Date: Sat, 22 Nov 2008 20:59:04 +0100
From: "Kacper Szczesniak" <kacper@....pl>
To: full-disclosure@...ts.grok.org.uk, wifisec@...urityfocus.com
Subject: [tool] Broadcom NDIS driver monitor enabler (or simply monitor mode for your macbook)

INTRODUCTION

If you are an unlucky BCM432x (in terms of PCI IDs) user, like all MacBook owners since Santa Rosa, your wireless card is not supported by the bcm43xx driver. There are two possible solutions to this problem:
- use ndiswrapper (but you've been told that there's no monitor mode in NDIS<6 drivers)
- use the buggy and closed Broadcom wl driver

But unfortunately wl is also not capable of enabling monitor mode. This is strange, because in wlioctl.h you can find the following defines:
#define WLC_GET_MONITOR		107
#define WLC_SET_MONITOR		108

and there's also a function skeleton in wl_linux.c:
void wl_set_monitor(wl_info_t *wl, int val) { }

So, how should it work? It should be possible to pass WLC_SET_MONITOR to the wl_ioctl() function inside the closed driver. I tried that. No luck. I disassembled the provided object and there seems to be no code that can handle a monitor mode request. If there's no monitor mode support, what are the ioctl numbers for? They're just common to all Broadcom drivers. So I disassembled the bcmwl5.sys file. Here's the finding:
.text:00038CE7    int __stdcall sub_38CE7(int Register, int, char *, int, int)
looks just like wl_ioctl()...

and what's more:
.text:00039037     mov     al, [ebp+64h+var_D] ; jumptable 00038DF4 case 108
WLC_SET_MONITOR is handled inside the Windows NDIS driver!

win_wl_ioctl() is never called directly; instead a few NDIS OIDs (e.g. DISASSOCIATE) make use of it. But as far as I know there's no code in the driver itself that calls win_wl_ioctl() to enable monitor mode. Why is there unused code to handle monitor requests inside an NDIS driver but not in the Linux driver?!

The question remains open. We can try to make use of the gift found inside bcmwl5.sys. All we have to do is:
1. load the NDIS driver using ndiswrapper
2. find win_wl_ioctl()'s location in memory
3. find the location of the internal structure used by bcmwl5.sys
4. call it

Since the NDIS driver asks ndiswrapper to allocate memory for it, [3] is fairly easy. Now we have our own full-featured wl_ioctl() function that can handle most of wlioctl.h (e.g. SET_PASSIVE_SCAN).

The last thing is to receive data from the card while it is in monitor mode. The NDIS spec states that there's no other possibility than to receive Ethernet frames from the driver. That's true: bcmwl5.sys will give us 80211_RADIO_PRISM frames encapsulated in dummy Ethernet frames. All we need to do is strip them inside ndiswrapper.
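
As an added example (not code from the original post or from the bcmmon patch), here is the stripping step in C: drop the dummy Ethernet header, decode the Prism monitor header beneath it, and validate the driver-supplied frame length before handing the 802.11 frame on. It assumes the inner header follows the libpcap DLT_PRISM_HEADER (wlan-ng) layout of 144 bytes; the post does not document the exact layout bcmwl5.sys emits, so the layout, the msgcode value, the item offsets and the sample frame built by build_sample_frame() are all assumptions or constructed here.

```c
/* Added example, not from the post or the bcmmon patch. ASSUMPTION: the
 * inner header uses libpcap's DLT_PRISM_HEADER layout (wlan-ng, 144 bytes):
 * msgcode u32, msglen u32, devname[16], then ten 12-byte items
 * {did u32, status u16, len u16, data u32} in the order hosttime, mactime,
 * channel, rssi, sq, signal, noise, rate, istx, frmlen. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN         14    /* dst(6) + src(6) + ethertype(2) */
#define PRISM_HDR_LEN    144   /* DLT_PRISM_HEADER size (assumption) */
#define PRISM_MSGCODE    0x41  /* wlan-ng monitor message code (assumption) */
#define IEEE80211_HDRLEN 24    /* 3-address management/data header */
#define PRISM_ITEM_OFF(i)  (24 + 12 * (i))
#define PRISM_ITEM_CHANNEL 2
#define PRISM_ITEM_SIGNAL  5
#define PRISM_ITEM_FRMLEN  9

struct mon_frame {
    uint32_t channel;
    uint32_t signal;
    const uint8_t *frame;   /* points into the caller's buffer */
    size_t frame_len;
    unsigned fc_type;       /* 802.11 frame-control type: 0=mgmt 1=ctl 2=data */
    unsigned fc_subtype;
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Strip the Ethernet wrapper and decode the Prism header. Returns 0 on
 * success, -1 on malformed input. Every length here comes from the closed
 * driver, so it is bounded by the buffer actually received, not trusted. */
int strip_prism_frame(const uint8_t *buf, size_t len, struct mon_frame *out)
{
    const uint8_t *ph;
    size_t avail;
    uint32_t frmlen;

    if (!buf || !out || len < ETH_HLEN + PRISM_HDR_LEN)
        return -1;
    ph = buf + ETH_HLEN;                  /* drop the dummy Ethernet header */
    if (rd32le(ph) != PRISM_MSGCODE)      /* msgcode */
        return -1;
    if (rd32le(ph + 4) != PRISM_HDR_LEN)  /* msglen */
        return -1;
    avail  = len - ETH_HLEN - PRISM_HDR_LEN;
    frmlen = rd32le(ph + PRISM_ITEM_OFF(PRISM_ITEM_FRMLEN) + 8);
    if (frmlen < IEEE80211_HDRLEN || frmlen > avail)
        return -1;                        /* driver-claimed length is bogus */

    memset(out, 0, sizeof(*out));
    out->channel   = rd32le(ph + PRISM_ITEM_OFF(PRISM_ITEM_CHANNEL) + 8);
    out->signal    = rd32le(ph + PRISM_ITEM_OFF(PRISM_ITEM_SIGNAL) + 8);
    out->frame     = ph + PRISM_HDR_LEN;
    out->frame_len = frmlen;
    /* 802.11 frame control byte 0: bits 0-1 version, 2-3 type, 4-7 subtype */
    out->fc_type    = (out->frame[0] >> 2) & 0x3;
    out->fc_subtype = (out->frame[0] >> 4) & 0xf;
    return 0;
}

/* CONSTRUCTED sample: zeroed dummy Ethernet header, a Prism header claiming
 * channel 6, and a bare 24-byte beacon header. Returns bytes written. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t beacon_hdr[IEEE80211_HDRLEN] = {
        0x80, 0x00,                          /* FC: type mgmt, subtype beacon */
        0x00, 0x00,                          /* duration */
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  /* addr1: broadcast */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* addr2: constructed BSSID */
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* addr3 */
        0x10, 0x00                           /* sequence control */
    };
    size_t total = ETH_HLEN + PRISM_HDR_LEN + sizeof beacon_hdr;
    uint8_t *ph;

    if (cap < total)
        return 0;
    memset(buf, 0, total);
    ph = buf + ETH_HLEN;
    wr32le(ph, PRISM_MSGCODE);
    wr32le(ph + 4, PRISM_HDR_LEN);
    memcpy(ph + 8, "wlan0", 5);                                /* devname */
    wr32le(ph + PRISM_ITEM_OFF(PRISM_ITEM_CHANNEL) + 8, 6);
    wr32le(ph + PRISM_ITEM_OFF(PRISM_ITEM_SIGNAL) + 8, 200);
    wr32le(ph + PRISM_ITEM_OFF(PRISM_ITEM_FRMLEN) + 8, sizeof beacon_hdr);
    memcpy(ph + PRISM_HDR_LEN, beacon_hdr, sizeof beacon_hdr);
    return total;
}

/* Returns 1 when the sample decodes as expected and truncation is rejected. */
int selfcheck(void)
{
    uint8_t buf[512];
    struct mon_frame mf;
    size_t n = build_sample_frame(buf, sizeof buf);

    if (n != ETH_HLEN + PRISM_HDR_LEN + IEEE80211_HDRLEN) return 0;
    if (strip_prism_frame(buf, n, &mf) != 0) return 0;
    if (mf.channel != 6 || mf.signal != 200 || mf.frame_len != 24) return 0;
    if (mf.fc_type != 0 || mf.fc_subtype != 8) return 0;
    if (strip_prism_frame(buf, n - 1, &mf) != -1) return 0;  /* short capture */
    return 1;
}

int main(void)
{
    printf("selfcheck: %s\n", selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The point to take into the ndiswrapper patch is the length check: the frmlen item and everything else in that header come from the closed driver, so the stripping code bounds them by the buffer it actually received instead of trusting them.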

Fully functional monitor mode inside an NDIS driver. This method should work for all Broadcom cards supported by the x86 bcmwl5.sys and, since there are no hardcoded offsets, possibly for others.

INSTALLATION

1. Download the bcmmon tarball from http://qwe.pl/~kacper/bcmmon.tar.bz2
2. Download the ndiswrapper source from http://ndiswrapper.sourceforge.net/
3. Extract the tarballs
$ tar jxf bcmmon.tar.bz2
$ tar zxf ndiswrapper-1.53.tar.gz
4. Patch ndiswrapper using bcmmon.diff
$ patch -p1 < ./bcmmon.diff
5. Compile
$ make
6. If you haven't configured ndiswrapper before, you can use the bcmwl5.sys extracted from bcmmon; this is the unmodified .sys file that I use
# ndiswrapper -i bcmwl5.inf
7. Load the new ndiswrapper module
# insmod ./ndiswrapper.ko

Note that this module is suitable for normal use, so you can just replace your original ndiswrapper module if it's working fine for you.

USAGE

# iwconfig wlan0 mode monitor
# ifconfig wlan0 up

Now you are ready to go; just fire up Kismet (set the source to orinoco) and enjoy!

Then you can simply go back to infrastructure mode:
# ifconfig wlan0 down
# iwconfig wlan0 mode managed

cheers,
kacper

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
