To answer you directly - no, you technically don't chat "over someone's WiFi network". If you're thinking TCP/UDP, the ability to see other computers on a LAN segment, access to encrypted data over a WPA2 connection, etc. - that's too many layers up in the OSI model.
Bunny lives down at the layer 1 / layer 2 model - hardware to hardware communication. Negotiation of connections that eventually lead to joining a subnet, etc.
Since it's at this lower level, it still hasn't "signed on" to a WiFi network - it's just chattering like it would like to sign onto one. No traffic from a bunny client makes it any farther than devices that can directly hear the broadcast. For bunny to work correctly, your device would have to be within range of another device using bunny such that you could pick up the packets as they were broadcast directly from the device.
TL;DR: Nothing is routed.
bunny monitors the WiFi traffic, regardless of network, that it can see in the area. It then builds up a model of what packets it can see (the packets have identifying fields, bunny builds up a list of the common values it sees in those fields) and builds similar looking packets (with values from those lists). Here's the code for the 'fake packets' that it can make:
The main difference between its fake packets and the real ones are that bunny repurposes part of the packets that normally don't contain any real data (vendor specific fields that are part of packets, but rarely used) and swaps them out with AES encrypted data that bunny understands (using an encryption key in config.py).
Any other bunny client with the same encryption key can see these broadcast fake packets, determine that they're fake (they're built in a very particular way), and then attempt to decrypt the data using the key it knows.
If it can decrypt the data into something meaningful, then data can be broadcast back and forth between the bunny clients.
The main packet types bunny clones are:
* Beacon: the packets that announce the presence of a WiFi network. These will be close clones of the existing beacons and are will contain the same core information the real beacons contain. A client looking for a WiFi network may end up using a bunny generated beacon to attempt signing in - but the actual connection negotiation won't be handled by bunny itself. bunny might be the source of the packet that causes WiFi network "Your Local Cafe" to appear in your available WiFi network menu, but it won't ever be involved in connecting you beyond that.
* Probe Response: This is the client counterpart to a beacon packet, basically. It's a client saying "Hey network <SSID name here> - are you there?" WiFi APs will likely respond to it with a "Yes, I'm here" but it won't go beyond that - bunny won't do anything with the responses.
* LLC QOS: This packet has the most potential to do something, in that it's a link level flow control quality of service packet. It's the kind of thing that one piece of the network would send to the other saying: 'Whoa, please slow down - too much data right now on <this stream>'. However, part of the data that's fudged in this packet is the sequence number. An invalid sequence number should cause any receiver of the packet to ignore it, making it safe for bunny to do this.
Yes-- that's what it does. Nodes need to agree on a pre-shared AES key, a modulus, and a remainder, and with that information they can monitor the wifi network to locate Bunny frames.
I glanced over the "proposal.txt" file and I think a reasonable summary is as follows: Bunny monitors a wifi network to build a model of the types of common packets it "sees". Once it has built the model it can transmit data covertly by sending packets with a crafted length (based on a couple of pre-shared values) that are similar to the "average" traffic on the network. Bits of AES-encrypted data are stored in some of the various header and payload fields that are "sloppily" defined in the 802.11 standards. Other Bunny nodes are able to recognize these frames because their length modulus the pre-shared modulus value will equal the pre-shared remainder value.
The packets sent wont be routed ?
So this is a peer to peer / adhoc network between two clients who not only will encrypt their messages but will write it in invisible ink too.
It's a really cool hack, and mothran probably knows more about wifi packets now than anyone is legally allowed.
But if I am in a situation where the enemy is so sophisticated they can infer useful information from my non hidden encrypted traffic I am going back to filling in the Times crossword on a bench in st James park
Bunny basically sends raw packets are that build around a model of 802.11 packets that it has seen. It spoofs all the fields and then injects little bits of data into certain 802.11 fields that are rarely used or have someone random data when they are. So this means that bunny is essentially a ad-hoc style network that hides is traffic to look like whatever wifi networks are around.
Basically with a bit of work you should be able to implement something approximating a tty type interface over this, which means that you could (theoretically) sit in the car park running a metasploit session on an evil box hooked into the target network in a very difficult to detect manner.
It also provides all kinds of interesting potential capabilities for anonymous communication across crowded networks. This could be great for co-ordinating drug deals or suchlike but is probably better still for co-ordinating protests and exporting information when GSM's down.
It's not for hacking into other people's network, it's for communicating wirelessly invisibly. It hides in other people's wireless signals so that an eavesdropper doesn't even see it's there
From my reading of the included proposal.txt, it uses steganography to have side-channel communications that look like other wifi communication near you.
I'm in the same boat, maybe I am just not familiar enough with this kind of software but I can't tell, do you have to have the SSID/Key to connect or does this piggy-back on it somehow?
Bunny lives down at the layer 1 / layer 2 model - hardware to hardware communication. Negotiation of connections that eventually lead to joining a subnet, etc.
Since it's at this lower level, it still hasn't "signed on" to a WiFi network - it's just chattering like it would like to sign onto one. No traffic from a bunny client makes it any farther than devices that can directly hear the broadcast. For bunny to work correctly, your device would have to be within range of another device using bunny such that you could pick up the packets as they were broadcast directly from the device.
TL;DR: Nothing is routed.
bunny monitors the WiFi traffic, regardless of network, that it can see in the area. It then builds up a model of what packets it can see (the packets have identifying fields, bunny builds up a list of the common values it sees in those fields) and builds similar looking packets (with values from those lists). Here's the code for the 'fake packets' that it can make:
https://github.com/mothran/bunny/blob/master/libbunny/Templa...
The main difference between its fake packets and the real ones are that bunny repurposes part of the packets that normally don't contain any real data (vendor specific fields that are part of packets, but rarely used) and swaps them out with AES encrypted data that bunny understands (using an encryption key in config.py).
Any other bunny client with the same encryption key can see these broadcast fake packets, determine that they're fake (they're built in a very particular way), and then attempt to decrypt the data using the key it knows.
If it can decrypt the data into something meaningful, then data can be broadcast back and forth between the bunny clients.
The main packet types bunny clones are:
* Beacon: the packets that announce the presence of a WiFi network. These will be close clones of the existing beacons and are will contain the same core information the real beacons contain. A client looking for a WiFi network may end up using a bunny generated beacon to attempt signing in - but the actual connection negotiation won't be handled by bunny itself. bunny might be the source of the packet that causes WiFi network "Your Local Cafe" to appear in your available WiFi network menu, but it won't ever be involved in connecting you beyond that.
* Probe Response: This is the client counterpart to a beacon packet, basically. It's a client saying "Hey network <SSID name here> - are you there?" WiFi APs will likely respond to it with a "Yes, I'm here" but it won't go beyond that - bunny won't do anything with the responses.
* LLC QOS: This packet has the most potential to do something, in that it's a link level flow control quality of service packet. It's the kind of thing that one piece of the network would send to the other saying: 'Whoa, please slow down - too much data right now on <this stream>'. However, part of the data that's fudged in this packet is the sequence number. An invalid sequence number should cause any receiver of the packet to ignore it, making it safe for bunny to do this.