
The Engine: Chipsets, Drivers, and Commands

A good thing about Linux drivers is their universal separation by the client card chipset: linux-wlan-ng, HostAP, and AirJack for Prism cards; Orinoco and HermesAP for Hermes cards; airo-linux for Cisco Aironet; Orinoco/Symbol24 for Symbol cards; vt_ar5k for Atheros 802.11a; and the initial ADM8211 drivers and Madwifi for the ADM8211 and Atheros 5212 chipsets, respectively, found in many 802.11a/b/g combo cards. However, all these drivers use the same /etc/pcmcia/wireless.opts configuration file, supplemented by more specific configurations such as wlan-ng.conf, hermes.conf, hostap_cs.conf, or vt_ar5k.conf. These additional files describe the 802.11 cards known to be supported by the driver they come with. As for the configuration utilities and scripts, the majority of the listed card types use Jean Tourrilhes's Linux Wireless Extensions, apart from linux-wlan-ng (which has its own wlancfg and wlanctl-ng configuration utilities) and Cisco Aironet (configured by editing a text file under /proc/driver/aironet that is created when the card is initialized, usually /proc/driver/aironet/eth1/Config). Being rather flexible, Cisco Aironet cards can also be configured using Linux Wireless Extensions or through the ACU GUI utility. Because of this difference there are separate initialization scripts for linux-wlan-ng (/etc/pcmcia/wlan-ng) and for cards configured using Linux Wireless Extensions (/etc/pcmcia/wireless).

Under BSD, wireless drivers for Prism and Hermes chipset cards are grouped into the wi interface driver, whereas Cisco Aironet cards are supported by the an device. Other (Free) BSD wireless device drivers you might encounter are ray for Raylink-based and awi for old Prism I cards.

The configuration of wireless client cards on BSD is done via the wicontrol utility for Prism and Hermes chipset cards (listed later in the chapter) or ancontrol for Cisco cards. On FreeBSD versions above 4.5, the functionality of both wicontrol and ancontrol is merged into ifconfig, but both utilities are still there. The startup configuration scripts for FreeBSD have to be written by the user, but this is easy; a good example of such a script, placed in /usr/local/etc/rc.d, is given in Bruce Potter and Bob Fleck's "802.11 Security." On OpenBSD, the necessary parameters for wireless card initialization can be added to the hostname.<interface> file, such as hostname.an0 or hostname.wi0.

Whereas the Linux and BSD configuration files and utilities are pretty much unified by the chipset type, under Windows these utilities and files are specific for a particular card brand. Thus, a comprehensive review is outside the scope of this book, considering the amount of 802.11 client cards available on the market. We suggest you read the instructions provided by the card manufacturer.

Making Your Client Card Work with Linux and BSD

The first step in installing your 802.11 client card under Linux or BSD is choosing the correct options in the kernel and compiling the pcmcia-cs Card Services. If you use a vanilla kernel or the kernel that comes with your default distribution installation, chances are that the modules for your wireless card are already compiled and included and the Set Version Information On All Module Symbols option is enabled. This is fine as long as you use Prism chipset cards only, which support RFMON sniffing mode by default with the majority of linux-wlan-ng driver versions; you can even compile Prism support into the kernel. Otherwise you should use patched (Orinoco/Hermes) or third-party (Sourceforge airo-linux) modules when setting up a system for security audits (the Aironet drivers that come with the latest Linux kernels are actually fine). Specific drivers such as HostAP do not come with the kernel and have to be compiled separately. In such cases you should disable Set Version Information On All Module Symbols and should not try to compile your card support into the kernel; compile it as modules instead (see Figure 4-1).

Figure 4.1. Kernel loadable modules support.



You can either skip selecting the modules coming with your kernel or overwrite them later with the patched modules when installing pcmcia-cs or card-specific drivers.

After the kernel compiles (read the Kernel-HOWTO if you have never compiled one), you should build the pcmcia-cs package. We do not recommend using the precompiled pcmcia-cs distribution packages, because of the patching and because you will need the pcmcia-cs sources later if you want to build other tools. Before building pcmcia-cs, you might need to apply the Shmoo patch, which can be obtained from http://airsnort.shmoo.com/orinocoinfo.html. Pick a patch appropriate for your particular pcmcia-cs version and execute:






arhontus:~# patch -p0 < pcmcia-cs-"your-pcmcia-cs-version"-orinoco-patch.diff


Alternatively, you can download the orinoco-cs driver, patch it, and replace the unpatched sources in /usr/src/pcmcia-cs-"current-version"-patched/wireless with the patched ones. You can also compile the patched modules separately and copy them into /lib/modules/"yourkernelversion"/pcmcia, perhaps over the unpatched ones that come with a distribution kernel. If you intend to do this, you need to disable the "Set version information on all module symbols" option. If you use Cisco Aironet, don't use the default drivers that come with the card or from the Cisco Web site, because they don't support RFMON mode. Instead, download the airo-linux drivers from Sourceforge (http://sourceforge.net/projects/airo-linux/). The easiest way of installing them is to copy the airo.c and airo_cs.c sources from airo-linux into the wireless subdirectory of pcmcia-cs. If you use the modules that come with the kernel, you'll have to apply the patch packaged with the airo-linux software; because this patch is only applicable to kernel 2.4.3, this is not recommended. However, all the latest kernels provide RFMON-enabled Aironet drivers, so if you keep your kernel up to date, you can safely use the modules that came with the kernel.

If you want to overwrite the original kernel modules, use the ./configure --force flag when compiling pcmcia-cs. Otherwise simply execute:





arhontus:~# make config

-------- Linux PCMCIA Configuration Script --------

The default responses for each question are correct for most users.
Consult the PCMCIA-HOWTO for additional info about each option.

Linux kernel source directory [/usr/src/linux]:

The kernel source tree is version 2.4.20.
The current kernel build date is Thu Mar 6 22:53:57 2003.

Build 'trusting' versions of card utilities (y/n) [y]:
Include 32-bit (CardBus) card support (y/n) [y]:
Include PnP BIOS resource checking (y/n) [n]:
Module install directory [/lib/modules/2.4.20]:

Kernel configuration options:
  Kernel-tree PCMCIA support is enabled.
  Symmetric multiprocessing support is disabled.
  PCI BIOS support is enabled.
  Power management (APM) support is enabled.
  SCSI support is enabled.
  IEEE 1394 (FireWire) support is disabled.
  Networking support is enabled.
  Radio network interface support is enabled.
  Token Ring device support is disabled.
  Fast switching is disabled.
  Frame Diverter is disabled.
  Module version checking is disabled.
  Kernel debugging support is enabled.
  Memory leak detection support is disabled.
  Spinlock debugging is disabled.
  Preemptive kernel patch is disabled.
  /proc filesystem support is enabled.

It looks like you have a System V init file setup.
X Window System include files found.
Forms library not installed.

If you wish to build the 'cardinfo' control panel, you need the forms
library and the X Window System include files.  See the HOWTO for details.

Configuration successful.

Your kernel is configured with PCMCIA driver support.  Therefore,
'make all' will compile the PCMCIA utilities but not the drivers.

arhontus:~# make all && make install && make clean

This will finish the job. You need to build the trusting versions of the card utilities if you want non-root users to be able to suspend and resume PCMCIA cards, reset cards, and change the current configuration scheme. The 32-bit CardBus support is only necessary for 32-bit CardBus cards, such as the current combo a/b/g cards and many recent 802.11a and 802.11b cards that support proprietary 22 Mbps or 108 Mbps speed enhancements; it is not needed for older 16-bit PC cards. Prism chipset card drivers such as prism2_cs and p80211 are not included in the wireless subdirectory of pcmcia-cs: they either come with the kernel or are built and installed when compiling linux-wlan-ng. Installing pcmcia-cs creates the /etc/pcmcia directory, which can be modified later when you compile other wireless card drivers such as linux-wlan-ng or HostAP. If you use multiple wireless cards with different chipsets on the same laptop, we recommend keeping a separate /etc/pcmcia configuration tree for each chipset, so that you can switch between cards easily. For example, if your current card is Orinoco and you want to change to a Prism card, a good option is this:





arhontus:/# rm -rf /etc/pcmcia && cp -r /usr/local/wireless/pcmcia-wlan-ng /etc/pcmcia && /etc/init.d/pcmcia restart

Make sure you have a backup for all of the configuration files. For your convenience we have included samples of PCMCIA configuration files for Wlan-ng, Hermes, HostAP, and Ark chipset cards on the http://www.wi-foo.com Web site. The given PCMCIA Ark configuration files also support Wlan-ng. As long as airo_cs and airo modules are correctly installed, the Cisco Aironet cards are unaffected by the peculiarities of /etc/pcmcia config files and will work with all config files without any need to restart PCMCIA services. You can always check the status of the card by using the cardctl:
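A safer way to do the same profile switch, as an added shell script that is not from the book: it validates the profile first, moves the live /etc/pcmcia aside as a backup instead of deleting it, and only then restarts card services. The pcmcia-<chipset> directory layout under /usr/local/wireless and the overridable PROFILE_ROOT, PCMCIA_DIR and PCMCIA_INIT variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: switch /etc/pcmcia between per-chipset
# profiles with a backup, instead of the bare "rm -rf && cp -r" one-liner.
# Assumed layout (mirrors /usr/local/wireless/pcmcia-wlan-ng in the text):
# one directory per chipset under $PROFILE_ROOT, named pcmcia-<name>.
# PCMCIA_DIR and PCMCIA_INIT default to the real paths; override for testing.

PROFILE_ROOT="${PROFILE_ROOT:-/usr/local/wireless}"
PCMCIA_DIR="${PCMCIA_DIR:-/etc/pcmcia}"
PCMCIA_INIT="${PCMCIA_INIT:-/etc/init.d/pcmcia}"

# profile_is_valid <dir>: 0 if <dir> looks like a usable PCMCIA profile,
# i.e. it carries the driver-independent wireless.opts plus at least one
# of the chipset-specific conf files named in the chapter.
profile_is_valid() {
    dir="$1"
    [ -d "$dir" ] && [ -f "$dir/wireless.opts" ] || return 1
    for f in wlan-ng.conf hermes.conf hostap_cs.conf vt_ar5k.conf; do
        [ -f "$dir/$f" ] && return 0
    done
    return 1
}

# switch_pcmcia_profile <name>: move the live config aside, copy in the
# named profile, restart card services. Prints the backup path on success.
switch_pcmcia_profile() {
    name="$1"
    src="$PROFILE_ROOT/pcmcia-$name"
    if ! profile_is_valid "$src"; then
        echo "no usable profile at $src" >&2
        return 1
    fi
    # Keep the old tree rather than rm -rf it, so a bad copy can be rolled back.
    backup="$PCMCIA_DIR.bak-$(date +%Y%m%d%H%M%S)"
    if [ -d "$PCMCIA_DIR" ]; then
        mv "$PCMCIA_DIR" "$backup" || return 1
    fi
    cp -r "$src" "$PCMCIA_DIR" || return 1
    # Only restart when the init script is present (it is not on a test box).
    if [ -x "$PCMCIA_INIT" ]; then
        "$PCMCIA_INIT" restart || return 1
    fi
    echo "$backup"
}
```

Run it as root, e.g. `switch_pcmcia_profile wlan-ng`, after populating /usr/local/wireless/pcmcia-wlan-ng and friends from the configuration samples mentioned above.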






arhontus:~# cardctl config && cardctl info && cardctl status


or even using the graphical cardinfo utility (Figure 4-2), which lets you control the card in the same way the /etc/init.d/pcmcia script does.

Figure 4.2. Cardinfo graphical utility.



To use 802.11a PCMCIA cards with an Atheros chipset, select the kernel PCMCIA support, compile the vt_ar5k driver (edit the Makefile if your Linux kernel source is not in /usr/src/linux), and insert "options vt_ar5k reg_domain=???" into /etc/modules.conf. The value depends on the country you are in and its power output regulations; the available options are fcc (U.S.), etsi (E.U.), and de (Germany and Japan). Alternatively, you can specify the option when the module is inserted (e.g., insmod vt_ar5k.o reg_domain=fcc). When the card services are restarted, you should see the module listed by lsmod and the card should be recognized.
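An added example (not the book's code) that writes the reg_domain option into /etc/modules.conf idempotently, rewriting an existing "options vt_ar5k" line rather than appending a duplicate, and rejects any value other than the three listed above. The helper names and the overridable conf path are assumptions.

```shell
#!/bin/sh
# Added example, not from the book: set the vt_ar5k regulatory domain in
# /etc/modules.conf idempotently, rejecting values the driver does not
# document. Assumed: the three domains listed in the text (fcc, etsi, de)
# are the only valid ones; the conf path defaults to /etc/modules.conf
# and can be overridden for testing.

# get_vt_ar5k_domain [conf]: print the currently configured reg_domain
# (prints nothing if the file has no "options vt_ar5k" line).
get_vt_ar5k_domain() {
    conf="${1:-/etc/modules.conf}"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*options[[:space:]][[:space:]]*vt_ar5k.*reg_domain=\([A-Za-z]*\).*/\1/p' "$conf" | head -n 1
}

# set_vt_ar5k_domain <domain> [conf]: replace an existing "options vt_ar5k"
# line or append one, so repeated runs never leave duplicate option lines.
# Returns 2 for an unknown domain and leaves the file untouched.
set_vt_ar5k_domain() {
    domain="$1"
    conf="${2:-/etc/modules.conf}"
    case "$domain" in
        fcc|etsi|de) ;;
        *) echo "unknown reg_domain '$domain' (use fcc, etsi or de)" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk -v line="options vt_ar5k reg_domain=$domain" '
        /^[ \t]*options[ \t]+vt_ar5k([ \t]|$)/ {
            if (!done) { print line; done = 1 }   # rewrite first match, drop repeats
            next
        }
        { print }
        END { if (!done) print line }             # no such line yet: append one
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}
```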

Alternatively, you can use the Madwifi project drivers, in particular when trying to set up and configure a combo 802.11a/b/g Atheros chipset card. As of the time of writing, the latest version of the driver was madwifi-20030802, but as we have found out, the CVS version is more stable, provides support for more Wi-Fi cards and has faster network performance.

To obtain the latest CVS driver use the following command:






arhontus:$ cvs -z3 \
    -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/madwifi co madwifi


To compile these modules for 2.6.x Linux kernels, you should consider downloading the relevant patches from the project page. For illustration purposes, this section describes madwifi installation under 2.4.x kernels. To compile the Wi-Fi modules, change the current working directory to the madwifi CVS checkout and issue:






arhontus:$ make all && make install


To load the modules, make sure the Wi-Fi card is inserted and type modprobe ath_pci. If all goes well, the output of the lsmod and iwconfig commands should look similar to this:






arhontus:~# lsmod
Module                  Size  Used by    Tainted: P
ath_pci                31952   1
wlan                   45512   1 [ath_pci]
ath_hal               101152   1 [ath_pci]

arhontus:~# iwconfig ath0
ath0      IEEE 802.11  ESSID:"ComboNet"
          Mode:Managed  Frequency:2.412GHz  Access Point: 00:30:BD:9E:50:7C
          Bit Rate:54Mb/s   Tx-Power:off   Sensitivity=0/242700000
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:4330-4445-3145-4537-4330-4747-45   Security mode:open
          Power Management:off
          Link Quality:0/1  Signal level:-216 dBm  Noise level:-256 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0


For the card interface configuration use Linux Wireless Extensions, as described in the next chapter. If you require further information about the madwifi driver, consult the README file in the madwifi directory.

Tip


There are many wireless card chipsets and corresponding Linux drivers that differ from the mainstream Prism, Hermes, Aironet, and Atheros. Some of these chipsets and drivers, such as Symbol24, have been mentioned earlier. Unfortunately, we cannot cover them all, as it would require a book of its own. We also do not review the drivers' internals for the same reason, even though we consider this area to be of great interest for people interested in hacking. If you want to know more about this area, we suggest studying Jean Tourrilhes's Linux wireless drivers page, in particular http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers.html#Prism2-hostAP, and following the links it provides. It gives good insight for anyone interested in the modification and development of wireless client card drivers, or for people who want to know why Hermes chipset cards have three different drivers or what the difference is between the function and structure of the prism2_cs and p80211 linux-wlan-ng modules for Prism cards. Please note that we do not discuss the installation of the HostAP and AirJack drivers in this chapter, as they are described in the review of man-in-the-middle attacks.


On BSD systems the installation of wireless drivers is more straightforward: You use the wi or an device drivers that come with the system. Ensure that your kernel configuration file in /usr/src/sys/i386/conf has PCMCIA support.

An example of FreeBSD configuration is as follows:






device card
device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable
options WLCACHE
options WLDEBUG
options PCIC_RESUME_RESET


Do not forget to add pccard_enable="YES" to /etc/rc.conf. You might also need to add pccard_mem="DEFAULT" to the rc.conf configuration file and specify an unused IRQ and any additional options you like in /etc/pccard.conf. For example:






# Lucent WaveLAN/IEEE PCMCIA card
card "Lucent Technologies" "WaveLAN/IEEE"
    config 0x1 "wi0" 10
    insert echo Lucent card inserted
    insert /etc/pccard_ether wi0
    remove echo Lucent card removed
    remove /sbin/ifconfig wi0 delete


In this example, the "10" in the config 0x1 "wi0" 10 line is the IRQ.

In OpenBSD, the kernel configuration options to recognize PCMCIA 802.11 cards would look like this:






# PCMCIA controllers
pcic*   at pci? dev? function?
# PCMCIA bus support
pcmcia* at pcic? controller? socket?
pcmcia* at tcic? controller? socket?
wi*     at pcmcia? dev? function?
an*     at pcmcia? function?


The list of cards supported by wi in accordance with the OpenBSD manuals is given in Table 4-1.

Table 4.1. Supported Wireless Cards in BSD

Card                                Chip        Bus
3Com AirConnect 3CRWE737A           Spectrum24  PCMCIA
3Com AirConnect 3CRWE777A           Prism-2     PCI
ACTIONTEC HWC01170                  Prism-2.5   PCMCIA
Addtron AWP-100                     Prism-2     PCMCIA
Agere Orinoco                       Hermes      PCMCIA
Apple Airport                       Hermes      macobio
Buffalo AirStation                  Prism-2     PCMCIA
Buffalo AirStation                  Prism-2     CF
Cabletron RoamAbout                 Hermes      PCMCIA
Compaq Agency NC5004                Prism-2     PCMCIA
Contec FLEXLAN/FX-DS110-PCC         Prism-2     PCMCIA
Corega PCC-11                       Prism-2     PCMCIA
Corega PCCA-11                      Prism-2     PCMCIA
Corega PCCB-11                      Prism-2     PCMCIA
Corega CGWLPCIA11                   Prism-2     PCI
Dlink DWL520                        Prism-2.5   PCI
Dlink DWL650                        Prism-2.5   PCMCIA
ELSA XI300                          Prism-2     PCMCIA
ELSA XI325                          Prism-2.5   PCMCIA
ELSA XI325H                         Prism-2.5   PCMCIA
ELSA XI800                          Prism-2     CF
EMTAC A2424i                        Prism-2     PCMCIA
Ericsson Wireless LAN CARD C11      Spectrum24  PCMCIA
Gemtek WL-311                       Prism-2.5   PCMCIA
Hawking Technology WE110P           Prism-2.5   PCMCIA
I-O DATA WN-B11/PCM                 Prism-2     PCMCIA
Intel PRO/Wireless 2011             Spectrum24  PCMCIA
Intersil Prism II                   Prism-2     PCMCIA
Intersil Mini-PCI                   Prism-2.5   PCI
Linksys Instant Wireless WPC11      Prism-2     PCMCIA
Linksys Instant Wireless WPC11 2.5  Prism-2.5   PCMCIA
Linksys Instant Wireless WPC11 3.0  Prism-3     PCMCIA
Lucent WaveLAN                      Hermes      PCMCIA
NANOSPEED ROOT-RZ2000               Prism-2     PCMCIA
NDC/Sohoware NCP130                 Prism-2     PCI
NEC CMZ-RT-WP                       Prism-2     PCMCIA
Netgear MA401                       Prism-2     PCMCIA
Netgear MA401RA                     Prism-2.5   PCMCIA
Nokia C020 Wireless LAN             Prism-I     PCMCIA
Nokia C110/C111 Wireless LAN        Prism-2     PCMCIA
Nortel E-mobility 211818-A          Spectrum24  PCI
NTT-ME 11Mbps Wireless LAN          Prism-2     PCMCIA
Proxim Harmony                      Prism-2     PCMCIA
Proxim RangeLAN-DS                  Prism-2     PCMCIA
Samsung MagicLAN SWL-2000N          Prism-2     PCMCIA
Symbol Spectrum24                   Spectrum24  PCMCIA
Symbol LA4123                       Spectrum24  PCI
SMC 2632 EZ Connect                 Prism-2     PCMCIA
TDK LAK-CD011WL                     Prism-2     PCMCIA
US Robotics 2410                    Prism-2     PCMCIA
US Robotics 2445                    Prism-2     PCMCIA


You can also check the lists of networking equipment in Appendix B for more compatibility information. If your card is in the list of supported hardware and you have modified the BSD kernel config file as shown earlier and recompiled the kernel, everything should work. We'll emphasize this point one more time: If you want to use BSD as the primary platform for proper wireless penetration testing, you'll need a Prism chipset card, and 802.11a will remain out of reach until the appropriate drivers are developed (if ever, considering the current 802.11g spread and popularity).
