
Thread: wifitap error no /dev/net/tun

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    53

    wifitap error "no /dev/net/tun"

    Hello,

    I'm trying to test wifitap (to understand the risk factor).
    I've set up a mini WEP WLAN. One card is connected while the other card (Atheros) tries to "wifitap".

    Each time I run wifitap (wifitap -b xxxx -w key) I get an error:
    No such file or directory /dev/net/tun
    Wifitap tries the correct card (ath0).
    For additional info: I'm using a PCMCIA card.

    I can't find related info in the forum.
    Does anyone have a hint how to fix this or how to use wifitap correctly?

    Thx

  2. #2
    Junior Member
    Join Date
    Jan 2010
    Posts
    53


    Still I'm making no progress on what is going wrong.

    I know theoretically how weak WEP is. But, as men tend to, I need to taste it with my own fingers. This way wireless security loses its invisibility and becomes real.
    So it would be really nice if anybody could tell me what is going wrong.

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    53


    I made a little progress.
    Wifitap now creates the adapter, but ping still fails.

    I did
    lsmod | grep tun, to check if tun is loaded.
    If not loaded:
    modprobe tun

    Now I connected eth1 to the WEP network
    and used airmon to create ath0 in monitor mode on the specified channel.

    Then I started wifitap, supplying the access point BSSID and my WEP key.

    Now I don't get any errors from wifitap and wj0 is created.
    Then I ran ifconfig on wj0.

    But when using ping -I wj0 RouterIP
    I'm getting a destination unreachable.
    Using eth1, ping runs fine...

    With Google I found an example which activated ath0raw for output with wifitap. Unfortunately I'm not able to reproduce the creation of ath0raw.

    Can someone help me out?

  4. #4
    Junior Member
    Join Date
    Jan 2010
    Posts
    53

    It's working (somehow)

    Well, I got it working (at least ping is fine).

    wifitap howto :
    #load module tun
    modprobe tun
    #activate monitor mode
    airmon-ng stop wlanDevice
    airmon-ng start wlanDevice channel
    #start promisc mode
    ifconfig wlanDevice promisc
    #launch wifitap
    wifitap.py -b bssid -w key
    #config wj0
    ifconfig wj0 yourDesiredIP up

    #Test
    ping -I wj0 RouterIP

    So far it works.
    When I tested to get router HTTP access, nothing happened.
    So I tried nmap:
    nmap -e wj0 -p80 -P0 routerIP
    But no host found...

    Any ideas why?

  5. #5
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Associated station

    It is my understanding that the procedure communicates directly with an associated station (another user), not the DS itself.

    At least that was what I understood from the conference lecture.
    Lux sit

  6. #6
    Junior Member
    Join Date
    Jan 2010
    Posts
    53


    Well, this seems to be the correct hint.

    I took a look at airtun-ng, which works very similarly.
    There's a flag "toDS" which can be adapted to choose whether to send to the client or the station.

    I assume wifitap always fills in the frame a "toDS=0". I will check this out.
    But why is ping to the DS working in this case?

  7. #7
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Proof of concept

    The background to this procedure is that of appreciating that management traffic on most APs (DSs) is distinct from payloads. It is possible to divorce the payload (usually encrypted) from the associated management frames and reinject different payloads using the same management traffic.

    For this reason the python script separates the management directives (collects all To DS packets) enabling injection of differing payloads.

    It is a proof of concept, not a fully worked solution. If you want to develop a fully worked solution, extra scripting is needed, as noted in the script verbiage. It does not, for instance, currently collect 'FromDS' packets.

    It is quite possible to do that. The script is short and commented. It uses scapy so that we do not have to 'reinvent the wheel'.

    The essence remains that it is a proof of the concept that one can communicate direct with a station 'through' an AP without necessarily knowing the passkey. It is significant in that it is a type of activated rogue AP. A script of great worth.
    Lux sit
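    The ToDS/FromDS distinction that the last two posts turn on is encoded in the 802.11 Frame Control flags, and those two bits also decide what the three address fields of a data frame mean. The following is an added example, not code from wifitap or airtun-ng (which both use scapy): a pure-Python builder and parser for the three-address 802.11 data-frame header, with a helper that states which side of the link will process a given frame. The address layout and flag bit positions are those of the IEEE 802.11 standard; the MAC addresses in the demo are constructed.

```python
"""Build and parse three-address IEEE 802.11 data-frame headers.

Added example for the ToDS/FromDS discussion above; not part of wifitap.
"""
import struct

# Frame Control byte 0: protocol version 0, type Data (2), subtype Data (0)
FC_DATA = 0x08
# Frame Control byte 1 (flags), per IEEE 802.11
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40   # historically the "WEP" bit: frame body is encrypted


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_data_header(sa, da, bssid, to_ds=False, from_ds=False,
                      protected=True, seq=0):
    """Return the 24-byte MAC header of a data frame.

    Address layout depends on the DS bits:
      ToDS=0 FromDS=0: addr1=DA,    addr2=SA,    addr3=BSSID  (no DS, e.g. IBSS)
      ToDS=1 FromDS=0: addr1=BSSID, addr2=SA,    addr3=DA     (station -> AP)
      ToDS=0 FromDS=1: addr1=DA,    addr2=BSSID, addr3=SA     (AP -> station)
    The four-address WDS case (both bits set) is out of scope here.
    """
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled")
    flags = ((FLAG_TO_DS if to_ds else 0)
             | (FLAG_FROM_DS if from_ds else 0)
             | (FLAG_PROTECTED if protected else 0))
    if to_ds:
        addr1, addr2, addr3 = bssid, sa, da
    elif from_ds:
        addr1, addr2, addr3 = da, bssid, sa
    else:
        addr1, addr2, addr3 = da, sa, bssid
    return (bytes([FC_DATA, flags])
            + struct.pack("<H", 0)                      # duration / ID
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + struct.pack("<H", (seq & 0xFFF) << 4))    # sequence number, fragment 0


def parse_data_header(hdr):
    """Invert build_data_header: recover DS bits, protection flag and DA/SA/BSSID."""
    if len(hdr) < 24:
        raise ValueError("truncated header")
    fc0, flags = hdr[0], hdr[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds = bool(flags & FLAG_TO_DS)
    from_ds = bool(flags & FLAG_FROM_DS)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled")
    a1, a2, a3 = mac_str(hdr[4:10]), mac_str(hdr[10:16]), mac_str(hdr[16:22])
    if to_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds:
        da, bssid, sa = a1, a2, a3
    else:
        da, sa, bssid = a1, a2, a3
    return {"to_ds": to_ds, "from_ds": from_ds,
            "protected": bool(flags & FLAG_PROTECTED),
            "da": da, "sa": sa, "bssid": bssid}


def delivery_path(parsed):
    """Which entity consumes the frame, according to the DS bits."""
    if parsed["to_ds"]:
        return "station->AP: the AP processes it and the DS forwards it to DA"
    if parsed["from_ds"]:
        return "AP->station: the station in addr1 accepts it as coming from its AP"
    return "no DS: delivered directly between SA and DA"


if __name__ == "__main__":
    # Constructed addresses: the AP, an associated station, and the injector.
    BSSID, STATION, INJECTOR = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "0c:0c:0c:0c:0c:0c"
    for direction in ({"to_ds": True}, {"from_ds": True}, {}):
        hdr = build_data_header(INJECTOR, STATION, BSSID, **direction)
        info = parse_data_header(hdr)
        print(hdr[:2].hex(), info["da"], info["sa"], info["bssid"], "-", delivery_path(info))
```

    Running the demo shows the first two header bytes as 0841 (ToDS, protected), 0842 (FromDS, protected) and 0840 (neither): the familiar values seen in a WEP capture. The FromDS form is the one a station accepts without the AP ever seeing the frame, which is what the "direct communication with an associated station" in the post above amounts to.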

  8. #8
    Junior Member
    Join Date
    Jan 2010
    Posts
    53


    You are right. Thx for the clarification.
