Penetration Testing mailing list archives

Re: 802.11B and libpcap


From: David Hulton <dhulton () nightfallsecurity com>
Date: Mon, 17 Sep 2001 15:33:33 -0700

On Thursday 13 September 2001 13:24, you wrote:
> I want to capture the 802.11B link layer data with ethereal.
> I've read that you need to patch your libpcap for use with 802.11B
> networks.

You can capture link layer data to a certain extent with Lucent cards by 
simply not converting the header received by the kernel from the card to a 
standard ethernet header. If you look in the sources for linux/*bsd, all they 
do is remove the header received from the card and use it to fill in an 
ethernet header so the kernel doesn't freak out. By removing this filter from 
your kernel you can receive a header similar to:

#include <sys/types.h>   /* u_int8_t / u_int16_t on the BSDs */

/*
 * Hermes transmit/receive frame structure
 */
struct wi_frame {
        u_int16_t               wi_status;      /* 0x00 */
        u_int16_t               wi_rsvd0;       /* 0x02 */
        u_int16_t               wi_rsvd1;       /* 0x04 */
        u_int16_t               wi_q_info;      /* 0x06 */
        u_int16_t               wi_rsvd2;       /* 0x08 */
        u_int16_t               wi_rsvd3;       /* 0x0A */
        u_int16_t               wi_tx_ctl;      /* 0x0C */
        u_int16_t               wi_frame_ctl;   /* 0x0E */
        u_int16_t               wi_id;          /* 0x10 */
        u_int8_t                wi_addr1[6];    /* 0x12 */
        u_int8_t                wi_addr2[6];    /* 0x18 */
        u_int8_t                wi_addr3[6];    /* 0x1E */
        u_int16_t               wi_seq_ctl;     /* 0x24 */
        u_int8_t                wi_addr4[6];    /* 0x26 */
        u_int16_t               wi_dat_len;     /* 0x2C */
        u_int8_t                wi_dst_addr[6]; /* 0x2E */
        u_int8_t                wi_src_addr[6]; /* 0x34 */
        u_int16_t               wi_len;         /* 0x3A */
        u_int16_t               wi_dat[3];      /* 0x3C */ /* SNAP header */
        u_int16_t               wi_type;        /* 0x42 */
};

I have developed patches that allow you to receive packets with these frames 
still intact using libpcap/bpf for OpenBSD, NetBSD, and FreeBSD. (I will be 
releasing these patches, along with a BSD version of airsnort and a curses-based 
wardriving application, in the next couple of days.) Furthermore, you 
don't necessarily have to have your card in monitor mode (or however it's 
referred to in the wlan-ng drivers) in order to crack WEP. By simply putting 
your Prism2 card into ad-hoc mode on the right channel you can sniff WEP 
packets going across the air on that channel. Using that along with the 
wi_addr4 WEP IV in the frame you receive off of the card, you can look for 
weak keys and crack them.

> However on the tcpdump site I could not find any pointers to this
> subject.
> 
> Could anybody help me out here?
> 
> Also, what is so special in the PRISMII cards that airsnort only works
> with them, and can you recommend any card in particular?

Prism2 cards will spit out WEP packets being sent over the wire while in 
ad-hoc mode. Orinoco cards will not. The reason why airsnort only works with 
Prism2 cards is because of that. No WEP packets, no crackage.

Cheers,
-David
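The following is an added example to illustrate the point about the wi_addr4 bytes; it is not code from the original post, nor from David Hulton's libpcap/bpf patches or AirSnort. It assumes the receive buffer is handed up exactly as the struct wi_frame above lays it out (no ethernet conversion), so that the raw 802.11 MAC header starts at wi_frame_ctl (offset 0x0E) and, for a normal 3-address data frame, the frame body and therefore the 4-byte WEP IV/key-index field fall at offset 0x26, where wi_addr4 sits. The weak-IV test is the Fluhrer-Mantin-Shamir class of IVs of the form (A+3, 0xFF, X), which leak secret key byte A; that is the class AirSnort collects. The MAC addresses and sample IVs below are constructed for the example, and the parser deliberately refuses 4-address (WDS) frames, where wi_addr4 holds a real address rather than the IV.

```c
/* wep_iv_sniff.c -- added example (not from the original post or its patches).
 * Parses a Hermes-style receive buffer laid out like struct wi_frame, pulls the
 * 24-bit WEP IV out of the bytes at wi_addr4 for a WEP-protected 3-address data
 * frame, and applies the FMS weak-IV test (A+3, 0xFF, X) => key byte A. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WI_HDR_LEN        0x44  /* sizeof(struct wi_frame) from the post */
#define WI_OFF_FRAME_CTL  0x0E  /* wi_frame_ctl: start of the raw 802.11 MAC header */
#define WI_OFF_ADDR1      0x12
#define WI_OFF_ADDR2      0x18
#define WI_OFF_ADDR3      0x1E
#define WI_OFF_ADDR4      0x26  /* body of a 3-address frame: the WEP IV lives here */

#define FC0_TYPE_MASK     0x0C
#define FC0_TYPE_DATA     0x08
#define FC1_TODS          0x01
#define FC1_FROMDS        0x02
#define FC1_WEP           0x40  /* "protected frame" bit in the second FC byte */

struct wep_info {
    uint8_t addr1[6], addr2[6], addr3[6];
    uint8_t iv[3];
    uint8_t keyidx;       /* 0..3, top two bits of the byte following the IV */
    int weak_key_byte;    /* FMS: key byte this IV leaks, or -1 if not weak */
};

/* FMS weak IV: (A+3, 0xFF, X) leaks secret key byte A when A < keylen. */
int fms_weak_key_byte(const uint8_t iv[3], int keylen)
{
    if (iv[1] != 0xFF) return -1;
    int a = (int)iv[0] - 3;
    return (a >= 0 && a < keylen) ? a : -1;
}

/* Returns 1 and fills *out for a WEP data frame, 0 for anything else,
 * -1 if the buffer is too short to hold the Hermes header. */
int parse_wi_wep_frame(const uint8_t *buf, size_t len, int keylen, struct wep_info *out)
{
    if (len < WI_HDR_LEN) return -1;
    uint8_t fc0 = buf[WI_OFF_FRAME_CTL];       /* 802.11 frame control is little-endian */
    uint8_t fc1 = buf[WI_OFF_FRAME_CTL + 1];
    if ((fc0 & FC0_TYPE_MASK) != FC0_TYPE_DATA) return 0;
    if (!(fc1 & FC1_WEP)) return 0;
    /* 4-address (WDS) frames carry a real MAC in wi_addr4; the IV is 6 bytes later. Skip them. */
    if ((fc1 & (FC1_TODS | FC1_FROMDS)) == (FC1_TODS | FC1_FROMDS)) return 0;
    memcpy(out->addr1, buf + WI_OFF_ADDR1, 6);
    memcpy(out->addr2, buf + WI_OFF_ADDR2, 6);
    memcpy(out->addr3, buf + WI_OFF_ADDR3, 6);
    memcpy(out->iv, buf + WI_OFF_ADDR4, 3);
    out->keyidx = buf[WI_OFF_ADDR4 + 3] >> 6;
    out->weak_key_byte = fms_weak_key_byte(out->iv, keylen);
    return 1;
}

/* Constructed sample: a Hermes receive buffer holding a 3-address data frame.
 * Only the fields the parser reads are filled in; everything else stays zero. */
size_t build_sample_frame(uint8_t *buf, size_t cap, uint8_t fc1, const uint8_t iv[3], uint8_t keyidx)
{
    if (cap < WI_HDR_LEN) return 0;
    memset(buf, 0, cap);
    buf[WI_OFF_FRAME_CTL]     = FC0_TYPE_DATA;
    buf[WI_OFF_FRAME_CTL + 1] = fc1;
    memcpy(buf + WI_OFF_ADDR1, "\x00\x02\x2d\x01\x02\x03", 6);   /* made-up BSSID */
    memcpy(buf + WI_OFF_ADDR2, "\x00\x02\x2d\x0a\x0b\x0c", 6);   /* made-up station */
    memcpy(buf + WI_OFF_ADDR3, "\x00\x02\x2d\x01\x02\x03", 6);
    memcpy(buf + WI_OFF_ADDR4, iv, 3);                            /* IV */
    buf[WI_OFF_ADDR4 + 3] = (uint8_t)(keyidx << 6);               /* key index */
    return WI_HDR_LEN;
}

/* Build-and-parse helper: FMS result (>= -1), -2 if not a WEP data frame, -3 on short buffer. */
int demo_weak_byte(uint8_t b0, uint8_t b1, uint8_t b2, uint8_t fc1, int keylen)
{
    uint8_t buf[WI_HDR_LEN], iv[3] = { b0, b1, b2 };
    struct wep_info wi;
    size_t n = build_sample_frame(buf, sizeof buf, fc1, iv, 0);
    int r = parse_wi_wep_frame(buf, n, keylen, &wi);
    if (r < 0) return -3;
    if (r == 0) return -2;
    return wi.weak_key_byte;
}

int main(void)
{
    const uint8_t ivs[][3] = { {0x03,0xFF,0x5A}, {0x07,0xFF,0x10}, {0x10,0xFF,0x00}, {0x03,0x7F,0x5A} };
    for (size_t i = 0; i < sizeof ivs / sizeof ivs[0]; i++) {
        int a = demo_weak_byte(ivs[i][0], ivs[i][1], ivs[i][2], FC1_TODS | FC1_WEP, 5);
        printf("IV %02x:%02x:%02x -> ", ivs[i][0], ivs[i][1], ivs[i][2]);
        if (a >= 0) printf("weak, leaks key byte %d\n", a); else printf("not weak\n");
    }
    return 0;
}
```

The keylen argument is the secret part of the key in bytes (5 for 40-bit WEP, 13 for 104-bit); an IV whose first byte maps past the end of the key is not useful to the attack even though its middle byte is 0xFF, which is why the third sample IV is rejected for a 104-bit key.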

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/