Did I Miss Anything?


After the site outage I think I've caught up with all the messages, but if I missed a question and you still need it answering, just drop a new comment in there to push the question back to the top and I'll see what I can do.

Robin

Oddly enough, I was going to use that thread header :P I have two questions.

I've been playing with Jasager and the Fon in the office with a colleague after hours. I wasn't convinced I'd got it right. I've set up the Fon with a battery pack and a new aerial. I've managed to get the Fon to forward its connections over the wired connection to my laptop, and with a combination of a DHCP server and Firestarter, we have a tarpit.

Now I've tried this at home and sadly, it only works when I connect to the 'guest' SSID that the Fon sets up. I tried this with my iPhone and although it did the forwarding, it acted like nothing more than just another gateway to my wireless. As I understand it, Jasager responds to probe requests. I take it these are only sent by 'certain' clients (on a related note, these appear as blue probe requests in Kismet, right?) and of course, I need to beat the existing wifi network if it's there? If it's not there, I shouldn't have a problem, right?

Now this leads me to tonight's antics. In the office, we have loads of networks, eduroam being one of them. As its signal is weak, I figure if someone comes in with a laptop they are sure to connect to this, and the Jasager will notice this and present itself with, hopefully, a stronger signal. As our office is in the basement, this theory might work. My mate tried with his HTC and lo and behold, an 'open network' called 'eduroam' appeared next to the official one. It didn't join automagically though, and it did take a little time to work, but I then tried my iPhone again. Lo and behold, success. So my first question is, is this expected behaviour with the Fon?

Secondly, thinking about this, i bought one of these:

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=390099885120&ssPageName=STRK:MEWNX:IT#ht_3282wt_941

in the hopes that I'd get a better signal. I tested this aerial with my trusty Alfa. Guess what? It makes things worse! >< I'm wondering if it's because this is actually not an omni aerial (it was a total whim buying it!). It's now soldered to my Fon for good. I wonder if this degrades things? Also, if the signal was stronger, would I effectively 'beat' other APs?

Also, if the signal was stronger, would I effectively 'beat' other APs?

If the machine is already connected to a network and then the Fon/Jasager starts and wishes to use that same name, the machine which was previously connected must be disconnected from the network and then try to reconnect to it; then the Fon should pick it up. Since both are transmitting and the same distance from the connecting computer, the Fon will "beat" the other AP, because it is based on which AP completes the handshake with the connecting computer first. The Fon transmits faster than other APs do; the setting is called "fully-auto" on the webif for the Fon and can be set lower, but in the case that it is, it will decrease the chance of the Fon completing the handshake first.

As for the antenna, are you sure it had the same dB rating? Using an antenna with a different dB rating could severely decrease its performance, as the circuit is designed to run on it. Also, adding more or using less wire for the antenna wire will change its resistance, thus affecting the properties of the antenna. It's actually pretty complicated; I'd suggest researching antennas.

Edited by ¿~Acet•lyne~? ™
As for the antenna, are you sure it had the same dB rating? Using an antenna with a different dB rating could severely decrease its performance, as the circuit is designed to run on it. Also, adding more or using less wire for the antenna wire will change its resistance, thus affecting the properties of the antenna. It's actually pretty complicated; I'd suggest researching antennas.

Are you sure about this? I was told you could put any strength of antenna on any card.

Now I've tried this at home and sadly, it only works when I connect to the 'guest' SSID that the Fon sets up. I tried this with my iPhone and although it did the forwarding, it acted like nothing more than just another gateway to my wireless. As I understand it, Jasager responds to probe requests. I take it these are only sent by 'certain' clients (on a related note, these appear as blue probe requests in Kismet, right?) and of course, I need to beat the existing wifi network if it's there? If it's not there, I shouldn't have a problem, right?

That depends on whether the client is set to auto connect or not. If it auto connects then it is sending out probes so Karma will detect them and respond. Kismet does mark probes in blue.

Now this leads me to tonight's antics. In the office, we have loads of networks, eduroam being one of them. As its signal is weak, I figure if someone comes in with a laptop they are sure to connect to this, and the Jasager will notice this and present itself with, hopefully, a stronger signal. As our office is in the basement, this theory might work. My mate tried with his HTC and lo and behold, an 'open network' called 'eduroam' appeared next to the official one. It didn't join automagically though, and it did take a little time to work, but I then tried my iPhone again. Lo and behold, success. So my first question is, is this expected behaviour with the Fon?

No, you shouldn't see the eduroam network coming from Jasager. It only does probe responses, so you would see it if your mate had previously connected to eduroam and was currently probing for it.

Secondly, thinking about this, i bought one of these:

http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=390099885120&ssPageName=STRK:MEWNX:IT#ht_3282wt_941

in the hopes that I'd get a better signal. I tested this aerial with my trusty Alfa. Guess what? It makes things worse! >< I'm wondering if it's because this is actually not an omni aerial (it was a total whim buying it!). It's now soldered to my Fon for good. I wonder if this degrades things? Also, if the signal was stronger, would I effectively 'beat' other APs?

As Jasager isn't beaconing, you won't take over an existing signal without deauthing them, as they will only move if they see a beacon with a stronger signal, and you aren't sending beacons.

I've been told you can add any antenna to any card, so for me a bigger antenna will give a stronger signal all round.

Greetings Robin, another thing:

How about Karma and the SSID spoofing thing?

Did you come to any results in fixing it?

I mean, without the SSID spoofing the Jasager is just an open wireless access point that needs the user to connect to it on its own, so actually the same thing as staying with the normal Fon box in open mode or anything else. So... could you solve the problem?

Thank you very much,

Xeno

I think you've got the wrong line on how Karma works. It listens for any probe requests, then replies to them regardless of what ESSID it has set. That means that any machine set to auto connect will send out probes, see the responses and then connect.

It is more than the normal Fon, as it will accept any ESSID, whereas the normal Fon will only accept the ones it knows about.

Yeah, I "think" I got that right:

The laptop opens, sends out a request, i.e. "FritzBox". The Karma does hear that probe request, tells the laptop "I am FritzBox, connect to me!" and then the laptop connects to it.

Correct?

But that feature is broken at the moment, isn't it? T_T'

*sorry if I got it wrong, but somehow mine wouldn't really function, only if I really do connect manually with the laptops to it...*

Greetings, and btw, very nice work on the Kreios thing. I don't completely get it all yet, could be the medication I'm on now (I'm sick, sadly), but from what I see I think it's very cool ^-^

Xeno

That is correct and that is all working. The bit that is broken is telling it to ignore certain ESSIDs.

Drop Kreios on a couple of machines and play with it, it becomes obvious once you get it running.
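The probe-request/probe-response behaviour Robin describes above (Karma answers any probe regardless of the SSID, and never beacons) is also what gives it away to a defender. As an added example, not code from the thread or from Jasager, here is a small detector over a trace of 802.11 management frames: it flags a transmitter that sends probe responses for SSIDs it never beacons, and lists any of those SSIDs that a different AP legitimately advertises (the "second eduroam next to the official one" seen earlier). The frame records are constructed sample data; a real tool would fill them from a monitor-mode capture.

```python
"""Spot Karma-style probe answering in a trace of 802.11 management frames.
Added example with constructed sample data, not a real capture or Jasager code."""
from collections import defaultdict

# Record shape: (frame subtype, transmitter address, SSID carried in the frame).
# Constructed sample: aa:bb:cc:00:00:01 is a normal AP that beacons "eduroam";
# 02:00:00:00:00:01 (made-up address) never beacons but answers every probe,
# including a probe for "eduroam" that the real AP also answers.
SAMPLE_FRAMES = [
    ("beacon",         "aa:bb:cc:00:00:01", "eduroam"),
    ("probe_request",  "11:22:33:44:55:66", "FritzBox"),
    ("probe_response", "02:00:00:00:00:01", "FritzBox"),
    ("probe_request",  "11:22:33:44:55:66", "eduroam"),
    ("probe_response", "aa:bb:cc:00:00:01", "eduroam"),
    ("probe_response", "02:00:00:00:00:01", "eduroam"),
    ("probe_request",  "77:88:99:aa:bb:cc", "HomeWifi"),
    ("probe_response", "02:00:00:00:00:01", "HomeWifi"),
    ("beacon",         "aa:bb:cc:00:00:01", "eduroam"),
]


def summarize(frames):
    """Per transmitter: the SSIDs it beacons and the SSIDs it sends probe responses for."""
    beaconed, responded = defaultdict(set), defaultdict(set)
    for subtype, addr, ssid in frames:
        if subtype == "beacon":
            beaconed[addr].add(ssid)
        elif subtype == "probe_response":
            responded[addr].add(ssid)
    return beaconed, responded


def find_karma_suspects(frames, max_ssids=1):
    """Flag transmitters that answer probes for SSIDs they never beacon, or for more
    distinct SSIDs than a single-SSID AP would (max_ssids; raise it for multi-SSID APs).
    A hidden-SSID AP also answers directed probes without beaconing that name, so a
    hit on 'unbeaconed' alone is a lead to verify, not proof."""
    beaconed, responded = summarize(frames)
    suspects = {}
    for addr, ssids in responded.items():
        unbeaconed = ssids - beaconed.get(addr, set())
        if unbeaconed or len(ssids) > max_ssids:
            suspects[addr] = {"unbeaconed": unbeaconed, "distinct": len(ssids)}
    return suspects


def find_spoofed_ssids(frames, max_ssids=1):
    """SSIDs that a suspect answers for while a different transmitter beacons them.
    Returns {ssid: {suspect addr: set of legitimate beaconing addrs}}."""
    beaconed, _ = summarize(frames)
    advertisers = defaultdict(set)
    for addr, ssids in beaconed.items():
        for ssid in ssids:
            advertisers[ssid].add(addr)
    spoofed = defaultdict(dict)
    for addr, info in find_karma_suspects(frames, max_ssids).items():
        for ssid in info["unbeaconed"]:
            legit = advertisers.get(ssid, set()) - {addr}
            if legit:
                spoofed[ssid][addr] = legit
    return dict(spoofed)


if __name__ == "__main__":
    for addr, info in find_karma_suspects(SAMPLE_FRAMES).items():
        print(f"{addr}: answered {info['distinct']} SSIDs, "
              f"never beaconed {sorted(info['unbeaconed'])}")
    print("spoofed:", find_spoofed_ssids(SAMPLE_FRAMES))
```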

About the antenna

I don't know how much you know about electronics, as a lot of the terms are electronics related, but here is a reference; perhaps it will help you understand antenna efficiency a little better.

http://en.wikipedia.org/wiki/Antenna_(radio)

You may still get results using other antennas, but yes, it does affect its efficiency, everything from the length of the antenna to the length of the cord.

As for the antenna, are you sure it had the same dB rating? Using an antenna with a different dB rating could severely decrease its performance, as the circuit is designed to run on it.

I should have been more specific, this is the bit I was questioning. Can a system be designed to use a specific rating and lose performance if a higher rated antenna is attached?

I agree on the length of wire.

heya,

I'm new to the forums (not to the show, I love it!)

though I now finally want to go make my own pineapple, so I am ready to buy a Fon+

though I wanted to know a few things:

On digininja's site I saw this:

http://www.digininja.org/jasager/installation.php

I've got 2 questions about it.

First:

I don't get this:

Grab redboot.pl and the firmware from the download page and unpack the firmware tarball into your tftp files directory.

Do I need to download redboot.pl, the firmware AND the tarball??

Or only redboot + firmware, and the tarball isn't needed??

Second:

When you say power up the Fon etc., are you expecting me to use a wired connection to the Fon, or does redboot.pl connect itself to the FON+ wirelessly???

And maybe a noob question:

Can I still use the La Fontenna to expand the area??

Thanks in advance for answering!

Edited by fjux
heya,

I'm new to the forums (not to the show, I love it!)

though I now finally want to go make my own pineapple, so I am ready to buy a Fon+

though I wanted to know a few things:

On digininja's site I saw this:

http://www.digininja.org/jasager/installation.php

I've got 2 questions about it.

First:

I don't get this:

Grab redboot.pl and the firmware from the download page and unpack the firmware tarball into your tftp files directory.

Do I need to download redboot.pl, the firmware AND the tarball??

Or only redboot + firmware, and the tarball isn't needed??

The firmware is two files that come in a tarball; get the firmware tarball, then unpack it to give you the files you need.

Second:

When you say power up the Fon etc., are you expecting me to use a wired connection to the Fon, or does redboot.pl connect itself to the FON+ wirelessly???

Yes, go wired.

And maybe a noob question:

Can I still use the La Fontenna to expand the area??

Thanks in advance for answering!

Yes

I should have been more specific, this is the bit I was questioning. Can a system be designed to use a specific rating and lose performance if a higher rated antenna is attached?

Yes, however a system designed around a 0 dB antenna could very well function on, say, maybe a 6 dB antenna just fine. If you increase or decrease it from the original antenna's dB rating too much, you will then see the difference a lot more. Typically the dB rating is where it is due to FCC regulations, because using a higher dB rating will increase its range, and FCC regulations state that the device can only transmit so far, and increasing the antenna too much can be against the regulations they have in place (talking USA obviously). However, as stated before, at a certain point it does affect the signal and causes the signal to be dropped at various times.

Most people see an increase in signal using a bigger antenna mainly because it is higher up in the air, whereas using the original antenna on a pole, thus raising the antenna to the same height as the bigger antenna, usually will work better. A slightly bigger antenna may actually increase the performance if not too much bigger; however, you may be transmitting at a power level over that of the FCC regulations, but typically it won't be at such a higher level that anyone will complain, depending on where you live.

Hope this helps a bit more than my last post

So in practice most people will see a performance increase, if only due to physical conditions rather than actual radio conditions. Kind of a placebo effect: bigger antenna must mean better performance.

And as for the FCC, everyone obeys their rules :)

Thanks for the tips guys. Looking at the aerial I have, though it works, I'm convinced something isn't right. It is indeed larger (at least 5 times longer) and therefore it's probably not going to work too well, as it essentially uses a lot of extra wire with no power or any other elements, so I guess it was a waste of time. Still, good for learning.

Cheers for the tip with the beacon though. That is indeed useful, as I had thought that generally all devices would probe when they were turned on as a matter of course in order to locate said networks. I clearly need to read more about 802.11.

However, assuming this is the case and a client authenticates and I give them an IP, the attack vectors as I see them, are

1) present a false page of some kind when they attempt any HTTP traffic. Probably fairly obvious to spot bad things going on here.

2) Karmetasploit. Like the above, our little false TCP/HTTP response program listens for requests and attempts nasty things when it gets them

3) Pipe to a net connection you own and MITM.

The latter seems the most useful. Sort of the rogue AP scenario we've been mentioning. Typically, on a campus I suspect this could go on rather easily. Sit in a coffee shop nearby... wait for students with laptops and similar ;)

I suspect nothing really interesting, save the SSID, is sent in a probe?

Also, the aerial on a pole is quite interesting. My flat is at the top of a tall house. I've yet to see whether or not ground level affects things. Most aerials, I guess, are dipoles with wifi, and I suspect their power goes out in a doughnut shape, right? That means they are roughly 2 dimensional, which means the AP or target needs to be roughly at the same level as you? Is this right? I suspect not but just checking ;)

FYI, the aerial setup I found on HIR here HIR Jasager Thread

Edited by Oni
Also, the aerial on a pole is quite interesting. My flat is at the top of a tall house. I've yet to see whether or not ground level affects things. Most aerials, I guess, are dipoles with wifi, and I suspect their power goes out in a doughnut shape, right? That means they are roughly 2 dimensional, which means the AP or target needs to be roughly at the same level as you? Is this right? I suspect not but just checking ;)

omnidirectional antennas do this:

[Image: Antenna_Coverage-1.jpg, omnidirectional antenna coverage pattern]

So yeah, you'll miss a lot of nearby stuff if you're up high and have the antenna placed vertically, and if you've only got a small antenna you may not have the range to pick up stuff as the signal broadens. You could always tilt your antenna or look into fun stuff like the wokfi, which could be seriously cool if you can see any cafes from your window.

I use a decent omni 7 dB antenna with my DD-WRT router that I use to bridge my PC & Xbox across the flat to the modem/router. Before we had our own internet I bridged to a neighbour's router with enough signal strength to download at 400 kB/s (SNR of about 14 on a good day). My netbook can only get an SNR of about 3 to that particular router. So yeah, higher dB antennas can improve your signal, but if the Fon can only give it a small amount of power it may make things worse. I haven't hacked around with the Foneras yet, but my DD-WRT router only transmits at 10 mW. Edit: about 80 mW; I forgot that my WHR-HP-G54 has an amp :rolleyes:

Edited by aeiah
You need to go back and brush up on your antenna theory. Long story short, the router doesn't care or even know what the dBi is. I could fill pages with antenna theory but I'll try to boil it down. The typical Fon antenna is 2 dBi and the antenna you reference is 12 dBi. Let's assume that the Fonera transmits 2 watts of power at the antenna's resonant frequency and that both antennas really are what they say they are. Manufacturers can "play" with the numbers ;)

With a 2 dBi antenna the Effective Isotropic Radiated Power (EIRP) would be measured to be 3.17 watts.

With a 12 dBi antenna the EIRP would be 31.7 watts.

This assumes a 1.0 SWR and no losses. Note the power doesn't really increase; it's just that the effective radiation pattern (distribution) is more directional. You can't create energy from nothing. Think of it as an adjustable flashlight (torch for those of you on the other side of the pond). When you focus the beam the bulb doesn't get brighter; the light is just focused more in one direction.

The EIRP is what the FCC measures, not the dBi or the distance the signal goes (theoretically it goes forever). So a higher dBi antenna will focus more energy, making the EIRP higher, and that could get you into trouble. But typically, since it's unlicensed spectrum, nobody cares until you cause enough interference and somebody complains. Part of the whole "Part 15" rule.

The 12 dBi antenna will have a stronger signal at a farther distance than the 2 dBi antenna, but this comes with some trade-offs. This is where the 'i' in dBi comes in. It refers to an isotropic radiator. In essence the perfect isotropic antenna is a single point and the signal radiates equally in all directions (vertically and horizontally), a perfect sphere. Such an antenna does not exist. Instead the omni-directional antenna is more like a donut in its radiation pattern. The trade-off is that as the dBi increases the donut signal has to get flatter in order to go farther. The horizontal radiation pattern is 360 deg, but the vertical can go from say 75-80 deg (low dBi) down to 5 deg (high dBi).

Antennas are mounted high because the best signal is received when you have direct line of sight to the antenna, obstruction free. The higher the antenna relative to the receiver, the fewer obstructions.

Things that can affect the actual power output are losses due to cabling, connectors or crappy antenna design, and losses due to SWR (Standing Wave Ratio), where a portion of the output signal is actually reflected back to the transmitter, causing heat and in the worst case damage to the transmitter. SWR is mainly caused by a mismatch of impedance between the transmitter and antenna/feedline. Like the perfect isotropic radiator, SWR will never be 1.0, but <2 is generally considered safe.

So depending on the case a higher dBi antenna may be worse than a lower dBi antenna, because the beam may be focused in a direction you don't want.

Hopefully I didn't make any errors; I'll review this again in a bit.
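The EIRP figures in the post above follow from one formula, EIRP = transmit power times the linear antenna gain, and the "stronger signal at a farther distance" part follows from the free-space path loss. As an added example (not the poster's own working), here is that arithmetic carried through with the post's numbers (2 W into 2 dBi and 12 dBi), extended to feedline losses, received level and line-of-sight range; the 36 dBm regulatory ceiling used as a default is an assumption about the US Part 15.247 point-to-multipoint figure and should be checked against the current rule text.

```python
"""EIRP and free-space link budget behind the 2 dBi vs 12 dBi comparison above.
Added example; the Part 15 limit below is an assumption to verify, not taken from the thread."""
import math

C = 299_792_458.0            # speed of light, m/s
WIFI_CH6_HZ = 2.437e9        # 2.4 GHz channel 6 centre frequency


def db_to_linear(db):
    return 10 ** (db / 10)


def watts_to_dbm(watts):
    return 10 * math.log10(watts * 1000)


def eirp_watts(tx_watts, antenna_dbi, cable_loss_db=0.0):
    """EIRP = transmitter power x antenna gain, after feedline and connector losses.
    Gain only redistributes the power into a flatter pattern; it creates none."""
    return tx_watts * db_to_linear(antenna_dbi - cable_loss_db)


def fspl_db(distance_m, freq_hz=WIFI_CH6_HZ):
    """Free-space path loss (Friis), line of sight, no obstructions."""
    return (20 * math.log10(distance_m) + 20 * math.log10(freq_hz)
            + 20 * math.log10(4 * math.pi / C))


def received_dbm(tx_watts, tx_dbi, rx_dbi, distance_m, freq_hz=WIFI_CH6_HZ, cable_loss_db=0.0):
    """Signal level at the receiver, ignoring the vertical beamwidth: a high-gain omni
    delivers this level only to receivers that sit inside its flattened donut."""
    return (watts_to_dbm(eirp_watts(tx_watts, tx_dbi, cable_loss_db))
            - fspl_db(distance_m, freq_hz) + rx_dbi)


def max_range_m(tx_watts, tx_dbi, rx_dbi, rx_sensitivity_dbm, freq_hz=WIFI_CH6_HZ, cable_loss_db=0.0):
    """Inverts fspl_db: the farthest distance at which received_dbm still meets the sensitivity."""
    budget = watts_to_dbm(eirp_watts(tx_watts, tx_dbi, cable_loss_db)) + rx_dbi - rx_sensitivity_dbm
    return 10 ** ((budget - 20 * math.log10(freq_hz) - 20 * math.log10(4 * math.pi / C)) / 20)


def dbm_over_limit(tx_watts, antenna_dbi, limit_dbm=36.0, cable_loss_db=0.0):
    """How far the EIRP sits above a regulatory EIRP ceiling. The 36 dBm default is the
    assumed US Part 15.247 point-to-multipoint figure (1 W conducted + 6 dBi); verify it."""
    return watts_to_dbm(eirp_watts(tx_watts, antenna_dbi, cable_loss_db)) - limit_dbm


if __name__ == "__main__":
    for dbi in (2, 12):
        e = eirp_watts(2.0, dbi)
        print(f"2 W into {dbi} dBi: EIRP {e:.2f} W = {watts_to_dbm(e):.1f} dBm, "
              f"{dbm_over_limit(2.0, dbi):+.1f} dB relative to 36 dBm, "
              f"line-of-sight range to a -80 dBm / 2 dBi receiver: {max_range_m(2.0, dbi, 2, -80):.0f} m")
```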

Wow! Clearly there is much more to this than I had thought. I've recently been looking into antennae with respect to RFID (that's a whole 'nother can of worms!) and clearly I do not know enough. The donut shaped stuff you mention sounds right to me, as I'd seen that mentioned before, and would explain the loss of signal, as the base station for me is 3 floors down. I wonder how this aerial focuses? I suspect a flatter and further range, as you suggest, might indeed be a handy feature with a Fon.

Must read more... :P Thanks for the help

1 month later...

OK, looking into this and after watching the last few eps of Hak5, I have another question.

Has anyone here tried this with a mobile phone? Specifically, an iPhone with Linux.

Here's the scenario. You are using a pineapple; you have a 3G connection. You want to set up a tarpit. It's a fun thing to play with on your own lil network.

Now I'm using BackTrack, which runs Intrepid. I eventually managed to get some iproxy working with usbmuxd so we can connect to the net using my lovely iPhone. However, this works by setting up a SOCKS proxy. Using proxychains we can use Firefox and all that through my proxy and get to the web. But of course, how does this work with Jasager?

I found a program called transocks_ev which, when used with iptables, apparently forwards ANY TCP traffic to a waiting SOCKS proxy. It essentially talks SOCKS so your users/victims don't have to. Sounds great, huh?

Well, it would be if the damn thing would talk DNS. I have another laptop that gets snared by Jasager. The Fon forwards to my laptop and the laptop sends to the iPhone. It works IF the user types the IP but NOT the domain name. Wireshark reports the DNS attempts but shows that an ICMP packet is coming back saying that the port in question is not available....

so close and yet so far.... :'(

Darren runs his pineapple off his phone tethered to his laptop. Just set up the internet connection as usual, then ICS as usual.

Lol! No dice at all.

Tethering an iPhone under Linux is no mean feat. With Intrepid, you don't get the nice ifuse libs etc. etc. So basically, you need to compile up your own. This is OK, but what you end up with is a SOCKS5 connection over OpenSSH.

Now this is fine for the laptop receiving its packets from Jasager. But where do these packets go? Sure, you can set up IP forwarding but.... where are they heading? OpenSSH just gives you a port... that's it.

So the next obvious thing to do is use iptables to forward TCP to this port. No luck there though. We need to start talking SOCKS5. Proxychains does this but doesn't work as a daemon process in the background (annoyingly). Looking around the web I've found transproxy (no SOCKS5 support), fw-socks5-fwd and transproxy_ev. The last 2 claim to be able to do SOCKS5, so I set them up and added some iptables rules to forward TCP and UDP towards the port opened by these apps.

Result?

NO DNS ><

OK sure, a victim machine can type in the IP and get to where they need to go, but otherwise.... no dice! >< So I'm stumped as to where this is going wrong. My suspicion is either iptables isn't doing its job right and I've entered the wrong rules, or that my transparent SOCKS proxy isn't doing the right thing.

Is anyone else attempting to do this sort of thing? Surely it can't be as hard as I'm making it?

Not sure then; I wasn't thinking about a SOCKS proxy, I was thinking more of just straight connection sharing.

Oh yeah, that'd be awesome... if one could get that working with BackTrack I'd have saved a good 5 hours! If such a program exists, job done. I suspect full tethering under Linux doesn't, however :S

Backup plan of scapy with proxyresolv. Just realised proxychains (which works) wraps its DNS within TCP, which explains certain problems I had before.
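The "no DNS" symptom above is exactly what a TCP-only transparent proxy produces: SOCKS5 as exposed by OpenSSH carries TCP streams, so the UDP port 53 queries redirected at it go nowhere and the kernel answers with ICMP port unreachable, while proxychains works because it re-sends DNS over TCP. As an added example, not the poster's script, here is a small UDP-to-TCP DNS relay that does the same job for the whole tarpit: point the clients' UDP/53 at it (with the same kind of iptables redirect the poster already uses for TCP), and it forwards each query over a TCP connection that the transparent SOCKS relay can carry. The resolver address is a placeholder; the relay also handles the one edge case that bites here, a TCP answer too large to send back over UDP.

```python
"""UDP-to-TCP DNS relay for the transparent-SOCKS setup described above. Added example,
not the thread's script; RESOLVER is a placeholder (TEST-NET-1) to replace with a resolver
that is reachable over TCP through the proxy."""
import socket
import struct

RESOLVER = ("192.0.2.53", 53)   # placeholder address, not a real resolver
LISTEN = ("0.0.0.0", 53)        # redirect clients' UDP/53 here instead of to the SOCKS relay
UDP_MAX = 512                   # classic DNS/UDP payload limit for clients without EDNS
TC_BIT = 0x0200                 # "truncated" flag in the DNS header

def wrap_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query (RD=1) for one name; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def question_end(msg):
    """Offset just past the first question section (name + QTYPE + QCLASS)."""
    pos = 12
    while msg[pos]:
        pos += 1 + msg[pos]
    return pos + 1 + 4

def question_name(msg):
    pos, parts = 12, []
    while msg[pos]:
        parts.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
        pos += 1 + msg[pos]
    return ".".join(parts)

def fit_udp(resp, limit=UDP_MAX):
    """A TCP answer larger than the UDP limit must not be sent back as-is: keep header and
    question, zero the record counts and set TC so the client retries over TCP itself."""
    if len(resp) <= limit:
        return resp
    flags = struct.unpack("!H", resp[2:4])[0] | TC_BIT
    return (resp[:2] + struct.pack("!H", flags) + resp[4:6]
            + struct.pack("!HHH", 0, 0, 0) + resp[12:question_end(resp)])

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def forward_over_tcp(query, resolver=RESOLVER, timeout=5.0):
    """One query, one TCP connection: send length-prefixed, read the length-prefixed reply."""
    with socket.create_connection(resolver, timeout=timeout) as s:
        s.sendall(wrap_tcp(query))
        (n,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, n)

def serve(listen=LISTEN, resolver=RESOLVER):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(UDP_MAX)
            try:
                udp.sendto(fit_udp(forward_over_tcp(query, resolver)), client)
            except (OSError, ConnectionError) as exc:
                print(f"{client}: {question_name(query)} failed: {exc}")

if __name__ == "__main__":
    serve()
```

Binding port 53 needs root; the relay's own TCP connections to the resolver are then caught by the existing TCP redirect and carried through SOCKS like any other stream.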

Oh yeah, that'd be awesome... if one could get that working with BackTrack I'd have saved a good 5 hours! If such a program exists, job done. I suspect full tethering under Linux doesn't, however :S

Backup plan of scapy with proxyresolv. Just realised proxychains (which works) wraps its DNS within TCP, which explains certain problems I had before.

Ok sorted it. Will post findings once script is a bit tidier :D
