Demonstrations I showed during the WiSec class at EURECOM.
Perform a replay attack on an unprotected RF clicker: the captured transmission is simply re-emitted, since nothing in the protocol ties a command to a fresh session.
- Directory: rf-clicker/
Exfiltrate a secret in Morse code through a Soft-Tempest covert channel built on the Ethernet link mode: switching the link speed changes the cable's electromagnetic emissions, which an SDR can pick up as on/off keying.
- Prerequisites:
  - One computer connected with an Ethernet cable to an internet box, OR two computers connected to each other with an Ethernet cable.
  - One SDR (anything from an RTL-SDR to a USRP).
  - GQRX, and sudo permissions (changing the link mode requires root).
- Directory: rf-etherify/
Demo using OpenBTS and a USRP B210 or B200mini SDR to build a rogue GSM base station.
- Hardware:
  - Ettus USRP B210
- Software:
  - Ubuntu 16.04
  - OpenBTS
In this demo, you generate traffic on a WEP-protected Wi-Fi network by replaying a captured ARP request, so that the access point keeps emitting frames with fresh IVs; once enough IVs have been captured, the WEP key is cracked offline. Every step is scripted in a =Makefile=.
Setup:
- Software:
  - aircrack-ng
  - NetworkManager
- Hardware:
  - Attacker: aircrack-compatible Wi-Fi dongle (here, ZyXEL NWD6605 (Amazon) with the rtl8812au driver).
  - Victim: AP-compatible interface (here, the Wi-Fi card of a Lenovo Thinkpad T460 laptop).
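What the ARP replay actually gives the attacker, as an added example (not the demo's own code, which drives aireplay-ng and aircrack-ng from its Makefile): every re-broadcast ARP request is a frame of fixed, recognisable length whose first 16 plaintext bytes (LLC/SNAP header plus the start of the ARP header) are known, so XORing them with the ciphertext yields 16 keystream bytes for that IV. The script simulates the access point's WEP encryption (RC4 keyed with IV || WEP key, CRC-32 ICV) and the attacker's harvesting of an IV-to-keystream table, which is the input the PTW/FMS key recovery in aircrack-ng works on and which also decrypts any later frame that reuses an IV. The key, MACs, IP addresses and IV values are constructed here; the statistical key recovery itself is not reimplemented.

```python
"""
What ARP replay gives the attacker on a WEP network: one (IV, keystream) pair per
replayed frame. Added example, not the demo's own code. The key, MACs, IPs and IVs
below are constructed values.
"""
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """First n keystream bytes of RC4 under key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in clear || RC4_{IV || key}(plaintext || CRC-32 ICV).
    The 1-byte key-index field that follows the IV in a real frame is omitted."""
    iv_bytes = iv.to_bytes(3, "little")
    data = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    keystream = rc4(iv_bytes + wep_key, len(data))
    return iv_bytes + bytes(c ^ k for c, k in zip(data, keystream))


# LLC/SNAP header + first 8 bytes of an ARP request (hw type, proto, lengths, opcode):
# identical in every ARP request, so an attacker who recognises the frame by its fixed
# length knows these 16 plaintext bytes.
KNOWN_ARP_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    return KNOWN_ARP_PREFIX + sender_mac + sender_ip + b"\x00" * 6 + target_ip


def simulate_arp_replay(wep_key: bytes, first_iv: int, n_replays: int) -> list:
    """Constructed traffic: the attacker re-injects one captured ARP request and the AP
    re-broadcasts it each time under a fresh IV (here a simple counter)."""
    arp = arp_request(bytes.fromhex("66778899aabb"),
                      bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return [wep_encrypt(wep_key, iv, arp) for iv in range(first_iv, first_iv + n_replays)]


def harvest_keystreams(frames: list) -> dict:
    """Attacker side: C XOR known P gives the first 16 keystream bytes for each IV.
    This IV -> keystream-prefix table is what aircrack-ng's PTW/FMS analysis consumes."""
    table = {}
    for frame in frames:
        iv = int.from_bytes(frame[:3], "little")
        table[iv] = bytes(c ^ p for c, p in zip(frame[3:19], KNOWN_ARP_PREFIX))
    return table


def recover_prefix(frame: bytes, table: dict):
    """Decrypt the first 16 bytes of any frame whose IV is already in the table (IV reuse);
    returns None when the IV has not been seen."""
    keystream = table.get(int.from_bytes(frame[:3], "little"))
    if keystream is None:
        return None
    return bytes(c ^ k for c, k in zip(frame[3:19], keystream))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
    table = harvest_keystreams(simulate_arp_replay(key, 0x1000, 200))
    print(f"{len(table)} IVs harvested, 16 keystream bytes each")
```

With a 24-bit IV there are only 16,777,216 keystreams per key, so a busy (or replayed-into) network exhausts them quickly; the harvested table is both the raw material for the statistical key recovery and, on its own, enough to decrypt the start of any frame that reuses an IV.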
In this demo, you set up a WPA2-protected network with a victim client authenticated to it. As the attacker, you listen to the traffic to capture a 4-way handshake while sending deauthentication frames to the victim, which forces it to reconnect and redo the handshake. You can then run an offline dictionary attack on the captured handshake to recover the WPA2 pre-shared key (the passphrase); this only succeeds if the passphrase is in the dictionary.
Every step is scripted in a =Makefile=.
Setup:
- Software:
  - aircrack-ng
  - NetworkManager
- Hardware:
  - Attacker: aircrack-compatible Wi-Fi dongle (here, ZyXEL NWD6605 (Amazon) with the rtl8812au driver).
  - Victim AP: a COTS ASUS Wi-Fi access point.
  - Victim STA: the Wi-Fi card of a Lenovo Thinkpad T460 laptop.
Set up a fake Wi-Fi network with the same name as a legitimate one, creating an evil twin. The goal is to make the victim client connect to the evil twin instead of the legitimate AP.
This demo succeeded once but failed on another attempt. Some parameters could be tuned to make it more reliable. Once that is done, it would be worth setting up transparent forwarding of the victim's traffic to the internet to make the evil twin stealthy (currently, the victim loses its internet connection).