User Tools

Site Tools


airtun-ng

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
airtun-ng [2008/01/20 02:23] – Fixed typo mister_xairtun-ng [2010/03/07 23:36] – Fixed typo darkaudax
Line 12: Line 12:
 Airtun-ng also has repeater and tcpreplay-type functionality.  There is a repeater function which allows you to replay all traffic sniffed through a wireless device (interface specified by -i at0) and optionally filter the traffic by a bssid together with a network mask and replay the remaining traffic.  While doing this, you can still use the tun interface while repeating.  As well, a pcap file read feature allows you to replay stored pcap-format packet captures just the way you captured them in the first place.  This is essentially tcpreplay functionality for wifi. Airtun-ng also has repeater and tcpreplay-type functionality.  There is a repeater function which allows you to replay all traffic sniffed through a wireless device (interface specified by -i at0) and optionally filter the traffic by a bssid together with a network mask and replay the remaining traffic.  While doing this, you can still use the tun interface while repeating.  As well, a pcap file read feature allows you to replay stored pcap-format packet captures just the way you captured them in the first place.  This is essentially tcpreplay functionality for wifi.
  
-Airtun-ng only runs on linux platforms.+Airtun-ng only runs on linux platforms and does support WDS if you have a pretty recent version (svn rev 1624?).
  
 ===== Usage ===== ===== Usage =====
Line 25: Line 25:
       *-t tods : send frames to AP (1) or to client (0) (optional / defaults to 0)       *-t tods : send frames to AP (1) or to client (0) (optional / defaults to 0)
       *-r file : read frames out of pcap file (optional)       *-r file : read frames out of pcap file (optional)
 +      *-h MAC  : source MAC address
 +      *-H      : Display help.  Long form --help
  
 Repeater options (the following all require double dashes): Repeater options (the following all require double dashes):
Line 30: Line 32:
   *- -bssid <mac> : BSSID to repeat.  Short form -d.   *- -bssid <mac> : BSSID to repeat.  Short form -d.
   *- -netmask <mask> : netmask for BSSID filter.  Short form -m.   *- -netmask <mask> : netmask for BSSID filter.  Short form -m.
 +
  
 ===== Scenarios ===== ===== Scenarios =====
 +
 ==== wIDS ==== ==== wIDS ====
  
Line 52: Line 56:
    ifconfig at0 up    ifconfig at0 up
  
-This interface (at0) will receive a copy of every wireless network packet. The packets will have been decrypted with the key you have provided.  At this point you may any tool to sniff and analyze the traffic.  For example, tcpdump or snort.+This interface (at0) will receive a copy of every wireless network packet. The packets will have been decrypted with the key you have provided.  At this point you may utilize any tool to sniff and analyze the traffic.  For example, tcpdump, wireshark or snort.
  
 ==== WEP injection ==== ==== WEP injection ====
Line 130: Line 134:
  
 At this point, any packets for the AP (00:14:6C:7E:40:80) from the ath0 interface will be repeated and sent out on the wlan0 interface. At this point, any packets for the AP (00:14:6C:7E:40:80) from the ath0 interface will be repeated and sent out on the wlan0 interface.
- 
  
 ==== Packet Replay Mode ==== ==== Packet Replay Mode ====
Line 153: Line 156:
  
 Please note that the file contents are transmitted exactly as is.  You may ignore the message "FromDS bit set in all frames" The flags nor any other field are modified while  transmitting the file contents. Please note that the file contents are transmitted exactly as is.  You may ignore the message "FromDS bit set in all frames" The flags nor any other field are modified while  transmitting the file contents.
 +
 +==== Tunneling traffic into WDS networks or WiFi Bridges ====
 +
 +If you use a recent version of airtun-ng, you can use its WDS support to inject traffic into WDS networks and WiFi bridges.
 +Bridges are pretty secure since traffic may be sniffed, but it is impossible to connect with them to send data into the networks.
 +This is where airtun-ng comes into the game. With airtun-ng you can impersonate either of the two endpoints to interact with the other one. Lets assume you can only see one node of the bridge, this is how you can check if an attacker could inject traffic into this side of the network:
 +
 +   * There are two nodes AA:AA:AA:AA:AA:AA and BB:BB:BB:BB:BB:BB.
 +   * Your attacking client can only send to and receive from node A.
 +   * In this case you will only see packets with Transmitter = A and Receiver = B on your interface.
 +   * If you impersonate node B, you could inject traffic into the network behind node A.
 +
 +This is how to setup airtun-ng for this scenario:
 +
 +   airtun-ng -t 1 ath0 -h BB:BB:BB:BB:BB:BB -a AA:AA:AA:AA:AA:AA -i ath0
 +
 +If you are able to see both sides of a WDS/Bridge network, you can enable bidirectional mode. This enables communication with both endpoint's networks. Be aware that bidirectional mode keeps track of clients behind each node in a list in memory, since it needs to know to which of the two endpoints it needs to send a packet to reach a certain client. If you use an embedded system, or there are large amounts of clients connected, this may slow down your machine.
 +
 +   airtun-ng -t 1 ath0 -h BB:BB:BB:BB:BB:BB -a AA:AA:AA:AA:AA:AA -i ath0 -f
 +
 +WDS mode is fully compatible with WEP encryption, so you can use the -w and -y flags as usual.
 +However, Repeater Mode hasn't been tested with WDS.
  
 ===== Usage Tips ===== ===== Usage Tips =====
Line 161: Line 186:
  
 You can also inject management and control frames.  This can be done by putting a PCAP file together of frames to be sent, or just using a capture you made before and by replaying the whole file using airtun-ng. You can also inject management and control frames.  This can be done by putting a PCAP file together of frames to be sent, or just using a capture you made before and by replaying the whole file using airtun-ng.
- 
  
 ===== Usage Troubleshooting ===== ===== Usage Troubleshooting =====
- +==== I can't find the airtun-ng tool! ====
-===== I can't find the airtun-ng tool! =====+
 Windows platforms - "I can't find the airtun-ng tool!" Answer:  airtun-ng only runs on linux. Windows platforms - "I can't find the airtun-ng tool!" Answer:  airtun-ng only runs on linux.
  
- +==== Error opening tap device: No such file or directory ====
-===== error opening tap device: No such file or directory =====+
  
 When you run airtun-ng, you get a message similar to "error opening tap device: No such file or directory". When you run airtun-ng, you get a message similar to "error opening tap device: No such file or directory".
Line 175: Line 197:
 Make sure you have the OpenVPN package installed and run: Make sure you have the OpenVPN package installed and run:
  
-   modprobe tun+ modprobe tun
  
 This loads the "tun" module.  You can confirm it is loaded by running "lsmod | grep tun" If it does not load or there are problems, running "dmesg" and reviewing the end should show errors, if any. This loads the "tun" module.  You can confirm it is loaded by running "lsmod | grep tun" If it does not load or there are problems, running "dmesg" and reviewing the end should show errors, if any.
  
 +==== Error creating tap interface: Permission denied ====
  
 +See the following [[faq#why_do_i_get_error_creating_tap_interfacepermission_denied_or_a_similar_message|FAQ entry]].
  
airtun-ng.txt · Last modified: 2015/04/12 23:15 by mister_x