Introduction

My favorite Linux distribution for performing wireless assessments and penetration testing is BackTrack, due to all the work the Remote-Exploit team has put into supporting a large array of network cards and making sure they are properly patched for injection. One such driver is the MadWifi-ng driver used for Atheros chipset cards, which are a favorite of pentesters and researchers due to their stability. Sadly, on the latest version of BackTrack 4 Beta the driver is not patched with the Digininja Karma patch written by Robin Wood. This is one of the functionalities that two of my scripts (mitmap.sh and kmsap.sh) depend on; the ability it adds to whitelist or blacklist SSIDs and MAC addresses on the fly with the iwpriv command is also what makes it second to none. This guide covers the patching and installation of the madwifi-ng drivers with the Digininja patch.

Download and Patch

Robin Wood was kind enough to give me a patch for the latest madwifi-hal svn tree, and I will cover the download and installation of this version of the madwifi drivers due to its exceptional hardware support for Atheros chipset cards. The commands are as follows:

svn co http://svn.madwifi-project.org/madwifi/branches/madwifi-hal-0.10.5.6/
cd madwifi-hal-0.10.5.6/
wget http://patches.aircrack-ng.org/madwifi-ng-r3925.patch
wget http://www.darkoperator.com/tools-and-scripts/madwifi-hal-digininja-karma-updated_1.patch
patch -N -p 0 -i madwifi-ng-r3925.patch
patch -N -p 0 -i madwifi-hal-digininja-karma-updated_1.patch
make
./scripts/madwifi-unload
make
make install
depmod -ae
modprobe ath_pci

Once we are finished we should have the driver patched and installed.

Testing the Karma Functionality

To make sure we have the correct driver loaded and the karma functionality enabled, we check with the iwpriv command in the following manner:

root@bt:~# iwpriv ath0 | grep karma
clrkarmalist (0068) : set 1 int & get 0
addkarmassid (8BFF) : set 32 char & get 0
karma_bw (0066) : set 1 int & get 0
get_karma_bw (0066) : set 0 & get 1 int
karma (0065) : set 1 int & get 0
get_karma (0065) : set 0 & get 1 int

As can be seen, the karma commands are available. To set up the interface for a karma attack we must make it act as an AP; with the karma functionality enabled it will then respond to all probe requests. This is achieved with the following commands:

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode ap
iwpriv ath0 karma 1
iwconfig ath0 ssid "Free Wifi"
iwconfig ath0 mode master
ifconfig ath0 up

The card will initially broadcast the ESSID "Free Wifi", and as it hears probe requests for other ESSIDs being broadcast it will respond to them and broadcast that ESSID as if it were the AP that uses it. Now that the interface is up we can perform attacks based on this, such as Karmetasploit, Man-In-The-Middle, and acting as a fake AP. To conduct any of these attacks, before bringing the interface up we would configure the interface with an IP address and probably set up a malicious DHCP server with a special configuration to redirect our traffic, as well as DNS spoofing. The options are many. It is very important to save the patched source code, since one may inadvertently replace the drivers. For more information on using the karma functionality and its commands, please read my blog post on the patch from Robin Wood.
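The behaviour described above, a single BSSID answering probe requests for whatever ESSID it hears, is also what gives a karma AP away to a wireless IDS. The following is an added example that is not part of the original post or of the madwifi/Digininja code: it parses a constructed log of probe responses (one line per response, in an assumed "timestamp bssid \"ssid\"" format) and flags any BSSID that has responded with an unusually large number of distinct SSIDs.

```python
import re
from collections import defaultdict

# Constructed sample of probe-response records (not a real capture).
# Assumed format per line: <timestamp> <bssid> "<ssid>"
SAMPLE_LOG = """\
12:00:01 00:11:22:33:44:55 "Free Wifi"
12:00:02 00:11:22:33:44:55 "HomeNet"
12:00:02 66:77:88:99:aa:bb "CorpGuest"
12:00:03 00:11:22:33:44:55 "CoffeeShop"
12:00:04 00:11:22:33:44:55 "Airport-WiFi"
12:00:05 66:77:88:99:aa:bb "CorpGuest"
12:00:06 00:11:22:33:44:55 "HotelWifi"
this line is malformed and is skipped
"""

LINE_RE = re.compile(r'^(\S+)\s+([0-9A-Fa-f:]{17})\s+"(.*)"$')


def parse_responses(text):
    """Return a list of (bssid, ssid) tuples; malformed lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise the BSSID so differing letter case does not split one AP into two.
            records.append((m.group(2).lower(), m.group(3)))
    return records


def ssids_per_bssid(records):
    """Map each BSSID to the set of SSIDs it has responded with."""
    seen = defaultdict(set)
    for bssid, ssid in records:
        seen[bssid].add(ssid)
    return seen


def find_karma_suspects(records, threshold=3):
    """Return {bssid: [ssids]} for BSSIDs answering with at least `threshold` distinct SSIDs.

    A normal AP answers probes only for the network(s) it actually serves, so one
    BSSID responding with many unrelated SSIDs is the signature of karma-style behaviour.
    """
    return {
        bssid: sorted(ssids)
        for bssid, ssids in ssids_per_bssid(records).items()
        if len(ssids) >= threshold
    }


if __name__ == "__main__":
    for bssid, ssids in find_karma_suspects(parse_responses(SAMPLE_LOG)).items():
        print(f"suspect {bssid}: responded with {len(ssids)} SSIDs: {', '.join(ssids)}")
```

The threshold is the only tuning knob: enterprise APs usually advertise each virtual SSID from its own BSSID, so a low threshold is reasonable, but on networks where one BSSID legitimately serves several SSIDs it should be raised or those BSSIDs allow-listed.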