|
Post by m3m0r3x on Feb 4, 2016 12:04:20 GMT
Hi Xtr4nge,
How are you?
I have a quick question. Is there any possibility to prevent some MAC or allow only specified MACs to associate with Karma? Is there a file on the filesystem? In the Web GUI I can't find such a config.
Regards
mem
|
|
|
Post by xtr4nge on Feb 4, 2016 15:39:21 GMT
Hi m3m0r3x, Yes, the new AP module (v1.1) has filters for MACs and SSIDs. You also need to upgrade Karma and Mana modules.
There are new functionalities in AP module: Picker, Scatter and Polite ( I will write some documentation as soon as I can )
Please notice that FruityWiFi has been updated to v2.3
regards,
|
|
|
Post by m3m0r3x on Feb 4, 2016 17:24:58 GMT
Hi xtr4nge,
thanks for your quick reply. Yes, I read about FruityWiFi 2.3 on Twitter. But I am not sure if I damage all my configs while updating from git. But I try it on this weekend and backup my Raspberry SD by dd to an image file. I am really curious about the new functionalities.
Best regards
mem
|
|
|
Post by xtr4nge on Feb 4, 2016 17:54:54 GMT
Hi m3m0r3x,
If you are using v2.2, you can do a diff to just replace the new files. Another alternative is to do a backup of the modules folder and, after installing v2.3, replace the modules folder with your backup.
regards,
|
|
|
Post by m3m0r3x on Feb 5, 2016 20:31:06 GMT
Hi xtr4nge,
thanks for the hint. It works great so far. Tomorrow I will test some of the modules, but I think they work well. I have already tried the white- and blacklisting of MAC. Blacklisting works great. But I need just the other way. So I switched to whitelisting. Unfortunately this doesn't work. FruityWiFi even sends out no SSIDs. Have I to configure something else?
regards
mem
|
|
|
Post by m3m0r3x on Feb 22, 2016 14:03:31 GMT
Hi @ all,
I have already tried black-/whitelisting of MACs in the new Version 2.4 of FruityWifi. Unfortunately only None filtering and Blacklist filtering work fine. I have a set of 7 devices whose MAC addresses are given to the filtering list. If "filter station" is set to none in the AP module, it works as expected. Every client will connect to mana. If I set it to blacklist, it works, too. All clients connect to karma except the clients in the filtering list. For demo purposes I need to connect only those clients in the filtering list. But this does not work. When I start up karma in whitelist mode, I even get no SSIDs from karma to which the device can connect. Have I done something wrong on configuring the AP module?
Thanx 4 help
greetings
mem
|
|
|
Post by calippo on Feb 22, 2016 22:17:11 GMT
This was my point about documentation! :-) Although people are able to understand how modules work... most of the time there are misunderstandings on properly setting them up.
|
|
|
Post by calippo on Feb 22, 2016 22:20:57 GMT
Of course by reading each module's PHP sources I would fully understand where the issues and misunderstandings are... But at this point the main benefit of using FruityWiFi (i.e. comfortable and time-saving GUI for pentesters) would be missing. :-)
|
|
|
Post by xtr4nge on Feb 23, 2016 8:59:15 GMT
Hi m3m0r3x,
I hope you are well, sorry for the delay in my response.
Blacklist and Whitelist is kind of tricky, and there is not too much information about it =/
You can interact with the hostapd client directly from the command line to test it and also to modify on the fly what you are trying to achieve.
If you are using mana: /usr/share/fruitywifi/www/modules/mana/includes/hostapd_cli
If you are using karma: /usr/share/fruitywifi/www/modules/karma/includes/hostapd_cli
As soon as you have Karma or Mana enabled, you can use the hostapd client (for each version); -h will show you the options available.
The options that you are looking for are:
karma_black
karma_white
karma_add_black_mac
karma_add_white_mac
Please note that not all the options from Karma are present in Mana.
regards,
|
|
|
Post by m3m0r3x on Feb 23, 2016 11:33:59 GMT
EDIT: Ok, I have reinstalled FruityWifi + modules. Now I have those options. I have to check if it works. But I think so.
Hi xtr4nge,
I'm fine, thanks. Hope you're well, too. Thanks for the reply. I tried as you posted. I activated AP and Karma. When I entered the directory and checked the help from hostapd_cli I can't find some of those options or something similar. Here is the output:
pi@raspberrypi /usr/share/fruitywifi/www/modules/karma/includes $ sudo hostapd_cli -h
hostapd_cli v1.0
Copyright (c) 2004-2012, Jouni Malinen <j@w1.fi> and contributors
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
                   [-G<ping interval>] [command..]
Options:
  -h           help (show this usage text)
  -v           shown version information
  -p<path>     path to find control sockets (default: /var/run/hostapd)
  -a<file>     run in daemon mode executing the action file based on events from hostapd
  -B           run a daemon in the background
  -i<ifname>   Interface to listen on (default: first interface found in the socket path)
Commands:
  mib                  get MIB variables (dot1x, dot11, radius)
  sta <addr>           get MIB variables for one station
  all_sta              get MIB variables for all stations
  new_sta <addr>       add a new station
  deauthenticate <addr>  deauthenticate a station
  disassociate <addr>  disassociate a station
  sa_query <addr>      send SA Query to a station
  wps_pin <uuid> <pin> [timeout] [addr]  add WPS Enrollee PIN
  wps_check_pin <PIN>  verify PIN checksum
  wps_pbc              indicate button pushed to initiate PBC
  wps_ap_pin <cmd> [params..]  enable/disable AP PIN
  wps_config <SSID> <auth> <encr> <key>  configure AP
  get_config           show current configuration
  help                 show this usage help
  interface [ifname]   show interfaces/select interface
  level <debug level>  change debug level
  license              show full hostapd_cli license
  quit                 exit hostapd_cli
Perhaps I have to reinstall the module?
regards,
|
|
|
Post by xtr4nge on Feb 23, 2016 13:13:54 GMT
Hi m3m0r3x,
I'm fine, thanks.
You should use:
/usr/share/fruitywifi/www/modules/karma/includes/hostapd_cli
or from the includes folder:
./hostapd_cli
The way that you are executing it, it is using the default hostapd_cli.
regards,
|
|
|
Post by m3m0r3x on Feb 23, 2016 16:06:38 GMT
Hi xtr4nge,
thank you. Of course that was my mistake (./hostapd_cli). But I have now experimented a bit. But here I have the same issue like in the web GUI. I set a device as "karma_white_mac" and another device as "karma_black_mac". Without changing the state of karma it works like expected. Both devices connect to karma. When setting up "karma_black" the device in the blacklist can't connect to Karma. The other device can connect. In both modes I get the list of spoofed probe responses (I can see all the SSIDs that shouldn't be there :-) ).
But when I do exactly the same with karma_white I get no SSIDs from karma. Neither on the blacklisted device nor on the whitelisted device.
As mentioned above I will do a demo with FruityWifi. For this I will just have a set of demo devices which will connect to it. I will prevent that some devices from the audience will connect to it. Do you have an idea how I can solve this?
regards,
|
|
|
Post by xtr4nge on Feb 24, 2016 10:24:15 GMT
Hi m3m0r3x,
You can add the following lines into the hostapd.conf and hostapd-secure.conf files. (I included the comments for reference but they are not required.) I'm planning to add these to the AP module soon, but for the moment, you can add the lines manually into the config files.
# Station MAC address -based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=atheros.
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing list of
# MAC addresses, one per line). Use absolute path name to make sure that the
# files can be read on SIGHUP configuration reloads.
deny_mac_file=/usr/share/fruitywifi/conf/hostapd.deny
accept_mac_file=/usr/share/fruitywifi/conf/hostapd.accept
Please note that there are multiple hostapd config files:
[AP] hostapd:
/usr/share/fruitywifi/conf/hostapd.conf
/usr/share/fruitywifi/conf/hostapd-secure.conf
[AP] hostapd-karma:
/usr/share/fruitywifi/www/modules/karma/includes/conf/hostapd.conf
/usr/share/fruitywifi/www/modules/karma/includes/conf/hostapd-secure.conf
[AP] hostapd-mana:
/usr/share/fruitywifi/www/modules/mana/includes/conf/hostapd.conf
/usr/share/fruitywifi/www/modules/mana/includes/conf/hostapd-secure.conf
and also you need to create these files if you want to use different lists (add the MACs to allow or deny):
/usr/share/fruitywifi/conf/hostapd.deny
/usr/share/fruitywifi/conf/hostapd.accept
if you want to use the AP filter list (stations), you can use the following combinations:
Blacklist
macaddr_acl=0
deny_mac_file=/usr/share/fruitywifi/conf/pool-station.conf
#accept_mac_file=/usr/share/fruitywifi/conf/pool-station.conf
Whitelist
macaddr_acl=1
#deny_mac_file=/usr/share/fruitywifi/conf/pool-station.conf
accept_mac_file=/usr/share/fruitywifi/conf/pool-station.conf
regards,
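A pre-flight check for the whitelist setup in the post above, so that only listed demo devices can associate (an added example, not code from this thread or from FruityWiFi). The `files` dict stands in for the filesystem and the sample MACs are constructed; the checker accepts only colon-separated MAC entries.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
MODES = {"0": "blacklist", "1": "whitelist", "2": "radius"}
POOL = "/usr/share/fruitywifi/conf/pool-station.conf"  # path from the post

def parse_conf(text):
    """Active key=value directives; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_mac_list(text):
    """Split a one-MAC-per-line list into (valid, invalid) entries."""
    valid, invalid = [], []
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            mac = entry.split()[0].lower()
            (valid if MAC_RE.match(mac) else invalid).append(mac)
    return valid, invalid

def check_acl(conf_text, files):
    """files maps path -> list contents (stands in for the filesystem)."""
    conf = parse_conf(conf_text)
    mode = MODES.get(conf.get("macaddr_acl", "0"), "unknown")
    key = "accept_mac_file" if mode == "whitelist" else "deny_mac_file"
    path, problems = conf.get(key), []
    if path is None:
        return mode, (["accept_mac_file is not active"] if mode == "whitelist" else [])
    if not path.startswith("/"):
        problems.append(f"{key} should be an absolute path")
    if path not in files:
        return mode, problems + [f"{path} not found"]
    valid, invalid = parse_mac_list(files[path])
    problems += [f"invalid MAC entry: {m}" for m in invalid]
    if mode == "whitelist" and not valid:
        problems.append("whitelist has no valid MAC: nobody can associate")
    return mode, problems

# Constructed samples: directives run together on one line vs. one per line.
FLATTENED = f"macaddr_acl=1\n#deny_mac_file={POOL} accept_mac_file={POOL}\n"
CORRECT = f"macaddr_acl=1\n#deny_mac_file={POOL}\naccept_mac_file={POOL}\n"
STATIONS = {POOL: "# demo devices (constructed)\n02:00:00:00:00:01\n02-00-00-00-00-02\n"}
```

`check_acl(FLATTENED, STATIONS)` reports that the accept list is not active because the directive sits on a commented line, while `check_acl(CORRECT, STATIONS)` flags only the dash-separated entry.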
|
|
|
Post by m3m0r3x on Feb 24, 2016 12:25:58 GMT
Hi xtr4nge,
thank you very much for your effort. That is exactly what I need. After my first and short test, the modification works fine. Later I will do some deeper tests.
I think you have a copy & paste failure in the Karma and Mana paths. The config files are in:
[AP] hostapd-karma:
/usr/share/fruitywifi/www/modules/karma/includes/conf/hostapd.conf
/usr/share/fruitywifi/www/modules/karma/includes/conf/hostapd-secure.conf
[AP] hostapd-mana:
/usr/share/fruitywifi/www/modules/mana/includes/conf/hostapd.conf
/usr/share/fruitywifi/www/modules/mana/includes/conf/hostapd-secure.conf
I have just mentioned it for users who want to implement this feature, too.
Thanks again for your help.
regards
mem
|
|
|
Post by xtr4nge on Feb 24, 2016 12:55:43 GMT
Hi m3m0r3x,
No problem at all.
Haha, cool, thanks. I fixed it in the previous post.
regards,
|
|