airjack - Page 3

fade · 09-04-2002

Hey abaddon, great work on AirJack! I had a few questions though:

Just out of curiousity, what's the difference between your custom driver and the host ap driver? Can you do essentially the same things with both, or does yours have capabilities that it doesn't?

Also, I notice that in essid_jack and wlan_jack you use the deauth (0x0C) command. Is there an advantage or difference to using that instead of disassociate (0x0A)?

Thanks!

abaddon · 09-04-2002

first off airjack does a number of things that host ap doesnt, it will let you switch to modes that host ap will not, its more stable than host ap, it will allow you to send data frames both from and to ds without a driver change out, it will allow you to send frames from within monitor mode (though not very well) it will allow you to switch to such modes as mode 5 which wont send out beacons but will still give you the ability to send frames while having the firmware handle frame ack's and the like...the other major difference is that when i first started writing drivers like airjack there was no such thing as the host ap so i had to go it alone, so i just stay'ed that path rather than making host ap do something it really wasnt ment to...

to address your second question, for somethings the disassociate will work the same, for others it will not, one thing it doesnt do if you send out disassociate frames is it will not attack adhoc networks as they do not associate (they only authenticate), another difference is that sometimes one some hardware if you simply disassociate them they wont send out proberequest anymore and that is one of the ways i get the ESSID in essid_jack...the final reason why i chose the deauth rather than the disassociate (although i believe i left it in as an option to choose which you wanted) was because if i deauth you, you are forced to re-authenticate and reassociate, this causes you to have to go through twice the number of steps to get back on, and when we're trying to take down an entire network that goes along way...

--Abaddon

http://802.11ninja.net

Quote:

Originally posted by fade
Hey abaddon, great work on AirJack! I had a few questions though:

Just out of curiousity, what's the difference between your custom driver and the host ap driver? Can you do essentially the same things with both, or does yours have capabilities that it doesn't?

Also, I notice that in essid_jack and wlan_jack you use the deauth (0x0C) command. Is there an advantage or difference to using that instead of disassociate (0x0A)?

Thanks!

unclex · 09-04-2002

abaddon - going to have to test this one out - thanks for all the work m8

JoeTampa · 09-14-2002

Very nice job... There are a few features that it doesn't have, so I did some sloppy coding (i.e. I don't know C well enough to do this in the program itself, so I did it mostly as shell scripts..) and got it to work, half-assed:

1. Wrote some quick shell scripts to grab bssid info from Kismet generated CSV files. You can either dump a list of them in wlan-jack compatible command lines (for copy/paste) or specify an SSID, which will generate a shell script that will:

2. Take down a multi-AP system. If you wlan_jack a given AP on a given channel, and the client re-associates to another AP on another channel with that same SSID, you haven't accomplished very much. Running multiple copies of wlan_jack caused me to freeze up reasonably quick. So, instead, I modified the wlan_jack binary to simply send 10 deauth frames at once and exit. The shell script generated above (in #1) then does the same thing to the next AP in the list, etc, etc, etc. I was able to keep two systems (iPAQ and WinXP) completely down as they went from AP to AP in a 3-AP system with this method. At best, they got a few pings through here and there. I'd love to do this in the program itself, but alas, I'm not a C programmer by any stretch, nor do I play one on TV.

Just as a bonus, I wrote some quick shell scripts that change from airjack_cs to prism2_cs and back again, a basic sed replace on wlan-ng.conf. Since I use only one card in a dedicated linux laptop, this approach works well.

If anyone wants these, let me know.

abaddon · 09-14-2002

check out the drunken defcon release, the hunter_killer program will do this for you already...it works best if you have a real AP to ack as a sink so they can only stay associated to that one...

--Abaddon
http://802.11ninja.net

Quote:

Originally posted by JoeTampa

1. Wrote some quick shell scripts to grab bssid info from Kismet generated CSV files. You can either dump a list of them in wlan-jack compatible command lines (for copy/paste) or specify an SSID, which will generate a shell script that will:

2. Take down a multi-AP system. If you wlan_jack a given AP on a given channel, and the client re-associates to another AP on another channel with that same SSID, you haven't accomplished very much. Running multiple copies of wlan_jack caused me to freeze up reasonably quick. So, instead, I modified the wlan_jack binary to simply send 10 deauth frames at once and exit. The shell script generated above (in #1) then does the same thing to the next AP in the list, etc, etc, etc. I was able to keep two systems (iPAQ and WinXP) completely down as they went from AP to AP in a 3-AP system with this method. At best, they got a few pings through here and there. I'd love to do this in the program itself, but alas, I'm not a C programmer by any stretch, nor do I play one on TV.

JoeTampa · 09-14-2002

I did, actually, but it appeared to try to kill every connection on every AP on every channel. Great for mass chaos! I did, however, want the ability to target one specific SSID. (I.E., I didn't want to turf important stuff going on in the office on different SSIDs...)

How would you exempt the one AP that you've set up? Didn't see any help for hunter_killer, perhaps it's time to try to figger out the source. <<nods>>

abaddon · 09-14-2002

you should just be able to give it a command line option (though i dont for the life of me remember what it was, i was drunk when i wrote that)...

but yeah, it was mostly for mass chaos

..

--Abaddon

Quote:

Originally posted by JoeTampa

How would you exempt the one AP that you've set up? Didn't see any help for hunter_killer, perhaps it's time to try to figger out the source. <<nods>>

JoeTampa · 09-15-2002

Looks like -b. I'll give it a try on Monday.

<<all proud with himself for searching for argv>>

Damn, I've really gotta sit down one day and seriously learn C.

Again, nice job, been looking for something like this for professional reasons for a while.

- Joe

abaddon · 09-15-2002

heh, well when you finally do learn C you'll probably see that most of that code is crap, but it does what i needed it to do at the time, which was demonstrate the vulnerabilities at blackhat...

--Abaddon

Quote:

Originally posted by JoeTampa

<<all proud with himself for searching for argv>>
Damn, I've really gotta sit down one day and seriously learn C.
- Joe

BLKMGK · 09-17-2002

If I recall correctly, wasn't there supposed to be a few other tools released too or was it just this one? I seem to recall it being called "MonkeyJack" but my memory is a bit dim. Spoke at both BlackHat and DEFCON about it, right? I can't quite recall what the other tools were supposed to be but they sounded VERY interesting! Any other interesting tools or ideas to share?

abaddon · 09-17-2002

we just spoke at blackhat, but we did give a few, um, informal demonstrations at defcon...

airjack is actually a tool kit, it includes wlan-jack (the dos attack that has unfortunatly gotten most of the attention), essid-jack which forces networks with so called masked essid's to unmask them and send them in the clear, monkey-jack, which was a tool to get in the middle of an 802.11 session (between the AP and the client, full layer one insertion), and kracker-jack, a tool that used monkey-jack to get in the middle of a weakly authenticated IPSEC VPN tunnel (in this case wavesec) and break it open like they were my bitch...

--Abaddon
http://802.11ninja.net

Quote:

Originally posted by BLKMGK
If I recall correctly, wasn't there supposed to be a few other tools released too or was it just this one? I seem to recall it being called "MonkeyJack" but my memory is a bit dim. Spoke at both BlackHat and DEFCON about it, right? I can't quite recall what the other tools were supposed to be but they sounded VERY interesting! Any other interesting tools or ideas to share?

BLKMGK · 09-17-2002

Terific, thanks!

unclex · 09-25-2002

compiles ok but comes up with error messages - will have to keep on trying...

abaddon · 09-25-2002

id like to help, but you need to tell me what the error messages say...

--Abaddon

Quote:

Originally posted by unclex
compiles ok but comes up with error messages - will have to keep on trying...

novocane · 09-26-2002

I am having some issues getting airjack to work.

It compiled fine on a Gentoo Linux based system,
gcc 2.95.3
pcmcia-cs-3.2.1
airjack-v0.6.2-alpha-defcon (also tried non defcon rls)
SMC2632W Prism2 card (also tried Linksys, Senao, and Lucent cards).

The card appears to initialize ok:
$ lsmod
Module Size Used by Not Tainted
airjack_cs 16800 0 (unused)
ds 6752 2 [airjack_cs]
i82365 23376 2
pcmcia_core 43936 0 [airjack_cs ds i82365]

$ ifconfig aj0
aj0 Link encap: AMPR NET/ROM HWaddr
BROADCAST MULTICAST MTU:1600 Metric:1
RX packets:178 errors:13 dropped:0 overruns:0 frame:13
TX packets:0 errors:5 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11392 (11.1 Kb) TX bytes:0 (0.0 b)
Interrupt:9 Base address:0x140

(notice no HWaddr found)
$ ./setmac aj0 aa:bb:cc:dd:ee:ff
ioctl: SIOCSIFHWADDR: Operation not supported

$ dmesg
airjack_cs: Initialization complete.
cs: IO port probe 0x0100-0x04ff: excluding 0x3c0-0x3e7 0x4d0-0x4d7
cs: IO port probe 0x03e8-0x04cf: clean
cs: IO port probe 0x04d8-0x04ff: clean
cs: IO port probe 0x0800-0x08ff: clean
cs: IO port probe 0x0a00-0x0aff: clean
cs: IO port probe 0x0a70-0x0aff: clean
cs: IO port probe 0x0c00-0x0cff: clean
cs: memory probe 0xa0000000-0xa0ffffff: clean.
aj0: index 0x01: Vcc 5.0, Vpp 5.0, irq 9, io 0x0140-0x17f

I also tried on a Redhat 7.3 /w pcmcia-cs-3.1.31 (as suggested in howto). Exactly the same errors.

Any ideas?
What cards have been tested and known working?

09-04-2002	#33 (permalink)
unclex ER - working on Oil Drums Join Date: Apr 2002 Location: MARS Posts: 127	abaddon - going to have to test this one out - thanks for all the work m8 __________________ Have Fun. http://www.ackers.org.uk http://forums.netstumbler.com/showthread.php?s=&postid=14030#post14030

09-17-2002	#40 (permalink)
BLKMGK Registered Member Join Date: Apr 2002 Posts: 24	MonkeyJack? If I recall correctly, wasn't there supposed to be a few other tools released too or was it just this one? I seem to recall it being called "MonkeyJack" but my memory is a bit dim. Spoke at both BlackHat and DEFCON about it, right? I can't quite recall what the other tools were supposed to be but they sounded VERY interesting! Any other interesting tools or ideas to share?

09-25-2002	#43 (permalink)
unclex ER - working on Oil Drums Join Date: Apr 2002 Location: MARS Posts: 127	compiles ok but comes up with error messages - will have to keep on trying... __________________ Have Fun. http://www.ackers.org.uk http://forums.netstumbler.com/showthread.php?s=&postid=14030#post14030

09-26-2002	#45 (permalink)
novocane Registered Member Join Date: Sep 2002 Posts: 6	MAC address errors: SIOCSIFHWADDR I am having some issues getting airjack to work. It compiled fine on a Gentoo Linux based system, gcc 2.95.3 pcmcia-cs-3.2.1 airjack-v0.6.2-alpha-defcon (also tried non defcon rls) SMC2632W Prism2 card (also tried Linksys, Senao, and Lucent cards). The card appears to initialize ok: $ lsmod Module Size Used by Not Tainted airjack_cs 16800 0 (unused) ds 6752 2 [airjack_cs] i82365 23376 2 pcmcia_core 43936 0 [airjack_cs ds i82365] $ ifconfig aj0 aj0 Link encap: AMPR NET/ROM HWaddr BROADCAST MULTICAST MTU:1600 Metric:1 RX packets:178 errors:13 dropped:0 overruns:0 frame:13 TX packets:0 errors:5 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:11392 (11.1 Kb) TX bytes:0 (0.0 b) Interrupt:9 Base address:0x140 (notice no HWaddr found) $ ./setmac aj0 aa:bb:cc:dd:ee:ff ioctl: SIOCSIFHWADDR: Operation not supported $ dmesg airjack_cs: Initialization complete. cs: IO port probe 0x0100-0x04ff: excluding 0x3c0-0x3e7 0x4d0-0x4d7 cs: IO port probe 0x03e8-0x04cf: clean cs: IO port probe 0x04d8-0x04ff: clean cs: IO port probe 0x0800-0x08ff: clean cs: IO port probe 0x0a00-0x0aff: clean cs: IO port probe 0x0a70-0x0aff: clean cs: IO port probe 0x0c00-0x0cff: clean cs: memory probe 0xa0000000-0xa0ffffff: clean. aj0: index 0x01: Vcc 5.0, Vpp 5.0, irq 9, io 0x0140-0x17f I also tried on a Redhat 7.3 /w pcmcia-cs-3.1.31 (as suggested in howto). Exactly the same errors. Any ideas? What cards have been tested and known working?

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

09-04-2002	#31 (permalink)
fade Registered Member Join Date: Aug 2002 Posts: 1	Hey abaddon, great work on AirJack! I had a few questions though: Just out of curiousity, what's the difference between your custom driver and the host ap driver? Can you do essentially the same things with both, or does yours have capabilities that it doesn't? Also, I notice that in essid_jack and wlan_jack you use the deauth (0x0C) command. Is there an advantage or difference to using that instead of disassociate (0x0A)? Thanks!

09-14-2002	#34 (permalink)
JoeTampa Registered Member Join Date: Apr 2002 Posts: 51	Very nice job... There are a few features that it doesn't have, so I did some sloppy coding (i.e. I don't know C well enough to do this in the program itself, so I did it mostly as shell scripts..) and got it to work, half-assed: 1. Wrote some quick shell scripts to grab bssid info from Kismet generated CSV files. You can either dump a list of them in wlan-jack compatible command lines (for copy/paste) or specify an SSID, which will generate a shell script that will: 2. Take down a multi-AP system. If you wlan_jack a given AP on a given channel, and the client re-associates to another AP on another channel with that same SSID, you haven't accomplished very much. Running multiple copies of wlan_jack caused me to freeze up reasonably quick. So, instead, I modified the wlan_jack binary to simply send 10 deauth frames at once and exit. The shell script generated above (in #1) then does the same thing to the next AP in the list, etc, etc, etc. I was able to keep two systems (iPAQ and WinXP) completely down as they went from AP to AP in a 3-AP system with this method. At best, they got a few pings through here and there. I'd love to do this in the program itself, but alas, I'm not a C programmer by any stretch, nor do I play one on TV. Just as a bonus, I wrote some quick shell scripts that change from airjack_cs to prism2_cs and back again, a basic sed replace on wlan-ng.conf. Since I use only one card in a dedicated linux laptop, this approach works well. If anyone wants these, let me know.

09-14-2002	#36 (permalink)
JoeTampa Registered Member Join Date: Apr 2002 Posts: 51	I did, actually, but it appeared to try to kill every connection on every AP on every channel. Great for mass chaos! I did, however, want the ability to target one specific SSID. (I.E., I didn't want to turf important stuff going on in the office on different SSIDs...) How would you exempt the one AP that you've set up? Didn't see any help for hunter_killer, perhaps it's time to try to figger out the source. <<nods>>

09-15-2002	#38 (permalink)
JoeTampa Registered Member Join Date: Apr 2002 Posts: 51	Looks like -b. I'll give it a try on Monday. <<all proud with himself for searching for argv>> Damn, I've really gotta sit down one day and seriously learn C. Again, nice job, been looking for something like this for professional reasons for a while. - Joe

09-17-2002	#42 (permalink)
BLKMGK Registered Member Join Date: Apr 2002 Posts: 24	Terific, thanks!