Sep. 5, 2008
So I finally had some great success running airbase-ng as a rogue AP. I ended up buying the Alfa AWUS036H, an excellent 500mW Realtek 8187 based card. I am running a virtual Gentoo system with the git version of the rtl8187 driver. The SKB BUF error messages from the aircrack-ng version of the driver were too annoying.
All in all I am very pleased with the setup, as it behaves consistently now (knowing the needed tweaks to get it running). I believe it performs as well as running an AP with the madwifi-ng karma kernel patches from digininja. Well, except for one thing. When changing the MAC address of the wifi card it doesn't really do such a good job anymore. For some reason most clients fail to associate; some still do, but there's a considerable drop in the number of connecting clients.
I have tried to change the MAC using both ifconfig and simply specifying the -a option to airbase-ng. Sniffing the traffic using another wifi card shows a lot of probe requests and responses being re-sent, but no requests to associate. From my initial checks I do not see any difference in the requests or responses apart from the "Frame check sequence" and the MAC, of course. But then again, I haven't put that much time into it.
ANY insight into why this happens, and whether I am missing something REALLY obvious, would be great. I will file a bug report in the aircrack-ng TRAC system once I collect and clean the relevant packet traces.
Posted by Patrik in Security | No Comments
Aug. 27, 2008
OK so I've been able to get things running quite smoothly now. I cracked my Linksys WUSB54GC card open and soldered a pigtail connector to it according to the following photo: http://www.josepino.com/other_projects/antenna/usb-antenna.jpg. I also added txPowerTuning=36 as an option to the rt73 driver, which I believe did make things somewhat better.
What remains in order to get a good solid environment running is a better wifi card with a lot better transmit power, which I've ordered from the UK today. Hopefully it will be here by Monday so my friend and I can do some more tests over a beer or two.
Posted by Patrik in Security | 2 Comments
Aug. 22, 2008
I have had some better luck with airbase-ng the last few days, most likely due to a combination of factors.
For starters I (once more) ripped apart my USB adapter and de-soldered my external antenna cable and found a better spot for it. The new re-fitted antenna works a lot better now and actually picks up quite a few new networks (and clients of course).
Another change I made was to switch the wireless drivers to the ones available from the git kernel sources which for the moment seem to work better than the previous ones.
I still believe in the airbase-ng concept of a user-mode AP which works with many different chipsets and is not that dependent on driver patches. However, in order to switch away from the madwifi patches it has to work at least as well as they do, and with a USB wifi interface.
Once I get things running I'll post my setup here. If someone has already done so, please drop me a line with your setup including hardware.
Posted by Patrik in Security | No Comments
Aug. 20, 2008
I recently purchased a new Asus eee 900, as I dropped my previous lovely pink 700 on the floor, breaking the screen.
Due to its small size I thought it could be suitable for carrying around while performing wireless assessments. This led me to setting it up as both a scanning/monitoring device using the built-in wireless interface and a fake access point. Kismet basically ran out of the box, while the fake access point took some more work.
As a friend told me about the airbase-ng project I thought I would give it a shot...
Posted by Patrik in Security | 2 Comments
May. 28, 2008
So, we had yet another OWASP meeting here in Stockholm, Sweden yesterday. I must say I was pleased to see that so many people took the time to attend and listen to us three speakers.
I held yet another speech on SQL injection and yet again overestimated my ability to deliver slides at a pace of 0.78 minutes per slide. Skipping through a few of them gave me just the little time I needed to finish up with a short demo.
After a few requests for the presentation I decided to put it online together with the small DNS server and sample code I used to demonstrate the DNS-channeling parts.
The DNS server has a brief help text describing each parameter. Basically, in order to try it out, it needs to be run on either:
- An authoritative DNS server in the zone against which we are tunneling our queries. Please note that in the event of a zone having multiple DNS servers assigned to it, all queries will NOT end up at the same resolver.
- On the host assigned as the DNS server on the victim DB server
When starting the dns_server.pl script, a zone for which it answers queries needs to be specified. This is done with the "-q" option. In my cheat sheet I am using the zone inj.cqure.net and therefore need to start the DNS server like this: ./dns_server.pl -q inj.cqure.net
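The flip side of the DNS-channeling demo above is spotting it on the authoritative server's query log: data smuggled out through SQL injection shows up as queries whose leftmost label is an encoded blob under the zone. The following is an added example, not code from the post or from dns_server.pl, that parses constructed BIND-style query-log lines for the zone inj.cqure.net used in the cheat sheet, flags labels that look like hex-encoded data (length, hex-only alphabet, Shannon entropy), and then groups the hits by querying client. The log format, thresholds and sample lines are assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Zone from the post's cheat sheet; the server only answers for queries under it.
ZONE = "inj.cqure.net"

# Constructed BIND-style query-log lines (not taken from the original post).
# 10.0.0.9 sends hex-encoded blobs as subdomains; the other clients look normal.
SAMPLE_LOG = """\
client 10.0.0.5#53412: query: www.inj.cqure.net IN A +
client 10.0.0.5#53413: query: mail.inj.cqure.net IN MX +
client 10.0.0.9#40001: query: 73656c65637420757365722066726f6d.inj.cqure.net IN A +
client 10.0.0.9#40002: query: 2073797361646d696e7320776865726520.inj.cqure.net IN A +
client 10.0.0.9#40003: query: 4e414d45203d2027736127.inj.cqure.net IN A +
client 10.0.0.7#51000: query: ftp.inj.cqure.net IN A +
"""

# Assumed log line shape: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
HEX_RE = re.compile(r"[0-9a-f]+")


def parse_query_log(text):
    """Turn raw log text into a list of {src, qname, qtype} records."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def leftmost_label(qname, zone):
    """Return the labels to the left of the zone, or None if qname is outside it."""
    q = qname.rstrip(".").lower()
    if q == zone or not q.endswith("." + zone):
        return None
    return q[: -(len(zone) + 1)]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def label_reasons(label, min_len=16):
    """Heuristic reasons a subdomain label looks like smuggled data; empty if it looks benign."""
    first = label.split(".")[0]
    reasons = []
    if len(first) >= 24:
        reasons.append("long label")
    if len(first) >= min_len and HEX_RE.fullmatch(first):
        reasons.append("hex-only label")
    if len(first) >= min_len and shannon_entropy(first) >= 3.0:
        reasons.append("high entropy")
    return reasons


def analyse(text, zone=ZONE):
    """Return the flagged queries under zone, each with the client and the reasons."""
    flagged = []
    for rec in parse_query_log(text):
        label = leftmost_label(rec["qname"], zone)
        if label is None:
            continue
        reasons = label_reasons(label)
        if reasons:
            flagged.append({"src": rec["src"], "qname": rec["qname"], "reasons": reasons})
    return flagged


def suspicious_sources(flagged, min_hits=3):
    """Clients with at least min_hits flagged queries, as (src, hits) pairs, most hits first."""
    hits = defaultdict(int)
    for f in flagged:
        hits[f["src"]] += 1
    return sorted(((s, c) for s, c in hits.items() if c >= min_hits), key=lambda x: -x[1])


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for f in found:
        print(f["src"], f["qname"], ", ".join(f["reasons"]))
    print("sources over threshold:", suspicious_sources(found))
```

The per-client grouping matters more than any single label: one odd-looking query is noise, but a burst of distinct encoded labels from the same resolver against a zone that has no legitimate subdomains of that shape is the signal. In a real deployment the same logic would be fed from the resolver's query log rather than the constructed string, and the thresholds tuned to the zone's normal naming.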
A zip-file containing the PDF presentation, a subset of the cheat sheet I used and my small DNS server is available for download from here.
Feel free to drop me a line if you have any questions.