Wifitap EN

De Page Personnelle de Cédric Blancher.

Version française



[modifier] Description

Wifitap is a proof of concept for communication over WiFi networks using traffic injection.

This project is nowadays maintained by Oliver Lavery who set a GitHub repository for his work: https://github.com/gdssecurity/wifitap/.

[modifier] Wifitap in action

[modifier] Direct communication without association

Wifitap allows direct communication with an associated station to a given access point directly, meaning:

  • not being associated ourselves;
  • not being handled by access point.
~# modprobe prism54
~# ifconfig eth1 up
~# iwlist eth1 scan
eth1      Scan completed :
          Cell 01 - Address: 00:13:10:30:22:5C
                    Encryption key:off
                    Frequency:2.462 GHz (Channel 11)
                    Quality:19/0  Signal level:-28 dBm  Noise level:-47 dBm

We set our WiFi interface in monitor mode on channel 11.

~# iwconfig eth1 mode monitor channel 11
~# ifconfig eth1 promisc

Wifitap is ready to be launched to communicate with reachable associated stations to access point 00:13:10:30:22:5C.

~# wifitap.py

Error: BSSID not defined

Usage: wifitap -b <BSSID> [-o <iface>] [-i <iface>] [-s <SMAC>] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
     -b <BSSID>    specify BSSID for injection
     -o <iface>    specify interface for injection (default: ath0)
     -i <iface>    specify interface for listening (default: ath0)
     -s <SMAC>     specify source MAC address
     -w <key>      WEP mode and key
     -k <key id>   WEP key id (default: 0)
     -d            activate debug
     -v            verbose debugging
     -h            this so helpful output
~# wifitap.py -b 00:13:10:30:22:5C -i eth1 -p -o eth1
IN_IFACE:   eth1 (no Prism headers in capture)
OUT_IFACE:  eth1
BSSID:      00:13:10:30:22:5c
tcpdump: WARNING: eth1: no IPv4 address assigned
Interface wj0 created. Configure it and use it

Launching Wifitap creates an tuntap interface named wj0 through which we can inject regular IP traffic

~# ifconfig wj0 mtu 1400
~# ifconfig wj0
wj0       Link encap:Ethernet  HWaddr 66:F6:C9:1E:E2:13
          inet addr:  Bcast:  Mask:
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 b)  TX bytes:36 (36.0 b)

~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   U     0      0        0 wj0

Now we can reach through wj0. Listening to eth1 (with tcpdump as an example), we can discover associated stations and communicate with them with IP.

NB : wj0 MAC address is used as source for sent frames if you don't provide source MAC address using -s <SMAC>.

~# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=37.222 ms
64 bytes from icmp_seq=1 ttl=64 time=0.200 ms
64 bytes from icmp_seq=2 ttl=64 time=0.188 ms
64 bytes from icmp_seq=3 ttl=64 time=0.206 ms
--- ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.188/9.454/37.222/16.032 ms

[modifier] Further applications of Wifitap

Wifitap allows any application do send and receive IP packets using 802.11 traffic capture and injection over a WiFi network simply configuring wj0, which means :

  • setting an IP address consistent with target network address range ;
  • routing desired traffic through it.

In particular, it's a cheap method for arbitrary packets injection in 802.11 frames without specific library.

In addition, it will allow one to get rid of any limitation set at access point level, such as bypassing inter-client communications prevention systems (e.g. Cisco PSPF) or reaching multiple SSID handled by the same access point.

[modifier] Hacking Wifitap

Wifitap can easily be modified to be used as a framework for simple tasks such as injecting answers to captured frames.

If you want to use Scapy for captured packets parsing and answers generation, it is necessary to add import for related classes. For instance, if you want to work on ICMP packets, just add:

from scapy  import IP,ICMP

Then, you have to rip tuntap interface handling:

  • initialisation;
  • reading;
  • writting.

Finally, you have to modify the main loop to handle interesting frames identification, fields parsing, then answers generation and injection.

Wifitap tarball contains sample programs:

  • ARP requests answering machine (wifiarp.py);
  • DNS requests answering machine (wifidns.py).
  • ICMP Echo Requests answering machine (wifiping.py);

[modifier] Dependencies

Wifitap depends on :

  • Python >= 2.2
  • Scapy devel version with 802.11 support (included in tgz)
  • Psyco Python optimizer (optional, but warmly recommanded)
  • Injection aware WiFi adapter and driver :
    • Prism54 FullMAC chipset prism54 driver (patch optional but recommanded);
    • Atheros chipset with patched Madwifi driver;
    • Prism2/2.5/3 chipset with patched hostap or wlan-ng drivers;
    • Ralink RT2500 chipset with rt2500 driver;
    • Ralink RT2750 chipset with patched rt2750 driver;
    • Realtek RTL8180 chipset with patched rtl8180 driver.

See PATCHING file for drivers installation. Patches were written by Christophe Devine and are now maintained by Aircrack-ng team.

[modifier] Downloads

[modifier] Wifitap source code

[modifier] External distribution

[modifier] Related stuff

[modifier] Videos

[modifier] Talks

[modifier] Trainings

[modifier] Trackbacks

Locations of visitors to this page

No software patents !

Valid XHTML 1.0 Transitional

Valid CSS 2.1