Re: Wireless Pentest Question

From: Joshua Wright (jwright_at_hasborg.com)
Date: 02/07/05

    Date: Mon, 07 Feb 2005 07:06:22 -0500
    To: Arvind Sood <asood74@gmail.com>

    Arvind,

    Arvind Sood wrote:
    > The problem relates to creating traffic on a wireless network in case
    > you don't find a lot of traffic for a good capture. Is there any way
    > you can create traffic on a WEP network without knowing
    > - the IP address (address range) the Access Point and wireless clients
    > are using
    > - the WEP key being used (makes sense - that is why you are running a WEP crack)

    Besides aireplay (not sure why you are getting a SEGFAULT, it worked OK
    for me - maybe check the Aircrack documentation?), you could use
    WEPWedgie. This tool was written by Anton Rager a few years ago, and
    allows you to inject packets into the network after determining PRGA
    from the WEP challenge/response mechanism.
    http://www.sf.net/projects/wepwedgie/

    The current version relies on the Airjack drivers for operation, meaning
    you'll have to run it on a Linux 2.4 kernel system. I wrote a small
    patch to add an option to send ICMP echo requests to the broadcast
    address (since you might not know any internal addresses), which is
    available at http://home.jwu.edu/jwright/code/ww-broadcasticmp.diff.

    Unfortunately, Airjack has some timing issues which make it somewhat
    ineffective for injecting large quantities of packets, but this will get
    you started. While at Shmoocon (you guys rock!) I started re-writing
    WEPWedgie to port it to a more reliable packet injection framework (and
    code cleanup) for another project; I'll make that available when I get
    it finished.

    Good luck,

    -Josh

    -- 
    -Joshua Wright
    jwright@hasborg.com
    http://home.jwu.edu/jwright/
    pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
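The message above mentions that WEPWedgie derives the PRGA (RC4 keystream) from the WEP shared-key challenge/response. The following is an added example, not code from the message, from WEPWedgie or from any Aircrack/Airjack tool, showing in pure Python the cryptographic principle behind that: WEP seeds RC4 with IV||key, the AP sends its authentication challenge in the clear, the client returns the same bytes encrypted, and anyone who saw both now holds that IV's keystream without ever learning the key. It models only the cipher step (no 802.11 framing, ICV or radio handling) and every key, IV and challenge value is constructed here. The defender's lesson is that shared-key authentication is strictly weaker than open authentication, and that keystream recovery of this kind is one of the reasons WEP is considered broken; the example also shows that the recovered keystream is bound to its IV.

```python
"""Toy model of WEP shared-key authentication keystream leakage.

Added example; all key, IV and challenge values below are constructed
for illustration and nothing here touches a real network.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) then `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP-style per-packet key: the 24-bit IV is prepended to the shared key.
    RC4 is symmetric, so the same call also decrypts."""
    return xor(data, rc4_keystream(iv + key, len(data)))


def shared_key_auth_exchange(key: bytes, iv: bytes, challenge: bytes):
    """AP sends `challenge` in the clear; client answers with it encrypted under iv||key."""
    return iv, wep_encrypt(key, iv, challenge)


def recover_keystream(challenge: bytes, encrypted_challenge: bytes) -> bytes:
    """Passive observer: cleartext XOR ciphertext is the keystream for that IV."""
    return xor(challenge, encrypted_challenge)


def forge(iv: bytes, keystream: bytes, message: bytes):
    """Encrypt arbitrary data with a recovered keystream; length is bounded by
    how much keystream was exposed (128 bytes for the challenge)."""
    if len(message) > len(keystream):
        raise ValueError("message longer than recovered keystream")
    return iv, xor(message, keystream[: len(message)])


# Constructed 104-bit key; in the model it is known only to AP and client.
KEY = bytes.fromhex("0123456789abcdef1032547698")
IV = b"\x00\x11\x22"
CHALLENGE = bytes(range(128))          # 128-byte challenge, as in shared-key auth
PAYLOAD = b"hello, constructed payload"


def demo() -> bytes:
    """Observe the exchange, recover the keystream, forge a frame body, and
    return what the key-holding receiver decrypts it to."""
    _, resp = shared_key_auth_exchange(KEY, IV, CHALLENGE)
    ks = recover_keystream(CHALLENGE, resp)
    assert ks == rc4_keystream(IV + KEY, len(CHALLENGE))   # PRGA obtained without KEY
    forged_iv, forged_ct = forge(IV, ks, PAYLOAD)
    return wep_encrypt(KEY, forged_iv, forged_ct)


def keystream_is_iv_bound() -> bool:
    """Reusing the recovered keystream under a different IV does not decrypt
    correctly: the leak covers only the IV seen in the exchange."""
    _, resp = shared_key_auth_exchange(KEY, IV, CHALLENGE)
    ks = recover_keystream(CHALLENGE, resp)
    other_iv = b"\x33\x44\x55"
    _, ct = forge(other_iv, ks, PAYLOAD)
    return wep_encrypt(KEY, other_iv, ct) != PAYLOAD


if __name__ == "__main__":
    print(demo())                 # b'hello, constructed payload'
    print(keystream_is_iv_bound())  # True
```

The `assert` inside `demo()` is the whole point: after one observed authentication the model holds the exact RC4 output for that IV, which is why a monitoring stance should treat shared-key authentication frames on a WEP network as a finding in themselves rather than as a hardening feature.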
    

