RSS Feed
« Exploiting the Pizza Thief | Main | Using Content Security Policy to Prevent Cross-Site Scripting (XSS) »

Resurrecting Wifitap

Security technology and common sense are not always 100% compatible.  

We recently encountered Cisco Wireless Client Isolation, a simple technology that prevents wireless clients from communicating with each other, used as a security control on an open wireless network. Handy sounding technology that, except for one small problem … how do you prevent radio transceivers from communicating with each other?

As the deployment didn’t actually involve putting every wireless client into a Faraday cage and plugging them into Ethernet, we had to demonstrate why this setup was not exactly secure…

Which brings us to wifitap, a set of very clever tools by Cédric Blancher that bridges a Linux tun/tap device with a WiFi interface in monitor mode, and allows you to communicate directly with wireless clients without associating with an Access Point (AP).

The way 802.11 is supposed to work, an AP mediates all communication on the network, which means that in theory technology like Cisco Client Isolation would work great:


However, in reality 802.11 is … well … wireless. There’s no way to dictate exactly who sends what to whom in a wireless network, notwithstanding carefully designed encryption or some highly directional antenna design. To exploit this, wifitap reads packets from victim to AP using a WiFi transceiver in monitor mode, and simply injects responses to those packets as if they came from the AP.


Neat trick. Unfortunately wifitap hasn’t been maintained in years, and even though it’s included in Backtrack 5r3, it took a good bit of work to make it go. In the interest of being good open-source netizens, we’re sharing an updated version that should work on modern distros over here:

We might even manage to keep it up to date.

Lastly, you might be thinking: “Sure, open and WEP networks are insecure, but WPA2 fixed all these issues, right?”. 

Well, not so much: 

Now where did I leave my Faraday cage?

Reader Comments (2)

There is a tool in the aircrack-ng suite called airtun-ng that does the same thing but also supports WEP and a tool also in aircrack-ng called tkiptun-ng that does that for WPA1. If you wished to implement this attack on WPA2 there is as you mentioned the hole 196 attack but there is also a interesting attack that seems to only work on windows 7 and possibly windows 8 that uses broadcast MAC addresses that seems like it would be interesting.
March 11, 2013 | Unregistered CommenterJethro Inwald
I kinda hate to necro this post, but here goes.

With the recent NSA revelations and whatnot, I had a crazy thought. Since a google for anything related to wifitap turns up this page first, I'll ask here.

Wouldn't wifitap make you essentially invisible to anyone trying to track a connection?

That is, a traceroute, etc is going to trace back to either the router, or at most (if someone gets the router logs) to the client on the WLAN that wifitap is spoofing, right? There's no way to trace it past that, no? In other words, anything you do whilst using wifitap is, as far as any logs can tell, done by the poor bastard you're spoofing, not you, right?

As a followup, how exactly does Hole196 work with this? I mean, if your goal is merely privacy rather than trying to actually breach any system on the network, how does Hole196 help? It appears it'd be useless for this purpose.

Either way, if for example I'm at the local cafe and it's using WPA2 but the key (PSK) is printed on all the napkin holders, is there any reason straight up wifitap couldn't use it? Does wifitap need extra software (aside from wpasupplicant, of course) to use a WPA2 WLAN where the key is known?

Just a few dumb questions. But if this could work, does this not completely and totally negate any form of tracking? I mean not counting machine-based stuff (cookies, etc) it seems like this would provide pretty simple anonymity.
July 8, 2014 | Unregistered CommenterChuck

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
All HTML will be escaped. Hyperlinks will be created for URLs automatically.