FreeBSD 9.0 ath driver injection with aireplay_ng returns input/output error in AHDemo and Monitor mode

Lars Engels lars.engels at 0x20.net
Tue Feb 7 08:17:11 UTC 2012


On Mon, Feb 06, 2012 at 09:05:32PM +0100, Bernhard Schmidt wrote:
> On Monday 06 February 2012 20:57:35 Merlin Corey wrote:
> > Hello,
> > 
> > On Mon, Feb 6, 2012 at 5:35 PM, Bernhard Schmidt <bschmidt at freebsd.org> wrote:
> > > On Monday 06 February 2012 15:32:42 Merlin Corey wrote:
> > >> Hello,
> > >>
> > >> Like some a year before me, from a thread two years before me (
> > >> http://forums.freebsd.org/showthread.php?t=10042 ), I am interested in
> > >> making my (pun intended) penultimate pen-testing netbook on my
> > >> favorite operating system, FreeBSD; alas, I am not able to make use of
> > >> the atheros card in said netbook for the purposes of injection.
> > >>
> > >> It is perhaps worth noting that I started this project on FreeBSD
> > >> 8.x, but my card (AR9285 card=0x10891a3b chip=0x002b168c rev=0x01 hdr=
> > >> 0x00) was only working at what seemed half power and would constantly
> > >> take itself up/down.  I have since updated the system to 9.0-RELEASE
> > >> and experienced what appeared to be fully functioning wireless until
> > >> now.
> > >>
> > >> In the thread linked above, there is a mention of a kernel patch which
> > >> allows writing in monitor mode - I desperately applied this patch
> > >> after finding that the instructions to patch aircrack itself seem to
> > >> have already been applied either in ports or upstream.
> > >>
> > >> Now, I can run airodump just fine, but when I try to do injection test
> > >> with aireplay in either ahdemo or monitor mode, I simply end up with a
> > >> bunch of "wi_write(): Input/output error" messages.
> > >>
> > >> I am not really sure how to proceed in further debugging this issue;
> > >> should I turn wlandebug on, and if so, which bit is best, or should I
> > >> just throw them all?  Perhaps something else entirely?
> > >>
> > >> Is this maybe a problem with my card itself?
> > >>
> > >> Any push in the right direction would be greatly appreciated.
> > >
> > > Can you set a channel and ssid before starting any kind of injection? Something like
> > > ifconfig wlan0 create wlandev ath0 wlanmode ahdemo
> > > ifconfig wlan0 channel 1 ssid foobar up
> > >
> > > If I remember correctly, the interface will otherwise scan
> > > indefinitely trying to find an open network to connect to. Setting
> > > a channel/ssid will ensure that the interface moves into RUN state
> > > (you can verify that with wlandebug +state) which should allow
> > > injection. Trying to do so while in eg. SCAN state is really too
> > > racy due to all the channel changes going on.
> > >
> > > Basically, injection is a real mess currently and neither monitor
> > > nor ahdemo mode are really that well suited for that purpose.
> > > Monitor mode is designed to be totally mute while ahdemo is adhoc
> > > mode without mgmt frames but a lot of unnecessary logic behind it.
> > > Guess we should really think about a new mode specially designed
> > > to handle those needs, or re-enable injection in monitor mode
> > > which would break its initial purpose.. thoughts?
> > >
> > > --
> > > Bernhard
> > 
> > As per the directions given to me by Bernhard, I have tested ahdemo
> > and monitor mode injection with wlandebug +states.  In short, it seems
> > that indeed ahdemo mode complains about moving from INIT to RUN state
> > unexpectedly, and monitor mode goes back to SCAN state making it not
> > very useful for this purpose given the stated issues with SCAN state.
> > 
> > First, the general output of aireplay-ng -9:
> > wi_write(): Input/output error
> > ... repeat last message 28 times ...
> > wi_write(): Input/output error
> > wi_write(): Input/output error
> > 19:34:43   0/30:   0%
> > 
> > Finally, below my signature, I have included the /var/log/messages
> > output annotated with comments indicating which shell commands were
> > being run before the messages were output in the form of comments with
> > three hashmarks.
> 
> Yeah.. air* does a lot of stuff, not all of it being that useful. It
> might simply be that it resets the device and therefore the
> configuration. I'll have a look tomorrow.

Yup, maybe we can improve aircrack-ng and get some patches upstream?


> 
> In the meantime, can you give /usr/src/tools/tools/net80211/wlaninject
> a shot?
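The advice in the thread boils down to two things: build the wlan interface in ahdemo mode with a fixed channel and ssid, and confirm the interface has actually reached RUN state before anything tries to transmit, since writes made while net80211 is still in SCAN state are what surface as "wi_write(): Input/output error". The script below is an added example, not code from any of the posters or from FreeBSD; it wraps the two ifconfig commands from Bernhard's reply (printing them unless RUN_IT=1, so they can be reviewed before running as root) and adds a check_ready function that reads ifconfig(8) output and passes only when the mode, status and channel lines look right. The ifconfig output format it parses, and the two sample outputs embedded at the bottom, are assumptions constructed for the example; ath0/wlan0/channel 1/foobar are the placeholder values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): set up an ahdemo interface the way the
# reply suggests, then verify it is in a state where injection can work.

# Echo the ifconfig commands unless RUN_IT=1 (they need root on real hardware).
run() {
    if [ "${RUN_IT:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Create wlan0 on top of ath0 in ahdemo mode with a fixed channel and ssid.
# Arguments: parent wlan channel ssid (defaults are the thread's placeholders).
setup_ahdemo() {
    parent=${1:-ath0}; wlan=${2:-wlan0}; chan=${3:-1}; ssid=${4:-foobar}
    run ifconfig "$wlan" create wlandev "$parent" wlanmode ahdemo
    run ifconfig "$wlan" channel "$chan" ssid "$ssid" up
}

# Read "ifconfig wlanN" output on stdin. Return 0 only when the interface is
# in adhoc-demo mode, reports "status: running" (net80211 RUN state) and has
# a channel set. Anything else is the racy SCAN/INIT situation from the thread.
check_ready() {
    out=$(cat)
    mode_ok=0; status_ok=0; chan_ok=0
    echo "$out" | grep -q 'mode [0-9a-z]* <adhoc-demo>' && mode_ok=1
    echo "$out" | grep -q '^[[:space:]]*status: running' && status_ok=1
    echo "$out" | grep -Eq 'ssid [^ ]+ channel [0-9]+' && chan_ok=1
    if [ "$mode_ok" -eq 1 ] && [ "$status_ok" -eq 1 ] && [ "$chan_ok" -eq 1 ]; then
        echo "ready: ahdemo mode, RUN state, channel fixed"
        return 0
    fi
    echo "not ready: mode_ok=$mode_ok status_ok=$status_ok chan_ok=$chan_ok" >&2
    return 1
}

# Constructed sample outputs (assumed ifconfig(8) layout, not captured data).
SAMPLE_READY='wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:01
    media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <adhoc-demo>
    status: running
    ssid foobar channel 1 (2412 MHz 11g) bssid 02:00:00:00:00:01
    regdomain FCC country US authmode OPEN privacy OFF txpower 30'

SAMPLE_SCANNING='wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 00:00:00:00:00:01
    media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <adhoc-demo>
    status: no carrier
    ssid "" channel 6 (2437 MHz 11g)
    regdomain FCC country US authmode OPEN privacy OFF txpower 30'

# Usage on a real box: RUN_IT=1 ./preflight.sh, then
#   ifconfig wlan0 | check_ready && aireplay-ng -9 wlan0
# Here we only show the commands and run the checks on the samples.
setup_ahdemo ath0 wlan0 1 foobar
echo "$SAMPLE_READY" | check_ready
echo "$SAMPLE_SCANNING" | check_ready || echo "(as expected: refuse to inject while scanning)"
```

The status line is the important one: "status: running" is what ifconfig prints once net80211 has moved to RUN, which is the same transition wlandebug +state would show. If the check fails with a "no carrier" status the interface is still scanning, and retrying the write will keep producing the I/O errors rather than help.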