Wifitap EN
An article from Cédric Blancher's Personal Page, the free encyclopedia.
(http://sid.rstack.org/index.php/Wifitap)
News
Wifitap 0.4.0 (http://sid.rstack.org/code/wifitap/wifitap-0.4.0.tgz) is out!
I will be giving a WiFi Security training (http://www.syscan.org/practical.html) at SyScan'07 (http://syscan.org/) in Singapore. Students will be using Wifitap.
Another one (http://deepsec.net/schedule/) is scheduled for Deepsec 2007 (http://deepsec.net/media/logo.png) in Vienna, Austria.
Description
Wifitap is a proof of concept for communication over WiFi networks using traffic injection.
Wifitap in action
Direct communication without association
Wifitap allows direct communication with a station associated to a given access point, meaning:
- not being associated ourselves;
- not being handled by access point.
~# modprobe prism54
~# ifconfig eth1 up
~# iwlist eth1 scan
eth1 Scan completed :
Cell 01 - Address: 00:13:10:30:22:5C
ESSID:"linksys"
Mode:Master
Encryption key:off
Frequency:2.462 GHz (Channel 11)
Quality:19/0 Signal level:-28 dBm Noise level:-47 dBm
We set our WiFi interface in monitor mode on channel 11.
~# iwconfig eth1 mode monitor channel 11
~# ifconfig eth1 promisc
Wifitap is now ready to be launched to communicate with reachable stations associated to access point 00:13:10:30:22:5C.
~# wifitap.py
Error: BSSID not defined
Usage: wifitap -b <BSSID> [-o <iface>] [-i <iface>] [-s <SMAC>] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
-b <BSSID> specify BSSID for injection
-o <iface> specify interface for injection (default: ath0)
-i <iface> specify interface for listening (default: ath0)
-s <SMAC> specify source MAC address
-w <key> WEP mode and key
-k <key id> WEP key id (default: 0)
-d activate debug
-v verbose debugging
-h this so helpful output
~# wifitap.py -b 00:13:10:30:22:5C -i eth1 -p -o eth1
IN_IFACE: eth1 (no Prism headers in capture)
OUT_IFACE: eth1
BSSID: 00:13:10:30:22:5c
tcpdump: WARNING: eth1: no IPv4 address assigned
Interface wj0 created. Configure it and use it
[...]
Launching Wifitap creates a tuntap interface named wj0 through which we can inject regular IP traffic.
~# ifconfig wj0 192.168.11.11 mtu 1400
~# ifconfig wj0
wj0 Link encap:Ethernet HWaddr 66:F6:C9:1E:E2:13
inet addr:192.168.11.11 Bcast:192.168.11.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 b) TX bytes:36 (36.0 b)
~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 wj0
Now we can reach 192.168.11.0/24 through wj0. Listening on eth1 (with tcpdump, for example), we can discover associated stations and communicate with them over IP.
NB: the wj0 MAC address is used as the source address for sent frames unless you provide one with -s <SMAC>.
~# ping 192.168.11.10
PING 192.168.11.10 (192.168.11.10): 56 data bytes
64 bytes from 192.168.11.10: icmp_seq=0 ttl=64 time=37.222 ms
64 bytes from 192.168.11.10: icmp_seq=1 ttl=64 time=0.200 ms
64 bytes from 192.168.11.10: icmp_seq=2 ttl=64 time=0.188 ms
64 bytes from 192.168.11.10: icmp_seq=3 ttl=64 time=0.206 ms
--- 192.168.11.10 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.188/9.454/37.222/16.032 ms
Further applications of Wifitap
Wifitap allows any application to send and receive IP packets using 802.11 traffic capture and injection over a WiFi network simply by configuring wj0, which means:
- setting an IP address consistent with the target network address range;
- routing desired traffic through it.
In particular, it is a cheap way to inject arbitrary packets in 802.11 frames without a dedicated library.
In addition, it allows one to get rid of any limitation set at access point level, such as bypassing inter-client communication prevention systems (e.g. Cisco PSPF) or reaching multiple SSIDs handled by the same access point.
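The frames Wifitap sends to an associated station carry the access point's address but never go through the access point, which gives a wireless monitor two things to look for. The following Python is an added example, not part of Wifitap or its tarball: it decodes the 802.11 MAC header of a raw capture, records which clients actually completed association, and flags data frames for unassociated stations as well as sequence numbers that jump backwards for a given transmitter (a second radio using the AP's address runs its own counter). The frames in demo() are constructed; the BSSID and wj0 MAC reuse the values shown above, the client MAC is made up.

```python
import struct

def parse_dot11(frame):
    """Decode the 24-byte 802.11 MAC header of a raw capture (no Prism/radiotap header)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    mac = lambda off: ":".join(f"{x:02x}" for x in frame[off:off + 6])
    fc0, fc1 = frame[0], frame[1]
    return {"type": (fc0 >> 2) & 3, "subtype": fc0 >> 4, "to_ds": fc1 & 1,
            "from_ds": (fc1 >> 1) & 1, "addr1": mac(4), "addr2": mac(10),
            "addr3": mac(16), "seq": struct.unpack_from("<H", frame, 22)[0] >> 4}

def build_frame(ftype, subtype, to_ds, from_ds, a1, a2, a3, seq, body=b""):
    """Assemble a constructed frame for testing; mirrors what parse_dot11 reads."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (a1, a2, a3))
    fc = bytes([(subtype << 4) | (ftype << 2), to_ds | (from_ds << 1), 0, 0])
    return fc + addrs + struct.pack("<H", seq << 4) + body

class InjectionMonitor:
    """Flags two symptoms of frames injected outside the AP: data frames for stations
    that never associated, and the AP's sequence counter jumping backwards."""
    def __init__(self):
        self.assoc = {}     # bssid -> clients seen in a successful Association Response
        self.last_seq = {}  # transmitter MAC -> last sequence number observed
    def observe(self, frame):
        h, alerts = parse_dot11(frame), []
        if h["type"] == 0 and h["subtype"] == 1 and len(frame) >= 28:
            if struct.unpack_from("<H", frame, 26)[0] == 0:      # status code 0 = success
                self.assoc.setdefault(h["addr3"], set()).add(h["addr1"])
        elif h["type"] == 2 and h["to_ds"] != h["from_ds"]:
            bssid, sta = (h["addr2"], h["addr1"]) if h["from_ds"] else (h["addr1"], h["addr2"])
            if (int(sta[:2], 16) & 1) == 0 and sta not in self.assoc.get(bssid, set()):
                alerts.append(f"data frame for unassociated station {sta} in BSS {bssid}")
        ta, seq = h["addr2"], h["seq"]
        if ta in self.last_seq and (seq - self.last_seq[ta]) % 4096 > 2048:
            alerts.append(f"sequence number from {ta} went backwards: possible spoofed AP")
        self.last_seq[ta] = seq
        return alerts

def demo():
    """Constructed trace: association, two legitimate data frames, then an injected one."""
    ap, sta, inj = "00:13:10:30:22:5c", "00:11:22:33:44:55", "66:f6:c9:1e:e2:13"
    assoc_ok = struct.pack("<HHH", 0x0431, 0, 0xC001)   # capability, status 0, AID
    trace = [build_frame(0, 1, 0, 0, sta, ap, ap, 10, assoc_ok),
             build_frame(2, 0, 1, 0, ap, sta, ap, 1),    # sta -> AP, ToDS
             build_frame(2, 0, 0, 1, sta, ap, ap, 11),   # AP -> sta, FromDS
             build_frame(2, 0, 0, 1, sta, ap, inj, 0)]   # "AP" -> sta from another radio
    mon = InjectionMonitor()
    return [mon.observe(f) for f in trace]
```

Retransmissions keep the same sequence number and so never trip the backwards check; a real monitor would also expire association state on Deauthentication and Disassociation frames.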
Hacking Wifitap
Wifitap can easily be modified to be used as a framework for simple tasks such as injecting answers to captured frames.
If you want to use Scapy for parsing captured packets and generating answers, you need to add an import for the related classes. For instance, if you want to work on ICMP packets, just add:
from scapy import IP,ICMP
Then, you have to rip out the tuntap interface handling:
- initialisation;
- reading;
- writing.
Finally, you have to modify the main loop to identify the frames of interest, parse their fields, then generate and inject answers.
Wifitap tarball contains sample programs:
- ARP requests answering machine (wifiarp.py);
- DNS requests answering machine (wifidns.py);
- ICMP Echo Requests answering machine (wifiping.py).
Dependencies
Wifitap depends on:
- Python (http://www.python.org/) >= 2.2
- Scapy (http://secdev.org/projects/scapy/) devel version with 802.11 support (included in tgz)
- Psyco (http://psyco.sourceforge.net/) Python optimizer (optional, but warmly recommended)
- Injection-aware WiFi adapter and driver:
- Prism54 FullMAC chipset with prism54 (http://prism54.org/) driver (patch optional but recommended);
- Atheros chipset with patched Madwifi (http://madwifi.sourceforge.net) driver;
- Prism2/2.5/3 chipset with patched hostap (http://hostap.epitest.fi/) or wlan-ng (http://www.linux-wlan.org/) drivers;
- Ralink RT2500 chipset with rt2500 (http://rt2x00.serialmonkey.com/) driver;
- Ralink RT2750 chipset with patched rt2750 (http://rt2x00.serialmonkey.com/) driver;
- Realtek RTL8180 chipset with patched rtl8180 (http://rtl8180-sa2400.sourceforge.net/) driver.
See the PATCHING file for driver installation. Patches were written by Christophe Devine and are now maintained by the Aircrack-ng (http://www.aircrack-ng.org/) team.
Downloads
Wifitap source code
- Tar.gz: http://sid.rstack.org/code/wifitap.tgz (109KB, version 0.4.0)
- Repository: http://sid.rstack.org/code/wifitap/
- Drivers and patches: http://patches.aircrack-ng.org/ (or http://sid.rstack.org/code/mirror/aircrack-ng.org.tgz, 14KB)
- README
- PATCHING
- Changelog
Wifitap is also mirrored at Packetstorm (http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=wifitap&type=archives).
External distribution
- BackTrack (http://www.remote-exploit.org/index.php/BackTrack) Linux Live CD features Wifitap 0.3.7 as of 1.0 Final
- Pentoo (http://www.pentoo.ch/) Linux Live CD features a Wifitap 0.3.7 package (http://www.pentoo.ch/isos/modules/wifitap-0.3.7.mo)
- Troppix (http://distrowatch.com/troppix) Linux Live CD (discontinued) features Wifitap as of 1.1-beta
- Wifitap is listed in Wireless Vulnerabilities & Exploits (http://www.wirelessve.org/) database as candidate WVE-2005-0058 (http://www.wirelessve.org/entries/show/168)
Related stuff
Videos
- Attacking WiFi Networks With Traffic Injection (145MB) (http://sid.rstack.org/videos/confs/0506_Recon_WirelessInjection.avi) at Recon 2005 (http://recon.cx/) in Montreal.
- Videos courtesy of Christophe Devine:
- Cracking WEP in 10 easy steps (http://sid.rstack.org/videos/aircrack/whax-aircrack-wep.html) (and 10 minutes)
- Cracking WPA in 10 easy steps (http://sid.rstack.org/videos/aircrack/whax-aircrack-wpa.html)
Talks
- Hack.lu 2006 (http://hack.lu/), Luxembourg: PDF, 3MB (http://sid.rstack.org/pres/0610_Hacklu_WifiWorkshop.pdf)
- Bellua Cyber Security Asia 2006 (http://bellua.com/bcs/asia06.index.html), Jakarta, Indonesia: PDF, 3MB (http://sid.rstack.org/pres/0608_BCS_OpenWireless.pdf)
- Eusecwest/core06 (http://eusecwest.com/) lightning talk, London, UK: PDF, 393KB (http://sid.rstack.org/pres/0602_ESW_CaptiveBypass.pdf).
- SecureCon 2006 (http://securecon.unimelb.edu.au/), Melbourne, Australia: PDF, 2.1MB (http://sid.rstack.org/pres/0602_Securecon_WirelessInjection.pdf)
- Pacsec/core05 (http://pacsec.jp/), Tokyo, Japan: PDF, 1.9MB (http://sid.rstack.org/pres/0511_Pacsec_WirelessInjection_en.pdf)
- Ruxcon 2005 (http://ruxcon.au.org/), Sydney, Australia: PDF, 2MB (http://sid.rstack.org/pres/0510_Ruxcon_WirelessInjection.pdf).
- Syscan'05 (http://syscan.org/), Bangkok, Thailand: PDF, 2.1MB (http://sid.rstack.org/pres/0509_Syscan_WirelessInjection.pdf)
- LSM 2005 (http://www.rencontresmondiales.org/), Dijon, France: PDF, 1.9MB (http://sid.rstack.org/pres/0507_LSM05_WirelessInjection.pdf)
- Recon 2005 (http://recon.cx/), Montreal, Canada, and Wifitap public release: PDF, 1.2MB (http://sid.rstack.org/pres/0506_Recon_WirelessInjection.pdf)
- SSTIC 2005 (http://www.sstic.org/) Rump Session, Rennes, France: PDF, 220KB (http://sid.rstack.org/pres/0506_SSTIC_Wifitap.pdf)
Trainings
- Pacsec/core06 (http://pacsec.jp), Tokyo, Japan
- Bellua Cyber Security Asia 2006 (http://bellua.com/bcs/asia06.index.html), Jakarta, Indonesia
- SyScan 2006 (http://syscan.org/), Singapore
- Cansecwest/core06 (http://cansecwest.com/), Vancouver, Canada
- Eusecwest/core06 (http://eusecwest.com/), London, United Kingdom
Trackbacks
- EN
- http://packetstormsecurity.org/filedesc/wifitap-0.3.7.html
- http://www.wi-foo.com/index-3.html
- http://www.attackprevention.com/article/Wifitap-2813.html
- http://ejohansson.se/archives/2006/02/17/wep-cracking-and-wifi-security/
- http://www.learnsecurityonline.com/forum/viewtopic.php?t=189
- http://www.wardrive.net/wardriving/tools (http://802.11-security.net/wardriving/tools)
- http://www.wirelessdefence.org/Contents/WifitapMain.htm
- http://www.rockyh.net/blog/2005/10/2/impressions-of-ruxcon-2005.html
- http://blog.pentester.com.au/2005/10/ruxcon-wrap-up.html
- http://isc.sans.org/diary.php?date=2005-06-26
- http://www.professionalsecuritytesters.org/modules.php?name=News&new_topic=41
- http://www.pauldotcom.com/oct-2005-oshean.pdf
- http://www.monkey.org/~jose/blog/viewpage.php?page=june_05_moblog
- http://www.researchzilla.com/node/3535
- http://www.raulsiles.com/resources/wifi.html
- http://www.wardrivingonline.com/downloads/wardriving.htm
- http://del.icio.us/url/bab396f0b27c0f29753e577e39064cb5
- FR
- http://www.weka.fr/informatique/securite/itsecurite/actu/failles/42721/
- http://www.mtl2600.org/forum/viewtopic.php?t=752&postdays=0&postorder=asc&start=30
- http://www.hsc-news.com/archives/2005/000024.html
- http://www.reseaux-telecoms.com/cso_btree/05_07_01_124058_106/CSO/Newscso_view
- http://bruno.kerouanton.net/papers/sstic05-bk-synthese.doc
- http://www.mag-securs.com/article.php3?id_article=2789
- http://synhack.org/?p=14
- http://www.brest-wireless.net/wiki/softs:securite
- http://www.rezalfr.org/francois.ropert/index.php?2005/10/04
- http://revhosts.net/
- JP