-----------------------------------------------------------
     Fake AP v0.3.2 - Proof of Concept - 03/30/2005
      Copyright (c) 2005 Black Alchemy Enterprises
-----------------------------------------------------------

0. Disclaimer
-------------
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

1. License
----------
Fake AP is provided under the GPL.  See the file COPYING for more 
information.

2. Intro
--------
Using features of the Host AP Driver for Intersil Prism2/2.5/3 
(http://hostap.epitest.fi), Fake AP rapidly generates 802.11b beacon
frames with random ESSID, BSSID (MAC), and channel assignments.  Wardriving
tools like Kismet or NetStumbler will see thousands of APs pop up on their
screens.  While more knowledgeable individuals will spot these fake APs 
for what they are, those with less clue will be generally befuddled and 
great comedy will ensue.  Fake AP can be used on its own, as part of a
wireless honeypot, or form a component of an 802.11b security architecture.  

Whatever you do, realize this is beta code at best and a simple proof
of concept.  Fake AP was written in 2 hours at DEFCON X and tested on the
chaos that was the DCX wireless network.

3. Requirements
---------------
You need a Linux machine with a Prism2/2.5/3 802.11b card with the 
Host AP Driver for Intersil Prism2/2.5/3 available from
http://hostap.epitest.fi.  As of 07/31/2002 you will need the CVS snapshot
of the driver to enable the MAC switching functionality.  The stable
version of the driver is untested.

4. Installation
---------------
  1. Compile the Host AP driver and get it running.
  2. Edit fakeap.pl to reflect your settings and paths.
  3. Run fakeap.pl as root with your favorite command line parameters.
  4. Have fun.

5. Usage
--------
By default, Fake AP will randomize some parameters.  It will use a small
internal list of ESSID names and a small list of MAC prefixes along with a
random channel.  Transmission power will default to card settings, and WEP
will not be used.

It's _much_ more fun if you use a big potential list of ESSID names 
and MAC prefixes.  We recommend /usr/dict/words or its equivalent 
(/usr/share/dict/words on RH7.3) for ESSIDs and the Ethereal list of 
MAC vendor prefixes found in the "manuf" file bundled with the
Ethereal distribution. 

Fake AP allows you to specify which parameters you would like to remain 
static.  This makes it much more useful.  See the command line below:

Usage: fakeap.pl --interface wlanX [--channel X] [--mac XX:XX...]
     [--essid NAME] [--words FILENAME] [--sleep N] [--vendors FILENAME]
     [--wep N] [--key KEY] [--power N]

     --channel X     Use static channel X
     --essid NAME    Use static ESSID NAME
     --mac XX:XX...  Use static MAC address XX:...
     --words FILE    Use FILE to create ESSIDs
     --sleep N       Sleep N sec between changes, default 0.25
     --vendor FILE   Use FILE to define vendor MAC prefixes
     --wep N         Use WEP with probability N where 0 < N <= 1
     --key KEY       Use KEY as the WEP key.  Passed raw to iwconfig
     --power N       Vary Tx power between 1 and N.  In milliwatts

The format of the words file is plain text one word per line.  The MAC vendor
file is plaintext one colon-separated MAC prefix per line as in:

XX:YY:ZZ  Some comment that's ignored
AA:BB:CC  Another comment that's ignored

...and so on.  Keep in mind that you don't want these files too big as they're
loaded into memory.

Consult the lists/ directory for vendor and word lists contributed by Fake AP
users.

Version 0.3 and up allow you to use WEP for added fun.  Supply Fake AP with
a number between 0 and 1 that indicates how often a WEP enabled access point
should be generated.  For example, 0.3 means generate a WEP enabled AP about
30% of the time.  

For extra control, you can optionally pass the --key parameter to define the 
WEP key you wish to use.  This is passed directly to iwconfig so 
check that manpage if you want more info on syntax.  FYI, --key really doesn't
have any effect since no data packets are being sent, but it's been included 
for completeness.

Also in 0.3, for cards that support it, is a new option to vary Tx power.  
Pass the maximum milliwatts your card can transmit to --power and Fake AP will
randomize the card's power settings for each ESSID/MAC/channel combo.  This
helps create the appearance that the generated access points are in different
locations.
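As an added illustration of the words-file and vendor-file formats described above and of the ESSID/MAC/channel/WEP/power randomization this section explains, the following Python is not part of the Fake AP distribution (which is a Perl script); it only builds the parameter set and never touches a card. The sample word and vendor lists are constructed, the 802.11b channel range 1-11 is an assumption (the README only says "random channel"), and the helper names are invented here. It also validates each generated MAC against the XX:XX:XX:XX:XX:XX form, which is the check the "Shortcomings" section suggests is missing when a malformed vendor line slips through.

```python
"""Load Fake AP-style word and vendor-prefix files and draw one randomized
AP parameter set, validating the resulting MAC.  Added example, not code
from the Fake AP distribution; file formats follow the README, everything
else (channel range, helper names) is an assumption."""
import random
import re

# Constructed sample inputs standing in for a words file and the Ethereal
# "manuf" vendor list.  The last two vendor lines are deliberately malformed
# and the last word is deliberately longer than an SSID may be.
SAMPLE_WORDS = "linksys\n\nhomenet\ncoffee shop\n" + "x" * 40 + "\n"
SAMPLE_VENDORS = """# comment lines and blank lines are ignored
00:00:0C  Cisco
00:40:96  Aironet

08:00:2   truncated prefix, must be skipped
ZZ:11:22  non-hex prefix, must be skipped
"""

# Three colon-separated hex octets at the start of a line; the rest of the
# line is a comment, exactly as the README describes the vendor file.
PREFIX_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2})\b")
FULL_MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def load_words(text):
    """One ESSID per line.  Blank lines and names over the 802.11 limit of
    32 octets are dropped rather than handed to iwconfig."""
    out = []
    for line in text.splitlines():
        word = line.strip()
        if word and len(word.encode("utf-8")) <= 32:
            out.append(word)
    return out


def load_vendor_prefixes(text):
    """Keep only lines that begin with a well-formed XX:YY:ZZ prefix.  Lines
    that do not are the likely source of the occasional invalid MAC that the
    README's Shortcomings section mentions ifconfig complaining about."""
    prefixes = []
    for line in text.splitlines():
        match = PREFIX_RE.match(line.strip())
        if match:
            prefixes.append(match.group(1).upper())
    return prefixes


def random_mac(prefix, rng):
    """Append three random octets to a vendor prefix."""
    tail = ":".join(f"{rng.randrange(256):02X}" for _ in range(3))
    return f"{prefix}:{tail}"


def pick_ap_params(words, prefixes, rng, wep_prob=0.0, max_power=None, static=None):
    """Draw one ESSID/BSSID/channel combo the way the README describes,
    honouring static overrides (--essid, --mac, --channel), a --wep
    probability and a --power ceiling in milliwatts."""
    static = static or {}
    if not 0.0 <= wep_prob <= 1.0:
        raise ValueError("wep_prob must be between 0 and 1")
    params = {
        "essid": static.get("essid") or rng.choice(words),
        "mac": static.get("mac") or random_mac(rng.choice(prefixes), rng),
        # Assumption: 802.11b channels 1-11; the README only says "random channel".
        "channel": static.get("channel") or rng.randint(1, 11),
        # --wep N: WEP-enabled AP with probability N (0.3 means about 30%).
        "wep": wep_prob > 0 and rng.random() < wep_prob,
        # --power N: vary Tx power between 1 and N milliwatts.
        "power": rng.randint(1, max_power) if max_power else None,
    }
    # Refuse to pass a malformed address on to ifconfig at all.
    if not FULL_MAC_RE.match(params["mac"]):
        raise ValueError(f"refusing to configure invalid MAC {params['mac']!r}")
    return params


if __name__ == "__main__":
    rng = random.Random(2005)
    words = load_words(SAMPLE_WORDS)
    prefixes = load_vendor_prefixes(SAMPLE_VENDORS)
    print("loaded", len(words), "ESSIDs and", len(prefixes), "vendor prefixes")
    for _ in range(3):
        print(pick_ap_params(words, prefixes, rng, wep_prob=0.3, max_power=30))
```

Running it prints three parameter sets; feeding the same seed reproduces them, which is handy when you want to reason about what a sniffer will have seen during a given run.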

6. Fun things to try
--------------------
  - Run two or more copies of Fake AP on different cards for that extra-
    special AP generation rate.
  - While running Fake AP, sniff for 802.11b probe requests/responses to find 
    NetStumbler users.
  - Perhaps you'd like to generate bogus beacons with the ESSID of your legit
    access point but with random MACs and channels.
  - Using the prism2_param utility that comes with the Host AP drivers, 
    decrease the beacon interval to generate beacons more frequently.  We've
    had good results with beacon_int=20-50.  Play around with beacon_int and 
    Fake AP's --sleep setting to find the maximum generation rate for your 
    setup.

7. Shortcomings
---------------
Every now and then Fake AP will generate an invalid MAC address.  ifconfig 
will complain but things will keep going fine.

More rarely than the above, iwconfig will occasionally give you a "No 
such IOCTL" or some other serious-looking error.  Most of the time, the card 
will reset without your intervention and things will pick up where they left 
off; sometimes, however, the card freezes.  We've found that the lights on our 
SMC cards cease to blink and stay solid when this happens.  Ejecting the card, 
re-inserting it, and restarting Fake AP seems to fix things just fine, but it 
might be different for you.

Your beacon interval and --sleep settings will determine how many beacons are
sent out for each mac/essid/channel combo.  Insufficient numbers of frames 
(1 or 2) seem to cause some tools (notably Kismet) to not report the channel.  
If this bugs you, make --sleep larger and your beacon interval smaller.

8. Todo
-------
This is only a quick hack but it makes one think...

- Using the Host AP driver is very sub-optimal.  Crafting beacon frames
  ourselves using something like libradiate would be much better and _so_
  much faster.  Check out http://www.packetfactory.net/projects/radiate/
- To act as a viable long-term honeypot, we need to generate fake traffic
  on our fake APs...  
- Generating the beacons directly would also allow us to craft other 
  "interesting" frames.  Make beacon generation a background thread
  coupled with a sniffer card that looks for Probe requests, Auth requests,
  or Association requests.  When we spot one of these, craft the appropriate
  response and send it out.  Unlimited fun!

9. The Guilty
-------------
Fake AP was written by Stuart Stock and Ken Beames of Black Alchemy 
Enterprises. Development was sponsored by the Black Alchemy Weapons Laboratory
and partially funded by a grant from the Black Alchemy Philanthropic 
Foundation, a non-profit non-organization.

We would like to thank all of the folks we met at DCX who talked shop with us
and got a big kick out of Fake AP.  We'd particularly like to thank Eric 
from Seattle Wireless who was very cool and gave us ideas and Stefan Puffer
who has provided on-going feedback and excellent suggestions.

stuart@blackalchemy.to
ken@blackalchemy.to
