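#!/usr/bin/ruby
# frozen_string_literal: true
########################################
#
# This code is part of the SANS/GIAC Gold Paper titled
#
# Programming Wireless Security
#
# by Robin Wood (dninja@gmail.com), accepted May 2008
#
# For more information you can find the paper in the "Wireless Access" section of the
# SANS Reading Room at http://www.sans.org/reading_room/ or at www.digininja.org
#
########################################
#
# Beacon-injection demo: brings the configured interface up, opens it with
# Lorcon in injection mode and transmits BEACON_COUNT copies of a hand-built
# 802.11 beacon frame advertising the ESSID "HelloWorld".
#
# Transmitting beacons (especially for a BSSID you do not own) is an
# unauthorised radio transmission in most jurisdictions; use only on
# equipment and spectrum you are permitted to test.
#
# Frame bytes are assembled as integer arrays and packed with Array#pack.
# The previous version concatenated single-quoted literals such as '\x80\x00';
# in Ruby single quotes do NOT process \x escapes, so those were the literal
# characters backslash-x-8-0 rather than the byte 0x80, and the resulting
# "beacon" was malformed.

$datastore = Hash.new("Unknown")
$datastore["INTERFACE"] = "athn0"
$datastore["CHANNEL"] = 11
$datastore["DRIVER"] = "madwifing"

# Maximum length of the SSID element value in octets (802.11).
MAX_ESSID_LENGTH = 32

# Number of copies of the beacon to transmit.
BEACON_COUNT = 1000

# Build a raw 802.11 beacon frame ready for Lorcon::Device#write.
#
# essid            - network name, at most MAX_ESSID_LENGTH bytes
# bss_id_addr      - 6-byte BSSID (Address 3)
# source_addr      - 6-byte transmitter address (Address 2)
# destination_addr - 6-byte receiver address (Address 1; broadcast for beacons)
# channel          - 1..14, advertised in the DS Parameter Set element
#
# Returns a binary (ASCII-8BIT) String.
# Raises ArgumentError when a length or the channel is out of range.
def beacon_frame(essid, bss_id_addr, source_addr, destination_addr, channel)
  # unpack("C*") yields raw octets regardless of the string's encoding, which
  # avoids Encoding::CompatibilityError when mixing binary and UTF-8 literals.
  essid_bytes = essid.unpack("C*")
  if essid_bytes.length > MAX_ESSID_LENGTH
    raise ArgumentError, "ESSID is #{essid_bytes.length} bytes, maximum is #{MAX_ESSID_LENGTH}"
  end

  addresses = [destination_addr, source_addr, bss_id_addr].map do |addr|
    octets = addr.unpack("C*")
    raise ArgumentError, "MAC address must be 6 bytes, got #{octets.length}" unless octets.length == 6
    octets
  end

  unless (1..14).include?(channel)
    raise ArgumentError, "channel must be in 1..14, got #{channel.inspect}"
  end

  bytes = []
  # --- MAC header ---
  bytes += [0x80, 0x00]                 # Frame Control: type 0 (management), subtype 8 (beacon), no flags
  bytes += [0x00, 0x00]                 # Duration/ID
  addresses.each { |octets| bytes += octets }  # Address 1 (DA), Address 2 (SA), Address 3 (BSSID)
  bytes += [0x90, 0x70]                 # Sequence Control; constant, so every copy reuses the same sequence number
  # --- Beacon fixed parameters ---
  bytes += [0x8a, 0xd1, 0xf7, 0x3c, 0x00, 0x00, 0x00, 0x00]  # Timestamp (constant value, not a live TSF)
  bytes += [0x64, 0x00]                 # Beacon Interval: 0x0064 = 100 TU
  bytes += [0x11, 0x04]                 # Capability Info 0x0411: ESS, Privacy, Short Slot Time.
                                        # Privacy is set but no RSN/WPA element follows, so
                                        # scanners will typically list this network as WEP.
  # --- Tagged parameters: element ID, length, value ---
  bytes += [0x00, essid_bytes.length] + essid_bytes                      # 0: SSID
  bytes += [0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x24, 0x30, 0x48, 0x6c]   # 1: Supported Rates
  bytes += [0x03, 0x01, channel]                                         # 3: DS Parameter Set (current channel)
  bytes += [0x05, 0x04, 0x02, 0x03, 0x00, 0x00]                          # 5: TIM
  bytes += [0x2a, 0x01, 0x00]                                            # 42: ERP Information
  bytes += [0x2f, 0x01, 0x00]                                            # 47: ERP Information (older duplicate ID)
  bytes += [0x32, 0x04, 0x0c, 0x12, 0x18, 0x60]                          # 50: Extended Supported Rates
  bytes += [0xdd, 0x06, 0x00, 0x10, 0x18, 0x02, 0x00, 0x00]              # 221: Vendor Specific (OUI 00:10:18)
  bytes.pack("C*")
end

begin
  require "Lorcon"
  @lorcon_loaded = true
rescue LoadError, StandardError => e
  # A missing extension raises LoadError, which a bare rescue would not catch;
  # unlike the former `rescue ::Exception`, this does not swallow Interrupt or SystemExit.
  @lorcon_loaded = false
  @lorcon_error = e
end

unless @lorcon_loaded
  puts "The Lorcon module is not available: #{@lorcon_error.to_s}"
  raise RuntimeError, "Lorcon not available"
end

interface = $datastore["INTERFACE"]
channel = $datastore["CHANNEL"]

# Argument-vector form of system(): the interface name never passes through a
# shell, so a hostile value in $datastore cannot inject commands.
unless system("ifconfig", interface, "up")
  warn "Warning: 'ifconfig #{interface} up' failed; injection will probably not work"
end

wifi = ::Lorcon::Device.new(interface, $datastore["DRIVER"])
# Check before configuring: the former code set fmode/channel first, so a nil
# device would have died with NoMethodError instead of this message.
unless wifi
  raise RuntimeError, "Could not open the wireless device interface"
end
wifi.fmode = "INJECT"
wifi.channel = channel       # was a hard-coded 11 that could drift from $datastore["CHANNEL"]
wifi.txrate = 2
wifi.modulation = "DSSS"

destination_addr = "\xff\xff\xff\xff\xff\xff"
source_addr = "\xee\xad\xde\xad\xde\xad"
bss_id_addr = "\x00\x1f\xb8\xff\xe2\x28"
essid = "HelloWorld"

# Same channel goes into the radio and into the DS Parameter Set element.
packet = beacon_frame(essid, bss_id_addr, source_addr, destination_addr, channel)

puts "About to transmit HelloWorld beacon"
BEACON_COUNT.times { wifi.write(packet) }
puts "Done"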