WifiZoo v1.3 is out! This is the latest version. What's new?
What is WifiZoo?
WifiZoo is a tool to gather wifi information passively. I wanted to do something wifi-related that is somewhat helpful in wifi pentesting, and I did this just to have fun after I discovered 'Ferret' from Errata Security. I know neither Ferret nor WifiZoo does anything spectacular, but I thought the idea was fun/useful anyway.
I basically wanted something that I could run and try by itself to get info from open wifi networks (and possibly encrypted ones also in the future, at least with WEP :)) without joining any network, and covering all wifi channels, and this is what I came up with so far. It's written in Python, I can modify it easily, and it fulfills its not-very-ambitious purpose. Kudos to scapy for doing pretty much all the packet parsing for me (scapy is great).
WifiZoo does the following:
-gathers bssid->ssid information from beacons and probe responses *(now the graph contains the ssid of the bssid :), new in v1.1)*
-gathers the list of unique SSIDs found in probe requests (you can keep track of all the SSIDs machines around you are probing for, and use this information in further attacks) *new in v1.1*
-gathers the list and graphs which SSIDs are being probed from what sources *new in v1.1*
-gathers bssid->clients information and outputs it to a file that you can later use with graphviz to get a "802.11 bssids->clients" graph. It gathers both src and dst addresses of packets to make the list of clients, so sometimes you get weird graphs that are fun to analyze :) (basically because I still need to omit multicast dst addresses and things like that). Using the dst address means that sometimes you get MAC addresses of wifi devices that are not near you, but I think it gives you information about the wifi 'infrastructure', again, I think :).
-gathers 'useful' information from unencrypted wifi traffic (a la Ferret, dsniff, etc.): pop3 credentials, smtp traffic, http cookies/auth info, msn messages, ftp credentials, telnet network traffic, nbt, etc.
-and I think that's it.
And remember... WifiZoo is work in progress...
Channel Hopping
WifiZoo just listens on a wifi interface and will not do channel hopping by itself (this is something inside the huge TODO list the tool has). Right now I do channel hopping using Kismet, weird perhaps, but it works:
-Configure Kismet to do channel hopping
-run kismet
-run wifizoo and wait
For example, you can customize how Kismet does channel hopping through the kismet.conf file by modifying the following options:
channelhop
channelvelocity
channeldwell
defaultchannels
sourcechannels
You can configure how much time to spend on each channel, which channels to hop through, etc.
What do you need to run WifiZoo?
-python
-scapy
-kismet if you want to do channel hopping (although you can probably come up with a script instead of installing kismet just to do channel hopping)
-logs are stored in ./logs/, make sure this directory is created before running the tool :).
TODO
Mmm, lots of things TODO. You'll notice.
Wifi bssids->clients graphs
This is perhaps the most fun, because everyone loves graphs, right?
The bssid->clients file is stored in ./logs/clients.log; to generate the graph do:
dot -Tpng -oclients.png clients.log
clients.png will be the file with the graph.
Here's an example:
The bssids are at the top (the APs, supposedly), and the ones below are the clients. This includes src and dst addresses.
You'll notice that some 'clients' appear to belong to different bssids. Usually these are MAC addresses obtained from the dst field of packets; perhaps my logic to come up with this graph is totally wrong (which is possible :)), or perhaps it is the fact that I still need to omit multicast dst addresses and things like that when storing the bssid->client relationship :), or the packets observed have src=bssid and the dst is a common node between the APs, etc. :). The 'multicast dst addresses' thing is the most predominant.
Graph of probe requests ssid->srcs
This graph shows you what SSIDs are being probed from what SRCs:
Log files
WifiZoo generates the following log files:
-clients.log
-ssids.log
-probereq.log
-http.log
-httpauth.log
-cookies.log
-pop3.log
-pop3_creds.log
-smtp.log
-msn.log
-nbtdgm.log
-nbtns.log
-ftp.log
-telnet.log
Examples:
ssids.log
00:XX:XX:f1:XX:XX -> default (ch:11)
00:XX:XX:18:XX:XX -> Fugazzeta (ch:11)
00:XX:XX:2f:XX:XX -> Empanada (ch:11)
cookies.log
--------------------------------------------------------------------------------
WHEN: 2007-09-06 22:46:34.885886
SRC: bssid=00:XX:XX:XX:XX:XX (Empanada) src=00:XX:XX:5d:XX:XX dst=00:XX:XX:96:XX:XX
TCP: 192.168.1.100.4772 -> XX.XX.XX.19.80
GET /mail/im/offline_ltblue1.gif HTTP/1.1^M
Host: mail.google.com^M
COOKIE: Cookie: GV=asdadadaadasde1064e0ec7b63ede43e3b8fe78c4; __utma=asdada123123d.17a220249.1174999652.18908094520.118789798142.168; __utmz=81231372373.1171897823652.1.1.utmccn=(referral)|utmcsr=mail.google.com|utmcct=/mail/|utmcmd=referral; gmailchat=somemail@gmail.com/111111; GMAIL_AT=74c1313132s215a-112989S8e9; GMAIL_SU=1; rememberme=false; PREF=ID=1983019390123f:TM=115190381209331:LM=1181983912313:GM=1:S=ivIUA*)(A*SD()O; testcookie=; S=gmail=0a8d9a8d0a9da809sRghcI_ydasdQ:gmail_yj=s9XZNradadasd1FJa67bA:gmproxy=gfPgadasdaddrg:gmproxy_yj=P9809809rCFsddo:gmproxy_yj_sub=_NOfCF_N_cI; SID=DAAa9a98989897d98a7d98a798adXi6xADsYS; TZ=180; GMAIL_HELP=hosted:0^M
--------------------------------------------------------------------------------
msn.log
WHEN: 2007-09-07 16:03:39.247290
SRC: channel 4
SRC: bssid=00:0X:XX:3b:XX:XX () src=00:XX:XX:3a:XX:17 dst=XX:XX:2e:XX:XX:f4
TCP: 207.XX.XX.XX.1863 -> 10.1.1.23.1373
MSG somemail@hotmail.com :MySuperFancyAlias^M
MIME-Version: 1.0^M
Content-Type: text/x-msmsgscontrol^M
TypingUser: somemail@hotmail.com^M
^M
^M
MSG somemail@hotmail.com@hotmail.com :MySuperFancyAlias 135^M
MIME-Version: 1.0^M
Content-Type: text/plain; charset=UTF-8^M
X-MMS-IM-Format: FN=Century%20Gothic; EF=B; CO=800000; CS=0; PF=22^M
^M
yess, this is my message!
WifiZoo Web GUI
Starting from v1.2, WifiZoo has a web interface listening on 127.0.0.1:8000; it's not web2.0 but it works :).
From the web interface you can get information about the data collected; some data is more 'digested' than other, but you get the idea.
(note: please remember that although I'm HTML encoding stuff, WifiZoo is basically displaying in a browser what it gets from the 'air', so be careful... I did not spend too much time on the 'html encoding' part...)
Now, instead of calling 'dot' yourself to do the graphs, the web interface does it for you. It is not the greatest thing in the world but it is more user friendly/convenient... :)
You also have a small 'stats' window (this web page auto-refreshes every 5 seconds) where you get the number of packets captured for each of the protocols 'handled' by WifiZoo. This is just useful to know when new data is available without doing a 'tail -f' on the log files :). A lot more can be done in this respect, we will get there...
v1.3 changed the way AP info is displayed: the 'vendor' (according to the MAC address) and the number of clients of each AP are displayed on the same screen, and if you click on each AP's BSSID you'll be redirected to a page containing info about the clients of that AP.
When the cookies are displayed, each captured cookie is displayed as a link. When you click on the link, a new window opens: the cookie is set on the WifiZoo Proxy running on localhost:8080. If you set your browser to use the WifiZoo Proxy and then click on the 'Jump to...' link, the proxy will include the cookie in your request, and hopefully this will do the 'magic' (a la ferret/hamster) and you'll be able to access a gmail account or any other web app where the cookie you captured is used as an authentication token (if the cookie has not expired, etc. etc.).
I tested this feature with gmail and it works, and also with some other random web sites. The feature needs to be improved but it is working; if you want to improve it yourself, you have the source code available! :)
One thing to have in mind when clicking on the 'jump to' link to use the cookie:
Remember that, currently, the 'jump' is made to an IP address. Sometimes web servers have multiple virtual directories or they just require the HTTP request to have the right 'Host:' header; if you just go to http://<ip_address> the web server might not like it, because you need to use the correct FQDN.
In order to address this issue, WifiZoo tries to store, along with the cookie, the address:port of src and destination, also the headers of the HTTP request ('Host:' for example) and the request (the GET/POST with the full URL), as an attempt to collect information that will tell the tool which domain name the 'jump' has to be made to. This information sometimes can also be extracted from the cookie (e.g. from the domain= part). But currently it does not add it automatically to the 'jump to' link; the 'jump' link just goes to 'http://ipaddress'. (All the code to do it is actually there, but I just have to kind of glue it together; it will be there for the next version :))
This means that sometimes you need to, before clicking on the cookie, take a look at the data around the cookie, the logged data, looking for the domain name, the URL, or something that will tell you the right FQDN to use.
Also, sometimes using the IP address alone works just fine.
For example, when capturing gmail cookies, if you just click on the 'jump to' link it will redirect you to google.com instead of gmail.com, so you need to click on the cookie to set the cookie, and then use the browser window opened up by WifiZoo to go manually to www.gmail.com instead of clicking on the 'jump to' link (or click on the 'jump to...' link and then go to www.gmail.com, it's the same :)).
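The feature list and the clients.log graph above describe what WifiZoo pulls out of beacons, probe requests/responses and data frames. The Python below is an added example, not WifiZoo's own code (which relies on scapy): it does that bookkeeping without scapy on a few constructed raw 802.11 frames, assumes the frames arrive without a radiotap header, and also applies the multicast-destination filter the author says is still missing, so group addresses never show up as clients.

```python
from collections import defaultdict

def _hdr(fc0, fc1, a1, a2, a3):  # 24-byte 802.11 MAC header; duration and sequence fields zeroed
    return bytes([fc0, fc1, 0, 0]) + a1 + a2 + a3 + b"\x00\x00"

def _ie(tag, value):  # tagged parameter: tag, length, value (tag 0 = SSID, tag 3 = DS Parameter Set)
    return bytes([tag, len(value)]) + value

# Constructed sample MAC addresses and frames (not real captures).
AP1, AP2 = bytes.fromhex("00aa11f10102"), bytes.fromhex("00aa11180203")
STA, BCAST, MCAST = bytes.fromhex("00bb225d0304"), b"\xff" * 6, bytes.fromhex("01005e000001")
FRAMES = [
    _hdr(0x80, 0, BCAST, AP1, AP1) + b"\x00" * 12 + _ie(0, b"default") + _ie(3, b"\x0b"),  # beacon, channel 11
    _hdr(0x40, 0, BCAST, STA, BCAST) + _ie(0, b"Fugazzeta"),                                # probe request
    _hdr(0x50, 0, STA, AP2, AP2) + b"\x00" * 12 + _ie(0, b"Empanada") + _ie(3, b"\x06"),    # probe response
    _hdr(0x08, 1, AP1, STA, BCAST),   # data frame, ToDS=1: addr1 is the bssid, addr2 the client
    _hdr(0x08, 2, MCAST, AP1, STA),   # data frame, FromDS=1 to a multicast dst: must not become a "client"
]

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_ies(body):  # {tag: value} from the tag/len/value list that follows the fixed fields
    ies, i = {}, 0
    while i + 2 <= len(body):
        ies[body[i]] = body[i + 2:i + 2 + body[i + 1]]
        i += 2 + body[i + 1]
    return ies

def summarize(frames):
    ssids, probes, clients = {}, defaultdict(set), defaultdict(set)
    for f in (x for x in frames if len(x) >= 24):  # anything shorter than a 3-address header is junk
        ftype, subtype, to_ds, from_ds = (f[0] >> 2) & 3, f[0] >> 4, f[1] & 1, (f[1] >> 1) & 1
        a1, a2, a3 = f[4:10], f[10:16], f[16:22]
        if ftype == 0 and subtype in (5, 8):        # probe response / beacon: 12 fixed bytes, then IEs
            ies = parse_ies(f[36:])
            ssids[mac(a3)] = (ies.get(0, b"").decode(errors="replace"), ies[3][0] if ies.get(3) else None)
        elif ftype == 0 and subtype == 4:           # probe request: which SSID is this station looking for?
            ssid = parse_ies(f[24:]).get(0, b"").decode(errors="replace")
            if ssid:                                # empty SSID = broadcast probe, nothing to record
                probes[ssid].add(mac(a2))
        elif ftype == 2 and to_ds != from_ds:       # data frame: ToDS/FromDS say which address is the bssid
            bssid, client = (a1, a2) if to_ds else (a2, a1)
            if not client[0] & 1:                   # skip group (multicast/broadcast) addresses
                clients[mac(bssid)].add(mac(client))
    return ssids, dict(probes), dict(clients)

def clients_dot(ssids, clients):  # graphviz source, the equivalent of feeding clients.log to dot
    edges = [(f"{b} ({ssids.get(b, ('?',))[0]})", c) for b, cs in sorted(clients.items()) for c in sorted(cs)]
    return "\n".join(["digraph clients {"] + [f'  "{a}" -> "{c}";' for a, c in edges] + ["}"])
```

Pipe the string returned by clients_dot into dot -Tpng to get the same kind of picture as the clients.log graph.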
Download
wifizoo_v1.0.tgz
wifizoo_v1.1.tgz
wifizoo_v1.2.tgz
wifizoo_v1.3.tgz
Feedback
Complaints to hernan[at]gmail.com