HCL:Wireless

From Offensive-security.com

Wireless Cards And Drivers
This section lists Cards that have been tested with BackTrack. If you have tested a card that does not appear on this list,
please add it in!
BackTrack V.2.0-BackTrack V.3.0 (Final) has the following drivers included, in addition to the standard 2.6.20/2.6.21.5
kernel drivers:
• madwifi-ng (Patched for Injection)
• hostap (Patched for Injection)
• prism54 (Patched for Injection)
• bcm43xx (Patched for Injection)
• rtl8180 [1] (Patched for Injection)
• rtl8187 (Patched for Injection)
• ipw2200 (Patched for Injection)
• rt2570 (ASPj's Drivers)
• rt2500 [2] (not sure if patched already but can be added with this link http://aircrack-ng.org/doku.php?id=rt2500&DokuWiki=c3d1aad1f57c675981be7c8290e369d6)
• rt61
• rt73
• ipw2100
• ipw3945
• acx100 (Patch available -BETA-)
• zd1211rw (Patch available -BETA-)
• wlan-ng HAS BEEN REMOVED! Prism2 card owners should use the Hostap Drivers
-muts
The links provided above for the driver of the chipset are the links to the developer's actual homepage. If you want to
know where the patches are coming from, click on the link that says something similar to the word `patch'. Note that the
links provided may not be current and that patches may/may not work. You have been forewarned.
- hatake_kakashi

Notes about VMWare or any other virtualisation software


VMWare and other virtualisation software generally do not give a guest OS (BackTrack 2, BackTrack 3 or any other) full access to devices that are not USB, and that includes wireless devices. If your card is PCI, PCI-E, PCMCIA, Mini-PCI, Mini-PCIe or ExpressCard, do not ask for virtualisation support in either #remote-exploit or the forum, as this is beyond our control.
More information may be found at Talk:HCL:Wireless or on the forum.

Notes for broadcom owners


Broadcom has used some of the BCM43XX designations for more than one flavor of card. To tell for sure if your card is supported, use the command 'lspci -n | grep 14e4'.
If 14e4:XXXX is 4301, 4307, 4311, 4312, 4318, 4319, 4320, 4321 (aka 4306 802.11b/g? only), 4324, or 4325, the card is supported with the b43 driver.
All others, with IDs 4313, 4315 (4310?), 4328 (4321 802.11n dualband), 4329 (4321 802.11n 2.4GHz), 432a (4321 802.11 5GHz), 432b (4322), 432c and 432d, can only use Broadcom's linux_sta driver, which is similar to using ndiswrapper.
You will need kernel.lzm if you downloaded the CD-ROM version, and you will need to compile this driver. If the driver does not work you may also need compat-wireless, and/or to search for possible answers via Google. Last but not least, there is absolutely NO support whatsoever with linux_sta for monitoring/injecting. Desperate users can try joining their mailing list.
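
An added example (not part of the original wiki page): a shell helper that applies the ID lists above to `lspci -n` output. The function names and the sample lspci lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): map Broadcom device IDs seen in
# `lspci -n` output to the driver this page lists for them.

# classify_bcm DEVICE_ID
# Prints "b43", "linux_sta" or "unlisted". ID lists are copied from the page.
classify_bcm() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$id" in
        4301|4307|4311|4312|4318|4319|4320|4321|4324|4325)
            echo "b43" ;;
        4313|4315|4328|4329|432a|432b|432c|432d)
            # linux_sta: per the page, no monitor mode or injection support
            echo "linux_sta" ;;
        *)
            # The page says all other IDs need linux_sta; IDs it does not
            # name are flagged here so they can be checked by hand.
            echo "unlisted" ;;
    esac
}

# report_bcm: reads `lspci -n` output on stdin and prints
# "14e4:<device> <driver>" for each Broadcom (vendor 14e4) device.
# Matching "14e4:" as the vendor half avoids the false hits a bare
# `grep 14e4` gives when another vendor's device ID happens to be 14e4.
report_bcm() {
    tr 'A-F' 'a-f' |
    sed -n 's/^.* 14e4:\([0-9a-f]\{4\}\).*$/\1/p' |
    while read -r device; do
        printf '14e4:%s %s\n' "$device" "$(classify_bcm "$device")"
    done
}

# Constructed sample of `lspci -n` output (not captured from real hardware).
sample_lspci() {
    cat <<'EOF'
00:1f.2 0101: 8086:27c4 (rev 02)
03:00.0 0280: 14e4:4311 (rev 01)
0c:00.0 0280: 14E4:4328 (rev 03)
0d:00.0 0200: 10ec:14e4 (rev 01)
EOF
}

# On a live system: lspci -n | report_bcm
sample_lspci | report_bcm
```
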

Tested Card List


PCI
Asus WL-138g v2
• Driver : bcm43xx
• Chipset : Broadcom
• External Antenna: Reverse connector (RP-SMA) with a detachable antenna
Works out of the box.

Belkin F5D8001
• Works out of the box.

CNet CWP-854
• Driver : rt2500
• Chipset : Ralink 2500
• External Connectors: RP-SMA
• Works out of the box.

Dlink DWA-520
• Driver : Madwifi-ng
• Chipset : Atheros
• External Connectors : RP-SMA
• Works out of the box in BT3 Final. Injection is perfect.
• Product link : http://www.dlink.com.my/products/?idproduct=199

Dlink DWA-552
• Driver : Madwifi-ng
• Chipset : Atheros AR5212 a/b/g/n
• For Kismet, edit your kismet.conf file (/usr/local/etc/kismet.conf) to "source=madwifi_g,wifi0,Atheros"
• Notice: To set up your MAC (optional) and switch into Monitor Mode type:
airmon-ng stop ath0

macchanger -a wifi0

iwconfig ath0 mode Monitor


Dlink DWL-AG530
• Works out of the box.

Dlink DWL-G520
• Chipset : Atheros
• External Antenna: RP-SMA
• Works out of the box.

Dlink DWL-G550
• Chipset : Atheros AR5212 (within AR5002X)
• External Antenna: Yes, omni-directional dipole antenna with 5dBi
• Works great out of the box.
http://www.dlink.com/products/?sec=0&pid=414

Dlink DWL-G510
• Chipset : Atheros AR5212a/b/g; Ralink RT73
• Driver : madwifi-ng; rt73
• External Antenna: REV-SMA
Read here

Dynex DX-EBDTC
• Chipset : Broadcom
• Works right out of the box. Injection and monitor mode IS supported.

Foxconn WLL-3350
• Driver: rt2500

MSI PC60G
• Driver : RT61
• Chipset : Ralink
• Works out of the box. Injection and such (wireless tools) not functional
http://global.msi.com.tw/index.php?func=proddesc&prod_no=1063&maincat_no=131

Netgear WG311T
• Driver : Madwifi-ng
• Chipset : Atheros
• External Antenna: RP-SMA Connector
Works perfectly out of the box. Injection works as well.
http://www.netgear.com/Products/Adapters/SuperGWirelessAdapters/WG311T.aspx

Netgear WPN311
• Driver : Madwifi-ng
• Chipset : Atheros
• External Antenna: RP-SMA Connector
Works great out of the box including injection.

SMC SMCWPCI-G
• Chipset : Atheros
• Antenna Type : External SMA (detachable)
• Operating Range :
• Outdoors up to 1.312ft / 400m
• Indoors up to 328ft / 100m

Works great out of the box including injection

Mini PCI (Built in)


Broadcom BCM4306 802.11b/g (rev 3)
Environment                                                   Compatibility
Hardware ver              Software ver                        Internet  Monitor  Injection
Dell 1350 WLAN Mini-PCI   2.6.20-BT-PwnSauce-NOSMP bcm43xx    yes       yes      no
HP Pavilion ZV5330us      bcm43xx                             ?         ?        no
HP Pavilion zd8000        bcm43xx                             yes       yes      ?
Compaq Presario 2500      bcm43xx                             yes       yes      no

• Driver : bcm43xx
• Notebook HP NX6110 model PT601AA#AKD
• Notebook HP Pavilion ZV6170us (part of zv6000 series)
• Notebook Compaq Presario V2405CA Not sure what chipset it is but doesn't work with built in Broadcom B/G
• Notebook acer TravelMate 2413LMi Not sure what chipset it is but Packet injection does not work with built in Broadcom B/G

Broadcom BCM4318 802.11b/g
• Driver : bcm43xx
• Notebook Compaq v2312us - It will capture packets but does not inject.
• Notebook HP Pavilion dv5215us - Injection works! http://forums.remote-exploit.org/showthread.php?t=7190 First
place card in monitor mode (include channel of target AP):
• AirForce One 54g - Injection works but you need to have a recent version of aircrack-ng (it worked for me with the
0.9)
bt ~ # ifconfig eth0 up
bt ~ # iwconfig eth0 mode Monitor channel #

Use aireplay-ng attack 1 (fake authentication) and then attack 3 (ARP request replay attack). ~40,000 packets injected in
<5 minutes. -theprez98
• Notebook Acer 5000 - It will capture packets but does not inject.

IBM AR5212 802.11abg NIC (rev 01)


• Driver : Atheros

IPW2100
• Driver : IPW2100
• Special Notes: Will enter monitor mode, but cannot inject.
YES for IPW2200. Sorry, but it works with injection patch. I use ipw2200-1.2.1 and package of aircrack.0.90; need to compile and install. Kismet works fine but I prefer airodump-ng. Attack works under aireplay -2 -3 -4 -5 and -9, but not for -0 and -1.

IPW2200
• Driver : IPW2200 (With Injection Patches)
• Boots Live and installs on hard drive, detecting and installing the ipw2200 patched drivers perfectly (also on dual and multi-boot environments (MacOS, Vista, XP, BT)).
• About Injection, Void11 cannot be used to deauth stations. ONLY the "--interactive", "--arpreplay" and "--chopchop" options of Aireplay-ng work, due to an ipw2200 limitation. You must enable the rtap0 interface by executing the following commands to make injection possible before doing anything else:
- rmmod ipw2200
- modprobe ipw2200 rtap_iface=1
- ifconfig eth1 up
- ifconfig rtap0 up

• Injection has proven to be successful with the "-i rtap0 eth1" interface parameter at the end of your aireplay-ng --arpreplay command. This allows you to capture at the same time using the rtap0 interface with other programs.
Example of arp injection command:
- aireplay-ng --arpreplay -b 00:00:00:00:00:00 -h 11:11:11:11:11:11 -i rtap0 eth1

• GUI Wireless tools are at early development. Sometimes they don't work as expected and network parameters must be set in konsole. Things may appear to be failing when they are actually working:
- Wireless assistant may say "connection failed" but you are associated with the AP.
- Running Kismet a 2nd time does not work because the interface is set in monitor mode.
- Injection failing because deauth attack is not possible, but deauth is not the only method.

• You may run into apparent malfunctions when following tutorials step by step without ANY previous knowledge, especially those for WEP cracking because of its complexity. But the truth is that full functionality is found on this chipset except for a few injection attacks, which doesn't prevent you from auditing WEP and WPA wireless security. But to achieve this you have to learn and master some essential Linux connectivity tasks, and commands to set up network parameters using the console and troubleshoot results. You only have to check the manuals, learn and practice all possible options of the following 5 commands to be successful with this nice integrated ipw2200 chipset:
- ifconfig
- iwconfig
- iwlist
- modprobe
- ping

aireplay only thing not working


Will not inject even with the patch enabled.
Kismet & AirMon did not work for me.
Kismet did work for me.

Good tutorial for injection can be found here: http://tinyshell.be/aircrackng/forum/index.php?topic=1775.0


This tutorial worked out of the box for me, no driver patching required, however only aireplay-ng injection attacks -2, -3, and -4 work though.

Injection is working alright, but you can only inject data frames (arp injecting works, for example). That means deauth and
other attacks that may require management frames can't work. Bear in mind you must use rtap_iface=1 when loading the
module to use the rtap interface, through which you can sniff while you inject in the eth interface (you have to do it that
way or it won't work).
Be careful with the new 2.6 kernels, you may need to use irqpoll at boot to avoid an IRQ conflict on your computer - see IPW3945 below (in that case the conflicting device won't work at all so if it's just injection that fails, it's not an irqpoll problem).
We could not use any injection on this due to it using Centrino technology.

WN360G
• Driver : prism54/p54
• Use a PCI to MiniPCI adapter with it.
• FCC ID: QDWWN360G
• lspci output :
01:07.0 Network controller: Intersil Corporation ISL3890 [Prism GT/Prism Duette]/ISL3886 [Prism Javelin/Prism Xbow] (rev 01)

Mini PCIe (Built in)


• Gigabit Atheros card works, but you have to use 'airmon-ng start wifi0' to set it into monitor mode.
• Broadcom 4311-based Dell Wireless 1390 adapter is detected and works as mentioned below. Monitor mode works
but packet injection doesn't seem to be working.
Broadcom BCM4311 802.11b/g
• Driver : bcm43xx
• Driver : bcmwl5.sys
• Notebook HP nx6315
• Notebook HP nx7400
• Notebook Dell Inspiron 1501
• Notebook Dell Inspiron 1505\6400
• Notebook Dell Latitude d820
D820 is detected and works but the BCM4311 chip does not work with packet injection
• FCC ID: MXF-C941103G
• Notebook Dell d520
• Notebook Compaq/Dell V2000US is NOT working. Packets appear to send but after testing on a separate card I
was able to determine that NONE of the attack modes work properly.
Windows Drivers and Client Software: http://www.wireless-driver.com/download/broadcom/2007-6-26/Broadcom-4311-BCM4311KFBG-Driver_0.htm
PCI ID:
BCM43XG, PCI\VEN_14E4&DEV_4320&SUBSYS_00E70E11
BCM43XGT, PCI\VEN_14E4&DEV_4320&SUBSYS_12F4103C
BCM43XG1, PCI\VEN_14E4&DEV_4320&SUBSYS_12F8103C
BCM43XG2, PCI\VEN_14E4&DEV_4320&SUBSYS_12FA103C
BCM43XG3, PCI\VEN_14E4&DEV_4320&SUBSYS_12FB103C
BCM43XM1, PCI\VEN_14E4&DEV_4324&SUBSYS_12F9103C
BCM43XM2, PCI\VEN_14E4&DEV_4324&SUBSYS_12FC103C

BCM43XG1, PCI\VEN_14E4&DEV_4318&SUBSYS_1355103C
BCM43XG2, PCI\VEN_14E4&DEV_4318&SUBSYS_1356103C
BCM43XG3, PCI\VEN_14E4&DEV_4318&SUBSYS_1357103C
BCM43XM1, PCI\VEN_14E4&DEV_4319&SUBSYS_1358103C
BCM43XM2, PCI\VEN_14E4&DEV_4319&SUBSYS_1359103C
BCM43XM3, PCI\VEN_14E4&DEV_4319&SUBSYS_135A103C

BCM43XG11, PCI\VEN_14E4&DEV_4311&SUBSYS_1363103C
BCM43XG12, PCI\VEN_14E4&DEV_4311&SUBSYS_1364103C
BCM43XG13, PCI\VEN_14E4&DEV_4311&SUBSYS_1365103C
BCM43XM11, PCI\VEN_14E4&DEV_4312&SUBSYS_1360103C
BCM43XM12, PCI\VEN_14E4&DEV_4312&SUBSYS_1361103C
BCM43XM13, PCI\VEN_14E4&DEV_4312&SUBSYS_1362103C
BCM43XM14, PCI\VEN_14E4&DEV_4312&SUBSYS_135F103C

IPW3945
• Driver : IPW3945
• Special Notes : Enable the drivers via KDE menu or cd /usr/src/drivers/ipw3945-1.2.0/ && ./load
• Special Notes : Enters monitor mode, but cannot inject
• Special Notes : You may need to start the image with "bt irqpoll" Good way to tell: you see what looks like
function call backtraces on startup and the suggestion to run "bt irqpoll" scrolls by pretty fast. Check your dmesg
for more details if it scrolls too fast for you.

IPWRAW (IPW3945 Monitor + Inject)


• Driver : IPWRAW, A guide can be found [here]
• Or an easy to use lzm module can be found here [here]
• Note : This driver is not included in Backtrack2 by default.
• Special Notes : Locked in monitor mode and can be used in all aireplay-ng attacks.
• For Kismet, edit your Kismet.conf to "source=ipw3945,wifi0,Intel"
• Notice: After starting airodump-ng only run one command at a time. If you do not your system may hang or freeze.
ifconfig wifi0 down
#Change to AP BSSID
nano /sys/class/net/wifi0/device/bssid
# Channel of AP
nano /sys/class/net/wifi0/device/channel
# Change from 108 to 2
nano /sys/class/net/wifi0/device/rate
ifconfig wifi0 up
airodump-ng rtap0
#wifi0 is used for all other commands.

IPW4965/IWL4965 agn
• Monitor: yes, works natively on backtrack3
• Injection: no, work is being done on it.
To load the driver
modprobe iwl4965

Gigabyte GN-WS50G b/g


• Driver: Madwifi-ng
• Managed: yes
• Monitor: yes
• Injection: yes

PCMCIA Cards
3COM 3CRWE154G72 v1
• Driver : prism54/p54
• Chipset : Intersil PrismGT FullMAC
• Notice : other revisions of this card are not prismGT FullMAC

3COM 3CRPAG175B with XJACK Antenna


• Driver : Madwifi-ng
• Chipset : Atheros AR5212
• Notes : detected at boot time, injection works, everything goes like in aircrack-ng tutorials

Agere Systems ORiNOCO GOLD PC Card Classic


• Notes: see Enterasys Roamabout 802.11 DS High Rate

AirLink101 AWLC4130
• Driver : Madwifi-ng
• Chipset : Atheros
• Notes: Found at boot up. Forum users report 100% working, making this the cheapest working Atheros (and maybe
overall) card out there.

ASUS WL100G
• Driver : bcm43xx
• Chipset : Broadcom BCM43xx
• Notes: It is found at boot-up and is ready to go.

Belkin F5D6020 v3
• Driver : Realtek
• Chipset : rtl8180
• Notes: Requires terminal input of iwconfig and dhcpcd wlan0
• Notes: Full capability and injection

Belkin F5D7010 V1000


• Driver : bcm43xx
• Chipset : Broadcom BCM43xx
• Notes: Detected at boot-up and is ready to go. Didn't have an opportunity yet to test the packet injection so can't
report on that.

Belkin F5D7010 V3000UK


• Driver : RT61
• Chipset : Unknown will update later (SORRY)
• Notes : Detected at boot-up with final BT2 (ra0). I have not had any problem putting it in Monitor mode; unfortunately packet injection does not work.

Belkin F5D7010 V5000


• Driver : Atheros
• Chipset : Atheros
• Notes : Works great from what I could tell. Detected at boot-up with latest BT2. Packet injection appears to work.

Belkin F5D7010 V6000


• Driver : RT61
• Chipset : Ralink
• Notes: after untarring the files, go to the Module dir and run make clean, make debug and then make install, then modprobe rt61 debug=1

Belkin F5D7011
• Driver : bcm43xx
• Chipset : Broadcom 4306
• Notes: Picked up on boot and I can inject into my router without a problem.

Buffalo WLI-CB-G54HP
• Driver : bcm43xx/b43
• Chipset : Broadcom BCM4318
• Notes: It is found at boot-up and is ready to go. Packet injection works perfectly.
Use b43 driver and mac80211. bcm43xx will not show correct PWR levels in airodump-ng and may have issues with
injection if not at PPS (Packets Per Second)

Cisco AIR-LMC350
• Driver : airo_cs
• Chipset : Cisco Aironet
• Monitor mode HOWTO
• Special Notes : airodump-ng output on wifiX shows garbled output whilst ethX does not work. Kismet will work
with this card. More information: airo

Cisco AIR-PCM350-T
• Driver : airo_cs
• Chipset : Cisco Aironet
• Monitor mode HOWTO
• Special Notes : airodump-ng output on wifiX shows garbled output whilst ethX does not work. Kismet will work
with this card. More information: airo

Cisco Aironet AIR-CB21AG-A-K9


• Driver : Madwifi-ng
• Chipset : Atheros
• lspci : 03:00.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)

Dlink DWA-645
• Driver: Madwifi-ng/ath9k
• Chipset: Atheros AR5416 a/b/g/n
• External Antenna: None
• Internal Antenna: 3x Hirose u.fl
• H/W Rev A1 FCC ID: KA2DWA645A1 (PPD-AR5BCB-00071)
• H/W Rev B1 FCC ID (NOT SUPPORTED): KA2DWA645B1
• Comments: Works on BT4b under both madwifi-ng (without n-draft mode I think) and ath9k (but probably with no
injection)
Be aware of H/W Rev: B1 as this contains Marvell chipset which is most likely not supported at all.
External pictures of Rev A1: https://fjallfoss.fcc.gov/prod/oet/forms/blobs/retrieve.cgi?attachment_id=643507&native_or_pdf=pdf
External pictures of Rev B1: https://fjallfoss.fcc.gov/prod/oet/forms/blobs/retrieve.cgi?attachment_id=662985&native_or_pdf=pdf
External pictures courtesy of fcc website.

Dlink DWL-650+
• Driver : acx100
• Chipset : Texas Instruments ACX100
• Special Notes: Enable the drivers via KDE menu or cd /usr/src/drivers/acx100/ && insmod ./acx100.ko
Got an error and modified it a bit and it worked: cd /usr/src/drivers/acx100 && insmod ./acx.ko

Dlink DWL-G650
• Driver : Madwifi-ng
• Chipset : Atheros AR5212 a/b/g
• For Kismet, edit your kismet.conf file (/usr/local/etc/kismet.conf) to "source=madwifi_g,wifi0,Atheros"
• Notice: To set up into Monitor Mode type:
airmon-ng start wifi0
ifconfig ath1 up
iwconfig ath1 mode Monitor

Dlink DWL-G630, 650+/-


Refer to this site for information.

Dlink DWL-G650M
• Chipset: Atheros Communications, Inc. AR5005VL 802.11bg Wireless NIC (rev 01)
This chipset is not yet supported as it is a MIMO capable chip.

D-Link WNA-1330
• Driver : Madwifi-ng
• Chipset : Atheros
When the card is enabled and in monitor mode it can not change back to channel 1 via iwconfig commands.
iwconfig ath0 channel 1
Will not work. It will not COMPLAIN either. So unless you are actually double-checking the freq you are on, you don't
know that it's not working.
To get the card back on channel 1 for monitoring, you'll have to ifconfig ath0 down, iwconfig ath0 channel 1, and then
ifconfig ath0 up.[3]

Enterasys Roamabout 802.11 DS High Rate


• Driver : orinoco_cs, wvlan_cs, wavelan_cs
• Chipset : Hermes I
• Mode : 802.11b only (11Mbps)
• Driver capabilities : Connect + Monitor only
• Driver Source 1 : http://www.nongnu.org/orinoco/
• Driver Source 2 : http://www.projectiwear.org/~plasmahh/orinoco.html
• Driver Source 3 : http://secure.enterasys.com/software/RoamAbout/CSIxD/linux/
• Firmware supplied : Lucent/Agere 8.72
• Firmware downloads source 1 : http://orinoco.gotchi.at/
• Firmware downloads source 2 : http://www.andrewhakman.dhs.org/orinoco/files/
• More information: http://airsnort.shmoo.com/orinocoinfo.html
• firmware extract (download for 2.6.28 and above) howto: http://tuxsavvy.vox.com/library/post/computers-orinoco-hermes-firmware-extraction.html
• Notes :
The firmware supplied cannot be used to monitor as orinoco_cs notes the firmware as buggy. Downgrading the firmware may help. You will need to downgrade to 7.52 and apply the 3.2.1 patch.
http://gentoo-wiki.com/HOWTO_Orinoco_USB#Kismet Hermes I version for sniffing.
• Update:
Theoretically one is able to use airjack to make hermes do some mitm attack; however, that will require deeper analysis.

Gigabyte GN-WM01GT AirCruiserG Mach G


• Driver : madwifi-ng
• Chipset : Atheros
• 2.4Ghz 802.11b/g 108Mbps with internal antenna.
• Notice : Seems to work 100%. Interface is: ath0

Lucent Technologies Orinoco Silver


Works perfectly out of the box. However, this card doesn't support packet injection because it is Hermes I based. It is
perfect for wardriving and sniffing wireless networks though.
• Note: see section: Enterasys Roamabout 802.11 DS High Rate

Linksys WPC11v4
• Driver: rtl8180
• Chipset: rtl8180
• Notes: Requires terminal input of iwconfig and dhcpcd wlan0
• Notes: Full capability including injection

Linksys WPC54G v3
• Driver : bcm43xx/b43
• Chipset : Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller (rev 02)
• Subsystem: Linksys WPC54G-EU version 3 [Wireless-G Notebook Adapter]
Monitor mode currently supported but injection may or may not work with bcm43xx. Apparently a new driver is coming
out dubbed as b43 and is only available in either kernel >=2.6.24 and/or wireless-2.6 git. Injection will work after patching
b43 via mac80211 stack. bcm43xx driver will soon be deprecated and for this chipset it will not indicate PWR levels with
airodump-ng.

Motorola WN825G v2
• Driver : bcm43xx
• Chipset : Broadcom 4306
Card is recognized in response to "iwconfig" but LEDs do not illuminate until "ifconfig eth# up". Injection not tested but
should work similarly to other Broadcom cards. See here for Broadcom injection.

NetGear MA401
• Driver : HostAP
• Chipset : Prism 2
To inject packets you have to load the HostAP driver. [4].
BT3 Users read this.

NetGear WPN511
• Driver : Madwifi-ng
• Chipset : Atheros
• Comments: Monitor mode and packet injection supported. All current supported attack modes 0-5 tested and
working perfect.

NetGear WPN511 - Range Max


• Driver : Madwifi-ng
• Chipset : Atheros AR5212 a/b/g
• Internal Antenna: 2 x Hirose UF.L. One of them has connector the other does not have one soldered on.
• Comments: Monitor mode and packet injection supported. Also known as WPN511GE, exactly the same chipset.

NetGear WG511T
• Driver : Madwifi-ng
• Chipset : Atheros
• Notes: Works with Backtrack, (out of the box).
Supports all current Aireplay-NG attacks (-1,-2,-3,-4,-5)
If you can't get this card to run in Monitor mode try the following:
BT ~#airmon-ng stop ath0
BT ~#airmon-ng start wifi0
Then run iwconfig and check if ath0 is in Monitor mode. If it still isn't, try the following:
BT ~#ifconfig ath0 down
BT ~#airmon-ng start ath1
wifi0 should now parent ath1, and ath1 should be in Monitor mode. If it isn't, try:
BT ~#airmon-ng start wifi0

NetGear WAG511v2
• Driver : Madwifi-ng
• Chipset : Atheros

NetGear WG511 v1
• Driver : prism54/p54
• Chipset : Intersil PrismGT FullMAC
• Notice : See here for Netgear's ambiguous naming of models.
• lspci : 03:00.0 Network controller: Intersil Corporation ISL3890 [Prism GT/Prism Duette]/ISL3886 [Prism
Javelin/Prism Xbow] (rev 01)
Works great with Backtrack 2 Final, have cracked many WEP keys. Supports packet injection. These cards are extremely
rare but they sport 2x Hirose U.F.L connectors internally.

NetGear WG511 v2
• Driver : prism54/p54
• Chipset : Intersil PrismGT FullMAC
• Notice : See here for Netgear's ambiguous naming of models.
• lspci : 03:00.0 Network controller: Intersil Corporation ISL3890 [Prism GT/Prism Duette]/ISL3886 [Prism
Javelin/Prism Xbow] (rev 01)
Like its brother NetGear WG511 v1 this one also works well except it only has 1x Hirose U.F.L connector. See here for
information on external antenna hack.

NetGear WG511 v3
• Driver : p54
• Chipset : Conexant PrismGT SoftMAC
• Notice : See here for Netgear's ambiguous naming of models.
This card requires compat-wireless or a kernel build later than 2.6.24, mainly because it's a softMAC and it was not heavily supported until the release of p54. The p54 driver depends on mac80211 rather than ieee80211 (old and deprecated support for other softMAC based devices). Do not hold your breath for monitor/injection support either.

NetGear WG511v2
• Chipset : Marvell
• lspci : Marvell Technology Group Ltd. 88w8335 [Libertas] 802.11b/g Wireless (rev 03)
• lspci -n : 11ab:1faa (rev 03)
• FCC ID : PY3WG511V2H1
• CANADA ID : 4054A-WG511V21
• CE : 0470
There is no native Linux driver support for this chip. If you want to gain native Linux driver support, you should email Marvell directly.

Netgear WG511U
• Driver : Madwifi-ng
• Chipset: Atheros AR5212 a/b/g
• External Antenna: None
• Internal Antenna: 2 x Hirose UF.L. One of them has connector the other does not have one soldered on.

NetGear WPN511GR
• Driver : Madwifi-ng
• Chipset : Atheros

Netgear WPNT511
• Driver: N/A *Windows only: ndiswrapper*
• Chipset: Airgo AGN300 True MIMO
• External Antenna: None
• Comments: No linux drivers yet. Ndiswrapper may work for normal connection but nothing else.
• Update: Linux native (alpha stage) available: http://sourceforge.net/projects/agnx80211driver/. This requires kernel
version either 2.6.24 or wireless-git-2.6.24 package. Not recommended for beginners and not patched at all yet.

PROXIM ORiNOCO 802.11b/g Gold (Model: 8470-WD)


• Driver : Madwifi-ng
• Chipset : Atheros
• Notice : To set monitor mode type "airmon-ng start wifi0" and then use ath1
• If your card does not appear to be recognized when you first insert it, type "modprobe ath_pci" and then run
"dmesg" again.
• For Kismet, edit your Kismet.conf to "source=madwifi_g,wifi0,Atheros"
Windows Drivers and Client Software: http://support.proxim.com/cgi-bin/proxim.cfg/php/enduser/std_adp.php?p_faqid=1082
Linux Drivers: http://www.madwifi.org

Senao NL-2511CD/SL-2511CD PLUS EXT2


• Driver : HostAP (wlan-ng drivers have been removed from BT2 final. See here to use HostAP driver)
• Chipset : Prism 2.5
• Firmware : 1.74 is suggested, check [here] for instructions.
• FCC ID: NI3-2511CD-PLUS3
• For Kismet, edit your Kismet.conf to "source=hostap,Wlan0,Prism2"
• Notes: If you are using orinoco_cs drivers, you need to follow this as orinoco_cs is not recommended for this
device.
BackTrack3 Users should try this OR this if their card is not automatically detected under BT3 or no injection is
available.
• To raise the output of this card to 250mw Not verified
Caution! This might destroy your card if you do not know exactly what you're doing!
The change in readmif seems stable only in Master mode.
ifconfig wlan0 up
iwpriv wlan0 alc 0
iwpriv wlan0 readmif 116 [-> actual powertx value]
iwpriv wlan0 writemif 62 49 [-> I've no idea at all why "49"]
iwpriv wlan0 readmif 116 [-> now showing something around 252]

With a Spectran HF-2025E spectrum RF analyzer from elektrosmog.de


Here are the results: [5][6][7]
Force the card to give the maximum txpower.
iwpriv wlan0 alc 0
iwpriv wlan0 writemif 62 128

Force the card to give the somewhat minimum txpower.


iwpriv wlan0 writemif 62 127

Sitecom WL-100b
• Driver: bcm43xx
• Chipset: Broadcom 4306
• External Antenna: None
• Notes: Tested with BackTrack 3 beta released on 14th December 2007, 700MB CD version (bt3b141207.iso).
• Notes: Both monitor mode and packet injection work fine (with the following caveats below).
• Notes: The wireless interface is eth1, and it must be "brought up" before use. The command to do this is:
ifconfig eth1 up

You will now see the "Power" and "Link" lights have turned on, which indicates that the card is ready for use.
• Notes: When using the --arpreplay option of aireplay-ng, the default packet speed is too fast for the bcm43xx driver
to handle, so it keeps crashing every hundred packets or so. To fix this, add option: "-x 30" to the command line,
which will limit aireplay-ng to 30 packets per second. I've found that "30" is the highest value it can take without
crashing. This will slow things down quite a bit, but not too badly and at least it works.

SMC 2532W-B
• Driver : HostAP
• Chipset : prism2.5

SMC SMC2536W-AG
• Driver : Madwifi-ng
• Chipset : Atheros AR5212 a/b/g
• External Antenna : None

SMC WCB-G
• Driver : Madwifi-ng
• Chipset : Atheros

SWEEX LW051 ver:1.0


• Driver : Madwifi-ng
• Chipset : Atheros AR2413A
• Notes: It is found at boot-up and is ready to go, but BT2 says it is a AR5212 which seems to make no difference.
Packet injection works perfectly.

TP-link SuperG&eXtended Range 108M Wireless Cardbus Adapter(TL-WN610G)


• Drivers : MadWifi-ng
• Chipset : Atheros AR5212 802.11abg NIC (rev 01)
• [External Antenna Modification]

TP-link eXtended Range 54M Wireless Cardbus Adapter (TL-WN510G)


• Drivers : MadWifi-ng
• Chipset : Atheros AR5212 b/g

Ubiquiti SRC
• Driver : Madwifi-ng
• Chipset : Atheros AR5212 a/b/g
• FCC ID: SWX-SRC
• lspci : 03:00.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01)
Product Page

Wistron WLAN 802.11a/b/g Cardbus CB9-GP


• Driver : madwifi-ng
• Chipset : Atheros AR5212

X-Micro WLAN 11g PCMCIA Card (XWL-11GPAG)
• Driver : Madwifi-ng
• Chipset : Atheros

ZCom XI-325HP+
• Driver : HostAP
• Chipset : Prism 2.5

Zyxel ZyAIR G-100 PCMCIA Card (FCC ID:N89-WE601l)


• Driver : prism54/p54
• Chipset : Intersil PrismGT FullMAC

USB Dongles
Airlink101 AWLL3026
• Driver : zydas
• Chipset: zd1211rw
• Nice USB Dongle. Inexpensive (<$10). Easy to antenna mod. Full capability and injection

ALFA Networks AWUS036E


• Driver : rtl8187 (mac80211, kernel >=2.6.24)/r8187 (ieee80211, kernel <=2.6.24)
• Chipset : Realtek 8187L
• For Kismet, edit your Kismet.conf to "source=rt8180,wlan0,ALFA"
• Notes : You can turn this device to go ~300mW but do be warned that this may damage your device. Also WPA
under this mode is not supported.

ALFA Networks AWUS036H


• Driver : rtl8187 (mac80211, kernel >=2.6.24)/r8187 (ieee80211, kernel <=2.6.24)
• Chipset : Realtek 8187L
• For Kismet, edit your Kismet.conf to "source=rt8180,wlan0,ALFA"
This card works out of the box including injection with BackTrack3.
• Notes : There is a common misconception with regards to this device requiring two USB connectors. This device
does not exactly need both USB connectors plugged in for it to work. The only reason why it was provided with
two USB connectors is because of an instance whereby a person uses either an unpowered USB hub and/or the
output from the computer's USB port is inadequate (very rare case for computers to do that, most do power their
USB ports) and with other USB devices hooked onto either the unpowered USB hub or computer's USB ports there
may not be enough power for the USB network dongle to work. So having the second USB connector plugged in
gives the USB network dongle a slightly upper hand advantage in being provided with more power.

ALFA Networks AWUS036S


• Driver : rt73
• Chipset : Ralink RT73
This card works out of the box including injection with BackTrack3. You will need to ifconfig device up before you can
set monitor mode, etc.

ASUS WL-167G
• Driver : rt73 (older version rt2570)
• Chipset : rt2571WF (older version Ralink 2570)
Notice : Range is moderate but both monitor mode and injection work perfectly. Injects IV's at a very slow rate (about
300-500 IV's per minute), taking about 35 hours to collect 1,000,000 IV's.
Update : Injection is faster under bt4 beta (300-400pps). Just need to ifconfig wlan0 up to use it.

AVM Fritz!Wlan USB V1.1


• Driver : ndiswrapper
• Chipset : Texas Instrument TNetW1450
• Notice : NdisWrapper will never work with Aircrack-ng Suite
Notice : Works fine even with WPA/WPA2 encryption. Used ndiswrapper version 1.39 and the Windows drivers from the CD.

Belkin F5D7050 V1
• Driver : rt2570
• Chipset : rt2571F
Worked fine upon boot. My version 3 card did not go into monitor mode.
Later versions (don't know which ones) use the bcm43xx chipset from broadcom. 'modprobe bcm43xx' then 'ifconfig -a'
you will see your adapter as ethX
• It will not inject packets **

Belkin F5D7050 (4000 series)


• Driver : zd1211rw
• Chipset : zd1211b
Upon boot, works fine in monitor mode but doesn't inject packets. However, if you patch the kernel following the instructions at [8], packet injection works great. After patching, all of the various attacks (fragmentation, chopchop, arp replay, fakeauth) work fine with aircrack-ng.

Belkin F5D7050B
• Driver : rt73
• Chipset: Ralink 2570
Works fine on boot including packet injection.
• Notes: FCC ID k75-f5d7050b is reported to be unable to detect APs, possibly due to a different radio chip.

Belkin F5D7050E
• Driver : rtl8180 (mac80211 stack)
• Chipset: Realtek RTL8187B
• FCCID : K7SF5D7050E
You will need compat-wireless2.6 along with rtl8180 driver to get this working.

Belkin F5D7051
• Driver : rt73+rt2570/rndis_wlan (mac80211_stack)
• Chipset: rt2570/bcm4320
Belkin have apparently changed the chipset that they use in the USB adapters. They now use the bcm4320 chipset instead of
the rt2570. The bcm4320 drivers will only work with rndis_wlan, which requires mac80211. There will probably be no
support for rndis_wlan in terms of monitoring/injecting.
Owners of the older version of the hardware (with rt2570) are recommended to use serialmonkey's/ASPj's driver, which
should already be included in BackTrack.

Buffalo Airstation G54 WLI-U2-KG54-AI (2A)


• Driver : rt2570
• Chipset : Ralink 2570

Chiefmax
• Driver : RT73
• Chipset : rt2571WF

D-Link DWL 122 (USB) F/W 3.2.1 H/W A1


• Driver : wlan-ng
• Chipset : prism 2.5
• Notice : There are drivers for injection however they only work on 2.6.11 kernels or older.

D-Link DWL G122 (USB) F/W 2.03 B1


• Driver : rt2570
• Chipset : Ralink 2570
• lsusb : Bus 1 Device 3: ID 2001:3c00 D-Link Corp. [hex] DWL-G122 802.11g rev. B1 [ralink]
• Notice : rev. C1 uses [ralink] RT73
This dongle must be tweaked if you want to inject with it. Additionally, its coverage is very limited; a cantenna is
recommended!
Rev B1 users read here VERY IMPORTANT (credit goes to allelectrix from aircrack-ng forum)

D-Link WUA-1340
• Chipset: Ralink 2571 (RT73)
• Driver : rt73
• Chipset : Ralink
• Notice : Follow instructions for using driver with aircrack-ng: http://www.aircrack-ng.org/doku.php?id=rt73

Edimax EW-7317UG
• Driver: zd1211rw
• Chipset: zd1211
• Notice: After updating the aircrack suite to aircrack-ng 1.0 dev, monitor mode and packet injection are supported.

Edimax EW-7318USG
• Driver : rt73
• Chipset : Ralink
• Notice : Follow instructions for using driver with aircrack-ng: http://www.aircrack-ng.org/doku.php?id=rt73

Hawking HWUG1
• Driver: rt73
• Chipset: ralink
• Injection and monitor mode work fine, just have to "ifconfig rausb0 up" and it works

Hawking HWU8DD
• Driver: Rev. A: unknown Rev.B: zd1211rw
• Chipset: Rev. A: zd1211 (not supported) Rev. B: zd1211b (supported)
• lsusb: Rev. A: unknown Rev. B: 0ace:1215 ZyDAS WLA-54L WiFi
• Credits: Talkie Toaster/openxs
The only way to tell the difference between Rev. A and Rev. B is by the sticker on the actual device (on the bottom) or the
actual CD. Apart from that, the box/packaging for Rev. B would have a Vista-ready sticker.

Linksys WUSB54g v4
• Driver : rt2570
• Chipset : Ralink 2570
No problems with any injection (kismet, airodump...). Very good USB dongle.
Does not capture WPA/WPA2 handshake. Update driver to v.1.6.0
Extremely easy to antenna mod.
Linksys WUSB54g v4 users read here VERY IMPORTANT (credit goes to allelectrix from aircrack-ng forum)

Linksys WUSB54GC
• Driver : RT73
• Chipset : Ralink Technology, Corp. 802.11b/g WiFi
• Notice 1: The interface is named rausb0, not eth0 or ath0 etc.
• Notice 2: Built-in [BackTrack] Driver does not support fragmentation attack; however, the following driver does:
http://homepages.tu-darmstadt.de/~p_larbig/wlan/rt73-k2wrlz-2.0.1.tar.bz2
Needs activation before use
bt ~ # ifconfig rausb0 up
bt ~ # iwconfig rausb0 mode monitor

Everything works out of the BT3 box!

Linksys WUSB600N
• Driver : rt2870 (modified by hirte and nemesis)
• Chipset : Ralink rt2870 a/b/g/n
You will need kernel.lzm and to compile the included driver from the link above.

MicroEdge MEG55A Wireless-G USB Dongle
• Driver : rt2570
• Chipset : Ralink rt2570
• Notice : Works fine out of the box. airmon-ng start rausb0 kicked straight into monitor mode, successfully reinjects
packets while monitoring.

NetGear MA111
• Driver : wlan-ng (requires patched version which cannot be used on kernels > 2.6.20)
• Chipset : Intersil Prism 2.5
• FCC ID: PY3MA111 (links to M4Y-00735)
• lsusb: 0846:4110
This is a very old device that will never be supported for the time being. Users can read here

NetGear WG111v2
• Driver : rtl8187 (mac80211, kernel >=2.6.24)/r8187 (ieee80211, kernel <=2.6.24) // p54 (mac80211)
• Chipset : Realtek RTL-8187L // Intersil-Conexant GW3887
• FCC ID : PY305400026 // PY3WG111V2
Be careful: not all WG111v2 sticks have the Realtek chipset the v2 with the word netgear set into the stick. To verify the
differences, type `lsusb' when you have the device connected. Apparently, older versions of this card are equipped with
Conexant and the later versions with Realtek. There has been no easy way of identifying the difference between the
two apart from checking the FCC ID or plugging it in.
• USB ID: 0846:6a00 is Realtek RTL-8187L chipset
• USB ID: 0846:4240 is Intersil/Conexant GW3887 chipset
• RTL8187L users : Drivers are available on the forum however the range on this card in my opinion is poor.
• GW3887 users : Use p54usb driver. You will need firmware for this and the current status for monitoring/injection
is unknown.

NetGear WG111T
• Driver : ndiswrapper
• Chipset : Atheros AR2112A-00
• FCC ID: PY3WG111T
• Notice : NdisWrapper will never work with Aircrack-ng Suite
You can breathe life into your small USB-WG111T by doing the following steps:
1) Download and extract the driver (using wine?) from Netgear
As of 2008-03-29, driver 2.1 is here: http://kbserver.netgear.com/release_notes/d103172.asp
2) change to root shell 'sudo su -'
3) rmmod ndiswrapper
4) ndiswrapper -i netwg11t.inf
5) modprobe ndiswrapper
6) iwconfig

Netopia ter/gusb-e
• Driver : rt2570
• Chipset : Ralink Technology, Corp. 802.11g WiFi
• Notice : Works fine as far as I know

OvisLink Evo-w54usb
• Driver : rt2570
• Chipset : Ralink 2570
• Notice : injection works, just have to "ifconfig rausb0 up" before anything

Rosewill RNX-G1(W)
• Driver : rtl8187 (mac80211, kernel >=2.6.24)/r8187 (ieee80211, kernel <=2.6.24)
• Chipset : Realtek 8187L
• Notice : Works right out of the box on BT2 and BT3, enable monitor mode with airmon-ng.

SafeCom SWMULZ-5400
• Driver : zd1211rw
• Chipset : zd1211b
• Notice : Works with packet injection with new patch found in aircrack-ng 0.8

TP-Link TL-WN321G
• Driver : rt73
• Chipset : Ralink Technology, Corp. RT2501USB Wireless Adapter
• Notice : At first I plugged this in to my computer, and it didn't work. airodump-ng rausb0 showed no APs detected.
Updating to the latest driver made this work. Once I got this card working, it detected more AP's than my
WMP54G and my Netgear WG111v2, injected as well as either, but did not report Power properly.
Here are the steps to update the driver and make this card work:
Download the latest driver from http://homepages.tu-darmstadt.de/~p_larbig/wlan/
As of 2009-04-16, the latest driver is 3.0.2
http://homepages.tu-darmstadt.de/~p_larbig/wlan/rt73-k2wrlz-3.0.2.tar.bz2

ifconfig rausb0 down
airdriver-ng remove 31
tar xvjf rt73-k2wrlz-3.0.2.tar.bz2
cd rt73*/Module
make
make install
modprobe rt73
ifconfig rausb0 up

USB WiFi Booster Kit with 5dbi Indoor Dipole


• Driver: zd1211rw
• Chipset: zd1211b
• lsusb: 0ace:1215
• FCC ID: ???
Tested to work on bt2 and bt3. With bt2 there are issues with airodump-ng, as it sometimes outputs garbled letters in various
fields, notably in the ESSID section. In bt3 the issue is fixed but it drops the packets instead of properly processing
them, something to do with rate limiting.

ZyDAS 1211
• Driver : zd1211rw
• Chipset : ZyDAS Chipset
• Notice 1 (properly for BT2): For basic functionality, you need to get the firmware from [here], untar it to
/usr/lib/firmware/ - reinsert the card and the firmware should load OK. Addendum: I had to unzip to
/lib/firmware/zd1211, but after that it worked fine.
• Notice 2 (for BT3): Test with 1211b / Lutec USB Stick:
Works out of the box in monitoring mode, runs as eth1 (on my box, yours may differ). Injection is possible without any
driver or kernel modding, but ONLY with SpoonWEP's POS801 attack (didn't find the corresponding aireplay mode, aireplay
standalone DID NOT work!). Besides, for me WEP cracking only worked like this - but then without any problems:
a.) "airodump-ng eth1", get bssid, close it
b.) start SpoonWEP. It's only used for starting the correct aireplay mode.
c.) Select 2nd Attack Option (POS801..), this is the ONLY attack-mode which will work with 1211b!
d.) Close SpoonWEP's WS-Dump window, keep SpoonWEP's main window = aireplay thread running
e.) start airodump-ng again, dump data traffic now
f.) start aircrack-ng manually
g.) you are done!
for more help with the commands check: http://blip.tv/file/930698/
Conclusion: not perfect, but cheap USB-Dongle WEP-Cracking out of the box - without any patching - if you know what to
do.
-> *NOOB-Compatibility Award*
Still, a Realtek USB chipset is more recommended if you can find it; it can run SpoonWEP without any hacks.

SMCWUSB-G EU
• Appears to use a ZD1211 chipset.

MSI US54SE
Version 1
• Appears to use a ZD1211 chipset.
Version 2
• Uses rt73 chipset.
• Notice: This particular rt73 version is not supported yet.
Retrieved from "http://backtrack.offensive-security.com/index.php/HCL:Wireless"

• This page was last modified 09:03, 23 August 2009.


• This page has been accessed 1,256,194 times.