#include <tx80211.h>
#include <tx80211_packet.h>

struct tx80211_cardlist *tx80211_getcardlist()
void tx80211_freecardlist(struct tx80211_cardlist *in_list)
int tx80211_getversion()
int tx80211_resolvecard(const char *in_str)
int tx80211_init(struct tx80211 *in_tx, const char *in_ifname, int in_injector)
char *tx80211_geterrstr(struct tx80211 *in_tx)
int tx80211_getcapabilities(struct tx80211 *in_tx)
int tx80211_open(struct tx80211 *in_tx)
int tx80211_setmode(struct tx80211 *in_tx, int in_mode) /* superseded */
int tx80211_getmode(struct tx80211 *in_tx)
int tx80211_setfunctionalmode(struct tx80211 *in_tx, int in_fmode)
int tx80211_setchannel(struct tx80211 *in_tx, int in_chan)
int tx80211_getchannel(struct tx80211 *in_tx)
int tx80211_txpacket(struct tx80211 *in_tx, struct tx80211_packet *in_packet)
int tx80211_close(struct tx80211 *in_tx)
LORCON - Loss Of Radio CONnectivity
The LORCON packet injection library provides a high-level interface to transmit IEEE 802.11 packets onto a wireless medium. Written for Linux systems, this architecture simplifies the development of 802.11 packet injection through an abstraction layer, making the development of auditing and assessment tools driver-independent. Using LORCON, developers can write tools that inject packets onto the wireless network without writing driver-specific code, simply by asking the user to identify the driver name they are currently using for a specified interface.
tx80211_getversion() is used to return the LORCON internal version, in the format YYYYMMRR (year-month-release#).
tx80211_getcardlist() is used to obtain a list of the wireless drivers supported by the LORCON architecture, with a driver description and capability information. This function allocates memory to populate a pointer of type tx80211_cardlist, returning NULL on error.
tx80211_freecardlist() is used to free the tx80211_cardlist pointer populated by tx80211_getcardlist(). in_list is the populated tx80211_cardlist pointer.
tx80211_resolvecard() is used to resolve the driver type being used from a specified string. in_str is a case-insensitive string (usually specified by the user on the command-line) describing the driver that they wish to use for packet injection. Supported driver names include:
tx80211_resolvecard() returns an integer value that uniquely identifies the driver based on the input string. Upon error, tx80211_resolvecard() will return INJ_NODRIVER.
NOTE: It is not recommended for developers to write code that relies on any given driver. Instead, developers should enumerate what capabilities are needed for their program, and examine the capabilities for the user's selected card and driver combination to determine if the required capabilities are present.
tx80211_init() is used to populate the in_tx structure with the driver-specific code needed for packet injection using the interface name (e.g. "wlan0") specified in the string in_ifname, and the driver type returned from tx80211_resolvecard() with in_injector. This function also establishes the function pointers contained in the in_tx structure and other components needed for packet injection.
tx80211_geterrstr() fetches the error string of the last failed operation, contained in the in_tx structure. tx80211_geterrstr() should only be called when an error is returned. Calling it extraneously may return older error data which is not relevant.
tx80211_getcapabilities() is used to resolve the capability information for the driver in use. Different wireless card and driver combinations present different capability information. LORCON provides the capability bitmask for each card so the driver can deduce what the current capabilities are of the given card to prevent writing driver-specific code. in_tx is the structure populated by the tx80211_init function. This function returns a bitmask value indicating the specific capabilities for this driver:
NOTE: The tx80211_getcardlist() call will also populate capability information in the tx80211_cardlist->capabilities[INDEX] field, where INDEX is the resolved card returned by tx80211_resolvecard().
tx80211_open() is used to open and bind a socket for packet transmission. in_tx is the structure populated by the tx80211_init function. It is necessary to call the tx80211_open() function before transmitting packets.
tx80211_setmode() is used to explicitly set the operating mode of the wireless card. in_tx is the structure populated by the tx80211_init function.
This function has been superseded by the tx80211_setfunctionalmode() function. Only use this function for explicitly setting the card mode, not to prepare the card for packet injection.
in_mode is the desired operating mode for the wireless card, as defined below:
tx80211_setmode() returns 0 on success, -1 on error.
tx80211_setfunctionalmode() is used to set the functional operating mode of the wireless card. in_tx is the structure populated by the tx80211_init function. in_fmode is the desired functional operating mode for the wireless card:
NOTE: For most packet injection uses, the TX80211_FUNCMODE_INJMON operating mode is the preferred operating mechanism.
NOTE 2: It is possible that on some cards one mode can perform multiple tasks (i.e. injection still works while in monitor mode); however, relying on this is not recommended, as it will not operate on all cards. The caller should always set the desired functional mode.
tx80211_getmode() is used to identify the current operating mode, returning the operating mode or -1 on error. in_tx is the structure populated by the tx80211_init function.
tx80211_setchannel() is used to set the card channel, returning 0 on success and -1 on error. in_tx is the structure populated by the tx80211_init function. in_chan is the desired channel number.
tx80211_getchannel() is used to identify the current channel number, returning the channel number or -1 on error. in_tx is the structure populated by the tx80211_init function.
tx80211_txpacket() is used to transmit a packet, returning the number of bytes transmitted on success. On error, TX80211_ENOTX is returned if no bytes were transmitted; TX80211_EPARTTX is returned if only a partial number of bytes were transmitted. in_tx is the structure populated by the tx80211_init function. in_packet is a structure consisting of two members:
tx80211_close() is used to close the socket opened for packet injection with the tx80211_open() function. in_tx is the structure populated by the tx80211_init function. The return value is zero on success, or -1 if an error occurred.
#include <stdio.h>
#include <sys/socket.h>
#include <tx80211.h>
#include <tx80211_packet.h>
#include <linux/wireless.h>

#define CHANNEL 11
#define IFACE "wlan0"

void usage(void)
{
    struct tx80211_cardlist *cardlist = NULL;
    int i;

    printf("Usage : txack [drivername]\n");
    cardlist = tx80211_getcardlist();
    if (cardlist == NULL) {
        fprintf(stderr, "Error accessing supported cardlist.\n");
    } else {
        printf("\nSupported drivers are: ");
        for (i = 1; i < cardlist->num_cards; i++) {
            printf("%s ", cardlist->cardnames[i]);
        }
        printf("\n");
        /* Only free the list when it was actually allocated */
        tx80211_freecardlist(cardlist);
    }
}

int main(int argc, char *argv[])
{
    /* ACK frame */
    unsigned char packet[10] = {
        0xd4, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x66, 0xe3, 0x76, 0x3b
    };
    struct tx80211 in_tx;
    struct tx80211_packet in_packet;
    int drivertype;

    if (argc < 2) {
        usage();
        return 0;
    }

    /* Use the command-line argument as the desired driver type */
    drivertype = tx80211_resolvecard(argv[1]);

    /* Validate the driver name specified */
    if (drivertype == INJ_NODRIVER) {
        fprintf(stderr, "Driver name not recognized.\n");
        return -1;
    }

    /* Initialize the in_tx structure using the resolved drivertype and
       interface name */
    if (tx80211_init(&in_tx, IFACE, drivertype) < 0) {
        fprintf(stderr, "Error initializing driver "
                "\"%s\".\n", argv[1]);
        return -1;
    }

    /* Check the capability of the card to ensure it supports
       transmitting control frames. */
    if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0) {
        fprintf(stderr, "Driver does not support transmitting "
                "control frames.\n");
        return -1;
    }

    /* Place the card in monitor mode */
    if (tx80211_setfunctionalmode(&in_tx, TX80211_FUNCMODE_INJMON) != 0) {
        fprintf(stderr, "Error setting monitor/inject mode: %s.\n",
                tx80211_geterrstr(&in_tx));
        return 1;
    }

    /* Switch to the specified channel */
    if (tx80211_setchannel(&in_tx, CHANNEL) < 0) {
        fprintf(stderr, "Error setting channel: %s.\n",
                tx80211_geterrstr(&in_tx));
        return 1;
    }

    /* Open the interface */
    if (tx80211_open(&in_tx) < 0) {
        fprintf(stderr, "Unable to open interface %s: %s.\n",
                in_tx.ifname, tx80211_geterrstr(&in_tx));
        return 1;
    }

    /* Initialize in_packet with the packet contents and the length of
       the packet */
    in_packet.packet = packet;
    in_packet.plen = sizeof(packet);

    /* Transmit the packet */
    if (tx80211_txpacket(&in_tx, &in_packet) < 0) {
        fprintf(stderr, "Unable to transmit packet: %s.\n",
                tx80211_geterrstr(&in_tx));
        return 1;
    }

    /* Close the socket after transmitting the packet */
    tx80211_close(&in_tx);
    return 0;
}
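
The packet[] array in the program above is a 10-byte ACK control frame, which is why the program checks TX80211_CAP_CTRL before transmitting. The parser below is an added illustration, not part of the original page or the LORCON distribution, that decodes those same bytes; struct ack_frame, parse_ack() and the DOT11_* names are hypothetical, and the layout assumed is the standard 802.11 frame control, duration and receiver address fields with no FCS.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of an 802.11 ACK control frame as handed to
   tx80211_txpacket(): 10 bytes, no FCS. Hypothetical helper type. */
struct ack_frame {
    unsigned version;   /* protocol version, frame control bits 0-1 */
    unsigned type;      /* 0 = management, 1 = control, 2 = data */
    unsigned subtype;   /* 13 = ACK when type is control */
    unsigned duration;  /* Duration/ID field, little-endian on the air */
    uint8_t  ra[6];     /* receiver address */
};

#define DOT11_TYPE_CTRL   1
#define DOT11_SUBTYPE_ACK 13
#define DOT11_ACK_LEN     10

/* Returns 0 on success, -1 if the buffer is not a well-formed ACK frame. */
int parse_ack(const uint8_t *buf, size_t len, struct ack_frame *out)
{
    if (buf == NULL || out == NULL || len != DOT11_ACK_LEN)
        return -1;
    out->version  = buf[0] & 0x03;
    out->type     = (buf[0] >> 2) & 0x03;
    out->subtype  = (buf[0] >> 4) & 0x0f;
    out->duration = (unsigned)buf[2] | ((unsigned)buf[3] << 8);
    memcpy(out->ra, buf + 4, 6);
    if (out->version != 0 || out->type != DOT11_TYPE_CTRL ||
        out->subtype != DOT11_SUBTYPE_ACK)
        return -1;
    return 0;
}

int main(void)
{
    /* Same bytes as the packet[] array in the example program above. */
    static const uint8_t packet[10] = {
        0xd4, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x66, 0xe3, 0x76, 0x3b
    };
    struct ack_frame f;
    if (parse_ack(packet, sizeof(packet), &f) != 0)
        return 1;
    printf("type=%u subtype=%u duration=%u ra=%02x:%02x:%02x:%02x:%02x:%02x\n",
           f.type, f.subtype, f.duration,
           f.ra[0], f.ra[1], f.ra[2], f.ra[3], f.ra[4], f.ra[5]);
    return 0;
}
```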
Joshua Wright <jwright@hasborg.com>
Mike Kershaw <dragorn@kismetwireless.net>