Home page logo
/

pen-test logo Penetration Testing mailing list archives

New penetration testing tool for wifi
From: "Valery Marchuk" <vulns () securitylab ru>
Date: Fri, 14 Mar 2008 10:46:35 +0200

New penetration testing tool for wifi

wep0ff-ng can be used to generate traffic with WEP-based wireless clients, who are seeking for AP to mount KoreK or other attacks.

Download:
http://download.securitylab.ru/wep0ff-ng.tar.gz

Article (Russian):
http://www.securitylab.ru/analytics/312606.php

From readme:
This tool can be used to generate traffic
with WEP-based wireless clients, who are seeking for AP.

It waits while client connects to our 'fake' access point (AP),
then intercepts either Gratuitous ARP (IPv4) or ICMPv6 Neighbor Solicitation (IPv6) packet,
slightly modifies it and sends back.

If target machine answers our packet, we start to send it in the endless loop.

Written by Alexander Markov <amarkov (at) ptsecurity (dot) com>
Released under a BSD Licence

This code was tested on madwifing drivers 0.9.3.3.

How to Use:
--------------------------------------------------
0. Say, we are sitting in airport in front of a man
  who's notebook is seeking for his home wireless
  WEP protected net named 'foo'.


1. Setup WEP protected AP with essid 'foo' and specify any key you like

2. Start this program ( ./wep0ff-ng <iface in MONITOR mode> <drivername> <mac address of AP, you've just launched> [log_packets] )

3. Wait until client connects to our access point

4. Launch airodump-ng to collect packets

5. Launch aircrack-ng to recover WEP key

How to Compile:

gcc -o wep0ff-ng wep0ff-ng.c -lpcap -lorcon
gcc -o airfile airfile.c -lorcon


If wep0ff-ng was launched with 'log_packets' option it will save processed packets on disk.
Received packets will be stored with the names recvd0, recvd1, recvd2 etc.
Modified packets - with the names arp0, arp1, icmp2, etc.

One can use airfile utility to mainly transmit saved packet over the air.
(there is no sense to transmit received packets. one should better try modified ones.)

While trying to get all this stuff to work I've met a couple of troubles.
The first one concerns madwifi-ng drivers.
You can learn more about it at the tracker we've worked out (http://madwifi.org/ticket/1699). Our sample configuration script demonstrates this technique (prepare_ath.sh).

The second trouble was to make our tool to work with airodump-ng.
You can learn more about it at the tracker we've created (http://trac.aircrack-ng.org/ticket/364). At the time of this writing we haven't received any feedback from the aircrack team.
So to fix this problem one can use airodump.patch file we supply.

This code based on following works and POCs:

Sergey Gordeychik. wep0ff. (in russian)
http://www.ptsecurity.ru/download/client-side-wep.pdf
http://www.ptsecurity.ru/download/wepoff.tar.gz

Cafe-Latte
http://www.airtightnetworks.net/knowledgecenter/ppt/Toorcon.ppt

ieee802_11.h by Charlie Lenahan ( clenahan () fortresstech com )



Best Regards,
Valery Marchuk
www.SecurityLab.ru



------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • New penetration testing tool for wifi Valery Marchuk (Mar 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]