Wednesday, February 18, 2009

Mac OSX: Capturing 802.11 WLAN Traffic

This is a trick for Mac OSX users: if you want to capture 802.11 WLAN packets, you can't do that with tcpdump's normal capture arguments. Normally en1 is the wireless network interface on an Apple Macbook.

shell>sudo tcpdump -s 0 -nni en1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes

If you look at the link-type, it is EN10MB, so the 802.11 radio information header is not going to be captured. However, we can define the link type with tcpdump. First, list the supported link types for the interface -

shell>sudo tcpdump -nni en1 -L
Data link types (use option -y to set):
IEEE802_11_RADIO_AVS (802.11 plus AVS radio information header) (not supported)
IEEE802_11 (802.11)
IEEE802_11_RADIO (802.11 plus BSD radio information header)
EN10MB (Ethernet)

Specify the link type with the -y option -

shell>sudo tcpdump -y 'IEEE802_11_RADIO' -ttttnni en1
tcpdump: data link type IEEE802_11_RADIO
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type IEEE802_11_RADIO (802.11 plus BSD radio information header), capture size 96 bytes
2009-02-18 00:55:13.948664 3466317997us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY
2009-02-18 00:55:14.051029 3466420387us tsft 1.0 Mb/s 2462 MHz (0x0080) -44dB signal 0dB noise antenna 0 Beacon (SSID) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY

If you want to analyze 802.11 traffic, you can definitely play around with this. Of course if you want to put your Macbook into RFMON mode, the best tool around is Kismac.
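To show what the IEEE802_11_RADIO link type adds in front of each frame, here is an added example (not part of the original post) that decodes the radiotap header tcpdump summarizes in the beacon lines above. The field table covers radiotap present-bits 0 to 13 only, and the sample bytes are constructed from the values in the first beacon line, not taken from a real capture.

```python
import struct

# (bit, name, struct format, alignment) for radiotap present-bits 0..13.
# Fields for higher bits would follow these in the header and are ignored here.
FIELDS = [
    (0, "tsft_us", "<Q", 8), (1, "flags", "<B", 1), (2, "rate_500kbps", "<B", 1),
    (3, "channel", "<HH", 2), (4, "fhss", "<BB", 2),
    (5, "dbm_signal", "<b", 1), (6, "dbm_noise", "<b", 1),
    (7, "lock_quality", "<H", 2), (8, "tx_attenuation", "<H", 2),
    (9, "db_tx_attenuation", "<H", 2), (10, "dbm_tx_power", "<b", 1),
    (11, "antenna", "<B", 1), (12, "db_signal", "<B", 1), (13, "db_noise", "<B", 1),
]

def parse_radiotap(frame: bytes) -> dict:
    """Decode the radiotap header at the start of a captured frame."""
    if len(frame) < 8:
        raise ValueError("truncated radiotap header")
    version, _pad, length, present = struct.unpack_from("<BBHI", frame, 0)
    if version != 0:
        raise ValueError("unsupported radiotap version %d" % version)
    if length < 8 or length > len(frame):
        # Happens when the snaplen cut the frame inside the radio header.
        raise ValueError("radiotap length %d outside captured data" % length)
    offset, word = 8, present
    while word & (1 << 31):            # bit 31: another present word follows
        if offset + 4 > length:
            raise ValueError("present bitmap runs past header")
        (word,) = struct.unpack_from("<I", frame, offset)
        offset += 4
    out = {"header_len": length}       # the 802.11 frame starts at this offset
    for bit, name, fmt, align in FIELDS:
        if not present & (1 << bit):
            continue
        offset = (offset + align - 1) & ~(align - 1)   # aligned from header start
        size = struct.calcsize(fmt)
        if offset + size > length:
            raise ValueError("field %s runs past header" % name)
        values = struct.unpack_from(fmt, frame, offset)
        out[name] = values[0] if len(values) == 1 else values
        offset += size
    return out

# Constructed sample: TSFT, flags, rate, channel, signal, noise and antenna
# present (0x086F), followed by the first two bytes of a beacon frame.
SAMPLE = struct.pack("<BBHI", 0, 0, 25, 0x086F) + struct.pack(
    "<QBBHHbbB", 3466317997, 0, 2, 2462, 0x0080, -44, 0, 0) + b"\x80\x00"

if __name__ == "__main__":
    print(parse_radiotap(SAMPLE))
```

The rate field is in units of 500 kb/s, so the value 2 corresponds to the 1.0 Mb/s tcpdump prints, and the channel tuple is (frequency in MHz, channel flags).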

Enjoy (;])

Tuesday, February 17, 2009

HITB Dubai 2009


HITB Dubai is coming again this year. There will be 3 technical trainings and a good lineup of speakers, so don't miss it!

The economy is not in good shape at the moment, but hackers are still working hard, so make your way to the conference and see what they are up to ;]

For more information, check out -

http://conference.hackinthebox.org/hitbsecconf2009dubai/

Cheers ;]

Monday, February 09, 2009

Pcapr - Another pcap repository

I just found another public packet capture repository, which is supported by Mu Dynamics. For more detail, check out the web site here ->

http://www.pcapr.net/home

More packets for the monkeys!

Cheers ;]

Wednesday, February 04, 2009

Ubuntu: Netdude Installation Revisit

Many people have urged me to update my old Netdude installation guide. I don't know what went wrong for them, but here's how I got Netdude 0.5 installed on Ubuntu 8.04.

Make sure you have the Debian packages that I mentioned in the old post installed properly via apt-get, then download Netdude 0.5.0, libnetdude 0.11 and libpcapav 0.8 from here.

The sequence of installation is libpcapav -> libnetdude -> Netdude.

To install libpcapav 0.8 -

shell>tar xvzf libpcapav-0.8.tar.gz

shell>cd libpcapav-0.8

shell>./configure --prefix=/usr/local/stow/libpcapav-0.8

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow libpcapav-0.8

To install libnetdude 0.11 -

shell>tar xvzf libnetdude-0.11.tar.gz

shell>cd libnetdude-0.11

shell>./configure --prefix=/usr/local/stow/libnetdude-0.11

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow libnetdude-0.11

To install netdude 0.5.0 -

shell>export LDFLAGS=-L/usr/local/lib

shell>tar xvzf netdude-0.5.0.tar.gz

shell>cd netdude-0.5.0

shell>./configure --prefix=/usr/local/stow/netdude-0.5.0

shell>make

shell>sudo make install

shell>cd /usr/local/stow

shell>sudo stow netdude-0.5.0

Now you can run netdude and check out its version -

shell>netdude --version
0.5.0

The reason I like to use stow to manage my software installation is that I can install multiple versions of netdude in /usr/local/stow first, and choose which to use by stowing and unstowing (stow -D) them.

There you go, it should be flawless unless my memory sux(though I'm).

Enjoy (;])