RE: Rogue AP Wireless on Windows/Linux

From: Steve A (steve@logicallysecure.org)
Date: Sun Apr 10 2005 - 15:14:17 EDT


Hi

Try AirJack and MonkeyJack as they will let kill the other AP and
monkey-jack will let you do the other stuff you wanted to do but didn't
say.

AirJack needs a Linux build (and a rather special one with lots of
kernel mods if I recall correctly) anyway see
(http://sourceforge.net/projects/airjack/) for the source and
docs/presentation from the authors here
(http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/bh-us
a-02/baird-lynn/) and here (http://802.11ninja.net/) (but last time I
looked the default apache page was the only page up (I guess web
security aint their thing)) and some useful stuff here
(http://www.netstumbler.org/archive/index.php/t-3282.html).

Note sure about the DHCP bit, you might need to use Airjack to de-auth
the real AP and then set up an AP of your own (any one would probably
do, but the higher powered the better, and set the DHCP scope to be the
same at that of the real AP - you will need to have sussed the Default
Gateway or users will loose external connectivity real fast).

Hope that sort of answers your questions - we have only used airjack to
de-auth an AP and thus kill a single AP network so sorry if some of it
is a bit vague.

Steve

Steve<at>logicallysecure.org

-----Original Message-----
From: szynkro@gmail.com [mailto:szynkro@gmail.com]
Sent: 08 April 2005 18:53
To: pen-test@securityfocus.com
Subject: Rogue AP Wireless on Windows/Linux

Hi,

I'm looking for a way/all in one tool to simulate a wireless Access
Point on a Windows XP and/or Linux system preferably with built-in DHCP
daemon and all. The goal is to see if we can trick wireless clients in
connecting to the AP, sniffing for potential credentials and other
interesting stuff etc...

I've heard about hotspotter, airsnarf and alikes but don't know if they
are valid...

The scenario would be sniffing the unknown wireless network for valid
SSID's and setting the SSID on the rogue AP.... then fingers crossed I
guess that signal is strong enough to get some clients connecting. Can
we force/help the client in associating with the rogue AP?

Anyone some other valid (recent) Wireless Pen-Test scenario's?

thanks



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:19 EDT