Raw Wireless Tools Homepage
This is the main web site of several proof-of-concept tools using IEEE 802.11 raw injection. These tools are provided as-is and thus cannot be considered a complete and functional tool set. These programs are basic proof-of-concept code, so please, do not blame me for the ugly coding style! They were coded for testing wireless IDS stuff but also for fun!
To date, several tools are available:
- Raw Fake AP (rfakeap): a proof-of-concept tool that emulates IEEE 802.11 access points thanks to wireless raw injection and monitor mode;
- Raw Glue AP (rglueap): a proof-of-concept tool that tries to catch wireless stations that are searching for preferred SSIDs thanks to wireless raw injection and monitor mode;
- Raw Covert (rcovert): a proof-of-concept tool that uses ACK frames to initiate a covert channel thanks to wireless raw injection and monitor mode;
- Python Raw Covert (pyrawcovert): an improved version of Raw Covert in Python with tun mode;
- WiFi Advanced Stealth Patches: some proof-of-concept patches for madwifi-ng to implement stealth at low cost by tweaking the 802.11 MAC layer.
These tools are released under the GNU General Public License (GPL) version 2.
The first three tools were explained and demonstrated at the ShmooCon 2006 conference [Slides]. The enhanced Raw Covert and the Stealth patches were explained and demonstrated at the BlackHat US 2006 conference [Slides].
Raw Fake AP
rfakeap, a program that emulates IEEE 802.11 access points thanks to wireless raw injection.
It aims at creating/injecting both beacon and probe response frames in order to emulate valid IEEE 802.11 access points.
Well-known tools like Black Alchemy's Fake AP use ifconfig/iwconfig to change wireless settings like BSSID, ESSID, channel and txpower. Unfortunately, in master mode some IEEE 802.11 fields are controlled by the driver, such as the BSS timestamp, the sequence number and (some) tagged parameters, and thus cannot be easily forged. E.g., an ESSID change (through iwconfig) resets the BSS timestamp (thanks to Joshua Wright for this hint), giving any wireless IDS the opportunity to catch a Fake AP easily.
This tool is able to fool both passive scanners (e.g. Kismet) and active scanners (e.g. XP SP2 WZC, NetStumbler), with some limitations (see below). It can be used to disturb any (newbie) wardriver with some efficiency by hiding "real" wireless networks (of course, this should be further enhanced with a broader tool sending data, control and management frames in order to simulate a set of wireless networks).
Preliminary tests
Some weird things... ;-)
- Some instability issues on some active scanners
- Some active scanners accept broadcast probe response frames
Should be further investigated...
As a reminder, (most) passive scanners just listen for beacon frames (and optionally probe response frames), whereas (most) active scanners listen for the probe response frames answered to the broadcast probe requests they initiate, in order to find both cloaked and uncloaked wireless networks. This tool allows you to send packets (beacons or probe responses) with a destination MAC equal to the scanner's MAC address.
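The detection side of the timestamp hint above, as an added example that is not part of Raw Wireless Tools: a wireless IDS can parse beacon frames and check, per BSSID, that the BSS (TSF) timestamp never goes backwards, that the sequence number advances by a bounded step and that the SSID does not change silently. The beacon frames, BSSID and SSIDs below are constructed for the demonstration; the frame layout is the standard IEEE 802.11 beacon format.

```python
"""Beacon-coherence check of the kind a wireless IDS can run.

Added example, not part of Raw Wireless Tools. The beacon frames below are
constructed inline for the demonstration; BSSID and SSIDs are made up.
"""
from __future__ import annotations
import struct

SEQ_MODULO = 4096          # 12-bit sequence number space


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_beacon(frame: bytes) -> dict:
    """Extract BSSID, sequence number, TSF timestamp and SSID from a beacon.

    IEEE 802.11 layout: 24-byte MAC header (frame control, duration, addr1,
    addr2, addr3, sequence control), then the 8-byte TSF timestamp, 2-byte
    beacon interval and 2-byte capability field, then tagged parameters,
    of which the SSID is tag 0.
    """
    fc, _duration, _addr1, _addr2, addr3, seqctl = struct.unpack_from(
        "<HH6s6s6sH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 8):        # type 0 = management, subtype 8 = beacon
        raise ValueError("not a beacon frame")
    timestamp, interval, _capability = struct.unpack_from("<QHH", frame, 24)
    ssid = None
    offset = 36
    while offset + 2 <= len(frame):
        tag, length = frame[offset], frame[offset + 1]
        if tag == 0:
            ssid = frame[offset + 2:offset + 2 + length].decode("utf-8", "replace")
            break
        offset += 2 + length
    return {
        "bssid": mac_str(addr3),
        "seq": seqctl >> 4,          # low 4 bits are the fragment number
        "timestamp": timestamp,      # microseconds since the BSS timer started
        "interval": interval,        # beacon interval in TUs (1 TU = 1024 us)
        "ssid": ssid,
    }


class BeaconCoherenceChecker:
    """Per-BSSID checks: the TSF timestamp must never go backwards, the
    sequence number must advance by a bounded step, and the SSID must not
    change silently. A timestamp reset (what an SSID change in master mode
    causes) or a wild sequence jump is what gives a naive fake AP away.

    max_seq_gap must leave room for the AP's own data traffic, which shares
    the sequence counter with its beacons; tune it to the environment.
    """

    def __init__(self, max_seq_gap: int = 64):
        self.max_seq_gap = max_seq_gap
        self.last = {}                  # bssid -> last parsed beacon

    def observe(self, beacon: dict) -> list:
        alerts = []
        prev = self.last.get(beacon["bssid"])
        if prev is not None:
            if beacon["timestamp"] < prev["timestamp"]:
                alerts.append(f"{beacon['bssid']}: BSS timestamp went backwards "
                              f"({prev['timestamp']} -> {beacon['timestamp']})")
            gap = (beacon["seq"] - prev["seq"]) % SEQ_MODULO
            if gap > self.max_seq_gap:
                alerts.append(f"{beacon['bssid']}: sequence number jumped by {gap}")
            if beacon["ssid"] != prev["ssid"]:
                alerts.append(f"{beacon['bssid']}: SSID changed "
                              f"{prev['ssid']!r} -> {beacon['ssid']!r}")
        self.last[beacon["bssid"]] = beacon
        return alerts


def build_beacon(bssid: bytes, seq: int, timestamp: int, ssid: str) -> bytes:
    """Constructed sample beacon for the checker (broadcast destination, 100 TU)."""
    fc = 8 << 4                                   # version 0, management, beacon
    header = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, bssid, bssid,
                         (seq << 4) & 0xFFFF)
    fixed = struct.pack("<QHH", timestamp, 100, 0x0001)   # capability: ESS
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie


def demo() -> list:
    """Four constructed beacons from one made-up BSSID, two of them incoherent."""
    bssid = bytes.fromhex("000c29aabbcc")          # constructed address
    frames = [
        build_beacon(bssid, 10, 5_000_000, "office"),
        build_beacon(bssid, 11, 5_102_400, "office"),   # +100 TU, coherent
        build_beacon(bssid, 12, 40_000, "office"),      # timestamp reset
        build_beacon(bssid, 900, 142_400, "guest"),     # seq jump and SSID change
    ]
    checker = BeaconCoherenceChecker()
    alerts = []
    for frame in frames:
        alerts.extend(checker.observe(parse_beacon(frame)))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In a real sensor the frames would come from a monitor-mode capture rather than `build_beacon`; the checks are the same, and the sequence-gap threshold is the one knob that needs tuning against the AP's normal traffic.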
Features
Overall features:
- Raw injection of beacon and probe response frames in monitor mode
- Try to forge coherent sequence numbers and BSS timestamps (depending on driver injection capabilities)
- Try to keep a coherent time interval between beacons (which is hard to achieve without a real-time kernel)
The command-line interface lets you choose between:
- Randomize Open/WEP/WPA/RSN crypto
- Randomize b/g cards
- Channel hopping
- TXpower hopping
- Randomize ESSIDs (alnum or not)
- Randomize BSSIDs
- Choose beacon interval
- Choose number of fake access points
- Choose a file with valid OUIs
- Choose a file with ESSIDs
- Choose between beacon or probe response frames
- Select a destination MAC address
Download
rfakeap-0.1.tar.gz (sha1) [deprecated]
rfakeap-0.2.tar.gz (sha1)
Changelog
Version 0.2: added a probe response mode that listens for Null probe requests
Raw Glue AP
rglueap, a program that catches wireless stations searching for preferred ESSIDs. It aims at creating/injecting probe responses, authentication responses and association responses to wireless stations wanting to associate with access points.
This tool catches probe requests, sends back appropriate probe responses and then tries to catch authentication and association requests. It is a kind of Glue AP whose purpose is to catch clients that are actively scanning for any ESSID. This method could be implemented in a Wireless IPS tool.
Any ESSID will be caught, both Null ESSID probe requests and probe requests for pre-configured ESSIDs (which are usually the preferred wireless networks in Wireless Zero Configuration).
All of this is done in monitor mode and uses raw injection, which seems to be a requirement if this method is to be implemented in a Wireless IDS (which usually performs detection in monitor mode).
You should also check out the excellent KARMA tool, which performs very well in catching wireless clients thanks to a modified madwifi driver in master mode.
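Seen from a wireless IDS, the behaviour described above has a signature: a responder that answers directed probe requests for several distinct SSIDs, each right after some client asked for it. The following is an added example (not part of Raw Glue AP or KARMA) of correlating probe requests with probe responses to flag such a responder. The frame records are simplified, constructed stand-ins for captured management frames; every address, SSID and timestamp is made up. It only covers the directed-probe case: a response to a Null ESSID probe is indistinguishable from a normal AP answering with its own SSID.

```python
"""Spotting glue-AP behaviour from monitor-mode traffic.

Added example, not part of Raw Wireless Tools. The records below are
constructed stand-ins for captured probe request/response frames.
"""
from collections import defaultdict


class GlueApDetector:
    """Correlate directed probe requests with the probe responses that follow.

    A legitimate AP answers directed probes only for the SSIDs it serves; a
    responder that echoes back whatever SSID a client just asked for, across
    several distinct SSIDs, behaves like a glue AP.
    """

    def __init__(self, max_echoed_ssids=3, window_s=0.5):
        self.max_echoed_ssids = max_echoed_ssids   # distinct SSIDs before alerting
        self.window_s = window_s                   # request -> response window (s)
        self.recent_requests = {}                  # (client, ssid) -> time of last request
        self.echoed = defaultdict(set)             # responder -> SSIDs echoed after a request
        self.reported = set()

    def observe(self, frame):
        """Feed one frame; return an alert string or None.

        frame keys: subtype ('probe_req' / 'probe_resp' / other), src, dst,
        bssid, ssid (None or '' for a wildcard probe), t (seconds).
        """
        if frame["subtype"] == "probe_req":
            if frame["ssid"]:                      # wildcard probes are normal: ignore
                self.recent_requests[(frame["src"], frame["ssid"])] = frame["t"]
            return None
        if frame["subtype"] != "probe_resp":
            return None
        asked_at = self.recent_requests.get((frame["dst"], frame["ssid"]))
        if asked_at is None or not 0 <= frame["t"] - asked_at <= self.window_s:
            return None
        responder = frame["bssid"]
        self.echoed[responder].add(frame["ssid"])
        if (len(self.echoed[responder]) >= self.max_echoed_ssids
                and responder not in self.reported):
            self.reported.add(responder)
            return (f"{responder} answered directed probes for "
                    f"{sorted(self.echoed[responder])}: glue-AP behaviour")
        return None


def rec(subtype, src, dst, ssid, t, bssid=None):
    """Build one constructed frame record."""
    return {"subtype": subtype, "src": src, "dst": dst,
            "bssid": bssid, "ssid": ssid, "t": t}


def demo():
    """Constructed trace: a legitimate AP answers its own SSID once, while a
    second responder answers every preferred-network probe from three clients."""
    legit, glue = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # made-up addresses
    bcast = "ff:ff:ff:ff:ff:ff"
    trace = [
        rec("probe_req", "c1", bcast, "home", 0.00),
        rec("probe_resp", legit, "c1", "home", 0.01, bssid=legit),
        rec("probe_resp", glue, "c1", "home", 0.02, bssid=glue),
        rec("probe_req", "c2", bcast, "coffee", 1.00),
        rec("probe_resp", glue, "c2", "coffee", 1.01, bssid=glue),
        rec("probe_req", "c3", bcast, "", 1.50),           # wildcard probe: ignored
        rec("probe_req", "c3", bcast, "airport", 2.00),
        rec("probe_resp", glue, "c3", "airport", 2.01, bssid=glue),
    ]
    detector = GlueApDetector()
    return [alert for alert in map(detector.observe, trace) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The threshold exists because some deployments legitimately answer for a handful of SSIDs on one BSSID; raising `max_echoed_ssids` trades a little sensitivity for fewer false positives.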
Preliminary tests
Raw Glue AP is functional but has some limitations regarding the ACKnowledgment of authentication and association requests. As a matter of fact, the code is not optimized enough to succeed in catching every wireless client (or chipset/driver). ACK frames are generally managed in the firmware or driver (within 300 microseconds), and this tool tries to manage them in userland...
The main interest of catching wireless clients is that, once caught, they do not scan for other access points, keeping them in a kind of virtual quarantine area.
So far, the proof-of-concept tool performs well against Atheros/madwifi, Prism2.5/HostAP and PrismGT/Prism54. But it requires much more testing.
Download
rglueap-0.1.tar.gz (sha1)
Changelog
Version 0.1: initial release
Raw Covert
rcovert, a program that initiates a covert channel over IEEE 802.11 networks thanks to wireless raw injection.
It aims at encoding a covert channel in the RA address field of valid ACK frames. Using ACK frames has the advantage of being quite stealthy, as they are considered harmless and thus are generally not analyzed by Wireless IDS. This kind of encoding is quite trivial, but should be extended using encryption...
Covert channel principles can be extended to encode anything between the lines of the IEEE 802.11 protocol (but not necessarily) and to achieve a reliable communication (shell, file transfer...).
Preliminary tests
Raw Covert is fully functional even if some frames may be dropped as the medium is somewhat unreliable. But it is sufficient to send some simple
Download
rcovert-0.1.tar.gz (sha1)
Changelog
Version 0.1: initial release
Python Raw Covert
pyrawcovert is an enhancement of the Raw Covert tool that was released at ShmooCon 2006. It is a covert channel over the 802.11 protocol. It uses valid control frames (ACK) for carrying the communication protocol. These frames are usually considered non-malicious and thus are not analyzed by most wireless IDS.
This tool enables full-duplex communication between two pyrawcovert instances and thus makes it possible to perform interactive communications (ssh...) or file transfers (scp...) within this covert channel.
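Both Raw Covert and Python Raw Covert rely on wireless IDS ignoring ACK frames. They need not: an 802.11 ACK carries only a receiver address (RA) and is sent one SIFS after the unicast frame it acknowledges, so its RA should equal the transmitter address of the frame immediately before it. The following added example (not part of either tool) checks that every ACK seen by a monitor-mode sensor has a plausible predecessor and alerts on a run of ACKs that acknowledge nothing. The frame records are simplified, constructed stand-ins for captured frames; addresses and timestamps are made up.

```python
"""Checking that every ACK frame has something to acknowledge.

Added example, not part of Raw Wireless Tools. The records below are
constructed stand-ins for captured data and ACK frames.
"""


class AckAnomalyDetector:
    """Flag ACKs whose RA is not the transmitter of a recent preceding frame.

    The correlation window is deliberately generous: monitor timestamps mark
    the start of a frame, so the gap between a data frame and its ACK covers
    the data frame's airtime (up to a few ms) plus SIFS (10 to 16 us). A few
    unexplained ACKs are normal whenever the sensor misses a frame, hence a
    threshold before alerting.
    """

    def __init__(self, window_s=0.005, threshold=3):
        self.window_s = window_s
        self.threshold = threshold
        self.last_tx = None            # (TA, time) of the last non-ACK frame seen
        self.unexplained = 0
        self.unexplained_ras = []

    def observe(self, frame):
        """Feed one frame; return an alert string or None.

        frame keys: kind ('ack' or anything else), t (seconds), and either
        ra (for an ACK) or ta (for any other frame).
        """
        if frame["kind"] != "ack":
            self.last_tx = (frame["ta"], frame["t"])
            return None
        explained = (self.last_tx is not None
                     and frame["ra"] == self.last_tx[0]
                     and 0 <= frame["t"] - self.last_tx[1] <= self.window_s)
        if explained:
            return None
        self.unexplained += 1
        self.unexplained_ras.append(frame["ra"])
        if self.unexplained == self.threshold:
            return (f"{self.unexplained} unexplained ACK frames with RAs "
                    f"{self.unexplained_ras}: possible ACK-based covert channel")
        return None


def demo():
    """Constructed trace: three normal data/ACK exchanges, then three ACKs
    that acknowledge nothing and carry unrelated addresses."""
    sta_a, sta_b = "00:0c:29:00:00:0a", "00:0c:29:00:00:0b"   # made-up stations
    trace = [
        {"kind": "data", "ta": sta_a, "t": 0.000},
        {"kind": "ack", "ra": sta_a, "t": 0.001},          # answers the frame above
        {"kind": "data", "ta": sta_b, "t": 0.100},
        {"kind": "ack", "ra": sta_b, "t": 0.101},
        {"kind": "data", "ta": sta_a, "t": 0.200},
        {"kind": "ack", "ra": sta_a, "t": 0.201},
        {"kind": "ack", "ra": "02:00:00:00:00:01", "t": 0.300},   # no preceding frame
        {"kind": "ack", "ra": "02:00:00:00:00:02", "t": 0.301},
        {"kind": "ack", "ra": "02:00:00:00:00:03", "t": 0.302},
    ]
    detector = AckAnomalyDetector()
    return [alert for alert in map(detector.observe, trace) if alert]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

A production sensor would also account for RTS/CTS, block acknowledgements and frames the monitor card missed, which is why the rule counts unexplained ACKs over a window instead of alerting on the first one.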
Download
pyrawcovert-0.1.tar.gz (sha1)
Changelog
Version 0.1: initial release
WiFi Advanced Stealth Patches
wifi-advanced-stealth-patches are a set of basic patches for the madwifi-ng driver in order to achieve good stealth at low cost!
They can be useful in protecting your own network from wardrivers and attacks (denial-of-service, WEP cracking...), as your modified access point and client are the only ones that understand each other! :-) Some embedded access points like the Netgear WG634U have an Atheros chipset (OpenWRT + madwifi) and thus may be modified to support stealth at low cost.
These patches are only a proof-of-concept and may be improved in many ways, as the possibilities are almost infinite...
Download
wifi-advanced-stealth-patches.tar.gz (sha1)
Tools Requirements
You basically need:
- A laptop running GNU/Linux
- PCMCIA IEEE 802.11 wireless cards
- Wireless tools (iwconfig) with channel and txpower support
- A raw injection enabled wireless driver (you should check out Christophe Devine's excellent aircrack for raw injection hints)
Most of these tools were successfully tested on:
- Netgear WG511 (prism54 driver)
- Netgear WAG511 (madwifi driver)
The prism54 and madwifi drivers enable the tools to inject coherent sequence numbers and BSS timestamps.
Installation
Most of the time: make and/or make install
Author
Laurent Butti -- 0x9090 at gmail
Last modified: September 28th, 2006.