wifitap error "no /dev/net/tun"
I'm trying to test (understand the risk factor of) wifitap.
I've set up a mini WEP WLAN. One card is connected while the other card (Atheros) tries to "wifitap".
Each time I run wifitap (wifitap -b xxxx -w key) I get an error:
No such file or directory /dev/net/tun
Wifitap tries the correct card (ath0).
For additional info: I'm using a PCMCIA card.
I can't find related info in the forum.
Does anyone have a hint how to fix this or how to use wifitap correctly?
I'm still not making any progress on what is going wrong.
I know theoretically how weak WEP is. But, like men tend to be, I need to taste it with my own fingers. This way wireless security loses its invisibility and becomes real.
So it would be really nice if anybody could tell me what is going wrong.
I made a little progress.
Wifitap now creates the adapter but ping still fails.
lsmod | grep tun, to check if tun is loaded.
If not loaded
Now I connected eth1 to the WEP network,
used airmon to create ath0 with monitor mode enabled on the specified channel.
Then I started wifitap, supplying the access point BSSID and my WEP key.
Now I don't get any errors from wifitap and wj0 is created.
Then I ran ifconfig on wj0.
But when using ping -I wj0 RouterIP
I'm getting a destination unreachable.
Using eth1, ping runs fine...
With Google I found an example which activated ath0raw for output with wifitap. Unfortunately I'm not able to reproduce the creation of ath0raw.
Can someone help me out?
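The "No such file or directory /dev/net/tun" error from the first post means the tap library behind wifitap could not open the TUN/TAP clone device. The lsmod check above is the right start; the script below is an added example (not from the poster or from wifitap) that carries it through: it verifies that /dev/net/tun is really the TUN/TAP device (character device, major 10, minor 200), loads the driver if it is a module, and creates the node by hand on a static /dev. It assumes a Linux host and root for the repair step.

```shell
#!/bin/sh
# Added example, not from the thread: diagnose and repair the
# "No such file or directory /dev/net/tun" error wifitap raises when it
# cannot open the TUN/TAP clone device. Linux only; tun_fix needs root.
# Assumption: tun is built as a module (loaded with modprobe) and
# /dev/net/tun is the usual misc device, major 10 / minor 200.

TUN_NODE=/dev/net/tun

# tun_node_ok PATH: succeed only if PATH is a character device with major 10
# and minor 200, i.e. the real TUN/TAP clone device and not, say, a regular
# file left behind by an earlier "touch /dev/net/tun".
tun_node_ok() {
    node=$1
    [ -c "$node" ] || return 1
    # stat prints major/minor in lowercase hex: 10 -> a, 200 -> c8
    set -- $(stat -c '%t %T' "$node" 2>/dev/null)
    [ "$1" = "a" ] && [ "$2" = "c8" ]
}

# tun_fix: load the driver if it is missing, create the node if the system
# has a static /dev (no udev), then re-check.
tun_fix() {
    if tun_node_ok "$TUN_NODE"; then
        echo "$TUN_NODE already usable"
        return 0
    fi
    # 1. Without the driver there is nothing behind the node, and on many
    #    systems the node only appears once the module is loaded.
    if ! lsmod | grep -q '^tun '; then
        modprobe tun || { echo "modprobe tun failed: kernel without TUN/TAP?" >&2; return 1; }
    fi
    # 2. With a static /dev the node has to be created by hand.
    if [ ! -e "$TUN_NODE" ]; then
        mkdir -p /dev/net
        mknod "$TUN_NODE" c 10 200
        chmod 0600 "$TUN_NODE"
    fi
    tun_node_ok "$TUN_NODE" || { echo "$TUN_NODE is still not a 10,200 char device" >&2; return 1; }
    echo "$TUN_NODE ready"
}

# Usage (as root): sh tunfix.sh fix
# With no argument only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "fix" ]; then
    tun_fix
fi
```

Once tun_fix reports the node ready, wifitap should get past the open() and create its wj0 interface; if modprobe fails, the kernel was built without CONFIG_TUN and no device node will help.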
It's working (somehow)
Well, I got it working (at least ping is fine).
wifitap howto:
#load module tun
modprobe tun
#activate monitor mode
airmon-ng stop wlanDevice
airmon-ng start wlanDevice channel
#start promisc mode
ifconfig wlanDevice promisc
wifitap.py -b bssid -w key
ifconfig wj0 yourDesiredIP up
ping -I wj0 RouterIP
So far it works.
When I tested to get router HTTP access, nothing happened.
So I tried nmap
nmap -e wj0 -p80 -P0 routerIP
But no host found...
Any ideas why?
It is my understanding that the procedure communicates directly with an associated station (another user) not the DS itself.
At least that was what I understood from the conference lecture.
Well, this seems to be the correct hint.
I took a look at airtun-ng, which works very similarly.
There's a flag "toDS" which can be adapted to choose whether to send to the client or the station.
I assume wifitap always fills in "toDS=0" in the frame. I will check this out.
But why is ping to the DS working in this case?
Proof of concept
The background to this procedure is that of appreciating that management traffic on most APs (DSs) is distinct from payloads. It is possible to divorce the payload (usually encrypted) from the associated management frames and reinject different payloads using the same management traffic.
For this reason the Python script separates the management directives (collects all To DS packets), enabling injection of differing payloads.
It is a proof of concept, not a fully worked solution. If you want to develop a fully worked solution, extra scripting is needed, as noted in the script verbiage. It does not, for instance, currently collect 'FromDS' packets.
It is quite possible to do that. The script is short and commented. It uses scapy so that we do not have to 'reinvent the wheel'.
The essence remains that it is a proof of the concept that one can communicate directly with a station 'through' an AP without necessarily knowing the passkey. It is significant in that it is a type of activated rogue AP. A script of great worth.
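The toDS question raised two posts up and the "divorce the payload from the header" point made in this post are the same mechanism seen from two sides. The block below is an added example, not code from the thread and not wifitap's own (which uses scapy); it is dependency-free so it can be read and run anywhere. It models the tap-to-air translation such a tool performs: an Ethernet II frame from the tap becomes LLC/SNAP + WEP body under a 24-byte 802.11 data header, and the ToDS/FromDS bits decide which address slot carries DA, SA and BSSID. Because the WEP body (IV, RC4 keystream, CRC-32 ICV) is computed over the payload only, the very same encrypted bytes can be sent as a direct frame, a ToDS frame or a FromDS frame; that is exactly the knob the airtun-ng "toDS" flag exposes. The key, MACs and payload are constructed sample values.

```python
"""Added example, not code from the thread or from wifitap: a dependency-free
(no scapy) model of what a wifitap-style bridge does between a tap interface
and the air. It shows (a) how ToDS/FromDS pick the 802.11 address layout and
(b) that the WEP body covers the payload only, so one encrypted body can be
reinjected under any header. Key, MACs and payload are constructed values."""
import struct
import zlib

LLC_SNAP = bytes.fromhex("aaaa03000000")  # LLC/SNAP header that precedes the EtherType

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; WEP seeds it with IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP body = IV(3) | KeyID byte | RC4(IV||key, plaintext || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)

def wep_decrypt(key: bytes, body: bytes):
    """Inverse of wep_encrypt. Returns None when the ICV fails (wrong key or a
    damaged frame) so the caller drops the frame instead of passing junk up."""
    iv, ct = body[:3], body[4:]
    pt = rc4(iv + key, ct)
    data, icv = pt[:-4], pt[-4:]
    return data if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) == icv else None

def build_data_frame(da, sa, bssid, body, to_ds, from_ds, seq=0):
    """24-byte 802.11 data header with the Protected bit set, over a WEP body.
    Address slots follow the 802.11 ToDS/FromDS table (3-address forms only)."""
    if to_ds and from_ds:
        raise ValueError("4-address WDS frames are out of scope")
    if to_ds:        # station -> AP: the AP (BSSID) is the receiver
        a1, a2, a3 = bssid, sa, da
    elif from_ds:    # AP -> station: transmitter slot carries the BSSID
        a1, a2, a3 = da, bssid, sa
    else:            # direct / ad-hoc: BSSID rides in the third slot
        a1, a2, a3 = da, sa, bssid
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | 0x40  # 0x40 = Protected
    fc = bytes([0x08, flags])  # frame control: type=data, subtype=0
    return fc + struct.pack("<H", 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4) + body

def parse_data_frame(frame):
    """Recover DA/SA/BSSID and the body from a 3-address data frame."""
    flags = frame[1]
    to_ds, from_ds = bool(flags & 0x01), bool(flags & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:
        bssid, sa, da = a1, a2, a3
    elif from_ds:
        da, bssid, sa = a1, a2, a3
    else:
        da, sa, bssid = a1, a2, a3
    return {"to_ds": to_ds, "from_ds": from_ds, "protected": bool(flags & 0x40),
            "da": da, "sa": sa, "bssid": bssid, "body": frame[24:]}

def eth_to_wifi(eth, key, iv, bssid, to_ds, from_ds):
    """Tap -> air: Ethernet II frame to a WEP-protected 802.11 data frame."""
    da, sa, ethertype, payload = eth[:6], eth[6:12], eth[12:14], eth[14:]
    body = wep_encrypt(key, iv, LLC_SNAP + ethertype + payload)
    return build_data_frame(da, sa, bssid, body, to_ds, from_ds)

def wifi_to_eth(frame, key):
    """Air -> tap: decrypt, strip LLC/SNAP, rebuild the Ethernet II frame."""
    f = parse_data_frame(frame)
    pt = wep_decrypt(key, f["body"])
    if pt is None or pt[:6] != LLC_SNAP:
        raise ValueError("bad ICV or non-LLC/SNAP payload: drop the frame")
    return f["da"] + f["sa"] + pt[6:]

# Constructed sample values; no real network or key.
KEY = bytes.fromhex("0102030405")         # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")
BSSID = bytes.fromhex("00c0ca000001")     # the AP
STA = bytes.fromhex("0013ce000002")       # an associated client
INJECTOR = bytes.fromhex("0005b1000003")  # the card behind wj0
ETH = STA + INJECTOR + b"\x08\x00" + b"\x45\x00\x00\x1c" + b"A" * 24

# Three encodings of the same Ethernet frame, differing only in the header.
DIRECT = eth_to_wifi(ETH, KEY, IV, BSSID, to_ds=False, from_ds=False)
TO_AP = eth_to_wifi(ETH, KEY, IV, BSSID, to_ds=True, from_ds=False)
FROM_AP = eth_to_wifi(ETH, KEY, IV, BSSID, to_ds=False, from_ds=True)

if __name__ == "__main__":
    print("same WEP body under all three headers:", DIRECT[24:] == TO_AP[24:] == FROM_AP[24:])
    print("addr1 direct/ToDS/FromDS:", DIRECT[4:10].hex(), TO_AP[4:10].hex(), FROM_AP[4:10].hex())
    print("round trip:", wifi_to_eth(TO_AP, KEY) == ETH)
```

Two things fall out of running it. First, the WEP body is byte-identical in DIRECT, TO_AP and FROM_AP: nothing in the encryption binds the payload to the addresses, and the ICV is an unkeyed CRC, so a relay can pick the address layout freely, which is why a ToDS frame reaches the AP and a FromDS or direct frame reaches a station without touching the payload. Second, wep_decrypt refuses a wrong key or a flipped ciphertext bit via the ICV, which is the only integrity check a receiver has in WEP.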
You are right. Thanks for the clarification.