QUICK AND DIRTY SETUP


patching:

NOTE: this patch will only work with openbsd 3.2 release.

first you need to patch your kernel source, so make sure it's handy in
/usr/src/sys:

$ cd wnet
$ sudo patch -d /usr/src -p1 < wi.diff

now rebuild your kernel, and make sure you copy over the new if_wi*.h's:

$ cd /usr/src/sys/i386/compile/MYKERNEL
$ make
$ sudo make install
$ cd /usr/src/sys/dev/ic
$ sudo cp if_wi*.h /usr/include/dev/ic
$ sudo reboot


compilation:

first you'll need to compile and install libwnet:

$ cd wnet/libwnet
$ make
$ sudo make install

then you'll be able to compile dinject and/or reinj:

$ cd ../dinject
$ make
$ sudo make install

$ cd ../reinj
$ make
$ sudo make install


running:

now, to set the card into hostap injection/monitor mode all you have to do is:

$ sudo wicontrol wi0 -p 5

and optionally set the channel you would like to inject/monitor on:

$ sudo wicontrol wi0 -f 11


reinj attack:

to attempt the reinj attack, setup your ap with wep and make sure there's a
node connected to it. now, setup your attacking machine with injection/monitor
mode and on the same channel as your ap:

$ sudo wicontrol wi0 -p 5 -f 11

now, run reinj and supply the bssid of your ap plus any additional options. if
you don't know the bssid of your ap, just run prism2dump wi0 -p; the mac address
in the beacons should be your ap's bssid:

$ sudo reinj wi0 00:12:34:56:78:90 1000000 2

NOTE: the interval setting is the number of hz to wait between each injection;
normally a hz is 1/100 of a second. i've found that if you set it to 1, it
will inject a lot faster, but the card will have to be reset every 5-10
seconds. my patches will auto-reset the card when there are transmit errors,
although it takes around 1 second to reset the card, so you will lose
transmit time every time it's reset.

you will start to see .'s on the screen; each dot is a packet on the network,
and most of the ones you see are probably beacon packets. now, you'll probably
want to fire up dwepdump on a different terminal to start logging weak ivs:

$ sudo dwepdump -w wi0 crack.log

now, to start the attack, simply create a telnet session from one of your
wireless clients to another machine:

$ telnet 192.168.0.69 80

reinj should see either the arp or one of the tcp packets and then attempt to
reinject it to generate traffic. it will do this 5 times to verify, and then
start to inject at the specified interval. you should see your dwepdump status
start cranking fairly fast; most tcp packets should generate 2 packets per
injection, whereas arps should be 1 to 1. also, since dwepdump is picking up
your own injections as well, you'll have to look for roughly 1/3 more packets
than normal, although the weak iv counters should still apply as normal unless
you reinject a weak iv packet. results may vary.
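the behaviour described above has a simple defensive signature: a wep data frame carries its iv in the clear and wep has no replay counter, so a reinjected frame is byte-for-byte identical to the original, and a monitor-mode sniffer on the ap's channel sees the same (bssid, source, iv, ciphertext) tuple over and over. the following detector is an added example written for this readme; it is not part of wnet, reinj or dwepdump. the WepFrame record, the find_replays function, its threshold and window parameters, and all frame data are constructed assumptions of the example, not captured traffic.

```python
"""Replay detector for WEP-encrypted 802.11 data frames (added example).

A reinjection attack replays one captured data frame unchanged, so the
cleartext IV and the ciphertext repeat exactly.  Legitimate stations
rotate the IV on every frame, so an identical tuple repeated many times
in a short window is a strong replay indicator.  802.11 link-layer
retransmissions also duplicate a frame, but they set the Retry bit and
the injected copies do not, so retries are excluded before counting.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class WepFrame:
    """Minimal view of a captured WEP data frame (assumed record layout)."""
    ts: float       # capture timestamp, seconds
    bssid: str      # AP address the frame belongs to
    src: str        # transmitting station address
    iv: bytes       # 3-byte WEP IV, sent in the clear
    body: bytes     # ciphertext (payload + encrypted ICV)
    retry: bool     # 802.11 Retry flag from the frame control field


def frame_key(f):
    """Identity of a frame for replay purposes: who sent it, under which IV, with which ciphertext."""
    return (f.bssid, f.src, f.iv, hashlib.sha256(f.body).hexdigest())


def find_replays(frames, threshold=5, window=10.0):
    """Return {frame_key: max_repeats} for keys repeated >= threshold times within any window of seconds.

    threshold=5 mirrors the verification phase described in the readme (the
    injector repeats the frame 5 times before settling into its interval).
    """
    stamps_by_key = defaultdict(list)
    for f in sorted(frames, key=lambda f: f.ts):
        if f.retry:                       # link-layer retransmission, not an injection
            continue
        stamps_by_key[frame_key(f)].append(f.ts)

    alerts = {}
    for key, stamps in stamps_by_key.items():
        # sliding window over the sorted timestamps: widest run within `window` seconds
        j = 0
        best = 0
        for i, t in enumerate(stamps):
            while stamps[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts[key] = best
    return alerts


def build_sample():
    """Constructed capture: normal traffic, one benign retry, then a replayed frame."""
    bssid = "00:12:34:56:78:90"            # constructed AP address
    sta = "00:aa:bb:cc:dd:ee"              # constructed client address
    frames = []
    # 30 legitimate frames, fresh IV each time, one every half second
    for i in range(30):
        frames.append(WepFrame(ts=i * 0.5, bssid=bssid, src=sta,
                               iv=i.to_bytes(3, "big"), body=bytes([i]) * 40, retry=False))
    # benign 802.11 retransmission of frame 7: same IV/ciphertext, Retry bit set
    frames.append(WepFrame(ts=3.6, bssid=bssid, src=sta,
                           iv=(7).to_bytes(3, "big"), body=bytes([7]) * 40, retry=True))
    # replay of frame 3 (an ARP-sized frame): 12 identical copies over ~3 seconds
    for k in range(12):
        frames.append(WepFrame(ts=20.0 + 0.25 * k, bssid=bssid, src=sta,
                               iv=(3).to_bytes(3, "big"), body=bytes([3]) * 40, retry=False))
    return frames


if __name__ == "__main__":
    for key, count in find_replays(build_sample()).items():
        bssid, src, iv, _ = key
        print(f"replay suspected: bssid={bssid} src={src} iv={iv.hex()} repeats={count}")
```

the check deliberately keys on the ciphertext as well as the iv: two frames that share an iv but differ in ciphertext are iv reuse by the station, a separate weakness, and would not be flagged here. on a real capture the records would be filled from the 802.11 header (frame control retry bit, addresses) and the first three bytes of the wep body.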


PLEASE SEND ME FEEDBACK: h1kari@dachb0den.com
