Security technology and common sense are not always 100% compatible.
We recently encountered Cisco Wireless Client Isolation, a simple technology that prevents wireless clients from communicating with each other, used as a security control on an open wireless network. Handy-sounding technology, except for one small problem … how do you prevent radio transceivers from communicating with each other?
As the deployment didn’t actually involve putting every wireless client into a Faraday cage and plugging them into Ethernet, we had to demonstrate why this setup was not exactly secure…
Which brings us to wifitap, a set of very clever tools by Cédric Blancher that bridges a Linux tun/tap device with a WiFi interface in monitor mode, and allows you to communicate directly with wireless clients without associating with an Access Point (AP).
The way 802.11 is supposed to work, an AP mediates all communication on the network, which means that in theory technology like Cisco Client Isolation would work great:
However, in reality 802.11 is … well … wireless. Short of carefully designed encryption or a highly directional antenna design, there is no way to dictate exactly who sends what to whom on a wireless network. To exploit this, wifitap reads packets sent from the victim to the AP using a WiFi transceiver in monitor mode, and simply injects responses to those packets as if they came from the AP.
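The injected frames above are indistinguishable from the AP's own at the client, but a monitor-mode sensor can still spot them. As an added example (not code from the post or from wifitap), the script below parses the 802.11 data-frame MAC header and applies the classic wireless-IDS heuristic of tracking the AP's 12-bit sequence counter: a frame that carries the AP's BSSID as transmitter (FromDS=1) but whose sequence number jumps far outside the AP's running counter is flagged. The BSSID, client MAC and frames are constructed for the example.

```python
import struct

# Constructed sample addresses (not from the post).
AP_BSSID = bytes.fromhex("00aabbccddee")
CLIENT = bytes.fromhex("0011223344aa")

def parse_dot11_header(frame: bytes) -> dict:
    """Parse the fixed 24-byte MAC header of an 802.11 data frame."""
    fc, _dur, a1, a2, a3, seq_ctl = struct.unpack_from("<HH6s6s6sH", frame, 0)
    return {
        "type": (fc >> 2) & 0x3,          # 2 == data frame
        "to_ds": bool(fc & 0x0100),       # flags live in the high byte
        "from_ds": bool(fc & 0x0200),
        "retry": bool(fc & 0x0800),
        "addr1": a1, "addr2": a2, "addr3": a3,
        "seq": seq_ctl >> 4,              # 12-bit sequence number
        "frag": seq_ctl & 0xF,
    }

def find_spoofed_ap_frames(frames, bssid, max_gap=64):
    """Indices of frames claiming the AP as transmitter whose sequence number
    does not follow the AP's own monotonically increasing (mod 4096) counter."""
    last_seq, suspicious = None, []
    for i, raw in enumerate(frames):
        h = parse_dot11_header(raw)
        if h["type"] != 2 or not h["from_ds"] or h["addr2"] != bssid or h["retry"]:
            continue  # only fresh data frames "transmitted by" the AP
        if last_seq is not None:
            delta = (h["seq"] - last_seq) % 4096
            if delta == 0 or delta > max_gap:
                suspicious.append(i)
                continue  # do not let a rogue frame move the tracked counter
        last_seq = h["seq"]
    return suspicious

def build_data_frame(addr1, addr2, addr3, seq, from_ds=True, to_ds=False):
    """Construct a minimal 802.11 data frame (type=2, subtype=0) for the demo."""
    fc = 0x0008 | (0x0200 if from_ds else 0) | (0x0100 if to_ds else 0)
    return struct.pack("<HH6s6s6sH", fc, 0, addr1, addr2, addr3, (seq << 4) & 0xFFFF) + b"payload"

# Constructed capture: genuine AP traffic, then one injected "from the AP" frame.
SAMPLE_FRAMES = [
    build_data_frame(CLIENT, AP_BSSID, CLIENT, 100),                                  # AP -> client
    build_data_frame(AP_BSSID, CLIENT, AP_BSSID, 7, from_ds=False, to_ds=True),      # client -> AP
    build_data_frame(CLIENT, AP_BSSID, CLIENT, 101),                                  # AP -> client
    build_data_frame(CLIENT, AP_BSSID, CLIENT, 2000),                                 # injected, spoofing the AP
    build_data_frame(CLIENT, AP_BSSID, CLIENT, 102),                                  # genuine AP continues
]

if __name__ == "__main__":
    print("suspicious frame indices:", find_spoofed_ap_frames(SAMPLE_FRAMES, AP_BSSID))
```

The heuristic is a trade-off: a small `max_gap` catches injection faster but a real AP that serves many clients advances its counter quickly, so tune the window against a baseline capture of the AP's own traffic.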
Neat trick. Unfortunately wifitap hasn’t been maintained in years, and even though it’s included in Backtrack 5r3, it took a good bit of work to make it go. In the interest of being good open-source netizens, we’re sharing an updated version that should work on modern distros over here:
We might even manage to keep it up to date.
Lastly, you might be thinking: “Sure, open and WEP networks are insecure, but WPA2 fixed all these issues, right?”.
Well, not so much:
Now where did I leave my Faraday cage?