
Wifi


Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE – Embedi.

Introduction and motivation. How a wireless device works and starts up. In general, there are two main categories of Wi-Fi dongles: FullMAC and SoftMAC. Both of them need a firmware image, which must be uploaded every time the device starts up. The device manufacturer supplies the firmware images and the operating-system device drivers, so during startup the driver can upload the firmware that enables the main functionality of the Wi-Fi SoC. The picture below illustrates the process. The main difference between SoftMAC and FullMAC dongles lies in their firmware functionality. Obviously, the attack surface of FullMAC dongles is far wider, so these devices are of greater interest to us.

Interaction between Wi-Fi SoC and driver. We prefer to think of commands as an API implemented by the firmware.

Firmware analysis. As described earlier, the Marvell Avastar Wi-Fi chipset family uses firmware files, which host most of the device functionality. Static firmware file analysis. Hunting for bugs.

Effective radiated power. An alternate parameter that measures the same thing is effective (or equivalent) isotropic radiated power (EIRP). Effective isotropic radiated power is the total power that would have to be radiated by a hypothetical isotropic antenna to give the same signal strength as the actual source in the direction of the antenna's strongest beam.

The difference between EIRP and ERP is that ERP compares the actual antenna to a half-wave dipole antenna, while EIRP compares it to a theoretical isotropic antenna. Since a half-wave dipole antenna has a gain of 1.64, or 2.15 decibels, compared to an isotropic radiator, if ERP and EIRP are expressed in watts their relation is If they are expressed in decibels

Definitions. The difference between ERP and EIRP is that antenna gain has traditionally been measured in two different units, comparing the antenna to two different standard antennas: an isotropic antenna and a half-wave dipole antenna. The decibel gain relative to a dipole (dBd) is given by .

Alfa AWUS036NH 802.11n WIRELESS-N USB Wi-Fi adapter, 2 watt. The Alfa AWUS036NH is an 802.11n wireless USB adapter with a maximum output power of 2000 mW. It is a single-band (2.4 GHz) 802.11n adapter with maximum transfer speeds of 150 megabits per second (Mbps). This is for one brand new (in retail box) AWUS036NH wireless adapter with USB cable, driver CD, and 5 dBi gain antenna.

The AWUS036NH hooks up to any computer that has a USB port and one of the compatible operating systems listed below. It gives you a longer range than your existing wireless card. Compatibility: this item works with Microsoft Windows XP, Vista, Windows 7, 8, 8.1 and Windows 10. Windows 10 drivers may not be included on the CD-ROM and can be downloaded here.
- Compatible with IEEE 802.11n, 802.11b/g/n wireless standards
- 2.4 GHz frequency band, MIMO (Multiple Input Multiple Output)
- Supports wireless data encryption with 64/128-bit WEP, WPA, WPA2, TKIP, AES
- IEEE 802.11b/g/n standard
- USB 2.0 standard
- Up to 150 Mbps for 802.11n connections
- Frequency range: 2.412~2.483 GHz

GitHub - vk496/reaver-wps-fork-t6x. Introducing a new way to crack WPS: Option p with an Arbitrary String · t6x/reaver-wps-fork-t6x Wiki. We are very happy to present the improved argument -p. `-p, --pin=<wps pin> Use the specified pin (may be arbitrary string or 4/8 digit WPS pin)` It can be used against access points that do not follow the WPS checksum on the last digit of the PIN. For example, D-Link used 22222222 as a default PIN in some devices. It is not a "legitimate" WPS PIN.

BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# nvram show | grep wps_device_pin
size: 2659 bytes (30109 left)
wps_device_pin=
#

As you can see, the variable wps_device_pin is declared but not defined.

The screenshot below shows that sending a PIN for a brute force does not lead anywhere against this AP. The Pixie Dust attack is pointless too. But if I send a blank PIN, I crack the device in 2 seconds! Thanks to binarymaster for proposing and coding this exciting new feature (see #133)!

GitHub - t6x/reaver-wps-fork-t6x at Big_endian. Install reaver v1.6.1 null "pin" on Wifi PineApple Nano - WiFi Pineapple NANO - Hak5 Forums. Reaver wps key no nacks.

Beamforming: The Best WiFi You’ve Never Seen: Open-Mouthed Amazement. You should have seen my wife’s face when she found me glued to the Victoria’s Secret Fashion Show.

“No, honey, come here!” I said, my face aglow with the bikini-clad pixels of Tyra and Heidi Klum. “You’ve got to see this!” Arms crossed. Pursed lips. I pointed at the laptop on the counter in front of me. “Mm-hmm.” “Now turn around.” My wife looked at the screens, looked back to me, and shrugged. She walked away and slammed the front door. This was my first experience with beamforming, something I’d only seen vague mention of on long-term WiMAX roadmaps. Interested?

Why Your Wi-Fi Sucks And How It Can Be Helped, Part 1 - Please Power Down. “All you bloggers need to turn off your base stations,” an increasingly annoyed Steve Jobs told the crowd at the June 2010 iPhone 4 demo. “If you want to see the demos, shut off your laptops, turn off all these MiFi base stations, and put them on the floor, please.” In a crowd of 5000 people, roughly 500 Wi-Fi devices were active.

It was the wireless apocalypse, and not even a fleet of Silicon Valley’s finest backstage engineers could do a thing about it. If this example of 802.11 extremity sounds inapplicable to your everyday world, refer back to August 2009, when Tom’s Hardware took its first look at Ruckus Wireless's beamforming technology in Beamforming: The Best WiFi You’ve Never Seen. In that story, we introduced the concepts of beamforming and examined some competitive test results in a big office environment. As enlightening as this was at the time, there is clearly much more of the tale to be told. What was going on here?