
Wireless Frame-Generating Tools

Because 802.11 management and control frames are neither authenticated nor encrypted, being able to send custom 802.11 frames gives a wireless attacker an unlimited opportunity to cause Layer 2 DoS attacks on a targeted WLAN. Even worse, a skilled attacker can spoof his or her attacking machine as an access point, wireless bridge, or client host on the unfortunate infrastructure (managed) network, or as a peer on an independent (ad-hoc) WLAN. A DoS attack can then be used to disassociate WLAN hosts from a legitimate access point or bridge and force them to associate with the attacker's machine.

There are two main tools that allow custom 802.11 frame generation: the AirJack suite (Linux) and the more recent Wnet dinject utilities collection (OpenBSD). To an extent, the HostAP drivers for Prism chipset cards can also be considered 802.11 frame-generating tools, because access point functionality involves transmitting beacons and sending probe response frames. FakeAP from Black Alchemy, which runs on top of HostAP and uses Linux Wireless Extensions to generate custom beacons, illustrates such functionality and can be employed in several 802.11 attacks as well as for its intended use as a wireless honeypot.

Void11 is another frame-generating tool that uses HostAP and is designed for data link DoS attacks on 802.11 networks, including mass DoS attacks.

AirJack

The AirJack suite was originally made up of a custom driver for Prism II chipset cards and a few end-user utilities that use the airjack_cs module's custom 802.11 frame-generation capabilities to launch a variety of attacks against WLANs. An expected but delayed second release of AirJack should support wireless hardware with chipsets other than Prism. Here we describe the first versions of AirJack, extensively tested and tried at the moment of writing.

The attack utilities included with the first two versions of AirJack implement DoS by sending deauthentication frames, a closed ESSID disclosure attack that works by forcing host reauthentication, and a Layer 2 man-in-the-middle attack, with the additional possibility of a specific man-in-the-middle attack against the FreeSWAN-based Wavesec wireless IPSec implementation. Later versions of AirJack include only the closed ESSID disclosure attack utility. Nevertheless, the utilities from earlier versions, written to implement the attacks just mentioned, work fine with the later AirJack versions.

The main functionality of AirJack is based around its ability to send 802.11 deauthentication frames. For those interested in how AirJack generates deauthentication frames, here is an example of the frame-building code:

    #include <string.h>      /* memset, memcpy */
    #include <sys/socket.h>  /* send */

    /* AirJack: build and transmit one 802.11 deauthentication frame.
       struct a3_80211 is AirJack's three-address management frame header;
       FC_TYPE_MGT, MGT_DEAUTH and the global raw socket come from its headers. */
    void send_deauth (__u8 *dst, __u8 *bssid)
    {
        struct {
            struct a3_80211 hdr;   /* frame control, duration, 3 MACs, sequence control */
            __u16 reason;          /* deauthentication reason code */
        } frame;

        memset(&frame, 0, sizeof(frame));
        frame.hdr.mh_type = FC_TYPE_MGT;         /* management frame */
        frame.hdr.mh_subtype = MGT_DEAUTH;       /* subtype: deauthentication */
        memcpy(&(frame.hdr.mh_mac1), dst, 6);    /* addr1: destination station (or broadcast) */
        memcpy(&(frame.hdr.mh_mac2), bssid, 6);  /* addr2: source, spoofed as the AP */
        memcpy(&(frame.hdr.mh_mac3), bssid, 6);  /* addr3: BSSID */
        frame.reason = 1;                        /* reason code 1: unspecified */
        send(socket, &frame, sizeof(frame), 0);  /* hand the frame to the aj0 driver */
    }
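The header layout above (type and subtype in the frame control field, then destination, source and BSSID addresses, sequence control, and a two-byte reason code) is exactly what a wireless IDS has to parse to notice the Layer 2 DoS described in this section. The following Python block is an added example, not AirJack code or any other code from the book: it decodes raw management frame headers in that field order, constructs a few sample frames for testing, and raises an alert for any BSSID in whose name a burst of deauthentication or disassociation frames appears inside a one-second window. The MAC addresses, timestamps and frame bytes are all constructed, and the threshold of ten frames per second is an assumed tuning value.

```python
"""Parse 802.11 management frame headers and flag deauthentication floods.

Added example (not AirJack code).  The header layout mirrors the three-address
frame that send_deauth() builds: frame control, duration, addr1 (destination),
addr2 (source), addr3 (BSSID), sequence control, then a 2-byte reason code.
All sample frames, MAC addresses and timestamps below are constructed.
"""
import struct

FC_TYPE_MGT = 0        # frame control type 0 = management
MGT_BEACON = 0x08      # management subtype 8 = beacon (used as a negative sample)
MGT_DISASSOC = 0x0A    # management subtype 10 = disassociation
MGT_DEAUTH = 0x0C      # management subtype 12 = deauthentication

# Little-endian 24-byte management header: fc, flags, duration, addr1..3, seqctl
HDR = struct.Struct("<BBH6s6s6sH")


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_mgmt_frame(raw):
    """Decode one raw 802.11 frame into a dict of header fields.

    The reason code is only present (and only read) for deauth/disassoc frames.
    """
    if len(raw) < HDR.size:
        raise ValueError("truncated 802.11 header")
    fc, _flags, _duration, a1, a2, a3, seqctl = HDR.unpack_from(raw)
    frame = {
        "type": (fc >> 2) & 0x3,      # bits 2-3 of the first frame-control byte
        "subtype": (fc >> 4) & 0xF,   # bits 4-7
        "dst": mac_str(a1),
        "src": mac_str(a2),
        "bssid": mac_str(a3),
        "seq": seqctl >> 4,           # upper 12 bits are the sequence number
        "reason": None,
    }
    if frame["type"] == FC_TYPE_MGT and frame["subtype"] in (MGT_DEAUTH, MGT_DISASSOC):
        body = raw[HDR.size:HDR.size + 2]
        if len(body) == 2:
            frame["reason"] = struct.unpack("<H", body)[0]
    return frame


def build_mgmt_frame(subtype, dst, src, bssid, seq=0, reason=None):
    """Construct a sample management frame (test input only, never transmitted)."""
    fc = (FC_TYPE_MGT << 2) | (subtype << 4)
    raw = HDR.pack(fc, 0, 0, dst, src, bssid, (seq & 0xFFF) << 4)
    if reason is not None:
        raw += struct.pack("<H", reason)
    return raw


def detect_deauth_flood(records, window=1.0, threshold=10):
    """Sliding-window rate check over (timestamp_seconds, raw_frame) records.

    Returns {bssid: peak_count} for every BSSID in whose name at least
    `threshold` deauth/disassoc frames were seen inside any `window` seconds.
    A legitimate AP rarely deauthenticates more than a handful of stations per
    second, so a burst like this is the signature of a wlan_jack-style flood.
    """
    times_by_bssid = {}
    for ts, raw in records:
        f = parse_mgmt_frame(raw)
        if f["type"] == FC_TYPE_MGT and f["subtype"] in (MGT_DEAUTH, MGT_DISASSOC):
            times_by_bssid.setdefault(f["bssid"], []).append(ts)

    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


# Constructed sample capture: one AP under attack, one quiet AP, one beacon.
AP = bytes.fromhex("001122334455")        # constructed BSSID
AP2 = bytes.fromhex("00aabbccddee")       # constructed BSSID
CLIENT = bytes.fromhex("00deadc0de00")    # constructed station MAC
BCAST = b"\xff" * 6

SAMPLE_CAPTURE = [
    # 15 broadcast deauths "from" AP within 0.3 s, reason 1, like send_deauth() emits
    (10.0 + i * 0.02, build_mgmt_frame(MGT_DEAUTH, BCAST, AP, AP, seq=i, reason=1))
    for i in range(15)
] + [
    (10.1, build_mgmt_frame(MGT_BEACON, BCAST, AP, AP, seq=40)),                # not counted
    (12.0, build_mgmt_frame(MGT_DEAUTH, CLIENT, AP2, AP2, seq=500, reason=3)),  # single, benign
]

if __name__ == "__main__":
    for bssid, n in detect_deauth_flood(SAMPLE_CAPTURE).items():
        print(f"deauth flood: {n} frames in 1 s claiming BSSID {bssid}")
```

The check keys on the BSSID in addr3 rather than on the source address, because a flooder can vary addr2 freely while the victim stations only honour frames that name their AP's BSSID; a single deauthentication from a quiet AP, as in the last sample record, never trips the threshold.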

Despite being developed for Prism II chipset cards, the AirJack end-user utilities use Hermes chipset cards in man-in-the-middle attacks, provided that the orinoco.c.patch included with the suite is applied. This patch was designed for pcmcia-cs services version 3.1.31, and you might want to see if it will work with later versions of the card services before using a Hermes chipset card with the AirJack man-in-the-middle utilities. Our experience in applying the patch to pcmcia-cs-3.2.1 wasn't successful, so you might be forced to downgrade to version 3.1.31 or rewrite the patch.

The AirJack code is GNU-licensed and available for download at both http://802.11ninja.net/airjack/ and Sourceforge; several crippled copies of AirJack can be found on the Web, and you'll need some C knowledge to fix them.

To compile AirJack, do make; if you are plagued by the 'cmpxchg' undefined symbol error message, change the AirJack Makefile CFLAGS line from

    CFLAGS= -O2 -Wall -Werror -DMODULE -D__KERNEL__ $(INCLUDES)

to

    CFLAGS= -O2 -Wall -DMODULE -D__KERNEL__ $(INCLUDES)

Then copy the airjack_cs.o module to your modules path (it should be /lib/modules/<your_kernel_version>/pcmcia) and run depmod. After that, use the linux-wlan-ng-generated /etc/pcmcia configuration files and replace all bind "prism2_cs" strings in wlan-ng.conf and config by bind "airjack_cs".

Alternatively, you can use the ready configuration files supplied on the accompanying Web site. Unplug your wireless card and restart the card manager. Plug the card back in and do lsmod. You should see something like this in its output:

    Module                  Size  Used by    Tainted: P
    airjack_cs             16712   0

Then do ifconfig -a and check if there is an aj0 interface:

    arhontus:~# ifconfig -a
    aj0       Link encap:UNSPEC  HWaddr 00-DE-AD-C0-DE-00-00-00-00-00-00-00-00-00-00-00
              UP BROADCAST RUNNING MULTICAST  MTU:1600  Metric:1
              RX packets:1754241 errors:17589 dropped:0 overruns:0 frame:17589
              TX packets:0 errors:19624 dropped:0 overruns:0 carrier:0
              collisions:0
              RX bytes:120758718 (115.1 MiB)  TX bytes:0 (0.0 b)

Please note that iwconfig will not show any data about the aj0 interface, because no wireless extensions are present within this device. Bring up the aj0 interface with ifconfig aj0 up. Go to the airjack-v0.6.2-alpha/tools directory and do make. Then do make monkey_jack. Congratulations, your AirJack should be ready for use.

If you want to employ a Hermes chipset card for man-in-the-middle attacks, first patch the pcmcia-cs sources:

    arhontus:~# cp /airjack-v0.6.2-alpha/patches/orinoco.c.patch \
                   /usr/src/pcmcia-cs-3.1.31/wireless/
    arhontus:~# patch -p0 < orinoco.c.patch
    arhontus:~# ./Configure --force

Back up your existing PCMCIA modules and install the patched pcmcia-cs. Check that both Prism II and Hermes chipset cards can fit into your PCMCIA slots simultaneously (having both cards with MMCX connectors and without built-in dipole antennas is a good idea).

The end-user attack utilities for AirJack include the following:

- essid_jack, which forces wireless hosts to reauthenticate with an AP on a closed network and sniffs the hidden ESSID in the process
- wlan_jack, the deauthentication spoofed MAC address frames flooder
- monkey_jack, the man-in-the-middle attack tool (which inserts the AirJack-running host between the access point and a target machine on a WLAN)
- kraker_jack, a modified monkey_jack capable of inserting the attacking host between the Wavesec client and server

Wavesec (http://www.wavesec.org) is a wireless-specific mobile implementation of the Linux FreeSWAN IPSec client. The peculiar thing about Wavesec operation is the way it arranges the trust required between the wireless client and the IPSec gateway. Wavesec does it by exchanging public keys during the DHCP address assignment. The client provides its forward hostname and public key in a DHCP request. The DHCP server then inserts both into the DNS server for the reverse zone (the IP to hostname mapping) using dynamic DNS update. Kraker_jack attacks these specific key exchange features of Wavesec to insert the attacking host between the Wavesec client and server at Layer 2 (via monkey_jack), replace the client key with its own, and decrypt the data passing through it. Thus, kraker_jack does not attack the FreeSWAN and IPSec protocol per se, and FreeSWAN IPSec settings based on a shared secret or x509 certificates, which we describe in Chapter 14, are not vulnerable to the kraker_jack attack.

Other utilities included among the AirJack tools are setmac and set_channel for the Hermes chipset card when used in man-in-the-middle attacks (self-explanatory) and dump_core, which allows you to monitor raw output from the aj0 interface (pipe it into a file and use strings to see the ESSIDs of present wireless networks, etc.).