Wifitap is a proof of concept for communication over WiFi networks using traffic injection.
Direct communication without association

Wifitap allows direct communication with a station associated to a given access point, meaning:

* not being associated ourselves;
* not being handled by the access point.

airmon-ng start ath0
airmon-ng start wifi0
airmon-ng start wifi0
(Now you have three ath interfaces: ath0, ath1, ath2)

airodump-ng ath1
Note the BSSID of your AP.
Wifitap is now ready to be launched to communicate with reachable stations associated to the access point.

cd /pentest/wireless/wifitap

modprobe tun (the tun/tap driver is needed for the tunnel interface through which we inject frames)

bt wifitap# wifitap.py -b 00:21:29:68:16:C2 -o ath2 -i ath2
(Launching Wifitap creates a tuntap interface named wj0 through which we can inject regular IP traffic)

Assign an IP address to the wj0 interface:
bt ~ # ifconfig wj0 192.168.1.200 (Most routers use the 192.168.1.X range, so you can safely use any IP except addresses likely already taken, such as 192.168.1.1, 192.168.1.10, 192.168.1.100, etc.)

Now we can reach 192.168.1.0/24 through wj0. By listening on the ath2 interface we can discover associated stations and communicate with them over IP.

bt ~ # tcpdump -vvv -i ath2

NB: the wj0 MAC address is used as the source of sent frames if you don't provide a source MAC address with -s <SMAC>.

bt ~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wj0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

bt ~ # ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 192.168.1.100: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 192.168.1.100: icmp_seq=3 ttl=64 time=0.035 ms
64 bytes from 192.168.1.100: icmp_seq=4 ttl=64 time=0.040 ms

--- 192.168.1.100 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2997ms
rtt min/avg/max/mdev = 0.035/0.039/0.045/0.004 ms

You have successfully set up a connection with the router. Wifitap allows any application to send and receive IP packets using 802.11 traffic capture and injection over a WiFi network, simply by configuring wj0, which means:

* setting an IP address consistent with the target network address range;
* routing desired traffic through it.

In particular, it is a cheap method for injecting arbitrary packets in 802.11 frames without a specific library.

In addition, it allows one to get rid of any limitation set at the access point level, such as bypassing inter-client communication prevention systems (e.g. Cisco PSPF) or reaching multiple SSIDs handled by the same access point.
Wifitap can easily be modified to serve as a framework for simple tasks such as injecting answers to captured frames.
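The flip side of the above, from a defender's point of view: because Wifitap never associates, a monitor-mode sensor that records which stations the access point accepted can flag data frames attributed to any other station-side MAC. The following is an added example, not part of Wifitap or of the original post; it parses raw 802.11 headers in pure Python, uses the BSSID from the post, and every other MAC address and frame is constructed (hosts behind the AP's wired side must be allowlisted, since traffic relayed for them also arrives FromDS).

```python
import struct

def parse_header(frame: bytes) -> dict:
    """Decode the fixed 24-byte 802.11 MAC header (Addr4 / QoS fields ignored)."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    a = [frame[4 + 6 * i:10 + 6 * i].hex(":") for i in range(3)]
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "to_ds": bool(fc & 0x0100), "from_ds": bool(fc & 0x0200),
            "addr1": a[0], "addr2": a[1], "addr3": a[2]}

class AssocTracker:
    """Learns which stations the AP accepted, flags data frames from any other."""
    def __init__(self, bssid: str, wired=()):
        self.bssid = bssid.lower()
        self.wired = {m.lower() for m in wired}  # known hosts behind the AP's wired side
        self.associated = set()
    def feed(self, frame: bytes):
        h = parse_header(frame)
        # Association Response (mgmt subtype 1) from our BSSID; status 0 means accepted
        if (h["type"], h["subtype"]) == (0, 1) and h["addr2"] == self.bssid:
            if struct.unpack_from("<H", frame, 26)[0] == 0:
                self.associated.add(h["addr1"])
            return None
        if h["type"] == 2 and h["to_ds"] and not h["from_ds"] and h["addr1"] == self.bssid:
            station = h["addr2"]  # transmitter claims to be a station of this BSS
        elif h["type"] == 2 and h["from_ds"] and not h["to_ds"] and h["addr2"] == self.bssid:
            station = h["addr3"]  # source the AP is supposedly relaying into the BSS
        else:
            return None           # control/management frames, or not this BSS
        if station in self.associated or (h["from_ds"] and station in self.wired):
            return None
        return f"data frame to {h['addr1']} attributed to non-associated {station}"

def frame(fc, a1, a2, a3, body=b""):
    """Build a minimal 802.11 frame (constructed test input, duration/seq zeroed)."""
    macs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (a1, a2, a3))
    return struct.pack("<H", fc) + b"\0\0" + macs + b"\0\0" + body

BSSID, STA, ROGUE = "00:21:29:68:16:c2", "00:11:22:33:44:55", "66:77:88:99:aa:bb"
GATEWAY = "00:00:00:00:00:01"  # constructed wired host behind the AP
SAMPLE = [  # constructed capture: one real client, one injector that never associated
    frame(0x0010, STA, BSSID, BSSID, struct.pack("<HHH", 0x0431, 0, 0xC001)),
    frame(0x0108, BSSID, STA, GATEWAY),  # STA -> AP (ToDS): legitimate
    frame(0x0208, STA, BSSID, ROGUE),    # "AP" -> STA (FromDS) on behalf of ROGUE
    frame(0x0108, BSSID, ROGUE, STA),    # ROGUE -> AP (ToDS)
]

def run(frames=SAMPLE):
    return [a for a in map(AssocTracker(BSSID, wired={GATEWAY}).feed, frames) if a]
```

On a real sensor the frames would come from a monitor-mode capture on the ath interfaces set up above, and the tracker would also need to forget stations on Disassociation/Deauthentication.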

If you want to use Scapy to parse captured packets and generate answers, you need to import the related classes (older Scapy releases, as used by the original Wifitap, imported them straight from the single scapy module). For instance, to work on ICMP packets, just add:

from scapy.all import IP, ICMP

Then, you have to strip out the tuntap interface handling:

* initialisation;
* reading;
* writing.

Finally, you have to modify the main loop to identify interesting frames, parse their fields, and then generate and inject the answers.

Wifitap contains sample programs:

* ARP request answering machine (wifiarp.py);
* DNS request answering machine (wifidns.py);
* ICMP Echo Request answering machine (wifiping.py).