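## bsdfap - Modified by SolarfluX - Based on:
#
# fakeap - Create fake 802.11b Access Points
# Stuart Stock and Ken Beames, Black Alchemy Weapons Lab
# $Id: fakeap.pl,v 1.3 2002/08/31 20:56:42 shstock Exp $
#
# Copyright (c) 2002 Black Alchemy Enterprises.  All rights reserved.
# This code is released under the GNU Public License.
# --------------------------------------------------------------------
# Notes:
#
# Requires the CVS version (as of 7/31/2002) of the Prism2/2.5/3 Host AP
# driver to switch BSSID (MAC address).  If you use an older version,
# the MAC address change will appear to work, but the beacons will retain
# the original address.  (DOES NOT APPLY TO BSD)
#
## The maximum number of characters that can be used to set the SSID/nwid
## (for @words) is 32

use strict;
use warnings;
use Getopt::Long;
use Time::HiRes;

# Command-line options, filled in by GetOptions() in the main section.
# Declared as file-scoped lexicals instead of the obsolete `use vars`
# pragma; each stays undef until the matching switch is given.
my $sleep_opt;        # -s N          seconds between changes
my $channel_opt;      # -c X          static channel
my $mac_opt;          # -m XX:XX...   static MAC address
my $nwid_opt;         # -n NAME       static SSID/nwid
my $words_opt;        # -wo FILE      wordlist for SSID generation
my $interface_opt;    # -i interfaceX (required)
my $vendors_opt;      # -v FILE       vendor MAC prefix list
my $wep_opt;          # -we N         probability of WEP, 0 < N <= 1
my $key_opt;          # -k KEY        WEP key, passed raw to wicontrol
my $power_opt;        # -p N          upper bound for TX power (mW)

# Retained from the original fakeap; only the commented-out original
# gen_channel() refers to it, the BSD version derives its range from @freq.
my $MAX_CHANNEL = 11;    # FCC (U.S.A.) - Change for other regions.

# External tools.  Every call site invokes these with list-form system(),
# so interface names, keys and MACs taken from the command line are passed
# as single arguments and never go through a shell.
my $WICONTROL = "/sbin/wicontrol";                      ## CHANGED
my $IFCONFIG  = "/sbin/ifconfig";                       # Change as needed
my $CRYPTCONF = "/usr/local/bin/hostap_crypt_conf";     # Change as needed

# Default SSID/nwid candidates; replaced wholesale by -wo FILE.
my @words = (
    "Access Point",  "tsunami",       "host",          "airport",
    "linksys",       "Default",       "Senao",         "cisco",
    "aironet",       "d-link",        "netstumblereh?", "wardrive-this",
    "biteme",        "AVAYA",         "Enterasys",     "Lucent",
    "ORiNOCO",       "WAP11",         "ap1k",          "AP-1000",
    "hackme",        "null"
);

# Default vendor MAC prefixes (first three octets, trailing colon included);
# replaced wholesale by -v FILE.
my @vendors = ( "00:00:0C:", "00:00:CE:", "00:00:EF:", "00:40:AC:", "FF:FF:FF:" );

## NEW CODE ##
## Array for mapping frequencies to channels, as BSD takes frequencies as
## arguments for wicontrol
##
# NOTE(review): in this file @freq is only ever read for its length
# (gen_channel uses the entry count); the frequency values themselves are
# never passed to wicontrol -- confirm against the wicontrol -f semantics.
my @freq = qw[ 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 ];

# catch ctrl-c
#
$SIG{INT} = \&int_catcher;

# int_catcher
#
# args: none
# rets: none
#
# Signal catcher.  Prints message and exits.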
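sub int_catcher {
    print "\n";
    print "-------------------------------------------------------------------------------\n";
    print "Run complete\n\n";
    exit;
}

# usage
#
# args: none
# rets: none
#
# Prints the usage text.  It does not exit; the caller decides that.
sub usage {
    print "Usage: bsdfap.pl -i interfaceX [-c X] [-m XX:XX...]\n";
    print " [-n NAME] [-wo WORDFILE] [-s N] [-v VENDORFILE]\n";
    print " [-we N] [-k KEY] [-p N]\n\n";
    print " -c X Use static channel X\n";
    print " -n NAME Use static SSID NAME\n";
    print " -m XX:XX... Use static MAC address XX:...\n";
    print " -wo FILE Use FILE to create SSIDs \n";
    print " -s N Sleep N sec between changes, default 0.25\n";
    print " -v FILE Use FILE to define vendor MAC prefixes \n";
    print " -we N Use WEP with probability N where 0 < N <= 1\n";
    print " -k KEY Use KEY as the WEP key. Passed raw to wicontrol\n";
    print " -p N Vary TX power between 1 and N. In milliwatts\n";
    print "\n";
    return;
}

# load_words
#
# args: none
# rets: none
#
# Load the user-specified wordlist ($words_opt) into @words, one SSID per
# line.  Blank lines and lines longer than the 32-character SSID/nwid
# limit are skipped with a warning.  Dies if the file cannot be opened or
# yields no usable words.
sub load_words {
    @words = ();

    # Three-argument open: the filename comes straight from the command
    # line and must not be able to smuggle in an open mode or pipe, which
    # the original two-argument form ("<$words_opt") allowed.
    open( my $fh, '<', $words_opt ) or die "Could not open $words_opt: $!\n";
    while ( my $line = <$fh> ) {
        chomp $line;
        next if $line eq '';
        if ( length $line > 32 ) {
            warn "Skipping '$line': SSID/nwid is limited to 32 characters\n";
            next;
        }
        push @words, $line;
    }
    close $fh;

    die "No usable words found in $words_opt\n" if not @words;
    return;
}

# load_vendors
#
# args: none
# rets: none
#
# Loads the vendor MAC prefix file ($vendors_opt) into @vendors.  Each
# usable line starts with three colon-separated hex octets; the prefix is
# stored with a trailing colon so gen_mac() can append the last three
# octets directly.  Lines that do not match are skipped with a warning
# (the original pushed "$1:" unconditionally, so a non-matching line
# re-used the previous line's capture).
sub load_vendors {
    @vendors = ();

    # Three-argument open for the same reason as in load_words().
    open( my $fh, '<', $vendors_opt ) or die "Could not open $vendors_opt: $!\n";
    while ( my $line = <$fh> ) {
        chomp $line;
        if ( $line =~ m{ \A (?<prefix> [0-9A-Fa-f]{2} : [0-9A-Fa-f]{2} : [0-9A-Fa-f]{2} ) }x ) {
            push @vendors, "$+{prefix}:";
        }
        elsif ( $line ne '' ) {
            warn "Ignoring malformed vendor line: $line\n";
        }
    }
    close $fh;

    die "No usable vendor prefixes found in $vendors_opt\n" if not @vendors;
    return;
}

# gen_nwid
#
# args: none
# rets: scalar string $word
#
# Returns a string suitable for use as an SSID/nwid.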
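# Picks it randomly from @words.
sub gen_nwid {
    # rand(scalar @words) is in [0, scalar @words), so every index is
    # reachable.  The original `int(rand $#words) + 1` never yielded
    # index 0 (the closing notes of this file mention an entry being
    # skipped).
    return $words[ int( rand( scalar @words ) ) ];
}

# gen_channel
#
# args: none
# rets: scalar int $channel
#
# Returns a number between 1 and the number of entries in @freq.
## ORIGINAL CODE ##
##sub gen_channel {
##    return int( rand $MAX_CHANNEL ) + 1;
##}

## NEW CODE ##
## Uses the frequency array to obtain the channel number
##
# Only the length of @freq matters here; the frequency values are not
# looked up.
sub gen_channel {
    return int( rand( scalar @freq ) ) + 1;
}

# gen_power
#
# args: none
# rets: scalar $power -- int between 1 and $power_opt, or the string
#       "Def" when -p was not given
sub gen_power {
    return int( rand $power_opt ) + 1 if $power_opt;
    return "Def";
}

# gen_mac
#
# args: none
# rets: scalar string $mac
#
# Returns a random MAC address with first three octets from @vendors
# and the last three octets being random.
sub gen_mac {
    # Every vendor prefix is reachable; the original `int(rand $#vendors)`
    # never picked the last entry.
    my $prefix = $vendors[ int( rand( scalar @vendors ) ) ];
    return sprintf( "%s%02X:%02X:%02X",
        $prefix, int( rand 256 ), int( rand 256 ), int( rand 256 ) );
}

# pick_wep
#
# args: none
# rets: string Y|N
#
# Returns N if $wep_opt is not set, otherwise returns Y with
# probability $wep_opt.  Unlike the original this does not overwrite an
# unset $wep_opt with 0; every caller only tests it for truth.
sub pick_wep {
    my $probability = $wep_opt || 0;
    return ( rand(1) < $probability ) ? "Y" : "N";
}

################################################################
#
# Main
#
##print "fakeap 0.3.1 - Wardriving countermeasures\n";
##print "Copyright (c) 2002 Black Alchemy Enterprises.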
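##      All rights reserved\n\n";
print "\n";

# _run_cmd
#
# args: list -- program path followed by its arguments
# rets: true if the command exited 0, false otherwise
#
# Runs a command in list form (no shell, so interface names, keys and MAC
# addresses taken from the command line are each a single argument) and
# warns when it fails.  Failures are deliberately non-fatal: the original
# ignored system()'s return value and kept cycling.
sub _run_cmd {
    my (@cmd) = @_;
    my $status = system(@cmd);
    return 1 if $status == 0;

    my $reason = ( $status == -1 )
        ? "could not execute: $!"
        : "exit status " . ( $status >> 8 );
    warn "$cmd[0] failed ($reason)\n";
    return 0;
}

GetOptions(
    "channel=i"   => \$channel_opt,
    "nwid=s"      => \$nwid_opt,
    "words=s"     => \$words_opt,
    "mac=s"       => \$mac_opt,
    "sleep=s"     => \$sleep_opt,
    "power=i"     => \$power_opt,
    "wep=s"       => \$wep_opt,
    "key=s"       => \$key_opt,
    "interface=s" => \$interface_opt,
    "vendors=s"   => \$vendors_opt
) or do { usage(); exit 1; };

# Argument checks.  The original relied on print()'s return value in
# `usage() and exit`; call usage() and exit explicitly instead.
if ( not $interface_opt ) {
    usage();
    exit 1;
}
if ( $words_opt and $nwid_opt ) {    # mutually exclusive
    usage();
    exit 1;
}

# -s, -we and -c are parsed as strings/ints but used as numbers; reject
# values that would otherwise only surface as "isn't numeric" warnings
# inside the loop.
my $number_re = qr{ \A \d+ (?: \. \d+ )? \z }x;
if ( defined $sleep_opt and $sleep_opt !~ $number_re ) {
    die "-s expects a non-negative number of seconds, got '$sleep_opt'\n";
}
if ( defined $wep_opt
    and ( $wep_opt !~ $number_re or $wep_opt <= 0 or $wep_opt > 1 ) ) {
    die "-we expects a probability N where 0 < N <= 1, got '$wep_opt'\n";
}
if ( defined $channel_opt
    and ( $channel_opt < 1 or $channel_opt > $MAX_CHANNEL ) ) {
    die "-c expects a channel between 1 and $MAX_CHANNEL, got $channel_opt\n";
}

print "Using interface $interface_opt:\n";
print "Sleeping $sleep_opt sec\n"              if $sleep_opt;
print "Static channel $channel_opt\n"          if $channel_opt;
print "Static SSID $nwid_opt\n"                if $nwid_opt;
print "Static MAC $mac_opt\n"                  if $mac_opt;
print "Generating SSIDs from $words_opt\n"     if $words_opt;
print "Using WEP with probability $wep_opt\n"  if $wep_opt;
print "Using supplied WEP key $key_opt\n"      if $key_opt;
print "Vary TX power up to $power_opt\n"       if $power_opt;

load_words() if $words_opt;
# scalar @words is the count; the original printed $#words (count - 1).
print "Using " . scalar(@words) . " words for SSID generation\n";

load_vendors() if $vendors_opt;
print "Using " . scalar(@vendors) . " vendors for MAC generation\n";

print "-------------------------------------------------------------------------------\n";

# The delay never changes inside the loop, so resolve it once.  A -s of
# "0" still falls back to 0.25, as in the original.
my $sleep = $sleep_opt || 0.25;

my $iteration = 0;
while (1) {
    my $nwid    = $nwid_opt    || gen_nwid();
    my $channel = $channel_opt || gen_channel();
    my $mac     = $mac_opt     || gen_mac();
    my $wep     = pick_wep();
    my $power   = gen_power();

    # NOTE(review): $CRYPTCONF (hostap_crypt_conf) is a Linux Host AP
    # utility; the closing notes say the WEP option does not work on BSD.
    if ($wep_opt) {
        if ( $wep eq "N" ) {
            _run_cmd( $CRYPTCONF, "-p", $interface_opt, "ff:ff:ff:ff:ff:ff", "none" );
        }
        else {
            _run_cmd( $WICONTROL, $interface_opt, "key",
                ( $key_opt ? $key_opt : "s:fakeap" ), "open" );
        }
    }

    ## ORIGINAL LINUX SETTINGS ##
    ## system( $IWCONFIG, $interface_opt, "ESSID", $essid );
    ## system( $IWCONFIG, $interface_opt, "channel", $channel );
    ## system( $IFCONFIG, $interface_opt, "hw", "ether", $mac );
    ## system( $IWCONFIG, $interface_opt, "txpower", $power . "mW" ) if $power_opt;

    # Printed before the settings are applied so the display matches what
    # wicontrol reports (see the notes at the end of this file).
    printf( "%i: SSID=%-15s CH=%02i PWR=%-3s WEP=%s MAC=%s\n \r",
        $iteration, $nwid, $channel, $power, $wep, $mac );

    ## NEW BSD SETTINGS ##
    _run_cmd( $IFCONFIG,  $interface_opt, "nwid", $nwid, "up" );
    _run_cmd( $WICONTROL, $interface_opt, "-m",   $mac );
    _run_cmd( $WICONTROL, $interface_opt, "-f",   $channel );

    Time::HiRes::sleep($sleep);
    $iteration++;
}

##
## bsdfap NOTES:
##
## Modified for OpenBSD 3.2...  It should work with NetBSD; FreeBSD may need
## additional tweaking
##
## $ssid changed to $nwid due to BSD's use of nwid in wicontrol
##
## Shortened switches for ease of use
##
## If it complains about certain Perl modules, you'll have to download and
## install them...
##
## WEP option does not work (someone can pick this up and run with it)
##
## txpower is not supported by wicontrol, therefore removed
##
## 'my @words' ("null") and 'my @vendors' ("FF:FF:FF:"): the last value in each
## list is skipped; needs fixing (Same thing happens when using
## word/vendorlists)
##
## Fixed annoyances like lag in values displayed with respect to true values
## (confirmed with wicontrol and dstumbler), due to the last printf statement
## being in the wrong place; also, the output display width was too narrow.
##
## 'man wicontrol' for more info on configuring your wireless card
##
## Change 'wicontrol' where appropriate to 'ancontrol' if using Cisco Aironet
## cards
##
## Download the original package from http://www.blackalchemy.to/project/fakeap/
## to get the original fakeap.pl and sample wordlists and vendorlists
##
## Run 'diff bsdfap.pl fakeap.pl' to see all the changes made
##
## If you catch me on a good day, I just might help you with tweaking it...
## Otherwise, 'you're on your own'...
##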