Offensive Tools
Over the years I’ve written a few tools that demonstrated weaknesses in wireless networks. I’m identifying these tools here, but please use them responsibly. -Josh
Tools designed to highlight wireless vulnerabilities
Demonstrates a serious deficiency in proprietary Cisco LEAP networks. Since LEAP uses a variant of MS-CHAPv2 for the authentication exchange, it is susceptible to accelerated offline dictionary attacks. Asleap can also attack the Point-to-Point Tunneling Protocol (PPTP), and any MS-CHAPv2 exchange where you can specify the challenge and response values on the command line.
Implementation of an offline dictionary attack against WPA/WPA2 networks using PSK-based authentication (e.g. WPA-Personal). Many enterprise networks deploy PSK-based authentication mechanisms for WPA/WPA2 since it is much easier than establishing the necessary RADIUS, supplicant and certificate authority architecture needed for WPA-Enterprise authentication. Cowpatty can implement an accelerated attack if a precomputed PMK file is available for the SSID that is being assessed.
Patch to FreeRADIUS server to add capabilities suitable to demonstrate RADIUS impersonation attacks.
A command-line utility for injecting IEEE 802.11 frames from binary files. This works well with Wireshark’s “File | Export | Selected Packet Bytes” feature, allowing the user to override supported field contents (source address, destination address, BSSID, sequence number, etc.) with command-line arguments. This makes file2air a useful tool for evaluating the impact of various DoS attacks, and for fuzzing wireless drivers without knowing a programming or scripting language.
A simple implementation of the Bluetooth authentication cryptographic functions, including E0, E21 and E22. Includes some wrapper functions to make the Bluetooth authentication functions a little simpler, including gen_kinit(), gen_kmaster(), gen_lkrand(), etc. See bluecrypt_t.c for test cases from the Bluetooth SIG reference documentation.
An implementation of an offline dictionary attack against the EAP-MD5 protocol. This utility can be used to audit passwords used for EAP-MD5 networks from wireless packet captures, or by manually specifying the challenge, response and associated authentication information.
802.11n fuzzing tools
Two scripts for Metasploit to fuzz 802.11n specific features, including probe response fuzzing, and Aggregate MSDU fuzzing. Copy these scripts to the Metasploit modules/auxiliary/dos/wireless directory. See the Metasploit Documentation for more information on using Metasploit auxiliary modules.
wlan2eth
A simple tool to convert packet captures in 802.11 format to Ethernet format. Lots of tools can only understand Ethernet link types, so I wrote this tool to convert captures to a format that they can understand. Not useful for encrypted traffic. Source is available here; simply run "./wlan2eth input.pcap output.pcap" and wlan2eth will report how many frames were converted to Ethernet format.