6 Modes of WiFi
---------------

Master - Access Point or Base Station

Managed - Infrastructure Mode (Client)

Demo: Managed
-------------
iwconfig wlan0 mode managed
iwconfig wlan0 essid pineapple
iwconfig wlan0
*more on associations soon

Ad-Hoc - peer to peer

Demo: Ad-Hoc
------------
iwconfig wlan0 channel 1 essid myadhocnetwork mode ad-hoc

Mesh - Mesh Cloud/Network. Planned Ad-hoc

Repeater - Range Extender

Monitor (RFMON) - receive every frame on the channel, not just frames addressed to you; no association needed

Demo: Monitor Mode
------------------
airmon-ng start wlan2
tshark -i mon0

Modes and your NIC
------------------
Not all wireless NICs are made the same. Depending on chipset, driver and other factors your adapter may not support all 6 modes.

Demo: Determine your NIC's available modes
------------------------------------------
airmon-ng # find phy#
iw phy phy1 info | grep -A8 modes

A Word On Transmit Power
------------------------
Like channels, transmit power, or txpower, is regulated by country.
In the US, txpower has a max of 500 milliwatts, or 27 dBm (20 dBm would be only 100 mW).
The limit comes from the Linux kernel's regulatory domain code, which reads per-country rules from the wireless-regdb database (loaded by CRDA on older kernels). It can be changed, but editing the database is work.
Easier than changing the kernel is to move to a country with nicer laws.

Demo: Moving to Bolivia
-----------------------
iw reg get
iw reg set BO
iwconfig wlan2 txpower 30
# 30 dBm = 1 W. Cards with a regulatory domain burned into EEPROM may still refuse the higher setting.

3 States of Wifi
----------------
State 1: Unauthenticated and Unassociated
State 2: Authenticated but Unassociated
State 3: Authenticated and Associated

WiFi Frames
-----------
Frames: Simply Data Packets
Typically made up of: Header, Payload, Integrity Check (CRC)
Frame Header: Source and Destination (an 802.11 header carries Frame Control, Duration, up to four addresses and a Sequence Control field)
Ether Type (What Protocol) - in 802.11 this sits in the LLC/SNAP header at the start of a data frame's payload, not in the MAC header
Frame Check Sequence: CRC
Say that again?
WiFi Frames:
Management Frames
Control Frames
Data Frames

Management Frames:
Beacons
Probes
Authentications
Associations

Beacons:
Advertise the network
Specify SSID (network name), Channels and other capabilities

Demo: Beacon Flood Attack
-------------------------
airmon-ng start wlan2
mdk3 mon0 b -f ssidlist.txt

Demo: Analyze Beacon Frame
--------------------------
gksudo wireshark & disown
wlan.fc.subtype == 0x08
# IEEE 802.11 Beacon Frame > Frame Control > Type Management > Subtype 8
# IEEE 802.11 Management Frame > Tagged parameters
# Note: wlan.fc.subtype matches any type with subtype 8 (QoS Data frames too); wlan.fc.type_subtype == 0x08 matches beacons only.

Probe Frame
Probe Request - Are you my friend?
Probe Response - Includes capability info

Demo: Is that a probe in your pocket or are you just happy to see me?
---------------------------------------------------------------------
# Look what's coming out of everyone's devices!
airmon-ng start wlan2
airodump-ng mon0

Authentication
Authentication - Open System or Shared Key (WEP). WPA, WPA2 and WPA-RADIUS (802.1X) use Open System authentication here and do their key exchange (the 4-way handshake) after association.
Deauthentication

Association
Association Request - Can we be friends?
Association Response
Disassociation

Demo: Analyze Connection to Open AP
-----------------------------------
# start wireshark on wlan2
# Silence the noise!
wlan.addr == 00:c0:ca:54:51:ef and not wlan.fc.subtype == 0x08
# Passive Scan should not generate any frames
iw dev wlan2 scan passive | grep SSID
# Active Scan
iw dev wlan2 scan | grep SSID
Display only REQUESTS by updating the Wireshark filter to include "and wlan.fc.subtype == 0x04"
Display only RESPONSES by changing 0x04 to 0x05
airmon-ng start wlan2
airodump-ng mon0 # find channel for AP "pineapple"
iwconfig wlan2 channel 11
iwconfig mon0 channel 11
iwconfig wlan2 | grep Frequency
gksudo wireshark & disown
# Filter for just pineapple and not beacons
wlan.addr == 00:C0:CA:60:53:2E and not wlan.fc.subtype == 0x08
# Associate
# Filter for just phone and pineapple
wlan.addr == 00:C0:CA:60:53:2E and wlan.addr == a0:0b:ba:ba:6a:ca
# Probe Request SSID=Broadcast = null probe request

Deauthentication
----------------
Remember trust?
Deauthentication is a management frame. Without 802.11w (Protected Management Frames) it is neither authenticated nor encrypted, so anyone who can spoof the AP's MAC address can kick a client off the network.

Demo: Deauthenticate my phone!
------------------------------
iwconfig mon0 channel 11
aireplay-ng -0 10 -a 00:C0:CA:60:53:2E -c A0:0B:BA:BA:6A:CA mon0

Demo: Hella Deauthentication with Airdrop-ng
--------------------------------------------
# Begin demo connected to anything but pineapple
airodump-ng --output-format csv --write /root/dump.csv mon0
airdrop-ng -i mon0 -t /root/dump.csv-01.csv -r /root/droprules

Control Frames:
---------------
Request to Send - RTS: Can I speak?
Clear to Send - CTS: Sure! Everyone else shut up.
Acknowledgement - ACK: Cool, I got what you said ok.

Data Frames:
------------
Kittens!
on 2012-07-25
This time on the show, part 2 of our WiFi from-the-ground-up series. Darren presents a wireless workshop at the Noisebridge hackerspace in San Francisco.
Getting 404s on the download links for the last 2 episodes.
Looks like they have made some typo.
The mp4 file can be found at http://bitcast-p.v1.o1.sjc1.bitgravity.com/revision3/web/hak5/1123/hak5–1123–wifi-hacking-workshop-part-2–large.h264.mp4
I got through all the very technical stuff on Wi-Fi and I am still alive.
Thanks Darren for making it easy to understand.
Nice !!!
Darren was incorrect. With a ham license you CAN exceed the 500 mW limit of wifi. According to the American Radio Relay League's (ARRL) band plan chart all license classes are allowed full amateur privileges between 2390-2450 MHz (among GHz bands). That covers wifi channels 1 through 8. Transmit power with an amateur license is limited to 1500 watts!
You do of course have to abide by all the rules of amateur radio. You have to give out your call sign at the end of every transmission or every 10 minutes. One trick I read about is converting your call sign to hexadecimal and using that as your MAC address. I would also change your host name to your call sign. You also aren't allowed to send encrypted messages except control commands to a space station or radio controlled craft. So your wifi would have to be wide open. Accessing things like Gmail might not be legal since it uses encryption. Since I have a ham license, I think I want to get a one watt Alfa and move to Bolivia.
I also want to find a higher wattage wifi device I can run as an access point or do ad-hoc mode with. There are wifi amplifiers out there; they are, however, rather expensive.