Franck Veysset and Laurent Butti, both from France Telecom R&D, presented several proof-of-concept tools at Shmoocon that use 802.11 raw injection. The first is Raw Fake AP. The original Fake AP is a script that generates thousands of fake access points. It is easy to spot because of tell-tale signs like the BSSID showing that the AP has only been up for a couple of milliseconds. Raw Fake AP tries to generate legitimate-looking access points by modifying BSSIDs and sending beacon frames at coherent time intervals.
Raw Glue AP is designed to catch probe requests from clients scanning for a preferred ESSID. It then tries to generate the appropriate probe responses to keep the client occupied.
Raw Covert was the final tool. It creates a covert channel inside of valid ACK frames. ACK frames are usually considered harmless and ignored by wireless IDS. The tool is really basic right now: there is no encryption, and it doesn’t handle dropped frames.
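As an added defender-side example (not code from the talk or from the tools described above), the following Python parses the 8-byte timestamp and the beacon-interval field of constructed 802.11 beacon frames and applies the two checks a wireless IDS would want here: the "only up for a few milliseconds" tell that trips the original Fake AP, and a spacing check that a forged beacon stream fails when its timestamps do not advance at the advertised interval. The sample frames, the one-second uptime threshold and the 25% jitter tolerance are all assumed values chosen for illustration.

```python
import struct
from collections import defaultdict

TU_US = 1024  # one 802.11 time unit (beacon intervals are in TUs) is 1024 microseconds


def build_beacon(bssid: bytes, timestamp_us: int, interval_tu: int, ssid: bytes) -> bytes:
    """Build a minimal beacon frame (constructed sample, not a real capture)."""
    fc = b"\x80\x00"                       # frame control: management / beacon
    # duration, DA=broadcast, SA=bssid, BSSID=bssid, sequence control
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = struct.pack("<QHH", timestamp_us, interval_tu, 0x0401)  # TSF, interval, capability
    body += b"\x00" + bytes([len(ssid)]) + ssid                   # SSID information element
    return header + body


def parse_beacon(frame: bytes):
    """Return (bssid, timestamp_us, interval_tu) from a beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                                   # address 3 carries the BSSID
    timestamp_us, interval_tu = struct.unpack_from("<QH", frame, 24)
    return bssid, timestamp_us, interval_tu


def flag_suspicious_beacons(frames, max_young_us=1_000_000, jitter_ratio=0.25):
    """Map bssid -> list of reasons for beacons that look forged (assumed thresholds)."""
    findings = defaultdict(list)
    last_ts = {}
    for frame in frames:
        bssid, ts, interval_tu = parse_beacon(frame)
        key = bssid.hex(":")
        # Tell 1: a TSF of a few milliseconds means the "AP" was just started.
        if ts < max_young_us:
            findings[key].append(f"uptime only {ts} us")
        # Tell 2: real APs advance the TSF by the advertised interval between beacons;
        # a replayed or hand-built stream drifts, stalls or runs backwards.
        expected = interval_tu * TU_US
        if key in last_ts:
            delta = ts - last_ts[key]
            if delta <= 0 or abs(delta - expected) > jitter_ratio * expected:
                findings[key].append(f"beacon spacing {delta} us vs advertised {expected} us")
        last_ts[key] = ts
    return dict(findings)
```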
Hmm. That raw glue looks like it would be good for pulling virus infected computers from an access node and then shutting them down.
Or, if you're more evil, then simply pull them off and begin attacking their computer.
That looks to have potential. The others are like other scanners that catch nodes. Unless someone can break them down for me.
Raw Covert sounds interesting if you put it in the right context. For example, in a campus or municipal wireless environment it may be possible to secret a wireless network within the ack frames of the legitimate one, effectively using the infrastructure without signing on to it. A wired connection at a dorm room or nearby office could become a router used by machines taking advantage of this covert network.
It's just a thought — point is, if you can force any data sent by your local machine to be repeated by the router (or, best bet, repeated by the wireless cloud overall), something in that data can be used as “information” — though effective bandwidth would be greatly reduced.