Jun 22

Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows

Update (6-27-07): I just found out that the makers of aircrack-ng just made this method easier. Two days after I wrote this article, they released a VMWare image of their entire suite of wireless penetration tools. So, instead of downloading and using the generic BackTrack ISO (step 1 and 5) head over to Aircrack-ng and obtain their version.

Update II (6-27-07): I guess packet injection under Windows is feasible after all! At the same time the VMWare aircrack-ng image was released, they also revealed a new USB WiFi adaptor that lets you inject and read packets natively in Windows without the virtualization layer. What's more, you can use the Wireshark GUI instead of the aircrack-ng command line. Personally, I would still go with the Alfa (read more below) since it has an antenna connector. But that's just me! :)

“...crack a WEP enabled access point within a couple of minutes. 3 minutes to be exact.”

That Digg article piqued our curiosity in high school. My friend and I read about how the FBI publicly demonstrated a successful wireless network crack in a minuscule amount of time. Inspired, we obtained a laptop and searched around our neighborhood for WEP encrypted wireless networks. Our plan was to show these local folks how easy it was to acquire their WEP key. Then, we would convince them that we were good, hirable technicians who could upgrade their WiFi WEP encryption scheme to WPA. We spent literally three days practicing, trying to crack our own network with Windows tools. But in the end, our plan never materialized. Why? We were too “n00b” for Linux.

Crippled Windows Users

I'll say it once and I’ll say it again, “I hate being a Windows user.” I hold great respect for computer hackers who are quick to grasp other operating systems, like Linux and OS X, without a problem. But I, having been weaned on Windows since the day I touched a computer, have a hard time operating those unfamiliar user interfaces … or lack thereof. I mean, more than half of Linux is in the shell command line!

Aircrack-ng Win32 Binary Port

Many users like myself have a hard time integrating with the computer hacker world. Most programs are written for *nix operating systems. Only when a kind, talented soul takes pity on us Windows amateurs and ports the code to Win32, are we able to use that software.

At the time, that Win32 software was almost non-existent for my friend and me. Even today, wireless network penetration software is still in the Linux stage. The main software suite, Aircrack-ng, is just barely supported in Windows. When I tried the Windows port, it was slow, it did not accept my drivers, and it crashed numerous times. Basically, the Win32 aircrack-ng suite was pretty unusable and unstable.

Virtualization Solution

Finally, I decided to just try aircrack-ng in Linux. I bought some equipment and ran the Backtrack Live-on-CD Linux Distribution. After reading up on numerous Linux and aircrack-ng documentation, I was finally able to crack my home network!

While I was writing about hacking the Windows Vista and T-Mobile free wireless Internet authentication (which is no longer relevant) with VMWare, I had an epiphany. The same technique I used with VMware could also be applied to aircrack-ng! I tried it out and, after a lot of trial and error, I cracked my home network once again. This time it was in Windows!

Frequently Asked Questions

So how did I do this? Before you begin my tutorial, I suggest you read this FAQ for background information.

  • Why aircrack-ng? Aircrack-ng is the most popular wireless cracking suite. Because of that, it is the most compatible with different types of hardware, it offers more forum support, and it is on the cutting edge of the latest WiFi hacking techniques.
  • What are the main elements in cracking a wireless network?
    Airodump-ng: Gather the “special” “faulty” data (weak IVs) necessary to crack a network.
    Aireplay-ng: Stimulate the base AP station to generate the “special” data for airodump-ng to capture.
    Aircrack-ng: Take the data from airodump-ng and, with statistical or brute-force dictionary analysis, crack the key/PSK.
  • Why is Windows inherently unable to crack wireless networks? Special (mostly unavailable) patched drivers are required to use these programs.
  • What about the Peek Driver? First of all, the Peek Driver is special software written by WildPackets for AiroPeek, sort of a wireless network version of Wireshark/Ethereal. The bad thing about the Peek Driver is that it only allows you to read packets. Essentially, you can only use airodump-ng and aircrack-ng. Theoretically, you can crack a wireless network with only these two programs, but it is very difficult, drawn out, and plain inefficient. Without the speeding aid of aireplay-ng, cracking a wireless network may take days. Aireplay-ng helps inject packets and manipulate the wireless network.
  • Why does the Peek Driver not support aireplay-ng? This is because aireplay-ng requires the network card to be in a special state called “Monitor Mode.” In normal operation, the network interface is in “Managed Mode.” The Windows NDIS API (Network Driver Interface Specification) does not support any extensions for wireless monitor mode. Therefore, the only drivers that allow WiFi cards to be in monitor mode are in Linux.
  • I’ve heard of Windows tools that support packet injection. I have too. But I also heard that they cost upwards of $300 and they are not nearly as fast as aireplay-ng.
  • So then … there still is a way to use aireplay-ng in Windows with your hack? Yes. Basically, you run Backtrack as a virtual machine in VMWare Player. Since VMWare supports passthrough USB, the Backtrack virtual machine can directly access a compatible USB wireless network adapter. Note that my method will only work with a USB adapter since the only passthrough that virtual machine programs support is with the USB interface, not PCI, miniPCI, PCMCIA, PC Card, Express Card, etc.
  • So, I won’t need to know Linux commands and I will be presented with that familiar, friendly user interface that I am accustomed to in Windows? Heavens no! If you read the answer above, you know you will still be using Linux … in Windows. This is just a convenience of not having to switch between reboots. You will still be unable to avoid the obscure Linux shell commands!

Hardware

Let’s just cut to the chase. There is no reason to continue if you don’t even own the correct hardware. I’m sorry, but there is no workaround for this. I’m a frugal person and I tried doing this the frugal way. It just doesn’t work. If you’re not willing to open your wallet, I would stop reading now.



In my research and tests on compatible network adapters, there is only one with the least quirks and the least breakage for this operation. Get the Alfa USB AWUS036S Network Adaptor with the threaded RP-SMA antenna connector. USB WiFi adapters with antenna connections are almost impossible to find. Usually you have to solder and mod the circuitry of another adapter to gain this functionality. Save yourself some trouble and just purchase this one.

Data Alliance

Now, if you could only find where to buy this elusive piece of equipment. I found mine at DataAlliance, an online/eBay store managed by a man named George Hardesty. If you know of any other worthy store, please comment at the end of this post.

Hardesty supplies most of my wireless networking needs. His inventory is the most cutting edge (and cheapest) that I have come across. Take a look at his store. It includes one of the most comprehensive resources I’ve read on wireless networking. Nevertheless, don’t be tempted to purchase the high-powered Alfa USB AWUS036H WLAN Adapter. I’ve used it … twice! It breaks easily and it is noisy. Additionally, “high powered” isn’t always a good thing. The chipset amplifies noise interference. Therefore, the TX/RX signal gets distorted. You could also be waving a flag to the FCC to smack down a fine, especially if you are using a high-gain antenna. Worst case scenario, you’ll give yourself leukemia. We already have enough EMI as it is with computers and cell phones.

Procedure

  1. Download the latest version ISO image of the BackTrack Security Penetration Linux Distribution.
  2. Install the VMWare Player. You may want to read the review in my other blog, the freeware review.
  3. Download QEMU and create a *.vmdk hard drive of at least 4 GB. For the lazy, the command is
    CODE:
    qemu-img create -f vmdk linux_HDD.vmdk 4G
  4. Use a *.vmx configuration file like this one and run it. You may have to tweak a couple of customizations to get it to work. The most important thing is that you enable USB passthrough with usb.present = "TRUE".
    CODE:
    config.version = "8"
    virtualHW.version = "4"

    uuid.location = "56 4d e3 cc a7 d5 15 0e-b2 c7 d5 2a f9 74 97 d0"
    uuid.bios = "56 4d e3 cc a7 d5 15 0e-b2 c7 d5 2a f9 74 97 d0"

    uuid.action = "create"
    checkpoint.vmState = ""

    displayName = "BackTrack"
    annotation = ""
    guestinfo.vmware.product.long = ""
    guestinfo.vmware.product.url = ""

    guestOS = "other26xlinux"
    numvcpus = "1"
    memsize = "256"
    paevm = "TRUE"
    sched.mem.pshare.enable = "TRUE"
    MemAllowAutoScaleDown = "TRUE"

    MemTrimRate = "-1"

    nvram = "nvram"

    svga.maxWidth = "800"
    svga.maxHeight = "600"

    mks.enable3d = "FALSE"
    vmmouse.present = "TRUE"

    tools.syncTime = "TRUE"
    tools.remindinstall = "FALSE"

    isolation.tools.hgfs.disable = "FALSE"
    isolation.tools.dnd.disable = "FALSE"
    isolation.tools.copy.enable = "TRUE"
    isolation.tools.paste.enabled = "TRUE"
    gui.restricted = "FALSE"

    ethernet0.present = "TRUE"
    ethernet0.connectionType = "nat"
    ethernet0.addressType = "generated"
    ethernet0.generatedAddress = "00:0c:29:74:97:d0"
    ethernet0.generatedAddressOffset = "0"

    usb.present = "TRUE"
    usb.generic.autoconnect = "TRUE"

    sound.present = "FALSE"

    ide0:0.present = "TRUE"
    ide0:0.fileName = "disk.img"
    ide0:0.deviceType = "disk"
    ide0:0.mode = "persistent"
    ide0:0.redo = ""
    ide0:0.writeThrough = "FALSE"
    ide0:0.startConnected = "FALSE"

    ide1:0.present = "TRUE"
    ide1:0.fileName = "cd.iso"
    ide1:0.deviceType = "cdrom-image"
    ide1:0.autodetect = "FALSE"
    ide1:0.startConnected = "FALSE"

    floppy0.present = "FALSE"

    serial0.present = "FALSE"

    serial1.present = "FALSE"

    parallel0.present = "FALSE"

    usb.autoConnect.device0 = "path:1/2/1 autoclean:1"

    usb.autoConnect.device1 = ""
  5. Install the BackTrack ISO on the slave virtual machine.
  6. I suggest that you install VMWare Tools as well. It makes VMWare integration with Windows a whole lot easier and faster. You’ll have to do some special extraction though. Read my previous article on VMWare Tools for more details.
  7. When you are actually viewing the desktop of the BackTrack KDE X-Windows, plug in your USB network adapter. Windows will recognize and install it as a "VMWare USB Device." On the top of your VMWare window, you should see “Anonymous USB Device (Vendor: #### Product: ####)" highlighted. The "####" values will vary depending on the wireless USB interface hardware ID.

    If it isn't highlighted or Windows is trying to install the driver for Windows use (like "Realtek Network Driver" not "VMWare USB Device") just click the "Anonymous USB Device" button and Windows will "disconnect" the device from Explorer and "reconnect" it in VMware.

    aircrack_backtrack.jpg

  8. After about a minute, open a console window and verify that BackTrack recognized the hardware. Type "iwconfig". If you see an interface (like "rausb0"), congratulations! You're in business!

    aircrack_iwconfig.jpg

    aircrack_dumplay.jpg
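    The two things that most often go wrong with this setup are the .vmx not actually enabling USB passthrough (step 4) and the adapter not appearing in iwconfig (step 8). Below is an added example script, not from the original post, that checks both offline: it parses a .vmx for usb.present / usb.generic.autoconnect, and it parses iwconfig-style output to list the wireless interfaces and the mode each is in. The .vmx fragments and the iwconfig output it runs against are constructed samples embedded in the script; on a real guest you would feed it "cat backtrack.vmx" and "iwconfig 2>/dev/null" instead. The function names and the sample values are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for the
# VMware + USB adapter setup. Everything below runs on constructed sample
# input so it works offline; swap in real file/command output to use it.

# Constructed .vmx fragments. The first matches what the post requires
# (USB passthrough on); the second is the weak variant with passthrough off.
SAMPLE_VMX_GOOD='displayName = "BackTrack"
usb.present = "TRUE"
usb.generic.autoconnect = "TRUE"
ide1:0.fileName = "cd.iso"'

SAMPLE_VMX_BAD='displayName = "BackTrack"
usb.present = "FALSE"
ide1:0.fileName = "cd.iso"'

# Constructed iwconfig output, in the layout the tool prints: interface
# name in column 1, continuation lines indented, wired interfaces report
# "no wireless extensions".
SAMPLE_IWCONFIG='lo        no wireless extensions.

eth0      no wireless extensions.

rausb0    RT73 WLAN  ESSID:""  Nickname:""
          Mode:Managed  Frequency=2.412 GHz  Access Point: Not-Associated
          Bit Rate=54 Mb/s'

# vmx_value CONTENT KEY -> prints the unquoted value of KEY (first match only).
# Dots in KEY are escaped so "usb.present" cannot match "usbXpresent".
vmx_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        head -n 1
}

# check_usb_passthrough CONTENT -> returns 0 when the guest will be able to
# claim the USB adapter (usb.present = "TRUE"), 1 otherwise.
check_usb_passthrough() {
    present=$(vmx_value "$1" usb.present)
    auto=$(vmx_value "$1" usb.generic.autoconnect)
    case "$present" in
        TRUE|true)
            echo "usb.present = TRUE: the guest can claim the USB adapter"
            [ "$auto" = "TRUE" ] ||
                echo "note: usb.generic.autoconnect is not TRUE; attach the device by hand"
            return 0 ;;
        *)
            echo "usb.present is '${present:-unset}': the guest will never see the adapter"
            return 1 ;;
    esac
}

# wireless_ifaces IWCONFIG_OUTPUT -> prints "<iface> <mode>" for every
# interface that has wireless extensions (e.g. "rausb0 Managed").
wireless_ifaces() {
    printf '%s\n' "$1" | awk '
        /^[^ \t]/ {                       # header line: name in column 1
            iface = ""
            if ($0 !~ /no wireless extensions/) iface = $1
            next
        }
        iface != "" && match($0, /Mode:[A-Za-z-]+/) {
            print iface, substr($0, RSTART + 5, RLENGTH - 5)
            iface = ""
        }'
}

# Demo run on the constructed samples.
check_usb_passthrough "$SAMPLE_VMX_GOOD"
check_usb_passthrough "$SAMPLE_VMX_BAD" || echo "(fix usb.present before booting the guest)"
echo "wireless interfaces seen by the guest:"
wireless_ifaces "$SAMPLE_IWCONFIG"
```

    If wireless_ifaces prints nothing on a real guest, the adapter was not handed to the VM (re-check the "Anonymous USB Device" button in step 7); if it prints the interface but the mode is Managed, the card is visible but still needs to be put into Monitor mode before aireplay-ng will work.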

In Closing

On attack techniques, I won't get into the details. There are enough tutorials online. For starters, read the aircrack-ng documentation. They just added a new “cracking tutorials” section. You'll learn a thing or two. Remember, pretty much any wireless attack you perform in Linux can also be done in this setup.

Technically, you still need a form of Linux in order to perform this workaround. However, it sure beats constantly rebooting to switch between operating systems. Windows users may find it comforting that they can always retreat to Explorer when things get scary. They don't have to fear that any real data can be lost or hardware destroyed.

Leave any questions or comments below about your experience with this hack. I'll try my best to answer them.

48 Responses to “Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows”

  1. airdump Says:

    See this nice tuto

    http://en.airdump.net/hacks/packet-injection-windows/

  2. butters Says:

    I had a problem using an Alfa USB AWUS036S with the VMware image. Selecting RT2570 as the adapter just made Linux grind to a halt. Fortunately, using the rt73 driver as described at the link fixed things. http://forums.remote-exploit.org/showpost.php?p=22768&postcount=15

    In short, follow the directions here ( http://www.aircrack-ng.org/doku.php?id=rt73&DokuWiki=49fb4090881b6c94aa22888f3e9ae2ab ) to download and make the rt73 driver. Next, go to /lib/modules/2.6.21.4/extras and delete or rename rt2570.ko and then copy rt73.ko and rename it to rt2570.ko.

  3. blogger Says:

    Thank you for your input, butters. I guess it's going to be slightly different for other VMWare setups.

  4. John Says:

    I downloaded the aircrack vmware premade image (the larger of the two choices) and used a Netgear WG111v2 and it worked with packet injection using the rtl8180 driver. Been successful in cracking
    WEP with it. Got it at Best Buy. Somewhere on the web I found it uses the RT73 and it works. Used vmware 6.

  5. Downey Says:

    Hi. I downloaded Vmware Player 2.0.1 build-55017, and aircrack-ng's vmware image (vmware-aircrack-ng-v2.7z) but unfortunately, the file doesn't have an extension like .vmx or .vmc. What do I have to do to play the image?

  6. Downey Says:

    Found it. I didn't recognize .7z as the 7-Zip extension. Used Winrar to unpack it.

  7. sam Says:

    Hi, thnx for the new. Tried it with a netgear WG111v2 and it worked. I also tried it with a WG111v3 and that doesn't work. You can determine the version number with the serial number on the box. ***165 and *WG41 are good to go :)

  8. psycho_oreos Says:

    WG111v2 has two different versions:
    http://backtrack.offensive-security.com/index.php?title=HCL:Wireless#NetGear_WG111v2

    WG111v3 apparently is equipped with the Realtek RTL-8187B, which is not yet compatible with Linux even though there is already a driver for the Realtek RTL-8187L.

  9. David Says:

    We stock the Alfa USB Wifi adaptor - and lots more for enthusiasts.We ship from the UK all over the world.

  10. Sorceress Sarah Says:

    Crippled Windows user indeed! Windows does its best to hide the nuts and bolts of computing from the user, at the cost of doing what you want to do someone else's way, or being unable to do it at all.

    *nix puts the hack back into hacking. You get as much, or as little control as you like, and if you're using open source, you can create your own customized solution by building upon the work of others.

    And here's the cool part: It is stunning just how fast some of that old hardware can be when you don't have to run a GUI to make the software work.

    Take the time to learn a *nix variant. It's time well spent.

  11. Blasko Says:

    Hi

  12. David Says:

    Hi

    We have the Alfa AWUS036S in stock. Ships fast worldwide.

    David

  13. Johan Boonstra Says:

    This method is too awesome.

  14. ken Says:

    crack wep in windows with minimal effort using commview drivers.

    http://rapidshare. com/files/137814754/AiroWizard_Setup-Beta_1-rev.250.exe.html

  15. airdump.net Says:

    USB Backtrack installation or live cd works like charm check http://airdump.net/

  16. alen Says:

    36c3

  17. jeff Says:

    very cool man, no real technical input but I'm glad someone's writing about this stuff

  18. luy Says:

    werewatresytrdu

  19. website analyzer Says:

    Great method. It worked on the first try for me :D

  20. petrus website Says:

    What is the MemTrimRate variable for? And why is it -1?

  21. m4jiD thinktank Says:

    hi dear hackernotcracker...

    For a long time I have been looking for a good Linux + Aircrack-ng + Ettercap compatible USB adaptor. Finally I chose one after reading the aircrack-ng documents and your article Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows, and I chose the
    Alfa USB AWUS036S Network Adaptor, but I cannot find anywhere to buy one :-(

    Now my question is: the Alfa USB AWUS036S uses the Ralink rt73 chipset, so if I buy another brand (not Alfa) with the Ralink rt73 chipset, does it work perfectly like the Alfa USB AWUS036S and is it easy to use, plug and play, in Backtrack and other Linuxes?

    thank you

  22. hacker not cracker Says:

    Yes, it will work perfectly like the Alfa USB AWUS036S. I bought an RT73 on eBay a couple months ago and it worked exactly like the Alfa counterpart. Good luck!

  23. USB HD TV tuner Says:

    USB HD TV tuner...

    [...]Aircrack/Aireplay-ng Under Packet Injection Monitor Mode in Windows - hacker not cracker[...]...

  24. Joshwa Says:

    Hi hacker not cracker, I know this blog page is from a while back now but I was wondering if you could clarify a few things for me. I have a RT73 USB chipset and I have located https://mypeek.wildpackets.com/driver_downloads.php which apparently has the appropriate drivers for my card to run packet sniffing/injection under windows, but I am failing to make sense of the list of drivers.
    Also, have you discovered a more direct method of getting an RT73 working in Windows? I find I am running around the whole internet just trying to locate a layman's guide to getting an RT73 working in Windows with no luck so far, so it would be good to get some clarification on whether I am barking up the wrong tree or not!
    Thanks

  25. Andrei Says:

    nice

  26. NEO Says:

    Are 1000mw Alfa "AWUS036H" and "AWUS036S" one and the same?

  27. NEO Says:

    Are 1000mw Alfa "AWUS036H" and "AWUS036S" one and the same?

    Can anyone answer it please....

  28. NEO Says:

    ??????

  29. Nick Says:

    No NEO, they are not the same. I just tried looking for the "S" version, and I can't find it anywhere, but I've seen proof that it's a separate product. That's exactly what the picture in the article is.

    Don't expect to find one, it looks like they're not made/distributed anymore. I looked on eBay, Amazon, and every other major online retailer, and sadly, nothing.

  30. Simpsons Tapped Out Unlimited Donuts Says:

    During World War II, he co-wrote musical comedy shows to entertain servicemen, and
    this led to an appearance on Milton Berle's show that launched his television career.
    I stopped listening every week, when his amalgam
    of comedy and political anger at the Bush Administration got
    a little too heavy for me to bear. Proactol has become tested in
    numerous clinical trials to prove its effectiveness and authenticity.

    my page ... Simpsons Tapped Out Unlimited Donuts

  31. youtube.com Says:

    Hi! I'm at work browsing your blog from my new apple iphone!
    Just wanted to say I love reading your blog and look forward to all your posts!
    Carry on the excellent work!

  32. http://www.montanatechcomponents.com Says:

    They are using templates and formats that are tried and tested.
    This way, any interested client easily gets the idea
    of what you are selling. So if you want to get started on the right track, you may want to join a good membership
    site and they can hopefully help point you in the right direction.

  33. Christian Roehl Says:

    This blog was... how do you say it? Relevant!! Finally I
    have found something that helped me. Thanks a
    lot!

  34. the simpsons daily free ios apps Says:

    All's I can do is tell you to listen to this song and ask whether you agree or not that "I Only Have Eyes For You" by The Flamingos doesn't have a distinct
    sense of foreboding to it. Our sport app builders have
    wide experience in this field and often prepared to just take challenges about revolutionary game
    enhancement idea. I was not comfortable quite yet to bring
    myself to drive on any other roads besides back roads.

  35. jelly splash hack ipad Says:

    Water has the power to waken the senses, and trickling
    warm water can provide a sensuous edge to any sexual experience.
    s not enough water, fill a bucket from another source and add.
    Some of the basic instruments employed for this purpose
    were PVC, Tubulum, Airpoles, Drumulum and Cimbalom to name a few.

  36. premium backtrack pdf Says:

    I like the valuable info you provide on your articles. I will bookmark
    your blog and test again right here regularly.
    I'm moderately sure I will be informed a lot of new stuff right here!

    Best of luck for the following!

  37. Simpsons Tapped Out Cheats Says:

    Thanks for the marvelous posting! I genuinely enjoyed reading it, you're a great author.I will be sure to bookmark your blog and definitely
    will come back from now on. I want to encourage
    continue your great writing, have a nice day!

  38. battle camp hack Ios Says:

    Since the majority of tennis instructors start off their careers
    by coaching private lessons or smaller groups, they soon come to be very comfortable teaching their tennis drills
    on an individual court. Shut in a participant is hit,
    they need to carry up their 'rifle' as a proof that they need been eliminated, at a similar time depart
    from the sports ground. Others might say raising a happy family is the most important thing to
    which we humans can aspire.

  39. white label seo software Says:

    Your way of describing all in this piece of writing is truly fastidious, all
    be capable of without difficulty know it, Thanks a lot.

  40. buy youtube views fast Says:

    Hi, Neat post. There is a problem along with your web site in web explorer, could
    check this? IE still is the market leader and a huge section of other
    people will pass over your great writing because of this problem.

  41. buy 5000 youtube views cheap Says:

    What's up to every one, for the reason that I am truly eager of
    reading this website's post to be updated on a regular basis.

    It consists of fastidious information.

  42. Melaine Says:

    I’m not that much of an online reader to be honest but your site's
    really nice, keep it up! I'll go ahead and bookmark your site to
    come back later on. Cheers

  43. Campus Life Cheats 2014 | IEC KHULNA Says:

    [...] hack and cheats instrument is 100% operating, up to day and undetectable. You already know what you campus life game cheats iphone have to do. Obtain Campus Life hack instrument appropriate [...]

  44. https://www.facebook.com/ Says:

    I have fun with, cause I found just what I used to be taking a look for.
    You've ended my 4 day lengthy hunt! God Bless you man.
    Have a nice day. Bye

    Also visit my web page - drag racing hack (https://www.facebook.com/)

  45. ethical seo consulting Says:

    The other day, while I was at work, my cousin stole my apple ipad
    and tested to see if it can survive a 25 foot drop, just so she can
    be a youtube sensation. My iPad is now broken and she
    has 83 views. I know this is entirely off topic but I
    had to share it with someone!

  46. buy cheap youtube Says:

    Awesome blog! Is your theme custom made or did you download it
    from somewhere? A design like yours with a few simple tweaks would really make my blog stand out.
    Please let me know where you got your theme. Bless you

  47. vaporizers for sale Says:

    Hi, I would like to subscribe to this webpage to obtain the hottest updates, therefore where can I do it? Please help.

    Also visit my web site: vaporizers for sale

  48. Susana Says:

    I've been browsing online more than three hours today, yet
    I never found any interesting article like yours. It's pretty worth enough for me.
    In my view, if all website owners and bloggers
    made good content as you did, the net will be a lot more useful than ever before.

© 2006 and web design of Allan Ray Barizo from [art] [⁄app].