WLAN Tools

WLAN Software Tools for Windows

NetStumbler

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

Verify that your network is set up the way you intended.
Find locations with poor coverage in your WLAN.
Detect other networks that may be causing interference on your network.
Detect unauthorized "rogue" access points in your workplace.
Help aim directional antennas for long-haul WLAN links.
Use it recreationally for WarDriving.

StumbVerter is a standalone application which allows you to import Network Stumbler's summary files into Microsoft's MapPoint 2004 maps. The logged WAPs will be shown with small icons, their colour and shape relating to WEP mode and signal strength.

As the AP icons are created as MapPoint pushpins, the balloons contain other information, such as MAC address, signal strength, mode, etc. This balloon can also be used to write down useful information about the AP.

KNSgem

KNSGEM converts (in batch) Netstumbler NS1 files into a format that can be access in Google Earth. See an example of Ontario Street East in Montreal.

APTools

APTools is a utility that queries ARP Tables and Content-Addressable Memory (CAM) for MAC Address ranges associated with 802.11b Access Points. It will also utilize Cisco Discovery Protocol (CDP) if available. If an Access Point that is web managed is identified, the security configuration of the Access Point is audited via HTML parsing.

WLAN Software Tools for Unix

AirSnort

AirSnort is a wireless LAN (WLAN) tool which cracks encryption keys on 802.11b WEP networks. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

Kismet

Kismet is an 802.11 Layer 2 wireless network detector, sniffer, and Intrusion Detection System. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and infering the presence of nonbeaconing networks via data traffic.

Airsnarf

Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public WLAN hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots--snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.

Hotspotter

Hotspotter passively monitors WLAN networks for probe request frames to identify the preferred networks of Windows XP clients, and will compare it to a supplied list of common hotspot network names. If the probed network name matches a common hotspot name, Hotspotter will act as an access point to allow the client to authenticate and associate. Once associated, Hotspotter can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim.

BSD-Airtools

bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a bsd-based wep cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based ap detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned ap's and view statistics for each. It also includes a couple other tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.

WaveStumbler

WaveStumbler is console based 802.11 network mapper for Linux.

WEPCrack

WEPCrack is a tool that cracks 802.11 WEP encryption keys by exploiting the weaknesses of RC4 key scheduling.

AirFart

AirFart is a wireless tool created to detect WLAN devices, calculate their signal strengths, and present them to the user in an easy-to-understand fashion. It is written in C/C++ with a GTK front end. Airfart supports all wireless network cards supported by the linux-wlan-ng Prism2 driver that provide hardware signal strength information in the "raw signal" format (ssi_type 3). Airfart implements a modular n-tier architecture with the data collection at the bottom tier and a graphical user interface at the top.

AirTraf

AirTraf is one of the first wireless 802.11(b) network analyzers. With the growth of interest in wireless networks, network administrators of today are faced with a challenge. The challenge is to effectively deploy numerous access points within their organization to provide wireless coverage for all users, and at the same time make sure that everyone who is granted access is able to operate in a fast, robust network environment.

AirTraf is a 100% passive packet sniffing tool for the wireless 802.11b networks. It captures and tracks all wireless activity in the coverage area, decodes packets, and maintains acquired information associated by access points, as well as detected individual wireless nodes. It dynamically detects any access points in the area, finds association between wireless clients and access points, and builds information table for each packet that is transmitted via the air. AirTraf is able to maintain packet count, byte information, related bandwidth, as well as signal strength of nodes.

And best of all, its open-source, and distributed under the GPL. Other comparable products that perform wireless network analysis price their products above $10,000 (such as Sniffer Wireless), and is limited to single-licenses of copy, while AirTraf can be installed at any detection location you choose, enabled to run in (Server Mode), and polled periodically via the polling server to retrieve active wireless data from multiple stations at once, resulting in consolidation of wireless information over your entire organization into a single point of access (database), and able to be administered via a web interface, visualizing your wireless network performance in a single glance. At absolutely no cost to you, or your organization.

However, AirTraf is still a work in progress, meaning much of planned features, such as injecting packets into the network to test Access Point security, are not available yet. But it is constantly being worked on, and soon it will prove to be a critical tool in managing healthy wireless networks in the future.

AP Hunter

AP Hunter (Access Point Hunter) can find and automatically connect to whatever wireless network is within range. AP Hunter can be used for site surveys, writing the results in a file.

AP Radar

AP Radar (Access Point Radar) is a Linux/GTK+ based graphical netstumbler and wireless profile manager. This project makes use of the version 14 wireless extensions in linux 2.4.20 and 2.6 to provide access point scanning capabilities for most models of wireless cards. It is meant to replace the manual process of running iwconfig and dhclient. It makes reconfiguring for different wireless access points quick and easy.

Mognet

Mognet is a simple, lightweight 802.11b sniffer written in Java and available under the GPL. It features realtime capture output, support for all 802.11b generic and frame-specific headers, easy display of frame contents in hex or ascii, text mode capture for GUI-less devices, and loading/saving capture sessions in libpcap format.

PrismStumbler

Prismstumbler is a wireless LAN (WLAN) discovery tool which scans for beaconframes from accesspoints. Prismstumbler operates by constantly switching channels and monitors any frames recived on the currently selected channel.

Prismstumbler is designed to be a flexible tool to find as much information about wireless LAN installations as possible. It comes with an easy to use GTK2 frontend and is small enough to fit on a small portable system. Because of its client-sever architecture the scanner engine may be used for different frontends. An example for this is gpe-aerial, a wireless LAN access tool for GPE.

The current GTK user interface is designed to work on large PC screens as well as on PDA displays. Prismstumbler uses an embedded SQL database to store network information. It is also able to create networks lists in GPSdrive format and store captured packages to pcap dump files.

THC WarDrive

THC-WarDrive is a tool for mapping your city for wavelan networks with a GPS device while you are driving a car or walking through the streets. It is effective and flexible, a "must-download" for all wavelan nerds.

WLANnd

WLANnd is a wirelesss network detection tool that is written in C and is aiming for flexibility and clean easy to understand code. WLANnd currently only supports Prism2 based cards using the wlan-ng drive.

Wifi-Scanner

Wifi-Scanner is a tool that has been designed to discover wireless nodes (i.e access point and wireless clients). It is distributed under the GPL License.

WiFi-Scanner will work with Cisco cards and prism cards with the hostap driver or wlan-ng driver.

An IDS (Intrusion Detection System) is integrated into Wifi-Scanner to detect anomalies like MAC usurpation.

WaveMon

wavemon is a ncurses-based monitor for wireless devices. It allows you to watch the signal and noise levels, packet statistics, device configuration, and network parameters of your wireless network hardware.

WPM (Wireless Power Meter)

WPM (Wireless Power Meter) is intended to give you a nice signal strength meter for analyzing your wireless connection, and facilitate setting up point-to-point links.

asleap

asleap exploits weaknesses in Cisco's LEAP protocol. Specifically, asleap:

Recovers weak LEAP passwords.

Can read live from any wireless interface in RFMON mode.
Can monitor a single channel, or perform channel hopping to look for targets.
Will actively deauthenticate users on LEAP networks, forcing them to reauthenticate. This makes the capture of LEAP passwords very fast.
Will only deauth users who have not already been seen, doesn't waste time on users who are not running LEAP.
Can read from stored libpcap files, or AiroPeek NX files (1.X or 2.X files).
Uses a dynamic database table and index to make lookups on large files very fast. Reduces the worst-case search time to .0015% as opposed to lookups in a flat file.
Can write *just* the LEAP exchange information to a libpcap file. This could be used to capture LEAP credentials with a device short on disk space (like an iPaq), and then process the LEAP credentials stored in the libpcap file on a system with more storage resources.

anwrap

anwrap.pl is a wrapper for ancontrol that serves as a Dictionary attack tool against LEAP enabled Cisco Wireless Networks. anwrap traverses a user list and password list attempting authentication and logging the results to a file. anrwap really wrecks havoc on RADIUS calls to NT networks that have lockout policies in place, you have been warned. Tweak the Timeouts, a lengthy LEAP timeout on the Cisco side could make for a very boring afternoon. anwrap was designed to audit authentication strengths before deploying LEAP in a production environment.

WAP Attack

WepAttack is a WLAN open source Linux tool for breaking 802.11 WEP keys. This tool is based on an active dictionary attack that tests millions of words to find the right key. Only one packet is required to start an attack.

WEPWedgie

WEPWedgie is a toolkit for determining 802.11 WEP keystreams and injecting traffic with known keystreams. The toolkit also includes logic for firewall rule mapping, pingscanning, and portscanning via the injection channel and a cellular modem.

AirJack

AirJack is a device driver (or suite of device drivers) for 802.11(a/b/g) raw frame injection and reception. It is meant as a development tool for all manor of 802.11 applications that need to access the raw protocol.

Fake AP

Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.

macfld

macfld tool utilizes the Linux wireless extensions to generate and set random MAC addresses on a Cisco or patched Lucent (drivers) NIC, eventually filling up the association ID table on a wireless bridge. The IEEE 802.11 specification identifies a max value of 2007 concurrent associations to an IBSS access point, but does not discuss what to do when the AID table is full. I have found that ~250 concurrent associations will cause an access point to restart.

void11

ivoid11 is a free implementation of basic 802.11 attacks:

deauth (Network DOS) (flood wireless networks with deauthentication packets and spoofed BSSID; authenticated stations will drop their network connections)
auth (Accesspoint DOS) (flood accesspoints with authentication packets and random stations addresses; some accesspoints will deny any service after some flooding)
- Apple Airport aka "UFO" died after ~60sec flooding for about 15 minutes
- Lucent OR1000 survived with minor problems
- OpenBSD 3.1/3.2 HostAP freezed after some flooding
- Linux HostAP driver survived ;-) (max. 1023 authenticated stations)

Wireless Access point Utilities for Unix

Wireless Access Point Utilites for Unix is a set of WLAN utilities to configure and monitor Wireless Access Points under Unix using SNMP protocol. Wireless Access Point Utilities compiles by GCC and IBM C compiler and runs under Linux, FreeBSD, NetBSD, MacOS-X, AIX, QNX, OpenBSD.

AP Hopper

AP Hopper is a program that automatically hops between access points of different wireless networks. It checks for DHCP and Internet Access on all the networks found. It logs successful and unsuccessful attempts.

APTools

gpsd

gpsd is a daemon that listens to a GPS or Loran receiver and translates the positional data into a simplified format that can be more easily used by other programs, like chart plotters. The package comes with a sample client that plots the location of the currently visible GPS satellites (if available) and a speedometer. It can also use DGPS/ip.

GpsDrive

GpsDrive is a car (bike, ship, plane) navigation system. GpsDrive displays your position provided from your NMEA capable GPS receiver on a zoomable map, the map file is autoselected depending of the position and prefered scale. Speech output is supported if the "festival" software is running. The maps are autoselected for best resolution depending of your position and can be downloaded from Internet. All Garmin GPS reveiver with a serial output should be usable, also other GPS receiver which supports NMEA protocol.

airpwn

Airpwn is a tool for generic packet injection on an 802.11 network.

airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content.

WLAN Software Tools for Mac OS

MacStumbler.

MacStumbler is a utility to display information about nearby 802.11b and 802.11g wireless access points. It is mainly designed to be a tool to help find access points while traveling, or to diagnose wireless network problems. Additionally, MacStumbler can be used for "wardriving", which involves co-ordinating with a GPS unit while traveling around to help produce a map of all access points in a given area.

KisMAC

KisMAC is a free stumbler application for MacOS X, that puts your card into the monitor mode. Unlike most other applications for OS X we are completely invisible and send no probe requests. KisMAC supports third party PCMCIA cards with Orinoco and PrismII chipsets, as well as Cisco Aironet cards.