Good morning everyone, and thank you for waiting through all the technical problems and getting up before the crack of noon to come listen to this talk. The title of it is "Zulu: A Command Line Wireless Frame Injector." There were two people that wrote this tool: myself, Damon McCoy, and Anmol Sheth. Unfortunately, I couldn't talk Anmol into coming down to Vegas. He's up in Berkeley working this summer. When I asked him to come and have a fun time in Vegas, he said he was a little bit nervous about the people that come to these kinds of things. I said, "But I come to these things," and he said, "Exactly, that's my point." So you're stuck just listening to me and not some guy with a cool Indian accent. He also asked that all email be directed to me, something about his visa and worrying about it.

Okay, so the whole point of this talk is basically to get you to download the Zulu tool, play with it, mess around, break it, and tell me what the bugs are so I can fix them. So for anyone that doesn't need any convincing yet, there's a SourceForge project, zulu-wireless.sourceforge.net. You can just go ahead and download it and play with it while I'm talking. For those of you that aren't convinced yet to download it, or are too scared to connect to the DEF CON wireless network, you can listen to the rest of the talk.

So the first question that you'll be asking yourself: what the hell is Zulu good for? The easy answer is that it's used to inject custom frames into an 802.11 network. Uses for this: you could probe that network for security holes, possibly. If you had some kind of device that was acting up, this might be a good tool to debug it with. Okay, those are the quasi-legitimate uses. You could also use this tool probably to launch a deauth or disassociation attack, or you could launch some kind of association attack to flood the access point fairly easily with this tool. You could also use it probably to test wireless device drivers. So now that you know the motivations, what exactly is this tool?
I've said that it can inject custom frames, but what the hell does that mean? Basically, this tool allows you to set and unset most fields within an 802.11 wireless frame. That is the whole point of this tool: I wanted it to be incredibly configurable. Right now it has about 20-plus documented command line options. There are a few more that are undocumented and less tested, so you can look at the source code to find out what those are. Currently it works on Linux with the MadWifi drivers fairly stably. There's also been some testing on the Prism2 drivers, so it works kind of with those; you have to compile it with a special command flag. Also, as a pitch, it includes some code from the LORCON project, which some of you might be familiar with, to help with setting the channel and the ESSID.

When I wrote this tool I wanted to have a goal in mind for it, so that it didn't get cluttered up and become this useless heap of buggy garbage that some tools become. So when I set out to write this tool, my number one vision is that everything that I did had to be easy to use. I didn't want anything where you needed to bust out your definitive wireless guidebook to look at framing for the 802.11 specifications. So that was my number one goal in everything: it's got to be easy to use. I would equate this tool to hping; I don't know how many of you are familiar with hping. Yeah, quite a few of you. So that was built to inject packets into TCP, to basically turn on flags and stuff, and that was kind of my inspiration for building this tool: to model it off of hping. Other things that I had in mind: I didn't want you to have to type in two billion command line options just to generate a stupid frame. So I wanted there to be as few required command line options as possible, and then just sane defaults for everything that you didn't specify.
So that was again in the easy-to-use vein. But I also didn't want to cripple it. I didn't want to make it so that you said, "Damn, I wish I could set this field, but this tool can't do it." So I wanted to make sure that basically any field within a wireless frame, you could set that value to whatever you wanted. Also, I didn't want there to be any programming skills required. I wanted it to be usable by any network debugger. And also, I wanted it to work with unmodified drivers. With some tools in the past, you've had to apply patches to your drivers and stuff to get them to inject frames, and I wanted it to just work right out of the box. Again, easy to use.

A quick review: at the top, you can see there's essentially two required options, which are all that are required to run this tool: the -t option, and you provide it with the type of frame. This can be a probe request frame, it could be a data frame, it could be an RTS or CTS frame. It supports any frame within the 802.11 specification except for the control ACKs, since those are controlled by the firmware of the card; most drivers won't allow you to send those. Looking down, it has tons of optional parameters. You can set the source and destination MAC of the frame. You can tell it how many of these frames you want to spit out, if you want to do deauth attacks and stuff like that. You can specify the delay, so you can send out one packet and then wait a little bit and then send out the other frames that you want to send out. The -d, I mean the -w option will, like, oh, okay, I've been babbling for too long. That'll allow you to set the WEP frame and stuff like that. I'm gonna have to race through this.

So I was thinking, since it's kind of a sales pitch for you to download this tool, that this would be the slogan for Zulu. Then I wanted to have a cool flash animation, so this might be an attack scenario. Thank you, thank you. So now let me just run through some really quick examples. This was the tool run.
I provided it with an interface, the MadWifi interface, and I told it to generate an association request, and then it filled in all these default parameters. You can see it set the SSID to Zulu. It set all the flags to zero. It set the duration to zero. It set the destination address to the broadcast address. It has a default source address and everything. So with two parameters it generated the frame just fine. A little bit more complicated example: you could toss in the -s and the -d. You can see from the Ethereal dump it set those fields correctly. Getting a little bit more fancy, in this one I kicked in the -p option, which, if you look at the flags, turned on the power management option. I kicked on the sequence number, so I overwrote the sequence number. This, on the MadWifi drivers, caused it... I also had to set the retry bit, or else the firmware itself will overwrite the sequence number. So if it's a retry thing, you can specify the sequence number; if it's not, the tool automatically took care of that. It set the retry bit without you asking it to. And I set the SSID.

Really quick again, you might say there's a boatload of these tools; what's so special about this tool? So file2air was a tool that worked with the Prism2 chipset. You basically laid out the frame in a file and it would just send it to the air. Again, with our tool you don't have to read the 802.11 specification and get everything correct. libwlan and libradiate were both programming tools; ours is supposed to be a command line tool, no programming knowledge required. AirJack and FakeAP had limited injection capabilities, not as flexible as our tool, probably. airbase is an interesting one, and the author of that is going to be speaking on Sunday. It basically allows you to replay pcap files, and he might have some other tricks up his sleeve that he's going to reveal in his talk.

Future work.
We want to just make it more robust, do more testing, stuff like that, so it can compile on your toaster. Okay, if I've convinced you, download it now. The address is again zulu-wireless.sourceforge.net. If you download it within the next five minutes I'll throw in the free Ginsu knives.

Quick acknowledgments. I'd definitely like to thank Joshua Wright and dragorn for writing the LORCON tools. They rock for helping people write these kinds of tools. There's an address for the current tarball that they have. I'd like to thank my advisor for actually letting me do this talk, and I'd like to thank a member of our lab, Kevin Bauer, for compiling this thing on every Linux distro that I've ever heard of. Thank you very much. Any questions?

Yes, there's actually a mode that isn't per se a frame type, but it's just what we call the junk mode, and in that mode you can send it whatever random string you want.

Yeah, totally, you could script this thing just to iterate through every possible value of that field.

Johnny Cache. He's the one that released the wireless exploits for OS X. Oh, excuse me, it's today. Okay, must have gotten moved.
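As an added illustration (not part of the talk and not Zulu's own code), the following Python decoder performs the field-by-field check the speaker did with an Ethereal dump: it reads the frame control type and subtype, the retry, power-management and WEP bits, the three addresses, the sequence number and the SSID element out of a raw 802.11 frame. The sample frame and its source MAC are constructed values, not a real capture.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 4: "probe-req", 10: "disassoc", 12: "deauth"}
FIXED_LEN = {0: 4, 4: 0, 10: 2, 12: 2}  # bytes of fixed fields before the IEs, per subtype

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_80211(frame):
    """Decode the 802.11 MAC header of a captured frame: frame control bits, flags,
    addresses, sequence control and, for management frames, the SSID element."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    out = {
        "type": TYPES.get(ftype, "reserved"),
        "subtype": MGMT_SUBTYPES.get(subtype, subtype) if ftype == 0 else subtype,
        "retry": bool(flags & 0x08),       # must be set on MadWifi to keep a custom seq number
        "power_mgmt": bool(flags & 0x10),  # what the -p option turns on
        "protected": bool(flags & 0x40),   # the WEP bit
        "duration": duration,
    }
    if ftype == 1:  # control frames (RTS/CTS/ACK) carry only the receiver address here
        out["addr1"] = mac(frame[4:10])
        return out
    a1, a2, a3, seq = struct.unpack_from("<6s6s6sH", frame, 4)
    out.update(addr1=mac(a1), addr2=mac(a2), addr3=mac(a3),
               seq_num=seq >> 4, frag_num=seq & 0xF)
    if ftype == 0:
        body = frame[24 + FIXED_LEN.get(subtype, 0):]
        while len(body) >= 2:  # walk the (id, length, value) information elements
            eid, elen = body[0], body[1]
            if eid == 0:  # element id 0 is the SSID
                out["ssid"] = body[2:2 + elen].decode("ascii", "replace")
                break
            body = body[2 + elen:]
    return out

# Constructed sample (not a real capture): an association request to the broadcast
# address from an assumed source MAC, with the retry and power-management bits set,
# sequence number 1234 and SSID "zulu", i.e. the fields the talk's examples set.
SAMPLE = (struct.pack("<HH", 0x18 << 8, 0)      # type 0 / subtype 0, flags 0x18
          + bytes.fromhex("ffffffffffff")         # addr1: destination
          + bytes.fromhex("00c0ca112233")         # addr2: source (assumed value)
          + bytes.fromhex("ffffffffffff")         # addr3: BSSID
          + struct.pack("<H", 1234 << 4)          # sequence 1234, fragment 0
          + struct.pack("<HH", 0x0001, 10)        # capability info, listen interval
          + bytes([0, 4]) + b"zulu")              # SSID information element
```

Running `parse_80211(SAMPLE)` shows whether each option the talk describes actually landed in the frame; the same decoder applied to sniffed frames is a simple way to count deauth or disassociation subtypes on a network.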