pyRawCovert
===========

Author: Laurent Butti

This software is released under the GPL v2 licence, and thus is Open Source software.

Abstract
========

This tool is an enhancement of the Raw Covert tool that was released at ShmooCon 2006. It is a covert channel over the 802.11 protocol. It uses valid control frames (ACK) to carry the communication protocol. These frames are usually considered non-malicious and thus are not analyzed by most wireless IDS.

This tool enables full-duplex communication between two pyrawcovert instances.
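The IDS blind spot described above is the defender's concern. The following Python is an added example, not part of pyRawCovert (this README does not describe how the tool encodes data), and relies only on two properties of a standard 802.11 ACK: it is exactly 14 bytes long, and it is sent only in reply to a unicast frame, with its RA equal to that frame's transmitter address. It expects raw 802.11 frames with FCS and without a radiotap header; the sample frames are constructed, not captured.

```python
from collections import Counter

ACK_LEN = 14                 # FC(2) + Duration(2) + RA(6) + FCS(4): an 802.11 ACK is always 14 bytes
ACK_TYPE_SUBTYPE = (1, 13)   # Frame Control type 1 = control, subtype 13 = ACK

def frame_type(frame):
    """(type, subtype) decoded from the little-endian Frame Control field."""
    return (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF

def audit_acks(frames, max_unsolicited=2):
    """Report ACKs that are not the standard 14 bytes, and receiver addresses acknowledged
    more than `max_unsolicited` times without having just sent a unicast data/mgmt frame
    (a monitor that drops frames sees a few of these even on a clean network)."""
    findings, unsolicited, expected_ra = [], Counter(), None
    for idx, frame in enumerate(frames):
        if frame_type(frame) == ACK_TYPE_SUBTYPE:
            ra = frame[4:10].hex(":")
            if len(frame) != ACK_LEN:
                findings.append((idx, "nonstandard-length-ack", ra))
            if ra != expected_ra:
                unsolicited[ra] += 1
            expected_ra = None                      # one ACK per acknowledged frame
            continue
        # Data (2) / management (0) frames: Addr1 at 4..10, Addr2 (transmitter) at 10..16.
        # Only a unicast Addr1 (I/G bit clear) earns an ACK, and that ACK's RA is Addr2.
        if frame_type(frame)[0] in (0, 2) and not frame[4] & 1:
            expected_ra = frame[10:16].hex(":")
        else:
            expected_ra = None
    for ra, count in unsolicited.items():
        if count > max_unsolicited:
            findings.append((None, f"unsolicited-acks:{count}", ra))
    return findings    # [(frame_index_or_None, reason, receiver_address), ...]

# Constructed sample traffic (not a real capture), using locally administered MAC addresses.
def _mac(text): return bytes.fromhex(text.replace(":", ""))
STA_A, STA_B, STA_X = _mac("02:00:00:00:00:0a"), _mac("02:00:00:00:00:0b"), _mac("02:00:00:00:00:0c")

def data_frame(dst, src):
    # FC 0x0008 (data, subtype 0), Duration 0, Addr1=dst, Addr2=src, Addr3=src, Seq 0, body, FCS
    return b"\x08\x00\x00\x00" + dst + src + src + b"\x00\x00" + b"payload!" + b"\x00" * 4

def ack_frame(ra, extra=b""):
    # FC 0x00d4 (control, subtype 13 = ACK), Duration 0, RA, FCS; `extra` makes it non-standard
    return b"\xd4\x00\x00\x00" + ra + extra + b"\x00" * 4

SAMPLE_FRAMES = [
    data_frame(STA_B, STA_A), ack_frame(STA_A),            # legitimate exchange: B acknowledges A
    ack_frame(STA_X), ack_frame(STA_X), ack_frame(STA_X),  # X is acknowledged but never transmitted
    ack_frame(STA_X, b"\x01\x02\x03\x04"),                 # an 18-byte "ACK" cannot be a bare ACK
]
```

Running `audit_acks(SAMPLE_FRAMES)` flags frame 5 for its length and the address of X for four unsolicited ACKs; tune `max_unsolicited` to the miss rate of your monitor interface.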

Check the web homepage for further information.

Requirements
============

* Python installed
* Optionally, Psyco installed
* Two laptops with wireless chipsets (internal or PCMCIA)
* Wireless chipsets with injection/monitoring capabilities

Warning: Prism monitoring devices are not tested at this time, so it is recommended to disable the Prism monitoring header when using this tool. Also, this tool does not check for injection/monitoring capabilities; you should verify them yourself. Today, most wireless chipsets have injection/monitoring capabilities (e.g. Prism54, Atheros, Realtek).

Using
=====

Activate your wireless card in monitoring mode on laptop 1:

* iwconfig interface mode monitor channel 1
* ifconfig interface up

Launch the pyrawcovert tool:

* ./pyrawcovert -i interface -m interface

A tap interface will be created; you must configure it:

* ifconfig tap0 1.1.1.1 up
* ifconfig tap0 mtu 500

Setting an MTU below 1000 is mandatory in order to have a fully functional covert channel. The wireless medium is prone to packet loss, and a lower MTU tends to mitigate this. Of course, you should use a reliable protocol such as TCP in order to enhance the reliability of the covert channel.

Repeat the same operation for laptop 2:

* iwconfig interface mode monitor channel 1
* ifconfig interface up
* ./pyrawcovert -i interface -m interface
* a tap interface will be created; you must configure it:
* ifconfig tap0 1.1.1.2 up
* ifconfig tap0 mtu 500

Then, once successfully configured, you should be able to ping, nmap, ssh... Quite funny, no?
