kernels. All fail.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Rebuild hostap module including the patch.

Set the AP to "b" only mode.

Put hostap card in monitor mode and the rtl8187 card in monitor mode:

```
airmon-ng start wlan1 9
airmon-ng start wlan0 9
```

```
aireplay-ng -1 6000 -e teddy -a 00:14:6C:7E:40:80 -h 00:02:6f:3b:c4:ec -o 1 -q 10 wlan1
Interface wlan1 -> driver: HostAP
10:49:47 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80)
10:49:48 Sending Authentication Request
10:49:48 Authentication successful
10:49:48 Sending Association Request
10:49:48 Association successful :-)
10:49:58 Sending keep-alive packet
10:50:08 Sending keep-alive packet
10:50:18 Sending keep-alive packet
```

```
aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:02:6f:3b:c4:ec wlan1
Interface wlan1 -> driver: HostAP
10:51:56 Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80)
Saving ARP requests in replay_arp-0809-105157.cap
You should also start airodump-ng to capture replies.
Read 1939 packets (got 2 ARP requests), sent 52282 packets...(499 pps)
```

This is from wlan1 which is the hostap card while injection is running. Notice that RXQ is zero and the data rate is only 2.

```
CH 9 ][ Elapsed: 1 min ][ 2007-08-09 10:54

BSSID              PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80  212   0     627     2    0  9 11 WEP WEP         teddy

BSSID              STATION            PWR Rate Lost Packets Probes
```

This is from wlan0 which is the rtl8187 card while injection is running:
```
CH 9 ][ Elapsed: 4 s ][ 2007-08-09 10:54

BSSID              PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:6C:7E:40:80   41  89      54  2275  420  9 11 WEP WEP         teddy

BSSID              STATION            PWR Rate Lost Packets Probes

00:14:6C:7E:40:80  00:02:6F:3B:C4:EC   44 0-11  529    2190
```

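The test darkAudax ran by hand above (both cards in monitor mode, fake authentication and ARP replay on the hostap card, airodump-ng on both cards, then compare what each captured) can be scripted so the comparison is done on airodump-ng's CSV output instead of by eye. The script below is an added example, not code from this ticket or from the aircrack-ng project. It assumes the aircrack-ng tools are installed, that `airodump-ng -w <prefix>` writes `<prefix>-01.csv` with the usual column order (field 11 is "# IV"), and that the monitor-mode interface keeps its name after `airmon-ng start` (newer airmon-ng creates e.g. `wlan1mon`; adjust `INJECT_IF`/`REF_IF` if so). The interface names, channel, BSSID, client MAC and ESSID are placeholders copied from the ticket and can be overridden through the environment. The 10% threshold in `verdict` is the author's own choice, based on the 2-versus-2275 data-frame gap shown in the two airodump-ng screens. Without `--live` the script runs only against two constructed CSV fragments (not real captures) that mirror those counts.

```shell
#!/bin/sh
# Added example (not from the aircrack-ng issue or project): automate the
# "inject and capture on the same card" check and compare the two captures.

INJECT_IF="${INJECT_IF:-wlan1}"   # hostap card: injects AND captures
REF_IF="${REF_IF:-wlan0}"         # second card (rtl8187 in the ticket): capture only
CHANNEL="${CHANNEL:-9}"
BSSID="${BSSID:-00:14:6C:7E:40:80}"
CLIENT="${CLIENT:-00:02:6f:3b:c4:ec}"
ESSID="${ESSID:-teddy}"
DURATION="${DURATION:-60}"        # seconds to capture while injection runs

# Print the "# IV" count airodump-ng recorded for BSSID $2 in CSV file $1
# (0 if the BSSID never appeared). airodump-ng separates CSV fields with ", ".
# Column order assumed: BSSID, First time seen, Last time seen, channel, Speed,
# Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
iv_count() {
    awk -F', *' -v b="$2" '
        toupper($1) == toupper(b) { n = $11; gsub(/[^0-9]/, "", n); print n + 0; found = 1; exit }
        END { if (!found) print 0 }' "$1"
}

# Decide whether the injecting card's own receive path is broken: the reference
# card saw real traffic, but the injecting card saw only a small fraction of it
# (threshold 10%, chosen from the ticket's 2 vs 2275 data frames).
verdict() {
    inject_ivs="$1"; ref_ivs="$2"
    if [ "$ref_ivs" -lt 100 ]; then
        echo inconclusive       # nothing to compare against; check AP/client first
    elif [ "$inject_ivs" -lt $((ref_ivs / 10)) ]; then
        echo broken
    else
        echo ok
    fi
}

# Live run: needs root, both cards, and a WEP AP with an associated client.
run_live() {
    workdir=$(mktemp -d); cd "$workdir" || exit 1
    airmon-ng start "$INJECT_IF" "$CHANNEL"
    airmon-ng start "$REF_IF" "$CHANNEL"
    pids=""
    airodump-ng -c "$CHANNEL" --bssid "$BSSID" -w inj "$INJECT_IF" >/dev/null 2>&1 & pids="$pids $!"
    airodump-ng -c "$CHANNEL" --bssid "$BSSID" -w ref "$REF_IF"    >/dev/null 2>&1 & pids="$pids $!"
    aireplay-ng -1 6000 -e "$ESSID" -a "$BSSID" -h "$CLIENT" -o 1 -q 10 "$INJECT_IF" & pids="$pids $!"
    sleep 5                     # let the fake authentication associate
    aireplay-ng -3 -b "$BSSID" -h "$CLIENT" "$INJECT_IF" & pids="$pids $!"
    sleep "$DURATION"
    kill $pids 2>/dev/null; wait 2>/dev/null
    inj=$(iv_count inj-01.csv "$BSSID"); ref=$(iv_count ref-01.csv "$BSSID")
    echo "captures in $workdir"
    echo "injecting card ($INJECT_IF): $inj IVs, reference card ($REF_IF): $ref IVs"
    echo "verdict: $(verdict "$inj" "$ref")"
}

# Constructed CSV fragments (not real captures) mirroring the ticket's counts.
write_sample_csvs() {
    cat > "$1/inj-01.csv" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2007-08-09 10:53:00, 2007-08-09 10:54:00,  9,  11, WEP , WEP, , 212,      627,        2,   0.  0.  0.  0,   5, teddy,
EOF
    cat > "$1/ref-01.csv" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2007-08-09 10:54:00, 2007-08-09 10:54:04,  9,  11, WEP , WEP, , 41,       54,     2275,   0.  0.  0.  0,   5, teddy,
EOF
}

# Offline demonstration on the constructed fragments.
demo() {
    dir=$(mktemp -d)
    write_sample_csvs "$dir"
    inj=$(iv_count "$dir/inj-01.csv" "$BSSID")
    ref=$(iv_count "$dir/ref-01.csv" "$BSSID")
    rm -rf "$dir"
    echo "sample: injecting card $inj IVs, reference card $ref IVs -> $(verdict "$inj" "$ref")"
}

case "${1:-}" in
    --live) run_live ;;
    *)      demo ;;
esac
```

Run it as `sh same-card-check.sh --live` on the two-card setup; without `--live` it only exercises the parser and the verdict on the constructed fragments. A `broken` verdict reproduces the ticket's symptom (reference card captures, injecting card does not); `inconclusive` means the reference card saw too little traffic for the comparison to mean anything, so the AP, client or channel should be checked before blaming the driver.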
@aircrack-ng commented Mar 10, 2018

Comment by GuySoft on 8 Aug 2007 22:01 UTC

I am on kernel 2.6.22-1-686 Debian, and it seems that monitor works correctly, and the driver functions fine, except it won't inject :-(. I might also add that injection worked perfectly under 2.6.20-1-686; I managed to fully crack WEP keys, also with fake MACs, etc.

@aircrack-ng commented Mar 10, 2018

Comment by hirte on 8 Aug 2007 22:01 UTC

I just tried kernel 2.6.21.1 with patched hostap driver, installed by airdriver-ng, and injection & monitor mode work.

aireplay-ng -1, -2, -3 and -9 tested.

No other cards were used, only one prism 2.5 pcmcia card.

@aircrack-ng commented Mar 10, 2018

Comment by hirte on 8 Aug 2007 22:01 UTC

psy, I don't think that your issue matches this ticket, as you can inject with -2 or when a client is associated. So it's not the driver, but other circumstances. From the driver's point of view, -2, -3 and -4 are nearly the same: always injecting data packets with different lengths.

@aircrack-ng commented Mar 10, 2018

Comment by guysoft on 8 Aug 2007 22:01 UTC

I have an update:
I am using the SAME kernel as before (2.6.22-1-686), and I got it to inject with no modifications (I actually used that kernel by mistake to inject). I think the last upgrade of Debian fixed it. However, I am not on a different kernel. It might be some other part of the system.

@aircrack-ng commented Mar 10, 2018

Modified by misterx on 8 Aug 2007 22:01 UTC

@aircrack-ng aircrack-ng removed this from the 1.0 milestone Mar 10, 2018

@aircrack-ng commented Mar 10, 2018

Comment by exiL on 8 Aug 2007 22:01 UTC

Injection fails with kernel 2.6.24, firmware v1.8.2.

@aircrack-ng commented Mar 10, 2018

Comment by misterx on 8 Aug 2007 22:01 UTC

prism2 is known to inject 'correctly' with firmware 1.7.4. Try again with this one and report if it doesn't work.

@aircrack-ng commented Mar 10, 2018

Comment by anonymous on 8 Aug 2007 22:01 UTC

Injection fails even with firmware 1.7.4.

@aircrack-ng commented Mar 10, 2018

Comment by anonymous on 8 Aug 2007 22:01 UTC

It did work with 2.6.26 under Mandriva 2008.1; since I upgraded to Mandriva 2009.0 it doesn't work any more, although I kept my patched kernel. It doesn't work under BackTrack 3 either.

@aircrack-ng commented Mar 10, 2018

Modified by misterx on 8 Aug 2007 22:01 UTC

@aircrack-ng commented Mar 10, 2018

Comment by misterx on 8 Aug 2007 22:01 UTC

Milestone N/A deleted
