**************************************************************
*  Wellenreiter - advanced 802.11b audit tool - Wellenreiter *
**************************************************************
*  Homepage: http://www.remote-exploit.org                   *
*  IRC:      #wellenreiter @ openprojects.net                *
*  Thanks to ZENO for providing most of this text            *
**************************************************************
*  -[ Installation Instructions ]-                           *
**************************************************************

Hardware:

  - A computer that will run Linux and has PCMCIA. This document does not
    cover PCI->PCMCIA adapters and Cardbus bridges. It is assumed that
    PCMCIA support is built in (such as with a notebook computer).

  - A PCMCIA wireless card. Only one is needed, but you can work with two
    if you like to use one for scanning and one for joining nets. One or
    more of these cards:

      Lucent Orinoco Card (or similar Hermes chipset based cards)
      Cisco 350 Series client adapter (340 as well?)
      Prism2/2.5 chip based cards (supported by the wlan-ng drivers)

Software:

  Packages needed:

    Pcmcia-cs 3.1.33: http://pcmcia-cs.sourceforge.net
    Gtk-Perl:         http://www.gtkperl.org/download.html
    Net-Pcap:         http://search.cpan.org/search?mode=module&query=net%3A%3Apcap
    Libpcap:          http://www.libpcap.org/daily/libpcap-current.tar.gz
    Tcpdump:          http://www.tcpdump.org/daily/tcpdump-current.tar.gz
    Wellenreiter:     http://www.remote-exploit.org

  If you want to use Cisco/Aironet cards you should get the drivers from
  THESE URLs ONLY!!!:

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/airo-linux/airo-linux/kernel/airo.c?rev=1.34
    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/airo-linux/airo-linux/kernel/airo_cs.c?rev=1.4
    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/*checkout*/airo-linux/airo-linux/kernel/airo.h?rev=1.7

  If you want to use Orinoco cards you have to get these patches:

    Orinoco packet monitor patch (orinoco-09b-packet-1.diff)
      http://airsnort.shmoo.com/orinocoinfo.html

    Hermes.conf
      http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/hermes.conf

  If you want to use Prism2/2.5 based cards you need to get this driver:

    ftp://ftp.linux-wlan.org/pub/linux-wlan-ng/linux-wlan-ng-0.1.14-pre2.tar.gz

Installation:

  Install Linux, including the development software, kernel development
  and utilities packages. Two methods for PCMCIA card services are
  covered:

1. In-kernel PCMCIA services

  This should not be used with Prism cards! This means that the kernel is
  built with CONFIG_NET_RADIO=y. If you are using Red Hat 7.2 or above,
  PCMCIA is built into the system. You can also enable this in other
  distributions by recompiling the kernel with the proper options set
  (not covered in this document).

1.1 Untar pcmcia-cs (recommended: put it in /usr/src):

      tar xzvf pcmcia-cs-3.1.33.tar.gz

1.2 Change to its directory:

      cd pcmcia-cs-3.1.33

1.3 Configure the package. This is necessary so that you can compile the
    modules with the correct options:

      ./Configure

If you want to use Orinoco cards:

1.4 This is a good time to apply the Orinoco patch. Copy the patch file to
    this directory, then:

      patch -p0 < orinoco-09b-packet-1.diff

If you want to use Cisco Aironet cards:

1.4 Go into the wireless directory:

      cd wireless

    Copy the Aironet driver files to this directory, overwriting airo.c
    and airo_cs.c. You may need to edit airo.c at this point so that it
    will compile. Edit line 68, changing as follows:

      Original: remove: __devexit_p(airo_pci_remove),
      New:      remove: __devexit(airo_pci_remove),

This is for all types of cards:

1.5 Compile the modules using this command (while still in the
    pcmcia-cs-3.1.33/wireless directory):

      make

    Note: You may see some errors during this, but as long as it keeps
    going it is fine, as they are only warnings.

    If everything compiles properly, you will now have a bunch of files
    like airo.o, airo_cs.o, orinoco.o, etc. These are the kernel modules
    you will need to use.
    Now you have the modules you need, and all you need to do is copy
    them to the right locations so your card services will use them.

1.6 Copy the modules to your modules directory like this (overwriting
    existing files). In the commands of steps 1.6 and 1.7, replace KVER
    with your kernel version number, e.g. 2.4.7-10:

    For Cisco cards you need to copy the following ones:

      cp -u airo.o    /lib/modules/KVER/pcmcia
      cp -u airo_cs.o /lib/modules/KVER/pcmcia

    For Lucent ones you need these:

      cp -u hermes.o     /lib/modules/KVER/pcmcia
      cp -u orinoco.o    /lib/modules/KVER/pcmcia
      cp -u orinoco_cs.o /lib/modules/KVER/pcmcia

1.7 Now you must create symlinks to these modules from two other places
    (overwriting existing files), like:

      ln -sbf /lib/modules/KVER/pcmcia/airo.o       /lib/modules/KVER/kernel/drivers/net/pcmcia/airo.o
      ln -sbf /lib/modules/KVER/pcmcia/airo_cs.o    /lib/modules/KVER/kernel/drivers/net/pcmcia/airo_cs.o
      ln -sbf /lib/modules/KVER/pcmcia/hermes.o     /lib/modules/KVER/kernel/drivers/net/pcmcia/hermes.o
      ln -sbf /lib/modules/KVER/pcmcia/orinoco.o    /lib/modules/KVER/kernel/drivers/net/pcmcia/orinoco.o
      ln -sbf /lib/modules/KVER/pcmcia/orinoco_cs.o /lib/modules/KVER/kernel/drivers/net/pcmcia/orinoco_cs.o

      ln -sbf /lib/modules/KVER/pcmcia/airo.o       /lib/modules/KVER/kernel/drivers/net/wireless/airo.o
      ln -sbf /lib/modules/KVER/pcmcia/airo_cs.o    /lib/modules/KVER/kernel/drivers/net/wireless/airo_cs.o
      ln -sbf /lib/modules/KVER/pcmcia/hermes.o     /lib/modules/KVER/kernel/drivers/net/wireless/hermes.o
      ln -sbf /lib/modules/KVER/pcmcia/orinoco.o    /lib/modules/KVER/kernel/drivers/net/wireless/orinoco.o
      ln -sbf /lib/modules/KVER/pcmcia/orinoco_cs.o /lib/modules/KVER/kernel/drivers/net/wireless/orinoco_cs.o

2. PCMCIA-CS card services by Gregory Hinds

  These are services external to the kernel, which provide PCMCIA support
  for Linux. Start by using pcmcia-cs to compile the modules you will be
  using for the card. If you are using pcmcia-cs as your card services,
  do the following steps:

2.1 Untar pcmcia-cs (recommended: put it in /usr/src):

      tar xzvf pcmcia-cs-3.1.33.tar.gz

2.2 Change to its directory:

      cd pcmcia-cs-3.1.33

2.3 Configure the package. This is necessary so that you can compile the
    modules with the correct options:

      ./Configure

If you want to use Orinoco cards:

2.4 This is a good time to apply the Orinoco patch. Copy the patch file to
    this directory and use this command:

      patch -p0 < orinoco-09b-packet-1.diff

If you want to use Cisco Aironet cards:

2.4 Go into the wireless directory:

      cd wireless

    Copy the Aironet driver files to this directory, overwriting airo.c
    and airo_cs.c. You may need to edit airo.c at this point so that it
    will compile. Edit line 68, changing:

      Original: remove: __devexit_p(airo_pci_remove),
      New:      remove: __devexit(airo_pci_remove),

This is for all types of cards:

2.5 Compile the modules using this command (while still in the
    pcmcia-cs-3.1.33/wireless directory):

      make

    Note: You may see some errors during this, but as long as it keeps
    going it is fine, as they are only warnings.
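The copy-and-symlink steps 1.6 and 1.7 of the in-kernel method above are easy to mistype, since every path carries the kernel version and the module name. The following shell script is an added example, not part of the Wellenreiter distribution or of this README: it takes the kernel version from uname -r, copies the modules pcmcia-cs built for the chosen card type, creates both sets of symlinks and then checks the result. The function names and the optional third argument (an alternate module root, useful for a dry run in a scratch directory) are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Wellenreiter README): automate steps 1.6
# and 1.7 of the in-kernel PCMCIA method. Run as root after `make` in
# pcmcia-cs-3.1.33/wireless.

# Module object files each card type needs, as listed in step 1.6.
modules_for_card() {
    case "$1" in
        cisco)  echo "airo.o airo_cs.o" ;;
        lucent) echo "hermes.o orinoco.o orinoco_cs.o" ;;
        *)      echo "modules_for_card: unknown card type '$1'" >&2; return 1 ;;
    esac
}

# install_wlan_modules CARD SRCDIR [MODROOT]
# Copies the modules into MODROOT/pcmcia (step 1.6) and links them from
# the two in-tree driver directories (step 1.7). MODROOT defaults to the
# running kernel's module directory; a different root is an assumption of
# this example so the script can be exercised without touching /lib.
install_wlan_modules() {
    card="$1"
    srcdir="$2"
    modroot="${3:-/lib/modules/$(uname -r)}"
    mods=$(modules_for_card "$card") || return 1
    mkdir -p "$modroot/pcmcia" \
             "$modroot/kernel/drivers/net/pcmcia" \
             "$modroot/kernel/drivers/net/wireless"
    for m in $mods; do
        if [ ! -f "$srcdir/$m" ]; then
            echo "missing $srcdir/$m - did make succeed?" >&2
            return 1
        fi
        cp -u "$srcdir/$m" "$modroot/pcmcia/$m"
        # both in-tree locations point at the pcmcia-cs copy (step 1.7)
        for sub in kernel/drivers/net/pcmcia kernel/drivers/net/wireless; do
            ln -sbf "$modroot/pcmcia/$m" "$modroot/$sub/$m"
        done
    done
}

# verify_wlan_modules CARD MODROOT
# Returns 0 only when every module for the card is present and both
# symlinks resolve to the pcmcia-cs copy.
verify_wlan_modules() {
    card="$1"
    modroot="$2"
    mods=$(modules_for_card "$card") || return 1
    for m in $mods; do
        [ -f "$modroot/pcmcia/$m" ] || return 1
        for sub in kernel/drivers/net/pcmcia kernel/drivers/net/wireless; do
            [ -L "$modroot/$sub/$m" ] || return 1
            [ "$(readlink "$modroot/$sub/$m")" = "$modroot/pcmcia/$m" ] || return 1
        done
    done
}

# Usage: sh install-wlan-modules.sh cisco /usr/src/pcmcia-cs-3.1.33/wireless
if [ "$#" -ge 2 ]; then
    root="${3:-/lib/modules/$(uname -r)}"
    install_wlan_modules "$1" "$2" "$root" \
        && verify_wlan_modules "$1" "$root" \
        && echo "modules for $1 installed under $root"
fi
```

The script refuses unknown card types and stops before copying anything if a module is missing from the build directory, which is the usual sign that make did not get through the wireless directory.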
2.6 Install pcmcia-cs using the command:

      make install

If you want to use Orinoco cards:

2.7 Edit hermes.conf to take out all references to Intersil drivers. Take
    out these lines:

      # Third class of device : other Intersil clones
      card "Intersil PRISM2 11 Mbps Wireless Adapter"
        manfid 0x0156, 0x0002
        bind "orinoco_cs"

2.8 Copy hermes.conf to /etc/pcmcia:

      cp hermes.conf /etc/pcmcia

This is for all types of cards:

2.9 Reboot.

3.0 Now you can test to make sure the card will go into promiscuous mode,
    by doing this:

    For a Cisco 350/340 card (replace ethX with the proper device name):

      echo Mode: r >> /proc/driver/aironet/ethX/Config
      echo Mode: y >> /proc/driver/aironet/ethX/Config

    It should now be in rfmon mode (promiscuous mode). Check to see by
    issuing:

      ifconfig -a

    Output should look like:

      eth1  Link encap:UNSPEC  Hwaddr 00-03-4D-A7-55-F2-00-00-00-00-00-00-00-00-00-00

    (Be sure it has the trailing zeros in the MAC address.)

    For a Lucent/Orinoco card:

      iwpriv ethX monitor 2 11

    It should now be in rfmon mode (promiscuous mode). Check to see by
    issuing:

      ifconfig -a

    Output should look like:

      eth1  Link encap:UNSPEC  Hwaddr 00-03-4D-A7-55-F2-00-00-00-00-00-00-00-00-00-00

    (Be sure it has the trailing zeros in the MAC address.)

4.0 Install the rest of the packages:

    Gtk-Perl:  Follow the instructions included in the package
               ( perl Makefile.PL, then make, then make install ).
    Libpcap:   Follow the instructions included in the package
               ( ./configure, then make, then make install ).
    Tcpdump:   Follow the instructions included in the package
               ( ./configure, then make, then make install ).
    Net::Pcap: Follow the instructions included in the package
               ( perl Makefile.PL, then make, then make install ).

    If you got Wellenreiter from CVS, go to the build-tools directory and
    execute perl Build-wellenreiter.pl. After this you have a
    Wellenreiter.pl in the Mainpackage directory.

5.0 Configure the options for Wellenreiter:

5.1 Linux: log in as / su to root.

5.2 Run 'perl config.pl' in the directory where you unpacked Wellenreiter.
    The script generates your ~/.wellenreiter/.wellenreiter.rc according
    to your answers to a few questions. See the following example screen
    copies; all text that belongs to the install process is quoted
    using -> :

    First a welcome text comes up:

    -> ************************************************************
    -> *                                                          *
    -> * Wellenreiter config generator by team remote-exploit.org *
    -> *                                                          *
    -> * http://www.remote-exploit.org                            *
    -> *                                                          *
    -> ************************************************************
    -> Press the return to continue

    I guess this is clear... just hit the enter/return key. :-)

    -> Building Wellenreiter for (Your operating system here)...
    -> Choose your wireless card type [cisco|prism2|lucent] [default: cisco] : cisco

    Now you should choose which card type you have for the non-sniffing
    functions of Wellenreiter. If you use just one card for statistics,
    associations and sniffing, simply choose the type of your card. Type
    in one of the three options and hit enter, for example "cisco".

    -> Set your wireless interface name [default: eth1] : eth1

    Enter the interface name for your card. Most laptops have an internal
    ethernet port, so the default interface name should be ok. On Lucent
    and Cisco cards the interface name starts with "eth" followed by a
    number, starting from 0 and counting up to the number of interfaces
    you have installed. On Prism2 cards this is "wlan" and a number
    instead of "eth". If you are not sure, use ifconfig -a to determine
    the device name.

    -> Do u got a RAW-capture rfmon compatible card? If you say no to this question you
    -> cannot use scan/sniff functions of wellenreiter (read README) ? [y/n] [default: N] :

    If you want to use the sniffer/scanner of Wellenreiter you should
    answer y here. But be sure that you have a card/driver that can handle
    rfmon mode. See the corresponding README, e.g. for Cisco cards read
    README.LINUX.CISCO.

    -> Which is the highest available channel in your country for wireless networks?
    -> in Europe normaly 13, in USA normaly 11 [default: 13]:

    Every country has its own regulations for which 2.4 GHz frequencies
    are legal to use. This parameter sets the upper limit of the channels
    to scan. Japan has channel 14 for example, Europe 13, and the USA 11.

    -> Choose your type for this card [cisco|prism2|lucent] [default: cisco] : cisco

    This question comes up only if you chose to have an rfmon compatible
    card; you need to choose its type. If you have only one card it's
    easy, it's the same as before. If you use two different cards, pick
    the right one.

    -> Set your wireless interface name [default: eth2] : eth1

    This question comes up only if you chose to have an rfmon compatible
    card; you need to enter the name of the interface. If you have only
    one card it's easy, it's the same as before. If you use two different
    cards, enter the correct one.

    -> Try to get the path to your ifconfig ......
    -> Try to get the path to iwconfig now .......

    Just informative .....

    -> Activate gps features? [y/n] [default: n ]:

    If you have a GPS receiver running according to README.LINUX.GPS and
    you want to use it in Wellenreiter, you have to say y; otherwise you
    should answer n.

    -> On which port gpsd is listening? [default: 2947 ]:

    This only comes up when you have chosen 'y' on the activate GPS
    question. Don't change this unless you know exactly what you are
    doing. Your gpsd listens by default on this TCP port; if you change it
    in gpsd you must change it here also. Normally you should simply hit
    enter.

    -> Activate accoustic features? [y/n] [default: y ]:

    If you don't want to be able to bind acoustic signals to events, choose
    n. In most cases you should choose y.

    -> Command to execute when a broadcasting network is found? default [printf "\a"] :
    -> Command to execute when a NON-broadcasting network is found? default [printf "\a"] :
    -> Command to execute when a new object is found? default [printf "\a"] :
    -> Command to execute when a non-broadcasting essid is uncoverd? default [printf "\\a"] :

    You can fill in any command to be executed when a specific event
    occurs. For example you can use '/usr/local/bin/madplay sonarbeep.mp3 &'.
    If you don't want to enable a specific feature, simply insert
    'echo "no" > /dev/null &'. See the sounds directory for some nifty
    sounds. I don't know who made these sounds, so credit them if you know
    who they are. :-)

    -> Do you want to enable the accoustic beacon indicator? [y/n] [default: n ]:

    This option was a feature request. I think it can be useful in special
    cases, but normally it will produce a lot of noise. It enables a
    feature to indicate beacon frames via an acoustic signal, so during
    the search for a good capture position it can be useful.

    -> Command to execute a beacon drops in, like a accousic beacon indicator? default [printf "\\a"] :

    This question comes up only when you have chosen to activate the
    acoustic beacon indicator. You can fill in any command to be executed
    when a beacon frame comes in. By default it's a standard beep.

    -> All necessary things are now configured

    Just informative.... but nice to know :-)

    -> You can now run perl Wellenreiter.pl

6.0 Now you can run Wellenreiter with the command:

      perl Wellenreiter.pl

7.0 Have fun!

**************************************************************
*  If you have further questions, please contact the team at *
*  Homepage: http://www.remote-exploit.org                   *
*  IRC:      #wellenreiter @ openprojects.net                *
**************************************************************
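To check the rfmon test of step 3.0 without eyeballing ifconfig output, here is an added example script; it is not part of Wellenreiter or of this README. rfmon_enable issues the commands from step 3.0 for the given card type, and rfmon_check reads ifconfig -a output on stdin and accepts the interface only when it shows Link encap:UNSPEC and a 16-octet hardware address whose trailing octets are all zero, the two signs step 3.0 tells you to look for. The function names and the sample ifconfig output are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the Wellenreiter README): put a card into rfmon
# with the commands from step 3.0 and verify it from `ifconfig -a` output.

# rfmon_enable CARD IFACE
# cisco: the aironet driver's /proc interface; lucent: the patched orinoco
# driver's iwpriv call. Both commands are the ones given in step 3.0.
rfmon_enable() {
    case "$1" in
        cisco)
            echo "Mode: r" >> "/proc/driver/aironet/$2/Config"
            echo "Mode: y" >> "/proc/driver/aironet/$2/Config"
            ;;
        lucent)
            iwpriv "$2" monitor 2 11
            ;;
        *)
            echo "rfmon_enable: unsupported card type '$1'" >&2
            return 1
            ;;
    esac
}

# rfmon_check IFACE   (reads `ifconfig -a` text from stdin)
# Succeeds only when the interface line shows "Link encap:UNSPEC" and a
# hardware address of 16 dash-separated octets whose last ten are 00,
# which is how step 3.0 says an rfmon interface looks. A card still in
# managed mode shows "encap:Ethernet" and a 6-octet colon-separated
# address, so it fails both tests.
rfmon_check() {
    awk -v ifc="$1" '
        $1 == ifc {
            found = 1
            if ($2 == "Link" && $3 == "encap:UNSPEC") encap_ok = 1
            for (i = 4; i <= NF; i++)
                if (tolower($i) == "hwaddr") hw = $(i + 1)
            n = split(hw, oct, "-")
            if (n == 16) {
                addr_ok = 1
                for (j = 7; j <= 16; j++)
                    if (oct[j] != "00") addr_ok = 0
            }
        }
        END { exit !(found && encap_ok && addr_ok) }
    '
}

# rfmon_status IFACE: run the check against the live system.
rfmon_status() {
    ifconfig -a | rfmon_check "$1"
}

# Constructed sample of `ifconfig -a` output (not captured from a real
# machine): eth0 is an ordinary ethernet port, eth1 a card in rfmon mode
# in the form step 3.0 describes.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:10:A4:12:34:56
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:UNSPEC  HWaddr 00-03-4D-A7-55-F2-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# Usage (as root): sh rfmon-check.sh cisco eth1
if [ "$#" -eq 2 ]; then
    if rfmon_enable "$1" "$2" && rfmon_status "$2"; then
        echo "$2 is in rfmon mode"
    else
        echo "$2 is NOT in rfmon mode" >&2
        exit 1
    fi
fi
```

Reading the ifconfig text from stdin rather than calling ifconfig inside the check keeps the parsing testable on saved output, which is also handy when comparing what a card reports before and after the driver patch.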