WiFi networks & RAW SOCKETS
IL-HACK2009
Eddie Harari
Sniffing WiFi
Managed mode vs. Monitor mode. Promiscuous mode is driver/firmware dependent: each NIC has its own driver and firmware. Can we sniff with any card? Monitor mode it is!
802.11 Data frames
Frame size is not fixed! Encapsulation is 802.2 (inside the frame body). Some networks use QoS (an extra 2 bytes in the header). Is it so important?
Sniffing in promiscuous mode
Ethernet II frame “emulation”: in managed mode the driver hands the sniffer 802.11 data as if it were Ethernet II frames.
MITM Implementation
“Clear text” networks. WEP-based networks: shared and non-shared keys. Famous last words:
“I surf through my neighbor's WiFi connection.”
Monitor VS Managed
Monitor mode sniffs everything. Monitor mode is undetectable. Packet injection is hard… A word about WiFi encryption. Managed mode is a “dream environment” for packet injection.
So which one is it?
Pre implementation considerations
Scapy is for script kiddies!? (Scapy is a good solution for certain things…)
A MITM network attack must win race conditions.
What are the attacks that can take place here?
Thinking of an attack
Don’t you hate it when your WiFi bandwidth is low because everyone else is using the AP?
RESET any TCP SYN request! From all machines but ours…
Why can't you reset an “MS” SYN request on the client side…
MITM implementation
Libpcap is the best tool to use in this scenario: it can sniff & inject packets, supports all common DLTs, and supports both managed and monitor modes. In monitor mode you also get the radio (radiotap) headers… (freaky).
Code & Implementation
Example I – RESETCON code (RESETCON PoC code)
Some ideas of what can be done…
MSN contact stealer… DNS spoofing… file download injection… any MITM attack.
Important things to remember…
802.11 headers are not fixed length. Radiotap headers are not fixed length. Code must win race conditions. Packet format is important. Detectable!? How to avoid that…
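Both variable-length headers (the 802.11 data frame from the earlier slide and the radiotap header above) have to be walked before the 802.2 payload can be reached. The following C routine is an added example, not code from the talk: it reads the radiotap length field, derives the 802.11 header length from Frame Control (4-address and QoS cases), rejects protected frames, and validates the LLC/SNAP header. The sample frame and its addresses are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Locate the 802.2 LLC/SNAP header inside a monitor-mode capture (radiotap + 802.11).
 * Returns its offset in buf, or -1 for anything that is not an unencrypted data frame
 * with a complete header. Both headers are variable-length, so nothing is hard-coded. */
int wifi_llc_offset(const uint8_t *buf, size_t len, uint16_t *ethertype)
{
    if (len < 4) return -1;
    /* radiotap: version(1) pad(1) it_len(2, little-endian) it_present(4) fields... */
    size_t rt_len = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (rt_len < 8 || rt_len + 24 > len) return -1;   /* need a base 802.11 header too */
    const uint8_t *fc = buf + rt_len;                  /* 802.11 Frame Control field */
    int type    = (fc[0] >> 2) & 0x3;
    int subtype = (fc[0] >> 4) & 0xf;
    int to_ds   =  fc[1]       & 0x1;
    int from_ds = (fc[1] >> 1) & 0x1;
    int protect = (fc[1] >> 6) & 0x1;                  /* Protected Frame bit (WEP/TKIP/CCMP) */
    if (type != 2)     return -1;                      /* only data frames carry LLC */
    if (subtype & 0x4) return -1;                      /* null-data subtypes have no body */
    if (protect)       return -1;                      /* body is ciphertext, not 802.2 */

    size_t hdr = 24;                                   /* FC, duration, addr1-3, seq ctl */
    if (to_ds && from_ds) hdr += 6;                    /* 4-address (WDS) frame */
    if (subtype & 0x8)    hdr += 2;                    /* QoS data: extra QoS Control field */

    size_t llc = rt_len + hdr;
    if (llc + 8 > len) return -1;                      /* LLC/SNAP is 8 bytes */
    if (buf[llc] != 0xAA || buf[llc + 1] != 0xAA || buf[llc + 2] != 0x03) return -1;
    if (ethertype) *ethertype = (uint16_t)((buf[llc + 6] << 8) | buf[llc + 7]);
    return (int)llc;
}

/* EtherType of the encapsulated payload, or -1 if wifi_llc_offset rejects the frame. */
int wifi_ethertype(const uint8_t *buf, size_t len)
{
    uint16_t et = 0;
    return wifi_llc_offset(buf, len, &et) < 0 ? -1 : (int)et;
}

/* Constructed sample (made-up addresses): 8-byte radiotap header with no fields,
 * QoS data frame with To-DS set, LLC/SNAP carrying IPv4 (EtherType 0x0800). */
static const uint8_t SAMPLE_QOS_FRAME[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,   /* radiotap: version, pad, it_len=8, present */
    0x88, 0x01, 0x00, 0x00,                           /* FC: QoS data subtype, To-DS; duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, /* addr1, addr2 */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x10, 0x00, 0x00, 0x00, /* addr3, seq ctl, QoS ctl */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00,   /* LLC/SNAP header, EtherType 0x0800 */
};
```

For the sample frame the LLC header sits at offset 34 (8 radiotap + 26 QoS 802.11 header); a capture truncated before that point is rejected rather than mis-parsed.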
THANK YOU!!!