Raw Fake AP v0.2
Hits: 45
Date added: 12/19/2006
A program that emulates IEEE 802.11 access points by means of wireless raw injection.
It aims at creating and injecting both beacon and probe response frames in order to emulate valid IEEE 802.11 access points.
Well-known tools like Black Alchemy's Fake AP use ifconfig/iwconfig to change wireless settings such as BSSID, ESSID, channel and txpower. Unfortunately, in master mode some IEEE 802.11 fields are controlled by the driver, such as the BSS timestamp, the sequence number and (some) tagged parameters, and thus cannot be easily forged. For example, an ESSID change (via iwconfig) resets the BSS timestamp (thanks to Joshua Wright for this hint), giving any wireless IDS the opportunity to catch a Fake AP easily.
This tool is able to fool both passive scanners (e.g. Kismet) and active scanners (e.g. XP SP2 WZC, NetStumbler), with some limitations (see below). It can be used to disturb any (newbie) wardriver with some efficiency by hiding real wireless networks (of course, this should be further enhanced by a wider tool sending data, control and management frames in order to simulate a set of wireless networks).
Network Chemistry RogueScanner
Hits: 118
Date added: 12/17/2006
RogueScanner works using collaborative classification. Classification decisions are made by a central server which learns from the previous classifications it has performed. This means that classification accuracy will improve over time.
If RogueScanner doesn't classify your devices accurately the first time you run it, don't despair. Run it again in a few days and you should see more accurate results.
RogueScanner collects information from devices on your network (which we call evidence) and uses this evidence to make classification decisions. The evidence collected includes:
* The IP address and MAC address.
* Which TCP and UDP ports are open.
* How the device responds to common network requests, such as serving a web page, telnet or SNMP.
* The DNS or NetBIOS name used by the device.
This information is sent to the classification server over an SSL-encrypted link. No identifying information is stored by the server; for example, it doesn't store the requesting IP address together with the evidence.
Raw Covert v0.1
Hits: 18
Date added: 12/16/2006
A program that initiates a covert channel over IEEE 802.11 networks by means of wireless raw injection.
It aims at encoding a covert channel in the RA address field of valid ACK frames. Using ACK frames has the advantage of being quite stealthy, as they are considered harmless and thus are generally not analyzed by wireless IDS. This kind of encoding is quite trivial, but should be extended using encryption...
Covert channel principles can be extended to encode anything between the lines of the IEEE 802.11 protocol (and not only there) and to achieve reliable communication (shell, file transfer...).
Raw Glue AP v0.1
Hits: 33
Date added: 12/15/2006
A program that catches wireless stations searching for preferred ESSIDs.
It aims at creating and injecting probe responses, authentication responses and association responses to wireless stations wanting to associate themselves with access points.
This tool catches probe requests, sends back appropriate probe responses and then tries to catch authentication and association requests. It is a kind of Glue AP whose purpose is to catch clients that are actively scanning for any ESSID. This method could be implemented in a Wireless IPS tool.
Both null-ESSID probes and pre-configured ESSIDs (which are usually the preferred wireless networks in Wireless Zero Configuration) will be caught.
All of this is done in monitor mode and uses raw injection, which appears to be required if this method is to be implemented in a Wireless IDS (which usually performs detection in monitor mode).
Python Raw Covert v0.1
Hits: 12
Date added: 12/10/2006
An enhancement of the Raw Covert tool that was released at ShmooCon 2006. It is a covert channel over the 802.11 protocol. It uses valid control frames (ACK) to carry the communication protocol. These frames are usually considered non-malicious and thus are not analyzed by most wireless IDS.
This tool enables full-duplex communication between two pyrawcovert instances and thus makes it possible to perform interactive communications (ssh...) or file transfers (scp...) within this covert channel.