This is not a HOWTO. There are gazillions of those on the Interwebs, which is how I got started into this. BT5's intro in April really boosted the interest in wireless hacking, especially considering Vivek Ramachandran's Megaprimer on SecurityTube
, which leveraged the fuck out of BT5.
This brings me to my first observation: it only works on BT5
. Now, before you protest and tell me about your wonderful experience with Aircrack-ng on Ubuntu or Fedora, let me explain. I've done a lot of custom kernels in my time chasing new features in netfilter only to find that I broke something else that ran just fine with a stock distro kernel. Mea culpa
The first thing I bumped up against was a kernel bug that sets the WiFi channel to 255 when you try to create an access point with airbase-ng. This doesn't happen with BT5's "2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux" kernel, so stick with BT5. I hope it doesn't break in BT5 R1
Another curiosity: BT5's implementation of wicd can't see access points made with airbase-ng. This is what I get (entry at top is the evil access point):
I haven't found a work-around for that, but Windows 7 sees the AP just fine, as does NetworkManager in Linux Mint LXDE.
Which brings up another point: do not
try to make an access point on any box that uses NetworkManager! Personally, I despise
NetworkManager, and generally remove it whenever possible. I learned this from the Mint box, so stick with BT5.
The Mint box did surprise me as a client, though. Evidently ndiswrapper has come a long way from whenever the last time I used it was (2006? 2007?). There's even a gui, ndisgtk, for painless installation of drivers.
you can find them. Case in point: the NetGear WG111v1 wireless USB NIC I've had since 2005. I knew I had them somewhere but I thought it would be quicker to hit NetGear's site to download them. Nope. No way am I going to register with a company I have no intention of ever doing business with again. But luckily I found the original drivers buried deep on a dusty old hard drive. I installed the drivers and the damned thing actually worked. I never
got that damned thing to work on Linux before! It's not perfect and a lot of features just aren't there, but for basic functionality in a pinch you can't beat it.
Which brings up another observation: there's no ndiswrapper in BT5. You can download all the tools, but the kernel module isn't there (I had the exact same problem with JFS in BT4
). You really wouldn't want it for making an AP, but if you're short a NIC, ndiswrapper would be nice to have around. If they do add support for ndiswrapper and you need
it, you're stuck in 32-bit land, which is not always a bad place to be.
Eventually I had three useless access points hanging off my BT5 laptop. Useless because I didn't have a DHCP server. ISC's dhcp3d is fine, but I settled on udhcpd because it's simpler and it's in BT5's software repository.
Here comes another observation: udhcpd is broken. Well, that's not entirely true. The manual page is broken. The date on the man page is "2001-09-26", so that should be a dead giveaway that it just ain't right. It states that "option namesvr" is the setting for DNS in the config file but oddly... it doesn't work! A quick Google search and you'll find the real
setting is "option dns". As long as you take the man page with a grain of salt you'll be OK.
Another "gotme" was the "subnet" line in the config file. The man page says
But they meant
Jeez. Woe betide the literal-minded. "255.255.255.0" is not
an "address", people!
Oh, and speaking of man page fuck-ups, the airbase-ng option for the BSSID is not
--bssid or -b, it's -a! Fucking -a! -b and --bssid do nothing
. That was a real WTF moment. I quote then man page:
If the BSSID is not explicitly specified by using "-a ", then the current MAC of the specified interface is used.
-b and --bssid are "Filter Options", which are never clearly explained in the man page. Some HOWTOs out there make the same mistake, so beware.
So much for RTFM.
You need to assign an address to the atx
adapter airbase-ng pulls out of its ass and make that the gateway ("option router"), enable IP forwarding in the kernel and set up iptables to forward everything from your DHCP scope out to the Internet.
Once you have all that in place, you're ready to rock and/or roll. The first thing you'll notice is it's a damn slow access point. But it gets the job done.
Put everything into scripts so it'll all be there when you need it. I would hate to have to do this cold on a spur of the moment assignment. Your victim/suspect would drink his coffee and be out the door before you got your first packet.