Penetration Testing mailing list archives
Re: 802.11B and libpcap
From: David Hulton <dhulton () nightfallsecurity com>
Date: Mon, 17 Sep 2001 15:33:33 -0700
On Thursday 13 September 2001 13:24, you wrote:
> I want to capture the 802.11B link layer data with ethereal. I've read that you need to patch your libpcap for use with 802.11B networks.
You can capture link layer data to a certain extent with lucent cards by simply not converting the header received by the kernel from the card to a standard ethernet header. If you look in the sources for linux/*bsd all they do is remove the header received from the card and use it to fill in an ethernet header so the kernel doesn't freak out. By removing this filter from your kernel you can receive a header similar to:

/*
 * Hermes transmit/receive frame structure
 */
struct wi_frame {
	u_int16_t		wi_status;	/* 0x00 */
	u_int16_t		wi_rsvd0;	/* 0x02 */
	u_int16_t		wi_rsvd1;	/* 0x04 */
	u_int16_t		wi_q_info;	/* 0x06 */
	u_int16_t		wi_rsvd2;	/* 0x08 */
	u_int16_t		wi_rsvd3;	/* 0x0A */
	u_int16_t		wi_tx_ctl;	/* 0x0C */
	u_int16_t		wi_frame_ctl;	/* 0x0E */
	u_int16_t		wi_id;		/* 0x10 */
	u_int8_t		wi_addr1[6];	/* 0x12 */
	u_int8_t		wi_addr2[6];	/* 0x18 */
	u_int8_t		wi_addr3[6];	/* 0x1E */
	u_int16_t		wi_seq_ctl;	/* 0x24 */
	u_int8_t		wi_addr4[6];	/* 0x26 */
	u_int16_t		wi_dat_len;	/* 0x2C */
	u_int8_t		wi_dst_addr[6];	/* 0x2E */
	u_int8_t		wi_src_addr[6];	/* 0x34 */
	u_int16_t		wi_len;		/* 0x3A */
	u_int16_t		wi_dat[3];	/* 0x3C */ /* SNAP header */
	u_int16_t		wi_type;	/* 0x42 */
};

I have developed patches that allow you to receive packets with these frames still intact using libpcap/bpf for OpenBSD, NetBSD, and FreeBSD. (These patches, along with a bsd version of airsnort and a curses based wardriving application, I will be releasing in the next couple of days.) Furthermore, you don't necessarily have to have your card in monitor mode (or however it's referred to in the wlan-ng drivers) in order to crack wep. By simply putting your prism2 card into ad-hoc mode at the right channel you can sniff wep packets going across the air on that channel. Using that along with the wi_addr4 wep IV in the frame you receive off of the card, you can look for weak keys and crack them.
> However, on the tcpdump site I could not find any pointers to this subject. Could anybody help me out here? Also, what is so special in the PRISMII cards that airsnort only works with them, and can you recommend any card in particular?
Prism2 cards will spit out wep packets being sent over the wire while in ad-hoc mode. Orinoco cards will not. The reason why airsnort only works with Prism2 cards is because of that. No wep packets, no crackage.

Cheers,
-David
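A decoder for the wi_frame layout quoted above, added here as an illustration and not part of David's patches or any driver. It assumes the 16-bit fields arrive little-endian as in the Hermes layout, reads the 802.11 Frame Control type and Protected (WEP) bits, and checks wi_dat_len against the buffer before trusting it; the input frame is constructed, not a real capture.

```c
#include <stdint.h>
#include <string.h>
/* Field offsets from the wi_frame layout quoted in the message; the header is 0x44 bytes. */
enum { WI_HDR_LEN = 0x44, WI_OFF_FRAME_CTL = 0x0E, WI_OFF_ADDR1 = 0x12,
       WI_OFF_ADDR2 = 0x18, WI_OFF_ADDR3 = 0x1E, WI_OFF_DAT_LEN = 0x2C };

struct wi_decoded {
    uint16_t frame_ctl, dat_len;
    uint8_t addr1[6], addr2[6], addr3[6];
    int frame_type;     /* Frame Control bits 2-3: 0=mgmt, 1=ctrl, 2=data */
    int protected_flag; /* Frame Control bit 14: the WEP/Privacy flag */
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode one raw Hermes frame: 0 on success, -1 if the buffer is shorter than the
 * header or wi_dat_len claims more payload than the buffer actually holds. */
int wi_decode(const uint8_t *buf, size_t len, struct wi_decoded *out) {
    if (len < WI_HDR_LEN) return -1;
    out->frame_ctl = rd16le(buf + WI_OFF_FRAME_CTL);
    out->dat_len = rd16le(buf + WI_OFF_DAT_LEN);
    memcpy(out->addr1, buf + WI_OFF_ADDR1, 6);
    memcpy(out->addr2, buf + WI_OFF_ADDR2, 6);
    memcpy(out->addr3, buf + WI_OFF_ADDR3, 6);
    out->frame_type = (out->frame_ctl >> 2) & 0x3;
    out->protected_flag = (out->frame_ctl >> 14) & 0x1;
    if ((size_t)out->dat_len > len - WI_HDR_LEN) return -1; /* payload truncated */
    return 0;
}

struct wi_decoded g_demo; /* filled in by demo_decode() */
/* Constructed sample, not a real capture: a data frame with the Protected bit set. */
int demo_decode(void) {
    static const uint8_t a1[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}; /* made-up MACs */
    static const uint8_t a2[6] = {0x02, 0x66, 0x77, 0x88, 0x99, 0xaa};
    uint8_t frame[WI_HDR_LEN + 3] = {0};
    frame[WI_OFF_FRAME_CTL] = 0x08;     /* FC low byte: type 2 (data), subtype 0 */
    frame[WI_OFF_FRAME_CTL + 1] = 0x40; /* FC flags byte: Protected (WEP) bit */
    memcpy(frame + WI_OFF_ADDR1, a1, 6);
    memcpy(frame + WI_OFF_ADDR2, a2, 6);
    memcpy(frame + WI_OFF_ADDR3, a1, 6);
    frame[WI_OFF_DAT_LEN] = 3; /* wi_dat_len = 3 (little-endian); 3 payload bytes follow */
    return wi_decode(frame, sizeof frame, &g_demo);
}

/* Same header with no payload bytes behind it: the bounds check must reject it. */
int demo_truncated(void) {
    uint8_t frame[WI_HDR_LEN] = {0}; struct wi_decoded d;
    frame[WI_OFF_DAT_LEN] = 3; /* claims 3 payload bytes that are absent */
    return wi_decode(frame, sizeof frame, &d);
}
```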