WEPWedgie is a toolkit for determining 802.11 WEP keystreams and injecting traffic with known keystreams. The toolkit also includes logic for firewall rule mapping, pingscanning, and portscanning via the injection channel and a cellular modem.
I uploaded the demo code from Defcon 11. I'm having some issues with the release note / changelog sourceforge stuff, so there is limited info in the sourcecode on how the tools work. Here's some more info in the interim.

Release Notes:

wepwedgie consists of two main programs at the moment.

- prgasnarf: looks for shared-key-auth sequences to derive an IV and PRGA. This can later be used as a packet keystream with the same IV.
- wepwedgie: injects frames encoded with the IV/PRGA from prgasnarf to a user-specified target and internet helper. The internet helper is a host that you own that will be monitoring the results from the injected traffic via the internet.

How to Run:

1 - Install airjack. The version included allows hostencrypt mode, which is needed for injecting WEP frames.
2 - make prgasnarf and wepwedgie
3 - ifconfig up aj0
4 - run prgasnarf and collect a shared-key auth sequence [prgasnarf -i aj0 -c 6]
5 - run wepwedgie from the same directory and specify your airjack int, channel, internet helper IP, the scan type, the dest MAC, and the target IP. [wepwedgie -i aj0 -c 6 -d destmac -t target_ip -h helper_ip -p helper_port]

Usage Notes:

1 - Determine the dest MAC address by watching an 802.11 sniffer. Look for the MAC that most of the traffic goes to; that is the local default gateway.
2 - enter IP addresses in hex format with : as a delimiter. 10.10.10.10 becomes 0a:0a:0a:0a.
3 - enter MAC values in hex format with : as a delimiter. ie -d 01:02:03:04:05:06
4 - enter port numbers in decimal. -p 80
5 - scan types: the firewall check scan injects some traffic to test the firewall. Use helper_ip [-h] as the test destination and the target as a spoofed source IP [-t]. The other scans use the target as the host to scan and the helper as the IP to forward responses to. The helper port is used to force all the responses to the internet helper to use a port that you've determined is allowed through the firewall [see scan type 1 above].
   -- 1 for firewall check
   -- 2 for tcp scan [port 0-1023]
   -- 3 for pingscan [iterate from 0-255 in last IP octet]
   -- 4 for udp scan [port 0-1023]
6 - watch for the response traffic with tcpdump or ethereal at your internet host. The next rev will have some helper monitoring tools to correlate the results and such.

-h dumps some parameter help info.

example:

- prgasnarf -i aj0 -c 1
- sniff the 802.11 network and try to determine what the default gateway MAC is for the 802.11 net you got a PRGA/IV for. Let's assume you observed that 01:02:03:04:05:06 is the MAC of the default gateway.
- wepwedgie -i aj0 -c 1 -d 01:02:03:04:05:06 -h 192.168.1.1 -t 10.10.10.1 -S 4 -p 53 will use aj0 and channel 1 to inject a UDP portscan against 10.10.10.1 and send the results to UDP port 53 at 192.168.1.1. It will use the MAC address of 01:02:03:04:05:06 to forward the traffic out of the 802.11 network.
- to see the portscan results, run tcpdump on the 192.168.1.1 host and look for traffic for port 53 as well as ICMP port unreachables. If you get a port 53 frame and no ICMP unreachable, then there is probably an active service on that port. You've now poked a hole in the firewall for that UDP service, so send whatever that service normally likes back to the source IP/port.

Known Bugs in this release:

-- wepwedgie injection sometimes requires an "ifconfig down aj0" to release all the frames. Only seems to be an issue on very idle networks.
-- prgasnarf sometimes glitches when multiple auths occur simultaneously. I'm not tracking auth state by BSSID or Source MAC, so it gets confused.
-- prgasnarf glitches on a failed auth with a Cisco AP. Cisco AP seems to forget to send an auth failure message, so the sequence is left hanging. I'll add a timer when I get a chance.

Future Features:

-- add IV collision tracking to prgasnarf
-- add IV collision unrolling to prgasnarf [a prototype is included with this source as unroller_poc.c]
-- add multiple BSSID, SourceMAC and IV capabilities to prgasnarf and wepwedgie
-- manual packet crafting and injection options
-- remote listener/responder to parse and react to the packets directed to the helper IP.
-- local listener/responder to parse and react to the helper IP packets [ie -- CDMA modem as helper on same system as 802.11 injection]

ChangeLog:

0.1.0 Alpha -- Initial Release 8/6/2003
- prgasnarf
  -- PRGA determination via Shared-Key Auth frames only
  -- saves PRGA, IV, BSSID, and SRC MAC to a file
- wepwedgie
  -- IV injection based on info in prgafile.dat.
  -- option for firewall testing [basic TCP/UDP/ICMP packet injection]
  -- option for TCP portscanning [0-1023]
  -- option for UDP portscanning [0-1023]
  -- option for ICMP pingscanning [nodes 0-255 of supplied target IP]

Enjoy.

Anton Rager
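A defender-side example, added here and not part of WEPWedgie or the release notes: because the injector encodes every frame with the single IV/PRGA pair recovered by prgasnarf, a monitor that counts WEP data frames per (BSSID, source MAC, IV) sees one IV repeated far more often than a normal client's incrementing IVs would produce. The MAC addresses and frames below are constructed test input; only the gateway MAC reuses the value from the notes' example.

```python
from collections import Counter

HDR_LEN = 24  # non-QoS 802.11 data header; the 4-byte WEP IV field follows it

def parse_wep_frame(frame: bytes):
    """Return (bssid, src, iv) for a WEP-protected data frame, else None."""
    if len(frame) < HDR_LEN + 4:
        return None
    fc_type, flags = frame[0], frame[1]
    if (fc_type & 0x0C) != 0x08 or not flags & 0x40:
        return None  # not a data frame, or Protected Frame bit clear (no IV)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    to_ds, from_ds = flags & 0x01, flags & 0x02
    if to_ds and not from_ds:        # station -> AP
        bssid, src = a1, a2
    elif from_ds and not to_ds:      # AP -> station
        bssid, src = a2, a3
    elif not to_ds and not from_ds:  # ad-hoc / IBSS
        bssid, src = a3, a2
    else:
        return None                  # 4-address WDS frames are not handled here
    iv = frame[HDR_LEN:HDR_LEN + 3]  # 24-bit IV; the key-ID byte follows it
    return bssid.hex(":"), src.hex(":"), iv.hex()

def iv_reuse_report(frames, threshold=3):
    """Count WEP frames per (bssid, src, iv) and return those at/over threshold."""
    counts = Counter(p for p in map(parse_wep_frame, frames) if p)
    return {key: n for key, n in counts.items() if n >= threshold}

def build_frame(bssid, src, dst, iv, payload=b"\x00" * 8):
    """Constructed ToDS WEP data frame used as test input (not captured traffic)."""
    hdr = b"\x08\x41" + b"\x00\x00" + bssid + src + dst + b"\x00\x00"  # data, ToDS, Protected
    return hdr + iv + b"\x00" + payload  # IV (3 bytes) + key-ID byte, then ciphertext

# Constructed sample traffic: one ordinary client, one source re-using a single IV.
AP  = bytes.fromhex("010203040506")  # BSSID; the gateway MAC from the notes' example
STA = bytes.fromhex("0a0b0c0d0e0f")  # constructed ordinary client
INJ = bytes.fromhex("deadbeef0001")  # constructed source replaying one IV
SAMPLE_FRAMES = (
    [build_frame(AP, STA, AP, bytes([i, 0, 0])) for i in range(5)]
    + [build_frame(AP, INJ, AP, bytes.fromhex("123456")) for _ in range(4)]
)

if __name__ == "__main__":
    for (bssid, src, iv), n in iv_reuse_report(SAMPLE_FRAMES).items():
        print(f"IV {iv} reused {n}x by {src} on BSSID {bssid}")
```

On a real capture the same logic runs over the frames a monitor-mode interface delivers; a legitimate WEP client repeats an IV only rarely, so a burst of identical IVs from one source is a strong indicator of keystream-reuse injection.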