New penetration testing tool for wifi
wep0ff-ng can be used to generate traffic with WEP-based wireless clients,
who are seeking for AP to mount KoreK or other attacks.
Download:
http://download.securitylab.ru/wep0ff-ng.tar.gz
Article (Russian):
http://www.securitylab.ru/analytics/312606.php
From readme:
This tool can be used to generate traffic
with WEP-based wireless clients, who are seeking for AP.
It waits while client connects to our 'fake' access point (AP),
then intercepts either Gratuitous ARP (IPv4) or ICMPv6 Neighbor Solicitation
(IPv6) packet,
slightly modifies it and sends back.
If target machine answers our packet, we start to send it in the endless
loop.
Written by Alexander Markov <amarkov (at) ptsecurity (dot) com>
Released under a BSD Licence
This code was tested on madwifing drivers 0.9.3.3.
How to Use:
--------------------------------------------------
0. Say, we are sitting in airport in front of a man
who's notebook is seeking for his home wireless
WEP protected net named 'foo'.
1. Setup WEP protected AP with essid 'foo' and specify any key you like
2. Start this program ( ./wep0ff-ng <iface in MONITOR mode> <drivername>
<mac address of AP, you've just launched> [log_packets] )
3. Wait until client connects to our access point
4. Launch airodump-ng to collect packets
5. Launch aircrack-ng to recover WEP key
How to Compile:
gcc -o wep0ff-ng wep0ff-ng.c -lpcap -lorcon
gcc -o airfile airfile.c -lorcon
If wep0ff-ng was launched with 'log_packets' option it will save processed
packets on disk.
Received packets will be stored with the names recvd0, recvd1, recvd2 etc.
Modified packets - with the names arp0, arp1, icmp2, etc.
One can use airfile utility to mainly transmit saved packet over the air.
(there is no sense to transmit received packets. one should better try
modified ones.)
While trying to get all this stuff to work I've met a couple of troubles.
The first one concerns madwifi-ng drivers.
You can learn more about it at the tracker we've worked out
(http://madwifi.org/ticket/1699).
Our sample configuration script demonstrates this technique
(prepare_ath.sh).
The second trouble was to make our tool to work with airodump-ng.
You can learn more about it at the tracker we've created
(http://trac.aircrack-ng.org/ticket/364).
At the time of this writing we haven't received any feedback from the
aircrack team.
So to fix this problem one can use airodump.patch file we supply.
This code based on following works and POCs:
Sergey Gordeychik. wep0ff. (in russian)
http://www.ptsecurity.ru/download/client-side-wep.pdf
http://www.ptsecurity.ru/download/wepoff.tar.gz
Cafe-Latte
http://www.airtightnetworks.net/knowledgecenter/ppt/Toorcon.ppt
ieee802_11.h by Charlie Lenahan ( clenahan@fortresstech.com )
Best Regards,
Valery Marchuk
www.SecurityLab.ru
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
