MAC - Spoofing

Hello...

I have a univ - project to do a Denial of Service attack to a WLAN.
The way i should do this is by setting up a 'fake Acces Point', get the same MAC address of the real Acces Point and broadcast to all logged in users that they cannot connect to the network anymore.

Firtst problem: changing MAC address: i found a program written in C++ to spoof a MAC, but I have to write the hack-program in java... so anybody has a clue? i can't find it in java...
in c++ it looks like this
#include <sys/ioctl.h>
mc_net_info_set_mac (net_info_t *net, const mac_t *mac)
{
int i;

for (i=0; i<6; i++) {
net->dev.ifr_hwaddr.sa_data[i] = mac->byte[i];
}

if (ioctl(net->sock, SIOCSIFHWADDR, &net->dev) < 0) {
perror ("ERROR: Can't change MAC: interface up or not permission");
return -1;
}

return 0;
}
full source available at http://www.alobbs.com/modules.php?op...acc&file=index

Second problem: i don't know what and how to broadcast ( of course i'm still searching myself :) )

Third problem: In our university city we all have direct acces to a university network and i know some students are able to break in into my Pc via that network. So do u know any GOOD sites where i can get information how they do that/how i can prevent it.

Forgot to tell: I use (gentoo) Linux

For the MAC program, can you use JNI? If you can, just call this C program from Java (Cheating, I know, but what the hell). Otherwise, I don't think java has anything that goes all the way to the MAC layer, only TCP and UDP protocols are supported in java.net.* .

As to what to broadcast, you might want to look into poisoning the ARP cache and just not forward any of the packets that you receive (I might be talking through my hat on the second one, I only have a very basic understanding of how it works).

As for the third one, this site!!! Just search the newbie security forums, they rock!!!

Cheers,
cgkanchi

Thx a lot!

Yes, I can use JNI (phew).

The ARP cashe poisoning would probably work, but i can not do it like that:
I HAVE TO send a disconnect message to all logged in users. I searched the net and only found this: you can first grab a disconnect message from the access point and then keep on resending it. Little problem: how the hell can i grab a disconnect message without doing a serversided DoS??
So if anybody knows how a disconnect message looks like and whether it's the same for every wireless access point, let me know.

Quote:

---

Originally posted here by paranoid_sonic
[B]Thx a lot!

Yes, I can use JNI (phew).

The ARP cashe poisoning would probably work, but i can not do it like that:
I HAVE TO send a disconnect message to all logged in users.

---

Not necessairly. Many systems, unless configured not to, will accept a gratituitous ARP. Meaning that even if they have the ARP entry, if they see the ARP broadcast with a new MAC, they will take it, whether they had it or not... This is one of the big things that DSNIFF takes advantange of.


Seems kind of a strange project to DoS wireless, but I would think your traditional type of DoS attacks would be much simpler...for example, smurf (spoofed ping to broadcast with WAP as source), maybe some bad routing advice (kind of depends on what they are using and whether or not it is static)...

/nebulus

You have a university project to DoS a WAN? what are you studying?

Civil engineer... project includes wep-cracker and dos attack.

Don`t civil engineers build bridges and design roads?

LOL
yes, some of them do...
but while studying for civil engineer you can choose (after the second year): chemistry, computer science, mechanics, elektrotechnics, etc...

Ok, just checking, the civil engineers I know do indeed build bridges and roads.

Back to you original question, is the hardware you are going against from one particular vendor? or a mix?

Th ARP cache poisoning as explained, should work, or just create a lot of wireless noise to disrupt the wireless signal (a really big microwave oven would work..). On a more serious note, you need to flood the network with "disassocate" commands. An easy approach might be to take a look at HostAP, this is a driver that allows you to turn your machine into an access point, and may come with the ability to send out the disassociate command (not to sure, haven`t played with it very much).

To actually get the command I think you will need to dig into the RFC's relating to wireless, I`ll see if I can find anything for you (doing some wireless work at the moment)