Wifitap(Communication Over Wifi Network Without Association

Posted: Tuesday,July 22, 2008 in Wifi-Hacking
Tags: , , , , , , ,

Wifitap is a proof of concept for communication over WiFi networks using traffic injection.
Direct communication without association

Wifitap allows direct communication with an associated station to a given access point directly, meaning:

* not being associated ourselves;
* not being handled by access point.

airmon-ng start ath0
airmon-ng start wifi0
airmon-ng start wifi0
(Now you have 3 ath interface.ath0,ath1,ath2)

airodump-ng ath1
Note the BSSID of your AP.
Wifitap is ready to be launched to communicate with reachable associated stations to access point

goto /pentest/wireless/wifitap

modprobe tun (we need this tunnel interface to inject frames)

bt wifitap# wifitap.py -b 00:21:29:68:16:C2 -o ath2 -i ath2
(Launching Wifitap creates an tuntap interface named wj0 through which we can inject regular IP traffic)

assign an IP address to the wjo interface
bt~#ifconfig wj0 (Most of the routers work in 192.168.1.X segment so you can use safely any IP except,, etc.)

Now we can reach through wj0. now start listening on ath2 interface we can discover associated stations and communicate with them with IP.

bt~#tcpdump -vvv -i ath2

NB : wj0 MAC address is used as source for sent frames if you don’t provide source MAC address using -s <SMAC>

bt ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags  Metric Ref     Use    Iface   U      0         0           0      eth0   U      0         0           0      wj0          U      0         0           0       lo             UG     0        0           0       eth0

bt ~ # ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from icmp_seq=3 ttl=64 time=0.035 ms
64 bytes from icmp_seq=4 ttl=64 time=0.040 ms

— ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.035/0.039/0.045/0.004 ms

you have successfully setup a connection with router.Wifitap allows any application do send and receive IP packets using 802.11 traffic capture and injection over a WiFi network simply configuring wj0, which means :

* setting an IP address consistent with target network address range ;
* routing desired traffic through it.

In particular, it’s a cheap method for arbitrary packets injection in 802.11 frames without specific library.

In addition, it will allow one to get rid of any limitation set at access point level, such as bypassing inter-client communications prevention systems (e.g. Cisco PSPF) or reaching multiple SSID handled by the same access point.
Wifitap can easily be modified to be used as a framework for simple tasks such as injecting answers to captured frames.

If you want to use Scapy for captured packets parsing and answers generation, it is necessary to add import for related classes. For instance, if you want to work on ICMP packets, just add:

from scapy  import IP,ICMP

Then, you have to rip tuntap interface handling:

* initialisation;
* reading;
* writting.

Finally, you have to modify the main loop to handle interesting frames identification, fields parsing, then answers generation and injection.

Wifitap contains sample programs:

* ARP requests answering machine (wifiarp.py);
* DNS requests answering machine (wifidns.py).
* ICMP Echo Requests answering machine (wifiping.py);

About these ads
  1. Gabrella says:

    This is amazing. I hope I can get it working. Thank you. You’re incredible. Gabrella.

  2. DK says:

    how to use it with rtl8187 chipset since it doesnt have wifi0 or ath0 interfaces.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s