Shmoocon 2006: Wi-Fi Trickery or How to Secure, Break and Have Fun with Wi-Fi
posted Jan 30th 2006 9:00am by Eliot, filed under: Uncategorized
Franck Veysset and Laurent Butti, both from France Telecom R&D, presented several proof-of-concept tools at Shmoocon that use 802.11 raw injection. The first is Raw Fake AP. The original Fake AP is a script that generates thousands of fake access points. It is easy to spot because of tell-tale signs like the BSSID showing the AP has only been up for a couple milliseconds. Raw Fake AP tries to generate legitimate access points by modifying BSSIDs and sending beacon frames at coherent time intervals.
Raw Glue AP is designed to catch probe requests from clients scanning for a preferred ESSID. It then tries to generate the appropriate probe responses to keep the client occupied.
Raw Covert was the final tool. It creates a covert channel inside of valid ACK frames. ACK frames are usually considered harmless and ignored by wireless IDS. The tool is really basic right now: there is no encryption and it doesn’t handle dropped frames.
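
A monitor-side check for the fake AP tell-tale sign described above, as an added example that is not from the original post or the presenters' tools: 802.11 beacons carry a timestamp counting microseconds since the AP started, so a sensor can flag BSSIDs whose claimed uptime is tiny or whose timestamp does not advance with the capture clock. The sample observations, thresholds and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations: (rx_time_s, bssid, beacon_timestamp_us)
BEACONS = [
    (0.0000, "00:11:22:33:44:55", 86_400_000_000),  # about one day of uptime
    (0.1024, "00:11:22:33:44:55", 86_400_102_400),
    (0.2048, "00:11:22:33:44:55", 86_400_204_800),
    (0.0100, "02:aa:bb:cc:dd:01", 1_500),           # claims about 1.5 ms of uptime
    (0.9000, "02:aa:bb:cc:dd:01", 2_100),           # clock barely moved in 0.89 s
    (0.0200, "02:aa:bb:cc:dd:02", 3_600_000_000),
    (0.1224, "02:aa:bb:cc:dd:02", 3_600_000_000),   # timestamp frozen between beacons
]

def suspicious_bssids(beacons, min_uptime_us=1_000_000, drift_tolerance=0.05):
    """Return {bssid: sorted reasons} for APs whose beacon timestamps look synthetic.

    min_uptime_us and drift_tolerance are assumed thresholds, not values from the talk.
    """
    by_bssid = defaultdict(list)
    for rx_s, bssid, tsf_us in beacons:
        by_bssid[bssid].append((rx_s, tsf_us))

    findings = defaultdict(set)
    for bssid, seen in by_bssid.items():
        seen.sort()  # order by receive time
        # Check 1: the first beacon seen claims the AP has only just started.
        if seen[0][1] < min_uptime_us:
            findings[bssid].add("uptime-too-low")
        # Check 2: the AP clock must advance in step with the capture clock.
        for (rx0, tsf0), (rx1, tsf1) in zip(seen, seen[1:]):
            wall_us = (rx1 - rx0) * 1_000_000
            if wall_us <= 0:
                continue  # duplicate capture of the same instant, nothing to compare
            tsf_delta = tsf1 - tsf0
            if tsf_delta <= 0:
                findings[bssid].add("timestamp-not-advancing")
            elif abs(tsf_delta - wall_us) > drift_tolerance * wall_us:
                findings[bssid].add("timestamp-drift")
    return {bssid: sorted(reasons) for bssid, reasons in findings.items()}

if __name__ == "__main__":
    for bssid, reasons in suspicious_bssids(BEACONS).items():
        print(bssid, ", ".join(reasons))
```

An emitter that keeps its timestamps and beacon spacing coherent, which is what Raw Fake AP is described as attempting, would pass both checks, so they only catch the naive case.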






Hmm. That raw glue looks like it would be good for pulling virus-infected computers from an access node and then shutting them down.
Or if you are more evil, then simply pull them off and begin attacking their computer.
That looks to have potential. The others are like other scanners that catch nodes. Unless someone can break them down for me.