Comments on Mathy Vanhoef: Advanced WiFi Attacks Using Commodity Hardware

(7 comments, listed in chronological order)

Anonymous (https://www.blogger.com/profile/09408503129820061937), 2015-10-26 22:16 (+01:00):

Would it be possible to send a copy of the source for the unfair channel usage & constant jamming implementation?
Please contact me on github.com, user "theblackrabbit" (horo.inukami@gmail.com).

Much appreciated!

Mathy (https://www.blogger.com/profile/12266874794108836514), 2015-10-27 10:06 (+01:00):

You can request the code by sending a mail to my KU Leuven email address (you should be able to easily find it). Include a brief explanation of why you want to use the constant jammer.

Anonymous, 2015-12-10 10:59 (+01:00):

Interesting. It is about time to find a card that has support for 'bpf' in firmware with auto-response (fairly common for 'off-loaded' features like NS and ARP while the host/computer is sleeping) and craft a nifty huge response when the address fields match; this reduces the whole delay of capturing in monitor mode, inspection on the CPU and then sending it back off with TX. Have you experimented with disabling CSMA? All WiFi chips have ED and CS detection thresholds as a 'programmable' configuration.

Rose (http://www.pccenter.online), 2016-06-18 09:20 (+02:00):

Amazing writings from you. I have learned a lot from this article. Your videos were also great.

yar1k, 2017-08-15 21:18 (+02:00):

Hi. Many thanks for the work done.
I am trying to work with modwifi and it does not work...

What equipment I use:
1. TLWN722N v.1 + notebook HP, Host Debian jessie + VMware 12.5 + Xubuntu-Modwifi (official image)

2. TLWN722N v.1 (another adapter, but also v.1 - atheros chip) + PC Asus, Host Windows 7 + VMware 12.5 + Xubuntu-Modwifi (official image)

3. TLWN722N v.1 + notebook HP, Host Debian jessie + Virtualbox + Xubuntu; I installed the system with kernel 4.4 + modwifi-4.4-1.tar.gz (installed according to the official manual, the drivers (fw) are replaced!)

In all cases the situation is identical.
When connecting (by transferring the adapter from the host machine to the guest):

-----dmesg-skip-start-----
[ 87.396805] usb 2-1: new full-speed USB device number 2 using uhci_hcd
[ 88.457141] usb 2-1: New USB device found, idVendor=0e0f, idProduct=0003
[ 88.457171] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 88.457197] usb 2-1: Product: VMware Virtual USB Mouse
[ 88.457221] usb 2-1: Manufacturer: VMware
[ 88.567773] hidraw: raw HID events driver (C) Jiri Kosina
[ 88.587309] usbcore: registered new interface driver usbhid
[ 88.587332] usbhid: USB HID core driver
[ 88.590842] usb 2-2: new full-speed USB device number 3 using uhci_hcd
[ 88.603026] input: VMware VMware Virtual USB Mouse as /devices/pci0000:00/0000:00:11.0/0000:02:00.0/usb2/2-1/2-1:1.0/input/input4
[ 88.613990] hid-generic 0003:0E0F:0003.0001: input,hidraw0: USB HID v1.10 Mouse [VMware VMware Virtual USB Mouse] on usb-0000:02:00.0-1/input0
[ 88.731601] usb 2-2: New USB device found, idVendor=0e0f, idProduct=0002
[ 88.731610] usb 2-2: New USB device strings: Mfr=0, Product=1, SerialNumber=0
[ 88.731614] usb 2-2: Product: VMware Virtual USB Hub
[ 88.740782] hub 2-2:1.0: USB hub found
[ 88.742689] hub 2-2:1.0: 7 ports detected
[ 1264.563100] usb 1-1: new high-speed USB device number 6 using ehci-pci
[ 1264.898240] usb 1-1: New USB device found, idVendor=0cf3, idProduct=9271
[ 1264.898269] usb 1-1: New USB device strings: Mfr=16, Product=32, SerialNumber=48
[ 1264.898308] usb 1-1: Product: USB2.0 WLAN
[ 1264.898334] usb 1-1: Manufacturer: ATHEROS
[ 1264.898358] usb 1-1: SerialNumber: 12345
[ 1264.916641] usb 1-1: ath9k_htc: Firmware htc_9271.fw requested
[ 1265.269131] usb 1-1: ath9k_htc: Transferred FW: htc_9271.fw, size: 51040
[ 1265.545357] ath9k_htc 1-1:1.0: ath9k_htc: HTC initialized with 33 credits
[ 1266.457978] ath9k_htc 1-1:1.0: ath9k_htc: FW Version: 1.4
[ 1266.458102] ath: EEPROM regdomain: 0x809c
[ 1266.458123] ath: EEPROM indicates we should expect a country code
[ 1266.458174] ath: doing EEPROM country->regdmn map search
[ 1266.458201] ath: country maps to regdmn code: 0x52
[ 1266.458240] ath: Country alpha2 being used: CN
[ 1266.458252] ath: Regpair used: 0x52
[ 1266.543701] ieee80211 phy0: Atheros AR9271 Rev:1
[ 1266.543942] cfg80211: Calling CRDA for country: CN
[ 1266.548917] systemd-udevd[2725]: renamed network interface wlan0 to wlan1
[ 1266.562933] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 1266.681207] cfg80211: Regulatory domain changed to country: CN
[ 1266.681247] cfg80211: DFS Master region: unset
[ 1266.681384] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 1266.681445] cfg80211: (2402000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 1266.681453] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[ 1266.681454] cfg80211: (57240000 KHz - 59400000 KHz @ 2160000 KHz), (N/A, 2800 mBm), (N/A)
[ 1266.681455] cfg80211: (59400000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4400 mBm), (N/A)
[ 1266.681457] cfg80211: (63720000 KHz - 65880000 KHz @ 2160000 KHz), (N/A, 2800 mBm), (N/A)
-----dmesg-END-----

yar1k, 2017-08-15 21:19 (+02:00):

modwifi@ubuntu:~/modwifi/tools$ sudo rfkill unblock wifi
[sudo] password for modwifi:
modwifi@ubuntu:~/modwifi/tools$ sudo iw wlan1 set type monitor
modwifi@ubuntu:~/modwifi/tools$ sudo ifconfig wlan1 up
modwifi@ubuntu:~/modwifi/tools$ sudo iw wlan1 set channel 11
modwifi@ubuntu:~/modwifi/tools$ sudo ./reactivejam -i wlan1 -s "dom"
Jamming 02:1b:11:76:5c:80 SSID dom

 >> Press CTRL+C to exit <<

=========== JAMMING =============
=========== JAMMING =============
=========== JAMMING =============
...

It determined the AP MAC correctly!
At the same time, in the second terminal:

-----dmesg-skip-start-----
[ 1568.321135] ath9k_htc: Reactively jamming 2:1b:11:76:5c:80 for 30000 miliseconds
[ 1598.217716] ath9k_htc: Reactively jamming 2:1b:11:76:5c:80 for 30000 miliseconds
[ 1628.110949] ath9k_htc: Reactively jamming 2:1b:11:76:5c:80 for 30000 miliseconds
[ 1658.003324] ath9k_htc: Reactively jamming 2:1b:11:76:5c:80 for 30000 miliseconds
[ 1687.906342] ath9k_htc: Reactively jamming 2:1b:11:76:5c:80 for 30000 miliseconds
[ 1717.805230] ath9k_htc: Reactively jamming 2:1b:11:76:5c:80 for 30000 miliseconds
...

modwifi@ubuntu:~/modwifi/tools$ ip -s link ls wlan1
3: wlan1: mtu 1500 qdisc mq state UNKNOWN mode DEFAULT group default qlen 1000
    link/ieee802.11/radiotap 14:cc:20:19:38:cc brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    732832     1618     0       1604    0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
modwifi@ubuntu:~/modwifi/tools$

The TX statistics remain equal to 0.
The access point continues to work successfully.
Jamming does not work :(

Mathy (https://www.blogger.com/profile/12266874794108836514), 2017-08-16 16:11 (+02:00):

Hi yar1k,

Some general remarks.

First, the reactive jammer only targets beacons. Missed beacons will not show up in the TX statistics. I also doubt they will show up in the RX statistics.

Second, the jammer should be physically close to the victim, and the access point should be relatively far away. This is to assure the jammer can overpower the signal of the access point (in reference to the victim).

Finally, to confirm whether the reactive jammer is working, I recommend using another WiFi interface. Put it in monitor mode, right next to the victim. Then see whether beacons are received or corrupted.

- Mathy