psp based mitm sniffer
I posted this on some other forums and was told to check here.
Would it be possible to write a non-promiscuous mode sniffer for the
PSP that simply captures all incoming packets, ie: intercept all incoming
pings.
Also, is it possible to craft ARP packets on the PSP?
My idea was to write a sniffer that uses ARP cache poisoning to create
a Man-In-The-Middle condition which would allow one to sniff packets
without using promiscuous mode.
Here is a link to the code I have written so far: http://intercon.ifastnet.com/files/main.c
And here is the sniffer it was based on:
http://hacktivist.net/index.php?page=sc ... scripts=41
Unfortunately, it is not capturing the incoming packets.
I have been looking up the sceIoIoctl function to see if this would help.
Does anyone know what I should try?
--download
well i don't know anything about what you've posted above, BUT, here's something you can look into...
take a look at psputility_netparam.h
would it be possible to make a call to
sceUtilitySetNetParam(int param, const void *val)
and pass PSP_NETPARAM_WEPKEY
I'm thinking you could generate WEP keys and brute force it until it connects... though there is no telling how long it may take to crack the WEP key. but I know the source for some key crackers is available (aircrack-ng)
let me know if you make any progress, interested in this myself!
just a thought
Libertas!
I've been looking for a libpcap like sniffer capability for the PSP myself. (As a user, not a coder)
dowload wrote:
It doesn't need to crack anything!
It's just supposed to capture already incoming packets.
For example: you ping the PSP and those ICMP echo request
packets show up in the sniffer logs.
THIS HAS NOTHING TO DO WITH WEP CRACKING!
From my research, it seems like the stopping block is the wireless NIC technology they used. There are no obvious hooks into the low-level capabilities of the NIC.
If you've got driver/linux kung fu ... you can try here http://wiki.laptop.org/go/Libertas ...
http://jylam.info/psp/dev.html wrote:
PSP uses two chips for wifi stuff :
* Marvell Libertas 88W8010 - RF Transceiver
* Marvell Libertas 88W8380 - ARM9 Processor
It handles 802.11b and g (11 and 54Mbps), WEP and AES encryption (not sure for AES).
Unfortunately, there is no GPL'd Linux driver for this. A big problem, I've absolutely no experience in wlan drivers coding, and it seems Marvell released no documentation at all about its chip.
Scroll down to links with some projects to reverse engineer libertas for various devices. I've looked at some of it but it is way out of my league.
Re: Libertas!
g/54Mbps?? erm don't think so.
mojojojo wrote:
http://jylam.info/psp/dev.html wrote:
...It handles 802.11b and g (11 and 54Mbps)...
Re: psp based mitm sniffer
Hm doesn't really work for me that URL. But i like the idea of a working psp sniffer. More to come?
dowload wrote: Here is a link to the code I have written so far: http://intercon.ifastnet.com/files/main.c
Edit:
Hm. Are there any other ways to hijack wifi connections more low level based than on ARP spoofing? I'm not that familiar with wifi so ...
http://monkey.org/~dugsong/dsniff/ should be a good starting point regarding arp spoofed packets. Maybe i got some more time later on to check code and try to figure out some things.
Hm. Unfortunately when i try to send something over raw socket i get the errno error #121 = Remote I/O error.
My arp packet looks something like that:
/*
router: 192.168.2.1 (00:03:C9:A8:70:D5)
laptop: 192.168.2.155 (00:01:36:0E:21:8E)
psp: 192.168.2.102 (00:01:4A:A8:D8:18)
*/
const char atob[] = "\x00\x01\x36\x0E\x21\x8E" /* ethernet destination (laptop) */
"\x00\x01\x4a\xa8\xd8\x18" /* ethernet source: myself (psp) */
"\x08\x06" /* type: ARP */
"\x00\x01" /* hardware type: ethernet */
"\x08\x00" /* prot. type: IP */
"\x06" /* hardware size: 6 */
"\x04" /* prot. size: 4 */
"\x00\x02" /* Opcode: reply */
"\x00\x01\x4a\xa8\xd8\x18" /* sender mac address (psp) */
"\xc0\xa8\x02\x01" /* sender ip address (router) */
"\x00\x01\x36\x0E\x21\x8e" /* target mac address (laptop) */
"\xc0\xa8\x02\x9b"; /* target ip address (laptop) */
const char btoa[] = "\x00\x03\xc9\xa8\x70\xd5" /* ethernet destination (router) */
"\x00\x01\x4a\xa8\xd8\x18" /* ethernet source: myself (psp) */
"\x08\x06" /* type: ARP */
"\x00\x01" /* hardware type: ethernet */
"\x08\x00" /* prot. type: IP */
"\x06" /* hardware size: 6 */
"\x04" /* prot. size: 4 */
"\x00\x02" /* Opcode: reply */
"\x00\x01\x4a\xa8\xd8\x18" /* sender mac address (psp) */
"\xc0\xa8\x02\x9b" /* sender ip address (laptop) */
"\x00\x03\xc9\xa8\x70\xd5" /* target mac address (router) */
"\xc0\xa8\x02\x01"; /* target ip address (router) */
No one working on this anymore
The links don't work, does anyone know what was the sniffer he used
This technique is very much possible on psp to capture packets and hopefully dump them into a cap file
Re: No one working on this anymore
This thread is two years old! Of course the links won't work.
Gaby_64 wrote:
The links don't work, does anyone know what was the sniffer he used
No I have no idea
Well which program would be the best to port that has arp spoofing capabilities and captures packets
Anyway here is a link to my current progress: http://psp.wijou.com/forum/index.php?showtopic=815
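Seen from the monitoring side, the ARP replies posted earlier in this thread stand out because they bind the router's IP to a MAC that differs from the known one. The sketch below is an added example, not code from any poster; the function names, the table size and the static gateway entry are assumptions, and the sample frame reuses the addresses given in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ARP_IGNORED, ARP_OK, ARP_SUSPICIOUS };
static struct binding { uint8_t ip[4], mac[6]; } table[32];
static int nbind;

/* Record an IP-to-MAC binding (statically trusted, or first seen on the wire). */
void arp_learn(const uint8_t *ip, const uint8_t *mac)
{
    if (nbind == 32) return;            /* table full: stop learning */
    memcpy(table[nbind].ip, ip, 4);
    memcpy(table[nbind].mac, mac, 6);
    nbind++;
}

/* Classify one Ethernet frame carrying IPv4-over-Ethernet ARP. */
int arp_check(const uint8_t *f, size_t len)
{
    if (len < 42 || f[12] != 0x08 || f[13] != 0x06 || f[18] != 6 || f[19] != 4)
        return ARP_IGNORED;
    const uint8_t *sha = f + 22, *spa = f + 28;   /* sender MAC, sender IP */
    int verdict = memcmp(f + 6, sha, 6) ? ARP_SUSPICIOUS : ARP_OK;
    int known = 0;
    for (int i = 0; i < nbind; i++) {
        int same_ip = !memcmp(table[i].ip, spa, 4);
        int same_mac = !memcmp(table[i].mac, sha, 6);
        if (same_ip && same_mac) known = 1;
        else if (same_ip || same_mac) verdict = ARP_SUSPICIOUS; /* conflict */
    }
    if (!known && verdict == ARP_OK) arp_learn(spa, sha);
    return verdict;
}

/* Sample frame built from the thread's addresses: 192.168.2.1 "is at" the PSP. */
static const uint8_t posted_reply[42] = {
    0x00,0x01,0x36,0x0e,0x21,0x8e, 0x00,0x01,0x4a,0xa8,0xd8,0x18, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 6, 4, 0x00,0x02, 0x00,0x01,0x4a,0xa8,0xd8,0x18,
    192,168,2,1, 0x00,0x01,0x36,0x0e,0x21,0x8e, 192,168,2,155 };
static const uint8_t router_ip[4] = {192,168,2,1};
static const uint8_t router_mac[6] = {0x00,0x03,0xc9,0xa8,0x70,0xd5};

int main(void)
{
    arp_learn(router_ip, router_mac);   /* assumed trusted gateway entry */
    printf("verdict=%d\n", arp_check(posted_reply, sizeof posted_reply));
}
```

Without the static gateway entry the first binding seen for an address is learned as-is, so the check is only as reliable as its first observation.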