From owner-freebsd-wireless@FreeBSD.ORG Mon Feb 6 19:57:36 2012
Date: Mon, 6 Feb 2012 19:57:35 +0000
From: Merlin Corey
To: Bernhard Schmidt
Cc: freebsd-wireless@freebsd.org, rpaulo@freebsd.org
In-Reply-To: <201202061835.43116.bschmidt@freebsd.org>
References: <201202061835.43116.bschmidt@freebsd.org>
Subject: Re: FreeBSD 9.0 ath driver injection with aireplay_ng returns input/output error in AHDemo and Monitor mode
List-Id: "Discussions of 802.11 stack, tools device driver development."
Hello,

On Mon, Feb 6, 2012 at 5:35 PM, Bernhard Schmidt wrote:
> On Monday 06 February 2012 15:32:42 Merlin Corey wrote:
>> Hello,
>>
>> Like someone a year before me, from a thread two years before me (
>> http://forums.freebsd.org/showthread.php?t=10042 ), I am interested in
>> making my (pun intended) penultimate pen-testing netbook on my
>> favorite operating system, FreeBSD; alas, I am not able to make use of
>> the atheros card in said netbook for the purposes of injection.
>>
>> It is perhaps worth noting that I started this project on FreeBSD
>> 8.x, but my card (AR9285 card=0x10891a3b chip=0x002b168c rev=0x01 hdr=0x00)
>> was only working at what seemed half power and would constantly
>> take itself up/down.  I have since updated the system to 9.0-RELEASE
>> and experienced what appeared to be fully functioning wireless until
>> now.
>>
>> In the thread linked above, there is a mention of a kernel patch which
>> allows writing in monitor mode - I desperately applied this patch
>> after finding that the instructions to patch aircrack itself seem to
>> have already been applied either in ports or upstream.
>>
>> Now, I can run airodump just fine, but when I try to do an injection test
>> with aireplay in either ahdemo or monitor mode, I simply end up with a
>> bunch of "wi_write(): Input/output error" messages.
>>
>> I am not really sure how to proceed in further debugging this issue;
>> should I turn wlandebug on, and if so, which bit is best, or should I
>> just throw them all?  Perhaps something else entirely?
>>
>> Is this maybe a problem with my card itself?
>>
>> Any push in the right direction would be greatly appreciated.
>
> Can you set a channel and ssid before starting any kind of injection?
> Something like
> ifconfig wlan0 create wlandev ath0 wlanmode ahdemo
> ifconfig wlan0 channel 1 ssid foobar up
>
> If I remember correctly, the interface will otherwise scan indefinitely
> trying to find an open network to connect to. Setting a channel/ssid will
> ensure that the interface moves into RUN state (you can verify that with
> wlandebug +state) which should allow injection. Trying to do so while in
> e.g. SCAN state is really too racy due to all the channel changes going on.
>
> Basically, injection is a real mess currently and neither monitor nor
> ahdemo mode are really that well suited for that purpose. Monitor mode is
> designed to be totally mute while ahdemo is adhoc mode without mgmt frames
> but a lot of unnecessary logic behind it. Guess we should really think
> about a new mode specially designed to handle those needs, or re-enable
> injection in monitor mode which would break its initial purpose.. thoughts?
>
> --
> Bernhard

As per the directions given to me by Bernhard, I have tested ahdemo and
monitor mode injection with wlandebug +states. In short, it seems that
indeed ahdemo mode complains about moving from INIT to RUN state
unexpectedly, and monitor mode goes back to SCAN state, making it not very
useful for this purpose given the stated issues with SCAN state.

First, the general output of aireplay-ng -9:

wi_write(): Input/output error
... repeat last message 28 times ...
wi_write(): Input/output error
wi_write(): Input/output error
19:34:43  0/30:   0%

Finally, below my signature, I have included the /var/log/messages output,
annotated with comments indicating which shell commands were being run
before the messages were output, in the form of comments with three
hashmarks.

Thanks,
Merlin

Addendum
--------

$ sudo tail -f /var/log/messages
Feb 6 19:25:35 frakir kernel: Root mount waiting for: usbus4
Feb 6 19:25:35 frakir kernel: ugen4.2: at usbus4
Feb 6 19:25:35 frakir kernel: Trying to mount root from zfs:rpool/r/freebsd []...
Feb 6 19:25:35 frakir kernel: WARNING: TMPFS is considered to be a highly experimental feature in FreeBSD.
Feb 6 19:25:37 frakir dbus[1626]: [system] Activating service name='org.freedesktop.ConsoleKit' (using servicehelper)
Feb 6 19:25:37 frakir dbus[1626]: [system] Activating service name='org.freedesktop.PolicyKit1' (using servicehelper)
Feb 6 19:25:38 frakir dbus[1626]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Feb 6 19:25:38 frakir dbus[1626]: [system] Successfully activated service 'org.freedesktop.ConsoleKit'
Feb 6 19:28:07 frakir sudo: merlin : TTY=pts/1 ; PWD=/usr/home/merlin ; USER=root ; COMMAND=/usr/local/bin/zsh
Feb 6 19:28:14 frakir sudo: merlin : TTY=pts/2 ; PWD=/usr/home/merlin ; USER=root ; COMMAND=/usr/bin/tail -f /var/log/messages
### ifconfig wlan0 create wlandev ath0 wlanmode ahdemo
Feb 6 19:29:11 frakir kernel: wlan0: Ethernet address: 74:2f:68:8e:4f:2d
### airodump-ng wlan0
Feb 6 19:29:38 frakir kernel: wlan0: permanently promiscuous mode enabled
Feb 6 19:29:38 frakir kernel: wlan0: start running, 0 vaps running
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_start_locked: up parent ath0
Feb 6 19:29:38 frakir kernel: wlan0: start running, 1 vaps running
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_new_state_locked: INIT -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> INIT arg 0
Feb 6 19:29:38 frakir kernel: wlan0: adhoc_newstate: INIT -> INIT (0)
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> SCAN arg 0
Feb 6 19:29:38 frakir kernel: wlan0: adhoc_newstate: INIT -> SCAN (0)
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:29:43 frakir last message repeated 22 times
Feb 6 19:29:43 frakir kernel: wlan0: ieee80211_newstate_cb: SCAN -> SCAN arg 0
Feb 6 19:29:43 frakir kernel: wlan0: adhoc_newstate: SCAN -> SCAN (0)
Feb 6 19:29:44 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:29:49 frakir last message repeated 21 times
Feb 6 19:29:49 frakir kernel: wlan0: ieee80211_newstate_cb: SCAN -> SCAN arg 0
Feb 6 19:29:49 frakir kernel: wlan0: adhoc_newstate: SCAN -> SCAN (0)
Feb 6 19:29:49 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:29:51 frakir last message repeated 6 times
Feb 6 19:29:54 frakir kernel: wlan0: ieee80211_newstate_cb: SCAN -> SCAN arg 0
Feb 6 19:29:54 frakir kernel: wlan0: adhoc_newstate: SCAN -> SCAN (0)
### ifconfig wlan0 ssid bssid channel up
Feb 6 19:30:32 frakir kernel: wlan0: ieee80211_init
Feb 6 19:30:32 frakir kernel: wlan0: start running, 1 vaps running
Feb 6 19:30:32 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:30:32 frakir kernel: wlan0: ieee80211_init
Feb 6 19:30:32 frakir kernel: wlan0: start running, 1 vaps running
Feb 6 19:30:32 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:30:32 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:30:33 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:30:33 frakir kernel: wlan0: ieee80211_newstate_cb: SCAN -> INIT arg -1
Feb 6 19:30:33 frakir kernel: wlan0: adhoc_newstate: SCAN -> INIT (-1)
Feb 6 19:30:33 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> RUN arg -1
Feb 6 19:30:33 frakir kernel: wlan0: adhoc_newstate: INIT -> RUN (-1)
Feb 6 19:30:33 frakir kernel: wlan0: adhoc_newstate: unexpected state transition INIT -> RUN
### aireplay-ng -9 wlan0 -e ssid -a bssid
Feb 6 19:32:23 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:32:23 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> SCAN arg 0
Feb 6 19:32:23 frakir kernel: wlan0: adhoc_newstate: RUN -> SCAN (0)
Feb 6 19:32:23 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:32:26 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:32:26 frakir kernel: wlan0: ieee80211_newstate_cb: SCAN -> RUN arg -1
Feb 6 19:32:26 frakir kernel: wlan0: adhoc_newstate: SCAN -> RUN (-1)
Feb 6 19:32:34 frakir kernel: ath0: bb hang detected (0x1)
### ifconfig wlan0 destroy && ifconfig wlan0 create wlandev ath0 wlanmode monitor
Feb 6 19:32:48 frakir kernel: wlan0: ieee80211_vap_detach: AHDEMO parent ath0
Feb 6 19:32:48 frakir kernel: wlan0: stop running, 1 vaps running
Feb 6 19:32:48 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> INIT (nrunning 0 nscanning 0)
Feb 6 19:32:48 frakir kernel: wlan0: down parent ath0
Feb 6 19:32:48 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> INIT arg -1
Feb 6 19:32:48 frakir kernel: wlan0: adhoc_newstate: RUN -> INIT (-1)
Feb 6 19:46:01 frakir kernel: wlan0: Ethernet address: 74:2f:68:8e:4f:2d
### airodump-ng wlan0
Feb 6 19:46:36 frakir kernel: wlan0: permanently promiscuous mode enabled
Feb 6 19:46:36 frakir kernel: wlan0: start running, 0 vaps running
Feb 6 19:46:36 frakir kernel: wlan0: ieee80211_start_locked: up parent ath0
Feb 6 19:46:36 frakir kernel: wlan0: start running, 1 vaps running
Feb 6 19:46:36 frakir kernel: wlan0: ieee80211_new_state_locked: INIT -> RUN (nrunning 0 nscanning 0)
Feb 6 19:46:36 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> INIT arg -1
Feb 6 19:46:36 frakir kernel: wlan0: monitor_newstate: INIT -> INIT (-1)
Feb 6 19:46:36 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> RUN arg -1
Feb 6 19:46:36 frakir kernel: wlan0: monitor_newstate: INIT -> RUN (-1)
Feb 6 19:46:36 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:46:36 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> RUN arg -1
Feb 6 19:46:36 frakir kernel: wlan0: monitor_newstate: RUN -> RUN (-1)
### ifconfig wlan0 ssid bssid channel up
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_init
Feb 6 19:47:13 frakir kernel: wlan0: start running, 1 vaps running
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> INIT arg -1
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_init
Feb 6 19:47:13 frakir kernel: wlan0: monitor_newstate: RUN -> INIT (-1)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> RUN arg -1
Feb 6 19:47:13 frakir kernel: wlan0: monitor_newstate: INIT -> RUN (-1)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:47:13 frakir kernel: wlan0: start running, 1 vaps running
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> INIT arg -1
Feb 6 19:47:13 frakir kernel: wlan0: monitor_newstate: RUN -> INIT (-1)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_newstate_cb: INIT -> RUN arg -1
Feb 6 19:47:13 frakir kernel: wlan0: monitor_newstate: INIT -> RUN (-1)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:47:13 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> RUN arg -1
Feb 6 19:47:13 frakir kernel: wlan0: monitor_newstate: RUN -> RUN (-1)
### aireplay_ng -9 wlan0 -e ssid -a bssid
Feb 6 19:47:38 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:47:38 frakir kernel: wlan0: ieee80211_newstate_cb: RUN -> SCAN arg 0
Feb 6 19:47:38 frakir kernel: wlan0: monitor_newstate: RUN -> SCAN (0)
Feb 6 19:47:38 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:47:38 frakir kernel: wlan0: ieee80211_newstate_cb: SCAN -> SCAN arg 0
Feb 6 19:47:38 frakir kernel: wlan0: monitor_newstate: SCAN -> SCAN (0)
Feb 6 19:47:42 frakir kernel: ath0: bb hang detected (0x1)
^C%
------ End Addendum
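An added example, not part of this mail or of the FreeBSD tree: a small Python parser for the annotated wlandebug +state output above. It reports, per "###" shell command, which net80211 state wlan0 was in when the command ran and where the command left it, so the condition Bernhard describes (the VAP must be in RUN, not SCAN, before anything is injected) can be checked mechanically instead of by eye. The SAMPLE_LOG lines are constructed to mirror the shape of the excerpt above; the "left RUN for SCAN" and "bb hang" anomaly labels are this example's own.

```python
import re

# Constructed sample in the shape of the annotated /var/log/messages excerpt
# above: "### cmd" marks the shell command issued before the following lines.
SAMPLE_LOG = """\
### ifconfig wlan0 create wlandev ath0 wlanmode ahdemo
### airodump-ng wlan0
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_new_state_locked: INIT -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:29:38 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> SCAN (nrunning 0 nscanning 0)
### ifconfig wlan0 ssid bssid channel up
Feb 6 19:30:33 frakir kernel: wlan0: ieee80211_new_state_locked: SCAN -> RUN (nrunning 0 nscanning 0)
Feb 6 19:30:33 frakir kernel: wlan0: adhoc_newstate: unexpected state transition INIT -> RUN
### aireplay-ng -9 wlan0 -e ssid -a bssid
Feb 6 19:32:23 frakir kernel: wlan0: ieee80211_new_state_locked: RUN -> SCAN (nrunning 0 nscanning 0)
Feb 6 19:32:34 frakir kernel: ath0: bb hang detected (0x1)
"""

# Line shapes from the net80211 state-machine trace that wlandebug +state emits.
TRANSITION = re.compile(r"kernel: \w+: ieee80211_new_state_locked: (\w+) -> (\w+)")
UNEXPECTED = re.compile(r"kernel: \w+: \w+_newstate: unexpected state transition")
HANG = re.compile(r"kernel: \w+: bb hang detected")


def summarize(log_text):
    """One record per '### command' block: the VAP state when the command was
    issued, the state it left the VAP in, and any anomalies seen meanwhile."""
    records, cur, state = [], None, "INIT"  # a freshly created VAP starts in INIT
    for line in log_text.splitlines():
        if line.startswith("### "):
            cur = {"cmd": line[4:], "before": state, "after": state, "anomalies": []}
            records.append(cur)
            continue
        if cur is None:
            continue  # boot noise before the first annotated command
        m = TRANSITION.search(line)
        if m:
            state = cur["after"] = m.group(2)
            if m.group(1) == "RUN" and state == "SCAN":
                cur["anomalies"].append("left RUN for SCAN")
        elif UNEXPECTED.search(line):
            cur["anomalies"].append("unexpected state transition")
        elif HANG.search(line):
            cur["anomalies"].append("bb hang detected")
    return records


def injection_ready(records, tool="aireplay"):
    """True only if every injection attempt was issued with the VAP in RUN and
    the VAP stayed there cleanly, the condition Bernhard's reply describes."""
    attempts = [r for r in records if tool in r["cmd"]]
    return bool(attempts) and all(
        r["before"] == "RUN" and r["after"] == "RUN" and not r["anomalies"]
        for r in attempts)
```

Run it over the real addendum (`summarize(open("/var/log/messages").read())`) after adding the "###" markers and the same four blocks show up: the ahdemo VAP reaches RUN only via the flagged unexpected INIT -> RUN hop, and both injection attempts drop back to SCAN, so injection_ready() is False for this log.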