IMPORTANT: As of June 21, 2023, this guide is no longer supported. For the current version of this guide, see beSTORM Fuzzing Wi-Fi Devices Guide (13.1.0 or later).


Overview


This guide explains how to fuzz Wi-Fi devices with beSTORM. 


Required hardware


To perform Wi-Fi fuzzing in beSTORM, purchase and install a wireless device on your computer that supports "promiscuous" mode for Wi-Fi packet injection. Currently, the only known device that supports this functionality is the Riverbed AirPcap NX USB-based adapter.


Note: As of December 31, 2017, Riverbed no longer manufactures the Riverbed AirPcap NX USB adapter. 


How beSTORM fuzzes Wi-Fi devices


Fuzzing is performed by injecting malformed Wi-Fi packets into an existing communication between a live access point and the target wireless device. beSTORM uses the IEEE802.11 (AP) module to perform attacks on a wireless device in a non-encrypted environment (currently, WEP or WPA is not supported). 


Set up an access point


Set up an access point with DHCP enabled (internet access is not required) on an open network (disable WEP or WPA encryption). Take note of the SSID and the channel in use by the access point.


To test the access point, connect to it from the computer where beSTORM is installed, and then ping the IP address of the access point.


Once your ping is successful, connect the target wireless device to the access point.

 

Monitoring the wireless device


If you have the ability to run software on the target wireless device, the Windows monitor or GDB monitor are ideal methods to monitor for failure. However, the most compatible method is to ping the wireless device.  If Internet Control Message Protocol (ICMP) pinging over Wi-Fi is unsuccessful, this indicates the client's Wi-Fi stack stopped working which shows a potential weakness.


Verify monitoring works by pinging the target wireless device from the beSTORM computer, using the ping command in the Windows Command Prompt. For example: 


>ping 192.168.0.0


If you receive a response the monitoring will work with ICMP.


Note: Since Wi-Fi packets are injected by beSTORM wirelessly, other wireless devices can potentially be attacked since some of the packets are sent to a broadcast address and picked up by all wireless devices. It is recommended to use a robust access point device as it will receive and process all packets since the SSID matches (for example, a high-end wireless access point or a computer running access point software on a supported Linux or Windows operating system).


How to configure and start the fuzzing test


To configure and start fuzzing your wireless device:

  1. Open beSTORM Client.
  2. Select New Project.
  3. On the Welcome page, enter a name in Project Name.
  4. Leave the Location to the default setting.
  5. Select Simple for the wizard level.
  6. Leave the Perform a port scan, and service detection and assist me in choosing the relevant module check box disabled.
  7. Select Next.
  8. In the beSTORM's predefine modules list, select IEEE802.11 (AP - Simple).
    Note: If the Unable to fine any capture / injection devices, has WinPcap been installed? (Npcap doesn't support WiFI) dialog box appears, confirm the Riverbed AirPcap NX USB-based adapter (see the Required hardware section of this guide) is correctly installed.
  9. Select Next
  10. On the Module Environment screen, confirm or set the following:
    1. 802.11 Transmitting Channel: The channel set for your access point.
    2. Default SSID value - The SSID set for your access point.
    3. Interface Name - The location of the AirPCap network interface.
    4. BSS ID - Sometimes the MAC address of the access point.
    5. Source address - The MAC address of the access point. This test will spoof the access point's MAC address to inject packets into the communication between the access point and the wireless device. You can double-click on the Value box for Source address to open the MAC Address Finder dialog box; a useful tool for locating a device's MAC address. 
    6. Destination address - This is the MAC address of the target wireless device. You can double-click on the Value box for Source address to open the MAC Address Finder dialog box; a useful tool for locating a device's MAC address. 
  11. Select Next
  12. On the Extra Configuration screen, under Monitor Type(s), select ICMP Echo and disable ARP Echo and UDP Echo.
  13. In the Monitored IP address box, enter the wireless device's IP address.
  14. Select Next.
  15. Select Finish to complete the wizard.
  16. Ensure the wireless device is connected to the access point, and you can ping both the access point and the target wireless device from the beSTORM computer. 
  17. You can now start the fuzzing test. The test will run until the ICMP Echo fails, which indicates the Wi-Fi stack had a problem.


beSTORM API support

 

The following API calls access the interface for a Wi-FI packet injection-based wireless device:

  • AirpcapSetDeviceChannel - Receives an AirPcap handle and an unsigned int for the channel.
  • pcap_open, pcap_sendpacket, and pcap_close - Subsequent calls to the interface.
  • pcap_get_airpcap_handle - Queries the pcap opened interface for its AirPcap interface.
  • AirpcapSetFcsPresence - Sets the FCS value for the interface to TRUE (Frame check sequence).
  • AirpcapSetLinkType - Sets the AirPcap interface to support low level packet sending AIRPCAP_LT_802_11.


API calls 

 

The following is an example of performing the above API calls from the beSTORM module (open > set channel > send > close):

  1. Open the device:
    pcap_open
    pcap_get_airpcap_handle
    AirpcapSetFcsPresence
    AirpcapSetLinkType 
  2. Set the channel: AirpcapSetDeviceChannel 
  3. Send the fuzzed packet: pcap_sendpacket
  4. Close the device: pcap_close