Injection driver for Intel ipw3945
is based on a driver made for testing purposes called ipwraw. It allows
raw packet Tx/Rx with the Intel PRO/Wireless 3945ABG adapter. It is raw
mode only and can't be used for normal connections to the internet.
ipwraw doesn't have wireless extensions, so this modification adds some
to make it easier to work with programs like aircrack-ng, kismet, mdk,
External project by JMF, only
New in ipwraw-ng
compatibility fixes for recent kernels (2.6.23 and newer)
bug when setting 5.5 Mb/s rate with iwconfig
bugs (I hope)
in Makefile - it would report that old firmware versions were adequate
and also had some cosmetic glitches
Wireless Extension. Now TxPower can be set using
(INTERFACE is normally
wifi0, or eth0; TXPOWER is the value you want to set, min=-12 and
This version includes some fixes ported from ipw3945 driver. It
should be more stable now...
Default speed was left at 54 MBit; you may want to lower it to 1
MBit before injection with:
iwconfig wifi0 rate 1M
You will have that configured automatically if you use airmon-ng
from the aircrack-ng suite (changeset 847 or greater)
More information can be found in the included README.ipwraw-ng.
contact JMF directly for questions regarding his driver: firstname.lastname@example.org
RT73 USB Enhanced Driver
for Fragmentation Attack
is called rausb0 instead of wlan0 to prevent some tools incorrectly
detecting it as wlanng or hostap driver
speed can be selected with iwconfig
<interface> rate command. The default speed is 54 MBit.
You may want to lower it to 1 MBit before injection with:
iwconfig rausb0 rate 1M
Version 3.0.0 is a new fork from the former serialmonkey CVS. It has
fixes for 2.6.24 and 2.6.25 and does not need setting a MAC Address
before bringing the interface up. This version includes all the
enhancements of the 2.0 series of this driver. If you unplug the card
while it's still in use, it may crash your system. So close all
applications accessing it, bring the interface down and then remove the
You may have waited for
Version 3.0.1 has an updated base version from serialmonkey CVS. It is
patched with all the features of 3.0.0 and it has been successfully
tested with 2.6.26 vanilla kernel.
Version 3.0.2 provides kernel version 2.6.27 compatibility.
NOTE: You may also
try the mac80211 drivers included in 2.6.27 or newer since these
drivers are pretty nice too ;)
Version 3.0.3 provides kernel version 2.6.29 compatibility. It uses
default kernel memory allocation for devices' private data area. This
may fail on 64bit platforms (according to RaLink). In previous versions
the driver allocated its own memory and hacked it into the netdev
structure. This hack failed in 2.6.29 and has been removed. However,
the new mode works for me quite well. Please report if any problems
RT2570 USB Enhanced Driver
header can be toggled via iwpriv, no automatic changes which screwed up
for Fragmentation Attack
support is now considered stable. For further details on the
fragmentation attack see the paper from Andrea Bittau: http://toorcon.org/2005/slides/abittau/
1.5.0 version has some important fixes for kernel version 2.6.19 and
The serialmonkey CVS repository updated its driver from a new RaLink
legacy one. Version 1.6.0 is the modification of this driver with
fragmentation support, MAC changing and prism headers enabled by
default. This driver seems to fix some threading, some SMP and some
endianness issues. So it should be more stable than previous releases.
Version 1.6.1 works for 2.6.22 kernels and comes with some more
Version 1.6.2 with a new base version from serialmonkey CVS, all the
patches from the previous version and support for 2.6.26 kernel.
Version 1.6.3 adds kernel 2.6.27 compatibility. NOTE: You may also try the mac80211
drivers included in 2.6.27 since these drivers are pretty nice too ;)
Version 1.6.4 adds compatibility with 2.6.29.
new MDK3 uses the osdep injection library from the www.aircrack-ng.org project. The
Linux-dependent includes have been removed; mdk3 compiles and runs on
FreeBSD and even Windows (Cygwin). For Windows you need special
drivers, a possibly illegal DLL file and the cygwin environment. Please
see the aircrack-ng website for details about Packet Injection in
MDK3 works on the new
If you are a Linux user, just make, make install and have fun.
If you are a FreeBSD user, do the same, and report back to me, if it
works correctly there.
If you are a Windows user, good luck, but expect no support from me.
MDK3 is licensed under GPLv2.
hidden SSIDs (some small SSID wordlists included)
networks to check if they can hear you
Authentication-DoS to freeze APs (with success checks)
- Beacon Flooding with channel hopping (can crash NetStumbler and some
everything (aka AMOK-MODE)
with Deauthentication and Disassociation packets
Confusion - Shuts down large scale multi-AP installations
MDK3 version 6
MDK3 version 5
Mode now works on Ad-Hoc and MANET networks (WARNING: Clients may not reconnect
automatically, so they may stay disconnected after the attack stopped!)
duplicate WPA downgrade in Deauth Mode (sorry for the confusion)
Bruteforce Mode understands 0 and 1 byte SSIDs as hidden now, and tries
4.4 support, all warnings and extra warnings fixed
and Blacklists in Amok Mode are re-read periodically every 3 seconds.
You can use this to dynamically allow or block hosts with scripts.
lot of small bugfixes
MDK3 version 4
MAC-Filter Bruteforce Mode
WDS/WIDS/WIPS Confusion Test
Mode supports QoS packets
Countermeasure Exploit (also known as TKIP QoS Exploit)
Shuts down APs using TKIP encryption and QoS Extension with 1 sniffed
and 2 injected QoS Data Packets
Test - deauthenticates Stations and APs sending WPA encrypted packet
With this test you can check if the sysadmin will try WEP or even
mdk3 will let WEP and unencrypted clients work, so if the sysadmin
simply thinks "WPA is broken" he sure isn't the right one for this job.
(this can/should be combined with social engineering)
high-speed MAC-Filter Bruteforce Mode (experimental)
Please test this on your APs and report back for optimizing and
Ancient mdk2 versions:
is the first Prism2 USB driver that was able to inject packets. I made
this before Devine had his own one. But I never released it to the
public, however. Unlike his driver, this one seems to be very
stable (was able to crack a whole lot of WEPs with aireplay). It shares
the same issue with Devine's driver, it doesn't inject on kernels newer
than 2.6.11. I can't give any support or help for this since I gave my
prism away. Sorry.
Shared Key Authentication
is the world's first fully functional code to enable fake authentication on
networks using Shared Key Authentication. You do NOT need to know the key to
authenticate; all you need is a keystream that has been chopped with
aireplay-ng's chopchop attack. Hirte, another developer from the
aircrack-ng community, successfully included this code into the aircrack
Fixed in Version 0.2:
error when network does not use Shared Key Authentication
Capability Field from Beacon Frame. (Using the standard capabilities
failed for some APs)
another world premiere from me. First implementation of the
Fragmentation Attack on Linux. This attack needs a special driver and
card that are able to handle IEEE 802.11 fragmentation correctly;
your driver may not work or may need to be updated or modified. The
output of this tool is a file in the aircrack-ng keystream format
(.xor). The output can be used in the same way as the output of the
chopchop attack in aireplay-ng. With that keystream you can build an
ARP packet (arpforge-ng or packetforge-ng). This packet can then be
injected into the target wifi system, generating either answers and/or
forwarded packets increasing the IV count. For an example attack, see
the README in the tarball.
afrag has already been integrated into aireplay-ng; the best idea is to get
the aircrack-ng SVN version for the newest fragmentation attack code.
you want to send some funny stuff,
or if you want to join the "official" ASPj Fanclub,
or if you just have some useful patch for any of my software
or if you used my code in any other project,
I would like to get some mail
I made up a little list of the people who are in my fanclub. They just
went crazy due to exaggerated happiness after using my drivers and/or
THANK YOU VERY MUCH FOR
THIS AWESOME "FEEDBACK"!