Difference between revisions of "Episode85"

From Security Weekly Wiki

Revision as of 14:45, 4 October 2007


Wifizoo - Wireless Auditing Made Easy (With Pictures!)

Introduction & Features

Wifizoo is a fun tool written by Hernan Ochoa from Core Security. It passively monitors the wireless network and collects the following information:

  • A list of SSIDS (access points that are beaconing)
  • BSSID->Clients Graph - This produces some really interesting output, as it's based on destination BSSID (so sometimes you may get a BSSID from an AP that is out of range, via a client that is within range?). It's interesting to see some client MAC addresses with connections to all of the BSSIDs in the area...
  • Probe requests - All probe requests by clients are logged by source mac address and SSID. A list is kept for future reference :)
  • Cookies - A la Hamster, all cookies are collected off the network and then placed on a web page. Clicking on a cookie sets Wifizoo's proxy server to use that cookie. Set your browser to the Wifizoo proxy, then click the "Jump To.." link for that cookie in Wifizoo, and well, you know, pwnage.
  • "Other" information - A la Ferret, POP3, FTP, and SMTP data are collected.

Installation

You must have the following:

  • A wireless card (I'm using an Ubiquiti Atheros card)
  • Linux drivers that support monitor mode (I'm using madwifi-ng on Debian Etch)
  • Python & Scapy
  • Graphviz to generate the graphs

The initial setup in Debian:

1) Install the kernel & madwifi sources and headers:

aptitude install linux-source-2.6.18 madwifi-source linux-headers-$(uname -r)

2) Setup kernel source directory and build madwifi:

ln -s /usr/src/linux-source-2.6.18 /usr/src/linux
cd /usr/src/modules/madwifi
make
make install
modprobe ath_pci

3) Setup your card for monitor mode:

wlanconfig ath create wlandev wifi0 wlanmode monitor

This gave me an ath1 interface in monitor mode.

4) Install kismet & tcpdump (Wifizoo complained when I did not have tcpdump):

aptitude install kismet

5) Get Wifizoo and "install":

wget http://community.corest.com/~hochoa/wifizoo/wifizoo_v1.2.tgz
tar zxvf wifizoo_v1.2.tgz
cd wifizoo_v1.2

6) You then need to modify the source to use the correct interface:

vi wifizoo.py

- conf.iface = 'rausb0'
+ conf.iface = 'ath1'

7) Configure Kismet and run it first!

vi /etc/kismet/kismet.conf

source=madwifi_ag,wifi0,ubiquiti

Note: Kismet is used to channel hop and I believe it talks directly to the chipset, so even though ath1 is a different interface, the physical card (chipset) is channel hopping so we can take advantage of it. Or, you could use a channel hopping script (http://802.11ninja.net/code/chanhop.sh).

8) Run wifizoo:

$ python wifizoo.py
WifiZoo v1.2, complains to Hernan Ochoa (hernan@gmail.com)
Waiting...
Launching Web Interface..
WifiZoo Web GUI Serving HTTP on 127.0.0.1 port 8000 ...
WifiZoo HTTP Proxy on 127.0.0.1 port 8080 ...
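The BSSID->Clients graph from the feature list is derived purely from the address fields of captured 802.11 frames, which is why it can name an AP whose beacon was never heard: the BSSID comes from a client's data frame, not from the AP itself. The following is an added example, not WifiZoo's code: it classifies a few constructed raw frames (no radiotap header, no FCS; the MAC addresses and SSID are made up), builds the graph, and emits Graphviz dot like the tool's dependency list implies.

```python
from collections import defaultdict
def parse_frame(frame):
    """Classify one raw 802.11 frame (no radiotap header, no FCS); None if not used."""
    if len(frame) < 24:
        return None
    fc, flags = frame[0], frame[1]
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    a1, a2, a3 = (":".join("%02x" % x for x in frame[o:o + 6]) for o in (4, 10, 16))
    if ftype == 0 and subtype == 8:  # beacon: addr3=BSSID; 12 fixed bytes, then IEs (SSID first)
        body = frame[36:]
        ssid = body[2:2 + body[1]].decode("utf-8", "replace") if body[:1] == b"\x00" else None
        return {"kind": "beacon", "bssid": a3, "ssid": ssid}
    if ftype == 2:  # data frame: the ToDS/FromDS flags say which address holds the BSSID
        to_ds, from_ds = flags & 1, (flags >> 1) & 1
        if to_ds and not from_ds:
            return {"kind": "data", "bssid": a1, "client": a2}
        if from_ds and not to_ds:
            return {"kind": "data", "bssid": a2, "client": a1}
    return None  # other management, control, IBSS and WDS frames are skipped

def build_graph(frames):
    """Return (bssid -> SSID seen beaconing, bssid -> set of client MACs)."""
    ssids, graph = {}, defaultdict(set)
    for f in filter(None, map(parse_frame, frames)):
        if f["kind"] == "beacon":
            ssids[f["bssid"]] = f["ssid"]
        elif not int(f["client"][:2], 16) & 1:  # drop broadcast/multicast "clients"
            graph[f["bssid"]].add(f["client"])
    return ssids, dict(graph)

def to_dot(ssids, graph):
    """Graphviz source; a BSSID with no beacon seen is the 'AP out of range' case from the text."""
    out = ["digraph wifi {"]
    for bssid, clients in sorted(graph.items()):
        out.append('  "%s" [label="%s\\n%s"];' % (bssid, bssid, ssids.get(bssid, "no beacon seen")))
        out += ['  "%s" -> "%s";' % (bssid, c) for c in sorted(clients)]
    return "\n".join(out + ["}"])

def hdr(fc, flags, a1, a2, a3):  # constructed 24-byte MAC header, sequence control zeroed
    return bytes([fc, flags, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"

AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
STA, BCAST = bytes.fromhex("02deadbeef01"), b"\xff" * 6
FRAMES = [  # constructed sample capture, not real traffic
    hdr(0x80, 0, BCAST, AP1, AP1) + b"\x00" * 12 + b"\x00\x05corpx",  # beacon from AP1, SSID corpx
    hdr(0x08, 0x01, AP1, STA, BCAST),  # data ToDS: STA -> AP1
    hdr(0x08, 0x02, STA, AP2, BCAST),  # data FromDS from AP2, whose beacon was never captured
    hdr(0x08, 0x02, BCAST, AP1, AP1),  # FromDS broadcast: must not create a client edge
]
```

Running `to_dot(*build_graph(FRAMES))` labels AP2 "no beacon seen" while still drawing its edge to the station, which is exactly the out-of-range BSSID the feature list mentions.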