Hi guy's here is the complete guide on how to make the b43/b43 legacy (driver for the Broadcom wireless chips) aircracking 802.11a/b/g/n work with wireless testing kernel (Ubuntu 8.04 / Ubuntu Ultimate Edition 2.0 & + )
Kernel 2.6.2x-wl works well in managed and monitor modes, Fragmentation is not broken, and has good injection speed.

*This guide is Ubuntu Hardy specific*

b43 is a mac80211 driver. b43 offers a newer codebase and hardware crypto support than bcm43xx. There is no support for any Draft 802.11n features right now. The patches make the fragmentation work and increase the injection speed, with patches the injection speed is at least 700pps and can reach 1024pps. With the new version of aircrack (aircack-ng 1.0-rc2) b43 has complete support in kernels 2.6.25 and up. Also, all attacks work, including fragmentation.

For more info go here;
http://www.aircrack-ng.org/doku.php?id=b43

*Remember that packet injection would not work with ndiswrapper. it must be removed before you can continue!!!


*Most of the work from here on will be done from the command-line, so open up a terminal (Applications > Accessories > Terminal)

Wireless Testing Kernel

I recomend the wirelless testing kernel (2.6.2x-wl) for b43. Note; you can use other kernels 2.6.25 & 2.6.26 & 2.6.27 for injection, but the patches work best with the latest wireless testing kernel. We will be using the latest frag+ack patch.

We will have to compile the wireless-testing kernel from source.
The easy way of making this work is applying the patches to the modules before compiling the new kernel.

How-to compile the wireless testing kernel 2.6.2x-wl

1. Install the utilities needed to configure the kernel



2. Move to the configuration directory



3. Make yourself the omnipotent root



4. Now we are going to download the kernel and unpack it



5. Now move to the Linux directory:



6. Now import your current kernel configuration and get your current kernel options:



7. Configure the kernel:



Or for a terminal-based version:



8. Now we will download and apply the patch:


9. Finally, it's time to build the kernel: Make sure that you are in /usr/src/linux with full root access.

Start compiling to create a compressed kernel image, enter:
note: add -j4", for multi-core users to speed up compilation.



Install kernel modules:



10. Install kernel

So far we have compiled kernel and installed kernel modules. It is time to install kernel itself.


It will install three files into /boot directory as well as modification to your kernel grub configuration file:

* System.map-2.6.2x.x
* config-2.6.2x.x
* vmlinuz-2.6.2x.x

11. Create an initrd image

Type the following command at a shell prompt:


initrd images contains device driver which needed to load rest of the operating system later on. (note the Linux kernel version might change)

12. Update The Grub configuration file



You can also manually modify and view the configuration file,




13. Now reboot.

________________________________________________________________________
If you already have compiled a custom kernel (wireless testing kernel)


The module should now be ready to use for injection.

Restart the PC.

_____________________________________________________________________________
Installing the Broadcom card

Before we start compiling make sure you have build-essential installed!!!
you can install this by


We are going to install the Broadcom wlan card. All Broadcom chips require firmware that is loaded onto the wireless chip before it can operate.

Supported Chips (Broadcom's AirForce™ family)

# bcm4301
# bcm4303
# bcm4306
# bcm4307
# bcm4309
# bcm4311
# bcm4312
# bcm4318
# bcm4319

To check what version you have:
Type



note: cards with a MAC core revision of 4 or less should use b43legacy.
these are cards should be installed with b43legacy
# bcm4301
# bcm4303
# bcm4306
# bcm4309
You can always build both b43 and b43legacy (and get firmware for both too). The kernel autoloader will automatically do the right thing and load the correct driver for your device.

Use version 011 of b43-fwcutter.
Download, extract the b43-fwcutter tarball and build it:



If you are using the b43legacy driver, follow these instructions.

Use version 3.130.20.0 of Broadcom's proprietary driver.
Download and extract the firmware from this driver:


*Restart PC

If you are using the b43 driver from linux-2.6.25 & 2.6.26 & wireless testing kernel, follow these instructions.

Use version 4.150.10.5 of Broadcom's proprietary driver.
Download and extract the firmware from this driver tarball:



*Restart PC

___________________________________________________________________
Installing Aircrack-ng

*Before we install Aircrack-ng make sure you have libsqlite3-0 and libssl-dev installed!

To install from the Ubuntu Repository, you can run:


Install Aircrack-ng 1.0-rc2 for more info go to http://www.aircrack-ng.org/doku.php?id=install_aircrack


________________________________________________________________
Monitor Mode & Testing

To use your card for aircracking we must put in these commands: (monitor mode)


run this command to test if your packet injection is working:



it should say Injection is working! and then a list of AP

Another way of setting the card in monitor mode: (Recommended)

This way, you can monitor on mon0 while still being associated on wlan0.
- libnl1 and libnl-dev is needed for iw,

To install from the Ubuntu Repository, you can run:


- Install iw, for info go here http://www.aircrack-ng.org/doku.php?id= ... talling_iw

- Instead of setting monitor mode on wlan0, create mon0 using and you can go here for more information http://www.aircrack-ng.org/doku.php?id=airmon-ng
- Test and see if injection works.

Edit /etc/modprobe.d/options, by

and add a new line containing "options b43 nohwcrypt=1" This ensures that the encryption on wlan0 doesn't interfere with monitoring. This should be only enabled when aircracking with mon0, as it increases the softmac overhead. Remove it from your options list when not using aircrack for a longer time.
This is a workaround for a known bug in b43.

After that, use "mon0' for all moninjection tasks.

You can control the injection speed with aireplay-ng -x 'number'
1024 is the max, 500 is the default pps

________________________________________________________________________
Miscellaneous programs and info

after that refer here on how to WEP crack
http://www.aircrack-ng.org/doku.php?id=simple_wep_crack
and here for WPA/WPA2
http://www.aircrack-ng.org/doku.php?id=cracking_wpa

I am injecting but the IVs don't increase!
go here: http://aircrack-ng.org/doku.php?id=i_am ... t_increase

FAQ
http://www.aircrack-ng.org/doku.php?id=faq


Process wordlists

copy this into the text editor:


Save,
Once those lines are copied and the file is saved, then you need to make it executable:

Now you can you run the script from a terminal session:
myscript < /some/path/wordlist > /some/path/results.lst

results.lst will contain all words that are at least 8 characters in length.


John the Ripper - John the Ripper is a fast password cracker - http://www.openwall.com/john/
To install:


You can generate a list of "words" (actually character strings)

That produces a list of all combinations of the 95 printable ASCII characters of lengths 1 to 8. You can replace "All" with say "Alpha" or "Digits" to get just alpha or numeric passwords. It's also worth having a look at the john.conf file, you can change the min and max length of the generated passwords.
To edit the john.conf file:

There is more info here - http://aircrack-ng.org/doku.php?id=airc ... other_tips

note:
A list of all printable characters from Wikipedia (starting with a space)
!"#$%&'()*+,-./0123456789:;<=>?
@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_
`abcdefghijklmnopqrstuvwxyz{|}~

Macchanger - change the MAC address of a network interface - http://www.alobbs.com/macchanger/
To install


To change the MAC address


Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. For more info - http://www.kismetwireless.net

To install Kismet


For a latest version of Kismet compile from source.



To configure Kismet


change the following line
source=b43,wlan0,broadcom
save

To run Kismet


Wireshark is a network protocol analyzer (or "packet sniffer") - http://www.wireshark.org/

To install Wireshark - http://www.howtoforge.com/wireshark_ubuntu_feisty
To use Wireshark - http://www.aircrack-ng.org/doku.php?id= ... e&DokuWiki
There is more info here - http://www.willhackforsushi.com/books/377_eth_2e_06.pdf on wireless sniffing.


Useful Commands - not relating to aircrack

ifconfig - lists IP address (similar to ipconfig in Windows)
iwlist scan - shows wireless networks that are available in the area along with basic encryption information
lshw -C network - Shows interface and driver associated with each networking device
lspci -nn - Shows hardware connected to the pci bus
lsusb - Shows USB connected hardware
lshw -C usb - Additional info on USB related hardware (good for USB dongles)
cat /etc/modprobe.d/blacklist - List modules that will not be loaded by the Operating System at boot time
lsmod - lists currently loaded kernel modules. (Example usage - lsmod | grep ndiswrapper)
route -n - Lists kernel IP routing table -- Good for troubleshooting problems with the gateway (netstat -rn = equivalent command)
sudo route add default gw 192.168.1.1 - Example of how to set the default gateway to 192.168.1.1
sudo route del default gw 192.168.1.1 - Example of how to delete the default gateway setting
sudo modprobe ***** - Loads the kernel module **** . (Example usage - sudo modprobe ndiswrapper, sudo modprobe r818x, sudo modprobe ath_pci)
sudo modprobe -r **** - Unloades the kernel module ****. (Example usage - sudo modprobe -r ndiswrapper)
sudo ifup/ifdown <interface> - Brings up/down the interface and clears the routing table for the specified interface
sudo ifconfig <interface> up/down - Brings up/down the interface for the specified interface
sudo dhclient <interface> - Request IP address from DNS server for specified interface
sudo dhclient -r <interface> - Release IP address associated with specified interface
sudo iptables -L - Lists firewall rules
dmesg | less - Lists boot log -- good for troubleshooting problems with modules/drivers not being loaded
uname -r - Displays kernel version
/etc/iftab (Feisty and pre-releases (Edgy, etc)) - /etc/udev/rules.d/70-persistent-net.rules (Gutsy) - File which assigns logical names (eth0, wlan0, etc) to MAC addresses
cat /etc/resolv.conf - Lists DNS servers associated with network connections (Network Manager)
/etc/dhcp3/dhclient.conf - File which sets or modifies dns (domain name servers) settings

Comments, Sugestions or Problems make a post!

AND THATS IT

Hello Joker ..

Im a n00b of course .. i found this website by reading http://www.aircrack-ng.org/doku.php

Looking at all your post on that website and this one .. you rock ..

I have been trying to get aircrack airodump to work on my laptop and it never works at all .. i installed debian just to see if it will work but no go ..

If i follow this guide on ubuntu 8.10 will it work ?

yes it will work!

I was wondering if this will work with ultimate edition 2.0?

Thanks

it will

all updated

Very nice!!!!!!! Worked!!!!!!!!! Hurray!!!!!!!!

The only problem that I had was that I couldn't build the new aircrack-ng 1.0-rc2

It kept giving me errors:
Error: suffix or operands invalid for `push'

I used Synaptic Package Manager's version

(I have AMD64)

Also, what does softmac overhead mean and why should the option be removed if not cracking for a longer time?


Thanks

well good to hear from you,

u should compile aircrack-ng 1.0-rc2 from source

gave me no errors

I really need some help....

Will this work for my card ?

i have Broadcom BCM4312.................but my PCI ID is 14e4:4315???

Much appreciate your help

Cheers
sAtaN-666

im using the unibody macbook - the airport card is using the bcm4322. will it work?