New penetration testing tool for wifi

From: Valery Marchuk (vulns@securitylab.ru)
Date: Fri Mar 14 2008 - 03:46:35 EST


New penetration testing tool for wifi

wep0ff-ng can be used to generate traffic with WEP-based wireless clients,
who are seeking for AP to mount KoreK or other attacks.

Download:
http://download.securitylab.ru/wep0ff-ng.tar.gz

Article (Russian):
http://www.securitylab.ru/analytics/312606.php

>From readme:
This tool can be used to generate traffic
with WEP-based wireless clients, who are seeking for AP.

It waits while client connects to our 'fake' access point (AP),
then intercepts either Gratuitous ARP (IPv4) or ICMPv6 Neighbor Solicitation
(IPv6) packet,
slightly modifies it and sends back.

If target machine answers our packet, we start to send it in the endless
loop.

Written by Alexander Markov <amarkov (at) ptsecurity (dot) com>
Released under a BSD Licence

This code was tested on madwifing drivers 0.9.3.3.

How to Use:
--------------------------------------------------
0. Say, we are sitting in airport in front of a man
   who's notebook is seeking for his home wireless
   WEP protected net named 'foo'.

1. Setup WEP protected AP with essid 'foo' and specify any key you like

2. Start this program ( ./wep0ff-ng <iface in MONITOR mode> <drivername>
<mac address of AP, you've just launched> [log_packets] )

3. Wait until client connects to our access point

4. Launch airodump-ng to collect packets

5. Launch aircrack-ng to recover WEP key

How to Compile:

gcc -o wep0ff-ng wep0ff-ng.c -lpcap -lorcon
gcc -o airfile airfile.c -lorcon

If wep0ff-ng was launched with 'log_packets' option it will save processed
packets on disk.
Received packets will be stored with the names recvd0, recvd1, recvd2 etc.
Modified packets - with the names arp0, arp1, icmp2, etc.

One can use airfile utility to mainly transmit saved packet over the air.
(there is no sense to transmit received packets. one should better try
modified ones.)

While trying to get all this stuff to work I've met a couple of troubles.
The first one concerns madwifi-ng drivers.
You can learn more about it at the tracker we've worked out
(http://madwifi.org/ticket/1699).
Our sample configuration script demonstrates this technique
(prepare_ath.sh).

The second trouble was to make our tool to work with airodump-ng.
You can learn more about it at the tracker we've created
(http://trac.aircrack-ng.org/ticket/364).
At the time of this writing we haven't received any feedback from the
aircrack team.
So to fix this problem one can use airodump.patch file we supply.

This code based on following works and POCs:

Sergey Gordeychik. wep0ff. (in russian)
http://www.ptsecurity.ru/download/client-side-wep.pdf
http://www.ptsecurity.ru/download/wepoff.tar.gz

Cafe-Latte
http://www.airtightnetworks.net/knowledgecenter/ppt/Toorcon.ppt

ieee802_11.h by Charlie Lenahan ( clenahan@fortresstech.com )

Best Regards,
Valery Marchuk
www.SecurityLab.ru

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:28 EDT