Wednesday, January 24, 2018

How to Find Wi-Fi Passwords with Your Android Phone and Get Free Internet!

Find Wi-Fi Passwords
A group of researchers came up with a way to get around the firmware limitations of a common Wi-Fi chipset and add monitor mode to Android devices, the first step toward capturing Wi-Fi traffic and cracking weak Wi-Fi keys from a phone.

Monitor mode lets the Wi-Fi interface capture every 802.11 frame on a channel, not just the frames addressed to the device, so you can see which access points and clients are on the air and how many devices are connected to each network. It can also be used for more nefarious purposes: if you are patient enough, you can crack the WEP key of a network by capturing enough of its data packets in monitor mode. Note that monitor mode alone does not break WPA/WPA2; capturing a handshake only gives you something to run a dictionary attack against.

To add monitor mode to an Android device, the researchers reverse engineered the firmware of the Broadcom Wi-Fi chip. They patched the firmware of the chipsets used in the Nexus One (bcm4329) and the Galaxy S II (bcm4330), which at the time were common in Android phones. The code is posted on Google Code, but you will need to know which chipset your phone has and download the bundle that matches it.

Once you have downloaded the bundle, it is as simple as extracting the .zip file and running the setup script from a shell on the phone. They have included instructions for each chipset and a few different devices on their blog, so head over there for the specifics for your device.

Technical details

You might ask yourself why monitor mode is so common among laptop and USB Wi-Fi modules, and why there was not a single implementation of monitor mode for Android devices.
The short answer is that most common smartphones use the same chipsets made by Broadcom, the bcm4329 or bcm4330, and Broadcom never added support for monitor mode.
The reason those chips are so common in smartphones is that they combine every short-range radio those devices need (Wi-Fi, Bluetooth, FM) and, more importantly, they offload most of the protocol overhead to a dedicated processor on the chip and communicate with the Linux host using plain Ethernet frames.

Project Overview

The mission: understand how this device works.
First we compiled the driver in debug mode and noticed that the module strips the 802.11 headers on the chip and delivers only Ethernet frames to the Linux host.
We concluded that in order to receive full 802.11 frames, a change to the device firmware was needed.
So we started reverse engineering the firmware, and after a few weeks we had a decent understanding of the packet-receive path.
** More details on the reversing process will be released soon.
With this knowledge it took us only a few more days to get a first working version of the monitor-mode-enabled firmware.
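To make concrete what the firmware does on the chip, here is an added example in Python (not part of the original page or of the bcmon project): it parses a raw 802.11 MAC header, rebuilds the Ethernet frame that a plain data frame collapses to, and shows that a beacon has no Ethernet form at all, which is why the host never sees beacons, probe requests or other management frames until the firmware is changed to pass raw 802.11 frames through. The frames, MAC addresses and SSID are constructed for the example, not captured traffic, and the trailing frame check sequence is omitted.

```python
"""Minimal 802.11 -> Ethernet conversion, illustrating what the Wi-Fi chip's
firmware does before handing frames to the host (and what monitor mode bypasses).
Added example; the frames below are constructed, not captured."""
import struct

FC_TYPE_MGMT, FC_TYPE_CTRL, FC_TYPE_DATA = 0, 1, 2
SUBTYPE_BEACON = 8
LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP header that precedes the EtherType


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame):
    """Parse the 802.11 MAC header that raw frames carry and Ethernet frames lack."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the minimal 24-byte 802.11 header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3          # bits 2-3: management / control / data
    subtype = (fc0 >> 4) & 0xF        # bits 4-7: beacon, QoS data, null, ...
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    hdr_len = 24
    addr4 = None
    if to_ds and from_ds:             # WDS frames carry a fourth address
        addr4 = frame[24:30]
        hdr_len = 30
    if ftype == FC_TYPE_DATA and subtype & 0x08:   # QoS data: 2-byte QoS control field
        hdr_len += 2
    if len(frame) < hdr_len:
        raise ValueError("truncated 802.11 header")
    return {
        "type": ftype, "subtype": subtype,
        "to_ds": to_ds, "from_ds": from_ds,
        "protected": bool(fc1 & 0x40),            # WEP/WPA encrypted body
        "addr1": frame[4:10], "addr2": frame[10:16], "addr3": frame[16:22],
        "addr4": addr4,
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "body": frame[hdr_len:],
    }


def to_ethernet(frame):
    """Rebuild the Ethernet frame the firmware would deliver to the host, or
    return None when the 802.11 frame has no Ethernet form (management, control,
    null-data, encrypted or non-SNAP frames)."""
    p = parse_80211(frame)
    if p["type"] != FC_TYPE_DATA or p["protected"] or p["subtype"] & 0x04:
        return None
    # DA/SA live in different address slots depending on the ToDS/FromDS bits.
    if p["to_ds"] and p["from_ds"]:
        da, sa = p["addr3"], p["addr4"]
    elif p["to_ds"]:
        da, sa = p["addr3"], p["addr2"]
    elif p["from_ds"]:
        da, sa = p["addr1"], p["addr3"]
    else:
        da, sa = p["addr1"], p["addr2"]
    body = p["body"]
    if len(body) < 8 or not body.startswith(LLC_SNAP):
        return None
    return da + sa + body[6:8] + body[8:]      # dst, src, EtherType, payload


def beacon_ssid(frame):
    """Extract the SSID from a beacon: information only monitor mode exposes."""
    p = parse_80211(frame)
    if p["type"] != FC_TYPE_MGMT or p["subtype"] != SUBTYPE_BEACON:
        return None
    ies = p["body"][12:]            # skip timestamp(8), beacon interval(2), capability(2)
    while len(ies) >= 2:            # walk the tagged information elements
        eid, elen = ies[0], ies[1]
        if eid == 0:                # element ID 0 is the SSID
            return ies[2:2 + elen].decode("utf-8", "replace")
        ies = ies[2 + elen:]
    return None


# Constructed sample addresses and frames (hypothetical, not captured traffic).
STA = bytes.fromhex("001122334455")
AP = bytes.fromhex("aabbccddeeff")
HOST = bytes.fromhex("102030405060")
# Data frame from the AP (FromDS=1): addr1=DA, addr2=BSSID, addr3=SA, IPv4 EtherType.
DATA_FRAME = (bytes([0x08, 0x02]) + struct.pack("<H", 0x2C) + STA + AP + HOST
              + struct.pack("<H", 0x10 << 4)
              + LLC_SNAP + b"\x08\x00" + b"constructed-ip-payload")
# Beacon: addr1=broadcast, addr2=addr3=BSSID, fixed fields, then the SSID element.
BEACON_FRAME = (bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"
                + b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)
                + bytes([0, 7]) + b"TestNet")

if __name__ == "__main__":
    eth = to_ethernet(DATA_FRAME)
    print("ethernet dst", mac_str(eth[:6]), "src", mac_str(eth[6:12]),
          "type", eth[12:14].hex())
    print("beacon has no Ethernet form:", to_ethernet(BEACON_FRAME))
    print("beacon SSID:", beacon_ssid(BEACON_FRAME))
```

The point of the two cases: the data frame survives the trip to the host (with the BSSID and sequence number thrown away), while the beacon, which carries the SSID and BSSID that tools like airodump-ng display, is dropped entirely. Real captures also end each frame with a 4-byte FCS and may be wrapped in a radiotap header; both are left out here.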

Current Status

We currently have a patched firmware for the following chipsets:
bcm4329 - fully working monitor mode on our Nexus One
bcm4330 - fully working monitor mode on our Galaxy S II
We haven't tested it yet, but if you have a phone with one of those chipsets (and you most probably do), it should also work on your phone.
Further work
Add packet injection support to the patched firmware
Better implementation of the linux driver
Create an APK bundle for "mass distribution"

Instructions

All the changes are volatile and disappear after a device reboot.
Nevertheless, please note that this code is experimental and you use it at your own risk; we are not responsible nor liable for any damage or loss of data. Sometimes unexpected things go wrong and you might end up with a device that no longer works. Be warned and take the responsibility yourself: it is your own risk and no one else can be held responsible.

Cyanogen 7 & Nexus one

Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/nexus_bundle.zip
Extract the zip on your device (your sdcard will do fine)
Run 'sh setup.sh' in a shell on the phone (adb shell, a terminal emulator app, ...)
Now you have a Wi-Fi interface named eth0 in monitor mode
Now run 'iwconfig eth0' and check that you get output similar to the following, in particular Mode:Monitor:

eth0      IEEE 802.11-DS  ESSID:""  Nickname:""
          Mode:Monitor  Frequency:2.412 GHz  Access Point: Not-Associated
          Bit Rate:72 Mb/s   Tx-Power:32 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Managementmode:All packets received
          Link Quality=5/5  Signal level=0 dBm  Noise level=-92 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Cyanogen 9 & GS2 (I9100)

Download the zip: http://bcmon.googlecode.com/svn/trunk/bundles/gs2_bundle.zip
Extract the zip on your device (your sdcard will do fine)
Run 'sh setup.sh' in a shell on the phone (adb shell, a terminal emulator app, ...)
Now you have a Wi-Fi interface named wlan0 in monitor mode
Now run 'iwconfig wlan0' and check that you get output similar to the one above
GS2 update: iwconfig wlan0 will show 'Mode:Managed'; ignore it, airodump-ng should work fine (we are working on a fix).

Other phones

Check out the source from http://code.google.com/p/bcmon/source/checkout
Build the kernel module (.ko) for your device (the CyanogenMod wiki should be helpful)
If it works, please tell us and send us the compiled version so we can list it here (if it doesn't work, contact us)

Aircrack binaries

We bundled useful binary executables built for ARM:
aircrack-ng suite
tcpdump
iwconfig

FAQ
I get "Can't find wireless tools, exiting."

Solution: make sure you have 'iwpriv' on your system. The bundled 'iwconfig' is actually the multi-call binary 'iwmulticall', which behaves according to the name it is invoked as, so simply create a symlink named 'iwpriv' that points to 'iwconfig'.
