Tuesday, August 11, 2009

WiFish-Finder

I'm starting this blog with WiFish-Finder, a wireless client vulnerability assessment tool that has just been presented at Defcon 17.
http://www.defcon.org/html/defcon-17/dc-17-speakers.html#Ahmad

What the tool does: it reports the security and authentication settings of the SSIDs configured in a wireless client's PNL (Preferred Network List), and it does so without needing the key of any of those networks.

Before we go further and look at how the tool does it, we first need to understand the basics of how a wireless client connects to a network.
When a wireless client refreshes its wireless network list, it is presented with the wireless networks in the vicinity. This list is known as the ANL (Available Network List). It is populated from the beacons and probe responses sent by APs, in which they advertise their supported rates, security settings, etc. There is one more list, the PNL (Preferred Network List), which stores the configurations of the wireless networks the client has connected to in the past. The wireless interface keeps sending probe requests for the networks in its PNL (a probe request carries the SSID in the clear, whether or not that network is actually present), and if it gets a response for one of them, it tries to connect to that network.

Since we are interested in finding vulnerable clients, i.e. clients configured to connect to an open or weakly secured SSID, the tool focuses on the PNL. To learn the security settings of an SSID configured on a client, the tool has to capture an association request from that client, because only the association request carries this information (for a WPA/WPA2 profile it includes the client's RSN/WPA information element naming the cipher and authentication type it was configured with). But a client will not send an association request if the security settings the AP advertised in its probe response do not match the settings of the configured SSID profile.

So how the tool does it: it listens for probe requests and answers each one with a probe response. If no association request follows for that client/SSID pair, then the next time a probe request arrives for the same pair it changes the security settings advertised in the probe response. WiFish-Finder keeps cycling through settings until the client sends an association request; the setting that was accepted (together with the cipher and authentication details carried in the request itself) is the client's configuration for that SSID. Because the tool keeps its state per client per SSID, it can tell when the same SSID is configured with different security settings on different clients.
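To make the cycling concrete, here is an added example written for this post (not WiFish-Finder's own code, which is C and drives a real card). It models the per-client, per-SSID bookkeeping described above with the radio replaced by method calls, and it decodes the RSN information element an association request carries, which is the part the probe request never shows. The candidate list and its order, the labels, the SSIDs and the MAC addresses are assumptions made for the illustration; the RSN element layout and the suite selectors are from IEEE 802.11-2007, and the sample element is constructed by hand.

```python
# Added example, not WiFish-Finder's code: the per-client/per-SSID probe-response
# cycling from the post, modelled without a radio, plus a decoder for the RSN IE
# an association request carries. Candidate list, labels and MACs are assumed.
import struct
from typing import Dict, List, Optional, Tuple

# Settings offered in successive probe responses until the client associates
# (order is an assumption of this example; the real tool's list may differ).
CANDIDATES = ["open", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-802.1X"]

RSN_ELEMENT_ID = 48          # RSN IE element id (IEEE 802.11-2007, 7.3.2.25)
IEEE_OUI = b"\x00\x0f\xac"   # OUI of the standard cipher/AKM suite selectors
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}

# Constructed RSN IE of a WPA2-PSK/CCMP client: version 1, group CCMP,
# pairwise [CCMP], AKM [PSK], capabilities 0.
SAMPLE_RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")


def _suite_name(selector: bytes, table: Dict[int, str]) -> str:
    """Readable name for a 4-byte suite selector (OUI + type)."""
    if selector[:3] != IEEE_OUI:
        return "vendor-%s-%d" % (selector[:3].hex(), selector[3])
    return table.get(selector[3], "reserved-%d" % selector[3])


def parse_rsn_ie(ie: bytes) -> Dict[str, object]:
    """Decode version, group suite, pairwise suites and AKMs from an RSN IE.

    Counts come from the client's frame, so every read is bounds-checked and a
    truncated or mis-sized IE raises instead of reading past the buffer.
    """
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) - 2 < ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body, pos = ie[2:2 + ie[1]], 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated RSN IE at offset %d" % pos)
        pos += n
        return body[pos - n:pos]

    version = struct.unpack("<H", take(2))[0]
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _suite_name(take(4), CIPHER_SUITES)
    pairwise = [_suite_name(take(4), CIPHER_SUITES)
                for _ in range(struct.unpack("<H", take(2))[0])]
    akm = [_suite_name(take(4), AKM_SUITES)
           for _ in range(struct.unpack("<H", take(2))[0])]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


class WiFishModel:
    """Per (client MAC, SSID): settings offered so far and the one accepted."""

    def __init__(self, candidates: List[str] = CANDIDATES) -> None:
        self.candidates = list(candidates)
        self.offered: Dict[Tuple[str, str], List[str]] = {}
        self.result: Dict[Tuple[str, str], Optional[str]] = {}

    def on_probe_request(self, client: str, ssid: str) -> Optional[str]:
        """Setting to advertise in the probe response: the next candidate for an
        unresolved pair, None once it is resolved or every candidate was refused."""
        key = (client, ssid)
        offered = self.offered.setdefault(key, [])
        self.result.setdefault(key, None)
        if self.result[key] is not None or len(offered) >= len(self.candidates):
            return None
        offered.append(self.candidates[len(offered)])
        return offered[-1]

    def on_association_request(self, client: str, ssid: str,
                               rsn_ie: Optional[bytes] = None) -> str:
        """The client accepted the last offer. No key is needed: a WPA2 profile's
        RSN IE in the request already names the cipher and AKM, decoded here."""
        key = (client, ssid)
        if not self.offered.get(key):
            raise ValueError("association request without a prior probe exchange")
        label = self.offered[key][-1]
        if rsn_ie is not None:
            rsn = parse_rsn_ie(rsn_ie)
            label = "%s (pairwise %s, AKM %s)" % (
                label, "/".join(rsn["pairwise"]), "/".join(rsn["akm"]))
        self.result[key] = label
        return label


def simulate() -> Dict[Tuple[str, str], Optional[str]]:
    """Constructed trace: one SSID stored with different settings on two clients."""
    m = WiFishModel()
    c1, c2, c3 = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    for _ in range(4):                 # c1 refuses open, WEP, WPA-PSK; takes WPA2-PSK
        m.on_probe_request(c1, "CorpNet")
    m.on_association_request(c1, "CorpNet", SAMPLE_RSN_IE)
    m.on_probe_request(c2, "CorpNet")  # c2 stores CorpNet as open: first offer works
    m.on_association_request(c2, "CorpNet")
    for _ in range(len(CANDIDATES) + 1):   # c3 refuses everything; stays unresolved
        m.on_probe_request(c3, "GuestNet")
    return dict(m.result)
```

Running `simulate()` gives "WPA2-PSK (pairwise CCMP, AKM PSK)" for the first client, "open" for the second client on the same SSID, and None for the client that never associated, which is exactly the per-client, per-SSID distinction the post describes. Note that the decoder treats the association request as attacker-controlled input: the suite counts are read from the frame, so each read is bounds-checked rather than trusted.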
What you need to have:
1. A Linux machine with a wireless driver that supports packet injection in monitor mode (madwifi-ng).
2. A wireless card (Cisco a/b/g).

The tool is available for download here:
http://blog.airtightnetworks.com/wifish-finder/

If you run into any problem running this tool, please feel free to comment on this post; I will try to reply ASAP. The next version of the tool, which adds PEAP vulnerability detection, will be uploaded soon, and I will explain that feature when it is available.


3 comments:

  1. How do I install WiFish-Finder in BackTrack?
    I have tried, but it never works for me.

  2. I ran the make command and it returns the following:
    make -C osdep
    make[1]: Entering directory `/home/brian/Downloads/WiFishFinder-v0.2/osdep'
    Building for Linux
    make[2]: Entering directory `/home/brian/Downloads/WiFishFinder-v0.2/osdep'
    make[2]: `.os.Linux' is up to date.
    make[2]: Leaving directory `/home/brian/Downloads/WiFishFinder-v0.2/osdep'
    make[1]: Leaving directory `/home/brian/Downloads/WiFishFinder-v0.2/osdep'
    gcc -g -W -Wall -Werror -O3 -D_FILE_OFFSET_BITS=64 -Iinclude -c -o wifishfinder.o wifishfinder.c
    cc1: warnings being treated as errors
    wifishfinder.c: In function ‘main’:
    wifishfinder.c:3191: error: format not a string literal and no format arguments
    wifishfinder.c:3203: error: format not a string literal and no format arguments
    make: *** [wifishfinder.o] Error 1
    I get this error.
