Airraid (Atheros-based FakeAP)

Posted: Tuesday, July 22, 2008 in Wifi-Hacking

As I got the script working with my card, I noticed that it was quite effective at throwing a lot of trash onto the 802.11 spectrum. You could quickly fill up a Netstumbler, Kismet or Airodump screen with random stuff. However, if the purpose was to make it appear as if the area was filled with access points

Prerequisites

* A card working with the MadWifi drivers. There are some specific commands (wlanconfig) that will need to be changed if you are going to hack this for other cards/drivers.
* A card that supports Master or AP mode. This allows it to function or appear as an access point to wireless clients.
* The Time::HiRes Perl module. [OPTIONAL] This is available from CPAN and allows you to specify sleep times in sub-second increments. Not needed if you are happy with whole second delays.
* The Getopt::Long Perl module. This is available from CPAN and is required for processing of command line arguments passed to airraid.
* macchanger. This is a very handy little utility. It is available here or from various other places. There are many binaries already compiled. It is required to effectively change the MAC address of the wireless card.
* Linux or some form of *nix. Of course.
* Root (superuser) access. I don’t know this for a fact but I suspect you need to be root to manipulate some of the ifconfig and iwconfig commands.

cd /pentest/wireless/airraid-0.1/
Make some modifications to groupfile-example.dat and add the AP details in the following format:
bssid,essid,WEP y/n,channel
For example, I entered:
00:21:29:68:16:C2,thunderbolt,Y,11
00:39:67:12:33:W2,UTStarcom,Y,11
00:98:G3:VV:23:55,netgear,Y,6
00:56:F5:JP:23:44,beetel,Y,4
22:66:g6:78:34:11,Ubiquiti,Y,7
34:77:88:1V:H8,S0,wifi0wn,Y,2
00:1E:40:14:F6:D4,PRAVEEN,Y,11

Save and close it.

nano airraid.pl

Edit the my @words = ( ... ) array and add these strings at the end; the script picks ESSIDs at random from this list.
my @words = ( "Access Point", "tsunami", "host", "airport", "linksys", "Netgear", "Cisco", "Wireless", "2wire", "intel", "WLAN", "thunderbolt", "UTStarcom", "beetel", "Ubiquiti", "wifi0wn", "PRAVEEN" );

bt~# airraid.pl --interface ath0

This is about as simple as you can go. It generates fully random (wireless) MAC addresses, no WEP (open), full power, a random assortment of the built-in default ESSIDs, sleeps for the default (0.6 sec) between generations, and uses all available channels. The MACs will, in all likelihood, almost never be repeated, so any scanner will see a nearly infinite number of APs if it watches long enough. For testing it I monitored using another wireless interface:

bt~# airodump rausb0
(Check that all the fake APs show encryption type OPN.)

bt~# airraid.pl --interface ath0 --power 20 --wep 1

This one creates a bit more variety on the airwaves. It generates fully random (wireless) MAC addresses, randomly assigns WEP keys to all of the APs, varies power between 0 mW and 20 mW (or the max of the card), uses a random assortment of the built-in default ESSIDs and uses all available channels. Similar to the example above, this will create a nearly infinite number of APs. For testing it, use:

bt~# airodump-ng rausb0
(Check that all the fake APs now show encryption type WEP.)

bt~# airraid.pl --interface ath0 --power 20 --gf groupfile-example.dat

My personal favorite. This varies power between 0 mW and 20 mW (or the max of the card) but pulls all other information from the groupfile called groupfile-example.dat, which contains all the information necessary to create n bogus APs. It cycles through these n APs in random order, sending out beacons.

bt~# airodump-ng rausb0
(Check that the fake APs are sending beacons at random intervals and look like real APs.)
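Added example (Python, not part of the original post or of the airraid tool) showing how a monitoring side could spot the behaviour described above: a burst of BSSIDs that are each seen only once. It assumes airodump-style observations have already been reduced to constructed "time,bssid,channel,privacy,essid" lines; the thresholds are illustrative.

```python
from collections import Counter, defaultdict
import re

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")

def parse_observations(lines):
    """Parse constructed 'time,bssid,channel,privacy,essid' lines.
    Records with a malformed BSSID (non-hex octets) are skipped."""
    obs = []
    for line in lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        t, bssid, ch, priv, essid = parts
        if not MAC_RE.match(bssid.upper()):
            continue
        obs.append((int(t), bssid.upper(), int(ch), priv, essid))
    return obs

def detect_beacon_flood(obs, window_s=60, new_bssid_limit=20, transient_ratio=0.8):
    """Flag windows in which many BSSIDs appear for the first time and most of
    them are never seen again: the 'nearly infinite APs' pattern of the post."""
    seen_total = Counter(b for _, b, *_ in obs)
    first_seen = set()
    new_per_window = defaultdict(set)
    for t, bssid, *_ in sorted(obs):
        if bssid not in first_seen:
            first_seen.add(bssid)
            new_per_window[t // window_s].add(bssid)
    findings = []
    for w, bssids in sorted(new_per_window.items()):
        transient = sum(1 for b in bssids if seen_total[b] == 1)
        if len(bssids) >= new_bssid_limit and transient / len(bssids) >= transient_ratio:
            findings.append({"window_start": w * window_s,
                             "new_bssids": len(bssids), "transient": transient})
    return findings

def sample_lines():
    """Constructed sample: three stable APs beaconing every 10 s for two minutes,
    plus 25 one-off BSSIDs in the second minute, plus one malformed record."""
    lines = []
    for t in range(0, 120, 10):
        for i, (essid, ch) in enumerate([("homenet", 1), ("office", 6), ("guest", 11)]):
            lines.append(f"{t},02:00:00:00:00:{i + 1:02X},{ch},WPA2,{essid}")
    for i in range(25):
        lines.append(f"{60 + i * 2},02:AA:{i:02X}:{i * 7 % 256:02X}:{i * 13 % 256:02X}:{i:02X},{1 + i % 11},OPN,linksys")
    lines.append("90,00:11:22:33:44:ZZ,11,WEP,bogus")  # malformed BSSID, dropped by the parser
    return lines

print(detect_beacon_flood(parse_observations(sample_lines())))
```

Only the second minute is reported, because its 25 first-seen BSSIDs are all transient while the three stable APs keep reappearing.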

Comments
  1. salawank says:

    nice tuto man... but do you have any idea how to track or get the real MAC address of the real access point?

  2. kuni says:

    okok, fine tut. But for some weird reason airraid does not change the MAC of my card, so all the fake APs have the MAC of my wireless card, causing common scan tools to only display the last encountered fake AP.

    Macchanger, when called manually, changes the MAC as desired.

    Any suggestions?
