Proximoth & Control Frame Attack

Standards and architecture designs build up into systems that surround the world and push the information age into the future. Every manufactured device gets its share of these standards, and devices generally share the same properties even when the branding differs. With this similarity comes the opportunity to conquer faraway lands without going on a journey. In this article we will focus on the Control Frame Attack vulnerability, which arises because Wi-Fi chips built on the same standards end up violating your privacy, and we will look at the tool Proximoth for vulnerability analysis and detection.

Did you know that your device might tell Oscar whether you are nearby without you even realizing it? Trusting the machine has consequences.

Disclaimer

Proximoth was created for the sake of vulnerability detection and raising awareness of the Control Frame Attack vulnerability, which was discovered by the U.S. Naval Academy. I encourage everyone not to use this tool for any action that could be illegal. I do not take any responsibility for any use that might cause denial of service or data loss.

Notion Behind Proximoth

The idea first came to my mind when I wondered whether I could determine if a friend of mine was in a cafe I was passing by. The method had to be undetectable by a normal person, meaning they should not even suspect any virus/spyware activity, and it had to require at most a single piece of information about the target, which I had to be able to find without making the target suspicious.

One can see that if this method succeeds, it could lead to scenarios where the targets are important people. So I thought it would be beneficial to share and publicize this vulnerability.

Control Frame Attack

What information does the attack require?

  • Global MAC Address of the target device’s Wi-Fi chip.

What equipment is needed from the attacker side?

  • A Wi-Fi Antenna with packet injection AND packet sniffing capabilities (Monitor Mode).
  • A computer with Debian based operating system.

How does the attack process work?

U.S. Naval Academy states in their article [1] that:

“The result of sending a RTS frame to the global MAC address of a device performing randomization was that the target device responded with a CTS frame.”

RTS and CTS

Wireless protocols ensure that devices do not collide with one another on the shared communication medium. This prevention is provided by frames specialized for the task, two of which are RTS and CTS. RTS stands for Request to Send and CTS stands for Clear to Send. When a device wants to send frames over the medium, it asks whether the medium is available (RTS); the intended receiver replies that the medium is clear (CTS), and other devices that hear the exchange hold back for the announced duration. These two frames are responsible for this vulnerability.

Forged RTS frames contain a spoofed MAC address as the transmitter and the target’s global MAC address as the receiver. In order to get a reply from the target, the threat actor’s Wi-Fi chip must be on the same channel as the target’s Wi-Fi chip. When a device is connected to a Wi-Fi network, its wireless chip stays on the same channel as the router; when the device is in passive network search mode, it hops between channels, so staying on one channel and waiting for a hopping device to pass through it is a valid choice. In the end, the threat actor receives a CTS frame from the target on the channel the threat actor is listening to.

The vulnerability that Proximoth uses is called the Control Frame Attack by the U.S. Naval Academy in their article [1] because RTS and CTS frames belong to the “Control Frames” category of Wi-Fi frames.
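From the defender’s side, the same RTS/CTS exchange is also what a monitoring station can watch for. The following is an added example, not Proximoth’s own code: it parses raw 802.11 RTS/CTS headers and flags a receiver address that is being hit by RTS frames from many different transmitter addresses in a short window, counting the CTS frames that leak back to those addresses. The sample capture, the frame timestamps and the thresholds are constructed; the capture driver is assumed to have stripped the 4-byte FCS.

```python
"""Added example (not Proximoth's code): parse raw 802.11 RTS/CTS headers and
flag a receiver probed by RTS frames from many distinct spoofed transmitter
addresses. Assumes the capture driver already stripped the 4-byte FCS."""
from collections import defaultdict
RTS_FC, CTS_FC = 0xB4, 0xC4  # frame-control byte 0: type=control, subtype=RTS / CTS

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_control_frame(raw: bytes):
    """Layout FC(2) Duration(2) RA(6) [TA(6), RTS only]. Returns ("RTS", ra, ta)
    or ("CTS", ra, None); None for any other frame type."""
    if len(raw) >= 16 and raw[0] == RTS_FC:
        return ("RTS", mac_str(raw[4:10]), mac_str(raw[10:16]))
    if len(raw) >= 10 and raw[0] == CTS_FC:
        return ("CTS", mac_str(raw[4:10]), None)
    return None

def find_probed_stations(frames, window=2.0, min_distinct_ta=3):
    """frames: iterable of (timestamp_seconds, raw_bytes). Returns {target_ra:
    {"spoofed_tas": n, "cts_replies": m}} for each RA that received RTS from at
    least min_distinct_ta TAs within `window` s; cts_replies = CTS sent back to them."""
    rts_by_ra = defaultdict(list)  # ra -> [(ts, ta), ...]
    cts_to = defaultdict(int)      # CTS receiver (== spoofed TA) -> count
    for ts, raw in frames:
        parsed = parse_control_frame(raw)
        if parsed is None:
            continue  # data/management frames are irrelevant here
        kind, ra, ta = parsed
        if kind == "RTS":
            rts_by_ra[ra].append((ts, ta))
        else:
            cts_to[ra] += 1
    findings = {}
    for ra, hits in rts_by_ra.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {ta for ts, ta in hits[i:] if ts - t0 <= window}
            if len(distinct) >= min_distinct_ta:
                findings[ra] = {"spoofed_tas": len(distinct),
                                "cts_replies": sum(cts_to[t] for t in distinct)}
                break
    return findings

# Constructed sample: 3 spoofed RTS to one target, 2 CTS leaks, 1 legit RTS, 1 beacon.
def _rts(ra, ta): return bytes([RTS_FC, 0, 0, 0]) + ra + ta
def _cts(ra): return bytes([CTS_FC, 0, 0, 0]) + ra
TARGET = bytes.fromhex("0EBFC825FF9A")
SPOOFED = [bytes.fromhex("0211223300%02X" % i) for i in (1, 2, 3)]
SAMPLE = [(0.0, _rts(TARGET, SPOOFED[0])), (0.1, _cts(SPOOFED[0])),
          (0.2, _rts(bytes.fromhex("001A2B3C4D5E"), bytes.fromhex("00AABBCCDDEE"))),
          (0.3, b"\x80\x00" + bytes(22)), (0.5, _rts(TARGET, SPOOFED[1])),
          (1.0, _rts(TARGET, SPOOFED[2])), (1.1, _cts(SPOOFED[2]))]
```

Running find_probed_stations(SAMPLE) reports the constructed target with three spoofed transmitters and two CTS replies, while the single legitimate RTS and the beacon are ignored.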

Defense Against The Vulnerability

U.S. Naval Academy states in their article [1] that:

“…This leads us to believe that RTS/CTS responses are not a function of the OS, but of the underlying IEEE 802.11 chipset. Manufacturers have configured their chipset hardware with default RTS/CTS operation which may not even be accessible to configure at the OS level. If we are correct, this derandomization issue can not be fixed with a simple patch or OS update.”

After using Proximoth myself, I can say that some devices turn off their Wi-Fi chips when you lock the screen. This prevents any CTS response to the threat actor; on the other hand, some devices still send CTS responses even when you lock the screen and turn it off. This variety depends on how the operating system manages the chipset; but once the chipset is on, the CTS responses are inevitable.

According to my research, devices released in 2020 or later do not have this vulnerability. Considering that the article [1] was released in 2017, this vulnerability was patched after 3 years. I will continue investigating devices and publish the list of vulnerable devices on the Proximoth GitHub page. You can contribute to this list by sending your findings to me.

Since the vulnerability cannot be patched by operating system updates, the one certain solution is buying a device that was released after 2020. If you are a smartphone user, turning off Wi-Fi when it is not in use is another option.

Proximoth And Vulnerability Detection

Proximoth is a Wi-Fi tool that replicates the Control Frame Attack to determine whether the subject device is vulnerable.

Proximoth Features

  • Colorful panel to view analysis information (plus a narrowed mode)
  • Output time/period/signal information to a file
  • Output of all CTS Frames to a pcap file
  • RTS Frame injection speed control
  • Wait until no previously injected RTS frames remain
  • Custom MAC address as the spoofed transmitter address (first 3 pairs are arbitrary)

Source Code/Releases/Usage

The Proximoth GitHub page can be found below.

References

[1] Martin, J., Mayberry, T., Donahue, C., Foppe, L., Brown, L., Riggins, C., … & Brown, D. (2017). A Study of MAC Address Randomization in Mobile Devices and When it Fails. Proc. Priv. Enhancing Technol., 2017(4), 365-383.

Batch MAC Spoofer

Windows has always been restrictive compared to Linux. While Linux developers benefit from the power of the bare hardware, Windows users were given a GUI-based user experience that depends on API calls and does not give the feeling of full control. Even though Windows does not look like an OS with ultimate customizability, there are still ways to achieve some Linux-like tasks on it. Speaking of tasks, this project is based on the tool “macchanger“, which runs on Linux, and brings similar functionality to Windows machines. You can download the source code right away, but I recommend that you first take a look at the information about MACs and this script below. 😀

Disclaimer

This tool is intended to teach IT Security enthusiasts about network security implementations. Any illegal activity is not my responsibility.

What Is A MAC Address?

The MAC (Media Access Control) address is a unique identifier for network interface cards (NICs). Together with the IP address, MACs are used to determine where a network packet should be delivered on a network. The difference between IPs and MACs is that MACs are always static, while IPs can be dynamic depending on how and where you connect to the Internet.

Every MAC follows the same rules:

  • Each character is a hexadecimal digit.
  • There are a total of 12 characters, or 6 pairs.
  • Every pair is separated from the next with a colon.

An example of a MAC address -> 0E:BF:C8:25:FF:9A

  • If you are a Windows user, you can check yours from the command prompt by typing: ipconfig /all or getmac
  • If you are a Linux user, you can use ifconfig command on the terminal.

Technically, a MAC address is not alterable. Each one is burned into your network interface card. Even though they cannot be changed directly on the hardware, the software side can spoof them. The potential power of spoofing MAC addresses is valuable because a MAC address gives a lot of information to anyone with a technical understanding.

What Can You Infer From A MAC?

MAC addresses consist of 2 parts, each made up of 3 pairs of characters. The first 3 pairs are the most valuable because they reveal information about your device’s manufacturer: a hardware company sets the same pairs on its similar hardware, so from them you can predict what the device is. There is a database of MAC pairs and manufacturer names on the website wireshark.org. The last 3 pairs identify the individual device, and this information can still be useful.

With this web-based tool, you can query yours or other people’s MAC address.

MAC Spoofing On Windows

The trick behind the scenes depends on the Windows Registry, where much information about the machine and its users is stored. The script finds where the information about the network card you selected is stored, and then changes that registry value to the one you specified in the script.

The registry holds a lot of information about the machine and its users. Many things can be viewed or altered there, including MAC addresses. 🙂

The Usage

You have to run the script with administrator privileges, because writing to the registry requires admin rights.

The script simply welcomes you with the interface selection screen, where you specify the interface you wish to use if you have more than one. If you have only a single interface, the script automatically sets it as default.

Note: This script only works with wireless interfaces; do not expect any functionality with Ethernet cards.

Detection and selection of the interface.

Then the main menu pops up. You have the option to select your interface later. You can also plug in any new/external interface and select it later on the interface selection page.

After typing “macspoof”, you have 3 options: randomize the MAC, set a custom MAC of your own, or revert to the original static one. Be careful when typing a custom MAC, because Windows accepts only certain patterns for new MACs. Do not put colons between pairs, and do not use any character other than E, A, 2, or 6 as the second character. Examples:

0ABBCCDDEEFF -> The second char is A so it is valid.

EXBBCCDDEEFF -> The second char is X so it is invalid.

a6bbccddeeff -> The second char is 6, and lower case values are also accepted so it is valid.

aa11bb22cc33dd -> Length is longer than 12 chars so it is invalid. Shorter lengths are also not accepted.
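The two things this section relies on, reading the OUI and flag bits out of a MAC and checking a custom MAC against the pattern Windows accepts, fit in one small script. It is an added example, not the Batch MAC Spoofer’s own code; the OUI table entry is constructed, and the real lookup is the manufacturer list on wireshark.org. The second-character rule (2, 6, A or E) is exactly “locally-administered bit set, multicast bit clear” in the first octet, which is also how a defender can tell a randomized or spoofed address from a burned-in one.

```python
"""Added example, not the Batch MAC Spoofer's own code: inspect a MAC address
(OUI and the IEEE 802 flag bits of the first octet) and validate a custom MAC
against the pattern Windows accepts, as described above."""
import re

# Constructed mini OUI table; the real lookup is the manufacturer list on wireshark.org.
OUI_TABLE = {"00:1A:2B": "ExampleVendor (constructed entry)"}

def parse_mac(mac: str):
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-..., or AABBCCDDEEFF; return 6 ints or None."""
    digits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]

def describe_mac(mac: str) -> dict:
    """OUI / vendor plus the two flag bits: bit 0 of the first octet = multicast,
    bit 1 = locally administered (not burned in, so randomized or spoofed)."""
    octets = parse_mac(mac)
    if octets is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    oui = ":".join(f"{o:02X}" for o in octets[:3])
    return {"oui": oui,
            "vendor": OUI_TABLE.get(oui, "unknown"),
            "multicast": bool(octets[0] & 0x01),
            "locally_administered": bool(octets[0] & 0x02)}

def windows_custom_mac_error(value: str):
    """None if Windows would accept `value` as a custom MAC, else the reason.
    Rules from the spoofer section: exactly 12 chars, no separators, hex only,
    second char 2/6/A/E (locally-administered bit set, multicast bit clear)."""
    if len(value) != 12:
        return "length must be exactly 12 characters"
    if value[1].upper() not in "26AE":
        return "second character must be 2, 6, A or E"
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", value):
        return "only hex characters are allowed, no separators"
    return None
```

Note that the page’s own example address 0E:BF:C8:25:FF:9A has the locally-administered bit set, so describe_mac reports it as not a burned-in address.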

The spoofing screen showing options.

GitHub Page



WI-FI Brute Forcer

This project is based on the trick of how to hack WI-FI with CMD. The main purpose behind creating a Wi-Fi hacking tool with CMD is to make everyone aware of how easy it is to break a simple password, and to motivate them to use complex passwords to stay protected against it.

Disclaimer

This tool is intended to teach IT Security enthusiasts about network security implementations. Any illegal activity is not my responsibility.

ABOUT PASSWORD CRACKING WITH CMD

Some of you may know the concept of brute forcing, but I will explain it for the ones who don’t. In case you are already familiar with it, you are free to skip this part (although you will definitely learn something new from it).

There are 3 types of attacks:

1) BRUTE FORCE ATTACK FOR PASSWORD CRACKING

This type of attack simply tries all possible combinations. It seems weird and impractical at first, but since computers can do billions of calculations per second, trying everything is not that impractical. The only problem is that it needs time; A HELL OF A LOT OF TIME!

2) DICTIONARY ATTACK

In this type of password attack we again try many passwords, but this time they are read from a text file that you give to the program. So the program only tries a limited set of password candidates to check whether it can access the network.

3) THE MASKED ATTACK

In a masked attack we take a slightly different approach: the idea is to try all possible combinations within a pattern that the programmer defines. In this attack, hackers combine some social engineering to make it better and less hard for the dumb computer.
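To make the three attack types concrete from the defender’s side, here is an added example (not the WI-FI Brute Forcer’s own code) that estimates the worst-case number of attempts each type needs against a given password and the time that takes at a given attempt rate. The tiny wordlist and the rate of one netsh connect attempt every 5 seconds are constructed assumptions, not measurements.

```python
"""Added example (not the WI-FI Brute Forcer's code): worst-case attempts and
time for each of the three attack types against one password. The wordlist and
the attempt rate are constructed assumptions, not measurements."""
import math

CHARSETS = {"?d": 10, "?l": 26, "?u": 26, "?s": 33}  # digits, lower, upper, symbols
FULL_ALPHABET = sum(CHARSETS.values())               # 95 printable ASCII characters
WORDLIST = {"password", "12345678", "qwertyui", "letmein1"}  # constructed tiny list

def infer_mask(password: str) -> str:
    """The mask a masked attack would need to match this password's shape,
    e.g. 'Cafe2024!' -> '?u?l?l?l?d?d?d?d?s' (best case for the attacker)."""
    out = []
    for ch in password:
        if ch.isdigit():
            out.append("?d")
        elif ch.islower():
            out.append("?l")
        elif ch.isupper():
            out.append("?u")
        else:
            out.append("?s")
    return "".join(out)

def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask expands to: product of each position's charset."""
    return math.prod(CHARSETS[mask[i:i + 2]] for i in range(0, len(mask), 2))

def audit_password(password: str, attempts_per_second: float = 0.2) -> dict:
    """Worst-case attempts and seconds per attack type. 0.2/s is a constructed
    figure for one netsh connect attempt every 5 seconds; a dictionary attack is
    reported as None when the password is not in the list (it would never hit)."""
    attempts = {
        "dictionary": len(WORDLIST) if password in WORDLIST else None,
        "masked": mask_keyspace(infer_mask(password)),
        "brute_force": FULL_ALPHABET ** len(password),
    }
    return {kind: None if n is None else {"attempts": n, "seconds": n / attempts_per_second}
            for kind, n in attempts.items()}
```

For "12345678" the dictionary attack finishes in seconds, the all-digit mask needs 10^8 attempts, and the full brute force 95^8, which is the gap a complex password is meant to exploit.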

HOW TO HACK WIFI WITH CMD? – THE ALGORITHM

So basically, in this part you’ll learn how it is possible to hack a Wi-Fi password with CMD, and it is not another fake trick to fool you! Let’s have a look at the basic parts of this project:

WI-FI Brute Forcer has 3 main parts:

  1. Interface Detection and Selection
  2. WI-FI Scanning
  3. Attacking

Detecting Interfaces and Selection

netsh wlan show interfaces

With the help of the built-in executable netsh.exe, many things are possible. The program detects your physical interfaces with the command above, but not by simply running it: it uses one of the very versatile for loops that batch scripts provide, which is something I love about CMD. With this for loop, the interfaces are enumerated and stored in global variables. From this point the selection is up to you if you have multiple interfaces; the program chooses the only option if you have just one.

Scanning

netsh wlan show networks

Netsh means a lot when it comes to networking with CMD. The command above shows which networks can be seen from which interface. The tricky loops of CMD come into play again: the algorithm enumerates every network and stores them in a file, which is then printed onto the screen.

Attacking

netsh wlan connect name="<SSID>" interface="<WI-FI>"

A simple command turned a script into a hacking machine. Run once, the command above just connects to a network. The trick under the hood is running it in a loop until a connection is established between you and the router. The program checks the connection status while running the command above, so if you are connected, the attack is successful.

How Are Password Lists Used Inside The Script?

Short answer: XML and String Substitution.

Windows connects to a network by using an XML profile file that stores the SSID and password. The program uses a modified XML file as a template to create custom importable XML files, with placeholder text where the SSID and password normally go.

When you select a network from the scan results, the script replaces the “changethistitle” text with your selection. Then a big password loop starts: the script takes the passwords from passlist.txt one by one and replaces the “changethiskey” text with each password. Then the script imports the XML file with the CMD command below.

netsh wlan add profile filename=attempt.xml

With this import, we are now ready to try connecting. The rest is the job of the netsh connect command.



Disclaimer:

  • Unfinished Product, may not work for all Windows 10 systems.
  • I am not responsible for any illegal activity, educational purposes only.


GitHub Page



What’s new?

[Release 1.2.0] Undercover Update

  • Added MAC Spoofing Feature.
  • Interface Detection bugs fixed.
  • Graphics updated.

[Release 1.1.2]

  • Upgraded attack progress observation.
  • Fatal errors at interface detection system fixed.
  • Some bugs fixed.

[Release 1.1.1]

  • Some bugs fixed.
  • UI improved.

[Release 1.1.0]

  • Added WI-FI interface selection and automatic interface detection.
  • Some bugs fixed.

[Release 1.0.0]

  • First Release.

Sphere Escape

Specifications


  • Platforms: Windows
  • Language: C# + Unity Game Engine
  • Version: 1.0.20
  • Size: 20 MB
  • Type: Proprietary Software
  • Status: Not Supported Anymore
  • Developed by Technical_User_X

A basic platformer game where your mission is to go to end of the map to pass finish line.

You will encounter different types of challenges during this journey.


Disclaimer: Unfinished Product.


Download Links