KARMA Wireless Client Security Assessment Tools
Hits: 103
Date added: 11/27/2006
KARMA is a set of tools for assessing the security of wireless clients at multiple layers. Wireless sniffing tools discover clients and their preferred/trusted networks by passively listening for 802.11 Probe Request frames. From there, individual clients can be targeted by creating a Rogue AP for one of their probed networks (which they may join automatically) or by using a custom driver that responds to probes and association requests for any SSID. Higher-level fake services can then capture credentials or exploit client-side vulnerabilities on the host.
KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 Access Point that responds to any probed SSID. So if a client looks for 'linksys', it is 'linksys' to them (even while it may be 'tmobile' to someone else). Operating in this fashion has revealed vulnerabilities in how Windows XP and Mac OS X look for networks, so clients may join even if their preferred networks list is empty.
Currently, these releases are BYOX (Bring Your Own Exploits), although a number of client-side exploits have been written, tested and demonstrated within this framework. Some may be included in a future release. Automated agent deployment is also planned.

WiFi Advanced Stealth Patches
Hits: 38
Date added: 12/04/2006
A set of basic patches for the madwifi-ng driver in order to achieve good stealth at low cost!
It can be useful for protecting your own network from wardrivers and attacks (denial of service, WEP cracking...), as your modified access point and client are the only ones that understand each other! :-) Some embedded access points like the Netgear WG634U have an Atheros chipset (OpenWRT + madwifi) and thus may be modified to support stealth at low cost.
These patches are only a proof of concept and may be improved in many ways, as the possibilities are virtually endless...

Python Raw Covert v0.1
Hits: 12
Date added: 12/10/2006
An enhancement of the Raw Covert tool that was released at ShmooCon 2006. It is a covert channel over the 802.11 protocol. It uses valid control frames (ACK) to carry the communication protocol. These frames are usually considered non-malicious and thus are not analyzed by most wireless IDS.
This tool enables full-duplex communication between two pyrawcovert instances and thus makes it possible to perform interactive communications (ssh...) or file transfers (scp...) within this covert channel.

Raw Glue AP v0.1
Hits: 33
Date added: 12/15/2006
A program that catches wireless stations searching for preferred ESSIDs.
It aims at creating/injecting probe responses, authentication responses and association responses to wireless stations wanting to associate with access points.
This tool catches probe requests, sends back appropriate probe responses and then tries to catch authentication and association requests. It is a kind of Glue AP whose purpose is to catch clients that are actively scanning for any ESSID. This method could be implemented in a Wireless IPS tool.
Probe requests for any ESSID, both the Null ESSID and pre-configured ESSIDs (which are usually the preferred wireless networks in Wireless Zero Configuration), will be caught.
All of this is done in monitor mode and uses raw injection, which seems to be required if this method is to be implemented in a Wireless IDS (which usually performs detection in monitor mode).

Raw Covert v0.1
Hits: 18
Date added: 12/16/2006
A program that initiates a covert channel over IEEE 802.11 networks by means of wireless raw injection.
It aims at encoding a covert channel in valid ACK frames, in the RA address field. Using ACK frames has the advantage of being quite stealthy, as they are considered harmless and thus are generally not analyzed by Wireless IDS. This kind of encoding is quite trivial, but should be extended using encryption...
Covert channel principles can be extended to encode anything between the lines of the IEEE 802.11 protocol (but not necessarily) and to achieve reliable communication (shell, file transfer...).