January 19, 2007

Auditing Wireless Networks from Windows using VMware and BackTrack 2.0

One of the major constraints to Windows-based wireless network auditing is the lack of open-source wireless security tools and advanced wireless drivers for this OS; however, this is not the case with Linux.

Although in other security fields this limitation can be easily avoided by running Linux inside a VMware (or other virtual) environment executing on Windows, when talking about wireless technologies this is a problem, because VMware doesn't provide native PCMCIA support yet. A PCMCIA wireless card is mapped in VMware as a standard PCnet-II Ethernet wired card. This means that you cannot manage the wireless card settings or, even worse, put it in monitor mode or enable its traffic injection capabilities.

Fortunately, VMware's native USB support comes to the rescue!! You can buy a USB wireless dongle, such as the Conceptronic C54RU (available for around 20€), and get access to all wireless features from inside the virtual machine.

The main Live CD Linux-based distribution for wireless testing nowadays is BackTrack v2.0 Public Beta. Unfortunately, it doesn't provide support for the Ralink RT73 chipset that lives inside the C54RU v2. You can check if your C54RU has the RT73 chipset by running the following command:
# lsusb
Bus 001 Device 002: ID 14b2:3c22
If the ID ends in "22", it is v2, thus chipset RT73. If it ends in "02", it is v1, thus chipset Ralink RT2570. BackTrack v2.0 provides support for the RT2570 chipset by default through the rt2500 driver. BTW, other wireless Live CD distributions, such as Wifislax (Spanish), provide support for the Ralink RT73 by default.

How to setup the Ralink RT73 driver (Conceptronic C54RU v2) in BackTrack v2.0?

Step 1. Download the latest RT73 driver source code from http://rt2x00.serialmonkey.com/rt73-cvs-daily.tar.gz.

Step 2. Download and review this basic setup.sh script.

Step 3. Copy both files, the shell script and the tar.gz, to the same directory.

Step 4. Give the setup.sh script read and execute permissions (chmod 500 setup.sh).

Step 5. Run ./setup.sh (as root).

Once the script finishes, you can configure your C54RU in monitor mode:
# iwconfig rausb0 mode monitor
And, enable the C54RU injection mode (in monitor mode):
# iwpriv rausb0 rfmontx 1
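As an added example (not part of the original post or of the rt2x00 project), a small POSIX shell script that applies the lsusb check described above to identify the C54RU revision and that wraps the two post-setup commands so that monitor mode is verified from the iwconfig output instead of assumed. The interface name rausb0, the vendor ID 14b2 and the "22"/"02" suffix rule come from the post; the sample lsusb output is constructed.

```shell
#!/bin/sh
# Added example: identify the attached C54RU revision from lsusb output and
# verify that rausb0 really entered monitor mode after configuring it.

# Map a USB ID (as printed by lsusb) to the Ralink chipset, using the
# suffix rule from the post: ...22 is v2 (RT73), ...02 is v1 (RT2570).
c54ru_chipset() {
  case "$1" in
    14b2:*22) echo RT73 ;;    # v2: needs the rt73 driver built by setup.sh
    14b2:*02) echo RT2570 ;;  # v1: served by BackTrack 2.0's rt2500 driver
    *)        echo unknown ;;
  esac
}

# Print the first Conceptronic (vendor 14b2) ID found in lsusb-style output on stdin.
find_c54ru_id() {
  sed -n 's/.*ID \(14b2:[0-9a-f]\{4\}\).*/\1/p' | head -n 1
}

# Return 0 if iwconfig-style output on stdin shows the interface in monitor mode.
iwconfig_is_monitor() {
  grep -q 'Mode:Monitor'
}

# Put the adapter in monitor mode, enable injection, then confirm the mode change
# by re-reading iwconfig rather than trusting the commands' exit status alone.
enable_monitor_injection() {
  ifc="${1:-rausb0}"
  iwconfig "$ifc" mode monitor || return 1
  iwpriv "$ifc" rfmontx 1 || return 1
  iwconfig "$ifc" 2>/dev/null | iwconfig_is_monitor
}

# Constructed sample lsusb output (the v2 ID is the one shown in the post).
SAMPLE_LSUSB='Bus 001 Device 001: ID 0000:0000
Bus 001 Device 002: ID 14b2:3c22'

if [ "${1:-}" = "--configure" ]; then
  enable_monitor_injection "${2:-rausb0}" && echo "monitor mode and injection enabled"
else
  id=$(printf '%s\n' "$SAMPLE_LSUSB" | find_c54ru_id)
  echo "C54RU id $id -> chipset $(c54ru_chipset "$id")"
fi
```

Run it without arguments to see the chipset detection on the sample output; run it as root with --configure [interface] inside the VM once setup.sh has finished.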

<plug> Interested in advanced wireless security training? I will be teaching SANS SEC617, Assessing and Securing Wireless Networks, in Prague on February 12-17. Updated to BackTrack v2.0!! </plug>

4 Comments:

Anonymous said...

I am beginning with auditing wireless networks. I have been testing to detect wireless networks (with my access point only), and try to obtain the key.
I gain access with WEP keys, but now I am studying how to crack WPA keys. I have found a tool called genpmk and cowpatty, but it needs a dictionary file. Do you know where I can find a good dict file? I am a Spanish guy, so I think the dict file must contain Spanish words.

Good job and regards

7:25 PM  
Raul Siles said...

Although the post is not directly related to auditing wireless encryption ;-), the following links provide good basic dictionaries to start with:

Openwall (John the Ripper) wordlist collection (Spanish, CD ($))

Roamer's dictionary (33MB, Save As...)

Church of WiFi password list

Also, don't forget to ask the oracle :-)

12:42 AM  
Anonymous said...

Hi.

I'm studying WiFi security and need some help.
I'm using VMware Server with BackTrack (Slax) and I need to know how to use traffic injection; is the WUSB54GC capable of doing it, or do I need to use the Live CD for my Intel 945abg?

Any comment?

thanks

5:46 PM  
Raul Siles said...

VMware can only provide "native" access to USB ports, and not to any other interface type: PCMCIA, miniPCI, etc. Therefore, only USB-based wireless cards can be used as wireless cards (and not as basic Ethernet cards) inside a VM.

2:44 PM  
