| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 15 Mar 2008 19:09:18 +0200 From: "Valery Marchuk" <tecklord@...uritylab.ru> To: <full-disclosure@...ts.grok.org.uk> Subject: New penetration testing tool for wifi New penetration testing tool for wifi wep0ff-ng can be used to generate traffic with WEP-based wireless clients, who are seeking for AP to mount KoreK or other attacks. Download: http://download.securitylab.ru/wep0ff-ng.tar.gz Article (Russian): http://www.securitylab.ru/analytics/312606.php >>From readme: This tool can be used to generate traffic with WEP-based wireless clients, who are seeking for AP. It waits while client connects to our 'fake' access point (AP), then intercepts either Gratuitous ARP (IPv4) or ICMPv6 Neighbor Solicitation (IPv6) packet, slightly modifies it and sends back. If target machine answers our packet, we start to send it in the endless loop. Written by Alexander Markov <amarkov (at) ptsecurity (dot) com> Released under a BSD Licence This code was tested on madwifing drivers 0.9.3.3. How to Use: -------------------------------------------------- 0. Say, we are sitting in airport in front of a man who's notebook is seeking for his home wireless WEP protected net named 'foo'. 1. Setup WEP protected AP with essid 'foo' and specify any key you like 2. Start this program ( ./wep0ff-ng <iface in MONITOR mode> <drivername> <mac address of AP, you've just launched> [log_packets] ) 3. Wait until client connects to our access point 4. Launch airodump-ng to collect packets 5. Launch aircrack-ng to recover WEP key How to Compile: gcc -o wep0ff-ng wep0ff-ng.c -lpcap -lorcon gcc -o airfile airfile.c -lorcon If wep0ff-ng was launched with 'log_packets' option it will save processed packets on disk. Received packets will be stored with the names recvd0, recvd1, recvd2 etc. Modified packets - with the names arp0, arp1, icmp2, etc. One can use airfile utility to mainly transmit saved packet over the air. (there is no sense to transmit received packets. one should better try modified ones.) While trying to get all this stuff to work I've met a couple of troubles. The first one concerns madwifi-ng drivers. You can learn more about it at the tracker we've worked out (http://madwifi.org/ticket/1699). Our sample configuration script demonstrates this technique (prepare_ath.sh). The second trouble was to make our tool to work with airodump-ng. You can learn more about it at the tracker we've created (http://trac.aircrack-ng.org/ticket/364). At the time of this writing we haven't received any feedback from the aircrack team. So to fix this problem one can use airodump.patch file we supply. This code based on following works and POCs: Sergey Gordeychik. wep0ff. (in russian) http://www.ptsecurity.ru/download/client-side-wep.pdf http://www.ptsecurity.ru/download/wepoff.tar.gz Cafe-Latte http://www.airtightnetworks.net/knowledgecenter/ppt/Toorcon.ppt ieee802_11.h by Charlie Lenahan ( clenahan@...tresstech.com ) Best Regards, Valery Marchuk www.SecurityLab.ru _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists