Fake Wifi Access Points

From Bob's Basement


Subversion access

Wifi fake AP is the first project in our Subversion repository. To check it out, run the following in the working directory of your choice:

svn checkout http://svn.bobsbasement.co.uk/wififakeap/trunk wififakeap

To build:

cd wififakeap; make

Status update

  • As of 5/6/2007, my laptop has died.
  • The hard disc contains the latest copy of the source.
  • It should be recoverable.
  • But development will then stall until I can get a new machine to develop it on.
  • Unless someone else wants to take it over.

Summary

This is a project to develop an application which simulates a number (up to 100) of wireless access points without providing any actual service. It can be run on a single laptop without any actual hardware access point.

Motivation

  • A proof-of-concept DoS on legitimate access points (if you create enough fake ones with a stronger signal, clients will try to connect to them preferentially)
  • Could be used for advertising through the ESSIDs

Current status

We can:

  • Send beacon packets (which APs usually send 10 times per second)
  • Respond to probes. Searching clients send out probes when looking for APs, for example via the Windows Zero Config service, or Mac's equivalent. "Stumbler" applications also send probes to discover APs.
  • Our packets look reasonably believable in monitor apps (e.g. Wireshark)
  • It has been shown to be capable of simulating 100 access points at once.

The "access points" created by this application do show up in Windows, on Kismet and in stumbler applications.

Future ideas

  • Initially simulate a small number of APs, but dynamically add them based on what probes we see.
  • Detect existing "real" APs and simulate "evil twin" points with the same ESSID, encryption settings and MAC manufacturer.
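The beacon and probe behaviour described under "Current status", and the "evil twin" idea above, are exactly what a wireless IDS looks for from the defending side: a sudden burst of new BSSIDs, and one ESSID advertised from several hardware vendors. The following Python is an added example, not code from the Wifi fake AP project. It parses the beacon fields a detector needs (BSSID, SSID, DS channel, beacon interval) out of raw 802.11 management frames, then runs two checks over a constructed capture. The frame builder, BSSIDs, SSIDs, thresholds and timings are all constructed for the example; the 100 TU beacon interval is the one that gives the roughly ten beacons per second mentioned on this page.

```python
import struct
from collections import defaultdict

# Constructed sample data throughout; nothing below is captured from a real network.
MGMT_HDR = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1, addr2, addr3, seq ctrl
BEACON_FIXED = struct.Struct("<QHH")      # timestamp, beacon interval (TU), capability info
TAG_SSID, TAG_DS = 0, 3                   # tagged-parameter ids: SSID, DS parameter set (channel)


def build_beacon(bssid, ssid, channel, seq=0):
    """Assemble a beacon frame for the test corpus (constructed data for the detector below)."""
    fc = 0x0080  # low byte: version 0, type 0 (management), subtype 8 (beacon)
    hdr = MGMT_HDR.pack(fc, 0, b"\xff" * 6, bssid, bssid, seq << 4)  # broadcast DA, SA = BSSID
    fixed = BEACON_FIXED.pack(0, 100, 0x0001)  # 100 TU = 102.4 ms, i.e. ~10 beacons/s; ESS bit set
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([TAG_DS, 1, channel])
    return hdr + fixed + tags


def parse_beacon(frame):
    """Extract the fields a detector needs from a beacon. Returns None for anything else."""
    if len(frame) < MGMT_HDR.size + BEACON_FIXED.size:
        return None
    fc, _dur, _da, _sa, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0xFF) != 0x80:  # version 0, management type, beacon subtype
        return None
    _ts, interval, _cap = BEACON_FIXED.unpack_from(frame, MGMT_HDR.size)
    ssid, channel = None, None
    off = MGMT_HDR.size + BEACON_FIXED.size
    while off + 2 <= len(frame):  # walk the tag/length/value elements
        tag, length = frame[off], frame[off + 1]
        data = frame[off + 2: off + 2 + length]
        if len(data) < length:
            break  # truncated element: stop rather than read past the buffer
        if tag == TAG_SSID:
            ssid = data.decode("utf-8", "replace")
        elif tag == TAG_DS and length == 1:
            channel = data[0]
        off += 2 + length
    return {"bssid": bssid, "ssid": ssid, "channel": channel, "interval_tu": interval}


def find_anomalies(events, window_s=5.0, max_new_bssids=20):
    """events: iterable of (time_seconds, raw_frame), in time order.
    Flags (a) a beacon flood: more than max_new_bssids distinct BSSIDs first seen
    inside window_s, and (b) evil-twin candidates: one SSID advertised by BSSIDs
    from more than one OUI. Thresholds are illustrative assumptions."""
    first_seen, ssid_ouis, reported = {}, defaultdict(set), set()
    alerts, flood_reported = [], False
    for t, frame in events:
        b = parse_beacon(frame)
        if b is None or b["ssid"] is None:
            continue
        first_seen.setdefault(b["bssid"], t)
        recent = [x for x in first_seen.values() if t - x <= window_s]
        if len(recent) > max_new_bssids and not flood_reported:
            alerts.append(("beacon_flood", len(recent)))
            flood_reported = True
        oui = b["bssid"][:3]
        known = ssid_ouis[b["ssid"]]
        if known and oui not in known and b["ssid"] not in reported:
            alerts.append(("evil_twin_candidate", b["ssid"]))
            reported.add(b["ssid"])
        known.add(oui)
    return alerts


def sample_capture():
    """Constructed corpus: one legitimate AP beaconing at ~10/s, then 30 simulated APs
    (one of them reusing the real SSID from a different OUI) appearing at t=2.0 s."""
    events = []
    real = bytes.fromhex("00c0ca000001")  # constructed BSSID, OUI 00:c0:ca
    for i in range(30):
        events.append((i * 0.1024, build_beacon(real, b"CoffeeShop", 6, seq=i)))
    for n in range(30):
        fake = bytes.fromhex("0203040000") + bytes([n])  # constructed, locally administered OUI
        ssid = b"CoffeeShop" if n == 0 else b"FreeWifi-%02d" % n
        events.append((2.0 + n * 0.01, build_beacon(fake, ssid, 6)))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for alert in find_anomalies(sample_capture()):
        print(alert)
```

The two checks are deliberately independent of signal strength, which the page notes a flood can abuse: the flood check keys on how many BSSIDs are first seen per window, and the twin check keys on OUI diversity behind one SSID, so a single laptop announcing many BSSIDs from one OUI trips the first rule while a cloned SSID trips the second. Running the block prints the evil-twin candidate first (it appears at t=2.0) and then the flood alert once the 21st BSSID is seen.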

System requirements

  • Linux on ia32 with Wireless Extensions
  • A wifi interface which supports packet injection; only tested with the Atheros MadWifi driver.
  • The interface must be in "Monitor mode". That's not a problem on Atheros, as you can have several virtual interfaces, so it won't interfere with anything else you're doing.
  • Kismet's channel hopping is not helpful here: if Kismet is run concurrently on the same interface, channel hopping must be disabled.

Other things

  • This has been done before, but not very well. Mine is better and I made it!

Mark
