Friday, 23 October 2009

Injection support with Intel 3945 A/B/G card

I've used this chipset for quite a while now, and for some time it has been very stable and well supported, and the built-in antenna provides decent reception. It's not N capable, but it does the A band! Getting it to work on a decent kernel is trivial and Gentoo hardened is no exception. ;]

First, make sure that you have it enabled in your kernel config: in the Wireless LAN section, enable "Intel PRO/Wireless 3945ABG/BG Network Connection". I tend to compile it as a module so I can load it only when necessary - just in case, I prefer to have it disabled... ;] If needed, recompile and boot your new kernel, then continue.

You probably want to emerge the aircrack suite if you have not already done so. Aircrack has a cool feature to test injection support and can do sooo much more than that! Make sure that you emerge aircrack from the 'hardened-development' overlay, because otherwise it won't compile on hardened. It has some inline assembly which unfortunately does not like to be compiled as PIE, at least for the time being ;( Anyway:

~ # emerge -av aircrack-ng

These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild N ] net-wireless/aircrack-ng-1.0 USE="sqlite" 1,472 kB [1]

Total: 1 package (1 new), Size of downloads: 1,472 kB
Portage tree and overlays:
[0] /usr/portage
[1] /usr/local/portage/layman/hardened-development

Would you like to merge these packages? [Yes/No]

Cool, once it's done it's time to load the module:

host ~ # modprobe iwl3945

Which should result in the following output via the dmesg command:

iwl3945 0000:0c:00.0: PCI INT A disabled
iwl3945: Intel(R) PRO/Wireless 3945ABG/BG Network Connection driver for Linux, 1.2.26ks
iwl3945: Copyright(c) 2003-2009 Intel Corporation
iwl3945 0000:0c:00.0: PCI INT A -> GSI 17 (level, low) -> IRQ 17
iwl3945 0000:0c:00.0: setting latency timer to 64
iwl3945 0000:0c:00.0: Tunable channels: 13 802.11bg, 23 802.11a channels
iwl3945 0000:0c:00.0: Detected Intel Wireless WiFi Link 3945ABG
iwl3945 0000:0c:00.0: irq 24 for MSI/MSI-X
phy2: Selected rate control algorithm 'iwl-3945-rs'

Sweet! Let's enable monitor mode then, shall we? The airmon-ng command, when run without any parameters, shows a list of the wireless cards recognised by the system along with their respective drivers - quite useful!

~ # airmon-ng
Interface Chipset Driver
wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy2]

Right, so the card is there, now the monitor mode itself:

~ # airmon-ng start wlan0
Interface Chipset Driver

wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy2]SIOCSIFFLAGS: No such file or directory
(monitor mode enabled on mon1)

Hmm...that didn't look good, let's see what has happened...that's what I got from dmesg again:

iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-2.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-2.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-1.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-1.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: Could not read microcode: -2

Oopsie! Right, so the required firmware file is missing, but there's a trustworthy Gentoo repository! ;] So:

~ # emerge -av iwl3945-ucode

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild N ] net-wireless/iwl3945-ucode-15.32.2.9 66 kB

Total: 1 package (1 new), Size of downloads: 66 kB

Would you like to merge these packages? [Yes/No]

Yesss! When it's installed we need to reload the module and then start the monitor mode again:

~ # rmmod iwl3945
~ # modprobe iwl3945
~ # airmon-ng start wlan0
Interface Chipset Driver

wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy3]
(monitor mode enabled on mon1)

Which resulted in the following in the dmesg:

iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-2.ucode
iwl3945 0000:0c:00.0: loaded firmware version 15.32.2.9

Yuppie! Now run the injection test from the aircrack suite as a final check:

~ # aireplay-ng -9 mon1
20:38:16 Trying broadcast probe requests...
20:38:16 Injection is working!


Bakgat!
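The two things that can go wrong in this walkthrough are a missing firmware file and running the injection test on a monitor interface that belongs to a different card. The following is an added example, not part of the original post: a small shell helper that reads saved dmesg and airmon-ng text and reports both. The function names are hypothetical, the sample input is copied from the output shown above, and it assumes the "(monitor mode enabled on X)" line refers to the row printed just before it.

```shell
#!/bin/sh
# Added example: diagnose the two failure modes seen in this post from saved
# dmesg / airmon-ng text. Sample input is copied from the output shown above.

# Firmware files the driver requested and could not open (-2 is ENOENT).
missing_firmware() {
    sed -n 's/^.*: \([^ ]*\.ucode\) firmware file req failed: -2$/\1/p' | sort -u
}

# Firmware version reported after a successful load (last one wins).
loaded_firmware_version() {
    sed -n 's/^.*: loaded firmware version \([0-9.]*\)$/\1/p' | tail -n 1
}

# Driver behind interface $1, resolved through the [phyN] tag in the listing.
# Assumption: "(monitor mode enabled on X)" refers to the row printed just
# before it, as in the output in this post. Exits 1 for an unknown interface.
driver_of_iface() {
    awk -v ifc="$1" '
        { for (i = 3; i <= NF; i++) if ($i ~ /^\[phy[0-9]+\]/) {
              p = $i; sub(/\].*/, "]", p)   # drop stderr text fused to the tag
              phy[$1] = p; drv[p] = $(i - 2); last = p } }
        /^\(monitor mode enabled on / { m = $NF; sub(/\)$/, "", m); phy[m] = last }
        END { if (ifc in phy) print drv[phy[ifc]]; else exit 1 }'
}

sample_dmesg() { cat <<'EOF'
iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-2.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-2.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: firmware: requesting iwlwifi-3945-1.ucode
iwl3945 0000:0c:00.0: iwlwifi-3945-1.ucode firmware file req failed: -2
iwl3945 0000:0c:00.0: Could not read microcode: -2
EOF
}

sample_airmon() { cat <<'EOF'
Interface Chipset Driver
wlan1 Atheros ath5k - [phy1]
mon0 Atheros ath5k - [phy1]
wlan0 Intel 3945ABG iwl3945 - [phy3]
(monitor mode enabled on mon1)
EOF
}

echo "missing firmware: $(sample_dmesg | missing_firmware | tr '\n' ' ')"
for ifc in mon0 mon1; do
    echo "$ifc -> $(sample_airmon | driver_of_iface "$ifc")"
done
```

On a live system, pipe `dmesg` into the first two functions and the output of `airmon-ng start wlan0` into the third.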

2 comments:

  1. Hi There,

    Actually from the post you wrote it seems that the injection is not going via the intel card but rather via your atheros card.

    You are setting the Intel card in monitoring mode but the actual injection is routed via mon0 (atheros?)

    --> aireplay-ng -9 mon0

    What do you think? :)

  2. Oops! You're absolutely right! It was either a typo or I might have actually typed the wrong command! Nevertheless injection does work... :) ...and I fixed the typo, thanks! :)
