Archive for the Networking Category

Connecting Ubiquiti Aircam to Synology NAS – Surveillance Station 6.1-2941

Posted in Computing, Infrastructure, Networking on May 29, 2012 by brandon314

How to:

This requires you to modify .conf files on your Synology NAS. If you are not familiar with how to do this or are not good in a UNIX terminal, you may want to investigate adding this package to your NAS before starting (for file editing):

Make sure both your UBNT Aircam and the Synology NAS are running most current (current date 2/20/2014) firmware/packages.

Start the SSH service on your NAS if you wish to SSH into it using Putty or some other flavor of client. Do this by logging into your NAS, selecting Control Panel, then clicking on Terminal. Select ‘Enable SSH service’ and click apply. Confirm that Surveillance Station 6.1 is already shut down before editing files (you can confirm this in the package manager)

SSH into your NAS by entering the IP address and using the default port. Username:  root, password: admin

Example: Type ssh root@ hit return and then wait for prompt and enter the password “admin”. Replace the IP address with your NAS IP address and if you have changed your root password (you really should) it will be something besides admin.

Navigate to and edit the following files (I used the vi command followed by a space and the file name):



Add under the {camera*list] (using vi, you click the insert button on your keyboard and then scroll up/down):


Then add, down below where the camera port/streams are called out:

      video source=”/live/ch01_0″
video source=video.cgi


Use ch00_0 for higher resolution video.

You then need to save that file (in vi, hit Esc, followed by a colon, followed by the letters ‘wq’ and then hit enter.

Next edit the following file:



It doesn’t exist (it will be blank and empty) however if you use VI (or similar editor) and save the contents, it will create the file for you.

Within that file, paste the following:

api = ubnt

channel_list = 1

default_channel = 1
resolutions_h264 = 640×480, 1280×720

default_resolution_h264 = 1280×720

fps_h264_[640×480] = 5,10,15,20,25,30
fps_h264_[1280×720] = 5,10,15,20,25,30
default_fps_h264_1280x720 = 10
default_fps_h264_640x480 = 10
default_image_quality = 5

h264 = rtsp

default_username = ubnt
default_password = ubnt

(Again, if in vi, hit Esc, then enter ‘:wq’ and hit return to save)

Restart your Surveillance Station 6.1 package and go add a new camera.

Select UBNT and Aircam.

Name your camera, enter port 554, your proper IP, and H.264 as your video type. Username and password need to match what you have set up on the Aircam in the web interface under video, RTSP Authentication (username/password). Synology only includes one free camera license per NAS unless you buy additional licences through them (search the web to find out more).

Hope you enjoy having your NAS directly talking with your Ubiquiti Aircam.



Another AirCrack Guide for IPW2200 Driver (Intel PRO/Wireless 2200BG)

Posted in Computing, Networking on October 7, 2011 by brandon314

Shamelessly copied from some forum for my own personal notes.


Here’s a quick guide for anyone trying to get injection working on an ipw2200 with BackTrack 2. This is intended for first-time aircrack-ng users, so it will only detail the most basic procedure. You can find more complicated guides with troubleshooting for some of the more complicated access points in other threads.

I will be demonstrating a simple WEP crack using ARP request replay. Please also read the newbie guide first so that you generally know what you are doing.

** This tutorial is for open authenticted networks only. Shared key authentication is more complicated. **

By the way: if you are very new to linux, selecting text in the terminal window (with the mouse) will automatically copy it, and clicking both mouse buttons at the same time will paste. You can stop any aircrack programs with ctrl+c. To see the history of the terminal window, you can scroll with shift+pageUp/pageDown.

BackTrack 2 supports ipw2200 injection out of the box, but there are some limitations. Injection is slightly more complex when using the ipw2200 as opposed to other cards – you have to use different interfaces to inject and monitor. You can only use the following aireplay-ng attacks with the ipw2200:
2 (–interactive)
3 (–arpreplay)
4 (–chopchop)

You will need the following information first. You can find access point details using: “iwlist eth1 scan” after you log into BackTrack.:
Access point bssid
Access point channel


0. (optional) The aircrack-ng team has done such a great job lately that there have been 2 releases since BackTrack 2. So the first thing that you should do is update aircrack-ng to v0.9. You should start backtrack connected to a LAN so that you can download the updates.
tar -zxvf aircrack-ng-0.9.tar.gz
cd aircrack-ng-0.9
make install

1. Enable the rtap0 interface.
rmmod ipw2200
modprobe ipw2200 rtap_iface=1

2. Make a ‘dummy’ connection to the access point. You don’t need to know the key at this stage – we just make up a fake one (“fakekey”). This step is required because of a limitation in the ipw2200 driver. ipw2200 must be in managed mode and connected to an access point before it will work with aireplay-ng.
iwconfig eth1 ap <access point bssid>
iwconfig eth1 key s:fakekey
iwconfig eth1 mode managed

3. Bring up the interfaces:
ifconfig eth1 up
ifconfig rtap0 up

3a. Optional: at this point, you can type “iwconfig” to see if the dummy connection from step 2 has worked. The connection details will be listed beside the “eth1” interface.

4. Run airodump-ng to capture packets from your access point to dumpfile*.cap. You should always specify a channel with airodump, because otherwise it will try to scan through all channels, and that will break your injection attack.
airodump-ng –channel <Access Point channel> –bssid <Access Point bssid> -w dumpfile rtap0

4a. After a few seconds in airodump-ng, you should notice that there are clients connected to the access point (they will be listed under “STATION”). Take note of the MAC address of one of the clients. You will use it in the next step.

5. Open another terminal window. Run an ARP replay attack. Note the commands at the end of the line (“-i rtap0 eth1”) which tell aireplay-ng to listen on rtap0 and inject on eth1. After some time, an ARP packet will come through and the #/s figure in the airodump-ng window will increase. If the RXQ (receive quality %) column is >90 then you should be getting #/s of 200 or higher, but more importantly, it should be much higher than what it was before.
aireplay-ng –arpreplay -b <Access Point bssid> -h <client MAC addr. from step 4a> -i rtap0 eth1

6. Wait a few minutes until the #Data reaches 100 000 (if you updated in step 0), or 1 000 000 (if you did not update in step 0). This should be more than enough, but we leave the attack running just in case.

7. Open another terminal window and run aircrack-ng.

  • If you did not update aircrack-ng in step 0, you will need 1 000 000 IVs, and will have to run aircrack-ng without -z:
    aircrack-ng -b <Access Point bssid> dumpfile*.cap
  • If you did update in step 0, you can use the PTW attack (-z option). Aircrack should say that it is processing approx. 100 000 IVs. If this number is low (less than 1000), there is some problem with your injection attack. Aircrack will then display “Key Found”. You should know what to do after that.
    aircrack-ng -z -b <Access Point bssid> dumpfile*.cap

You should now have the key.


Using Intel PRO/Wireless 2200BG with AirCrack

Posted in Computing, Networking on October 7, 2011 by brandon314

Shamelessly copied from another wordpress for my personal notes.
HOWTO: Aircrack-NG (Simple Guide)

This HOWTO is widely based on Aircrack’s own documentation. In addition you’ll find the latest version of “Aircrack Next Generation” here and Aircrack-PTW here

Any suggestions for improvement are welcome. Aim is to keep this HOWTO as simple & comprehensive as possible as I believe that brevity is the soul of wit.

Note that you need formal permission from the owner of any wireless network you wish to audit. Under no circumstances must you compromise a network’s security prior to obtaining approval from the owner of the network, and no support will be given to users who seek to do otherwise.

Generally speaking there are 3 types of attacks:

1. Brute force attack
2. Dictionary attack
3. Statistical attack

By exploiting several security weaknesses of the WEP protocol Aircrack NG makes use of a statistical method to recover WEP keys. Provided that you have collected a sufficient number of IVs (= Initialization Vectors) and depending on the length of the encryption key, determining the actual WEP key will take less than a minute on a common PC.

I assume that you have successfully patched the driver for your wireless adapter (e.g. Ralink chipset), so I won’t go into this. I have tested packet injection and decryption with:

1. Intel® PRO/Wireless 2200BG (IPW2200)
2. Linksys WUSB54G V4.0 (RT2570)

I recommend “Linksys WUSB54G V4.0″ as it has a decent reception and reasonable performance. If you need help patching & compiling from source, feel free to post your problems here as well.

1. This HOWTO was written for Aircrack-NG v0.9.1 & Aircrack-PTW v1.0.0 on Kubuntu Feisty Fawn 7.04 (32-bit).
2. ’00:09:5B:D7:43:A8′ is the MAC address of my network, so you need to replace it with your own.
3. ’00:00:00:00:00:00′ is the MAC address of the target client, NOT that of your own wireless card.

Please make sure that you stick to the exact sequence of actions and pay attention to section on MAC filtering.

  • 1. Enable monitoring with “airmon-ng” (screenshot #1):
    sudo airmon-ng start <interface> <channel>
  • 2. Packet capturing with “airodump-ng” (screenshot #2):
    sudo airodump-ng –channel <channel> –write <file_name> <interface>

    Alternatively, try this (to collect data from target network only and hence increase performance):

    sudo airodump-ng –channel <channel> –bssid 00:09:5B:D7:43:A8 –write<file_name> <interface>

    –channel… Select preferred channel; optional, however, channel hopping severely impacts and thus slows down collection process.
    –bssid… MAC address of target access point; optional, however, specifying access point will improve performance of collection process.
    –write… Preferred file name; mandatory field (in our case).

  • 3.1. Now check if MAC filtering is enabled or turned off:
    sudo aireplay-ng -1 0 -e <target_essid> -a 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS <interface>

    -1… ’0′ deauthenticates all clients.
    -e… ESSID of target access point.
    -a… MAC address of target access point.
    -h… MAC address of your choice.

  • 3.2. If the resulting output looks like this…
    18:22:32 Sending Authentication Request
    18:22:32 Authentication successful
    18:22:32 Sending Association Request
    18:22:32 Association successful :-)

    …then MAC filtering is turned off & you can continue following section ‘No MAC filtering’, otherwise jump to section ‘MAC filtering’.

>> No MAC filtering <<

  • 4. Packet Re-injection with “aireplay-ng” (screenshot #4):
    sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h MY:MA:CA:DD:RE:SS<interface>

    You’ll now see the number of data packets shooting up in ‘airodump-ng’. This process can take up to five minutes before you start receiving any ARP requests. So be a little patient at this point. As MAC filtering is off, use an arbitrary MAC address (‘MY:MA:CA:DD:RE:SS’).

    Continue with #6.

    -3… Standard ARP-request replay.
    -b… MAC address of target access point.
    -h… MAC address of your choice.

>> MAC filtering <<

  • 4. Deauthentication with “aireplay-ng” (screenshot #3):
    sudo aireplay-ng -0 5 -a 00:09:5B:D7:43:A8 -c 00:00:00:00:00:00 <interface>

    -0… Number of deauthentication attempts.
    -a… MAC address of target access point.
    -c… Client MAC address.

  • 5. Packet Re-injection with “aireplay-ng” (screenshot #4):
    sudo aireplay-ng -3 -b 00:09:5B:D7:43:A8 -h 00:00:00:00:00:00 <interface>

    You’ll now see the number of data packets shooting up in ‘airodump-ng’. This process can take up to five minutes before you start receiving any ARP requests. So be a little patient at this point.

    -3… Standard ARP-request replay.
    -b… MAC address of target access point.
    -h… Client MAC address.

  • 6. Decryption with “aircrack-ng” & “aircrack-ptw” (screenshot #5):Aircrack-ng:
    sudo aircrack-ng <file_name>.cap


    ./aircrack-ptw <file_name>.cap

This is a summary based on information given here and there, respectively:

64-bit key: ~250,000 packets
128-bit key: ~1,500,000 packets

64-bit key: ~20,000 packets [estimate]
128-bit key: ~85,000 packets

That’s it. I am open for further suggestions and hope to gain as much input as possible so that we can improve this guide and at the same time, keep it as simple as possible for other users.

Installing Ubuntu 10.10 over LAN

Posted in Computing, Networking on April 24, 2011 by brandon314

Useful, but was very buggy when it came down to pulling the image off of a remote server. Couldn’t get it to work, and besides, I needed the linux partition manager booted up via the “Live” version…no install (my Toshiba M200 doesn’t recognize the external PCMCIA optical drive under linux…AND doesn’t have boot from USB (major failure))

Slick for most other machines though…especially if they don’t have drives or similar.

Installing Win7 (or other) over TFTP (Boot-Over-LAN)

Posted in Computing, Networking on April 24, 2011 by brandon314

Handy little tool, but very annoying to get right the first time.

We will see how it handles reboots without the virtual drive existing anymore. Lets hope Microsoft is smarter than that when it comes to OS installations.

…and about that time

Posted in Networking on March 30, 2010 by brandon314

The internet at home went down. Sigh…

I fought with the local AP’s for a bit…realized I could reach a LOT farther than I thought with a dish only 9ft HAAT, and then just left it with the old settings.

And an hour ago the net came back up. Router was fubar (my guess) as I could ping it, but couldn’t access an admin page or even NAT through it. Bummer!

Gah! Belkin Routers

Posted in Networking with tags , , on March 28, 2010 by brandon314

So, on the Dish Network* internet that I use at my residence, the remote wireless AP that I am connecting with is a  Belkin F5D7230-4 6000. It supports wireless B/G, bridging, and all the usual router features. And oh, BTW, it is a piece of garbage.

Reboot ~1-4 times a day depending upon use to keep the Internet WAN active.

Junkbox 101.

*Dish Network = 17dB 2.4Ghz Parabolic Antenna connected to a Ubiquity Bullet setup as a router for my local network. Thank you distant company with a static IP address and the lack of knowledge to setup even the most basic wireless security.