Wireless Weapons of Mass Destruction for Windows

Beetle · 09-28-2004

HERE are my latest slides and code for the talk I gave at ToorCon (http://www.toorcon.org), which is a VERY cool security conference held annually in San Diego. From the ToorCon website and program:

"Wireless Weapons of Mass Destruction for Windows

If implementing wireless network security mechanisms doesn't kill you, managing enterprise wireless network security probably will. Whether it's deploying distributed networks of dedicated rogue AP detection devices, building automated articulating yagis, or walking all over campus with Netstumbler on a weekly basis, the costs in hardware and personal time needed to combat the rogue AP threat can become staggering! Well, things are about to get better. Ok. Maybe not. Beetle demonstrates how to do all sorts of crazy Wi-Fi things in Windows--good AND bad. How about iwconfig for XP? Nifty. Hotspot Defense Kit for Windows? No problemo. Fast and easy Windows enterprise monitoring for users that are dual-homed with wireless enabled while plugged in to your intranet? Nice! Hard-hitting worms that create global ad-hoc wireless networks that drive rogue AP watchdogs mad? Mmmm, not so nice. Or how about code that let's you sit in one place and discover every wireless network on the planet? Ouch. That's GOTTA hurt. Talk about the END of war-driving OR war-walking as we know it. Beetle has found Weapons of Mass Destruction! w00t! They're wireless! They're for Windows! And they're in San Diego--not Saddam's backyard, baby! New tips, new tools, and oh dear, new silly terminology from the Shmoo Group. 'War-lounging' anyone?"

Basically, these programs are some examples of nifty and evil wireless things you can do with Windows XP via Windows Management Instrumentation (WMI).

Brief breakdown:

wifiwmd4win32.sxi - Slides in OpenOffice format.
wifiwmd4win32.pdf - slides in PDF format.
HotspotDK - Windows binary & source thanks to Scott Tenaglia, a.k.a. "Intern", intern@geekspeed.net
iwconfig for XP - Windows binary & source. Older VBScript version, too.
SSidScan.vbs - Simple and small SSID scanner for Windows.
WiFiLocalSignal.vbs - Local current SSID, BSSID, and RSSI monitor.
WiFiRemoteSignal.vbs - Current SSID, BSSID, and RSSI of REMOTE system.
ssidscan.exe - Windows binary & source SSID scanner--has RSSI values, too.
ssidpeek.exe - Windows binary & source SSID scanner of REMOTE system.
WiFiMultiHome.vbs - Local check if connected to a WLAN while connected to a wired LAN.
WiFiMultiHomeLogon.vbs - Multi-home check suitable for logon script that post results to share.
WarLounge.vbs - Suitable friendly distributed app or worm-ready code to perform a global wardrive.

C# stuff needs .NET framework to run the binary or .NET SDK to compile from source. VBscript stuff should just run with cscript <filename> from any command prompt.

Tested with Senao cards. Limited testing / results with Orinoco, Netgear, D-Link, and Cisco cards. No testing with USB wireless adapters.

NOTE: I recommend having Wireless Zero Configuration Service enabled in XP for these scripts, as well as making sure "force guest" is disabled in XP Pro's local security policy if attempting to run the tools on a remote system that's part of a Workgroup instead of a Domain.

Enjoy.

See you at ShmooCon (http://www.shmoocon.org) 2005!

Sincerely,

Beetle

Thorn · 09-28-2004

Beetle,
I'm think of presenting a paper for the Smchoocon, but frankly I'm not sure that I'll complete the software in time. Is there some provision for such things?

renderman · 09-28-2004

Great stuff Beetle!

Damn I wish I could code.

Beetle · 09-28-2004

Quote:

Originally Posted by Thorn

Beetle,
I'm think of presenting a paper for the Smchoocon, but frankly I'm not sure that I'll complete the software in time. Is there some provision for such things?

Hey Thorn,

All we're asking for in the CFP is basically your name, your bio, and your idea. Naturally, you should have some confidence that you'll be able to complete your project by ShmooCon, but it's generally accepted practice to be working on something (rather finishing it) and planning to present on it at a con.

Although we'd like to have folks who are more certain they can pull off their talk, we'll be accepting enough submissions as hot alternates, who get free admission, to account for folks who might have difficulties. Submit and do your honest best to have something kickass by the con. We'll do the rest.

Sincerely,

Beetle

TheWatcher · 12-19-2004

Hi Beetle,
Looking forward to see you at shmoocon.

Regards,
TheWatcher

kabassanov · 02-18-2005

Hi,

I've tried to use these files with Windows XP SP2 and it does not work...

Is it normal?

Thanks.

Dutch · 02-18-2005

Quote:

Originally Posted by kabassanov

Hi,

I've tried to use these files with Windows XP SP2 and it does not work...

Is it normal?

Thanks.

Yes, when you don't know what you are doing.. A guess : You didn't install the .net framework from windowsupdate ??

Dutch

kabassanov · 02-18-2005

I've installed all windows updates that are available

... Is it possible that internal wireless structures were modified in SP2?

The Others · 02-18-2005

Quote:

Originally Posted by kabassanov

I've installed all windows updates that are available

... Is it possible that internal wireless structures were modified in SP2?

But did you install .net?

http://download.microsoft.com/downlo...6/dotnetfx.exe

(23 megs)

wrzwaldo · 02-18-2005

Quote:

Originally Posted by kabassanov

I've installed all windows updates that are available

... Is it possible that internal wireless structures were modified in SP2?

Yet another case of HIAD!

kabassanov · 02-18-2005

Yes .NET is installed.

RedSector · 02-18-2005

You are running these programs from the command prompt right (with the exception of HotspotDK)? Is there any error messages, etc?

kabassanov · 02-19-2005

cscript iwconfig.vbs wlan0 gives:

iwconfig.vbs(122, 1) (null): 0x8004100C

iwconfig.exe wlan0 gives:

[thread 0xe64] Unhandled exception generated: (0x00ab8c1c) <System.Management.Ma
nagementException>
errorObject=(0x00ab8bac) <System.Management.ManagementBaseObject>
errorCode=<System.Management.ManagementStatus>
_className=<null>
_exceptionMethod=<null>
_exceptionMethodString=<null>
_message=(0x00ab8be4) "Non pris en charge "
_innerException=<null>
_helpURL=<null>
_stackTrace=(0x00ab8c64) array with dims=[36]
_stackTraceString=<null>
_remoteStackTraceString=<null>
_remoteStackIndex=0x00000000
_HResult=0x80131501
_source=<null>
_xptrs=0x00000000
_xcode=0xe0434f4d

[00a8] int 3

03-23-2005

It can be nice to make a forum for wireless developers and I web site with source for Windows and linux. And try to make program multiplatform.

wrzwaldo · 03-23-2005

Quote:

Originally Posted by Flopik

It can be nice to make a forum for wireless developers and I web site with source for Windows and linux. And try to make program multiplatform.

You mean like http://sourceforge.net/ ??

09-28-2004	#1 (permalink)
Beetle Registered Member Join Date: Jun 2002 Location: D.C. Posts: 9	Wireless Weapons of Mass Destruction for Windows HERE are my latest slides and code for the talk I gave at ToorCon (http://www.toorcon.org), which is a VERY cool security conference held annually in San Diego. From the ToorCon website and program: "Wireless Weapons of Mass Destruction for Windows If implementing wireless network security mechanisms doesn't kill you, managing enterprise wireless network security probably will. Whether it's deploying distributed networks of dedicated rogue AP detection devices, building automated articulating yagis, or walking all over campus with Netstumbler on a weekly basis, the costs in hardware and personal time needed to combat the rogue AP threat can become staggering! Well, things are about to get better. Ok. Maybe not. Beetle demonstrates how to do all sorts of crazy Wi-Fi things in Windows--good AND bad. How about iwconfig for XP? Nifty. Hotspot Defense Kit for Windows? No problemo. Fast and easy Windows enterprise monitoring for users that are dual-homed with wireless enabled while plugged in to your intranet? Nice! Hard-hitting worms that create global ad-hoc wireless networks that drive rogue AP watchdogs mad? Mmmm, not so nice. Or how about code that let's you sit in one place and discover every wireless network on the planet? Ouch. That's GOTTA hurt. Talk about the END of war-driving OR war-walking as we know it. Beetle has found Weapons of Mass Destruction! w00t! They're wireless! They're for Windows! And they're in San Diego--not Saddam's backyard, baby! New tips, new tools, and oh dear, new silly terminology from the Shmoo Group. 'War-lounging' anyone?" Basically, these programs are some examples of nifty and evil wireless things you can do with Windows XP via Windows Management Instrumentation (WMI). Brief breakdown: wifiwmd4win32.sxi - Slides in OpenOffice format. wifiwmd4win32.pdf - slides in PDF format. HotspotDK - Windows binary & source thanks to Scott Tenaglia, a.k.a. "Intern", intern@geekspeed.net iwconfig for XP - Windows binary & source. Older VBScript version, too. SSidScan.vbs - Simple and small SSID scanner for Windows. WiFiLocalSignal.vbs - Local current SSID, BSSID, and RSSI monitor. WiFiRemoteSignal.vbs - Current SSID, BSSID, and RSSI of REMOTE system. ssidscan.exe - Windows binary & source SSID scanner--has RSSI values, too. ssidpeek.exe - Windows binary & source SSID scanner of REMOTE system. WiFiMultiHome.vbs - Local check if connected to a WLAN while connected to a wired LAN. WiFiMultiHomeLogon.vbs - Multi-home check suitable for logon script that post results to share. WarLounge.vbs - Suitable friendly distributed app or worm-ready code to perform a global wardrive. C# stuff needs .NET framework to run the binary or .NET SDK to compile from source. VBscript stuff should just run with cscript <filename> from any command prompt. Tested with Senao cards. Limited testing / results with Orinoco, Netgear, D-Link, and Cisco cards. No testing with USB wireless adapters. NOTE: I recommend having Wireless Zero Configuration Service enabled in XP for these scripts, as well as making sure "force guest" is disabled in XP Pro's local security policy if attempting to run the tools on a remote system that's part of a Workgroup instead of a Domain. Enjoy. See you at ShmooCon (http://www.shmoocon.org) 2005! Sincerely, Beetle

09-28-2004	#2 (permalink)
Thorn Did you do the math? Join Date: Apr 2002 Location: Villa Straylight Posts: 9,980	Schmoocon CFP Beetle, I'm think of presenting a paper for the Smchoocon, but frankly I'm not sure that I'll complete the software in time. Is there some provision for such things? __________________ Thorn "You guys'll be chalk outlines without me."

09-28-2004	#3 (permalink)
renderman Drunken Stumbler Join Date: Jun 2002 Location: Anywhere but Utah Posts: 1,792	Great stuff Beetle! Damn I wish I could code. __________________ Never drink anything larger than your head! Scaramental Wine Taster for the Church Of WiFi Buy our book: RFID Security "I reject your reality, and substitute my own!" – Adam Savage CoWF WPA Hash Tables

12-19-2004	#5 (permalink)
TheWatcher Yep ... Join Date: Jun 2002 Location: Wardriving.INFO Posts: 344	Hi Beetle, Looking forward to see you at shmoocon. Regards, TheWatcher __________________ Wardriving.INFO - "wireless web portal" Wireless Sniffers - we got them, let me know if I missed your tools.

02-18-2005	#12 (permalink)
RedSector CoWF Priest Join Date: Nov 2004 Location: Illinois Posts: 673	You are running these programs from the command prompt right (with the exception of HotspotDK)? Is there any error messages, etc? __________________ Get thine ass into the Church The Church of Wifi Last edited by RedSector : 02-18-2005 at 10:32 AM.

02-18-2005	#6 (permalink)
kabassanov Registered Member Join Date: Feb 2005 Location: Paris, France Posts: 4	Hi, I've tried to use these files with Windows XP SP2 and it does not work... Is it normal? Thanks.

02-18-2005	#8 (permalink)
kabassanov Registered Member Join Date: Feb 2005 Location: Paris, France Posts: 4	I've installed all windows updates that are available ... Is it possible that internal wireless structures were modified in SP2?

02-18-2005	#11 (permalink)
kabassanov Registered Member Join Date: Feb 2005 Location: Paris, France Posts: 4	Yes .NET is installed.

02-19-2005	#13 (permalink)
kabassanov Registered Member Join Date: Feb 2005 Location: Paris, France Posts: 4	cscript iwconfig.vbs wlan0 gives: iwconfig.vbs(122, 1) (null): 0x8004100C iwconfig.exe wlan0 gives: [thread 0xe64] Unhandled exception generated: (0x00ab8c1c) <System.Management.Ma nagementException> errorObject=(0x00ab8bac) <System.Management.ManagementBaseObject> errorCode=<System.Management.ManagementStatus> _className=<null> _exceptionMethod=<null> _exceptionMethodString=<null> _message=(0x00ab8be4) "Non pris en charge " _innerException=<null> _helpURL=<null> _stackTrace=(0x00ab8c64) array with dims=[36] _stackTraceString=<null> _remoteStackTraceString=<null> _remoteStackIndex=0x00000000 _HResult=0x80131501 _source=<null> _xptrs=0x00000000 _xcode=0xe0434f4d [00a8] int 3

03-23-2005	#14 (permalink)
Flopik Posts: n/a	Wireless Programming It can be nice to make a forum for wireless developers and I web site with source for Windows and linux. And try to make program multiplatform.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode