
digininja (Global Moderators)
Posts: 4,005 | Days Won: 210

Everything posted by digininja

  1. It does work but you'd have the problem of sharing the wifi interface between sending and receiving. Darren has his setup like this. I'd prefer the option of taping two together with one as client and one as AP so you get dedicated radio on each so you can have them both on different channels.
  2. Your plan for Jasager is different to mine, mine is for MITM auditing attacks so I don't really care about what nasty stuff is going on to the client's machine as long as it isn't affecting the nasty stuff I'm sending in their direction. I keep my machine fully hardened and don't open anything that I don't fully control to client access.
  3. You are the second person to get this, do an lsmod and check for ath and wlan being mentioned. It seems like the madwifi drivers aren't being loaded for some reason.
  4. telnet should only work till you set a root password, after that it is ssh only. Username root, password whatever you set it as. Did you remember the step of enabling dropbear by renaming the start-up file?
  5. Ye, you only get a second or two so starting the app first seems the best thing to do. Using the linux redboot script is really nice as you can start that and just leave it running till you start the Fon.
  6. Use dmesg and grep for karma and madwifi, that will tell you if the modules are being loaded. You can also use lsmod to check the list of modules in memory. I don't know why you'd be on a lower kernel version, unless you got a different firmware from somewhere. I haven't heard any reports of Fons with wifi chipsets that aren't Atheros so my feeling is that it is software failure somewhere.
  7. Yes, but why would you scan for viruses in network traffic? The traffic would be going through you but wouldn't stop at you unless it was something designed to actually attack your servers. So, you want to make sure your box in the middle is sufficiently hardened to prevent attackers from going after it but that should be standard setup anyway.
  8. iyeman has it right, only one list, choose either, probably blacklist with your AP in it. Whitelist is designed for capturing specific targets; in one test I did, a client had 3 different SSIDs for different levels of business, I would add just those 3 to target that specific client.
  9. Ye, Renderman. He has done it a few times. His story about doing it at a conference in Iceland (I think) is quite good.
  10. Daft question but are you on a Fon? If so, do you have the madwifi drivers loaded? If not, are you on a device with an atheros chipset?
  11. Alternatively you could use karma on the laptop. Jasager is a port of karma to the Fon with some additions and some things removed. Jasager is designed for pen-testing environments where you want to be able to leave a device behind, a few-dollar Fon is much easier to leave in a reception area and hope to pick up later.
  12. OK, information on the difference. By default the wireless drivers are in blacklist mode with an empty SSID list and will automatically accept any SSID that comes along. If you use the "add ssid to list" command the chosen SSID will be added to a blacklist so the drivers will ignore that SSID and not let it connect. This is useful if you are working in an environment where you want to make sure you are not capturing traffic you are not supposed to (maybe in an office where you don't want to capture the company next door's wifi traffic), it is also useful to stop Jasager from taking over your own wifi in a testing environment. When you change to whitelist mode you are saying that the drivers should only accept SSIDs that are in the list, this is where you want to target a small range of SSIDs, maybe known home router SSIDs or SSIDs where you believe because of the SSID the client may be vulnerable. As it states in the interface, switching modes does not clear the list down, you have to do that manually. Hope this explains it.
  13. Did you let Jasager create the device first? Just browse to the web interface and it will offer to create ath0 for you. Or you could do wlanconfig ath0 create wlandev wifi0 wlanmode master
  14. It depends on the client's configuration, if it expects WEP/WPA and doesn't get it some will move on till they find an encrypted network, others will just drop back to unencrypted. Jasager can only do unencrypted as it obviously doesn't know the encryption keys for the encrypted networks.
  15. You wouldn't need to, airpwn sniffs other people's wifi traffic and injects fake responses into their stream, as you are already in the middle you can just intercept the real data as it passes through and replace it. So the real question is probably how do I replace images, it depends on how you configure your network. All you need to do is to have one of the steps along the route monitor all traffic and drop in the new image when it sees an existing image go past. It is on my list of things to do to get packet sniffing and replacing working on the Fon but it hasn't hit the top of the list yet.
  16. Try connecting through the wired network instead. I did all my flashing through that.
  17. Sounds like you went a bit wrong here. The AP is supposed to be open, no WPA, if you have WPA then no clients will be able to connect as they won't know the key. You shouldn't need to touch wireless in webif, destroy all athX interfaces and let Jasager create it when it starts up, that is the safest thing.
  18. Does an iPhone try to automatically connect to last known APs? Try forcing it to connect to an SSID you tell it exists.
  19. If I remember right a client can send a deauth packet to the AP if it wants. The quickest way to deauth a group of clients is to send a spoofed broadcast deauth from the AP that will kick off everyone. If you are pen-testing in an office environment and you only had the one device then you'd need to set up an occasional broadcast deauth pretending to be the real AP, if you are in a more mobile environment where clients are coming and going all the time you'd have to increase the deauth rate.
  20. You need bridging, check your distro for instructions on how to set it up. The basic idea is that you bridge your wired and wireless interfaces together so the internet connection gets passed from the wifi out through the wired.
  21. The files get copied to /tmp but that gets wiped after a reboot, just copy the files over again.
  22. As the Fon is already in the middle you don't need ettercap, you can either run tcpdump on the Fon and parse the data there if just looking for passwords or you can set a device inside the network as the default route so all traffic goes through it as well, then just sniff on that machine. No point arp spoofing if you don't need to.
  23. I'm looking at porting Lorcon to OpenWrt, if I can then I've got a really nice deauth script I wrote for my SANS gold paper. I'll integrate that.
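The posts above (items 12, 14 and 18 in particular) describe the behaviour that makes a Karma-style AP work: in its default blacklist mode it answers probe requests for any SSID a client asks for, so clients that auto-join remembered networks associate with it. That same behaviour is what a wireless IDS or a defender reviewing a monitor-mode capture can look for. The following is an added example, not code from digininja's posts or from the Jasager project: it takes constructed probe-response summary lines (the `probe_resp bssid=... ssid="..."` format and the sample BSSIDs and SSIDs are invented for the example), counts how many distinct SSIDs each BSSID answered for, flags any BSSID over an assumed threshold, and reports which of those SSIDs are also served by another BSSID, which is the sign that a real network is being impersonated.

```python
"""Flag access points that answer probe requests for many unrelated SSIDs.

Added example for illustration; not part of the forum posts or of Jasager.
A normal AP responds only for the one or few SSIDs it actually serves, while
a Karma-style AP in blacklist mode answers for whatever SSID a client asks
about, so one BSSID ends up advertising many unrelated network names.
"""
import re
from collections import defaultdict

# Constructed sample input, invented for this example. The line format is a
# hypothetical per-frame summary such as a monitor-mode capture script might
# emit; the MAC addresses and SSIDs are not real.
SAMPLE_LOG = """\
probe_resp bssid=00:11:22:33:44:55 ssid="CorpWiFi"
probe_resp bssid=00:11:22:33:44:55 ssid="CorpGuest"
beacon     bssid=00:11:22:33:44:55 ssid="CorpWiFi"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid="CorpWiFi"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid="linksys"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid="HomeRouter42"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid="attwifi"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid="CoffeeShop"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid="CorpGuest"
probe_resp bssid=AA:BB:CC:DD:EE:FF ssid=""
"""

# Only probe responses count: beacons carry the AP's own SSID and tell us
# nothing about what it is willing to answer for.
_PROBE_RESP = re.compile(
    r'^probe_resp\s+bssid=([0-9A-Fa-f:]{17})\s+ssid="([^"]*)"\s*$'
)


def parse_probe_responses(text):
    """Return (bssid, ssid) pairs for each probe-response line.

    BSSIDs are normalised to lower case; lines for an empty SSID (a reply to
    a wildcard probe) are skipped because they say nothing about impersonation.
    """
    records = []
    for line in text.splitlines():
        match = _PROBE_RESP.match(line)
        if match and match.group(2):
            records.append((match.group(1).lower(), match.group(2)))
    return records


def ssids_per_bssid(records):
    """Group the distinct SSIDs each BSSID has answered for."""
    seen = defaultdict(set)
    for bssid, ssid in records:
        seen[bssid].add(ssid)
    return seen


def find_promiscuous_aps(text, max_ssids=3):
    """Return {bssid: sorted SSIDs} for BSSIDs answering more than max_ssids.

    max_ssids is an assumed threshold, not a standard value; a multi-SSID AP
    that shares one BSSID across a few names should stay under it, while a
    Karma-style AP climbs well past it as clients probe for their remembered
    networks.
    """
    seen = ssids_per_bssid(parse_probe_responses(text))
    return {
        bssid: sorted(ssids)
        for bssid, ssids in seen.items()
        if len(ssids) > max_ssids
    }


def impersonated_ssids(text, max_ssids=3):
    """For each flagged BSSID, list its SSIDs that some other BSSID also uses.

    An overlap with a legitimately served network name is the case a defender
    cares about most: clients that remember that network may associate with
    the impersonator instead of the real AP.
    """
    seen = ssids_per_bssid(parse_probe_responses(text))
    flagged = find_promiscuous_aps(text, max_ssids)
    result = {}
    for bssid in flagged:
        others = set()
        for other, ssids in seen.items():
            if other != bssid:
                others |= ssids
        result[bssid] = sorted(seen[bssid] & others)
    return result


if __name__ == "__main__":
    for bssid, ssids in find_promiscuous_aps(SAMPLE_LOG).items():
        print(f"{bssid} answered for {len(ssids)} SSIDs: {', '.join(ssids)}")
    for bssid, ssids in impersonated_ssids(SAMPLE_LOG).items():
        print(f"{bssid} overlaps known networks: {', '.join(ssids)}")
```

On the constructed input, 00:11:22:33:44:55 answers for only its two corporate names and is left alone, while aa:bb:cc:dd:ee:ff answers for six unrelated SSIDs and is flagged, with CorpGuest and CorpWiFi reported as the names it shares with the legitimate AP. The threshold and the line format are the two things to adapt to a real capture source.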