Raw Wireless Tools Homepage


This is the main web site of several proof-of-concept tools using IEEE 802.11 raw injection. These tools are provided as-is and thus cannot be considered as a complete and functional tool set.

These programs are basic proof-of-concept code, so please, do not blame me for ugly coding style! They were coded for testing wireless IDS stuff but also for fun!

To date, several tools are available:
These tools are released under General Public License (GPL) version 2.

The first three tools were explained and demonstrated at the ShmooCon 2006 conference [Slides].
The enhanced Raw Covert and Stealth patches were explained and demonstrated at the BlackHat US 2006 conference [Slides].

Raw Fake AP

rfakeap, a program that emulates IEEE 802.11 access points thanks to wireless raw injection.

It aims at creating/injecting both beacon and probe response frames in order to emulate valid IEEE 802.11 access points.

Well-known tools like Black Alchemy's Fake AP use ifconfig/iwconfig to change wireless settings such as BSSID, ESSID, channel and txpower. Unfortunately, when the card is in master mode, some IEEE 802.11 fields (the BSS timestamp, the sequence number and some tagged parameters) are controlled by the driver and thus cannot be easily forged. For example, an ESSID change (via iwconfig) resets the BSS timestamp (thanks to Joshua Wright for this hint), giving any wireless IDS the opportunity to catch a Fake AP easily.

This tool is able to fool both passive scanners (e.g. Kismet) and active scanners (e.g. XP SP2 WZC, NetStumbler), with some limitations (see below). It can be used to disturb any (newbie) wardriver with some efficiency by hiding "real" wireless networks (of course, this should be further enhanced with a wider tool sending data, control and management frames in order to simulate a set of wireless networks).

Preliminary tests

Some weird things... ;-)

Should be further investigated...

As a reminder, (most) passive scanners just listen for beacon frames (and optionally probe response frames), whereas (most) active scanners send broadcast probe requests and listen for the probe responses answering them, in order to find both cloaked and uncloaked wireless networks. This tool allows you to send frames (beacons or probe responses) with a destination MAC equal to the scanner's MAC address.

Features

Overall features:
Command line interface will help you to choose between:

Download

rfakeap-0.1.tar.gz (sha1) [deprecated]
rfakeap-0.2.tar.gz (sha1)

Changelog

Version 0.2: added a probe response mode that listens for Null probe requests

Raw Glue AP

rglueap, a program that catches wireless stations searching for preferred ESSIDs.

It aims at creating/injecting probe responses, authentication responses and association responses to wireless stations wanting to associate with access points.

This tool catches probe requests, sends back appropriate probe responses and then tries to catch the authentication and association requests that follow. It is a kind of Glue AP whose purpose is to catch clients that are actively scanning for any ESSID. This method could be implemented in a Wireless IPS tool.

Both Null-ESSID probe requests and probe requests for pre-configured ESSIDs (which are usually the preferred wireless networks in Wireless Zero Configuration) will be caught.

All this is done in monitor mode and uses raw injection, which seems to be required if this method is to be implemented in a Wireless IDS (which usually performs detection in monitor mode).

You should also check out the excellent KARMA tool, which performs very well at catching wireless clients thanks to a modified madwifi driver in master mode.
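The two symptoms described above, the BSS timestamp reset that gives away a Fake AP and a Glue AP answering probe requests for any ESSID, can both be checked passively from captured management frames. The following Python is an added example, not code from these tools; it assumes captures with the radiotap header already stripped and works on constructed sample frames built by `mgmt_frame`.

```python
# Added example, not code from rfakeap/rglueap: a passive monitor for the two
# symptoms above. Fake AP: a real AP's 8-byte little-endian TSF timestamp only
# grows between beacons, so a BSSID whose timestamp goes backwards was restarted.
# Glue AP: one transmitter sending probe responses for many different ESSIDs is
# answering "any ESSID". Frames are constructed samples, radiotap already stripped.
import struct
BEACON, PROBE_RESP = 8, 5   # management frame subtypes

def parse_mgmt(frame):
    """Return (subtype, sa, bssid, tsf, essid) for a beacon/probe response, else None."""
    if len(frame) < 36:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (BEACON, PROBE_RESP):
        return None
    sa, bssid = frame[10:16].hex(":"), frame[16:22].hex(":")
    tsf = struct.unpack("<Q", frame[24:32])[0]
    essid, pos = None, 36   # tags follow timestamp(8) + interval(2) + capability(2)
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        if tag == 0:   # SSID element
            essid = frame[pos + 2:pos + 2 + length].decode("ascii", "replace")
            break
        pos += 2 + length
    return subtype, sa, bssid, tsf, essid

def monitor(frames, max_essids=3):
    """Return ('tsf reset', bssid) and ('glue ap', sa) alerts in detection order."""
    last_tsf, essids_by_sa, alerts = {}, {}, []
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        subtype, sa, bssid, tsf, essid = parsed
        if subtype == BEACON:
            if bssid in last_tsf and tsf < last_tsf[bssid]:
                alerts.append(("tsf reset", bssid))
            last_tsf[bssid] = tsf
        else:
            seen = essids_by_sa.setdefault(sa, set())
            seen.add(essid)
            if len(seen) == max_essids + 1:   # report once, when the threshold is crossed
                alerts.append(("glue ap", sa))
    return alerts

def mgmt_frame(subtype, sa, tsf, essid):
    """Constructed beacon/probe response: header, fixed params, SSID tag (no FCS)."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + sa + sa + b"\x00\x00"
    fixed = struct.pack("<QHH", tsf, 100, 0x0001)   # timestamp, interval, capability
    return hdr + fixed + bytes([0, len(essid)]) + essid.encode()
```

A timestamp that goes backwards can also be a rebooted AP, so in practice the alert should be correlated with an ESSID or BSSID change on the same radio.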

Preliminary tests

Raw Glue AP is functional but has some limitations regarding the ACKnowledgment of authentication and association requests. As a matter of fact, the code is not optimized enough to succeed in catching every wireless client (or chipset/driver): ACK frames are generally managed in the firmware or driver (within 300 microseconds), whereas this tool tries to manage them in userland...

The main interest of catching wireless clients is that, once caught, they do not scan for other access points, which keeps them in a kind of virtual quarantine area.

So far, the proof-of-concept tool performs well against Atheros/madwifi, Prism2.5/HostAP and PrismGT/Prism54.

But it requires much more testing.

Download

rglueap-0.1.tar.gz (sha1)

Changelog

Version 0.1: initial release

Raw Covert

rcovert, a program that initiates a covert channel over IEEE 802.11 networks thanks to wireless raw injection.

It aims at encoding a covert channel in the RA address field of valid ACK frames. Using ACK frames has the advantage of being quite stealthy, as they are considered harmless and thus are generally not analyzed by Wireless IDS. This kind of encoding is quite trivial, but should be extended using encryption...

Covert channel principles can be extended to encode anything between the lines of the IEEE 802.11 protocol (but not necessarily) and to achieve reliable communication (shell, file transfer...).
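The stealth argument above, that ACK frames are not analyzed, also points at the check a wireless IDS could add. The following Python is an added example, not code from rcovert or pyrawcovert; it assumes frames with the radiotap header already stripped and a capture that sees both sides of the exchange (a missed data frame yields a false positive, so the ratio over a window, not a single ACK, is the signal).

```python
# Added example, not code from rcovert/pyrawcovert: a check a wireless IDS can
# apply to the control frames it normally ignores. A legitimate ACK carries only
# an RA, and that RA is the transmitter (addr2) of a frame sent just before it.
# An ACK whose RA never transmitted anything in the recent capture acknowledges
# nothing, which is how a channel that stores data in the RA field shows up.
# Frames are constructed samples with the radiotap header already stripped.

def frame_kind(frame):
    """Return (type, subtype) from the 802.11 frame control byte."""
    fc = frame[0]
    return (fc >> 2) & 0x3, fc >> 4

def orphan_acks(frames, window=16):
    """Return (index, RA) for ACKs whose RA was not the TA of one of the last `window` non-control frames."""
    recent, alerts = [], []
    for i, frame in enumerate(frames):
        ftype, subtype = frame_kind(frame)
        if ftype == 1 and subtype == 13:          # control / ACK: FC, duration, RA
            if frame[4:10] not in recent:
                alerts.append((i, frame[4:10].hex(":")))
        elif ftype != 1 and len(frame) >= 16:     # management/data: addr2 is the transmitter
            recent.append(frame[10:16])
            del recent[:-window]                  # keep only the last `window` transmitters
    return alerts

def ack_ratio(frames):
    """Fraction of ACKs that are orphans; a steadily high value on a quiet medium is the signal."""
    acks = [f for f in frames if frame_kind(f) == (1, 13)]
    return len(orphan_acks(frames)) / len(acks) if acks else 0.0

def data_frame(ta, ra):
    """Constructed minimal data frame header: FC 0x08, duration, addr1=RA, addr2=TA, addr3, seqctl."""
    return bytes([0x08, 0, 0, 0]) + ra + ta + ta + b"\x00\x00"

def ack_frame(ra):
    """Constructed ACK: FC 0xd4, duration, RA (no FCS)."""
    return bytes([0xd4, 0, 0, 0]) + ra
```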

Preliminary tests

Raw Covert is fully functional even if some frames may be dropped as the medium is somewhat unreliable. But it is sufficient to send some simple

Download

rcovert-0.1.tar.gz (sha1)

Changelog

Version 0.1: initial release

Python Raw Covert

pyrawcovert is an enhancement of the Raw Covert tool that was released at ShmooCon 2006. It is a covert channel over the 802.11 protocol. It uses valid control frames (ACK) for carrying the communication protocol. These frames are usually considered non-malicious and thus are not analyzed by most wireless IDS.

This tool enables full-duplex communication between two pyrawcovert instances and thus makes it possible to perform interactive communications (ssh...) or file transfers (scp...) within this covert channel.

Download

pyrawcovert-0.1.tar.gz (sha1)

Changelog

Version 0.1: initial release

WiFi Advanced Stealth Patches

wifi-advanced-stealth-patches are a set of basic patches for the madwifi-ng driver in order to achieve good stealth at low cost!
They can be useful in protecting your own network from wardrivers and attacks (denial-of-service, WEP cracking...), as your modified access point and clients are the only ones that understand each other! :-) Some embedded access points like the Netgear WG634U have an Atheros chipset (OpenWRT + madwifi) and thus may be modified to support stealth at low cost.

These patches are only a proof-of-concept and may be improved in many ways as possibilities are quite infinite...

Download

wifi-advanced-stealth-patches.tar.gz (sha1)


Tools Requirements

You basically need:
Most of this software was successfully tested on:
Prism54 and madwifi drivers enable the tools to inject coherent sequence numbers and BSS timestamps.

Installation

Most of the time: make and/or make install

Author

Laurent Butti -- 0x9090 at gmail

Last modified: September 28th, 2006.