| To answer you directly - no, you technically don't chat "over someone's WiFi network". If you're thinking TCP/UDP, the ability to see other computers on a LAN segment, access to encrypted data over a WPA2 connection, etc. - that's too many layers up in the OSI model. Bunny lives down at the layer 1 / layer 2 model - hardware to hardware communication. Negotiation of connections that eventually lead to joining a subnet, etc. Since it's at this lower level, it still hasn't "signed on" to a WiFi network - it's just chattering like it would like to sign onto one. No traffic from a bunny client makes it any farther than devices that can directly hear the broadcast. For bunny to work correctly, your device would have to be within range of another device using bunny such that you could pick up the packets as they were broadcast directly from the device. TL;DR: Nothing is routed. bunny monitors the WiFi traffic, regardless of network, that it can see in the area. It then builds up a model of what packets it can see (the packets have identifying fields, bunny builds up a list of the common values it sees in those fields) and builds similar looking packets (with values from those lists). Here's the code for the 'fake packets' that it can make: https://github.com/mothran/bunny/blob/master/libbunny/Templa... The main difference between its fake packets and the real ones are that bunny repurposes part of the packets that normally don't contain any real data (vendor specific fields that are part of packets, but rarely used) and swaps them out with AES encrypted data that bunny understands (using an encryption key in config.py). Any other bunny client with the same encryption key can see these broadcast fake packets, determine that they're fake (they're built in a very particular way), and then attempt to decrypt the data using the key it knows. If it can decrypt the data into something meaningful, then data can be broadcast back and forth between the bunny clients. The main packet types bunny clones are: * Beacon: the packets that announce the presence of a WiFi network. These will be close clones of the existing beacons and are will contain the same core information the real beacons contain. A client looking for a WiFi network may end up using a bunny generated beacon to attempt signing in - but the actual connection negotiation won't be handled by bunny itself. bunny might be the source of the packet that causes WiFi network "Your Local Cafe" to appear in your available WiFi network menu, but it won't ever be involved in connecting you beyond that. * Probe Response: This is the client counterpart to a beacon packet, basically. It's a client saying "Hey network <SSID name here> - are you there?" WiFi APs will likely respond to it with a "Yes, I'm here" but it won't go beyond that - bunny won't do anything with the responses. * LLC QOS: This packet has the most potential to do something, in that it's a link level flow control quality of service packet. It's the kind of thing that one piece of the network would send to the other saying: 'Whoa, please slow down - too much data right now on <this stream>'. However, part of the data that's fudged in this packet is the sequence number. An invalid sequence number should cause any receiver of the packet to ignore it, making it safe for bunny to do this. |