Packet Injection
In order to attack a driver's beacon and probe response processing code, a
method of sending raw 802.11 frames to the device is needed. Although the
ability to send raw 802.11 packets is not a supported feature in most wireless
cards, many open-source drivers can be convinced to integrate support with a
small patch. A few even support it natively. Under the Linux operating
system, there is a wide range of hardware and drivers that support raw packet
injection. Unfortunately, each driver provides a slightly different interface
for accessing this feature. To support many different wireless cards, a
hardware-independent method for sending raw 802.11 frames is needed.
The solution is the LORCON library (Loss of Radio Connectivity), written by Mike
Kershaw and Joshua Wright. This library provides a standardized interface for
sending raw 802.11 packets through a variety of supported drivers. However, this
library is written in C and does not expose any Ruby bindings by default. To make it
possible to interact with this library from Ruby, a new Ruby extension (ruby-lorcon)
was created that interfaces with the LORCON library and exposes a simple
object-oriented interface. This wrapper interface makes it possible to send
arbitrary wireless packets from a Ruby script.
The easiest way to call the ruby-lorcon interface from a Metasploit
module is through a mixin. Mixins are used in the 3.0 version of the
Metasploit Framework to improve code reuse and allow any module to import a
rich feature set simply by including the right mixins. The mixin that exists
for LORCON provides three new user options and a simple API for opening the
interface, sending packets, and changing the channel.
Name      | Default | Required | Description
--------- | ------- | -------- | ------------------------------------------
CHANNEL   | 11      | yes      | The default channel number
DRIVER    | madwifi | yes      | The name of the wireless driver for lorcon
INTERFACE | ath0    | yes      | The name of the wireless interface
A Metasploit module that wants to send raw 802.11 packets should include the
Msf::Exploit::Lorcon mixin. When this mixin is used, a module can
make use of wifi.open() to open the interface and wifi.write()
to send packets. The user will specify the INTERFACE and
DRIVER options for their particular hardware and driver. The creation
of the 802.11 packet itself is left in the hands of the module developer.
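Since the mixin leaves frame construction to the module developer, the other side of the problem is what a driver's beacon and probe response code has to do with whatever arrives. The following is an added example (not code from the paper, LORCON or Metasploit): a strict Ruby parser for beacon/probe response frames whose every information element length is checked against the frame boundary and whose SSID is bounded to the 32 octets the standard allows, so a malformed frame is rejected rather than trusted. The sample frames at the bottom are constructed inline and the MAC addresses in them are made up.

```ruby
class MalformedFrame < StandardError; end
MAX_SSID_LEN = 32 # 802.11: an SSID element carries 0..32 octets

def mac_str(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

# frame: binary string holding the 24-byte MAC header plus management body.
# Returns header fields, the beacon fixed fields and the decoded IEs.
def parse_beacon(frame)
  raise MalformedFrame, 'shorter than 24-byte MAC header' if frame.bytesize < 24
  fc = frame.unpack1('v')                 # frame control, little endian
  type, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xf
  raise MalformedFrame, 'not a beacon or probe response' unless type == 0 && [5, 8].include?(subtype)
  body = frame.byteslice(24, frame.bytesize - 24)
  raise MalformedFrame, 'body shorter than fixed fields' if body.bytesize < 12
  timestamp, interval, cap = body.unpack('Q<vv')
  ies = []
  off = 12
  while off < body.bytesize
    raise MalformedFrame, "truncated IE header at offset #{off}" if body.bytesize - off < 2
    id, len = body.byteslice(off, 2).unpack('CC')
    # Never trust the length byte: the element must fit inside the received frame.
    raise MalformedFrame, "IE #{id}: length #{len} overruns frame" if off + 2 + len > body.bytesize
    raise MalformedFrame, "SSID length #{len} exceeds #{MAX_SSID_LEN}" if id == 0 && len > MAX_SSID_LEN
    ies << { id: id, value: body.byteslice(off + 2, len) }
    off += 2 + len
  end
  { subtype: subtype, da: mac_str(frame.byteslice(4, 6)), sa: mac_str(frame.byteslice(10, 6)),
    bssid: mac_str(frame.byteslice(16, 6)), timestamp: timestamp,
    beacon_interval: interval, capability: cap, ies: ies }
end

# nil for a well-formed frame, otherwise the reason it was rejected
def reject_reason(frame)
  parse_beacon(frame)
  nil
rescue MalformedFrame => e
  e.message
end

# Constructed sample frames (no radio involved) exercising the checks above.
def ie(id, value)
  [id, value.bytesize].pack('CC') + value
end
BEACON_HDR = [0x0080, 0].pack('vv') + ([0xff] * 6).pack('C*') + "\x00\x11\x22\x33\x44\x55".b * 2 + [0].pack('v')
FIXED = [0, 100, 0x0401].pack('Q<vv') # timestamp, beacon interval (TU), capability
SAMPLE_BEACON = BEACON_HDR + FIXED + ie(0, 'corpnet') + ie(1, "\x82\x84\x8b\x96".b) + ie(3, "\x0b".b)
OVERRUN_BEACON = BEACON_HDR + FIXED + [0, 200].pack('CC') + ('A' * 40) # length byte points past frame end
LONG_SSID_BEACON = BEACON_HDR + FIXED + ie(0, 'A' * 64) # fully present but over the 32-octet limit
```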